Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
442
Views
0
Helpful
4
Replies

Tacacs Fails after latest upgrade on Switch C-3650CX-8TC-S

RG78874
Beginner
Beginner

‎02-17-2022 01:57 AM

Hi,

 

I have upgrade our Switch that was running c3560cx-universalk9-mz.152-7.E2.bin to the latest version c3560cx-universalk9-mz.152-7.E5.bin

 

After the upgrade that took 11 minutes to complete and I waited a bit longer (10 mins extra) and found tacacs is not working and I had to use local login.

Is this a known bug, I have seen forums, articles with different devices that people see this.

 

Is their something I am supposed to do after a upgrade to enable tacacs?

 

If this is a bug could I have an article please.

Labels:
0 Helpful
4 Replies 4

Flavio Miranda
VIP Mentor VIP Mentor
VIP Mentor

‎02-17-2022 05:43 AM

Hi

 First it is necessary to identify where the problem is. Althouth the problem apeared after switch upgrade, the real reason may be something else.

Try a few things:

 

ping "tacacs ip address"

If sucessed:

 

telnet "tacacs ip address"  49

Does it shows "open" ?

 

test aaa group tacacs+ "user" "Password"  legacy

 

 Other useful commands:

 

debug aaa authentication

debug aaa authorization

debug tacacs

debug ip tcp transaction

 

 

0 Helpful

RG78874
Beginner
Beginner
In response to Flavio Miranda

‎02-17-2022 05:59 AM

hi

I logged into my device using tacacs credentials. After reloading the new boot config (upgrading) the Switch, I could only log on with local credentials.

I checked the tacacs box, and that was connected to AD and other devices had no issue.

 

I want to know if this is a bug or if this is recorded some where or if their is a fix when this happens. I had to rollback as we had a release outage Window.

 

So everything was open as in ports and working fine before the upgrade. Firewalls all checked out fine. I upgraded devices in a different environment and same problem.

0 Helpful

marce1000
VIP Mentor VIP Mentor
VIP Mentor
In response to RG78874

‎02-17-2022 09:16 AM - edited ‎02-17-2022 09:19 AM

 

 - Check the AD-logs to see , if tacacs authentication request from the switch still arrives, or radius server logs (if radius is used in between switch and MS-AD)

  Take note of these for future upgrades too : 

                https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu62273

                https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt20131

 M.

 M.



-- ' A nun once asked a penguin ' do you think the earth is flat ? ; the penguin replied :
Madam, it all depends , in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!
0 Helpful

Leonardo Pena Davila
Rising star
Rising star

‎02-17-2022 09:19 AM

Hi, 

 

I think in that version you should edit the Edited the switch config with new TACACS format 

Deprecated config:

tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key 7

New config:

tacacs server <<
tacacs server
address ipv4 y.y.y.y
key 7

 

HTH

Leonardo

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents