When I shutdown the primary ACS service, the authentication and accounting take a long time to process. Is it normal? Whenever new command is enter, it take sometime to display after the command authorization. The time toke almost the same as timeout configure.
The primary ACS is working fine without any delay if it's up and running.
Anything that I can do to fine tune?
Here are the configuration that I have :
aaa group server tacacs+ ACSSE
server-private 192.168.128.28 key abcacs01
server-private 192.168.136.35 key abcacs01
ip tacacs source-interface bvi1
aaa authentication login default group ACSSE line
aaa authentication enable default enable
aaa authorization exec default group ACSSE if-authenticated
aaa authorization commands 15 default group ACSSE if-authenticated
aaa authorization config-commands
aaa accounting update newinfo
aaa accounting exec default start-stop group ACSSE
aaa accounting commands 15 default start-stop group ACSSE
aaa accounting connection default start-stop group ACSSE
aaa accounting system default start-stop group ACSSE
Re: configuration command take long time to display
Your description of the issue sounds like your router is sending its request to the first TACACS sever and is waiting for a response but it does not receive a response. So it waits for the timeout and when the first request times out it sends the request to the second server.
If the router received an immediate answer or if it could not establish a connection to the primary server then you would not have the delay. You might be able to confirm this by running debug tacacs authentication or debug tacacs accounting. I believe that you will see your router send a request to the primary and then not receive a response (or it may receive some response which it does not interpret as not available).
If you want to tune this you could adjust the timeout value to a shorter value. But I believe that a better solution would be to figure out why the server is not sending any response.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :