11-20-2009 08:59 AM
Hi,
I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s.
I have configured a TACACS server and an SNTP server which are accessible out the management interface. There is a route to these devices out the management interface. They aren't pingable, but if I span the management port and sniff it I can see the ICMP requests leaving the interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server, and it never sends any packets to the TACACS server on the management or any of the other ports; it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz", which the doc suggests is a key mismatch, but I don't think it can be, as the device isn't even trying to connect to the TACACS server on port 49.
Am I missing something obvious?
I've pasted the relevant parts of the config below.
Thanks in advance,
Dom
lab-fe-2# show run
!Generated on 11/20/2009 09:40:18
!Active version: sg0820303

configure

!*************************** GLOBAL ***************************
sntp primary-server 10.52.240.1 version 3
sntp secondary-server 10.52.240.2 version 3
virtual authentication primary tacacs
virtual authentication secondary local

tacacs-server key xxxxxxxxxxxxx
tacacs-server 10.52.255.201 49

ip management route 10.52.240.0 255.255.240.0 10.55.2.252
ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
!************************* INTERFACE *************************
interface e1
  bridge vlan 2503
  phy 100Mbits-FD

interface e2
  bridge vlan 2004
  phy 100Mbits-FD

interface Ethernet-Mgmt
  phy 10Mbits-FD

!************************** CIRCUIT **************************
lab-fe-2# show boot
!************************ BOOT CONFIG ************************
  ip address 10.55.2.245
  subnet mask 255.255.255.0
  primary boot-file sg0820303
  primary boot-type boot-via-disk
  gateway address 10.55.2.252
lab-fe-2#
lab-fe-2# show tacacs-server
Per-Server Status:
 IP/Port              State   Primary        Authen.      Author.      Account
 -------              -----   -------        -------      -------      -------
 10.52.255.201:49     Dead    No                   0            0            0
 Totals:                                           0            0            0
Per-Server Configuration:
 IP/Port              Key              Server Timeout        Server Frequency
 -------              ---              --------------        ----------------
 10.52.255.201:49     Not Configured   None                  None
Global Configuration Parameters:
 Global Timeout:                5
 Global KAL Frequency:          5
 Global Key:                    Configured
 Authorize Config Commands:     No
 Authorize Non-Config Commands: No
 Account Config Commands:       No
 Account Non-Config Commands:   No
 Send Full Command:             Yes
end of buffer.
lab-fe-2#
12-02-2009 10:21 PM
The management port should only be used for out-of-band management of the device. You'll likely want to configure circuit vlan 2503 with an IP from that subnet, as well as circuit vlan 2004 with an IP from that subnet. Your default route is OK as long as 10.55.3.254 (the next hop) is accessible from the 'outside' interface of the CSS.
The management route you have configured is used only to manage the CSS from a subnet that is different from that of the management port. As 10.55.2.252 appears to be your inside network, simply remove the word 'management' from that route statement to make that a usable route.
If you keep the existing IP on the management interface you might get an error when trying to use it within the circuit VLAN. May want to temporarily remove the management IP until everything is working properly.
Good luck!
James
12-03-2009 01:37 AM
Thanks for your response James. I've just realised I've not put any of the circuit IP addresses in the post, so it's no wonder no one's replied to it!
You're right, the management interface is meant for out-of-band management, and that's what the TACACS and SNTP are: out-of-band management functions. The TACACS and SNTP servers are located on the management network and aren't accessible over either the inside or outside interfaces.
I can't remove the management address as we use it to manage the device remotely.
I'll see if I can find the circuit addresses and repost the config.
Thanks again
Dom
12-03-2009 04:22 AM
I look forward to seeing the entire config then!
01-21-2010 04:13 AM
I have got to the bottom of this. It looks like the CSS cannot authenticate users using a TACACS server over the management interface unless the TACACS server is located on the same subnet as the management interface:
The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.

Note  When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
The confusing thing about this is that this is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2, nor do the release notes for any of those versions mention that it is supported.
Cheers, Dom
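The constraint Dom quotes from the documentation (SNTP, TACACS, DNS and CDP are not carried across an "ip management route", only to hosts on the management port's own subnet) can be checked mechanically against a CSS config before anyone spends time sniffing the management port. The script below is an added example, not code from the thread or from Cisco: it parses the "show boot" and "show run" fragments posted above (embedded here as constructed sample input), derives the management subnet, and classifies each configured SNTP and TACACS server as on-subnet, reachable only through a management static route (and therefore unsupported for those services per the quoted note), or not covered by any management route at all. The classification labels and the parsing are my own; the list of unsupported services is taken from the documentation note Dom quoted.

```python
import ipaddress
import re

# Constructed sample input: the "show boot" fragment from the thread.
BOOT_CONFIG = """\
  ip address 10.55.2.245
  subnet mask 255.255.255.0
  gateway address 10.55.2.252
"""

# Constructed sample input: the relevant global lines from "show run" in the thread.
RUNNING_CONFIG = """\
sntp primary-server 10.52.240.1 version 3
sntp secondary-server 10.52.240.2 version 3
tacacs-server key xxxxxxxxxxxxx
tacacs-server 10.52.255.201 49
ip management route 10.52.240.0 255.255.240.0 10.55.2.252
ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
"""

# Services the quoted CSS documentation note says are NOT supported across
# an "ip management route" (i.e. they only work to hosts on the management LAN).
UNSUPPORTED_VIA_MGMT_ROUTE = {"sntp", "tacacs", "dns", "cdp"}


def parse_boot(text):
    """Return the management interface's network from the boot config."""
    addr = mask = None
    for line in text.splitlines():
        m = re.match(r"\s*ip address (\S+)", line)
        if m:
            addr = m.group(1)
        m = re.match(r"\s*subnet mask (\S+)", line)
        if m:
            mask = m.group(1)
    if addr is None or mask is None:
        raise ValueError("boot config lacks 'ip address' / 'subnet mask'")
    # ip_interface accepts a dotted-quad mask after the slash.
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def parse_running(text):
    """Return (servers, mgmt_routes).

    servers:     list of (service, ip) for sntp and tacacs-server lines
    mgmt_routes: list of networks covered by 'ip management route' statements
    """
    servers, mgmt_routes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"sntp (?:primary|secondary)-server (\S+)", line)
        if m:
            servers.append(("sntp", ipaddress.ip_address(m.group(1))))
            continue
        # Only host lines; 'tacacs-server key ...' does not match the IP pattern.
        m = re.match(r"tacacs-server (\d+\.\d+\.\d+\.\d+)(?:\s+(\d+))?", line)
        if m:
            servers.append(("tacacs", ipaddress.ip_address(m.group(1))))
            continue
        m = re.match(r"ip management route (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            mgmt_routes.append(net)
    return servers, mgmt_routes


def classify(service, ip, mgmt_net, mgmt_routes):
    """Classify how the CSS would reach a management-plane server."""
    if ip in mgmt_net:
        return "on-subnet"  # directly on the management LAN: supported
    if any(ip in r for r in mgmt_routes):
        if service in UNSUPPORTED_VIA_MGMT_ROUTE:
            return "unsupported-via-mgmt-route"  # the failure mode in this thread
        return "via-mgmt-route"
    return "circuit-path"  # no management route; traffic would follow 'ip route'


def audit(boot_text, running_text):
    """Map (service, server-ip) to its reachability class."""
    mgmt_net = parse_boot(boot_text)
    servers, mgmt_routes = parse_running(running_text)
    return {(svc, str(ip)): classify(svc, ip, mgmt_net, mgmt_routes)
            for svc, ip in servers}


if __name__ == "__main__":
    for (svc, ip), verdict in audit(BOOT_CONFIG, RUNNING_CONFIG).items():
        print(f"{svc:7s} {ip:16s} {verdict}")
```

Run against the thread's config, every SNTP and TACACS server lands in the unsupported class, which matches the observed behaviour (no packets at all, TACACS server reported Dead). After the NAT workaround Dom describes, the server address configured on the CSS would fall inside 10.55.2.0/24 and the same check returns on-subnet.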