10-29-2008 11:14 AM - edited 03-10-2019 04:09 PM
I have attached the debug. From the spoke site I can telnet to the tacacs server's management port. I don't see failed attempts on the tacacs server, so I get the impression that it's not making it there or back. Can someone take a look at the debug and let me know what, if anything, may be wrong?
Thanks in advance!!
10-30-2008 08:51 AM
Brent
I have looked at the information that you posted. The debug shows that it is sending requests, and seems to show that it processes a reply. But there is no indication of what the reply is. I find that quite odd. I might suggest that you add debug tacacs packet and test again. It would show more detail of what is going back and forth.
I notice several things in the commands that you post that might be issues. You show configuration of the server but do not show the configuration of the key (or shared secret) that the router and the server use to protect their transmissions. If the keys do not match you will not authenticate with the server (though that usually does create entries in the failed attempts report indicating invalid key).
I also notice that you define the server group as Netadmin but in the authentication command you call for NMM-Netadmin. And under the vty lines you specify the authentication method as Netadmin but in the authentication command you call it NMM-Netadmin.
Perhaps you can clarify some of these things?
HTH
Rick
10-30-2008 09:23 AM
10-30-2008 09:39 AM
Brent
That does help to clarify a little. Clearly the router is sending a request. Some packet is received in response but there is an error in reading the packet header. It would be nice to know more about the error, but the debug is not helpful about that.
I wonder how it would work if you remove the single-connection parameter from the server configuration on the router.
Also can you verify that the TACACS server is working properly? Is it authenticating for other clients?
Is there anything unique about the configuration in the server for client 10.50.2.176?
Does the server have any entries in its failed attempts file that correspond to the time when you are testing?
HTH
Rick
10-30-2008 10:28 AM
Hey,
I've verified that the tacacs server is running properly, as I use it on all my security devices like fw's and others. I have removed the "single-connection" and now I am getting the following at the tail end:
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/NB_WAIT: wrote entire 45 bytes request
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: Would block while reading
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: read 0 bytes
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: errno 254
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/853AF00C: Processing the reply packet
The strange thing is that when I look at the failed attempts on the server I don't see anything. It's like it never makes it there, but I know it does; I see it in the debug.
10-30-2008 11:21 AM
Brent
Is there any possibility that there is a firewall or IDS/IPS that could be intercepting the request and generating/proxying a response?
HTH
Rick
10-30-2008 11:27 AM
No there is no firewall.
Also, I can telnet from the router to the management port of the tacacs server, so I know it can indeed connect.
10-30-2008 11:55 AM
Brent
I have assumed since your original post that basic IP connectivity was not an issue. So I am looking for possible reasons why the request does not show up at the server - which is especially puzzling since some kind of response seems to get to the router.
HTH
Rick
10-30-2008 11:57 AM
Yes, I agree, very strange.
I think I'll open up a TAC. Maybe there is something I'm missing.
Thanks for your help
Take care.
10-30-2008 11:59 AM
The way you go about troubleshooting this issue is wrong. You need to do the following:
- Run tcpdump on the tacacs server and see if it even completes a 3-way handshake, like this:
13:54:26.712822 192.168.15.248.11030 > 10.0.0.10.49: S 533573034:533573034(0) win 4128
13:54:26.712860 10.0.0.10.49 > 192.168.15.248.11030: S 86308781:86308781(0) ack 533573035 win 5840
13:54:26.714667 192.168.15.248.11030 > 10.0.0.10.49: . ack 1 win 4128
13:54:26.715946 192.168.15.248.11030 > 10.0.0.10.49: . 1:39(38) ack 1 win 4128
- Run tcpdump on the tacacs server and capture it to a file so that you can view it with ethereal/wireshark:
tcpdump -s 1500 -w /tmp/tacacs.cap -i eth0 -nnn host router_ip_address and port 49
- Now view the file tacacs.cap with ethereal. You can find out why tacacs is not working.
The other thing to keep in mind is that the tacacs key you enter on the router is kinda tricky. "abc123 " is NOT the same as "abc123". The extra space at the end could cause issues. You cannot decode it with tcpdump because the packet is encrypted.
10-30-2008 05:06 PM
I managed to generate the output:
Oct 31 11:03:59.204: TPLUS(0000005A)/0/NB_WAIT: wrote entire 38 bytes request
Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: socket event 1
Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: Would block while reading
Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: socket event 1
Oct 31 11:03:59.208: TPLUS(0000005A)/0/READ: errno 254
Oct 31 11:03:59.208: TPLUS(0000005A)/0/847809C0: Processing the reply packet
which includes the same errno (254) as the OP's output. It was generated by not configuring the end point as a client in the ACS.
This leads to the suggestion to confirm that the correct source interface is configured in ACS.
HTH
Ross
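As an added illustration (example code written for this page, not posted by anyone in the thread), a small parser that applies Ross's reasoning to the TPLUS debug lines: it groups them by session id and flags a session in which the request was written but the server closed the connection before any reply bytes were read. The failing sample copies the pattern posted above; the working session's line format is an assumption.

```python
import re

# Added example, not from the thread. Sample debug text is constructed: the failing
# session copies the pattern posted in the thread, the working one is made up.
FAILING_DEBUG = """\
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/NB_WAIT: wrote entire 45 bytes request
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: Would block while reading
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: read 0 bytes
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: errno 254
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/853AF00C: Processing the reply packet
"""
WORKING_DEBUG = """\
*Oct 31 09:00:01.000: TPLUS(0000002C)/0/NB_WAIT: wrote entire 45 bytes request
*Oct 31 09:00:01.004: TPLUS(0000002C)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Oct 31 09:00:01.005: TPLUS(0000002C)/0/READ: read entire 16 bytes response
"""

LINE_RE = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]+)\)/\d+/[^:]+: (?P<msg>.*)")
WROTE_RE = re.compile(r"wrote entire (\d+) bytes request")
READ_RE = re.compile(r"read (?:entire )?(\d+) (?:header )?bytes")
ERRNO_RE = re.compile(r"errno (\d+)")

def analyze_tplus(debug_text):
    """Per TACACS+ session id: 'ok', 'closed_without_reply', 'pending' or 'no_request'."""
    sessions = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"wrote": 0, "read": 0, "eof": False, "errno": None})
        msg = m["msg"]
        if w := WROTE_RE.match(msg):
            s["wrote"] += int(w[1])
        elif r := READ_RE.match(msg):
            n = int(r[1])
            s["eof"] |= (n == 0)  # "read 0 bytes": the server closed the TCP connection
            s["read"] += n
        elif e := ERRNO_RE.match(msg):
            s["errno"] = int(e[1])
    return {sid: _status(s) for sid, s in sessions.items()}

def _status(s):
    if s["wrote"] == 0:
        return "no_request"
    if s["read"] > 0:
        return "ok"  # a reply header/body actually arrived
    if s["eof"] or s["errno"] is not None:
        # Request left the router, server hung up before replying: the errno 254 pattern
        # Ross reproduced by not defining the router (its source address) as an ACS client.
        return "closed_without_reply"
    return "pending"
```

Running `analyze_tplus(FAILING_DEBUG)` yields `{'0000001B': 'closed_without_reply'}`, the cue to check the AAA client definition and source interface on the ACS before suspecting the network path.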
10-31-2008 08:50 AM
So the issue was that I needed to specify a tacacs interface and I also didn't configure the subnet for that interface on the ACS server. Once I did both it worked like a dream.
Thanks for all the help