12-19-2012 06:00 AM - edited 03-10-2019 07:54 PM
Without authorization, I am able to work smoothly with just a click on the ASR, but once I enable authorization it takes many seconds to move to another command, for example (if I hit config t or int gi1/0/1, it takes time to move to the next command level)...
This authorization issue I am facing only on the ASR; for other Cisco switches and routers it is working fine with just a click.
Did anyone face such an issue, and how is it fixed?
See the show version for the ASR:
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 23:32 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
System returned to ROM by reload
System restarted at 17:47:32 IST Thu Oct 4 2012
System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
Last reload reason: EHSA standby down
AAA Commands on ASR 1006
aaa new-model
aaa group server tacacs+ tacgroup
 server 10.48.128.10
 server 10.72.160.10
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
aaa authentication login default group tacgroup local
aaa authentication enable default group tacgroup enable
aaa accounting exec default start-stop group tacgroup
aaa accounting commands 1 default start-stop group tacgroup
aaa accounting commands 15 default start-stop group tacgroup
aaa accounting connection default start-stop group tacgroup
aaa accounting system default start-stop group tacgroup
aaa authorization commands 0 default group tacgroup none
aaa authorization commands 1 default group tacgroup none
aaa authorization commands 15 default group tacgroup none
aaa session-id common
tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
tacacs-server key 7 053B071C325B411B1D25464058
12-19-2012 06:30 AM
Have you tried to downgrade the IOS version?
Back to good old 12...
regards.
V.
12-19-2012 06:48 AM
No, I have not downgraded. Is it a bug on version 15.1(2)?
Please confirm.
Can anyone suggest any alternative solutions?
12-19-2012 07:31 AM
Then try another 15.x and let us know.
12-20-2012 07:10 PM
I think your issue may be related to your tacacs server. If you re-order the two servers (typically a 5 second timer before failover occurs) and see if that improves your performance:
server 10.48.128.10
server 10.72.160.10
to
server 10.72.160.10
server 10.48.128.10
You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the tacacs servers is failing. I also noticed you have the shared secret and tacacs server defined for one of the servers; is the same present for the other server that is in the server group?
Thanks,
Tarik Admani
*Please rate helpful posts*
12-21-2012 12:25 AM
Hi,
I am able to do authentication properly, but when I add authorization commands it also works OK, but the response to execute any command is very slow.
Example without authorization command:
show < and any commands > works smoothly
But with authorization command:
show < and any commands > works with very slow response, but gives the required result.
This issue is only for the Cisco ASR router; other Cisco devices work OK with authorization.
No firewall involved.
06-20-2013 12:28 AM
Hello!
The same trouble with Cisco 7206VXR: IOS "c7200-advipservicesk9-mz.151-4.M2.bin"; with other devices the tacacs works fine.
06-20-2013 02:13 AM
Hello,
I found the answer in this post: https://supportforums.cisco.com/thread/2174266
Checked with "#debug aaa accounting" if ip domain-lookup is active, and disable it!
Jun 20 08:56:07.280: Domain: query for 202.200.200.10.in-addr.arpa. type 12 to 255.255.255.255
Now all works fine!!!
Thank you!!!
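An added example, not part of any post in this thread: a small Python audit of a saved running-config for the two conditions raised above, DNS lookup left enabled while per-command AAA is configured, and a TACACS+ group member with no `tacacs-server host` line. The sample config, the finding codes and the function name `audit` are constructed for illustration, and only the legacy `tacacs-server host` syntax shown in the thread is handled.

```python
import re

# Constructed sample modelled on the AAA section posted in this thread;
# the key is a placeholder, not a real value.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ tacgroup
 server 10.48.128.10
 server 10.72.160.10
aaa accounting commands 15 default start-stop group tacgroup
aaa authorization commands 15 default group tacgroup none
tacacs-server host 10.48.128.10 key 7 PLACEHOLDER
"""

def audit(config):
    """Return (code, detail) findings for a legacy-syntax IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # DNS lookup is on by default and the default is not written to the
    # config, so it only counts as off when a "no" line is present.
    lookup_off = any(re.match(r"no ip domain[- ]lookup\b", ln) for ln in lines)
    name_servers = [ln for ln in lines if ln.startswith("ip name-server ")]
    per_cmd = [ln for ln in lines
               if re.match(r"aaa (authorization|accounting) commands \d+", ln)]
    if per_cmd and not lookup_off:
        target = ("configured name servers" if name_servers
                  else "255.255.255.255 (no ip name-server configured)")
        findings.append(("domain-lookup",
                         f"{len(per_cmd)} per-command AAA lines; DNS queries go to {target}"))

    # Group members that have no matching "tacacs-server host" line.
    defined = {m.group(1) for ln in lines
               if (m := re.match(r"tacacs-server host (\S+)", ln))}
    in_tacacs_group = False
    for ln in lines:
        if ln.startswith("aaa group server "):
            in_tacacs_group = ln.startswith("aaa group server tacacs+ ")
        elif in_tacacs_group and (m := re.match(r"server (\S+)", ln)):
            if m.group(1) not in defined:
                findings.append(("undefined-server", m.group(1)))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

An empty result means neither condition was found; a `domain-lookup` finding corresponds to the broadcast PTR query visible in the debug line quoted above.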
06-20-2013 02:17 AM
I've even seen issues with tacacs single-connect, system accounting and ip domain-lookup.
Thanks for updating the thread.
Jatin Katyal
- Do rate helpful posts -
11-19-2013 03:31 AM
same issue, same fix. thanks a lot!