Possible bug in 3560G 12.22(46) SE

hxmengmetro · ‎04-05-2010

Hi All,

I have one tacacs+ server configured for all cisco devices. Recently I found one issue with 3560G 12.22(46) SE. When the login timeout, the tacacs server just automatically stopped the service due to a bad sequence number. Here is one part of the log message from tacacs server:

------ From here waiting for the password input --------------

type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet

---------------- Timeout when I haven't input my password --------------------

10.1.1.2 tty1: fd 6 eof (connection closed)

Read -1 bytes from 10.1.1.2 tty1, expecting 12

10.1.1.2 tty1: Null reply packet, expecting CONTINUE

login query for 'hxmeng' tty1 from 10.1.1.2 rejected

login failure: hxmeng 10.1.1.30 (10.1.1.2) tty1

Writing AUTHEN/FAIL size=18

PACKET: key=key

version 192 (0xc0), type 1, seq no 5, flags 0x1

session_id 1585634415 (0x5e82dc6f), Data length 6 (0x6)

End header

10.1.1.2: Bad sequence number 5 should be even

I checked the other switch with different version 12.2(35)SE5. No issue at all with same tacacs configuration. The other model like 6504, 2950 don't have this issue either. The normal log information for successful time out should be :

type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=32
PACKET: key=key
version 193 (0xc1), type 1, seq no 5, flags 0x1
session_id 3834844074 (0xe49313aa), Data length 20 (0x14)
End header
type=AUTHEN/CONT
user_msg_len 0 (0x0), user_data_len 15 (0xf)
flags=0x1
User msg:
User data:
Login timed out
End packet

The switch will send AUTHEN/CONT packet to tacacs server, tacacs server will respond disconnect message back (doesn't show here). But that version 3560G just return a NULL packet which caused tacacs server problem. My switch configuration about tacacs is simple:

tacacs-server host 10.20.1.72
tacacs-server key mykey

ip tacacs source-interface Vlan1

I'm using tac_plus for tacacs server purpose.

Please help. I checked the bug toolkit and didn't find the related bug information. But it seems the bug for me. Is there any work around about this if this is the bug.

Any help is really appreciated. Thanks.

Lou

Edison Ortiz · ‎04-05-2010

A bad sequence on a TCP connection usually means there are several transit path from the source to the destination and somewhere along the path the packets are taken different physical links towards the destination.

Is that the case here?

Do you have some per-packet load-balancing enabled from the source to the destination?

Regards

Edison

hxmengmetro · ‎04-05-2010

Thanks Edison for your reply. We don't have multiple path to the TACACS server. And some other switches with different model or version at the same location have no issue for this timeout situation. It more sounds like a bug for me. Not sure is there any work around for this?

Lou

Edison Ortiz · ‎04-05-2010

I did an internal search and I couldn't find a bug that applies to your case.

I recommend migrating to 12.2(44)SE6 if possible.

hxmengmetro · ‎04-05-2010

Thank you Edison. That means I need downgrade the current version? I really don't want to change the software if I can find some workaround. Sigh.

Lou

Edison Ortiz · ‎04-05-2010

12.2(44)SE6 is not a downgrade from 12.2(46)SE

They are simply different tracks.

(44)SE6 is actually newer than (46)SE.

hxmengmetro · ‎04-05-2010

I will test it with one switch tomorrow and let you know the result. Thanks Edison.

hxmengmetro · ‎04-05-2010

One additional question about upgrade. My current version is IPBase version. Can I upgarde to IPService Version for free? Thanks.

Edison Ortiz · ‎04-05-2010

If you have Smartnet, you will be able to download the IP Services for free but legally, you need to update your license with your Cisco reseller.

Regards

Edison

hxmengmetro · ‎04-05-2010

gotcha. thanks!!!