Solved: Re: Tacacs single-connection

lni1 · ‎12-17-2018

Dear Cisco,

After running into the session limit (20k) of our ISE 3495, we followed tacacs recommendation of Cisco TAC to implement single-connection feature:

We encountered some issues during our POC:

We change the config to : tacacs-server host IP single-connection key xxx
We try to connect to the switch : NOK (enable & conf mode not possible)
When we check the “single-connection” box in ISE of the device everything works fine again.

This seems to happen on all C3560 (12.2(53)SE2)

Is there Cisco recommendation concerning where to implement this feature?

On the switch
On ISE
Both

Kind regards,

Lieven Stubbe

Infrabel

ognyan.totev · ‎12-17-2018

I think on both is correct answer

View solution in original post

ognyan.totev · ‎12-17-2018

I think this is expected. You configure the switch single-connection to one side but if you not configure the ISE single connection tick box it will ignore single connection from switch . Thats why it work after you check the tick box.

lni1 · ‎12-17-2018

We only have this behaviour on our C3560 devices, so my question remains: on which side do you need to activate the single-connection feature?

Lieven

ognyan.totev · ‎12-17-2018

I think on both is correct answer

lni1 · ‎12-20-2018

Hello Cisco,

Did some Wireshark and it seems that "both" is the correct answer, when you disable the feature on ISE and/or Switch the TACACS stream is split in several TCP sessions. When active on both ends, everything is in one TCP session.

Kind regards,

Lieven Stubbe

Infrabel

kevink707 · ‎08-15-2019

Any issue with the TACACs server running out of resources with single connect if you have thousands of TACACS clients? I'm thinking 10K to 20k clients, each with a an open TCP connections when single-connection configured.