
Cannot Telnet to 6500 switch

NETAD
Level 4

Telnet has been working forever on our 6500 switches and today it stopped. We use tacacs. Here's the message we receive when trying to log in:

% Authorization failed.

Here's the tacacs config and aaa:

aaa new-model

!

!

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

!

!

!

aaa session-id common

tacacs-server host 192.168.100.253

tacacs-server timeout 10

tacacs-server directed-request

tacacs-server key 7 ..................................

Other switches are still authenticating properly using the same tacacs.

What could have happened to it? We received a lot of messages saying it could not reach 192.168.100.254 from the management VLAN but TACACS server is actually 254. Can you help please? Tried to create a local username but that didn't work either for a temporary fix.

Thanks.

1 Accepted Solution


Check ACS > reports and activities > failed attempts.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


14 Replies

Jatin Katyal
Cisco Employee

Please help me with:

show run | begin line vty

debug tacacs

debug aaa authen

debug aaa author

Do you see any hits on the ACS under reports and activities?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks for your help. What option do I select under reports and activity? I will get you the debug info in a second.

line vty 0 4

exec-timeout 60 0

password 7 ......................

line vty 5 15

exec-timeout 60 0

password 7 ..........................

!

.Sep 26 16:54:33.538 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing

.Sep 26 16:54:33.538 EDT: TPLUS: processing accounting request id 5531

.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV task_id=7744

.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV timezone=EDT

.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV service=shell

.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV start_time=1380228873

.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV priv-lvl=15

.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV cmd=debug aaa authentication

.Sep 26 16:54:33.538 EDT: TPLUS: Accounting request created for 5531(ssaab)

.Sep 26 16:54:33.538 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+

.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout

.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2

.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 143 bytes request

.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: Would block while reading

.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)

.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response

.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet

.Sep 26 16:54:33.546 EDT: TPLUS: Received accounting response with status PASS

.Sep 26 16:54:42.450 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing

.Sep 26 16:54:42.450 EDT: TPLUS: processing accounting request id 5531

.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV task_id=7745

.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV timezone=EDT

.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV service=shell

.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV start_time=1380228882

.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV priv-lvl=15

.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV cmd=debug aaa authorization

.Sep 26 16:54:42.450 EDT: TPLUS: Accounting request created for 5531(ssaab)

.Sep 26 16:54:42.450 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+

.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout

.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2

.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 142 bytes request

.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: Would block while reading

.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)

.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response

.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet

.Sep 26 16:54:42.458 EDT: TPLUS: Received accounting response with status PASS

.Sep 26 16:55:02.830 EDT: AAA/BIND(0000159F): Bind i/f 

.Sep 26 16:55:02.830 EDT: AAA/AUTHEN/LOGIN (0000159F): Pick method list 'default'

.Sep 26 16:55:02.830 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing

.Sep 26 16:55:02.834 EDT: TPLUS: processing authentication start request id 5535

.Sep 26 16:55:02.834 EDT: TPLUS: Authentication start packet created for 5535(ssaab)

.Sep 26 16:55:02.834 EDT: TPLUS: Using server 192.168.100.253

.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT/528154D8: Started 10 sec timeout

.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2

.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 42 bytes request

.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: Would block while reading

.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 16 bytes data)

.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 28 bytes response

.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/528154D8: Processing the reply packet

.Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)

.Sep 26 16:55:06.407 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing

.Sep 26 16:55:06.407 EDT: TPLUS: processing authentication continue request id 5535

.Sep 26 16:55:06.407 EDT: TPLUS: Authentication continue packet generated for 5535

.Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE/52A57824: Started 10 sec timeout

.Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE: wrote entire 25 bytes request

.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)

.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response

.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/52A57824: Processing the reply packet

.Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)

.Sep 26 16:55:06.427 EDT: AAA/AUTHOR (0x159F): Pick method list 'default'

.Sep 26 16:55:06.427 EDT: TPLUS: Queuing AAA Authorization request 5535 for processing

.Sep 26 16:55:06.427 EDT: TPLUS: processing authorization request id 5535

.Sep 26 16:55:06.427 EDT: TPLUS: Protocol set to None .....Skipping

.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell

.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*

.Sep 26 16:55:06.427 EDT: TPLUS: Authorization request created for 5535(ssaab)

.Sep 26 16:55:06.427 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+

.Sep 26 16:55:06.427 EDT: TPLUS(0000159F)/0/NB_WAIT/47A1ECA0: Started 10 sec timeout

.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2

.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 61 bytes request

.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: Would block while reading

.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)

.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1

.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response

.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/47A1ECA0: Processing the reply packet

.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL

.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED

.Sep 26 16:55:14.751 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing

.Sep 26 16:55:14.755 EDT: TPLUS: processing accounting request id 5531

.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV task_id=7746

.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV timezone=EDT

.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV service=shell

.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV start_time=1380228914

.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV priv-lvl=15

.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV cmd=show logging

.Sep 26 16:55:14.755 EDT: TPLUS: Accounting request created for 5531(ssaab)

.Sep 26 16:55:14.755 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+

.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT/52A4402C: Started 10 sec timeout

.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2

.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 131 bytes request

.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: Would block while reading

.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)

.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1

.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response

So this is what we are getting, but I also see you're not using exec-authorization:

.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL

.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED

Can you paste show run | in single-connect?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
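Added example (not part of the original thread and not Cisco tooling): a short Python parser for the `debug tacacs` output above that groups lines by AAA request id and names the phase that failed. The function names and result labels are assumptions made for this example; the sample lines are a subset of the log posted in this thread.

```python
import re
# Subset of the debug lines posted in this thread, embedded so the example runs offline.
SAMPLE = """\
.Sep 26 16:54:33.538 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:54:33.546 EDT: TPLUS: Received accounting response with status PASS
.Sep 26 16:55:02.834 EDT: TPLUS: processing authentication start request id 5535
.Sep 26 16:55:02.834 EDT: TPLUS: Using server 192.168.100.253
.Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)
.Sep 26 16:55:06.407 EDT: TPLUS: processing authentication continue request id 5535
.Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)
.Sep 26 16:55:06.427 EDT: TPLUS: processing authorization request id 5535
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
"""

REQ = re.compile(r"processing (authentication|authorization|accounting)\b.*request id (\d+)")
STATUS = {  # result key -> pattern capturing the server's reply status
    "authen": re.compile(r"Received authen response status (\w+)"),
    "author": re.compile(r"received authorization response for \d+: (\w+)"),
    "acct": re.compile(r"Received accounting response with status (\w+)"),
}
AV = re.compile(r"Sending AV (\S.*)$")
SERVER = re.compile(r"[Uu]sing (?:previously set )?server (\S+)")

def parse(text):
    """Group TPLUS debug lines by AAA request id; the last status seen per phase wins."""
    reqs, cur, phase = {}, None, None
    for line in text.splitlines():
        if m := REQ.search(line):
            phase, cur = m.groups()
            reqs.setdefault(cur, dict(authen=None, author=None, acct=None, avs=[], server=None))
        elif cur is not None:
            for key, pat in STATUS.items():
                if m := pat.search(line):
                    reqs[cur][key] = m.group(1)
            if (m := AV.search(line)) and phase == "authorization":
                reqs[cur]["avs"].append(m.group(1))  # AV pairs sent in the authorization request
            if m := SERVER.search(line):
                reqs[cur]["server"] = m.group(1)
    return reqs

def diagnose(r):
    if r["authen"] == "PASS" and r["author"] == "FAIL":
        return "authz-denied-by-server"  # server answered and refused the exec shell
    if r["authen"] is None and r["author"] is None:
        return "accounting-only" if r["acct"] else "no-reply"
    return {"PASS": "ok", "FAIL": "authen-rejected"}.get(r["authen"], "incomplete")
```

For request 5535 this reports `authz-denied-by-server`: the server at 192.168.100.253 was reachable, accepted the password, and then rejected `service=shell cmd*`. Because the server replied FAIL rather than not responding, IOS does not move on to a later method in the list such as `if-authenticated`.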

Nothing comes up when I do show run | in single-connect. Now this was working before. I don't know why it stopped.

This is the correct config from the 6509:

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

Last time you pasted the below listed config without the command in bold.

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

**aaa authorization exec default group tacacs+ if-authenticated**

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

On the Tacacs server, please make sure the privilege level is set to 15 for that user. What code of ACS server are you using?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Yes, I apologize, I was in the wrong switch. We are running ACS 3.3. Users are inheriting group settings and it's set to level 15.

Check ACS > reports and activities > failed attempts.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

09/26/2013,16:26:04,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.2

09/26/2013,13:07:33,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.4

Any more thoughts on this, Jatin?

Never mind. It worked by itself now.

Started working on its own...:)

Thanks for closing the discussion.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Yes, it's crazy. I don't know why this happened.