Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2861
Views
29
Helpful
8
Replies

Cisco nexus aaa deadtime

Go to solution
Kashish_Patel
Level 2
Level 2

‎06-07-2013 03:28 AM - edited ‎03-10-2019 08:31 PM

What is Cisco's recommendation for configuring deadtime feature on Nexus devices? I understand that by default, its value is 0...How should this be configured so as to reduce the processing time for AAA requests in case all the AAA servers are unreachable?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎06-12-2013 04:50 PM

hey sorry missed your post.

Correct if it's set to 0. No, server monitoring will be performed. I'd suggest you to set it for 5 minutes. Your understanding on this matter is absolutely correct.

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

8 Replies 8

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-08-2013 01:14 PM

In majority fo cases I have seen it configured for 5 mins.

switch(config)# tacacs-server deadtime 5

TACACS+ Server Monitoring (NX 5000 should be same for all models)

An unresponsive TACACS+ server can delay the processing of AAA requests. A Nexus 5000 Series switch can periodically monitor an TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Nexus 5000 Series switch marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Nexus 5000 Series switch periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever an TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Nexus 5000 Series switch displays an error message that a failure is taking place before it can impact performance. See Figure 18-1.

TACACS+ Server States

TACACS+ Server Monitoring

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/sec_tacacsplus.html#wp1272831

Jatin Katyal
- Do rate helpful posts -

~Jatin

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jatin Katyal

‎06-10-2013 01:21 AM

Thanks for your reply, Jatin.

How are the AAA servers marked dead or alive? Are the AAA servers verified for status only when an authentication request comes to the switch? Or are AAA servers periodically verified from switch for their statuses?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎06-10-2013 06:42 AM

The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.

Configuring Periodic TACACS+ Server Monitoring

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/sec_tacacsplus.html#wp1272831

Jatin Katyal
- Do rate helpful posts -

~Jatin

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jatin Katyal

‎06-10-2013 10:36 AM

Jatin,

If no tacacs server monitoring is configured, then how will the tacacs servers be marked dead/alive?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎06-10-2013 04:37 PM

The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is 0 to 1440 minutes. The test idle timer specifies the interval in  which a TACACS+ server receives no requests before the Nexus 5000 Series  switch sends out a test packet. The default idle timer value is 0 minutes. When  the idle time interval is 0 minutes, periodic TACACS+ server monitoring  is not performed. For periodic TACACS+ server monitoring, the idle timer value must be greater than 0. Without monitoring, the dead time doesn't work well. However, even without the dead timer configured, subsequent AAA servers will be attempted if the first one fails to respond with in a timly manner.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jatin Katyal

‎06-10-2013 11:32 PM

Jatin,

Thanks for your replies.

We don't have idle timer configured, so by default, its value is 0. So that means, there is no periodic monitoring for our tacacs servers. So we should first configure an idle timer. What is the recommended value for this? I also understand that in the absence of any idle timer, tacacs servers are checked for status only when an application request comes...And if they don't reply to a request, they are marked dead..and now because default dead timer is 0, so dead timer never expires and dead servers are never tested if they have come up...So gist is we should configure both an idle timer and dead timer for perfect tacacs servers monitoring.

Could you confirm my understanding?

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Kashish_Patel

‎06-12-2013 08:08 AM

Jatin,

Could you respond to my question?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎06-12-2013 04:50 PM

hey sorry missed your post.

Correct if it's set to 0. No, server monitoring will be performed. I'd suggest you to set it for 5 minutes. Your understanding on this matter is absolutely correct.

Jatin Katyal
- Do rate helpful posts -

~Jatin
Customers Also Viewed These Support Documents