This issue occurs due to the presence of Cisco bug ID CSCsd46369.
The TACACS+ packets sent by the router or switch to the TACACS+ server contain the wrong IP source address. This occurs even though the configuration identifies a specific interface to be used as the IP source address. The TACACS+ server rejects some of the Authentication, Authorization, and Accounting (AAA) requests because they arrive with an unknown IP source address.
This issue is observed on a Cisco 3845 router running Cisco IOS Software 12.4(5) (c3845-adventerprisek9_sna-mz.124-5.bin). Refer to All Affected Versions for other Cisco IOS versions affected by this bug.
As a workaround, perform one of these steps:
- Configure entries for each IP address in use at each Network Attached Storage (NAS) on the TACACS+ server.
- Download and upgrade the Cisco IOS to any of these versions: