Possible bug in 3560G 12.22(46) SE

Unanswered Question
Apr 5th, 2010

Hi All,

I have one TACACS+ server configured for all Cisco devices. Recently I found an issue with a 3560G running 12.2(46)SE. When the login times out, the TACACS+ server just automatically stops the service because of a bad sequence number. Here is part of the log message from the TACACS+ server:

------ From here waiting for the password input --------------
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
End packet
Waiting for packet

---------------- Timeout when I haven't input my password --------------------
tty1: fd 6 eof (connection closed)
Read -1 bytes from tty1, expecting 12
tty1: Null reply packet, expecting CONTINUE
login query for 'hxmeng' tty1 from rejected
login failure: hxmeng ( tty1
Writing AUTHEN/FAIL size=18
PACKET: key=key
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 1585634415 (0x5e82dc6f), Data length 6 (0x6)
End header
Bad sequence number 5 should be even

I checked another switch running a different version, 12.2(35)SE5: no issue at all with the same TACACS+ configuration. Other models like the 6504 and 2950 don't have this issue either. The normal log information for a successful timeout should be:

type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
End packet
Waiting for packet
Read AUTHEN/CONT size=32
PACKET: key=key
version 193 (0xc1), type 1, seq no 5, flags 0x1
session_id 3834844074 (0xe49313aa), Data length 20 (0x14)
End header
user_msg_len 0 (0x0), user_data_len 15 (0xf)
User msg:
User data:
Login timed out
End packet

The switch will send an AUTHEN/CONT packet to the TACACS+ server, and the TACACS+ server will respond with a disconnect message (not shown here). But that version on the 3560G just returns a NULL packet, which causes the TACACS+ server problem. My switch configuration for TACACS+ is simple:

tacacs-server host
tacacs-server key mykey

ip tacacs source-interface Vlan1

I'm using tac_plus as the TACACS+ server.

Please help. I checked the bug toolkit and didn't find any related bug information, but it seems like a bug to me. Is there any workaround for this if it is a bug?

Any help is really appreciated. Thanks.


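To make the "should be even" complaint concrete, here is an added example (not code from the thread and not tac_plus's own code) that parses the TACACS+ header and AUTHEN CONTINUE body as laid out in RFC 8907 and applies the parity rule: packets from the client carry odd sequence numbers (1, 3, 5, ...), packets from the server even ones (2, 4, 6, ...). The "good" packet is constructed from the values in the posted 12.2(35)SE5 excerpt (version 0xc1, seq 5, session 0xe49313aa, 15-byte data "Login timed out"). The `ServerSession` class is an assumed, simplified model of the daemon's bookkeeping: it assumes the server had just sent GETPASS as seq 4, so that after an EOF with no CONTINUE the next packet it tries to write is seq 5, which is exactly the odd number tac_plus refuses to send.

```python
"""TACACS+ (RFC 8907) header/CONTINUE parsing plus the sequence-number parity
rule behind tac_plus's "Bad sequence number 5 should be even".

Added example, not from the thread and not tac_plus code. GOOD_CONT is
constructed from the posted debug output; ServerSession is an assumed,
simplified model of the daemon's per-session state.
"""
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body not obfuscated with the key
TAC_PLUS_CONTINUE_FLAG_ABORT = 0x01 # CONTINUE body flag: client is giving up


def parse_header(buf):
    """Decode the fixed 12-byte TACACS+ header."""
    if len(buf) < HEADER.size:
        raise ValueError("short header: %d bytes" % len(buf))
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(buf)
    return {"major": version >> 4, "minor": version & 0x0F, "type": ptype,
            "seq_no": seq_no, "flags": flags, "session_id": session_id,
            "length": length}


def check_seq(seq_no, sender):
    """Client packets carry odd seq_no (1, 3, 5...), server packets even (2, 4, 6...)."""
    if seq_no == 0:
        raise ValueError("seq_no 0 is never valid")
    if (seq_no % 2 == 1) != (sender == "client"):
        raise ValueError("Bad sequence number %d should be %s"
                         % (seq_no, "even" if sender == "server" else "odd"))


def build_continue(session_id, seq_no, user_msg, data, abort):
    """Build an unencrypted AUTHEN CONTINUE the way the switch sends it."""
    check_seq(seq_no, "client")
    flags = TAC_PLUS_CONTINUE_FLAG_ABORT if abort else 0
    body = struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data
    hdr = HEADER.pack(0xC1, TAC_PLUS_AUTHEN, seq_no, TAC_PLUS_UNENCRYPTED_FLAG,
                      session_id, len(body))
    return hdr + body


def parse_continue(pkt):
    """Parse an AUTHEN CONTINUE; reject bad parity and length fields that overrun the body."""
    hdr = parse_header(pkt)
    if hdr["type"] != TAC_PLUS_AUTHEN:
        raise ValueError("not an AUTHEN packet")
    check_seq(hdr["seq_no"], "client")
    body = pkt[HEADER.size:]
    if len(body) != hdr["length"] or len(body) < 5:
        raise ValueError("body is %d bytes, header says %d" % (len(body), hdr["length"]))
    user_msg_len, data_len, flags = struct.unpack_from("!HHB", body)
    if 5 + user_msg_len + data_len != len(body):
        raise ValueError("user_msg_len/data_len do not match body length")
    user_msg = body[5:5 + user_msg_len]
    data = body[5 + user_msg_len:5 + user_msg_len + data_len]
    return dict(hdr, abort=bool(flags & TAC_PLUS_CONTINUE_FLAG_ABORT),
                user_msg=user_msg, data=data)


class ServerSession:
    """Assumed, simplified server-side view of one TACACS+ session."""

    def __init__(self, session_id, last_seq_sent):
        self.session_id = session_id
        self.last_seq = last_seq_sent   # e.g. 4 right after sending GETPASS

    def receive(self, pkt):
        hdr = parse_header(pkt)
        if hdr["session_id"] != self.session_id:
            raise ValueError("session_id mismatch")
        if hdr["seq_no"] != self.last_seq + 1:
            raise ValueError("expected seq %d, got %d" % (self.last_seq + 1, hdr["seq_no"]))
        check_seq(hdr["seq_no"], "client")
        self.last_seq = hdr["seq_no"]

    def next_send_seq(self):
        seq = self.last_seq + 1
        check_seq(seq, "server")     # this is where the daemon bails out
        return seq


# Constructed from the healthy 12.2(35)SE5 excerpt: the switch aborts with seq 5.
GOOD_CONT = build_continue(0xE49313AA, 5, b"", b"Login timed out", abort=True)


def simulate_timeout(client_sends_continue):
    """Server has sent GETPASS as seq 4. Return the seq it may use for AUTHEN/FAIL,
    or the error text when the client (like the 3560G here) closed without a CONTINUE."""
    sess = ServerSession(0xE49313AA, last_seq_sent=4)
    try:
        if client_sends_continue:
            sess.receive(GOOD_CONT)
        return sess.next_send_seq()
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(parse_continue(GOOD_CONT))
    print("with CONTINUE:", simulate_timeout(True))      # 6
    print("without CONTINUE:", simulate_timeout(False))  # Bad sequence number 5 should be even
```

The parsed good packet reproduces the posted header fields (version 0xc1, seq 5, Data length 20 = 2 + 2 + 1 + 15) and carries the abort flag with "Login timed out" as data; the server's reply is then seq 6. When the client closes the TCP connection instead of sending that CONTINUE, the server's own counter is still at 4, so its next write would be seq 5, an odd number reserved for the client, and the parity check fails with the same text seen in the tac_plus log.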
Edison Ortiz Mon, 04/05/2010 - 12:35

A bad sequence number on a TCP connection usually means there are several transit paths from the source to the destination, and somewhere along the path the packets take different physical links towards the destination.

Is that the case here?

Do you have some per-packet load-balancing enabled from the source to the destination?



hxmengmetro Mon, 04/05/2010 - 12:38

Thanks Edison for your reply. We don't have multiple paths to the TACACS+ server, and some other switches of different models or versions at the same location have no issue with this timeout situation. It sounds more like a bug to me. Not sure if there is any workaround for this?


Edison Ortiz Mon, 04/05/2010 - 13:05

I did an internal search and I couldn't find a bug that applies to your case.

I recommend migrating to 12.2(44)SE6 if possible.

hxmengmetro Mon, 04/05/2010 - 13:10

Thank you Edison. Does that mean I need to downgrade the current version? I really don't want to change the software if I can find some workaround. Sigh.


Edison Ortiz Mon, 04/05/2010 - 13:12

12.2(44)SE6 is not a downgrade from 12.2(46)SE

They are simply different tracks.

(44)SE6 is actually newer than (46)SE.

hxmengmetro Mon, 04/05/2010 - 13:15

I will test it with one switch tomorrow and let you know the result. Thanks Edison.

hxmengmetro Mon, 04/05/2010 - 13:20

One additional question about upgrading. My current version is the IP Base version. Can I upgrade to the IP Services version for free? Thanks.

Edison Ortiz Mon, 04/05/2010 - 13:27

If you have Smartnet, you will be able to download IP Services for free, but legally you need to update your license with your Cisco reseller.
