03-16-2012 01:32 PM - edited 03-10-2019 06:54 PM
Hello,
I cannot log into my OSPF router using TACACS+. Below are the debug messages:
.Mar 16 16:20:29: TPLUS(0000004F)/0/NB_WAIT/661E1170: timed out, clean up
.Mar 16 16:20:29: TPLUS(0000004F)/0/661E1170: Processing the reply packet
.Mar 16 16:24:46: TAC+: Using default tacacs server-group "TACACS-SERVERS" list.
.Mar 16 16:24:46: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Mar 16 16:24:51: TAC+: TCP/IP open to x.x.x.x/49 failed -- Connection timed out; remote host not responding
.Mar 16 16:24:51: TPLUS: Queuing AAA Accounting request 75 for processing
.Mar 16 16:24:51: TPLUS: processing accounting request id 75
.Mar 16 16:24:51: TPLUS: Sending AV task_id=627
.Mar 16 16:24:51: TPLUS: Sending AV timezone=EDT
.Mar 16 16:24:51: TPLUS: Sending AV service=shell
.Mar 16 16:24:51: TPLUS: Sending AV start_time=1331929491
.Mar 16 16:24:51: TPLUS: Sending AV priv-lvl=1
.Mar 16 16:24:51: TPLUS: Sending AV cmd=show logging <cr>
.Mar 16 16:24:51: TPLUS: Accounting request created for 75(backup)
.Mar 16 16:24:51: TPLUS: Using server x.x.x.x
I have confirmed the IP on the server. The router can ping the TACACS+ server and telnet over port 49. I have confirmed the IP has a route. I have deleted / re-added the entry on the ACS server. I have verified the TACACS+ key several times.
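A small triage script for debug output in the format shown above, added here as an example and not part of the original post: it pairs each `Opening TCP/IP` line with its failure line and checks whether the attempt ran for the full configured timeout, which means no reply came back at all rather than the server refusing the connection. The function name `triage` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: debug lines in the format shown in the question above.
SAMPLE = """\
.Mar 16 16:24:46: TAC+: Using default tacacs server-group "TACACS-SERVERS" list.
.Mar 16 16:24:46: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Mar 16 16:24:51: TAC+: TCP/IP open to x.x.x.x/49 failed -- Connection timed out; remote host not responding
.Mar 16 16:24:51: TPLUS: Queuing AAA Accounting request 75 for processing
"""

# Optional leading '.' or '*', month/day, HH:MM:SS, then a TAC+/TPLUS tag.
LINE = re.compile(
    r"^[.*]?\w{3} +\d+ (\d\d):(\d\d):(\d\d)(?:\.\d+)?: (?:TAC\+|TPLUS)[^:]*: (.*)$"
)
OPEN = re.compile(r"Opening TCP/IP to (\S+)/(\d+) timeout=(\d+)")
FAIL = re.compile(r"TCP/IP open to (\S+)/(\d+) failed -- (.*)")


def triage(text):
    """Return one record per failed TCP open, with elapsed time vs. timeout."""
    pending, results = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TACACS+ debug line
        hh, mm, ss, msg = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + int(ss)  # seconds since midnight
        if (o := OPEN.search(msg)):
            pending[(o.group(1), o.group(2))] = (now, int(o.group(3)))
        elif (f := FAIL.search(msg)):
            key = (f.group(1), f.group(2))
            if key not in pending:
                continue  # failure without a matching open in this capture
            started, timeout = pending.pop(key)
            elapsed = (now - started) % 86400  # tolerate a midnight rollover
            results.append({
                "server": key[0], "port": int(key[1]),
                "timeout": timeout, "elapsed": elapsed,
                "reason": f.group(3),
                # True: the router waited the whole timeout with no answer.
                "hit_timeout": elapsed >= timeout,
            })
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```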
03-17-2012 03:05 PM
What version of code is running on your router and what version of ACS are you running? Is this a new installation or did this start all of a sudden?
Also what is the source interface for the tacacs request? You may need to specify the source interface to send the tacacs request from.
Thanks,
Tarik Admani
03-19-2012 03:24 AM
Hi Nicholas,
As Tarik wrote, be sure that the remote server is aware of the source-interface configured on the router.
Can you try to telnet to the server?
telnet 1.1.1.1 49 /source-interface
You should be able to see "CONNECT".
You can also try to use the test aaa command, and see if your user gets successfully authenticated.
'test aaa group tacacs
Regards
Marco