Bad/Invalid Authentication Packet

jamie.gleeson · ‎12-20-2007

I am trying to troubleshoot a AAA/TACACS problem on a 3825 router. This router is at a remote site and establishes a GRE tunnel secured with IPSEC to another 3825 router at our main site. The router at the main site works perfectly with AAA authentication to our ACS server. The 3825 at the remote location does not. The IOS versions are the same on the routers (c3825-advsecurityk9-mz.124-3g). However, the access switches at the remote location do work properly with the AAA authentication. This is very confusing. I have tried different TACACS keys but it does not help. Setting DEBUG TACACS AUTHENTICATION I encountered the following messages:

Dec 20 13:38:40: TPLUS: received bad AUTHEN packet: length = 6, expected 111171

Dec 20 13:38:40: TPLUS: Invalid AUTHEN packet (check keys).

Any help would be appreciated.

Thanks

Jamie

Richard Burts · ‎12-22-2007

Jamie

The debug message does seem to point pretty clearly to a mismatch in the key. I would suggest that on both the router and the TACACS server that you remove the key and reconfigure the key.

I also wonder if there is possibly some confusion about what IP address the router is using as the source address in the authentication request packet. If you look on the logs of the TACACS server (especially in the failed attempts) do you see the inbound authentication request - and if so what do the logs indicate about the server response?

I am doing TACACS authentication for a lot of routers over IPSec/GRE tunnels and it works fine.

HTH

Rick

HTH

Rick