05-21-2013 04:04 AM - edited 03-10-2019 08:27 PM
I have an AAA server that can be used to authenticate my router and switches, but suddenly when I tried to log in to some of my routers using ACS accounts I got this message "% 1 is not an open connection", but when I remove the authentication using the ACS, I can log in locally smoothly without any problem.
05-21-2013 10:00 AM
Hi Amira,
Can you paste the activity you perform when you get this message? Also, when you get this message, is the authentication successful or not?
Regards,
Subeh
05-21-2013 11:16 PM
Hi Subeh,
I just try to type the username and pass of my ACS account, and this error message appears when I type the username and pass, and it cannot log me in to the router, although I tried with my ACS account using the console and I can log in to the router.
05-21-2013 05:17 PM
From the problem description, it seems you are facing this issue only when we have AAA configured.
When you attempt to connect and receive the error message "% 1 is not an open connection", do you also see any corresponding hits on ACS as well?
Can you turn on the debugs when you have this problem and send them over for my analysis?
(Guess you are using tacacs; in case not, then use radius)
debug tacacs
debug aaa authen
debug aaa autho
From the router/switch, please provide:
show users
show line
In case we need to delete any session on the line.
clear tcp line vty
Do provide show run and show version from the device.
Jatin Katyal
- Do rate helpful posts -
05-21-2013 11:52 PM
05-22-2013 01:28 AM
Why are we looking at tacacs administration logs? We need to check tacacs authentication logs, i.e. failed attempts in case we have ACS 4.x, or tacacs authentication in case we have ACS 5.x.
From debugs I can see authentication and authorization successful.
TPLUS: Received authen response status PASS (2)
AAA/AUTHOR/EXEC(00000043): Authorization successful
I requested show run in my last post. Can you please attach the same? If not, then please provide the below listed outputs:
show run | in aaa
show run | in tacacs
show run | beg line
Jatin Katyal
- Do rate helpful posts -
05-22-2013 01:39 AM
05-22-2013 02:22 AM
The configuration looks fine. I see the vty lines are configured for line password and privilege, but the aaa commands show you have the local method in place.
Did you try to clear the tcp session?
Can you turn on the debugs (we don't need debug aaa accounting):
debug tacacs
debug aaa authentication
debug aaa authorization
Run the below listed command with tacacs username and password.
test aaa group tacacs+
Jatin Katyal
- Do rate helpful posts -
05-22-2013 02:58 AM
When I tried to clear TCP line vty, I got the following:
*May 22 10:12:19.463: AAA/AUTHOR: auth_need : user= 'blombank' ruser= 'HQ_VocieGW1'rem_addr= '10.30.28.1' priv= 15 list= '' AUTHOR-TYPE= 'command'
*May 22 10:12:19.463: TPLUS: Queuing AAA Accounting request 50 for processing
*May 22 10:12:19.463: TPLUS: processing accounting request id 50
*May 22 10:12:19.463: TPLUS: Sending AV task_id=297
*May 22 10:12:19.467: TPLUS: Sending AV timezone=UTC
*May 22 10:12:19.467: TPLUS: Sending AV service=shell
*May 22 10:12:19.467: TPLUS: Sending AV priv-lvl=15
*May 22 10:12:19.467: TPLUS: Sending AV cmd=clear tcp line vty 0
*May 22 10:12:19.467: TPLUS: Accounting request created for 50(blombank)
*May 22 10:12:19.467: TPLUS: using previously set server 10.7.11.112 from group tacacs+
*May 22 10:12:19.467: TPLUS(00000032)/0/NB_WAIT/78472D48: Started 5 sec timeout
*May 22 10:12:19.467: TPLUS(00000032)/0/NB_WAIT: socket event 2
*May 22 10:12:19.467: TPLUS(00000032)/0/NB_WAIT: wrote entire 126 bytes request
*May 22 10:12:19.467: TPLUS(00000032)/0/READ: socket event 1
*May 22 10:12:19.467: TPLUS(00000032)/0/READ: Would block while reading
*May 22 10:12:19.551: TPLUS(00000032)/0/READ: socket event 1
*May 22 10:12:19.551: TPLUS(00000032)/0/READ: read entire 12 header bytes (expect 5 bytes data)
*May 22 10:12:19.551: TPLUS(00000032)/0/READ: socket event 1
[confirm]
*May 22 10:12:19.551: TPLUS(00000032)/0/READ: read entire 17 bytes response
*May 22 10:12:19.551: TPLUS(00000032)/0/78472D48: Processing the reply packet
*May 22 10:12:19.551: TPLUS: Received accounting response with status PASS
[confirm]
%Clear TCP failed: line 706 doesn't exist or doesn't have TCP
And attached is the debug output.
05-22-2013 03:15 AM
The attached debugs were not captured correctly. I don't see the authentication and authorization debugs for a test.
What did you see on the router, when you ran the test command?
Jatin Katyal
- Do rate helpful posts -
05-22-2013 03:24 AM
05-22-2013 03:33 AM
Could you please check ACS user/group setup and see if there is some auto-command configured?
Jatin Katyal
- Do rate helpful posts -
05-22-2013 03:50 AM
Kindly note that on some other routers I can log in using the ACS account.
05-22-2013 05:38 AM
Thank you, Jatin.
Thank you very much.
Really, when I removed the auto command check box, all is OK now with me.
05-22-2013 05:42 AM
Hi Amira,
Yes, I see this coming in your tacacs authorization response and I am not sure why we are pushing this value in autocmd. Also mark this thread resolved so that others can benefit from it, in case they are facing the same issue.
Have a blessed day.
Jatin Katyal
- Do rate helpful posts -
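Added example, not part of the thread or of any poster's message: a small Python triage script that reads saved `debug tacacs` output and reports any `autocmd` attribute the server pushed to the device, which is the cause identified above. The sample log is constructed; the "Sending AV" line format is the one shown in this thread, while the "Processed AV" format for received pairs and the `autocmd` value are assumptions made for this example.

```python
import re

# Constructed sample of `debug tacacs` output. "Sending AV" lines follow the
# format shown in the thread; "Processed AV" for pairs received from the
# server and the autocmd value are assumptions made for this example.
SAMPLE_DEBUG = """\
*May 22 10:12:19.467: TPLUS: Sending AV service=shell
*May 22 10:12:19.467: TPLUS: Sending AV cmd*
*May 22 10:12:19.551: TPLUS: Processed AV priv-lvl=15
*May 22 10:12:19.551: TPLUS: Processed AV autocmd=show clock
*May 22 10:12:19.555: TPLUS: Sending AV priv-lvl=15
*May 22 10:12:19.555: TPLUS: Sending AV cmd=clear tcp line vty 0
"""

# "=" marks a mandatory attribute, "*" an optional one.
AV_LINE = re.compile(
    r"TPLUS: (?P<direction>Sending|Processed) AV "
    r"(?P<name>[A-Za-z0-9_-]+)(?P<sep>[=*])(?P<value>.*)$"
)


def parse_av_pairs(debug_text):
    """Return (direction, name, value, mandatory) for every AV pair line."""
    pairs = []
    for line in debug_text.splitlines():
        m = AV_LINE.search(line)
        if m:
            pairs.append((m["direction"].lower(), m["name"],
                          m["value"].strip(), m["sep"] == "="))
    return pairs


def server_pushed(debug_text, watch=("autocmd",)):
    """AV pairs received from the server whose name is in `watch`."""
    return [(name, value)
            for direction, name, value, _ in parse_av_pairs(debug_text)
            if direction == "processed" and name in watch]


if __name__ == "__main__":
    for name, value in server_pushed(SAMPLE_DEBUG):
        print(f"server pushed {name}={value!r}: check ACS user/group setup")
```

A non-empty result points at the ACS user or group shell settings rather than at the device's own AAA configuration.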