01-02-2019 12:25 PM - edited 03-08-2019 04:55 PM
Hello everyone,
Trying to figure out why issuing commands on a Cisco 3850 via console takes a long time vs. an ISR4431 when TACACS+ is down.
Example:
When I issue sho run on the 3850, it takes about 20 seconds before I see it on the screen; however, issuing the same command on the ISR 4431 is almost instantaneous (<2 seconds).
Switch is running 16.6.4
I have also changed the method to first use local and then group GROUP_NAME, and I get the same result.
Here's a sample of the AAA config:
aaa authentication login default group GROUP_NAME local
aaa authentication enable default group GROUP_NAME enable
aaa authorization exec default group GROUP_NAME local
aaa authorization exec ISE group GROUP_NAME local
aaa authorization commands 15 default group GROUP_NAME local
aaa authorization config-commands
aaa authorization console
aaa accounting exec default start-stop group GROUP_NAME
aaa accounting commands 15 default start-stop group GROUP_NAME
aaa accounting system default start-stop group GROUP_NAME
Any suggestions/tips would be greatly appreciated.
Thanks,
raman
01-02-2019 01:09 PM - edited 01-02-2019 01:10 PM
Hello
For a test can you disable DNS lookup if enabled
no ip domain-lookup
01-02-2019 01:12 PM
Hi Paul,
I have verified that command is disabled on the switch. My AAA configs are almost identical on both the switch and the router.
Be glad to look at other commands if needed.
Thanks for taking the time to view this post.
raman
01-02-2019 01:16 PM
Hi Raman,
Does this only happen when you log in via the console?
The reason I ask is that we have some 3850s and when we issue "sh run" it takes about 10 to 15 seconds for the output to show up regardless of how you connect to them (Console, SSH, telnet, ACS, local, etc..).
HTH
01-02-2019 01:21 PM
Yes, this only happens when I console in. I can run the same command via SSH with TACACS being accessible, and it is instantaneous. Also, I'm not stacking the switch. I don't see the delay, for instance, if I use the ? to view commands associated with specific commands.
01-02-2019 01:28 PM
Hello
@RAMAN AZIZIAN wrote:
Yes, this only happens when I console in. I can run the same command via SSH with TACACS being accessible, and it is instantaneous. Also, I'm not stacking the switch. I don't see the delay, for instance, if I use the ? to view commands associated with specific commands.
line console 0
transport preferred none
exit
01-02-2019 02:19 PM
Unfortunately that did not work. Also, I tried it on a 3650 and I get the same behavior.
Curious if you see the same thing if you have a lab setup?
Thanks,
01-02-2019 02:45 PM
Hello
The past two tests I have asked you to perform were around DNS resolution, but this doesn't seem to have helped.
So can you post your line config and also the output from debug aaa accounting/authorization, please, if applicable.
Lastly, if you remove aaa accounting temporarily, does that make any difference?
01-02-2019 03:03 PM
Paul,
I will see if I can include the debug output. I can tell you that when I do run the debug, each time the switch does attempt to communicate with the server, which is the behavior of timing out since it is not communicating with the server.
01-02-2019 03:13 PM
raman
I can only work with the information presented. Your original post described symptoms associated with TACACS being down. I found factors in the provided configuration that explain that behavior. My analysis seems to be supported by your comments about the debug output:
I can tell you when I do run the debug each the switch does attempt to communicate with the server,
If you have other experience where authorization used local first and then TACACS, then please provide documentation of that experience: provide the changed configuration and debug output showing no attempt to communicate with TACACS.
HTH
Rick
01-02-2019 04:42 PM
Hello
@RAMAN AZIZIAN wrote:
Paul,
I can tell you that when I do run the debug, each time the switch does attempt to communicate with the server, which is the behavior of timing out since it is not communicating with the server.
Do you have the tacacs-server timeout period set to something other than the default?
tacacs-server timeout xx
01-02-2019 02:46 PM
Assuming that the part of the original post showing the AAA configuration accurately reflects what is on this switch, there is a pretty easy explanation for the symptoms described. The key to understanding it is the reference that it happens when TACACS is down. Here are the key lines:
aaa authorization commands 15 default group GROUP_NAME local
aaa authorization config-commands
aaa authorization console
I will start by pointing to the line that enables authorization for the console. By default the Cisco console does not perform authorization, but here it is enabled. Also note that authorization goes to TACACS first with local as a fallback. So when he enters the show run command, it sends an authorization request to TACACS. He must wait for that to time out (and potentially for a retry to time out) before the command actually executes.
HTH
Rick
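To make the explanation above checkable against a running config, here is a small lint script (added example, not from the thread or from Cisco): it parses the AAA method lists, and when `aaa authorization console` is present it reports every default authorization list that consults a server group before any local method, with an estimated minimum wait per command. The 5-second timeout and the sample config are assumptions mirroring the lines posted above.

```python
import re

# Constructed sample mirroring the AAA lines posted in the thread (GROUP_NAME is the poster's placeholder).
SAMPLE_CONFIG = """
aaa authentication login default group GROUP_NAME local
aaa authentication enable default group GROUP_NAME enable
aaa authorization exec default group GROUP_NAME local
aaa authorization exec ISE group GROUP_NAME local
aaa authorization commands 15 default group GROUP_NAME local
aaa authorization config-commands
aaa authorization console
aaa accounting commands 15 default start-stop group GROUP_NAME
"""

# service, list type, optional privilege level, list name, then the method tokens
METHOD_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$")


def parse_method_lists(config):
    """Return (service, kind, level, name, methods) tuples for every AAA method list."""
    lists = []
    for line in config.splitlines():
        m = METHOD_RE.match(line.strip())
        if not m:
            continue  # 'aaa authorization console' and 'config-commands' carry no method list
        service, kind, level, name, rest = m.groups()
        tokens = rest.split()
        if service == "accounting" and tokens[0] in ("start-stop", "stop-only", "wait-start", "none"):
            tokens = tokens[1:]  # accounting lists carry a record type before the methods
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists.append((service, kind, level, name, methods))
    return lists


def console_command_delays(config, tacacs_timeout=5):
    """List (kind, level, min_wait_seconds) for default authorization lists that try a server
    group before a local method while console authorization is enabled. tacacs_timeout is an
    assumed per-group timeout; the real wait also depends on server count and retries."""
    lines = {l.strip() for l in config.splitlines()}
    if "aaa authorization console" not in lines:
        return []
    findings = []
    for service, kind, level, name, methods in parse_method_lists(config):
        if service != "authorization" or name != "default":
            continue
        groups_first = 0
        for method in methods:
            if not method.startswith("group "):
                break
            groups_first += 1
        if groups_first:
            findings.append((kind, level, groups_first * tacacs_timeout))
    return findings
```

Running it on the sample flags both the exec and the commands 15 default lists; re-ordering them to `local group GROUP_NAME` makes the findings disappear, which is the reordering the original poster says he tried.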
01-02-2019 03:00 PM
Hello Rick,
Thanks for your reply.
I have tried the authentication/authorization method to point to the local first and then group name and I get the same result.
What puzzles me is why the router does not experience the same delay as the switch, and it has the same exact AAA configuration.
The switch is directly connected to the router via .1q, which shouldn't really matter (at least I don't think it should), since the TACACS server (via ISE) is down, and I am consoling in directly to the switch.
01-02-2019 02:43 PM
01-02-2019 03:01 PM
Memory is not over utilized and yes, if TACACS is back online, it works with no issues.
Thanks,
raman