New Member

PIX AAA To tacacs server not reliable

I've got a couple of different platforms of PIX, 535s and FWSMs mainly all running the latest code. I have them all configured similarly with regards to AAA via tacacs:

aaa-server TACACS protocol tacacs+

aaa-server TACACS host <Removed> key <removed>

username <removed> password <removed> encrypted privilege 15

aaa authentication enable console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa accounting command TACACS

Now, sometimes I can get in with my tacacs account but other times I have to use the local backup account. There seems to be no reason behind it. My routers, all pointing to the same TACACS server, have no issues like this. The PIXes, however, are totally unreliable in this regard.

Anyone experiencing this?

6 REPLIES
Cisco Employee

Re: PIX AAA To tacacs server not reliable

Hello mlipsey,

This shouldn't be. Do the ACS logs reveal anything? What about

debug tacacs

debug aaa authentication

Can you send 1000 pings to the tacacs server from your FWs without issue? Any packet loss?

Hope this helps! If so, please rate.

Thanks!

New Member

Re: PIX AAA To tacacs server not reliable

I can ping it no problem; I did a quick thousand with no issue. I did even more and still no issue. There is no connectivity problem. I'm not using Cisco ACS, though; I'm using an open-source TAC_Plus on Linux. I will check in its logs, but previous checking didn't reveal anything.

New Member

Re: PIX AAA To tacacs server not reliable

A connectivity issue between the PIX and ACS.

Try increasing the timeout of the tacacs server.

New Member

Re: PIX AAA To tacacs server not reliable

How do you increase that timeout? I don't see a command for that. I see the command to decrease or increase the time before it tries a dead server, but not the actual timeout value before it considers it dead.

Cisco Employee

Re: PIX AAA To tacacs server not reliable

What command are you referring to?

I see

aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]

New Member

Re: PIX AAA To tacacs server not reliable

You can increase the timeout in the aaa-server command:

aaa-server servertag (if_name) host ip key [timeout]
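The thread's diagnosis hinges on a gap in the ping test: ICMP reachability says nothing about whether the TACACS+ daemon on TCP/49 answers within the firewall's aaa-server timeout. The script below is an added example, not from the original thread or any Cisco tool; it repeatedly opens a TCP connection to the server, records the worst connect latency, and compares it with the configured timeout so a slow-but-reachable server is caught before the PIX falls through to LOCAL. The loopback listener, the attempt count and the 5-second aaa timeout are constructed assumptions for an offline run.

```python
import socket
import threading
import time

TACACS_PORT = 49  # TACACS+ runs over TCP/49; ICMP ping does not exercise it

def tcp_probe(host, port=TACACS_PORT, attempts=20, timeout=5.0):
    """Connect `attempts` times and record each connect latency in ms.
    A slow but reachable server shows as a high 'max_ms' with zero failures."""
    latencies, failed = [], 0
    for _ in range(attempts):
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                latencies.append((time.monotonic() - start) * 1000.0)
        except OSError:  # refused, timed out, unreachable
            failed += 1
    return {"attempts": attempts, "failed": failed,
            "max_ms": max(latencies) if latencies else None}

def verdict(result, aaa_timeout):
    """Judge the probe against the firewall's aaa-server timeout (seconds).
    A failure or a worst case above that timeout is a window in which the
    PIX would give up on TACACS and fall through to LOCAL."""
    if result["failed"]:
        return "unreachable"
    if result["max_ms"] > aaa_timeout * 1000.0:
        return "too slow for aaa timeout"
    return "ok"

def _local_listener():
    """Constructed stand-in for a TACACS+ daemon so the script runs offline:
    a loopback listener that accepts and immediately closes connections."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = _local_listener()  # for a real check: the server IP and port 49
    res = tcp_probe("127.0.0.1", port, attempts=50)
    print(res, verdict(res, aaa_timeout=5))
```

Run it from a host on the same segment as the firewall's inside interface, against the real server on port 49, and a "too slow" verdict points at the timeout argument discussed above rather than at connectivity.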
