Authorization Commands take 8 seconds to send initial TCP SYN Seq Packet to ACS

Device: 3841

IOS: 15.1(4)M2 ADVSecurity

Commands: AAA Authorization

Problem: Commands take approximately 8 seconds to process when required to authorize with ACS.

Example: The show run command will take 8 seconds to process then output is displayed.

Symptoms: Packet sniff indicates that it takes 8 seconds for the router to send the initial TCP SYN SEQ packet to ACS.

Login to device has no delay

Does anyone know of any bug or other documentation that addresses this symptom and/or problem?


Thank you.

Tom

4 REPLIES

Re: Authorization Commands take 8 seconds to send initial TCP SY

There is a bug with the single connect flag being set. You have that set by any chance?

Are you using host names or ip addresses in your configuration?

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*

Re: Authorization Commands take 8 seconds to send initial TCP SY

We are not using single connect and we are using ip addresses.

Re: Authorization Commands take 8 seconds to send initial TCP SY

Please post the show run | inc aaa and show run | inc tacacs.

Can you also run two separate sessions to the unit and post the debug output of (debug aaa authentication) then run the "test aaa group tacacs+ new-code". Also can you issue the "show process cpu" to see if the CPU may be high on this unit.

Also with the debugs turned off, if you issue a telnet port 49 /source-interface ...and see how long it takes to open the connection.

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: Authorization Commands take 8 seconds to send initial TCP SY

Well good news, you had me looking down the right path. I debugged AAA Authorization and found that for the two commands:

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

the router actually tries to resolve the IP addresses to host names. We had the TACACS servers in by IP but did not have the "no ip domain lookup" command on the box. When I put that command in everything went nice and fast. Thanks for the help!
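Added example (not part of the thread and not Cisco tooling): a small Python check that flags saved running-configs matching the condition described in the last reply, where command authorization is sent to a TACACS+ server group while DNS lookup is left at its default of enabled. The sample configs, the addresses and the helper name `audit` are constructed for illustration.

```python
import re

# Constructed running-config fragments (addresses are documentation ranges).
SLOW_CONFIG = """\
aaa new-model
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
ip name-server 192.0.2.53
tacacs-server host 192.0.2.10
"""
FAST_CONFIG = SLOW_CONFIG + "no ip domain lookup\n"

# aaa authorization commands <level> <list-name> <methods...>
AUTHZ = re.compile(r"^aaa authorization commands (\d+) \S+ (.+)$", re.M)
# IOS accepts both spellings; lookup is on by default, so only the "no" form
# appears in a running-config.
NO_LOOKUP = re.compile(r"^no ip domain[- ]lookup\s*$", re.M)
NAME_SERVER = re.compile(r"^ip name-server (.+?)\s*$", re.M)


def audit(config: str) -> dict:
    """Hypothetical helper: report whether command authorization can stall on DNS."""
    levels = sorted({
        int(m.group(1))
        for m in AUTHZ.finditer(config)
        if "group" in m.group(2).split()  # method list uses a server group
    })
    lookup_disabled = bool(NO_LOOKUP.search(config))
    return {
        "levels": levels,                     # privilege levels sent to the server
        "lookup_disabled": lookup_disabled,   # True once "no ip domain lookup" is set
        "name_servers": NAME_SERVER.findall(config),  # resolvers to check for reachability
        "at_risk": bool(levels) and not lookup_disabled,
    }


if __name__ == "__main__":
    for name, cfg in (("slow", SLOW_CONFIG), ("fast", FAST_CONFIG)):
        print(name, audit(cfg))
```

Run it over archived configs to find other devices that authorize commands remotely and still have DNS lookup enabled.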
