03-31-2010 11:19 AM
We are seeing timeouts, commands being skipped, the error message "command authorization failed", and very slow execution while running netconfig ad-hoc commands on 3750s.
It seems that many of the problems occur with the interface range command.
We have AAA running on the 3750s and think that command authorization might be part of the problem, but smaller changes execute without problems.
! Login and enable authentication against TACACS+, falling back to the local database / enable secret
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Authorization: console, exec, and per-command (config-mode commands included) via TACACS+
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting of exec sessions, level 1/15 commands and system events to TACACS+
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Has anyone also encountered this type of issue?
thanks
Mark
03-31-2010 10:37 PM
There are no known performance problems with Netconfig on LMS 3.2. It sounds like command authorization could be the culprit. We have seen cases in the past where it takes quite a few seconds to verify the command is authorized on the AAA server. The more commands you have, the more this time adds up.
Would it be possible to temporarily disable this on one device for testing?
--
Please support CSC Helps Haiti
https://supportforums.cisco.com/docs/DOC-8895
https://supportforums.cisco.com
04-01-2010 10:03 AM
We found that removing aaa authorization config-commands appears to have solved the problem. We run a job to remove the command, run the config changes, then re-apply the command.
04-01-2010 09:29 PM
It might be worth investigating why this is happening. It could be due to network latency between the LMS and the AAA server. You could measure this using an IP SLA TCP connect operation from one affected IOS device to the AAA server (on tcp/49). While it won't measure the TACACS+ protocol itself, it will tell you how long the TCP handshake is taking. After that, you could look at AAA server statistics to see if the server is too bogged down. If you're using an external database, perhaps there is some latency there which can be fixed.
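Added example (not from the original thread, and not Cisco's own recommendation): the measurements suggested in the reply above, written out as IOS configuration and exec commands for an affected 3750, plus the TACACS+ client settings that reduce per-command cost. It assumes the AAA server is 192.0.2.10, a test account named netconfig-svc, and IOS 12.2SE or later (older releases use `ip sla monitor` instead of `ip sla`). It is also worth noting what the workaround in the earlier post gives up: while `aaa authorization config-commands` is removed, configuration-mode commands from any authorized exec session are not checked against the TACACS+ server, so the window should be kept to the job itself.

```ios
! --- Added example; addresses and account name are assumptions ---
!
! 1. IP SLA TCP connect probe to the TACACS+ port (tcp/49) every 60 s.
!    Measures only the TCP handshake, not the TACACS+ exchange itself.
!    threshold 1000 ms marks samples that would already make a command feel slow.
ip sla 10
 tcp-connect 192.0.2.10 49
 timeout 5000
 threshold 1000
 frequency 60
ip sla schedule 10 life forever start-time now
!
! 2. TACACS+ client tuning. single-connection keeps one TCP session to the
!    server open instead of a new handshake per authorization request
!    (the server must support it; Cisco ACS does). A short timeout bounds
!    how long each command waits before the "local" fallback is used.
tacacs-server host 192.0.2.10 single-connection
tacacs-server timeout 5
!
! 3. From enable mode, after the probe has run for a few minutes:
!    show ip sla statistics 10      -> Latest RTT, successes, failures (over-threshold count)
!    show tacacs                    -> per-server socket opens, closes, timeouts, failed connections
!    test aaa group tacacs+ netconfig-svc <password> legacy
!                                   -> confirms the server answers and how quickly it does so
```

Read the handshake RTT against the `tacacs-server timeout`: if `show ip sla statistics` reports RTTs near or above it, or `show tacacs` shows rising timeout counters, the latency is in the network path or on the server, and the command-count effect described in the reply above will multiply it for every line of a NetConfig job.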