TACACS not working in ASA 8.0(3)

We have quite a few ASAs with similar TACACS and crypto configs, but yesterday we had an issue with a PIX and swapped the PIX with an ASA 8.0(3). The tunnel is up and running, but we are not able to log in using TACACS even after the configs, and I found a bug on cisco.com which asks us to use the command "crypto map set reverse-route":
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454
Even after configuring it right, I am not able to log in using TACACS. Can someone tell me how to use this command, or any other way?
Thanks in advance.

We have a tunnel established with the remote ASA and here are the related configs; let me know if you need anything else. Thanks for replying though.
Local device configs:
aaa-server protocol tacacs+
aaa-server host < ip>
aaa authentication ssh console
aaa authentication http console
access-list extended permit ip any
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map 20 match address
crypto map 20 set peer x.x.x.x
crypto map 20 set transform-set ESP-3DES-MD5
crypto map 20 set reverse-route
crypto map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
crypto isakmp policy 65535
Remote ASA:
access-list remark MobileAL
access-list extended permit ip any ip add subnet
crypto map 1925 match address outside_1925_cryptomap
crypto map 1925 set peer
crypto map 1925 set transform-set ESP-3DES-MD5
crypto map 1925 set security-association lifetime seconds 86400
crypto map 1925 set nat-t-disable
crypto map 1925 set reverse-route

Similar Messages

  • Tacacs not working for 5508

    TACACS not working for 3 new 5508 WLCs; working fine for 6 old 4400 WLCs.
    Before the 7.116 code upgrade I remember the 5508s were working on and off, and now they are not.
    Same configs on the switch, WLC and ACS.
    Debug on the WLC gives the below message when TACACS is attempted:
    *aaaQueueReader: Oct 25 09:20:41.700: tplus_processAuthRequest: memory alloc failed for tplus
    Any pointers for troubleshooting? Not sure why the statistics show zero. RADIUS is working for users.
    (wlc03) >show tacacs auth statistics
    Authentication Servers:
    Server Index..................................... 1
    Server Address................................... 10.3.121.21
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    Server Index..................................... 2
    Server Address................................... 10.3.121.22
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    (wlc03) >show tacacs summary
    Authentication Servers
    Idx  Server Address    Port    State     Tout
    1    10.3.121.21     49      Enabled   5    
    2    10.3.121.22      49      Enabled   5    
    Authorization Servers
    Idx  Server Address    Port    State     Tout
    1    10.3.121.21      49      Enabled   30   
    2    10.3.121.22     49      Enabled   5    
    Accounting Servers
    Idx  Server Address    Port    State     Tout
    1    10.3.121.21      49      Enabled   5 
    We can ping the TACACS servers...

    >show memory statistics
    System Memory Statistics:
    Total System Memory............: 1028820992 bytes
    Used System Memory.............: 458424320 bytes
    Free System Memory.............: 570396672 bytes
    Bytes allocated from RTOS......: 21939008 bytes
    Chunks Free....................: 29 bytes
    Number of mmapped regions......: 45
    Total space in mmapped regions.: 212779008 bytes
    Total allocated space..........: 12015112 bytes
    Total non-inuse space..........: 9923896 bytes
    Top-most releasable space......: 133800 bytes
    Total allocated (incl mmap)....: 234718016 bytes
    Total used (incl mmap).........: 224794120 bytes
    Total free (incl mmap).........: 9923896 bytes
    show buffers
    Pool[00]: 16 byte chunks
        chunks in pool:    50000
        chunks in use:     19030
        bytes in use:      304480
        bytes requested:   90479 (214001 overhead bytes)
    Pool[01]: 64 byte chunks
        chunks in pool:    40000
        chunks in use:     14519
        bytes in use:      929216
        bytes requested:   566395 (362821 overhead bytes)
    Pool[02]: 128 byte chunks
        chunks in pool:    20000
        chunks in use:     7726
        bytes in use:      988928
        bytes requested:   672853 (316075 overhead bytes)
    Pool[03]: 256 byte chunks
        chunks in pool:    4000
        chunks in use:     808
        bytes in use:      206848
        bytes requested:   154777 (52071 overhead bytes)
    Pool[04]: 1024 byte chunks
        chunks in pool:    15300
        chunks in use:     11645
        bytes in use:      11924480
        bytes requested:   4945714 (6978766 overhead bytes)
    Pool[05]: 2048 byte chunks
        chunks in pool:    1000
        chunks in use:     189
        bytes in use:      387072
        bytes requested:   355272 (31800 overhead bytes)
    Pool[06]: 4096 byte chunks
        chunks in pool:    1000
        chunks in use:     36
        bytes in use:      147456
        bytes requested:   102479 (44977 overhead bytes)
    Raw Pool:
        chunks in use:     186
        bytes requested:   156052303
    show process memory

  • ACL not working in ASA 8.4

    An ACL has been applied on the inside interface of the ASA 8.4 but it is not working. The aim of this list is to allow only a few hosts outside access and deny the rest of the hosts outside access. The syntax of the access list is:
    access-list ACL-Inside extended permit ip host 192.168.100.101 any
    access-list ACL-Inside extended permit ip host 192.168.100.108 any
    access-list ACL-Inside extended permit ip host 192.168.100.109 any
    access-list ACL-Inside extended permit ip host 192.168.100.243 any
    access-list ACL-Inside extended permit ip host 192.168.100.241 any
    access-group ACL-Inside in interface inside

    Did you configure the NAT statement for the inside hosts to be mapped to a public IP? The below config will NAT 192.168.100.0 -100.254 to the outside interface, and the access-list you defined only allows those hosts to go out.
    object network Inside_Net
    subnet 192.168.100.0 255.255.255.0
    nat (inside,outside) dynamic interface
    If you already did the above config, please send us the packet capture as Mike requested.

  • Nexus 1KV TACACS+ Not Working

    I have been trying to get my Nexus 1KV working with AAA/TACACS+ and I'm stumped.
    The short version is that I see where the issue is, but can't seem to resolve it.
    When I try to log in using TACACS, it fails.  The ACS server reports InvalidPassword.
    The CLI on the Nexus shows:
    2011 Sep  9 16:37:13 NY_nexus1000v %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
    2011 Sep  9 16:37:14 NY_nexus1000v %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user gtopf from 192.168.20.151 - sshd[15675]
    2011 Sep  9 16:37:23 NY_nexus1000v %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user gtopf from 192.168.20.151 - sshd[15672]
    And an AAA test from the nexus fails.
    I have good connectivity between the two boxes, I can ping, and obviously the failed login showing on ACS shows that it's talking, but it's just not working.
    My config is below (Ethernet port configs omitted):
    !Command: show running-config
    !Time: Fri Sep  9 16:45:49 2011
    version 4.2(1)SV1(4a)
    no feature telnet
    feature tacacs+
    feature lacp
    username admin password 5 $1$Q50UpgN/$4eu39QmZHLTf3FAkwwdOF1  role network-admin
    banner motd #Nexus 1000v Switch#
    ssh key rsa 2048
    ip domain-lookup
    ip domain-lookup
    ip name-server 192.168.20.10
    tacacs-server timeout 30
    tacacs-server host 192.168.20.30 key 7 "j3gp0"
    aaa group server tacacs+ TacServer
        server 192.168.20.30
        deadtime 15
        use-vrf management
        source-interface mgmt0
    hostname NY_nexus1000v
    ntp server 192.168.20.10
    aaa authentication login default group TacServer
    aaa authentication login console group TacServer
    aaa authentication login error-enable
    tacacs-server directed-request
    vrf context management
      ip route 0.0.0.0/0 192.168.240.1
    vlan 1,20,40,240
    lacp offload
    port-channel load-balance ethernet source-mac
    port-profile default max-ports 32
    port-profile type ethernet Unused_Or_Quarantine_Uplink
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type vethernet Unused_Or_Quarantine_Veth
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type ethernet system-uplink
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 20,40,240
      channel-group auto mode active
      no shutdown
      system vlan 240
      description "System profile for critical ports"
      state enabled
    port-profile type vethernet data20
      vmware port-group
      switchport mode access
      switchport access vlan 20
      no shutdown
      description "Data profile for VM traffic 20 VLAN"
      state enabled
    port-profile type vethernet data40
      vmware port-group
      switchport mode access
      switchport access vlan 40
      no shutdown
      description "Data profile for VM traffic 40 VLAN"
      state enabled
    port-profile type vethernet data240
      vmware port-group
      switchport mode access
      switchport access vlan 240
      no shutdown
      description "Data profile for VM traffic 240 VLAN"
      state enabled
    port-profile type vethernet system-upilnk
      description "Uplink profile for VM traffic"
    vdc NY_nexus1000v id 1
      limit-resource vlan minimum 16 maximum 2049
      limit-resource monitor-session minimum 0 maximum 2
      limit-resource vrf minimum 16 maximum 8192
      limit-resource port-channel minimum 0 maximum 768
      limit-resource u4route-mem minimum 32 maximum 32
      limit-resource u6route-mem minimum 16 maximum 16
      limit-resource m4route-mem minimum 58 maximum 58
      limit-resource m6route-mem minimum 8 maximum 8
    interface port-channel1
      inherit port-profile system-uplink
      vem 3
    interface port-channel2
      inherit port-profile system-uplink
      vem 4
    interface port-channel3
      inherit port-profile system-uplink
      vem 5
    interface port-channel4
      inherit port-profile system-uplink
      vem 6
    interface mgmt0
      ip address 192.168.240.10/24
    interface control0
    line console
    boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-1
    boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-1
    boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-2
    boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-2
    svs-domain
      domain id 500
      control vlan 240
      packet vlan 240
      svs mode L2 
    svs connection vcenter
      protocol vmware-vim
      remote ip address 192.168.20.127 port 80
      vmware dvs uuid "52 8b 1d 50 44 9d d7 1f-b6 25 76 f1 f7 97 d8 5e" datacenter-name 28th St Datacenter
      max-ports 8192
      connect
    vsn type vsg global
      tcp state-checks
    vnm-policy-agent
      registration-ip 0.0.0.0
      shared-secret **********
      log-level

    FYI...
    I was able to get TACACS+ auth working using the commands in the Original Post (without the two additional suggestions) as follows...
    1000v# conf t
    1000v(config)# feature tacacs+
    1000v(config)# tacacs-server host 192.168.1.1 key 0
    1000v(config)# aaa group server tacacs+ TacServer
    1000v(config-tacacs+)# server 192.168.1.1
    1000v(config-tacacs+)# use-vrf management
    1000v(config-tacacs+)# source-interface mgmt 0
    1000v(config-tacacs+)# aaa authentication login default group TacServer local
    1000v(config)# aaa authentication login error-enable
    1000v(config)# tacacs-server directed-request
    I guess the OP had some other problem (perhaps incorrect shared secret??)

  • TACACS not working - Need help

    Hi,
    I have implemented TACACS in a VPN VRF environment but it is not working; I am not able to route the ACS servers' IPs through the VRF-VPN.
    Configuration pasted below:
    aaa authentication login default group tacacs+ line
    aaa authentication login no_tacacs line
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip tacacs source-interface VLAN1
    tacacs-server host X.X.X.X
    tacacs-server host 10.10.10.4
    tacacs-server key 7 ####################333
    tacacs-server administration
    aaa group server tacacs+ tacacs1
    server-private 10.10.10.4 key ############
    ip vrf forwarding LAN
    ip tacacs source-interface VLAN1

    Hi, sorry for the late reply.
    Please find below the logs from the router:
    Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2
    Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC
    Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
    Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f
    Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START
    Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0
    Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
    Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1
    Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0
    Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
    Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
    Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0
    Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
    Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
    Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'
    Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default
    Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3
    Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC
    Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'
    Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default
    Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0
    Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2
    Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0
    Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled
    Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'
    Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default
    Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3
    Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC
    Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
    Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP
    Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests
    Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
    Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued

  • TACACS Authentication not working with ASA

    I have an ACS 4.1 Windows server running TACACS. It is working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything, and the ASA can ping the ACS box and the ACS box can ping the ASA.
    I added the configuration below, but the authentication fails and no requests come to the ACS server:
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ host 10.x.x.x
    key password
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    Any help would be greatly appreciated.

    Please check the shared secret key. Remember the NDG key overrides the AAA client key.
    Make sure ACS has the correct IP address of the ASA in its network configuration.
    Do you see any hits on ACS for failed or passed attempts? Also try increasing the TACACS timeout to 15 sec.

  • TACACS not working

    Hi Guys
    I have added a 2960X switch to my network and configured it with TACACS. It does not seem to talk to the TACACS ACS server, though I can ping the server and it also authenticates other devices on the network; this new switch only lets me log in with local credentials. I have added the switch to ACS as well.
    When I tried "test aaa group tacacs username password":
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    My config on the switch is:
    aaa group server tacacs+ ACS1
     server 10.10.10.10
    aaa authentication login default group ACS1 local
    aaa authentication enable default group ACS1 enable
    aaa authorization config-commands
    aaa authorization exec default group ACS1 if-authenticated
    aaa authorization commands 1 default group ACS1 if-authenticated
    aaa authorization commands 15 default group ACS1 if-authenticated
    aaa accounting update newinfo
    aaa accounting commands 1 default start-stop broadcast group ACS1
    aaa accounting commands 15 default start-stop broadcast group ACS1
    tacacs-server host 10.10.10.10
    tacacs-server key 12345678
    Thanks

    Thanks Reza
    After some investigation it seemed the issue is with the tacacs-server host 10.10.10.10 command. I realised upon entering this command the cli accepted it but gave a warning message
    "Warning: The cli will be deprecated soon
     'tacacs-server host acs-1 key 0 <my-key>'
     Please move to 'tacacs server <name>' CLI"
    Apparently Cisco have made a few changes to the config. The tacacs-server ACS1 commands didn't work.
    So I entered tacacs-server host 10.10.10.10 key 12345678
    That worked.
    Thanks
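    The warning quoted in the thread points at the newer "tacacs server <name>" CLI. As an added example (not the poster's configuration), here is the same 10.10.10.10 server defined that way and referenced by name from the group, so the key and timeout live in one place instead of being repeated on a deprecated global line. The server name ACS-1 and the 10-second timeout are assumptions; the address, key and group name are taken from the post.

```cisco
! Added example (not the poster's config): new-style TACACS+ server object
! referenced by name from the server group. ACS-1 and the timeout are
! assumptions; 10.10.10.10, the key and the group name come from the post.
tacacs server ACS-1
 address ipv4 10.10.10.10
 key 12345678
 timeout 10
!
aaa group server tacacs+ ACS1
 server name ACS-1
!
aaa authentication login default group ACS1 local
aaa authentication enable default group ACS1 enable
aaa authorization exec default group ACS1 if-authenticated
!
! Verify from a session that is still open before relying on it for logins.
! The group is named explicitly so the test exercises the same server entry
! (and key) that the login method list uses:
! test aaa group ACS1 <username> <password> new-code
```

Keeping "local" as the fallback method in the login list is what let the poster keep getting in while the server definition was wrong; it also means a lost server key fails over to local accounts rather than locking the switch, so those local credentials need the same care as the TACACS+ ones.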

  • Remote Desktop not working via ASA

    Hi Everyone,
    ASA has 2 interfaces inside and sales.
    There is ACL on interface sales that allow RDP on tcp port 3389 from sales to inside subnet 10.0.0.15.
    Interface sales is attached to switch.
    I did a test from the switch:
    2950A#telnet 10.0.0.15 3389
    Trying 10.0.0.15, 3389 ...
    % Connection refused by remote host
    2950A#ping 10.0.0.15
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.15, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
    2950A#
    logs on firewall show
    May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)
    May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I
    Where 10.0.0.15 is PC and this PC is configured to allow Remote desktop connection coming in.
    Any ideas what I can check?
    Regards
    Mahesh

    Hi Jennifer,
    I tested the RDP in both directions no luck.
    Sales has security level
    interface Vlan3
     nameif sales
     security-level 50
     ip address 10.12.12.1 255.255.255.0
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.255.0
    Ping works fine in both directions, meaning from switch to PC and PC to switch, so this should rule out routing, right?
    Seems NAT is not configured between inside and sales.
    Regards
    Mahesh

  • Certificate Revocation List not working on ASA 8.3(1)

    I've configured my SSL VPN for certificate authentication, and authentication with certificates is working fine. However, the ASA is not able to store (cache) the CRL.
    Based on the debug below, the ASA downloads the CRL file but is not able to open it.
    Does anyone know this situation?
    Here is the debug output:
    fwlpasa01/pri/act# crypto ca crl request SSL-VPN
    CRYPTO_PKI: CRL is being polled from CDP http://10.151.1.9/certlist/certcrl.crl.
    crypto_pki_req(7ae32bf0, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 75----------
    CRYPTO_PKI: For function crypto_http_send
    GET /certlist/certcrl.crl HTTP/1.0
    Host: 10.151.1.9
    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump-------------------
    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 1482
    Content-Type: application/pkix-crl
    Server: Microsoft-IIS/7.5
    Set-Cookie: ASPSESSIONIDACBQATBA=IEGHHGMBOHNIGEJIEPJKCFCE; path=/
    Date: Mon, 26 Nov 2012 15:47:38 GMT
    Connection: close
    CRYPTO_PKI: CRL data2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20    |  -----BEGIN X509
    43 52 4c 2d 2d 2d 2d 2d 0d 0a 4d 49 49 45 44 44    |  CRL-----..MIIEDD
    43 43 41 76 51 43 41 51 45 77 44 51 59 4a 4b 6f    |  CCAvQCAQEwDQYJKo
    5a 49 68 76 63 4e 41 51 45 46 42 51 41 77 57 54    |  ZIhvcNAQEFBQAwWT
    45 53 4d 42 41 47 43 67 6d 53 4a 6f 6d 54 38 69    |  ESMBAGCgmSJomT8i
    78 6b 41 52 6b 57 41 6e 70 73 0d 0a 4d 52 4d 77    |  xkARkWAnps..MRMw
    45 51 59 4b 43 5a 49 6d 69 5a 50 79 4c 47 51 42    |  EQYKCZImiZPyLGQB
    47 52 59 44 61 57 35 30 4d 52 67 77 46 67 59 4b    |  GRYDaW50MRgwFgYK
    43 5a 49 6d 69 5a 50 79 4c 47 51 42 47 52 59 49    |  CZImiZPyLGQBGRYI
    65 6d 6c 73 62 47 39 79 5a 57 34 78 0d 0a 46 44    |  emlsbG9yZW4x..FD
    41 53 42 67 4e 56 42 41 4d 54 43 31 70 4a 54 45    |  ASBgNVBAMTC1pJTE
    78 50 55 6b 56 4f 4c 55 4e 42 46 77 30 78 4d 6a    |  xPUkVOLUNBFw0xMj
    45 78 4d 54 6b 78 4e 6a 4d 7a 4d 44 68 61 46 77    |  ExMTkxNjMzMDhaFw
    30 78 4d 6a 45 78 4d 6a 63 77 4e 44 55 7a 0d 0a    |  0xMjExMjcwNDUz..
    4d 44 68 61 4d 46 63 77 47 77 49 4b 52 66 65 4b    |  MDhaMFcwGwIKRfeK
    6b 67 41 41 41 41 41 42 67 52 63 4e 4d 54 49 78    |  kgAAAAABgRcNMTIx
    4d 44 49 35 4d 54 4d 79 4d 7a 41 77 57 6a 41 62    |  MDI5MTMyMzAwWjAb
    41 67 70 46 31 4f 55 76 41 41 41 41 41 41 47 41    |  AgpF1OUvAAAAAAGA
    0d 0a 46 77 30 78 4d 6a 45 77 4d 6a 6b 78 4d 7a    |  ..Fw0xMjEwMjkxMz
    49 7a 4d 44 42 61 4d 42 73 43 43 6a 75 71 30 79    |  IzMDBaMBsCCjuq0y
    41 41 41 41 41 41 41 58 6f 58 44 54 45 79 4d 54    |  AAAAAAAXoXDTEyMT
    41 79 4f 54 45 7a 4d 6a 49 77 4d 46 71 67 67 67    |  AyOTEzMjIwMFqggg
    49 4d 0d 0a 4d 49 49 43 43 44 41 66 42 67 4e 56    |  IM..MIICCDAfBgNV
    48 53 4d 45 47 44 41 57 67 42 52 73 73 75 79 64    |  HSMEGDAWgBRssuyd
    63 2b 6c 54 32 66 6a 75 62 39 66 70 7a 67 42 38    |  c+lT2fjub9fpzgB8
    76 45 36 59 78 54 41 51 42 67 6b 72 42 67 45 45    |  vE6YxTAQBgkrBgEE
    41 59 49 33 0d 0a 46 51 45 45 41 77 49 42 41 44    |  AYI3..FQEEAwIBAD
    41 4c 42 67 4e 56 48 52 51 45 42 41 49 43 41 31    |  ALBgNVHRQEBAICA1
    55 77 48 41 59 4a 4b 77 59 42 42 41 47 43 4e 78    |  UwHAYJKwYBBAGCNx
    55 45 42 41 38 58 44 54 45 79 4d 54 45 79 4e 6a    |  UEBA8XDTEyMTEyNj
    45 32 4e 44 4d 77 0d 0a 4f 46 6f 77 67 63 77 47    |  E2NDMw..OFowgcwG
    41 31 55 64 4c 67 53 42 78 44 43 42 77 54 43 42    |  A1UdLgSBxDCBwTCB
    76 71 43 42 75 36 43 42 75 49 61 42 74 57 78 6b    |  vqCBu6CBuIaBtWxk
    59 58 41 36 4c 79 38 76 51 30 34 39 57 6b 6c 4d    |  YXA6Ly8vQ049WklM
    54 45 39 53 52 55 34 74 0d 0a 51 30 45 73 51 30    |  TE9SRU4t..Q0EsQ0
    34 39 63 33 5a 73 63 47 46 6b 62 54 4d 78 4c 45    |  49c3ZscGFkbTMxLE
    4e 4f 50 55 4e 45 55 43 78 44 54 6a 31 51 64 57    |  NOPUNEUCxDTj1QdW
    4a 73 61 57 4d 6c 4d 6a 42 4c 5a 58 6b 6c 4d 6a    |  JsaWMlMjBLZXklMj
    42 54 5a 58 4a 32 61 57 4e 6c 0d 0a 63 79 78 44    |  BTZXJ2aWNl..cyxD
    54 6a 31 54 5a 58 4a 32 61 57 4e 6c 63 79 78 44    |  Tj1TZXJ2aWNlcyxD
    54 6a 31 44 62 32 35 6d 61 57 64 31 63 6d 46 30    |  Tj1Db25maWd1cmF0
    61 57 39 75 4c 45 52 44 50 58 70 70 62 47 78 76    |  aW9uLERDPXppbGxv
    63 6d 56 75 4c 45 52 44 50 57 6c 75 0d 0a 64 43    |  cmVuLERDPWlu..dC
    78 45 51 7a 31 36 62 44 39 6b 5a 57 78 30 59 56    |  xEQz16bD9kZWx0YV
    4a 6c 64 6d 39 6a 59 58 52 70 62 32 35 4d 61 58    |  Jldm9jYXRpb25MaX
    4e 30 50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57    |  N0P2Jhc2U/b2JqZW
    4e 30 51 32 78 68 63 33 4d 39 59 31 4a 4d 0d 0a    |  N0Q2xhc3M9Y1JM..
    52 47 6c 7a 64 48 4a 70 59 6e 56 30 61 57 39 75    |  RGlzdHJpYnV0aW9u
    55 47 39 70 62 6e 51 77 67 64 67 47 43 53 73 47    |  UG9pbnQwgdgGCSsG
    41 51 51 42 67 6a 63 56 44 67 53 42 79 6a 43 42    |  AQQBgjcVDgSByjCB
    78 7a 43 42 78 4b 43 42 77 61 43 42 76 6f 61 42    |  xzCBxKCBwaCBvoaB
    0d 0a 75 32 78 6b 59 58 41 36 4c 79 38 76 51 30    |  ..u2xkYXA6Ly8vQ0
    34 39 57 6b 6c 4d 54 45 39 53 52 55 34 74 51 30    |  49WklMTE9SRU4tQ0
    45 73 51 30 34 39 63 33 5a 73 63 47 46 6b 62 54    |  EsQ049c3ZscGFkbT
    4d 78 4c 45 4e 4f 50 55 4e 45 55 43 78 44 54 6a    |  MxLENOPUNEUCxDTj
    31 51 0d 0a 64 57 4a 73 61 57 4d 6c 4d 6a 42 4c    |  1Q..dWJsaWMlMjBL
    5a 58 6b 6c 4d 6a 42 54 5a 58 4a 32 61 57 4e 6c    |  ZXklMjBTZXJ2aWNl
    63 79 78 44 54 6a 31 54 5a 58 4a 32 61 57 4e 6c    |  cyxDTj1TZXJ2aWNl
    63 79 78 44 54 6a 31 44 62 32 35 6d 61 57 64 31    |  cyxDTj1Db25maWd1
    63 6d 46 30 0d 0a 61 57 39 75 4c 45 52 44 50 58    |  cmF0..aW9uLERDPX
    70 70 62 47 78 76 63 6d 56 75 4c 45 52 44 50 57    |  ppbGxvcmVuLERDPW
    6c 75 64 43 78 45 51 7a 31 36 62 44 39 6a 5a 58    |  ludCxEQz16bD9jZX
    4a 30 61 57 5a 70 59 32 46 30 5a 56 4a 6c 64 6d    |  J0aWZpY2F0ZVJldm
    39 6a 59 58 52 70 0d 0a 62 32 35 4d 61 58 4e 30    |  9jYXRp..b25MaXN0
    50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57 4e 30    |  P2Jhc2U/b2JqZWN0
    51 32 78 68 63 33 4d 39 59 31 4a 4d 52 47 6c 7a    |  Q2xhc3M9Y1JMRGlz
    64 48 4a 70 59 6e 56 30 61 57 39 75 55 47 39 70    |  dHJpYnV0aW9uUG9p
    62 6e 51 77 44 51 59 4a 0d 0a 4b 6f 5a 49 68 76    |  bnQwDQYJ..KoZIhv
    63 4e 41 51 45 46 42 51 41 44 67 67 45 42 41 4a    |  cNAQEFBQADggEBAJ
    51 6f 2f 78 73 4e 79 34 67 34 31 66 69 45 2b 67    |  Qo/xsNy4g41fiE+g
    46 4d 31 39 62 65 59 2b 52 77 36 74 4c 61 42 52    |  FM19beY+Rw6tLaBR
    34 33 58 64 45 7a 46 4d 63 61 0d 0a 72 55 74 2f    |  43XdEzFMca..rUt/
    70 39 33 73 63 4c 38 63 45 4a 54 48 6d 42 54 33    |  p93scL8cEJTHmBT3
    73 33 79 30 50 42 55 59 6d 35 52 58 36 6f 4c 42    |  s3y0PBUYm5RX6oLB
    41 41 74 4f 42 63 5a 4b 62 33 76 77 58 47 33 2f    |  AAtOBcZKb3vwXG3/
    34 72 65 71 72 6a 39 47 42 61 49 42 0d 0a 30 2b    |  4reqrj9GBaIB..0+
    4f 34 66 37 43 67 4f 78 42 38 47 6d 44 32 69 42    |  O4f7CgOxB8GmD2iB
    31 70 79 56 55 7a 76 52 72 44 37 65 30 69 6a 31    |  1pyVUzvRrD7e0ij1
    35 63 76 6e 58 46 63 6f 75 31 34 50 45 53 6c 6f    |  5cvnXFcou14PESlo
    30 2b 34 75 6b 4e 6d 42 4a 44 57 74 67 6c 0d 0a    |  0+4ukNmBJDWtgl..
    45 47 46 65 6f 4e 30 78 37 2f 63 52 59 53 70 71    |  EGFeoN0x7/cRYSpq
    52 44 48 71 56 59 39 75 34 69 63 44 49 7a 31 4c    |  RDHqVY9u4icDIz1L
    75 78 5a 72 69 35 76 69 63 41 59 4b 62 44 69 4b    |  uxZri5vicAYKbDiK
    30 4b 77 69 64 39 59 71 4b 43 63 76 2f 73 4c 37    |  0Kwid9YqKCcv/sL7
    0d 0a 32 77 2b 53 7a 46 46 75 72 73 54 6c 70 2f    |  ..2w+SzFFursTlp/
    36 74 4c 4d 41 72 6c 30 37 49 4f 65 52 63 51 38    |  6tLMArl07IOeRcQ8
    4c 2b 6a 71 69 6e 44 30 6f 6f 62 53 5a 78 49 30    |  L+jqinD0oobSZxI0
    6b 42 64 54 47 6a 6c 38 68 44 42 77 6d 6a 74 63    |  kBdTGjl8hDBwmjtc
    33 63 0d 0a 6b 39 68 53 58 78 42 65 65 4d 74 74    |  3c..k9hSXxBeeMtt
    53 72 33 48 6f 4c 42 63 6c 76 4d 75 78 64 77 72    |  Sr3HoLBclvMuxdwr
    41 6f 52 49 48 61 64 4f 4b 52 35 54 70 52 34 3d    |  AoRIHadOKR5TpR4=
    0d 0a 2d 2d 2d 2d 2d 45 4e 44 20 58 35 30 39 20    |  ..-----END X509
    43 52 4c 2d 2d 2d 2d 2d 0d 0a                      |  CRL-----..
    CRYPTO_PKI: transaction HTTPGetCRL completedCrypto CA thread sleeps!
    CRYPTO_PKI: Failed to retrieve CRL for trustpoint: SSL-VPN.
      Retrying with next CRL DP...

    Hello everyone!
    I've got the issue solved. The issue was in the CA CDP. I published a new HTTP CDP, and it's working fine.
    Windows CA
    - In Server Manager -> right-click the Certificate Authority object name -> click Properties, then Extensions
    - Create an extension to generate the following URL
    http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
    - Then apply -> ok
    - Under Windows PKI, right-click the Certificate Authority object name, then Refresh
    ASA
    Under the retrieval policy, set it to static and then put the URL above.
    It's done
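    The ASA half of that fix expressed on the CLI rather than in ASDM, as an added example that is not the poster's configuration. The trustpoint name SSL-VPN is the one in the debug and the URL is the republished CDP from the reply; everything else is an assumption about an otherwise-default trustpoint.

```cisco
! Added example (not the poster's config): point the trustpoint at a fixed
! CRL URL instead of the CDP embedded in the certificate. SSL-VPN is the
! trustpoint from the debug; the URL is the one the reply published.
crypto ca trustpoint SSL-VPN
 revocation-check crl
 crl configure
  policy static
  protocol http
  url 1 http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
!
! Fetch the CRL on demand and confirm it is cached. With retrieval working,
! the "Failed to retrieve CRL for trustpoint" line from the debug should
! no longer appear and the CRL should be listed with its next-update time:
! crypto ca crl request SSL-VPN
! show crypto ca crls
```

Note the design choice in "revocation-check crl": with only "crl" listed, a CRL that cannot be fetched causes the certificate to be rejected (fail closed), which is why the poster's users were affected while retrieval was broken. Appending "none" as a second method would accept certificates whenever the CRL is unavailable; that hides outages like this one and also lets a revoked certificate through during them, so keep it off unless availability genuinely outranks revocation for that VPN.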

  • Tacacs+ not working on VRF Interface

    C4948-10G switch running IOS 15.0(2)SG.
    ACS 4.2 cannot authenticate on the VRF interface. The issue is with VRF AAA authentication.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip vrf mgmt
    rd 100:1
    interface fa1
    ip vrf forwarding mgmt
    IP address 192.168.5.1 255.255.255.0
    duplex auto
    speed auto
    ip vrf forwarding mgmt
    aaa group server tacacs+ tacacs+ (command did not prompt to sub-command for server-private ....)
    server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
    tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
    tacacs-server host 192.168.5.76 key secret
    ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
    ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
    ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
    ip tacacs source-interface fa1
    sw2#debug tacacs
    SW2#debug aaa authentication
    SW2#test aaa group tacacs+ tester passwordtest new-code
    Feb  4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
    Feb  4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
    Feb  4 11:36:09.808: TPLUS: processing authentication start request id 0
    Feb  4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
    Feb  4 11:36:09.808: TPLUS: Using server 192.168.5.75
    Feb  4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
    Feb  4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0User rejected
    SW2#
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
    Feb  4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
    SW2#test aaa group tacacs+ tester passwordtest legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    Feb  4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
    Feb  4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Feb  4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
    Feb  4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
    Feb  4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    SW2#
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    SW2#ping vrf mgmt 192.168.5.85
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    SW2#sh ip route vrf mgmt
    Routing Table: mgmt
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
    S       192.168.5.75/32 [1/0] via 192.168.5.2
    S       192.168.5.76/32 [1/0] via 192.168.5.2
    S       192.168.5.85/32 [1/0] via 192.168.5.2
    C       192.168.5.0/24 is directly connected, FastEthernet1
    SW2#sh ip vrf
      Name                             Default RD          Interfaces
      mgmt                             100:1                     Fa1
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtml

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt VRF? Your previous example was showing a ping response to the management workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • TACACS+ not working on WLC

    Hi All,
    I have configured tacacs for WLC. But I am not able to login to WLC using TACACS username and password.
    Getting following message
    Tue Sep 22 15:26:50 2009: Forwarding request to 10.0.0.1
    6 port=49
    Tue Sep 22 15:26:50 2009: tplus response: type=1 seq_no=2 session_id=ecf27238 length=6 encrypted=0
    Tue Sep 22 15:26:50 2009: TPLUS_AUTHEN_STATUS = UNKNOWN(1)
    Thanks
    Jamal.S

    There is radius happening on the auth portion of the WLC.
    There seems to be a misconfiguration issue.
    What do the ACS failed logs say?
    Can you make sure you followed exactly:
    http://cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html#wpmkr1261119

  • Per VRF Tacacs+ - not working

    I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
    I have the following configured:
    aaa new-model
    aaa group server tacacs+ MYGROUP
     server-private 1.2.3.4 key cisco
     ip vrf forwarding vpn_nms
     ip tacacs source-interface Loopback100
    aaa authentication login default local
    aaa authentication login MYGROUP group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group MYGROUP if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    ip cef
    ip vrf forwarding
    ip vrf vpn_nms
     rd 65XXX:3
    interface Loopback100
     description NMS LOOPBACK
     ip vrf forwarding vpn_nms
     ip address 10.10.10.10 255.255.255.255
    tacacs-server host 1.2.3.4
    tacacs-server directed-request
    tacacs-server key cisco
    line con 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
     length 0
     transport input all
    I know some of this config is redundant but I have been trying different things and getting nowhere.

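    Both VRF threads above (the C4948 running 15.0(2)SG and the 2901 running 15.2(4)M2) run into the same structural point: the global "tacacs-server host" entries are reached through the global routing table, so a server that only exists inside a VRF has to be defined with "server-private" inside a named group that carries the "ip vrf forwarding" and "ip tacacs source-interface" settings, and every method list has to name that group rather than the default "tacacs+" group. The following is an added example, not either poster's configuration: the VRF name, loopback, server address and key are taken from the 2901 post ("65XXX:3" is that post's own redacted RD), and the group name MYGROUP is reused from it.

```cisco
! Added example (not either poster's config): per-VRF TACACS+ with the
! server, VRF and source interface attached to one named group, and every
! method list referencing that group by name. Values follow the 2901 post.
aaa new-model
!
ip vrf vpn_nms
 rd 65XXX:3
!
interface Loopback100
 description NMS LOOPBACK
 ip vrf forwarding vpn_nms
 ip address 10.10.10.10 255.255.255.255
!
aaa group server tacacs+ MYGROUP
 server-private 1.2.3.4 key cisco
 ip vrf forwarding vpn_nms
 ip tacacs source-interface Loopback100
!
! Method lists point at MYGROUP, not at the global "tacacs+" group, so the
! VRF-aware server entry is the one actually used. "local" stays as the
! fallback so a reachability problem does not lock the console.
aaa authentication login default group MYGROUP local
aaa authentication enable default group MYGROUP enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group MYGROUP
aaa accounting commands 15 default start-stop group MYGROUP
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
!
! Check reachability inside the VRF from the same source the AAA client
! uses, then exercise the group; both must succeed before logins will. A
! timeout on the second command with nothing logged on ACS means the
! packets are not arriving, which is what the C4948 debug showed.
! ping vrf vpn_nms 1.2.3.4 source Loopback100
! test aaa group MYGROUP <username> <password> new-code
```

Two details worth checking against the posted configurations: the 2901 post's login list "MYGROUP" uses "group tacacs+" (the global group) rather than "group MYGROUP", so its VRF settings are never consulted for logins; and the C4948 post names its group "tacacs+", which is the reserved name of the default group, so giving the VRF-bound group a distinct name is the first thing to try there.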

  • Arp inspection not working on ASA

    Folks,
    I configured a transparent firewall on ASA. I have arp inspection enabled, with dynamic mac learning and dynamic arp. I am able to ping through the transparent firewall using 2 routers with the same mac-address. The firewall shows me that it is learning both the mac-addresses and also forwarding packets, can someone help me understand why this is happening?

    For some reason it will not take the shun command. I've tried every combination I could think of, but it will always fail. I'm guessing there is a bug or that it's just not allowed in transparent mode.
    You have to use the VLAN before the number or it says invalid host. When I do specify VLAN 2 it takes it and then comes back with "Invalid vlan (2) shun failed".

  • Route inside does not work on ASA 8.2(3), ASA cannot ping inside hosts

    Hi Guys,
    I have a problem on one of our ASAs, which seems to be acting strange.
    I copied these routes below onto the ASA, and am able to ping only 10.126.0.32.
    route inside 10.126.0.10 255.225.255.255 10.20.3.1
    route inside 10.126.0.30 255.225.255.255 10.20.3.1
    route inside 10.126.0.31 255.225.255.255 10.20.3.1
    route inside 10.126.0.32 255.225.255.255 10.20.3.1
    route inside 10.126.0.140 255.225.255.255 10.20.3.1
    route inside 10.126.0.141 255.225.255.255 10.20.3.1
    route inside 10.126.0.142 255.225.255.255 10.20.3.1
    When I saved the configuration and checked back in the ASA running configuration, none of the above routes existed.
    MYASA(config)# route inside 10.126.0.10 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.30 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.31 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.32 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.140 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.141 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.142 255.225.255.255 10.20.3.1
    MYASA(config)# end
    MYASA# show run | in route inside
    route inside 10.0.0.0 255.0.0.0 10.20.3.1 1
    route inside 10.96.0.0 255.224.0.0 10.20.3.1 1
    route inside 10.96.0.10 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.30 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.31 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.32 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.140 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.141 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.142 255.225.255.255 10.20.3.1 1
    route inside 10.100.1.61 255.255.255.255 10.20.3.1 1
    route inside 10.101.20.112 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.113 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.114 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.115 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.201 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.202 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.204 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.205 255.255.255.255 10.0.0.254 1
    route inside 10.101.22.22 255.255.255.255 10.20.3.1 1
    route inside 10.101.24.100 255.255.255.255 10.0.0.254 1
    route inside 10.101.24.101 255.255.255.255 10.0.0.254 1
    route inside 10.101.25.0 255.255.255.0 10.20.3.1 1
    route inside 10.126.0.32 255.255.255.255 10.20.3.1 1
    route inside 67.215.65.132 255.255.255.255 10.20.3.1 1
    route inside 192.168.1.3 255.255.255.255 10.0.0.254 1
    route inside 192.168.1.4 255.255.255.255 10.0.0.254 1
    route inside 192.168.151.0 255.255.255.0 10.20.3.1 1
    route inside 192.168.151.48 255.255.255.240 10.0.0.254 1
    route inside 205.210.235.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.236.0 255.255.255.0 10.20.3.1 1
    route inside 205.210.237.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.238.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.239.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.240.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.241.0 255.255.255.0 10.0.0.254 1
    MYASA#
    It may be a bug on the ASA?
    Thanks
    Rizwan Rafeek

    Hi Vibhor,
    Well, the problem is resolved by Cisco Tech Support; it boiled down to a bug.
    "route inside 10.126.0.32 255.225.255.255 10.20.3.1": this route already existed, and yet only one route shows up out of the 7 copied. That is a bug.
    Thanks for your reply.
    Regards
    Rizwan Rafeek.

  • ACE: probe with serverfarm not working

    Hello
    When I use one probe configured for port 8080 with a serverfarm whose real servers use port 8080, everything works fine. But I wanted to create one generic probe and use it for all of my serverfarms. I hoped that this generic (TCP) probe would use the port of each serverfarm, but it uses the default port 80. Is it possible to use one generic probe for all serverfarms which have different ports? How?
    It worked in CSM, but it does not work in ACE :(
    Thanx

    If you do not define a port in the probe config, it should take the one defined in the serverfarm.
    Just like the CSM.
    Gilles.
