
3750 tacacs timeout problem

jbarger
Level 1

We have a stack of switches that can't be logged into using tacacs, the configuration is a clone of at least 30 configurations all the other devices use tacacs just fine. When I run a debug I can clearly see tacacs is timing out and it seems like the packet is dropped. I can ping both tacacs servers but I cannot telnet to port 49. There is no access list applied and I have changed versions of software. I am currently running 15.0.2.10.

Some debug messages...

001945: .May 31 07:46:59.688: TPLUS: Queuing AAA Authentication request 528 for processing
001946: .May 31 07:46:59.688: TPLUS(00000210) login timer started 1020 sec timeout
001947: .May 31 07:46:59.688: TPLUS: processing authentication start request id 528
001948: .May 31 07:46:59.688: TPLUS: Authentication start packet created for 528(username)
001949: .May 31 07:46:59.688: TPLUS: Using server 192.168.1.1
001950: .May 31 07:46:59.688: TPLUS(00000210)/0/NB_WAIT/80304AC: Started 5 sec timeout

001951: .May 31 07:47:04.696: TPLUS(00000210)/0/NB_WAIT/80304AC: timed out
001952: .May 31 07:47:04.696: TPLUS: Choosing next server 192.168.1.2
001953: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Started 5 sec timeout
001954: .May 31 07:47:04.696: TPLUS(00000210)/80304AC: releasing old socket 0
001956: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Socket 1 is in wait state

6 Replies

dmramirez1
Level 1

Can anyone assist with this problem? I have the same.

I had the same problem, TACACS queries were timing out from some switches, but worked on others. I had not restarted the ISE PSN after enabling Device administration service. After PSN restart the problem was fixed. There is also a bug associated with TACACS failing to respond in ISE 2.1 - CSCva93191

I'll be honest, I am not sure of what you are talking about.

What is the ISE PSN?

I am decently new to Tacacs and until this recent switch haven't had any problems. I have verified connectivity but I keep getting Socket 1 is in wait state and then timeouts.

Apologies, I should have asked what product do you use as your TACACS servers?

Using a Cisco SecureACS


Sorry, I have only used Identity Services Engine as TACACS server, not ACS. There are several reasons why the TACACS server would not respond, such as ACLs blocking the traffic somewhere, bugs on the TACACS server, etc. Try capturing traffic at several places in the network to see how far the request goes.
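
An added example, not written by anyone in this thread: a small Python parser that pairs each TPLUS connection attempt in the debug output from the first post with its server and outcome, which helps when comparing a failing switch against a working one or lining the attempts up with a packet capture. The function name `summarize` and the outcome labels are this example's own, and the regular expressions assume the exact line layout shown in the post.

```python
import re

# Debug lines copied from the first post in this thread (subset).
SAMPLE = """\
001949: .May 31 07:46:59.688: TPLUS: Using server 192.168.1.1
001950: .May 31 07:46:59.688: TPLUS(00000210)/0/NB_WAIT/80304AC: Started 5 sec timeout
001951: .May 31 07:47:04.696: TPLUS(00000210)/0/NB_WAIT/80304AC: timed out
001952: .May 31 07:47:04.696: TPLUS: Choosing next server 192.168.1.2
001953: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Started 5 sec timeout
001954: .May 31 07:47:04.696: TPLUS(00000210)/80304AC: releasing old socket 0
001956: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Socket 1 is in wait state
"""

LINE = re.compile(r"^\d+: \.?\w{3} +\d+ (\d+):(\d+):([\d.]+): TPLUS(.*)$")
SERVER = re.compile(r"(?:Using|Choosing next) server (\S+)")
ATTEMPT = re.compile(r"^\((\w+)\)/(\d+)/NB_WAIT/\w+: (.*)$")
STARTED = re.compile(r"Started (\d+) sec timeout")

def summarize(text):
    """One dict per connection attempt, in log order. Assumes the excerpt
    does not cross midnight (only the time of day is parsed)."""
    attempts, server = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        now = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
        body = m[4]
        if (s := SERVER.search(body)):
            server = s[1]          # applies to the next attempt that starts
            continue
        if not (a := ATTEMPT.match(body)):
            continue               # e.g. login timer, socket release
        key, msg = (a[1], int(a[2])), a[3]
        if (st := STARTED.match(msg)):
            attempts[key] = {"session": key[0], "socket": key[1], "server": server,
                             "timeout_s": int(st[1]), "start": now,
                             "outcome": "no result in excerpt", "elapsed_s": None}
        elif key in attempts and msg == "timed out":
            attempts[key]["outcome"] = "timed out"
            attempts[key]["elapsed_s"] = round(now - attempts[key]["start"], 3)
    return list(attempts.values())

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(f'{a["server"]:<15} socket {a["socket"]} {a["outcome"]} '
              f'(limit {a["timeout_s"]}s, elapsed {a["elapsed_s"]})')
```

On the posted excerpt this reports the attempt to 192.168.1.1 as timed out at the 5 second limit, while the attempt to 192.168.1.2 has no recorded result because the excerpt ends while that socket is still in the wait state.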