Tacacs / TCP issue - Tacacs access is not working, will only work after telnet to the tacacs server.

deojoseph7
Level 1

Hi,

Good day!

We do have this issue in our Tacacs access. Tacacs access is not working on the router. The affected routers are members of the same vrf.

The tacacs server is pingable and port 49 is open as well as verified via telnet. 

However, the TCP sessions destined to the tacacs server are stuck in finwait1.  It's just weird that the tacacs will work for an hour after doing a telnet to the tacacs server using incorrect port or just telnet to the server w/out any ports.


Traffic captured (filtering the traffic between the tacacs server and the router) was already performed and it showed a TCP out-of-order and TCP zero window results destined to the router.


Any thoughts? 

======================================================

RouterA#ping 204.16.x.x

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.16.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/48 ms
RouterA#sh tcp br
TCB       Local Address               Foreign Address             (state)
48C9E5D4  10.168.130.65.48136         204.16.x.x.49             FINWAIT1
48CA3290  10.168.130.65.15255         204.16.x.x.49             FINWAIT1
49372310  10.168.130.65.29261          204.16.x.x.49             FINWAIT1
48278AB0  10.168.130.65.47455         204.16.x.x.49             FINWAIT1
492E5D68  10.168.130.82.19978         10.168.130.81.179           ESTAB
4937294C  10.168.130.65.22            204.16.x.x.40681          ESTAB
481B6008  10.168.130.65.19450         204.16.x.x.49             FINWAIT1
4817D534  10.168.130.65.58877         204.16.x.x.49             FINWAIT1
48188244  10.168.130.65.59926         204.16.x.x.49             FINWAIT1
RouterA#telnet 204.16.x.x 49
Trying 204.16.x.x, 49 ... Open
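An added check, not from the original thread: a small Python parser for IOS "show tcp brief" output that counts sessions to the TACACS+ port (49) that are not ESTAB, so a pile-up of FINWAIT1 sessions to the AAA server like the one above can be flagged from collected CLI output instead of by eye. The sample output below is constructed with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the layout of IOS "show tcp brief" output
# (placeholder addresses, not the ones from the original post).
SAMPLE_SHOW_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
48C9E5D4  10.0.0.65.48136             192.0.2.10.49               FINWAIT1
48CA3290  10.0.0.65.15255             192.0.2.10.49               FINWAIT1
492E5D68  10.0.0.82.19978             10.0.0.81.179               ESTAB
4937294C  10.0.0.65.22                192.0.2.10.40681            ESTAB
481B6008  10.0.0.65.19450             192.0.2.10.49               FINWAIT1
"""

TACACS_PORT = 49

# One session line: hex TCB, local endpoint, foreign endpoint, state.
# The header line starts with "TCB", which is not hex, so it never matches.
LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_endpoint(endpoint):
    """IOS prints 'host.port' with a dot before the port: '10.0.0.65.48136'."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_show_tcp_brief(text):
    """Return a list of dicts, one per TCP session in the output."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        sessions.append({"tcb": tcb, "local_host": lhost, "local_port": lport,
                         "foreign_host": fhost, "foreign_port": fport,
                         "state": state})
    return sessions


def stale_tacacs_sessions(text, port=TACACS_PORT):
    """Count, per server, sessions to the TACACS+ port that are not ESTAB.

    A growing count for one server (e.g. many FINWAIT1 entries) is the
    symptom seen in this thread and worth alerting on.
    """
    counts = Counter()
    for s in parse_show_tcp_brief(text):
        if s["foreign_port"] == port and s["state"] != "ESTAB":
            counts[s["foreign_host"]] += 1
    return dict(counts)
```

Feed it the saved output of "show tcp brief" from each affected router; any server appearing in the result with more than a session or two is the one whose TCP teardown is not completing.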

4 Replies

Hello


debug tacacs authentication

debug aaa authentication

test aaa group tacacs+ (username) (tacacs key) legacy


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, 

Pls. see attached file for my debug results.

I've also included the results of "debug ip tcp packet 204.16.x.x".

Thanks Paul!

I'm only able to access the router using local credentials.


=================================================

RouterA#test aaa group tacacs+ e1053817 password1 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.


Hello

I can see your icmp is successful, but is that destination running as an AAA server?
Is your AAA configuration correct, AAA method, key etc.. is it pointing to the correct servers?
Possible FW blocking the connection?


show tacacs server


res

Paul



Kind Regards
Paul

Hi Paul,


The AAA configuration is correct, tacacs server & key is correct. This config has been used in other sites as well. Ping to the tacacs server is also successful.

It's just weird that the tacacs will work (for only an hour) after doing a telnet to the tacacs server from the router using an incorrect port or just a plain telnet w/out any ports.

But port 49 is verified open if you do a telnet.

===========================

RouterA#telnet 204.16.x.x 49
Trying 204.16.x.x, 49 ... Open

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local 
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
aaa session-id common


(tacacs will work for only an hour after doing the below telnet)

RouterA#telnet 204.16.x.x 
Trying 204.16.x.x ... 
% Connection timed out; remote host not responding