lni1
Beginner

Tacacs single-connection

Dear Cisco,

 

After running into the session limit (20k) of our ISE 3495, we followed the TACACS recommendation of Cisco TAC to implement the single-connection feature:

We encountered some issues during our POC:

  • We change the config to: tacacs-server host IP single-connection key xxx
  • We try to connect to the switch: NOK (enable & conf mode not possible)
  • When we check the “single-connection” box in ISE of the device everything works fine again.

This seems to happen on all C3560 (12.2(53)SE2)

Is there a Cisco recommendation concerning where to implement this feature?

  • On the switch
  • On ISE
  • Both

Kind regards,

Lieven Stubbe

Infrabel

1 ACCEPTED SOLUTION

I think on both is the correct answer


5 REPLIES
ognyan.totev
Contributor

I think this is expected. You configure the switch single-connection on one side, but if you do not configure the ISE single-connection tick box, it will ignore single-connection from the switch. That's why it works after you check the tick box.

lni1
Beginner

We only have this behaviour on our C3560 devices, so my question remains: on which side do you need to activate the single-connection feature?

 

Lieven


Hello Cisco,

Did some Wireshark and it seems that "both" is the correct answer: when you disable the feature on ISE and/or the switch, the TACACS stream is split into several TCP sessions. When active on both ends, everything is in one TCP session.

 

Kind regards,

Lieven Stubbe

Infrabel
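
The negotiation behind the Wireshark observation above, as an added example that is not part of the original thread: in TACACS+ (RFC 8907) the client (the switch) and the server (ISE) each signal single-connection support with flag bit 0x04 in the header of the first two packets on a TCP connection, and sessions are only multiplexed when both set it. The function names and the sample headers are constructed for illustration.

```python
import struct

# Header layout and flag value from RFC 8907 (TACACS+).
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
SINGLE_CONNECT = 0x04              # TAC_PLUS_SINGLE_CONNECT_FLAG
TYPES = {1: "authen", 2: "author", 3: "acct"}


def parse_header(data):
    """Decode the 12-byte TACACS+ header at the start of a packet."""
    if len(data) < HEADER.size:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != 0xC or ptype not in TYPES:
        raise ValueError("not a TACACS+ packet")
    return {"type": TYPES[ptype], "seq_no": seq_no, "session_id": session_id,
            "single_connect": bool(flags & SINGLE_CONNECT), "length": length}


def negotiation(first_request, first_reply):
    """Classify a TCP connection from the first two TACACS+ packets seen on it."""
    req, rep = parse_header(first_request), parse_header(first_reply)
    if (req["seq_no"], rep["seq_no"]) != (1, 2) or req["session_id"] != rep["session_id"]:
        raise ValueError("not the first request/reply pair of one session")
    if req["single_connect"] and rep["single_connect"]:
        return "negotiated"      # later sessions may reuse this TCP connection
    if req["single_connect"]:
        return "client-only"     # server did not agree: one TCP connection per session
    if rep["single_connect"]:
        return "server-only"     # client never asked, so it need not honour the flag
    return "off"


def sample_header(seq_no, flags, session_id=0x1A2B3C4D):
    """Constructed sample: authentication packet header with an empty body."""
    return HEADER.pack(0xC0, 1, seq_no, flags, session_id, 0)


if __name__ == "__main__":
    # Constructed headers covering each combination of client and server flag.
    for label, client, server in [("both ends", 0x04, 0x04), ("client only", 0x04, 0x00),
                                  ("server only", 0x00, 0x04), ("neither", 0x00, 0x00)]:
        print(label, "->", negotiation(sample_header(1, client), sample_header(2, server)))
```

In a capture, the two inputs are the TCP payloads of the first client packet and the first server reply on a connection to port 49.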

Any issue with the TACACS server running out of resources with single connect if you have thousands of TACACS clients? I'm thinking 10K to 20k clients, each with an open TCP connection when single-connection is configured.

 
