ZFW policy for TACACS not working

Hello,

I have configured a ZFW on a 2801 router and everything is working fine, apart from the tacacs policy. My configuration is as follows:

ip access-list extended TKSwitch-Tacacs
 permit tcp host x.x.x.x host y.y.y.y eq tacacs
 permit tcp host x.x.x.x host z.z.z.z eq tacacs

class-map type inspect match-all TK_Tacacs
 match protocol tacacs
 match access-group name TKSwitch-Tacacs

policy-map type inspect TK2Inside
 class type inspect TK_Tacacs
  inspect

When the "match protocol" command is used under the class map, tacacs authentication of the device x.x.x.x fails, with this message in the log:

000198: Aug  1 12:26:21.318: %FW-6-DROP_PKT: Dropping tcp session x.x.x.x:33306 y.y.y.y:49  due to  Stray Segment with ip ident 0

If I omit the "match protocol", then the authentication works fine.

Any help will be highly appreciated.

Thanks!

1 Reply

Problem solved.

The system port-mapping for tacacs was udp 49. I manually configured the port-mapping to tcp-49, and now the policy seems to be working fine.

Thanks!
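The fix described in the reply, written out as an added example (this is not the original poster's configuration and has not been taken from the thread). It assumes the IOS port-to-application mapping (PAM) command `ip port-map <app> port tcp|udp <n>` accepts an additional user-defined entry for the system-defined application "tacacs"; confirm that on the platform in use with `show ip port-map tacacs` before and after the change. Host and zone names are the placeholders from the question.

```cisco
! Added example, not the poster's running config. Assumes the IOS release
! accepts a user-defined PAM entry for the system application "tacacs".
!
! 1. Check what the firewall currently classifies as "tacacs".
!    The poster found only udp 49 here, so "match protocol tacacs" never
!    matched the TCP/49 session and ZFW dropped it as a stray segment.
show ip port-map tacacs
!
! 2. Add TCP/49 to the port-to-application map so "match protocol tacacs"
!    classifies the TCP session the TACACS+ client actually opens.
configure terminal
 ip port-map tacacs port tcp 49
!
! 3. Keep the class restrictive: protocol match AND the source/destination
!    ACL (match-all requires both to be true for a packet to be inspected).
 ip access-list extended TKSwitch-Tacacs
  permit tcp host x.x.x.x host y.y.y.y eq tacacs
  permit tcp host x.x.x.x host z.z.z.z eq tacacs
 class-map type inspect match-all TK_Tacacs
  match protocol tacacs
  match access-group name TKSwitch-Tacacs
 policy-map type inspect TK2Inside
  class type inspect TK_Tacacs
   inspect
 end
!
! 4. Confirm the map now lists both udp 49 and tcp 49, then verify the
!    TACACS+ session shows up as inspected instead of as a %FW-6-DROP_PKT.
show ip port-map tacacs
show policy-map type inspect zone-pair sessions
```

Why the ACL-only class worked: `match access-group` classifies purely on the Layer 3/4 tuple, so TCP/49 matched the permit lines. `match protocol tacacs` additionally consults PAM, and with only udp 49 in the map the TCP handshake was never associated with the tacacs inspection, so the firewall saw mid-stream segments it had no session for and logged the "Stray Segment" drop. Keeping both match lines in a `match-all` class is the tighter policy: the protocol match restricts what is inspected, and the ACL restricts which hosts may speak it.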
