
"write to 11.1.1.5 failed with errno 257((ENOTCONN))"

kanchand
Cisco Employee

I have an ACS 5.0 and a router C5940, and tried to authenticate it. When I run debug tacacs, the router displays "write to 11.1.1.5 failed with errno 257((ENOTCONN))". The connectivity is OK but the request doesn't arrive at the ACS; the other devices work OK with the same configuration. I need to know if there is a solution for this issue. Why am I facing the issue in the TACACS+ config alone, whereas RADIUS is working fine for the same device?

thanks for your help,

6 Replies

Jagdeep Gambhir
Level 10

Hi,


The issue can be due to single-connection. Disable it if you have that enabled.


Regards,
~JG


Hi,

I have not enabled it.

I am getting these messages when I turned on TACACS+ debug on the router:

*Mar  1 21:31:58.654: AAA/AUTHEN/START (4071980044): Method=tacacs+ (tacacs+)
*Mar  1 21:31:58.654: TAC+: send AUTHEN/START packet ver=192 id=-222987252
*Mar  1 21:31:58.654: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar  1 21:31:58.654: TAC+: Opening TCP/IP to 11.1.1.5/49 timeout=60
*Mar  1 21:31:58.658: TAC+: TCP/IP open to 11.1.1.5/49 failed -- Connection refused by remote host
*Mar  1 21:31:58.658: AAA/AUTHEN (4071980044): status = ERROR
*Mar  1 21:31:58.658: AAA/AUTHEN/START (4071980044): Method=ENABLE
*Mar  1 21:31:58.658: AAA/AUTHEN (4071980044): status = GETPASS
5940router#
*Mar  1 21:32:00.454: AAA/AUTHEN/CONT (4071980044): continue_login (user='(undef)')

Thanks

kanchana
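
The debug output in the post above shows the session moving to Method=ENABLE as soon as the TCP open to port 49 fails, which is worth flagging whenever it appears in collected router logs. As an added example that is not part of the original thread, the Python below scans such debug output and reports each AAA session where TACACS+ errored and another method took over; the function name and the sample lines (modelled on the post, wrapped lines rejoined) are constructed for illustration.

```python
import re

# Constructed sample, modelled on the debug output quoted in the post above
# (terminal-wrapped lines rejoined).
SAMPLE = """\
*Mar  1 21:31:58.654: AAA/AUTHEN/START (4071980044): Method=tacacs+ (tacacs+)
*Mar  1 21:31:58.654: TAC+: Opening TCP/IP to 11.1.1.5/49 timeout=60
*Mar  1 21:31:58.658: TAC+: TCP/IP open to 11.1.1.5/49 failed -- Connection refused by remote host
*Mar  1 21:31:58.658: AAA/AUTHEN (4071980044): status = ERROR
*Mar  1 21:31:58.658: AAA/AUTHEN/START (4071980044): Method=ENABLE
*Mar  1 21:31:58.658: AAA/AUTHEN (4071980044): status = GETPASS
"""

START = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\S+)")
STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
TCP_FAIL = re.compile(r"TAC\+: TCP/IP open to (\S+)/(\d+) failed -- (.+)")


def find_fallbacks(text):
    """Return one record per AAA session that left tacacs+ after status = ERROR."""
    sessions = {}   # session id -> current method, error flag, TCP failure
    active = None   # TAC+ lines carry no session id: tie them to the latest tacacs+ START
    findings = []
    for line in text.splitlines():
        if m := START.search(line):
            sid, method = m[1], m[2]
            prev = sessions.get(sid)
            if prev and prev["method"] == "tacacs+" and prev["error"] and method != "tacacs+":
                findings.append({"session": sid, "fallback": method, "tcp": prev["tcp"]})
            sessions[sid] = {"method": method, "error": False, "tcp": None}
            active = sid if method == "tacacs+" else None
        elif m := TCP_FAIL.search(line):
            if active in sessions:
                sessions[active]["tcp"] = (m[1], int(m[2]), m[3].strip())
        elif m := STATUS.search(line):
            if m[1] in sessions and m[2] == "ERROR":
                sessions[m[1]]["error"] = True
    return findings


if __name__ == "__main__":
    for f in find_fallbacks(SAMPLE):
        print(f"session {f['session']}: tacacs+ failed {f['tcp']}, fell back to {f['fallback']}")
```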

Could you check if ACS is reachable from the router? Are there any other devices between ACS and the router? It seems port 49 is not responding. Also check the access policy on ACS to see the hit counts.

Yes the router is reachable...


Also, I tried a sniffer on the network and confirmed that the client/router is sending traffic to port 49 on ACS. ACS does not send to port 49 on the client but to the source port for the original message.

In fact, I checked on another router also, same configuration. Facing the same issue.

Please someone help me

Router:C5940 Software (C5940-ADVENTERPRISEK9-M), - Version 12.4

Thanks

kanchana

p.eschbach
Level 1

Had the same problem.  Just needed to use the ip tacacs source-interface command and source the packets from my loopback so they weren't coming from the serial.

Mohamed_
Level 1

I had the same problem. At the TACACS server make sure you're using the same key you used at the TACACS client.

(/etc/tacacs+/tac_plus.conf)

The key I had configured in tac_plus.conf was (key = cisco).

I just removed the spaces and the problem was gone (key=cisco).

Good luck :)