PIX AAA To tacacs server not reliable

mlipsey
Level 1

I've got a couple of different platforms of PIX, 535s and FWSMs mainly all running the latest code. I have them all configured similarly with regards to AAA via tacacs:

aaa-server TACACS protocol tacacs+

aaa-server TACACS host <Removed> key <removed>

username <removed> password <removed> encrypted privilege 15

aaa authentication enable console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa accounting command TACACS

Now, sometimes I can get in with my tacacs account but other times I have to use the local backup account. There seems to be no reason behind it. My routers, all pointing to the same TACACS server, have no issues like this. The PIXs, however, are totally unreliable in this regard.

Anyone experiencing this?

6 Replies

hemendoz
Cisco Employee

Hello mlipsey,

This shouldn't be. Do the ACS logs reveal anything? What about

debug tacacs

debug aaa authentication

Can you send 1000 pings to the tacacs server from your FWs without issue? Any packet loss?

Hope this helps! If so, please rate.

Thanks!

I can ping it no problem; I did a quick thousand with no issue. I did even more and still no issue. There is no connectivity problem. I'm not using Cisco ACS, though; I'm using an open source TAC_Plus on Linux. I will check its logs, but previous checking didn't reveal anything.

viveksantuka
Level 1

A connectivity issue between PIX and ACS.

Try increasing the timeout of the tacacs server.

How do you increase that timeout? I don't see a command for that. I see the command to decrease or increase the time before it tries a dead server, but not the actual timeout value before it considers it dead.

What command are you referring to?

I see

aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]

You can increase the timeout in the aaa-server command:

aaa-server servertag (if_name) host ip key [timeout]
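The two threads of advice above (check for packet loss toward the server, and raise the aaa-server host timeout) are easier to act on with a check that exercises what the firewall actually uses: a TCP connection to the TACACS+ port (TCP/49), rather than ICMP echo, which only shows the host is up. The following script is an added example and is not code from the thread, from Cisco or from the tac_plus project. It repeatedly opens TCP connections to the server with a per-attempt timeout set to the same value you intend to configure on the firewall, and reports failures and handshake latency. The throwaway local listener and the port numbers it binds are constructed stand-ins for a real tac_plus daemon so the example runs offline.

```python
"""Probe a TACACS+ server over TCP/49 and report reachability and latency.

ICMP reachability (the "1000 pings" test) says nothing about whether the
TACACS+ daemon accepts connections, or how long the handshake takes relative
to the firewall's aaa-server timeout. This measures that instead.
"""
import socket
import sys
import threading
import time

TACACS_PORT = 49  # TACACS+ listens on TCP/49


def probe_tacacs_port(host, port=TACACS_PORT, attempts=100, timeout=5.0, interval=0.0):
    """Open `attempts` TCP connections to host:port and return a stats dict.

    `timeout` should mirror the aaa-server host `timeout` value you run (or
    plan to run) on the firewall: an attempt whose TCP handshake takes longer
    than that is counted as a failure, which is roughly what the PIX sees
    before it falls back to the LOCAL method.
    """
    latencies = []   # seconds for each successful handshake
    failures = []    # (attempt index, error) for each failed handshake
    for i in range(attempts):
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass  # handshake completed; nothing is sent to the daemon
            latencies.append(time.monotonic() - start)
        except OSError as exc:
            failures.append((i, repr(exc)))
        if interval:
            time.sleep(interval)  # spread attempts out to catch intermittent loss
    ok = len(latencies)
    return {
        "attempts": attempts,
        "ok": ok,
        "failed": len(failures),
        "loss_pct": round(100.0 * len(failures) / attempts, 1) if attempts else 0.0,
        "max_latency_ms": round(max(latencies) * 1000, 1) if latencies else None,
        "avg_latency_ms": round(sum(latencies) / ok * 1000, 1) if latencies else None,
        "sample_failures": failures[:5],
    }


def start_dummy_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port and return the port.

    Constructed stand-in for a tac_plus daemon: it accepts and closes
    connections so the probe can be exercised with no real server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port(host="127.0.0.1"):
    """Return a local port that currently has no listener (to show a refused connect)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe_tacacs.py <tacacs-host> [timeout-seconds] [attempts]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tmo = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 100
    print(probe_tacacs_port(target, timeout=tmo, attempts=n, interval=0.1))
```

Run it from a host on the same segment as the firewall's inside interface against the tac_plus box with the timeout you have on the aaa-server line. A non-zero loss_pct with clean ICMP, or a max_latency_ms that approaches the timeout, points at the daemon or the path to TCP/49 rather than at the firewall's AAA configuration. Because the probe stops at the TCP handshake and never sends a TACACS+ packet, a daemon that accepts connections but then stalls would still pass; that case shows up in the tac_plus logs and in `debug tacacs` on the firewall instead.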