
LMS 3.2 netconfig poor performance

markschnabel
Enthusiast

We are seeing timeouts, commands being skipped, the error message "command authorization failed", and very slow execution while running netconfig ad-hoc commands on 3750s.

It seems that many of the problems occur with the interface range command.

We have aaa running on the 3750's and think that command authorization might be part of the problem, but smaller changes execute without problem.

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Has anyone also encountered this type of issue?

thanks

Mark


Joe Clarke
Hall of Fame Cisco Employee

There are no known performance problems with Netconfig on LMS 3.2.  It sounds like command authorization could be the culprit.  We have seen cases in the past where it takes quite a few seconds to verify the command is authorized on the AAA server.  The more commands you have, the more this time adds up.

Would it be possible to temporarily disable this on one device for testing?

--

Please support CSC Helps Haiti

https://supportforums.cisco.com/docs/DOC-8895

https://supportforums.cisco.com

We found that removing aaa authorization config-commands appears to have solved the problem. We run a job to remove the command, run the config changes, then re-apply the command.

Joe Clarke
Hall of Fame Cisco Employee

It might be worth investigating why this is happening.  It could be due to network latency between the LMS and the AAA server.  You could measure this using an IP SLA TCP connect operation from one affected IOS device to the AAA server (on tcp/49).  While it won't measure the TACACS+ protocol itself, it will tell you how long the TCP handshake is taking.  After that, you could look at AAA server statistics to see if the server is too bogged down.  If you're using an external database, perhaps there is some latency there which can be fixed.

--

Please support CSC Helps Haiti

https://supportforums.cisco.com/docs/DOC-8895

https://supportforums.cisco.com
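
An added example, not code from the thread or from any poster: a host-side counterpart to the TCP connect measurement suggested above, combined with the earlier point that per-command authorization delay adds up across a job. The function names, the placeholder address 192.0.2.10, and the assumption of one blocking authorization request per command are all illustrative.

```python
import socket
import statistics
import time

TACACS_PORT = 49  # tcp/49, as named in the thread


def connect_times(host, port=TACACS_PORT, samples=5, timeout=3.0):
    """Return TCP handshake durations in seconds; None marks a failed attempt."""
    results = []
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results.append(time.perf_counter() - start)
        except OSError:  # refused, unreachable or timed out
            results.append(None)
    return results


def summarize(results):
    """Median and worst handshake time, plus the count of failed attempts."""
    ok = [r for r in results if r is not None]
    return {
        "ok": len(ok),
        "failed": len(results) - len(ok),
        "median_s": statistics.median(ok) if ok else None,
        "max_s": max(ok) if ok else None,
    }


def projected_overhead(per_request_s, commands, requests_per_command=1):
    """Rough time a job spends waiting on the AAA server.

    Assumption: every command blocks for requests_per_command exchanges,
    each taking about per_request_s. This covers only the connection
    setup that was measured, not the TACACS+ exchange itself.
    """
    return per_request_s * commands * requests_per_command


if __name__ == "__main__":
    host = "192.0.2.10"  # placeholder (TEST-NET-1); use the AAA server address
    stats = summarize(connect_times(host))
    print(stats)
    if stats["median_s"] is not None:
        print("48-command job waits roughly %.1f s"
              % projected_overhead(stats["median_s"], 48))
```

A high failure count or a large gap between the median and the maximum points at the network path or a saturated server rather than at the job itself.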
