
Nexus 9k - First login rejected

equinn
Level 1

Hi Guys

We're having a strange issue with our Nexus 9ks and wondering if anyone else has seen it before.

We use ISE as our AAA server with a normal TACACS+ connection, but every time we attempt to connect to the switches, the 1st attempt succeeds from ISE's perspective but the switch closes the connection. The second connection attempt always succeeds. The user would just be local to the ISE store and the TACACS timeout is set to 30 seconds. There are no failures at all that I can find.

We don't have the same issue on any of the Catalyst switches with the same configurations.

Anyone come across this before?

Thanks!

Eoin

4 Replies

balaji.bandi
Hall of Fame

You can check on the ISE what the reason for the rejection is. Are they ISE users, or does ISE use external authentication against LDAP/AD?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji

That's the thing. ISE doesn't reject the connection. That gives successful Authentication and Authorization. The connection shuts down on the switch side.

To identify the issue, could we enable debug logs and send them to syslog to correlate when the problem occurs, or simulate the issue to understand what went wrong between?

Do you have any CoPP policy in place on the switch?

BB


There's no CoPP policy on the switches outside of what comes with the default image.
We could easily replicate the issue as it's with every logon and we have a syslog server. Just have to select which debugs to turn on.