It looks like its timing out. Do you have the timeout set to 5 seconds? Make sure you can access the ACS server from the device. If that's OK, try increasing your timeout. Also check your ACS failed attempts log and see if there is anything in there.
From the messages I would guess that you are attempting to send the authentication request to the TACACS/ACS and not receiving a response.
The first thing that I would check would be IP connectivity. In checking on this we need to know whether you have configured the option to specify the source address for TACACS packets? If you have specified the source address for TACACS then you need to check connectivity with an extended ping. In the extended ping specify the destination as 10.20..0.10 (the TACACS server) and specify the source address as whatever you have specified in your config as the source for TACACS. If you have not specified the source address then check connectivity with a standard ping to 10.20.0.10.
If there is not a problem with IP connectivity then I suggest that the next thing to check is whether the server is receiving the authentication request. Look in the logs on the server - especially look in the failed attempts report and see if the authentication request was seen and if so why the server did not authenticate it.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...