AAA failing intermittently

BAITnetwork
Level 1

Hi All,

I have an ongoing issue with AAA failing to some WAN routers after seemingly random periods of time. Our current workaround is to remove and then re-apply the tacacs configuration on the device. This fixes the issue, but sometimes only for a few weeks before it needs to be done again.

It seems to happen more often on some of the WAN devices with ADSL connections but isn't strictly limited to them.

The ACS (4.2) server is not recording any failed login attempts when the AAA fails.

AAA and TACACs debugging doesn't appear to be logging much in the way of useful events.

Nov 15 02:36:06.668: AAA/API(0000009F): } aaa_attr_req_add()
Nov 15 02:36:06.668: AAA/ATTR(0000009F): cursor init: 432D1480 4379A05C shell unknown
Nov 15 02:36:06.668: AAA/ATTR(0000009F): find: 4379A09C 0 00000009 reply-message(200) 10 Password:
Nov 15 02:36:06.668: AAA/ATTR(0000009F): delete attr: 4379A05C 00000001 2
Nov 15 02:36:06.668: AAA/ATTR(0000009F): del attr: 4379A09C 0 00000009 reply-message(200) 10 Password:
Nov 15 02:36:06.668: AAA/IPC(0000009F): Sending authen/author message to AAA server pid 72
Nov 15 02:36:06.668: AAA SRV(0000009F): process authen req
Nov 15 02:36:06.668: AAA SRV(0000009F): Authen method=LOCAL
Nov 15 02:36:06.668: AAA/ATTR(0000009F): cursor init: 43006BA8 4386EB80 none none
Nov 15 02:36:06.668: AAA/ATTR(0000009F): find: dnis(42): not found
Nov 15 02:36:06.668: AAA/ATTR(0000009F): find: 4386EBC0 0 00000009 clid(27) 12 %ip-removed%
Nov 15 02:36:06.668: AAA/ATTR(0000009F): cursor init: 434A51F8 4379A05C none unknown

Nov 15 00:18:03.329: TPLUS: Queuing AAA Accounting request 154 for processing
Nov 15 00:18:03.329: TPLUS: processing accounting request id 154
Nov 15 00:18:03.329: TPLUS: Sending AV task_id=215
Nov 15 00:18:03.333: TPLUS: Sending AV timezone=EDST
Nov 15 00:18:03.333: TPLUS: Sending AV service=shell
Nov 15 00:18:03.333: TPLUS: Sending AV start_time=1289780275
Nov 15 00:18:03.333: TPLUS: Sending AV disc-cause=1
Nov 15 00:18:03.333: TPLUS: Sending AV disc-cause-ext=9
Nov 15 00:18:03.333: TPLUS: Sending AV pre-session-time=51
Nov 15 00:18:03.333: TPLUS: Sending AV elapsed_time=8

Any ideas on how I can fix this?

3 Replies

Nicolas Darchis
Cisco Employee

Hi,

It would sound like the router declared the radius server as dead. This is why re-entering the server details fixes the problem.

In your logs we see the router authenticating against local method.

I would suggest checking the WAN link reliability, but also play with commands like the following:

- radius-server timeout x

- radius-server retry x

- radius-server retransmit x

Increase them and see if this improves the situation.

You can also check the "radius-server deadtime" to decrease it in order to reactivate the radius server sooner.

Hope this helps,

Nicolas

===

Don't forget to rate answers that you find useful

Hi Nicolas,

I appreciate the quick response; however, I'm not using a radius server, I'm using a TACACS server, and the options for retry and retransmit that work for Radius don't appear to be available for TACACS.

Any other ideas?

Indeed, my mistake.

tacacs-server timeout x is still a good command to try :-)

Apart from that, I would check what's up with your WAN connectivity and analyze when the tacacs server is declared dead and why (packet drops?).

Alternatively, you can configure another tacacs server to have some more redundancy.

Nicolas

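The fallback to local authentication that the reply points out (the "Authen method=LOCAL" line in the original debug) is the signal worth watching for on the router. Added example, not from the thread or from Cisco: a Python scan over constructed debug-style lines, modelled on the ones quoted above, that flags every authentication request resolved by a method other than the expected TACACS+ group.

```python
import re
from collections import defaultdict

# Constructed sample of "debug aaa authentication" style output, modelled on
# the lines quoted in the thread. These are not the poster's actual logs.
SAMPLE_LOG = """\
Nov 15 02:36:06.668: AAA/IPC(0000009F): Sending authen/author message to AAA server pid 72
Nov 15 02:36:06.668: AAA SRV(0000009F): process authen req
Nov 15 02:36:06.668: AAA SRV(0000009F): Authen method=LOCAL
Nov 15 02:40:11.102: AAA SRV(000000A3): process authen req
Nov 15 02:40:11.102: AAA SRV(000000A3): Authen method=TACACS+
Nov 15 03:01:44.500: AAA SRV(000000B0): Authen method=LOCAL
"""

# Timestamp, request id and the method the AAA server process settled on.
AUTHEN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): AAA SRV\((?P<req>[0-9A-F]+)\): "
    r"Authen method=(?P<method>\S+)"
)


def find_local_fallbacks(log_text, expected_method="TACACS+"):
    """Return (timestamp, request_id, method) for every authentication request
    resolved by a method other than expected_method. With a method list such as
    'group tacacs+ local', a LOCAL result means the TACACS+ group was skipped,
    which is what happens once the server has been marked dead."""
    events = []
    for line in log_text.splitlines():
        m = AUTHEN_RE.match(line)
        if m and m.group("method") != expected_method:
            events.append((m.group("ts"), m.group("req"), m.group("method")))
    return events


def summarize(log_text):
    """Count authentication decisions per method so the share of LOCAL versus
    TACACS+ results over the capture is visible at a glance."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTHEN_RE.match(line)
        if m:
            counts[m.group("method")] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, req, method in find_local_fallbacks(SAMPLE_LOG):
        print(f"{ts} request {req}: authenticated via {method}, not TACACS+")
    print(summarize(SAMPLE_LOG))
```

Feeding the same scan a syslog export from the affected routers lets you line the fallback timestamps up against WAN link flaps before touching the tacacs-server timeout.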
