ACS 5.2 VM - Authentication timeout

josefribeiro
Level 1

Hi All,

I'm troubleshooting a very strange problem. I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate ok, but others will time out. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server, but the server sends no reply to the device.

Any ideas? Could this be a device database problem?

Thanks,

Jose Ribeiro

3 Replies

Tarik Admani
VIP Alumni

Jose,

You mentioned there was a firewall in the picture; are the devices being translated before they hit the ACS server? Does the ACS have these clients in its database? Also, is this problem limited to all devices on this subnet, or do a few work and the others do not?

Also, for additional troubleshooting you can follow these steps to enable debug levels on the ACS processes. Log in to the CLI of the ACS > acs-config > (GUI username and password) > debug-logs runtime level debug > exit.

Then, as you are reproducing the issue, you can try to catch these on the CLI by entering "show acs-logs filename acsRuntime.log | last 80", or you can download the support bundle after reproducing the issue and check the acsRuntime.log or any of the archive files in case your box is under a lot of load.

Thanks,

Tarik

Hi Tarik,

Thanks for the reply. I tried what you mentioned and below is the result. I'm trying to authenticate from client 10.88.194.33 to server 10.195.214.37. I captured packets on the ACS and I see requests coming to the ACS.

Below I have two outputs, one from tech dumptcp and the other from the debug command you suggested. The issue is that ACS does not show the authentication attempt on the report.

Results from TECH DUMPTCP

16:09:28.386018 IP (tos 0x0, ttl  60, id 32894, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.59919 > ctsbigdcemath01.tacacs: F [tcp sum ok] 48:48(0) ack 1 win 5840

16:09:28.435743 IP (tos 0x0, ttl  64, id 36921, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs > 10.88.194.33.59919: . [tcp sum ok] 1:1(0) ack 49 win 46

16:09:31.944350 IP (tos 0x0, ttl  60, id 14764, offset 0, flags [none], proto 6, length: 60) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: S [tcp sum ok] 401027082:401027082(0) win 5840

16:09:31.944350 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 60) ctsbigdcemath01.tacacs > 10.88.194.33.60168: S [tcp sum ok] 2134823712:2134823712(0) ack 401027083 win 5792

16:09:31.954321 IP (tos 0x0, ttl  60, id 14765, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: . [tcp sum ok] 1:1(0) ack 1 win 5840

16:09:31.954321 IP (tos 0x0, ttl  60, id 14766, offset 0, flags [none], proto 6, length: 99) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: P 1:48(47) ack 1 win 5840

16:09:31.954321 IP (tos 0x0, ttl  64, id 51433, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs > 10.88.194.33.60168: . [tcp sum ok] 1:1(0) ack 48 win 46

RESULTS from DEBUG

# show acs-logs filename acsRuntime.log | include 194.33

inboundProtocolManager,22/09/2011,16:39:22:487,DEBUG,3005852576,cntx=0002111090,Start Lookup for NAS with IP = 10.88.194.33,ProtocolDataUtils.cpp:278

inboundProtocolManager,22/09/2011,16:39:22:487,DEBUG,3005852576,cntx=0002111090,NAS with IP = 10.88.194.33 matches AAAClient with IP = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327

inboundProtocolManager,22/09/2011,16:40:55:687,DEBUG,3005852576,cntx=0002111302,Start Lookup for NAS with IP = 10.88.194.33,ProtocolDataUtils.cpp:278

inboundProtocolManager,22/09/2011,16:40:55:687,DEBUG,3005852576,cntx=0002111302,NAS with IP = 10.88.194.33 matches AAAClient with IP = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327

inboundProtocolManager,22/09/2011,16:42:06:515,DEBUG,3005852576,cntx=0002111369,Start Lookup for NAS with IP = 10.88.194.33,ProtocolDataUtils.cpp:278

inboundProtocolManager,22/09/2011,16:42:06:515,DEBUG,3005852576,cntx=0002111369,NAS with IP = 10.88.194.33 matches AAAClient with IP = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327
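As an added example (not from the thread and not Cisco code), a small Python script that classifies the tcpdump output posted above: it tells a path problem (SYN with no SYN-ACK) apart from what this capture actually shows, a completed handshake whose 47-byte request the server ACKs at the TCP level and never answers, which points at the AAA process or the device entry rather than the network. It assumes tcpdump -v output in the form quoted above, with port 49 printed as "tacacs".

```python
import re
from collections import defaultdict

# The tcpdump -v lines for the port-60168 flow quoted in the post above, re-used
# here as constructed test input (tcpdump prints port 49 as "tacacs").
CAPTURE = """\
16:09:31.944350 IP (tos 0x0, ttl  60, id 14764, offset 0, flags [none], proto 6, length: 60) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: S [tcp sum ok] 401027082:401027082(0) win 5840
16:09:31.944350 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 60) ctsbigdcemath01.tacacs > 10.88.194.33.60168: S [tcp sum ok] 2134823712:2134823712(0) ack 401027083 win 5792
16:09:31.954321 IP (tos 0x0, ttl  60, id 14765, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: . [tcp sum ok] 1:1(0) ack 1 win 5840
16:09:31.954321 IP (tos 0x0, ttl  60, id 14766, offset 0, flags [none], proto 6, length: 99) 10.88.194.33.60168 > ctsbigdcemath01.tacacs: P 1:48(47) ack 1 win 5840
16:09:31.954321 IP (tos 0x0, ttl  64, id 51433, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs > 10.88.194.33.60168: . [tcp sum ok] 1:1(0) ack 48 win 46
"""

# "<src> > <dst>: <flags> [tcp sum ok] <lo>:<hi>(<len>) ack <n> ..." (seq is relative after the SYN)
LINE = re.compile(r"^\S+ IP \(.*?\) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+) "
                  r"(?:\[tcp sum ok\] )?\d+:(?P<hi>\d+)\(\d+\)(?: ack (?P<ack>\d+))?")

def analyse(text, service="tacacs"):
    """Return {client_port: verdict} for every TCP flow to the TACACS+ service port."""
    flows = defaultdict(lambda: dict(syn=False, synack=False, c_bytes=0, s_bytes=0, s_ack=0))
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sport, dport = m["src"].rpartition(".")[2], m["dst"].rpartition(".")[2]
        is_syn, hi = "S" in m["flags"], int(m["hi"])
        if dport == service:                        # client -> server
            f = flows[sport]
            f["syn"] |= is_syn
            if not is_syn:                          # hi-1 = bytes the client has sent so far
                f["c_bytes"] = max(f["c_bytes"], hi - 1)
        elif sport == service:                      # server -> client
            f = flows[dport]
            f["synack"] |= is_syn
            if not is_syn:                          # the SYN-ACK carries an absolute ack, skip it
                f["s_bytes"] = max(f["s_bytes"], hi - 1)
                f["s_ack"] = max(f["s_ack"], int(m["ack"] or 0))
    return {port: verdict(f) for port, f in flows.items()}

def verdict(f):
    """Separate a network-path failure from application-layer silence."""
    if f["s_bytes"] > 0:
        return "server replied"
    if f["syn"] and not f["synack"]:
        return "no SYN-ACK: path, firewall or listener problem"
    if f["c_bytes"] > 0 and f["s_ack"] > f["c_bytes"]:
        return ("TCP open, server ACKed %d-byte request but sent no TACACS+ reply: "
                "look at the AAA process and device entry, not the network" % f["c_bytes"])
    return "incomplete capture"
```

Run it on the capture above and the 60168 flow is reported as a TCP-level ACK with no TACACS+ reply, which matches the ACS report showing no authentication attempt at all.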

Jose,

Do you see the hit count increase on the applicable rule when you try to log in from the non-working router?