Configuration commands take a long time to display

ccsam
Level 1

When I shut down the primary ACS service, authentication and accounting take a long time to process. Is this normal? Whenever a new command is entered, it takes some time to display after the command authorization. The time taken is almost the same as the configured timeout.

The primary ACS is working fine without any delay if it's up and running.

Is there anything that I can do to fine-tune this?

Here is the configuration that I have:

aaa new-model
aaa group server tacacs+ ACSSE
server-private 192.168.128.28 key abcacs01
server-private 192.168.136.35 key abcacs01
ip tacacs source-interface bvi1
aaa authentication login default group ACSSE line
aaa authentication enable default enable
aaa authorization exec default group ACSSE if-authenticated
aaa authorization commands 15 default group ACSSE if-authenticated
aaa authorization config-commands
aaa accounting update newinfo
aaa accounting exec default start-stop group ACSSE
aaa accounting commands 15 default start-stop group ACSSE
aaa accounting connection default start-stop group ACSSE
aaa accounting system default start-stop group ACSSE
tacacs-server timeout 10

The software version:

c2800nm-adventerprisek9-mz.124-11.T3.bin

3 Replies

mchin345
Level 6

I think there are no issues in your configuration. For more help:

Use this: Cisco Secure Access Control Server for Windows Troubleshoot and Alerts

http://www.cisco.com/en/US/products/sw/secursw/ps2086/tsd_products_support_troubleshoot_and_alerts.html

Chee

Your description of the issue sounds like your router is sending its request to the first TACACS server and is waiting for a response, but it does not receive a response. So it waits for the timeout, and when the first request times out it sends the request to the second server.

If the router received an immediate answer or if it could not establish a connection to the primary server then you would not have the delay. You might be able to confirm this by running debug tacacs authentication or debug tacacs accounting. I believe that you will see your router send a request to the primary and then not receive a response (or it may receive some response which it does not interpret as not available).

If you want to tune this you could adjust the timeout value to a shorter value. But I believe that a better solution would be to figure out why the server is not sending any response.

HTH

Rick
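
The distinction drawn in the reply above (a connection that fails at once versus a request that gets no response) can be checked from a management host with a small probe. This is an added example, not part of the original thread: the function name classify_tacacs_server, the state names and the session_id value are constructed for illustration, and it assumes a live TACACS+ daemon either replies to or closes a connection that sends a bare header.

```python
import socket
import struct
import sys
import time

TACACS_PORT = 49  # TACACS+ listens on TCP/49


def classify_tacacs_server(host, port=TACACS_PORT, timeout=10.0):
    """Return (state, seconds): how the server answers, or fails to, within timeout."""
    start = time.monotonic()

    def elapsed():
        return round(time.monotonic() - start, 2)

    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", elapsed()          # RST came back: failure is visible at once
    except socket.timeout:
        return "connect-timeout", elapsed()  # SYN went unanswered for the full timeout
    except OSError:
        return "unreachable", elapsed()      # no route, ICMP error, and so on
    with sock:
        # Minimal 12-byte TACACS+ header: version 0xC0, type 1 (authentication),
        # seq_no 1, flags 0, constructed session_id, body length 0.
        # Assumption: a live daemon replies or closes; a hung one does neither.
        header = struct.pack("!BBBBII", 0xC0, 1, 1, 0, 0x12345678, 0)
        try:
            sock.sendall(header)
            data = sock.recv(12)
        except socket.timeout:
            return "accepted-silent", elapsed()  # TCP is up but nothing answers
        except OSError:
            return "closed", elapsed()           # reset while waiting
        return ("responded" if data else "closed"), elapsed()


# States in which a client sits out the whole timeout before trying the next server.
SLOW_FAILOVER = {"connect-timeout", "accepted-silent"}

if __name__ == "__main__":
    # Usage: python probe.py <server-ip> [timeout-seconds]
    target = sys.argv[1]
    wait = float(sys.argv[2]) if len(sys.argv) > 2 else 10.0
    state, secs = classify_tacacs_server(target, timeout=wait)
    note = "client waits out the timeout" if state in SLOW_FAILOVER else "no timeout wait"
    print(f"{target}: {state} after {secs}s ({note})")
```

Run it against the primary server while the ACS service is stopped: a result of connect-timeout or accepted-silent matches the delay described in the question, while refused means the failure is visible immediately.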

Hi Rick,

Thanks for your reply. I will try to capture the debug message to find out further.

regards,

Sam