My customer has many 3560 switches configured with TACACS and several have no servers under the aaa group server tacacs+ xxxxxxxx command in running config but they are there in the startup config.
Some switches do not have them in either config but no one has removed them.
On one of the switches without the servers listed the switch is still going to the TACACS server as shown in a debug TACACS.
TAC+: using previously set server 172.20.1.40 from group xxxxxxx
Can anyone say why these lines maybe missing from the config as if you write memory then the startup will not have the commands as it writes running config to startup config and the customer mistakenly did this.
How on earth does it still see the servers when not configured as when it uses the method list it refers to the TACACS group xxxxxx which has no servers so should error (not fail) then step onto the next method? It goes direct to the TACACS server.
Would the no parser cache command be of use as the configs are not that large?
Any help appreciated. There is authorization and accounting and nothing anywhere shows any change to the configs of all these devices.
I have 2 observations/theories about your issue, but am not convinced that either of them necessarily explains your issue:
- I have seen situations where a command was present, activated, then was removed, but the router/switch continued to operate as if the command was there. For example I have seen a routing protocol with a network statement for an interface, so the interface is activated in the routing protocol. Then remove the network statement, but the protocol is still running on the interface. I wonder if aaa had a config statement for a server, started using that server, and then the config statement was removed, what would happen? I have not tested this and do not know. And if you say that the switches show no config change then it seems unlikely that this is the right explanation for your issue.
- I have seen situations where commands were in the startup config, at boot time there was some issue and certain commands were ignored. So the commands are in startup config but are not in running config, and no config change was made. I am having difficulty thinking of what kind of situation might cause the switch to ignore the server definition at boot time.
Note that if you have the situation where the command is in startup config but not in running config and then you do a write mem or copy running-config startup-config, then you wind up with the command no longer in startup, which might explain part of your issue.
Thanks for your input. I believe it is a bug in 12.2(40)SE as if you have the command in startup config and reload the switch it does not appear in running config but with 12.2(46)SE it is fixed. I have searched the bug database but got no match allthough we can be sure it is a bug.
I suspected this but wanted to know why it refered to servers it does not know about and use the method which should error.
I will ask my customer to use the no parser cache as I think it may be this.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...