08-22-2017 11:41 PM - edited 03-05-2019 09:02 AM
Hi,
We have noticed frequent login failures during a specific time on one of our core devices (Cisco ASR1006). We are able to get to the password prompt, and when we enter the password we get the error "Authorization failed" during that specific time. When we checked the TACACS server, we did not observe any login attempts at all during that specific time.
Later we are able to log in to the device normally without any issues.
Below is the TACACS configuration that exists on the device.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
Please advise what could be the cause of the issue.
James....
08-22-2017 11:57 PM
Hello James,
Since this occurs only at specific times, this could be a memory problem. How much memory do you have installed?
Can you post the output of 'show memory aaa'?
Something else you could try is to replace the line:
aaa authorization commands 15 default group tacacs+ local
with
aaa authorization commands 15 default group tacacs+ if-authenticated
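An added example, not part of any post in this thread and not Cisco code: a simplified Python model of how IOS walks an AAA method list, showing how the configured line and the suggested line differ when the TACACS+ server does not answer. The state dictionary, the user names and the rule that `local` denies a user it does not know are assumptions of this model.

```python
# Simplified model of IOS AAA method-list evaluation (added example, not IOS code).
# A method answers PASS or FAIL, or ERROR when it gets no response at all.
# The next method is tried only after ERROR; PASS or FAIL ends the walk.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def parse_method_list(line):
    """Return the methods that follow 'default' in an 'aaa authorization' line."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authorization"] or "default" not in tokens:
        raise ValueError("not a default 'aaa authorization' line: " + line)
    rest = tokens[tokens.index("default") + 1:]
    methods, i = [], 0
    while i < len(rest):
        step = 2 if rest[i] == "group" else 1   # 'group tacacs+' is one method
        methods.append(" ".join(rest[i:i + step]))
        i += step
    return methods

def run_method(method, user, state):
    if method.startswith("group "):
        if not state["server_answers"]:
            return ERROR                        # timeout, no reply from the server
        return PASS if user in state["server_users"] else FAIL
    if method == "local":                       # model assumption: unknown user is denied
        return PASS if user in state["local_users"] else FAIL
    if method == "if-authenticated":
        return PASS if state["authenticated"] else FAIL
    if method == "none":
        return PASS
    raise ValueError("unknown method: " + method)

def authorize(line, user, state):
    """Walk the method list; return (result, method that decided)."""
    for method in parse_method_list(line):
        result = run_method(method, user, state)
        if result != ERROR:
            return result, method
    return FAIL, "list exhausted"

CONFIGURED = "aaa authorization commands 15 default group tacacs+ local"
SUGGESTED = "aaa authorization commands 15 default group tacacs+ if-authenticated"
# Constructed scenario: "james" has authenticated, has no local account,
# and the authorization request to the TACACS+ server times out.
TIMEOUT = {"server_answers": False, "server_users": {"james"},
           "local_users": {"localadmin"}, "authenticated": True}

if __name__ == "__main__":
    for line in (CONFIGURED, SUGGESTED):
        print(line.split("default ")[1], "->", authorize(line, "james", TIMEOUT))
```

With `if-authenticated` as the fallback, every authenticated user is authorized whenever the server is silent, so per-command authorization is not enforced for the duration of an outage.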
08-23-2017 03:21 AM
Hi Georg,
I don't find "show memory aaa" to be a valid command on the router. Below are the commands that I can execute; let me know which one would be helpful for you to get info.
show memory ?
allocating-process Show allocating process name
dead Memory owned by dead processes
debug Memory debugging commands
failures Memory failures
fast Fast memory stats
fragment Summary of memory fragment information
free Free memory stats
io IO memory stats
lite-chunks Malloc lite info
multibus Multibus memory stats
overflow memory overflow corrections
pci PCI memory stats
processor Processor memory stats
statistics Mempool Statistics
summary Summary of memory usage per alloc PC
transient Transient memory stats
| Output modifiers
<cr>
I have checked the output below; please check whether you can find any info from this.
show memory allocating-process
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 7F3D121F1010 4284521104 1522495736 2762025368 2745459944 2746921532
lsmpi_io 7F3D11AEF1A8 6295128 6294304 824 824 412
Please clarify the reason for replacing the command below, and how this modification would help with the time-specific login issue.
aaa authorization commands 15 default group tacacs+ local
with
aaa authorization commands 15 default group tacacs+ if-authenticated
James..
08-23-2017 03:43 AM
James,
my bad, the command is:
show aaa memory
08-23-2017 10:08 PM
08-23-2017 11:34 PM
Hello,
the output looks ok. The line whose counters should increase when there is an AAA failure due to low memory is:
AAA Unique ID Failure
That counter is 0.
That said, next time this occurs, check general reachability of the TACACS server. How is that server connected in your network?
08-25-2017 08:38 AM
The TACACS server is placed in the DC behind the firewall, and the source from which we are trying to connect to the router is already permitted in the firewall.
As said earlier, login to the router happens normally after some time, but during some specific time we end up with the error message "Authorization failed".
During that moment we are able to log in normally on all the other core devices with the TACACS credentials. This behaviour started recently. There were no recent changes on the TACACS end or on the router side.
During the period when we are facing the login issue, we are not able to continue our work normally, for which we need to work on this router.
No abnormal logs are seen on the TACACS server either during the period when we face the login issue.
Any suggestion on this is highly appreciated.