Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
258
Views
0
Helpful
2
Replies

2 isr4k site do not connect to ISE TACACS

billmoise
Level 1
Level 1

‎07-12-2024 04:59 PM

I have an issue where there are 2 site in Japan do no connect to TACACS. We're running TACACS on the ISE deployment. We're pointing the two isr4k's to the PSN nodes at the HQ. We do a packet capture, at HQ headend device,  and see the back and forth traffic. However if you look in the TACACS live log you see nothing related to the isr4k IP address and when you do a debug on the 2 isr4k devices you see connection time out to the ISE PSN

I can ping and traceroute to the PSN fine from the 2 isr4k devices. I though it was an ISP issue but they're able to do a capture and see the traffic going back and forth. 

Here are some lines from the debug

012475: Jul 9 23:56:01.633: TPLUS: Queuing AAA Accounting request 55 for processing
012476: Jul 9 23:56:01.634: TPLUS: processing accounting request id 55
012477: Jul 9 23:56:01.634: TPLUS: Sending AV task_id=4206
012478: Jul 9 23:56:01.634: TPLUS: Sending AV timezone=JAP
012479: Jul 9 23:56:01.634: TPLUS: Sending AV service=shell
012480: Jul 9 23:56:01.634: TPLUS: Sending AV start_time=1720536961
012481: Jul 9 23:56:01.634: TPLUS: Accounting request created for 55(NexTeam)
012482: Jul 9 23:56:01.634: TPLUS: Using server 10.x.x.60
012483: Jul 9 23:56:01.634: TPLUS: Source IP selected is: 10.x.x.1
012484: Jul 9 23:56:01.635: TPLUS(00000037)/0/NB_WAIT/7FC85ED341A8: Started 1 sec timeout
012485: Jul 9 23:56:02.634: TPLUS(00000037)/0/NB_WAIT/7FC85ED341A8: timed out
012486: Jul 9 23:56:02.635: TPLUS(00000037)/0/NB_WAIT/7FC85ED341A8: timed out, clean up
012487: Jul 9 23:56:02.635: TPLUS(00000037)/0/7FC85ED341A8: Processing the reply packet
012488: Jul 9 23:56:06.569: TAC+: Using default tacacs server-group "ISE-T" list.
012489: Jul 9 23:56:06.569: % TAC+: Index :1 | Count : 0

012490: Jul 9 23:56:06.569: % TAC+:server handle : DD000006

012491: Jul 9 23:56:06.569: % TAC+:server name : ISEHQ2
012492: Jul 9 23:56:06.569: % TAC+:server addr : 10.x.x.186

012493: Jul 9 23:56:06.569: TAC+: Opening TCP/IP to 10.x.x.186/49 timeout=3
012494: Jul 9 23:56:07.570: TAC+: TCP/IP open to 10.x.x.186/49 failed -- Connection timed out; remote host not responding
012495: Jul 9 23:56:07.570: % TAC+: Index :2 | Count : 2

#ping 10.x.x.186
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.186, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 180/180/181 ms

Labels:
0 Helpful
2 Replies 2

MHM Cisco World
VIP
VIP

‎07-12-2024 05:38 PM

When add device to ISE you use specific IP

Try ping ISE using this IP

It can the router use IP different than what ISE add or there is FW drop traffic to ISE from specific IP

MHM

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎07-13-2024 07:06 AM

Did you specify a source address on the isr4k for tacacs? If not it might be helpful to configure a source address for tacacs on the isr4k.

Can you verify that ISE has entries for the new isr4K using the IP that they use?

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card