Authorization Commands take 8 seconds to send initial TCP SYN Seq Packet to ACS

thomas.duganjr
Level 1

Device: 3841

IOS: 15.1(4)M2 ADVSecurity

Commands: AAA Authorization

Problem: Commands take approximately 8 seconds to process when required to authorize with ACS.

Example: The show run command will take 8 seconds to process then output is displayed.

Symptoms: Packet sniff indicates that it takes 8 seconds for the router to send the initial TCP SYN SEQ packet to ACS.

Login to device has no delay

Does anyone know of any bug or other documentation that addresses this symptom and/or problem?


Thank you.

Tom

4 Replies

Tarik Admani
VIP Alumni

There is a bug with the single connect flag being set. You have that set by any chance?

Are you using host names or ip addresses in your configuration?

Sent from Cisco Technical Support iPad App

We are not using single connect and we are using ip addresses.

Please post the show run | inc aaa and show run | inc tacacs.

Can you also run two separate sessions to the unit and post the debug output of (debug aaa authentication), then run the "test aaa group tacacs+ new-code". Also, can you issue the "show process cpu" to see if the CPU may be high on this unit.

Also with the debugs turned off, if you issue a telnet port 49 /source-interface ...and see how long it takes to open the connection.

Thanks,

Tarik Admani
*Please rate helpful posts*

Well good news, you had me looking down the right path. I debugged AAA Authorization and found that for the two commands:

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

the router actually tries to resolve the IP addresses to host names. We had the TACACS servers in by IP but did not have the "no ip domain lookup" command on the box. When I put that command in, everything went nice and fast. Thanks for the help!
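
An added example, not part of the original thread: a Python check that flags a saved running-config showing the condition described in the last post (command authorization sent to a TACACS+ group while DNS lookup is still enabled, which is the IOS default). The `audit` function and both sample configs are constructed for illustration, and the server addresses are documentation-range placeholders.

```python
import ipaddress
import re

# Constructed sample running-config fragments (not taken from the thread).
SLOW_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
"""
FIXED_CFG = SLOW_CFG + "no ip domain lookup\n"

# Command authorization lines that send requests to a server group.
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) \S+ .*\bgroup\b", re.M)
# DNS lookup is on by default; the config only shows a line when it is disabled.
# Both the newer and the legacy hyphenated spelling are accepted.
NO_LOOKUP = re.compile(r"^no ip domain[ -]lookup\s*$", re.M)
TACACS_HOST = re.compile(r"^tacacs-server host (\S+)", re.M)


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit(config: str) -> dict:
    """Report whether per-command authorization can stall on name resolution."""
    levels = sorted({int(m.group(1)) for m in CMD_AUTHZ.finditer(config)})
    lookup_enabled = NO_LOOKUP.search(config) is None
    hosts = TACACS_HOST.findall(config)
    return {
        "levels": levels,                       # privilege levels being authorized
        "dns_lookup_enabled": lookup_enabled,
        "servers_by_ip": [h for h in hosts if is_ip(h)],
        "at_risk": bool(levels) and lookup_enabled,
    }


if __name__ == "__main__":
    for name, cfg in (("before", SLOW_CFG), ("after", FIXED_CFG)):
        print(name, audit(cfg))
```
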