04-05-2010 08:28 AM - edited 03-06-2019 10:28 AM
Hi All,
I have one tacacs+ server configured for all cisco devices. Recently I found one issue with 3560G 12.22(46) SE. When the login timeout, the tacacs server just automatically stopped the service due to a bad sequence number. Here is one part of the log message from tacacs server:
------ From here waiting for the password input --------------
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
---------------- Timeout when I haven't input my password --------------------
10.1.1.2 tty1: fd 6 eof (connection closed)
Read -1 bytes from 10.1.1.2 tty1, expecting 12
10.1.1.2 tty1: Null reply packet, expecting CONTINUE
login query for 'hxmeng' tty1 from 10.1.1.2 rejected
login failure: hxmeng 10.1.1.30 (10.1.1.2) tty1
Writing AUTHEN/FAIL size=18
PACKET: key=key
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 1585634415 (0x5e82dc6f), Data length 6 (0x6)
End header
10.1.1.2: Bad sequence number 5 should be even
I checked another switch with a different version, 12.2(35)SE5. No issue at all with the same tacacs configuration. Other models like the 6504 and 2950 don't have this issue either. The normal log information for a successful timeout should be:
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=32
PACKET: key=key
version 193 (0xc1), type 1, seq no 5, flags 0x1
session_id 3834844074 (0xe49313aa), Data length 20 (0x14)
End header
type=AUTHEN/CONT
user_msg_len 0 (0x0), user_data_len 15 (0xf)
flags=0x1
User msg:
User data:
Login timed out
End packet
The switch will send an AUTHEN/CONT packet to the tacacs server, and the tacacs server will respond with a disconnect message (not shown here). But that version of the 3560G just returns a NULL packet, which causes the tacacs server problem. My switch configuration for tacacs is simple:
tacacs-server host 10.20.1.72
tacacs-server key mykey
ip tacacs source-interface Vlan1
I'm using tac_plus for tacacs server purpose.
Please help. I checked the bug toolkit and didn't find any related bug information, but it seems like a bug to me. Is there any workaround for this if it is a bug?
Any help is really appreciated. Thanks.
Lou
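To make the "Bad sequence number 5 should be even" message concrete, here is an added example (not code from the thread or from tac_plus) that decodes TACACS+ headers and applies the sequence-number rule the server is enforcing: the client's packets carry odd sequence numbers (1, 3, 5, ...), the server's replies carry even ones (2, 4, 6, ...), and every packet is exactly the previous one plus one. The wire layout assumed is the standard 12-byte TACACS+ header (version, type, seq_no, flags, session_id, length) and the AUTHEN/CONT body (user_msg_len, data_len, flags, user_msg, data). The two traces are constructed: the four packets before the GETPASS prompt are assumed from the usual START/REPLY/CONT/REPLY login exchange, while the values from seq 5 onward (versions 0xc0 and 0xc1, the session ids, the 6-byte FAIL body and the 20-byte "Login timed out" CONT body) are taken from the log excerpts above.

```python
import struct

HEADER_LEN = 12               # fixed TACACS+ header size (the "expecting 12" in the tac_plus log)
TAC_PLUS_AUTHEN = 1           # header type 1 = authentication
TAC_PLUS_UNENCRYPTED = 0x01   # header flag: body sent in the clear (flags=0x1 in the log)


def parse_header(buf):
    """Decode the 12-byte header: version, type, seq_no, flags, session_id, length (network order)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header: read %d bytes, expecting %d" % (len(buf), HEADER_LEN))
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", buf[:HEADER_LEN])
    return {"major": version >> 4, "minor": version & 0x0F, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def build_header(version, ptype, seq_no, flags, session_id, length):
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, length)


def parse_authen_cont(body):
    """Decode an AUTHEN/CONT body: user_msg_len(2) data_len(2) flags(1) user_msg data."""
    if len(body) < 5:
        raise ValueError("AUTHEN/CONT body too short")
    user_msg_len, data_len, flags = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + user_msg_len + data_len:
        raise ValueError("AUTHEN/CONT length fields do not match the body size")
    user_msg = body[5:5 + user_msg_len]
    data = body[5 + user_msg_len:]
    return {"flags": flags, "user_msg": user_msg, "data": data}


class SeqChecker:
    """Sequence rule for one session: the client sends 1, 3, 5, ...; the server
    answers 2, 4, 6, ...; each packet is exactly the previous one plus one."""

    def __init__(self, session_id):
        self.session_id = session_id
        self.last_seq = 0

    def check(self, sender, hdr):
        seq_no = hdr["seq_no"]
        if hdr["session_id"] != self.session_id:
            return False, "session_id mismatch"
        if seq_no != self.last_seq + 1:
            return False, "Bad sequence number %d, expecting %d" % (seq_no, self.last_seq + 1)
        want_odd = sender == "client"
        if (seq_no % 2 == 1) != want_odd:
            return False, "Bad sequence number %d should be %s" % (seq_no, "odd" if want_odd else "even")
        self.last_seq = seq_no
        return True, "ok"


def replay(session_id, packets):
    """Run the checker over (sender, header_bytes) pairs and stop at the first violation."""
    chk = SeqChecker(session_id)
    results = []
    for sender, raw in packets:
        hdr = parse_header(raw)
        ok, why = chk.check(sender, hdr)
        results.append((sender, hdr["seq_no"], why))
        if not ok:
            break
    return results


# Constructed traces. The four packets before GETPASS (START, REPLY, CONT, REPLY) are
# assumed from the standard login exchange; seq 5 onward uses the values in the thread's logs.
def prelude(version, session_id):
    hdrs = []
    for seq in (1, 2, 3, 4):  # body lengths omitted: only the header is checked here
        sender = "client" if seq % 2 else "server"
        hdrs.append((sender, build_header(version, TAC_PLUS_AUTHEN, seq, TAC_PLUS_UNENCRYPTED, session_id, 0)))
    return hdrs


# "Login timed out" CONT body from the healthy switch: user_msg_len 0, data_len 15, flags 0x1 -> 20 bytes
CONT_BODY = struct.pack("!HHB", 0, 15, TAC_PLUS_UNENCRYPTED) + b"Login timed out"


def good_trace():
    sid = 0xE49313AA
    pkts = prelude(0xC1, sid) + [
        ("client", build_header(0xC1, TAC_PLUS_AUTHEN, 5, TAC_PLUS_UNENCRYPTED, sid, len(CONT_BODY))),
        ("server", build_header(0xC1, TAC_PLUS_AUTHEN, 6, TAC_PLUS_UNENCRYPTED, sid, 6)),  # AUTHEN/FAIL reply
    ]
    return replay(sid, pkts)


def bad_trace():
    # The 3560G closed the socket instead of sending CONT; the server's AUTHEN/FAIL goes out with seq 5.
    sid = 0x5E82DC6F
    pkts = prelude(0xC0, sid) + [
        ("server", build_header(0xC0, TAC_PLUS_AUTHEN, 5, TAC_PLUS_UNENCRYPTED, sid, 6)),
    ]
    return replay(sid, pkts)


if __name__ == "__main__":
    for label, res in (("healthy", good_trace()), ("3560G 12.2(46)SE", bad_trace())):
        print(label)
        for sender, seq, why in res:
            print("  %-6s seq %d: %s" % (sender, seq, why))
```

Running it shows the healthy session reaching seq 6 with every packet accepted, while the failing session stops at the server's own AUTHEN/FAIL carrying seq 5, the same parity violation tac_plus logged. The point for anyone reading such logs: the complaint is about the TACACS+ application-layer sequence counter inside one session, not about TCP sequence numbers, so a load-balancing or multipath explanation does not fit a trace where the preceding packets arrived in order.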
04-05-2010 12:35 PM
A bad sequence on a TCP connection usually means there are several transit paths from the source to the destination, and somewhere along the path the packets are taking different physical links towards the destination.
Is that the case here?
Do you have some per-packet load-balancing enabled from the source to the destination?
Regards
Edison
04-05-2010 12:38 PM
Thanks Edison for your reply. We don't have multiple paths to the TACACS server, and some other switches with different models or versions at the same location have no issue with this timeout situation. It sounds more like a bug to me. Not sure if there is any workaround for this?
Lou
04-05-2010 01:05 PM
I did an internal search and I couldn't find a bug that applies to your case.
I recommend migrating to 12.2(44)SE6 if possible.
04-05-2010 01:10 PM
Thank you Edison. That means I need to downgrade the current version? I really don't want to change the software if I can find some workaround. Sigh.
Lou
04-05-2010 01:12 PM
12.2(44)SE6 is not a downgrade from 12.2(46)SE
They are simply different tracks.
(44)SE6 is actually newer than (46)SE.
04-05-2010 01:15 PM
I will test it with one switch tomorrow and let you know the result. Thanks Edison.
04-05-2010 01:20 PM
One additional question about the upgrade. My current version is the IP Base version. Can I upgrade to the IP Services version for free? Thanks.
04-05-2010 01:27 PM
If you have Smartnet, you will be able to download IP Services for free, but legally you need to update your license with your Cisco reseller.
Regards
Edison
04-05-2010 01:28 PM
gotcha. thanks!!!