Solved: TACACS+ Queueing AAA Authentication

Danny Morris · ‎06-14-2013

Hello,

I have recently upgraded the IOS on my 3560X to 15.0(2)SE3 and I am having trouble getting TACACS to work correctly. This was working correctly on this device before I upgraded the IOS so I am not sure what happened. I made some other changes as well (management IP change, and other config clean up) so I am not 100% sure the issue was with the IOS. I have this exact same config on several other Cisco devices and it works fine. Any thoughts are appreciated.

Config:

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

ip tacacs source-interface Vlan1

tacacs-server host

ip tacacs source-interface Vlan1
tacacs-server host 10.x.x.x key ***********************

Debugs:

TPLUS: Queuing AAA Authentication request 88 for processing

I never get anything past queueing. I cannot find a way to clear the queue either.

I have to disable the uplink port and reboot the switch to even get into the console port. At that point, I get 1 authentication attempt (debug shown below) before I get to the queueing messages.

Mar 29 21:34:36.864 CDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Mar 29 21:40:48.068 CDT: TPLUS: Queuing AAA Authentication request 47 for processing

Mar 29 21:40:48.068 CDT: TPLUS: processing authentication start request id 47

Mar 29 21:40:48.068 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)

Mar 29 21:40:48.068 CDT: TPLUS: Using server 10.x.x.x

Mar 29 21:40:48.068 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: Started 5 sec timeout

Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: got immediate connect on new 0

Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE/68F4CBC: Started 5 sec timeout

Mar 29 21:40:48.077 CDT: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0

Mar 29 21:40:48.077 CDT: T+: session_id 912650955 (0x3665F2CB), dlen 32 (0x20)

Mar 29 21:40:48.077 CDT: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii

Mar 29 21:40:48.077 CDT: T+: svc:LOGIN user_len:11 port_len:4 (0x4) raddr_len:9 (0x9) data_len:0

Mar 29 21:40:48.077 CDT: T+: user: (**USERNAME**)

Mar 29 21:40:48.077 CDT: T+: port: tty1

Mar 29 21:40:48.077 CDT: T+: rem_addr: 10.y.y.y

Mar 29 21:40:48.077 CDT: T+: data:

Mar 29 21:40:48.077 CDT: T+: End Packet

Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE: write to 10.x.x.x failed with errno 257((ENOTCONN))

Mar 29 21:40:48.077 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)

Mar 29 21:40:48.077 CDT: TPLUS(0000002F): Start write failed

Mar 29 21:43:01.976 CDT: %SYS-5-CONFIG_I: Configured from console by dcmorris on console

Mar 29 21:43:08.057 CDT: TPLUS: Queuing AAA Authentication request 48 for processing

Mar 29 21:45:24.842 CDT: TPLUS: Queuing AAA Authentication request 49 for processing

Mar 29 21:48:52.494 CDT: TPLUS: Queuing AAA Authentication request 50 for processing

Jatin Katyal · ‎06-14-2013

You may want to take a look here

https://supportforums.cisco.com/message/3965551#3965551

Jatin Katyal

- Do rate helpful posts -

~Jatin

View solution in original post

Jatin Katyal · ‎06-14-2013

You may want to take a look here

https://supportforums.cisco.com/message/3965551#3965551

Jatin Katyal

- Do rate helpful posts -

~Jatin

Danny Morris · ‎06-14-2013

Thank you for the information. I am downgrading the IOS now.