06-07-2013 03:28 AM - edited 03-10-2019 08:31 PM
What is Cisco's recommendation for configuring deadtime feature on Nexus devices? I understand that by default, its value is 0...How should this be configured so as to reduce the processing time for AAA requests in case all the AAA servers are unreachable?
06-08-2013 01:14 PM
In the majority of cases I have seen it configured for 5 mins.
switch(config)# tacacs-server deadtime 5
TACACS+ Server Monitoring (NX 5000 should be same for all models)
An unresponsive TACACS+ server can delay the processing of AAA requests. A Nexus 5000 Series switch can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Nexus 5000 Series switch marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Nexus 5000 Series switch periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Nexus 5000 Series switch displays an error message that a failure is taking place before it can impact performance. See Figure 18-1.
Figure 18-1: TACACS+ Server States (TACACS+ Server Monitoring)
Jatin Katyal
- Do rate helpful posts -
06-10-2013 01:21 AM
Thanks for your reply, Jatin.
How are the AAA servers marked dead or alive? Are the AAA servers verified for status only when an authentication request comes to the switch? Or are AAA servers periodically verified from switch for their statuses?
06-10-2013 06:42 AM
The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.
Jatin Katyal
- Do rate helpful posts -
06-10-2013 10:36 AM
Jatin,
If no tacacs server monitoring is configured, then how will the tacacs servers be marked dead/alive?
06-10-2013 04:37 PM
The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is 0 to 1440 minutes. The test idle timer specifies the interval in which a TACACS+ server receives no requests before the Nexus 5000 Series switch sends out a test packet. The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed. For periodic TACACS+ server monitoring, the idle timer value must be greater than 0. Without monitoring, the dead time doesn't work well. However, even without the dead timer configured, subsequent AAA servers will be attempted if the first one fails to respond within a timely manner.
Jatin Katyal
- Do rate helpful posts -
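The configuration the two posts above describe, written out as an added example (this is not configuration from the thread or from Cisco's documentation). The server addresses 10.0.0.11 and 10.0.0.12, the group name TACACS-MGMT, the probe account tacacs-probe, the shared key and the management VRF are all assumed placeholders; replace them with your own values.

```cisco
! Added example, not from the original post. Addresses, key, group name,
! probe credentials and VRF are assumed placeholders.
feature tacacs+

! Default state discussed in the thread: no test idle timer and deadtime 0.
! A server is only probed by real login requests, and once it stops
! answering it is never re-tested on a timer.
!   tacacs-server host 10.0.0.11
!   tacacs-server host 10.0.0.12
!   (tacacs-server deadtime 0 is the default, nothing to configure)

! Corrected configuration: periodic monitoring plus a dead time.
tacacs-server key 7 "<encrypted-shared-key>"
tacacs-server timeout 5
! Global dead time: a server marked dead is skipped for 5 minutes.
tacacs-server deadtime 5

tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12
! Per-server test probe: after 5 minutes without any request to the server,
! send a test authentication so the alive/dead state stays current even
! when nobody is logging in. Do not keep the default test/test credentials;
! the probe login is visible on the TACACS+ server, so use a dedicated
! account with no device privileges.
tacacs-server host 10.0.0.11 test username tacacs-probe password <probe-password> idle-time 5
tacacs-server host 10.0.0.12 test username tacacs-probe password <probe-password> idle-time 5

aaa group server tacacs+ TACACS-MGMT
  server 10.0.0.11
  server 10.0.0.12
  ! Group-level dead time overrides the global value for this group.
  deadtime 5
  use-vrf management
  source-interface mgmt0

! Keep a local fallback so a group in which every server is dead
! does not lock you out of the device.
aaa authentication login default group TACACS-MGMT local
aaa authentication login console group TACACS-MGMT local

! Verification after applying:
!   show tacacs-server                       -> global deadtime/timeout/test settings
!   show tacacs-server statistics 10.0.0.11  -> per-server monitoring counters and state
!   test aaa group TACACS-MGMT <user> <pw>   -> end-to-end check through the group
```

Two points worth checking after this is in place: the per-server idle-time must be non-zero or the dead timer has nothing to act on (a server only moves to dead when a request, real or test, goes unanswered), and the group-level deadtime is what applies to requests sent through that group, so set it there as well as globally if you use more than one group.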
06-10-2013 11:32 PM
Jatin,
Thanks for your replies.
We don't have the idle timer configured, so by default its value is 0. That means there is no periodic monitoring of our TACACS servers, so we should first configure an idle timer. What is the recommended value for this? I also understand that in the absence of any idle timer, TACACS servers are checked for status only when an application request comes, and if they don't reply to a request, they are marked dead. And because the default dead timer is 0, the dead timer never expires and dead servers are never tested to see if they have come up. So the gist is that we should configure both an idle timer and a dead timer for perfect TACACS server monitoring.
Could you confirm my understanding?
06-12-2013 08:08 AM
Jatin,
Could you respond to my question?
06-12-2013 04:50 PM
Hey, sorry, I missed your post.
Correct: if it's set to 0, no server monitoring will be performed. I'd suggest you set it to 5 minutes. Your understanding on this matter is absolutely correct.
Jatin Katyal
- Do rate helpful posts -