Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3087
Views
0
Helpful
2
Replies

Understanding this TACACS Debug

daniel.bowen
Level 1
Level 1

‎06-15-2007 01:24 AM - edited ‎03-10-2019 03:13 PM

01:19:44: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

01:19:44: TAC+: Closing TCP/IP 0xAC5F14 connection to 10.52.166.119/49

01:19:44: TAC+: Using default tacacs server-group "tacacs+" list.

01:19:46: TAC+: Using default tacacs server-group "tacacs+" list.

01:19:46: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:19:46: TAC+: Opened TCP/IP handle 0xABDD68 to 10.52.166.119/49

01:19:46: TAC+: 10.52.166.119 (2254716401) ACCT/REQUEST/STOP queued

01:19:46: TAC+: (2254716401) ACCT/REQUEST/STOP processed

01:19:46: TAC+: received bad ACCT packet: type = 0, expected 3

01:19:46: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:19:46: TAC+: Closing TCP/IP 0xABDD68 connection to 10.52.166.119/49

01:19:46: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:20:19: TAC+: Opened TCP/IP handle 0xAC5F14 to 10.52.166.119/49

01:20:19: TAC+: 10.52.166.119 (726398633) ACCT/REQUEST/STOP queued

01:20:19: TAC+: (726398633) ACCT/REQUEST/STOP processed

01:20:19: TAC+: received bad ACCT packet: type = 0, expected 3

01:20:19: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:20:19: TAC+: Closing TCP/IP 0xAC5F14 connection to 10.52.166.119/49

01:20:19: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:20:19: TAC+: Opened TCP/IP handle 0xABDD68 to 10.52.166.119/49

01:20:19: TAC+: 10.52.166.119 (1195930714) ACCT/REQUEST/STOP queued

01:20:20: TAC+: (1195930714) ACCT/REQUEST/STOP processed

01:20:20: TAC+: received bad ACCT packet: type = 0, expected 3

01:20:20: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:20:20: TAC+: Closing TCP/IP 0xABDD68 connection to 10.52.166.119/49

01:20:20: TAC+: Using default tacacs server-group "tacacs+" list.

Can anybody help me understand this TACACS debug that I get when I try and authenticate on this device using TACACS?

Many thanks,

Dan

Labels:
0 Helpful
2 Replies 2

Jagdeep Gambhir
Level 10
Level 10

‎06-15-2007 04:43 AM

Hi Dan,

Here is some info :

01:19:44: TAC+: Using default tacacs server-group "tacacs+" list.

01:19:46: TAC+: Using default tacacs server-group "tacacs+" list.

It is using default configured tacacs list.

01:19:46: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:19:46: TAC+: Opened TCP/IP handle 0xABDD68 to 10.52.166.119/49

01:19:46: TAC+: 10.52.166.119 (2254716401) ACCT/REQUEST/STOP queued

Here it is trying to make a connection with tacacs server on port 49 ( default tacacs port), request is queued.

01:19:46: TAC+: (2254716401) ACCT/REQUEST/STOP processed

01:19:46: TAC+: received bad ACCT packet: type = 0, expected 3

01:19:46: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:19:46: TAC+: Closing TCP/IP 0xABDD68 connection to 10.52.166.119/49

Here it is not getting any response from tacacs due to secret key mismatch.

And loop goes on.

Please reenter aaa key on this device and acs , pls do not copy/paste

Also be aware that in ACS aaa client key take precedence over NDG key.

Let me know how that goes.

Regards,

Jagdeep

0 Helpful

darpotter
Level 5
Level 5

‎06-15-2007 07:51 AM

The "check keys" message would seem to indicate the shared secret doesnt match the one on the AAA server.

0 Helpful
Customers Also Viewed These Support Documents