I am trying to troubleshoot an AAA/TACACS problem on a 3825 router. This router is at a remote site and establishes a GRE tunnel secured with IPSEC to another 3825 router at our main site. The router at the main site works perfectly with AAA authentication to our ACS server. The 3825 at the remote location does not. The IOS versions are the same on the routers (c3825-advsecurityk9-mz.124-3g). However, the access switches at the remote location do work properly with the AAA authentication. This is very confusing. I have tried different TACACS keys but it does not help. Setting DEBUG TACACS AUTHENTICATION, I encountered the following messages:
Dec 20 13:38:40: TPLUS: received bad AUTHEN packet: length = 6, expected 111171
Dec 20 13:38:40: TPLUS: Invalid AUTHEN packet (check keys).
The debug message does seem to point pretty clearly to a mismatch in the key. I would suggest that on both the router and the TACACS server that you remove the key and reconfigure the key.
I also wonder if there is possibly some confusion about what IP address the router is using as the source address in the authentication request packet. If you look on the logs of the TACACS server (especially in the failed attempts) do you see the inbound authentication request - and if so what do the logs indicate about the server response?
I am doing TACACS authentication for a lot of routers over IPSec/GRE tunnels and it works fine.
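Why a key mismatch surfaces as a length error, shown as an added example that is not part of the original thread: TACACS+ (RFC 8907) XORs the packet body with an MD5 pad derived from the shared key, so de-obfuscating with the wrong key turns the body's length fields into noise. The keys and session ID are constructed values, and it is an assumption that the debug's "expected" figure is the 6 fixed body bytes plus those two length fields.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5(session_id, key, version, seq_no[, previous hash]), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_reply(session_id, key, status, server_msg=b"", data=b"", seq_no=2, version=0xC0):
    """Authentication REPLY: 12-byte cleartext header plus obfuscated body."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = struct.pack("!BBBBII", version, 0x01, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)

def check_reply(packet, key):
    """Return (ok, header_length, expected_length) as a client could compute them."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    _status, _bflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len  # fixed fields + server_msg + data
    return expected == length, length, expected

# Constructed sample: a 6-byte REPLY (status only, no server message, no data).
SERVER_KEY = b"server-side-key"   # constructed value
ROUTER_KEY = b"router-side-key"   # constructed value, deliberately different
PACKET = build_reply(session_id=0x1A2B3C4D, key=SERVER_KEY, status=0x05)

if __name__ == "__main__":
    for label, key in (("matching key", SERVER_KEY), ("mismatched key", ROUTER_KEY)):
        ok, length, expected = check_reply(PACKET, key)
        print(f"{label}: ok={ok} length={length} expected={expected}")
```

The header length stays 6 in both cases because the header is never obfuscated; only the value derived from the body changes with the key.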