AAA authentication errors

Oct 25th, 2007

Hi, I'm trying to figure out what might be causing this error?


Oct 25 10:53:29.800: TAC+: 10.20.0.10 (883737627) AUTHEN/CONT queued

Oct 25 10:53:34.800: TAC+: 10.20.0.10 (883737627) AUTHEN/CONT -- TIMED OUT

Oct 25 10:53:34.800: TAC+: (883737627) AUTHEN/CONT processed

Oct 25 10:53:34.800: TAC+: Error sending continue packet.

Oct 25 10:53:34.800: TAC+: Closing TCP/IP 0x479241D0 connection to 10.20.0.10/49

Oct 25 10:53:34.800: AAA/AUTHEN (883737627): status = ERROR



I'm running ACS v4.1.1.23.5 and IOS Version 12.2(18)SXF on my 6513s.


Any ideas?


thank you.


Collin Clark Thu, 10/25/2007 - 09:16

It looks like it's timing out. Do you have the timeout set to 5 seconds? Make sure you can access the ACS server from the device. If that's OK, try increasing your timeout. Also check your ACS failed attempts log and see if there is anything in there.


HTH and please rate.

Richard Burts Thu, 10/25/2007 - 09:21

Todd


From the messages I would guess that you are attempting to send the authentication request to the TACACS/ACS and not receiving a response.


The first thing that I would check would be IP connectivity. In checking on this we need to know whether you have configured the option to specify the source address for TACACS packets? If you have specified the source address for TACACS then you need to check connectivity with an extended ping. In the extended ping specify the destination as 10.20.0.10 (the TACACS server) and specify the source address as whatever you have specified in your config as the source for TACACS. If you have not specified the source address then check connectivity with a standard ping to 10.20.0.10.


If there is not a problem with IP connectivity then I suggest that the next thing to check is whether the server is receiving the authentication request. Look in the logs on the server - especially look in the failed attempts report and see if the authentication request was seen and if so why the server did not authenticate it.


HTH


Rick
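
Added example (not part of any post in this thread, and not Cisco tooling): a small Python parser that pairs each `queued` request in the debug output quoted in the question with its `TIMED OUT` line and reports how long the device waited, so the wait can be compared with the timeout value the replies ask about. The line format is inferred only from the six lines quoted above; the function names and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the six debug lines quoted in the question, blank lines removed.
SAMPLE = """\
Oct 25 10:53:29.800: TAC+: 10.20.0.10 (883737627) AUTHEN/CONT queued
Oct 25 10:53:34.800: TAC+: 10.20.0.10 (883737627) AUTHEN/CONT -- TIMED OUT
Oct 25 10:53:34.800: TAC+: (883737627) AUTHEN/CONT processed
Oct 25 10:53:34.800: TAC+: Error sending continue packet.
Oct 25 10:53:34.800: TAC+: Closing TCP/IP 0x479241D0 connection to 10.20.0.10/49
Oct 25 10:53:34.800: AAA/AUTHEN (883737627): status = ERROR
"""

# Matches only "TAC+:" lines that carry a session id and a packet state.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): TAC\+: "
    r"(?:(?P<server>\d+\.\d+\.\d+\.\d+) )?\((?P<sid>\d+)\) "
    r"(?P<pkt>[A-Z]+/[A-Z]+) (?:-- )?(?P<event>queued|TIMED OUT|processed)\s*$"
)

def parse_ts(text):
    # The debug timestamp has no year; a placeholder leap year (assumption) is prepended.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def find_timeouts(log_text):
    """Return one record per request that was queued and later timed out."""
    queued = {}    # (session id, packet type) -> (queue time, server address)
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["sid"], m["pkt"])
        ts = parse_ts(m["ts"])
        if m["event"] == "queued":
            queued[key] = (ts, m["server"])
        elif m["event"] == "TIMED OUT" and key in queued:
            start, server = queued.pop(key)
            findings.append({
                "session": m["sid"], "packet": m["pkt"], "server": server,
                "waited_s": (ts - start).total_seconds(),
            })
    return findings

if __name__ == "__main__":
    for f in find_timeouts(SAMPLE):
        print(f"{f['packet']} to {f['server']} (session {f['session']}): no reply after {f['waited_s']:.1f}s")
```

A wait that equals the configured timeout exactly, as in the quoted lines, means the device gave up waiting rather than receiving a reject, which is why the replies point at reachability and the server's failed attempts log.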
