Solved: Tacacs single-connection - Cisco Community

5109

Views

0

Helpful

5

Replies

Dear Cisco,

After running into the session limit (20k) of our ISE 3495, we followed tacacs recommendation of Cisco TAC to implement single-connection feature:

We encountered some issues during our POC:

We change the config to : tacacs-server host IP single-connection key xxx
We try to connect to the switch : NOK (enable & conf mode not possible)
When we check the “single-connection” box in ISE of the device everything works fine again.

This seems to happen on all C3560 (12.2(53)SE2)

Is there Cisco recommendation concerning where to implement this feature?

On the switch
On ISE
Both

Kind regards,

Lieven Stubbe

Infrabel

1 Accepted Solution

Accepted Solutions

I think on both is correct answer

View solution in original post

5 Replies 5

I think this is expected. You configure the switch single-connection to one side but if you not configure the ISE single connection tick box it will ignore single connection from switch . Thats why it work after you check the tick box.

We only have this behaviour on our C3560 devices, so my question remains: on which side do you need to activate the single-connection feature?

Lieven

I think on both is correct answer

Hello Cisco,

Did some Wireshark and it seems that "both" is the correct answer, when you disable the feature on ISE and/or Switch the TACACS stream is split in several TCP sessions. When active on both ends, everything is in one TCP session.

Kind regards,

Lieven Stubbe

Infrabel

Any issue with the TACACs server running out of resources with single connect if you have thousands of TACACS clients? I'm thinking 10K to 20k clients, each with a an open TCP connections when single-connection configured.

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community