Secure ACS Intermittent

jpl861
Level 4

Hi,

We are using Cisco Secure ACS and for the past week, our switch and router logins are really, really intermittent. Most of the time, even if we are into the console already and issue a command, "authorization failed" will appear; then just keep pressing up and enter and the command will be accepted. Any idea why this is happening? Thank you very much.

28 Replies

darpotter
Level 5

You could try looking in the Failed Attempts report. This would be a good place to start.

Vivek Santuka
Cisco Employee

Hi,

One more thing which is worth trying is to increase the tacacs-server timeout value.

Regards,

Vivek

smue_decm
Level 1

Hi,

We have the same problem in our network. Commands entered rapidly first work fine, but after a period of time the commands are rejected with "authorization failed". With an increased "tacacs timeout" the message "authorization failed" doesn't appear anymore. As a result the TACACS queue grows and the switch or router responds sluggishly.

The accepted commands are listed in the "TACACS+ administration" log - as assumed. But the rejected commands don't appear in any log...what's the problem?

ellis_b
Level 3

Have you tried running a constant ping from the device to the ACS server? Is there something that is dropping packets along the path (i.e. from congestion or something)? What version of ACS are you running?

Hi,

thanks for the reply.

We're using ACS 4.0.

The network's fine. We tested connectivity from a switch within our LAN AND over many hops from other devices in the network.

Hi,

You can try adding "single-connection" keyword after the "tacacs-server host" command in the device.

The single-connection keyword specifies a single connection (only valid with ACS). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server.

The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.

Regards,

Vivek

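To make the "single connection" and "authorization failed" discussion concrete, here is an added example (my own code, not from the thread, from Cisco or from ACS) of the TACACS+ exchange the switch runs for every command. It builds the authorization REQUEST a NAS sends for a `show running-config`, sets the single-connect flag in the packet header (the bit that `tacacs-server host ... single-connection` turns on), obfuscates the body with the shared key, and then decodes a server REPLY. The session id, key (`secret_value`, reused from the registry dump later in the thread), username, port and command are constructed sample values; the constants and layouts are the protocol's own (RFC 8907).

```python
import hashlib
import struct

# Protocol constants from RFC 8907 (these values are the protocol's, not assumptions).
TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02                # header "type": authorization packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in clear; never set this in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # client asks the server to keep the TCP session open
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x10, 0x11
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no.
    This is obfuscation, not authenticated encryption; anyone holding the key reads the body."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; applying it twice restores the plain body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def _take(body, off, n):
    """Slice n bytes at off, refusing to run past the body (wrong key or corrupt packet)."""
    if off + n > len(body):
        raise ValueError("field runs past end of body: key mismatch or corrupt packet")
    return body[off:off + n], off + n


def build_author_request(session_id, key, user, port, rem_addr, args,
                         priv_lvl=15, single_connect=True, seq_no=1):
    """Command-authorization REQUEST as the NAS (switch/router) sends it."""
    fields = [s.encode() for s in (user, port, rem_addr, *args)]
    if any(len(f) > 255 for f in fields):
        raise ValueError("TACACS+ length fields are one byte")
    user_b, port_b, rem_b, *arg_bs = fields
    # authen_method=TACACSPLUS(0x06), priv_lvl, authen_type=ASCII(0x01), authen_service=LOGIN(0x01)
    body = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_b), len(arg_bs))
    body += bytes(len(a) for a in arg_bs) + b"".join(fields)
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def build_author_reply(session_id, key, status, server_msg=b"", args=(), seq_no=2):
    """Authorization REPLY as the server sends it (used here to construct a sample answer)."""
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bs), len(server_msg), 0)   # data_len = 0
    body += bytes(len(a) for a in arg_bs) + server_msg + b"".join(arg_bs)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    """Split header and body; de-obfuscate the body unless the clear-text flag is set."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id}, body


def parse_author_request(packet, key):
    hdr, body = parse_packet(packet, key)
    _method, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = struct.unpack_from("!8B", body)
    arg_lens, off = _take(body, 8, argc)
    user, off = _take(body, off, ulen)
    port, off = _take(body, off, plen)
    rem_addr, off = _take(body, off, rlen)
    args = []
    for n in arg_lens:
        a, off = _take(body, off, n)
        args.append(a.decode())
    hdr.update(priv_lvl=priv_lvl, user=user.decode(), port=port.decode(),
               rem_addr=rem_addr.decode(), args=args)
    return hdr


def parse_author_reply(packet, key):
    hdr, body = parse_packet(packet, key)
    status, argc, msg_len, data_len = struct.unpack_from("!BBHH", body)
    arg_lens, off = _take(body, 6, argc)
    server_msg, off = _take(body, off, msg_len)
    _data, off = _take(body, off, data_len)
    args = []
    for n in arg_lens:
        a, off = _take(body, off, n)
        args.append(a.decode())
    hdr.update(status=status, server_msg=server_msg.decode(errors="replace"), args=args)
    return hdr


def command_permitted(reply):
    """Only PASS_ADD/PASS_REPL let the command run; FAIL, ERROR, or no REPLY at all before
    the NAS timeout expires all surface as "authorization failed" at the console."""
    return reply["status"] in (STATUS_PASS_ADD, STATUS_PASS_REPL)
```

Two things the bytes make visible that the thread only hints at: without the single-connect flag every `show` or `configure` command costs a full TCP open and close against the ACS host, so a busy NOC can exhaust the server's session pool even though nothing is wrong on the network; and the body "encryption" is a reusable MD5 keystream, so the shared key must be long and random and the TACACS+ path should still be kept on a management network. The `tacacs-server timeout` value bounds how long the NAS waits for the REPLY; a REPLY that arrives after that window cannot authorize anything.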
Hi,

This works better now. But still, after several tries the entered commands end up in a queue...

Is there any possibility without reconfiguring a switch or router?

Hi,

With 3.x there was a way to tweak ACS but with 4.x you will have to open a TAC case.

Regards,

Vivek

Hmmm... how many concurrent admin sessions might be performing T+ authorisation?

This could be ACS running out of spare connections. You'd see no errors in the ACS CSV, but you might see something in the CSTacacs service log. It really should log if connections/packets are being dropped.

In fact, not only concurrent authorization sessions but accounting sessions also matter.

ACS can handle limited number of concurrent tacacs sessions.

The ACS appliance doesn't reply to ping packets. We are using ACS 3.3.

Sometimes we have to type our username and password again and again because the ACS is not responding.

Can the timeout resolve this issue?

Thank you very much guys. =)

hi,

With ACS 3.1 we had the problem that we reached the maximum of 40 single connections! (Message in the package.cab: "maximum 40 single connection are busy")

We increased the "MaxSessions" value in the registry from 40 (hex 28) to 200 (hex C8).

Look at

[HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.1\CSTacacs]
"BaseDir"="\\CSTacacs"
"Version"="3.1(1.27)"
"Port"=dword:00000031
"PacketSize"=dword:00000400
"MaxSessions"=dword:00000028
"LocalSecret"="secret_value"
"SingleConnect"=dword:00000001
"ProxyOn"=dword:00000001
"ProxyRetries"=dword:00000001
"ChPassEnabled"=dword:00000000
"ChPassFastReplicate"=dword:00000000
"CHPassDisabledMessage"="Chpass is currently disabled."
"PackDump"=dword:00000001

regards

alex

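As an added example (my own, not from the thread or from Cisco), here is a small script that reads a regedit export of the CSTacacs key, shows the REG_DWORD values in decimal so the hex arithmetic above can be checked (0x28 is 40, 0xC8 is 200, and "Port" 0x31 is TCP 49), and writes back a patched export with a new MaxSessions. The export text is constructed from the values posted above; the key path is the 3.1 one shown there, and you would still need to stop and start the CSTacacs service after importing the result (an assumption on my part about when the service reads the key).

```python
import re

# Constructed sample: the CSTacacs key as regedit exports it, values taken from the posted dump.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.1\CSTacacs]
"Port"=dword:00000031
"PacketSize"=dword:00000400
"MaxSessions"=dword:00000028
"SingleConnect"=dword:00000001
"""

# One REG_DWORD line: "Name"=dword:8 hex digits (regedit always writes exactly eight).
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$', re.MULTILINE)


def read_dwords(reg_text):
    """Map each REG_DWORD value name in the export to its decimal value."""
    return {m["name"]: int(m["hex"], 16) for m in DWORD_LINE.finditer(reg_text)}


def set_dword(reg_text, name, value):
    """Return a copy of the export with one REG_DWORD rewritten, ready for `reg import`."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD is a 32-bit value")
    pattern = re.compile(r'^"%s"=dword:[0-9A-Fa-f]{8}$' % re.escape(name), re.MULTILINE)
    new_text, count = pattern.subn('"%s"=dword:%08x' % (name, value), reg_text)
    if count != 1:
        raise KeyError("value %r not found exactly once" % name)
    return new_text


if __name__ == "__main__":
    print(read_dwords(REG_EXPORT))                      # {'Port': 49, 'PacketSize': 1024, 'MaxSessions': 40, 'SingleConnect': 1}
    print(set_dword(REG_EXPORT, "MaxSessions", 200))   # same export with "MaxSessions"=dword:000000c8
```

Raising the ceiling only buys headroom; the server-side limit and the number of NAS devices opening fresh sockets per command still need to be matched, which is why the single-connection keyword on the devices and this value go together.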
Very interesting indeed. Do you have that magic number, as I'm experiencing that same issue too?

The only figures that I've found documented are from 3.2 and only for 800 APs and 100K users (how artificially they derived this synthetic info is questionable, but Dewan, the Product Manager for Cisco Wireless, was kinda quiet about it).

If I am not wrong Tacacs+ threads hover around a maximum of 50.

Regards,

Vivek
