cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7084
Views
13
Helpful
9
Replies

Command execution get very slow when AAA Authorization enable on ASR 1006

sachin.sg
Level 1
Level 1

Without Authorization , I am able work smoothly with just click on ASR ...., But Once I enable Authorization it takes many secs to move to other command exampe ( If i hit config t or int gi1/0/1 , it   take time to move to next command level) ...

These Authorization issue I am facing only on ASR and for Other Cisco Switches and Router its working fine wiith just a click.

Did any one face such issue , and how it is fix ...

See the Show version for ASR

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2011 by Cisco Systems, Inc.

Compiled Thu 24-Mar-11 23:32 by mcpre

 

Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.

All rights reserved.  Certain components of Cisco IOS-XE software are

licensed under the GNU General Public License ("GPL") Version 2.0.  The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0.  For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

 

ROM: IOS-XE ROMMON

 

NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes

Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes

System returned to ROM by reload

System restarted at 17:47:32 IST Thu Oct 4 2012

System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"

Last reload reason: EHSA standby down

AAA Commands on ASR 1006


aaa new-model


aaa group server tacacs+ tacgroup

server 10.48.128.10

server 10.72.160.10

ip vrf forwarding Mgmt-intf

ip tacacs source-interface GigabitEthernet0

 

aaa authentication login default group tacgroup local

aaa authentication enable default group tacgroup enable

aaa accounting exec default start-stop group tacgroup

aaa accounting commands 1 default start-stop group tacgroup

aaa accounting commands 15 default start-stop group tacgroup

aaa accounting connection default start-stop group tacgroup

aaa accounting system default start-stop group tacgroup

aaa authorization commands 0 default group tacgroup none

aaa authorization commands 1 default group tacgroup none

aaa authorization commands 15 default group tacgroup none


aaa session-id common

 

tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166

tacacs-server key 7 053B071C325B411B1D25464058

9 Replies 9

vrz rrr
Level 1
Level 1

Have you tried to downgrade the IOS version ?

Back to good old 12...

regards.

V.

No I have  not Downgrade , is it bug on version 15.1(2) ...

Please confirm

Can any one suggest any alternative solutions

then try another 15.x and let us know.

I think your issue maybe related to your tacacs server. If you  re-order the two servers (typically a 5 second timer before failover  occurs) and see if that improves your performance:

You  can try to debug the issue by referring to the command reference  guide....i.e. debug tacacs...you can also try to telnet to both ip  address to port 49 to see if the connection opens, in order to rule out  issues where a firewall or routing to one of the tacacs servers is  failing. I also noticed you have the shared secret and tacacs server  defined for one of the servers, is the sam present for the other server  that is in the server group?

server 10.48.128.10

server 10.72.160.10

to

server 10.72.160.10

server 10.48.128.10

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi

     I am able to do Authentication properly , but when i add Authorization commands .. it also works ok but the response to excecute any commands is very slow ..

Example Without Authorization command

show < and any commands > works smoothly

But With Autorization command

show  < and any commands > works with very slow response .. but gives the required result.

This issue is only for Cisco ASR router only , other Cisco Devices works ok with Authorization

No Firewall involved

hello !

The same trouble with Cisco 7206VXR: IOS "c7200-advipservicesk9-mz.151-4.M2.bin", with other devices the tacas works fine

Dumitru Otel
Level 1
Level 1

hello,

I found the answer on the this post https://supportforums.cisco.com/thread/2174266

Checked with "#debug aaa accounting" if ip domain-lookup is active and disable it !

Jun 20 08:56:07.280: Domain: query for 202.200.200.10.in-addr.arpa. type 12 to 255.255.255.255

Now all works fine !!!

Thanks you !!!

I've even seen issues with tacacs single-connect, system accounting and ip domain-lookup.

Thanks for updating the thread.

Jatin Katyal
- Do rate helpful posts -

~Jatin

same issue, same fix. thanks a lot!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: