TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding

carlbryant
Level 1

TACACS+ configured on router and router is in ACS. I can ping the ACS but the router cannot establish a connection to authenticate users.

aaa group server tacacs+ hq_acs-1
server 10.20.17.2
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+

BigTree_3945#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.4.3.1        YES NVRAM  down                  down
GigabitEthernet0/1         10.12.10.26     YES NVRAM  up                    up
Serial0/2/0                unassigned      YES NVRAM  down                  down
Serial0/2/0.602            10.12.15.10     YES NVRAM  down                  down

Apr 13 11:08:13.673: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:13.673: TPLUS: processing authentication start request id 79
Apr 13 11:08:13.675: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:13.675: TPLUS: Using server 10.20.17.2
Apr 13 11:08:13.675: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:18.676: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:25.834: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:25.834: TPLUS: processing authentication start request id 79
Apr 13 11:08:25.834: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:25.834: TPLUS: Using server 10.20.17.2
Apr 13 11:08:25.834: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:30.836: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:43.689: TAC: Using default tacacs server-group "tacacs" list.
Apr 13 11:08:43.689: TAC+: Opening TCP/IP to 10.20.17.2/49 timeout=5
Apr 13 11:08:51.057: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:51.057: TPLUS: processing authentication start request id 79
Apr 13 11:08:51.057: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:51.057: TPLUS: Using server 10.20.17.2
Apr 13 11:08:51.057: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
Apr 13 11:08:54.692: TPLUS: Queuing AAA Accounting request 76 for processing
Apr 13 11:08:54.692: TPLUS: processing accounting request id 76
Apr 13 11:08:54.692: TPLUS: Sending AV task_id=332
Apr 13 11:08:54.692: TPLUS: Sending AV timezone=EDT
Apr 13 11:08:54.692: TPLUS: Sending AV service=shell
Apr 13 11:08:54.692: TPLUS: Sending AV start_time=1334329734
Apr 13 11:08:54.692: TPLUS: Sending AV priv-lvl=15
Apr 13 11:08:54.692: TPLUS: Sending AV cmd=show logging <cr>
Apr 13 11:08:54.692: TPLUS: Accounting request created for 76(n20j03t)
Apr 13 11:08:54.692: TPLUS: Using server 10.20.17.2
Apr 13 11:08:54.692: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: Started 5 sec timeout
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:56.058: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out, clean up
Apr 13 11:08:59.693: TPLUS(0000004C)/1/20FD90EC: Processing the reply packet
BigTree_3945#

AAA Client IP Address
Key
Network Device Group
Authenticate Using
Single Connect TACACS+ AAA Client (Record stop in accounting on failure).

The 10.12.10.* range is listed under the HQ site.

Your help is greatly appreciated.



1 Accepted Solution


You stated that you can ping ACS from the router, did you try sourcing the packets from the GigabitEthernet 0/0 interface (which is the one TACACS+ will try to use, given the configuration that you posted)?

What does the network path between the router and ACS look like (i.e., any firewalls, NAT, etc.)?

Can you connect to port 49 at the ACS IP address from the router, sourcing the packets from GigabitEthernet 0/0?

Are you using VRFs?

What version of IOS?

It was the source interface, I changed to one that was up and it works now. Not sure why that is, I deployed another router to a different with the same config and it works with the interface in a down state.
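
The mismatch identified in this thread (a TACACS+ source interface that is down) can be checked offline from collected router output. The following is an added example, not part of the original posts: it cross-references `ip tacacs source-interface` lines against `show ip interface brief`, and goes slightly beyond the thread by also covering `ip radius source-interface`. The function names are hypothetical and the sample input is constructed from the output posted above.

```python
import re

# Constructed sample input: the relevant lines of the output posted in this thread.
RUNNING_CONFIG = """\
aaa group server tacacs+ hq_acs-1
server 10.20.17.2
ip tacacs source-interface GigabitEthernet0/0
"""

SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.4.3.1        YES NVRAM  down                  down
GigabitEthernet0/1         10.12.10.26     YES NVRAM  up                    up
Serial0/2/0                unassigned      YES NVRAM  down                  down
Serial0/2/0.602            10.12.15.10     YES NVRAM  down                  down
"""

# Matches the global form and the indented per-server-group form of the command.
SOURCE_IF_RE = re.compile(r"^\s*ip (tacacs|radius) source-interface (\S+)", re.M)
# One data row of 'show ip interface brief'; the header row fails on the YES/NO column.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?:YES|NO)\s+\S+\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$", re.M)

def parse_interfaces(brief):
    """Map interface name -> (ip, status, protocol)."""
    return {m["name"]: (m["ip"], m["status"], m["proto"])
            for m in ROW_RE.finditer(brief)}

def audit_source_interfaces(config, brief):
    """Return (protocol, interface, reason) for each AAA source interface to review."""
    interfaces = parse_interfaces(brief)
    findings = []
    for proto, ifname in SOURCE_IF_RE.findall(config):
        state = interfaces.get(ifname)
        if state is None:
            findings.append((proto, ifname, "interface not present"))
        elif state[0] == "unassigned":
            findings.append((proto, ifname, "no IP address assigned"))
        elif state[1] != "up" or state[2] != "up":
            findings.append((proto, ifname, f"{state[0]} is {state[1]}/{state[2]}"))
    return findings

if __name__ == "__main__":
    for proto, ifname, reason in audit_source_interfaces(RUNNING_CONFIG, SHOW_IP_INT_BRIEF):
        print(f"{proto} source-interface {ifname}: {reason}")
```
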