configuration command take long time to display

Unanswered Question
Apr 20th, 2008

When I shutdown the primary ACS service, the authentication and accounting take a long time to process. Is it normal? Whenever new command is enter, it take sometime to display after the command authorization. The time toke almost the same as timeout configure.


The primary ACS is working fine without any delay if it's up and running.


Anything that I can do to fine tune?


Here are the configuration that I have :

aaa new-model

aaa group server tacacs+ ACSSE

server-private 192.168.128.28 key abcacs01

server-private 192.168.136.35 key abcacs01


ip tacacs source-interface bvi1


aaa authentication login default group ACSSE line

aaa authentication enable default enable

aaa authorization exec default group ACSSE if-authenticated

aaa authorization commands 15 default group ACSSE if-authenticated

aaa authorization config-commands

aaa accounting update newinfo

aaa accounting exec default start-stop group ACSSE

aaa accounting commands 15 default start-stop group ACSSE

aaa accounting connection default start-stop group ACSSE

aaa accounting system default start-stop group ACSSE

tacacs-server timeout 10


The software version :

c2800nm-adventerprisek9-mz.124-11.T3.bin

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Fri, 04/25/2008 - 08:07

Chee


Your description of the issue sounds like your router is sending its request to the first TACACS sever and is waiting for a response but it does not receive a response. So it waits for the timeout and when the first request times out it sends the request to the second server.


If the router received an immediate answer or if it could not establish a connection to the primary server then you would not have the delay. You might be able to confirm this by running debug tacacs authentication or debug tacacs accounting. I believe that you will see your router send a request to the primary and then not receive a response (or it may receive some response which it does not interpret as not available).


If you want to tune this you could adjust the timeout value to a shorter value. But I believe that a better solution would be to figure out why the server is not sending any response.


HTH


Rick

ccsam Mon, 04/28/2008 - 20:14

Hi Rick,


Thanks for your reply. I will try to capture the debug message to find out further.


regards,


Sam

Actions

This Discussion