04-20-2008 08:04 PM - edited 03-10-2019 03:48 PM
When I shut down the primary ACS service, authentication and accounting take a long time to process. Is that normal? Whenever a new command is entered, it takes some time to display after the command authorization. The time taken is almost the same as the timeout configured.
The primary ACS is working fine without any delay if it's up and running.
Is there anything that I can do to fine-tune it?
Here is the configuration that I have:
aaa new-model
aaa group server tacacs+ ACSSE
server-private 192.168.128.28 key abcacs01
server-private 192.168.136.35 key abcacs01
ip tacacs source-interface bvi1
aaa authentication login default group ACSSE line
aaa authentication enable default enable
aaa authorization exec default group ACSSE if-authenticated
aaa authorization commands 15 default group ACSSE if-authenticated
aaa authorization config-commands
aaa accounting update newinfo
aaa accounting exec default start-stop group ACSSE
aaa accounting commands 15 default start-stop group ACSSE
aaa accounting connection default start-stop group ACSSE
aaa accounting system default start-stop group ACSSE
tacacs-server timeout 10
The software version:
c2800nm-adventerprisek9-mz.124-11.T3.bin
04-25-2008 06:01 AM
I think there are no issues in your configuration. For more help, use this:
Cisco Secure Access Control Server for Windows Troubleshoot and Alerts
04-25-2008 08:07 AM
Chee
Your description of the issue sounds like your router is sending its request to the first TACACS server and is waiting for a response, but it does not receive a response. So it waits for the timeout, and when the first request times out it sends the request to the second server.
If the router received an immediate answer or if it could not establish a connection to the primary server then you would not have the delay. You might be able to confirm this by running debug tacacs authentication or debug tacacs accounting. I believe that you will see your router send a request to the primary and then not receive a response (or it may receive some response which it does not interpret as not available).
If you want to tune this you could adjust the timeout value to a shorter value. But I believe that a better solution would be to figure out why the server is not sending any response.
HTH
Rick
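The two failure cases described in the reply above (connection cannot be established versus connection accepted but no response) can be told apart from a management host with a small probe. This is an added example, not part of the original posts or of any Cisco tooling; `probe` and `demo` are hypothetical names, the header-only packet is a constructed probe, and nothing is assumed about how ACS answers it beyond whether any bytes come back.

```python
import socket
import struct
import time

def probe(host, port=49, timeout=10.0):
    """Return (state, seconds) for one TACACS+ server as a client sees it.

    'refused' and 'closed' fail fast, so a client can move to the next server;
    'connect-timeout' and 'silent' hold the client for the full timeout.
    """
    # Constructed header-only TACACS+ packet (RFC 8907 layout): version 0xc0,
    # type 1 (authentication), seq 1, flags 0x01, session id, body length 0.
    header = struct.pack("!BBBBII", 0xC0, 0x01, 1, 0x01, 0x1234ABCD, 0)
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "connect-timeout", time.monotonic() - start
    except OSError:
        return "unreachable", time.monotonic() - start
    with sock:
        try:
            sock.sendall(header)
            data = sock.recv(12)  # any reply bytes at all are enough
        except socket.timeout:
            return "silent", time.monotonic() - start
        except OSError:
            return "closed", time.monotonic() - start
    return ("replied" if data else "closed"), time.monotonic() - start

def demo():
    """Constructed local stand-ins, so the example runs offline."""
    silent = socket.socket()          # accepts TCP but never answers
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    closed = socket.socket()          # bound then closed: connects are refused
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()
    try:
        return {"silent": probe("127.0.0.1", silent.getsockname()[1], 1.0),
                "refused": probe("127.0.0.1", closed_port, 1.0)}
    finally:
        silent.close()

if __name__ == "__main__":
    for name, (state, secs) in demo().items():
        print(f"{name}: {state} after {secs:.2f}s")
```

Run against the primary server with the same timeout the router uses, a `silent` or `connect-timeout` result taking the full timeout matches the delay reported in the question.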
04-28-2008 08:14 PM
Hi Rick,
Thanks for your reply. I will try to capture the debug message to find out further.
regards,
Sam