slow CLI response after implementing TACACS

After implementing TACACS, one of our routers takes about 8 seconds to respond to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well. Has anyone had the same issue or any suggestions?


Re: slow CLI response after implementing TACACS

Are you using a username that is present on the tacacs server and the local db?

My guess is your shared secret is wrong and you could have authenticated using the same account in the local db. Also how many tacacs servers are you using?

Sent from Cisco Technical Support Android App

Tarik Admani
*Please rate helpful posts*

Re: slow CLI response after implementing TACACS

Thanks Tarik, but that's not the case. I'm able to find the AAA logs on the ACS server, everything looks good on the server side. We have other devices with the same configuration, but this only happens on one device.


Re: slow CLI response after implementing TACACS

Are you using single connect in your tacacs configuration? Can you issue show run | inc aaa and show run | inc tacacs? When you run "test aaa authentication group tacacs" (use ? and Tab to build the command correctly), see if it takes long for the authentication.

What version and hardware are you on?

Sent from Cisco Technical Support Android App

Tarik Admani
*Please rate helpful posts*

slow CLI response after implementing TACACS

Tarik, thanks for the quick reply. I found the cause. It was the reverse DNS lookup.

I turned on debug on the router: debug aaa accounting

and found a message: "Domain: query for x.x.x.x.in-addr.arpa. type 12 to 255.255.255.255"

Then I issued the command: no ip domain-lookup

Everything is back to normal.
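
The debug message quoted in the post above is a PTR (type 12) reverse-lookup query sent to the broadcast address. As an added example (not part of the original thread), this Python sketch scans captured debug output for that pattern and reports which addresses the device is trying to reverse-resolve; the line format is assumed from the quoted message and the sample lines are constructed.

```python
import ipaddress
import re

# Message shape assumed from the debug line quoted in the post:
#   Domain: query for <name>.in-addr.arpa. type <n> to <server>
QUERY_RE = re.compile(
    r"Domain: query for (?P<name>\S+?)\.? type (?P<qtype>\d+) "
    r"to (?P<server>\d+\.\d+\.\d+\.\d+)"
)
PTR = 12                       # DNS record type 12 = PTR (reverse lookup)
BROADCAST = "255.255.255.255"  # destination seen in the quoted message

# Constructed sample lines (documentation addresses, not from the thread).
SAMPLE = [
    "Domain: query for 10.2.0.192.in-addr.arpa. type 12 to 255.255.255.255",
    "Domain: query for 10.2.0.192.in-addr.arpa. type 12 to 255.255.255.255",
    "Domain: query for 10.2.0.192.in-addr.arpa. type 12 to 192.0.2.53",
    "Domain: query for acs.example.test. type 1 to 255.255.255.255",
]


def ptr_name_to_ip(name):
    """Map '10.2.0.192.in-addr.arpa' to '192.0.2.10'; None if not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    lowered = name.lower().rstrip(".")
    if not lowered.endswith(suffix):
        return None
    labels = lowered[: -len(suffix)].split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None  # e.g. a redacted name such as x.x.x.x.in-addr.arpa


def find_broadcast_ptr_queries(lines):
    """Count PTR queries sent to the broadcast address, keyed by the IP being resolved."""
    findings = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or int(m.group("qtype")) != PTR or m.group("server") != BROADCAST:
            continue  # not a reverse lookup, or it went to a unicast resolver
        ip = ptr_name_to_ip(m.group("name"))
        if ip is not None:
            findings[ip] = findings.get(ip, 0) + 1
    return findings


if __name__ == "__main__":
    for ip, count in find_broadcast_ptr_queries(SAMPLE).items():
        print(f"{count} broadcast PTR queries for {ip}")
```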


slow CLI response after implementing TACACS

Hello Jerry Cao!

You are right, I have solved this with "no ip domain-lookup"

Thank you!!!


I'm having the same issue on

I'm having the same issue on a Cisco Wide Area Application Services (universal-k9) Software Release 5.3.1 (build b20 Aug  4 2013) Version: oe294-5.3.1.20. It will not authenticate with TACACS and is taking up to 2 minutes for CLI commands to respond. I have several other Cisco WANX NM-SRE910 devices using the same configuration and they are working fine. I've included a snippet of the config below. Any help would be greatly appreciated.

tacacs key ****
tacacs timeout 15
tacacs host 10.2.100.100 primary
tacacs host 10.2.100.101
aaa accounting exec default start-stop tacacs
aaa accounting commands 15 default start-stop tacacs
authentication login tacacs enable primary
authentication configuration tacacs enable primary
authentication login local enable secondary
authentication configuration local enable secondary
authentication fail-over server-unreachable
aaa authorization commands 15 default tacacs+

 

Thanks,

JD Canty

Network Engineer GLS, Inc.

jcanty@gls.com

704-973-6829