04-13-2020 07:21 AM
Hi, I am getting logged out of my session on a C9200L-48P-4X.
The logs are:
"003205: Apr 13 10:39:17.373 PT: %SYS-6-TTY_EXPIRE_TIMER: (absolute timer expired, tty 2 (10.0.101.1)), user XXXX
003206: Apr 13 10:39:17.373 PT: %SYS-3-DUP_TIMER: Same tty2 in linewatch_timers, type 0
003207: Apr 13 10:39:17.377 PT: %SYS-6-LOGOUT: User XXXX has exited tty session 2(10.0.101.1)
003208: Apr 13 10:39:17.378 PT: TPLUS: Queuing AAA Accounting request 32 for processing
003209: Apr 13 10:39:17.378 PT: TPLUS: processing accounting request id 32
003210: Apr 13 10:39:17.378 PT: TPLUS: Sending AV task_id=4111
003211: Apr 13 10:39:17.378 PT: TPLUS: Sending AV timezone=PT
003212: Apr 13 10:39:17.378 PT: TPLUS: Sending AV service=shell
003213: Apr 13 10:39:17.378 PT: TPLUS: Sending AV start_time=1586769556
003214: Apr 13 10:39:17.378 PT: TPLUS: Sending AV disc-cause=5
003215: Apr 13 10:39:17.379 PT: TPLUS: Sending AV disc-cause-ext=47
003216: Apr 13 10:39:17.379 PT: TPLUS: Sending AV pre-session-time=0
003217: Apr 13 10:39:17.379 PT: TPLUS: Sending AV elapsed_time=1201
003218: Apr 13 10:39:17.379 PT: TPLUS: Sending AV stop_time=1586770757 "
I have nothing in my config on absolute timer. I do have an ISE as a TACACS server, but I am not seeing any attributes for this to happen.
Any suggestions?
George
04-13-2020 08:08 AM
George
This output looks like it might be output from debug. Are you running debug? If so which debug is it?
You tell us that you do not have anything in your config about absolute timer and that is probably correct. But we do not know what is in your config. For example do you have a session timer configured on your vty ports? Perhaps you could post your config so we could understand it better?
04-13-2020 11:09 AM
The debug I was using was:
debug aaa authentication
debug tacacs
And here is my config:
aaa new-model
!
!
aaa authentication banner ^CCAccessing AAA-Servers^C
aaa authentication fail-message ^CCAAA Authentication FAILED.^C
aaa authentication login default group tacacs+ local
aaa authentication login XXXXXXX local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius local
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting nested
aaa accounting update periodic 2880
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group radius
ip tacacs source-interface Vlan255
ip ssh source-interface Vlan255
ip ssh version 2
!
!
ip radius source-interface Vlan255
tacacs server ACS
 address ipv4 10.0.0.100
 key 7 xxxxxxxxxx
 timeout 8
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 25 access-request include
radius-server deadtime 2
radius-server key 7 xxxxxxxxxx
!
radius server ISE01
 address ipv4 10.0.0.100 auth-port 1645 acct-port 1646
 timeout 8
 key xxxxxxxx
!
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
line vty 5 15
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
04-13-2020 02:30 PM
George
Thanks for the additional information. I am not authoritative about this (and if someone from Cisco who is authoritative could jump in that would be nice) but it seems to me that these lines in the config are significant:
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
The exec-timeout is an inactivity timer and probably not involved in your issue. But session-timeout is based on the length of your vty session. It is logical to me that absolute timer may be the timer that measures the length of the vty session and when it gets to 60 the timer expires and the vty session is terminated.
04-13-2020 02:40 PM
Hi,
That was an attempt to force logout for 60 min (1 hour), but it didn't work; it logs out at "elapsed_time=1201" (1201 sec = 20 min).
Thanks,
George
04-15-2020 06:12 AM
Hi George,
It looks like the TACACS profile that you are pushing from ISE as part of authorization is configured with a Timeout setting.
Can you please provide a screenshot of the TACACS profile?
04-15-2020 12:00 PM
You are right. I checked the profile and found the timeout setting configured.
Thanks for your support.
George
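
The check this thread converged on, written out as an added example (not code from any poster or from Cisco): take the session length from the TACACS+ accounting AVs in the debug output and compare it with the timers configured on the vty lines. The function names and the 5-second tolerance are assumptions of this example; the log lines and timer values are copied from the posts above.

```python
import re

# Lines copied (abridged) from the debug output posted in this thread.
DEBUG_LOG = """\
003205: Apr 13 10:39:17.373 PT: %SYS-6-TTY_EXPIRE_TIMER: (absolute timer expired, tty 2 (10.0.101.1)), user XXXX
003213: Apr 13 10:39:17.378 PT: TPLUS: Sending AV start_time=1586769556
003217: Apr 13 10:39:17.379 PT: TPLUS: Sending AV elapsed_time=1201
003218: Apr 13 10:39:17.379 PT: TPLUS: Sending AV stop_time=1586770757
"""

# vty timers copied from the posted config.
LINE_CONFIG = """\
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
"""

AV_RE = re.compile(r"TPLUS: Sending AV ([\w-]+)=(\S+)")
TIMER_RE = re.compile(
    r"^\s*(session-timeout|exec-timeout)\s+(\d+)(?:\s+(\d+))?", re.M)

def parse_avs(log):
    """Collect the attribute-value pairs from 'TPLUS: Sending AV' lines."""
    return dict(AV_RE.findall(log))

def line_timers(config):
    """Map each line timer to seconds (minutes, plus optional seconds)."""
    return {name: int(mins) * 60 + int(secs or 0)
            for name, mins, secs in TIMER_RE.findall(config)}

def diagnose(log, config, tolerance=5):
    avs = parse_avs(log)
    duration = int(avs["stop_time"]) - int(avs["start_time"])
    matches = [name for name, secs in line_timers(config).items()
               if abs(secs - duration) <= tolerance]
    return {
        "absolute_timer_expired": "absolute timer expired" in log,
        "duration_s": duration,
        "agrees_with_elapsed_time_av": duration == int(avs["elapsed_time"]),
        "matching_line_timers": matches,
        # Heuristic: no local line timer explains the cutoff, so look at
        # what the AAA server returns at exec authorization.
        "check_aaa_profile": not matches,
    }

if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, LINE_CONFIG))
```

Here the session lasted 1201 seconds while both line timers are 3600 seconds, so nothing in the local config explains the cutoff, which is what pointed to the ISE TACACS profile.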