It looks to me like the 2600 sends a request to the TACACS server and does not get any response. Probably the first thing I would do would be to test for IP connectivity by seeing if you can do an extended ping from the 2600 to 10.2.1.1 and secifying 10.2.1.254 as the source.
If you can demonstrate that there is IP connectivity the next thing I would look at is a traceroute from the TACACS server to 10.2.1.254. Make sure that the server gets a response and look to see if the response came from the 2600 using address 10.2.1.254. (This will help make sure that the authentication request is sourced from the address that you think it is.)
If that checks out the next thing I would do is to look in the logs on the TACACS server and see if there is any indication that it heard the request from the 2600. If there are log messages they may indicate the nature of the problem.
I am glad that you were able to resolve the issue with the secondary address. From the log messages in this post it is clear that the router is communicating with the TACACS server. Especially receipt of the GETUSER and the GETPASS show that the router is sending to the server and is getting responses. So the addresses are correct and the TACACS keys are ok. I am not sure why the login failed. Probably the best way to find the problem is to look in the logs on the TACACS server. It saw an authentication request and the logs should indicate the reason that the request failed. The obvious possibilities are incorrect entry of the user ID or password, or incorrect configuration of the user in the TACACS server, or the user is not configured in the server for access to this router. But the logs should have the answer.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...