Cisco Support Community
New Member

Bad/Invalid Authentication Packet

I am trying to troubleshoot an AAA/TACACS problem on a 3825 router. This router is at a remote site and establishes a GRE tunnel secured with IPSEC to another 3825 router at our main site. The router at the main site works perfectly with AAA authentication to our ACS server. The 3825 at the remote location does not. The IOS versions are the same on the routers (c3825-advsecurityk9-mz.124-3g). However, the access switches at the remote location do work properly with the AAA authentication. This is very confusing. I have tried different TACACS keys but it does not help. Setting DEBUG TACACS AUTHENTICATION, I encountered the following messages:

Dec 20 13:38:40: TPLUS: received bad AUTHEN packet: length = 6, expected 111171

Dec 20 13:38:40: TPLUS: Invalid AUTHEN packet (check keys).

Any help would be appreciated.



Hall of Fame Super Silver

Re: Bad/Invalid Authentication Packet


The debug message does seem to point pretty clearly to a mismatch in the key. I would suggest that on both the router and the TACACS server you remove the key and reconfigure the key.

I also wonder if there is possibly some confusion about what IP address the router is using as the source address in the authentication request packet. If you look on the logs of the TACACS server (especially in the failed attempts) do you see the inbound authentication request - and if so what do the logs indicate about the server response?

I am doing TACACS authentication for a lot of routers over IPSec/GRE tunnels and it works fine.


