09-08-2011 08:34 AM - edited 03-10-2019 06:23 PM
Hi All,
I'm troubleshooting a very strange problem. I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate OK, but others will time out. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server, but the server sends no reply to the device.
Any ideas? Could this be a device database problem?
Thanks,
Jose Ribeiro
09-10-2011 10:17 PM
Jose,
You mentioned there was a firewall in the picture. Are the devices being translated before they hit the ACS server? Does the ACS have these clients in its database? Also, is this problem limited to all devices on this subnet, or do a few work and the others do not?
Also, for additional troubleshooting you can follow these steps to enable debug levels on the ACS processes. Log into the CLI of the ACS > acs-config > (GUI username and password) > debug-logs runtime level debug > exit.
Then, as you are reproducing the issue, you can try to catch these on the CLI by entering "show acs-logs filename acsRuntime.log | last 80", or you can download the support bundle after reproducing the issue and check the acsRuntime.log or any of the archive files in case your box is under a lot of load.
Thanks,
Tarik
09-22-2011 02:03 PM
Hi Tarik,
Thanks for the reply. I tried what you mentioned and below is the result. I'm trying from client 10.88.194.33 to authenticate to server 10.195.214.37. I captured packets on the ACS and I see requests coming to the ACS.
Below I have two outputs, one from tech dumptcp and the other from the debug command you suggested. The issue is that ACS does not show the authentication attempt on the report.
Results from TECH DUMPTCP
16:09:28.386018 IP (tos 0x0, ttl 60, id 32894, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.59919 > ctsbigdcemath01.tacacs: F [tcp sum ok] 48:48(0) ack 1 win 5840
16:09:28.435743 IP (tos 0x0, ttl 64, id 36921, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs > 10.88.194.33.59919: . [tcp sum ok] 1:1(0) ack 49 win 46
16:09:31.944350 IP (tos 0x0, ttl 60, id 14764, offset 0, flags [none], proto 6, length: 60) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: S [tcp sum ok] 401027082:401027082(0) win 5840
16:09:31.944350 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 60) ctsbigdcemath01.tacacs > 10.88.194.33.60168: S [tcp sum ok] 2134823712:2134823712(0) ack 401027083 win 5792
16:09:31.954321 IP (tos 0x0, ttl 60, id 14765, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: . [tcp sum ok] 1:1(0) ack 1 win 5840
16:09:31.954321 IP (tos 0x0, ttl 60, id 14766, offset 0, flags [none], proto 6, length: 99) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: P 1:48(47) ack 1 win 5840
16:09:31.954321 IP (tos 0x0, ttl 64, id 51433, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs > 10.88.194.33.60168: . [tcp sum ok] 1:1(0) ack 48 win 46
RESULTS from DEBUG
# show acs-logs filename acsRuntime.log | include 194.33
inboundProtocolManager,22/09/2011,16:39:22:487,DEBUG,3005852576,cntx=0002111090,Start Lookup for NAS with IP = 10.88.194.33,ProtocolDataUtils.cpp:278
inboundProtocolManager,22/09/2011,16:39:22:487,DEBUG,3005852576,cntx=0002111090,NAS with IP = 10.88.194.33 matches AAAClient with IP = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327
inboundProtocolManager,22/09/2011,16:40:55:687,DEBUG,3005852576,cntx=0002111302,Start Lookup for NAS with IP = 10.88.194.33,ProtocolDataUtils.cpp:278
inboundProtocolManager,22/09/2011,16:40:55:687,DEBUG,3005852576,cntx=0002111302,NAS with IP = 10.88.194.33 matches AAAClient with IP = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327
inboundProtocolManager,22/09/2011,16:42:06:515,DEBUG,3005852576,cntx=0002111369,Start Lookup for NAS with IP = 10.88.194.33,ProtocolDataUtils.cpp:278
inboundProtocolManager,22/09/2011,16:42:06:515,DEBUG,3005852576,cntx=0002111369,NAS with IP = 10.88.194.33 matches AAAClient with IP = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327
09-23-2011 06:35 AM
Jose,
Do you see the hit count increase on the applicable rule when you try to log in from the non-working router?