slow CLI response after implementing TACACS

Jerry Cao
Level 1

After implementing TACACS, one of our routers takes about 8 seconds to respond to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well. Anyone had the same issue or any suggestions?

6 Replies

Tarik Admani
VIP Alumni

Are you using a username that is present on the tacacs server and the local db?

My guess is your shared secret is wrong and you could have authenticated using the same account in the local db. Also how many tacacs servers are you using?


Thanks Tarik, but that's not the case. I'm able to find the AAA logs on the ACS server, everything looks good on the server side. We have other devices with the same configuration, but this only happens on one device.

Tarik Admani
VIP Alumni

Are you using single connect in your tacacs configuration? Can you issue show run | inc aaa and show run | inc tacacs? When you run "test aaa authentication group tacacs" (use ? and Tab to build the command correctly), see if it takes long for the authentication.

What version and hardware are you on?


Tarik, thanks for the quick reply. I found the cause. It was the reverse DNS lookup.

I turned on debug on the router: debug aaa accounting

and found a message: "Domain: query for x.x.x.x.in-addr.arpa. type 12 to 255.255.255.255"

Then I issued the command: no ip domain-lookup

Everything is back to normal.

Hello Jerry Cao!

You are right, I have solved this with "no ip domain-lookup".

Thank you!!!

7tclark
Level 1

I'm having the same issue on a Cisco Wide Area Application Services (universal-k9) Software Release 5.3.1 (build b20 Aug 4 2013) Version: oe294-5.3.1.20. It will not authenticate with TACACS and is taking up to 2 minutes for CLI commands to respond. I have several other Cisco WANX NM-SRE910 devices using the same configuration and they are working fine. I've included a snippet of the config below. Any help would be greatly appreciated.

 

tacacs key ****
tacacs timeout 15
tacacs host 10.2.100.100 primary
tacacs host 10.2.100.101
aaa accounting exec default start-stop tacacs
aaa accounting commands 15 default start-stop tacacs
authentication login tacacs enable primary
authentication configuration tacacs enable primary
authentication login local enable secondary
authentication configuration local enable secondary
authentication fail-over server-unreachable
aaa authorization commands 15 default tacacs+

 

Thanks,

JD Canty

Network Engineer GLS, Inc.

jcanty@gls.com

704-973-6829