09-27-2019 08:17 AM - edited 02-21-2020 11:10 AM
ISE 2.4 Patch 9
I've successfully used TACACS with no issues until all of a sudden I came to work one day and TACACS wouldn't work on any device I tried accessing and logs no longer appeared in operations>tacacs live logs. The only changes made prior to me noticing this were that my primary PSN was out of sync when I came in, so I just manually synced it back to my deployment, AND I installed new product licenses because my existing ones were about to expire in a few days. I deleted the old licenses after installing the new ones.
Would any of the above cause TACACS to stop working? I did a packet capture and plain as day saw my network devices still sending tacacs requests, but not getting any response from ISE. I ended up having to reload the PSN to get it working again but my concern is finding out what caused the issue. Would a license update or deletion (even though new ones are installed) to the device admin license cause it? Would a sync issue break it?
09-27-2019 10:00 AM
09-27-2019 09:04 AM
09-27-2019 10:00 AM
09-27-2019 10:04 AM
Hi Damien,
Got a TAC case open. In my case authentication, authorization, and accounting stopped working. You didn't even see failures pop up in the logs. That's when I got real nervous. Then, I did debugs on various network devices that used ISE for TACACS and they all showed the same. TACACS request sent, no response back. So in short, I never even got as far as authentication failure because no logs showed and no response ever came back to the devices.
09-27-2019 10:39 AM
09-29-2019 09:56 AM - edited 09-29-2019 09:57 AM
ISE 2.4 Patch 10 was posted on Sept 27, 2019, and the bug fix for CSCvq73457 is included.
09-27-2019 10:31 AM
My guess would be that during the sync, the services were restarted and the TACACS+ service didn't start up completely or got hung. Next time (hope it doesn't happen again), try to check to see if all of the services are running before reloading. At this point, all you can really do is work with TAC to see if they can find anything in the past system logs.
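An added example, not part of the thread and not Cisco code: a small Python probe a monitoring job could run against each PSN to catch the symptom described above (TACACS+ request sent, no response, nothing in the live logs) before users hit it. The PSN address, shared secret, `healthcheck` user and `probe` port name are placeholders; the packet layout follows RFC 8907.

```python
import hashlib
import os
import socket
import struct

def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pseudo-random pad: chained MD5 over session_id, key, version, seq_no."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def build_authen_start(session_id, key, user=b"healthcheck"):
    """Authentication START (ASCII login) packet, body obfuscated with the shared key."""
    port = b"probe"  # placeholder port name reported to the server
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then field lengths
    body = bytes([1, 1, 1, 1, len(user), len(port), 0, 0]) + user + port
    pad = tacacs_pad(session_id, key, 0xC0, 1, len(body))
    body = bytes(a ^ b for a, b in zip(body, pad))
    # header: version 0xC0, type 1 (authentication), seq_no 1, flags 0
    return struct.pack("!BBBBII", 0xC0, 1, 1, 0, session_id, len(body)) + body

def probe(host, key, port=49, timeout=3.0):
    """Classify a TACACS+ server as 'unreachable', 'silent', 'closed', 'malformed'
    or 'replied'. 'silent' and 'unreachable' both match a no-response symptom."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_authen_start(session_id, key))
            try:
                data = s.recv(12)
            except socket.timeout:
                return "silent"        # TCP accepted, but no TACACS+ answer
            except ConnectionError:
                return "closed"        # reset by the server
    except OSError:
        return "unreachable"           # refused, timed out or no route
    if not data:
        return "closed"                # server closed without answering
    if len(data) < 12:
        return "malformed"
    _ver, ptype, seq, _flags, sid, _len = struct.unpack("!BBBBII", data)
    ok = ptype == 1 and seq == 2 and sid == session_id
    return "replied" if ok else "malformed"

if __name__ == "__main__":
    # Placeholder PSN address and shared secret; replace before use.
    print(probe("192.0.2.10", b"example-shared-secret"))
```

The probe host has to be defined in ISE as a network device with the same shared secret; otherwise a healthy node may drop the request and the probe will report `silent` or `closed`.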
09-27-2019 10:43 AM