(RADIATOR) Cisco CSS, ERR: Could not accept on Tacacs listen socket: Software caused connection abort

Ulf Fischer ulf.fischer at de.easynet.net
Fri Oct 6 05:32:39 CDT 2006


Hi,

it's a very basic configuration; there are no special things configured.
you will also see these error messages with the simplest configuration you could do.

here is our configuration:

BindAddress     192.168.0.5
AuthPort        1812
AcctPort        1813
LogDir          /usr/local/radiator/log
DbDir           /usr/local/radiator/etc
LogFile         %L/logfile
DictionaryFile  %D/dictionary

Trace 4

<AuthLog FILE>
        Identifier authlog
        LogSuccess 1
        LogFailure 1
        Filename %L/authlog
        SuccessFormat %l SRC=%c DST=%N  %{Called-Station-Id}    User="%n" Success: %1
        FailureFormat %l SRC=%c DST=%N  %{Called-Station-Id}    User="%n" Failure: %1
</AuthLog>

<Client 192.168.1.8>
        Identifier      LocalRouters
        Secret  removed
</Client>

<ServerTACACSPLUS>
        Identifier      LocalRouters
        Key             removed
        BindAddress     192.168.0.5

        AddToRequest NAS-Identifier=TACACS

        GroupMemberAttr TacacsGroup

        GroupAuthAttr GroupShowOnly priv-lvl=15
        CommandAuth GroupShowOnly permit show:.*
        CommandAuth GroupShowOnly permit ping:.*
        CommandAuth GroupShowOnly permit traceroute:.*
        CommandAuth GroupShowOnly deny .* Only 'show' commands allowed for GroupShowOnly

        GroupAuthAttr GroupRoot priv-lvl=15
        CommandAuth GroupRoot permit .*

        GroupAuthAttr DEFAULT priv-lvl=0
        CommandAuth DEFAULT deny .* Contact your Administrator, you are in TacacsGroup DEFAULT
</ServerTACACSPLUS>

<Handler>
        <AuthBy FILE>
                Filename %D/users
        </AuthBy>
        AuthLog authlog
        AcctLogFileName %L/tacacs
        PreProcessingHook       sub { my $p=${$_[0]}; \
                                      if (my @avpair = $p->get_attr('cisco-avpair')) { \
                                         foreach my $avpair (@avpair) { \
                                            $p->add_attr(split('=',$avpair)); \
                                         } \
                                      } \
                                   }
        AcctLogFileFormat       %l SRC=%{User-Name}@%c DST=%{NAS-Port-Id}@%N:priv=%{priv-lvl} cmd=%{cmd}
</Handler>

in the log there is nothing to see before the error message, not even with Trace 4, which is always
enabled in our config. you just have to configure a Cisco CSS with Tacacs, then you get these error
messages every 5 seconds if you don't change the tacacs-server frequency value on the CSS.
(the packets which are causing this error message are keepalive checks from the Cisco CSS to check
if the Tacacs server is alive or dead; you can see the status on the CSS with show tacacs-server)

Fri Oct  6 12:24:21 2006: ERR: Could not accept on Tacacs listen socket: Software caused connection abort
Fri Oct  6 12:25:22 2006: ERR: Could not accept on Tacacs listen socket: Software caused connection abort
Fri Oct  6 12:26:23 2006: ERR: Could not accept on Tacacs listen socket: Software caused connection abort

if you need any more information/traces/debugs please ask me.

--
regards,
ulf


Hugh Irvine wrote:
> 
> Hello Ulf -
> 
> We have not seen this before, so could you please send us a copy of your
> configuration file and a trace 4 debug showing what is happening?
> 
> We'll take a look and see if we can add support for this message type.
> 
> thanks and regards
> 
> Hugh
> 
> 
> On 5 Oct 2006, at 23:31, Ulf Fischer wrote:
> 
>> Hi,
>>
>> we have some Cisco CSS (Content Service Switches)
>> since we configured them to use our radiator servers for
>> authentication we see the following error message in
>> the logfile:
>>
>> Thu Oct  5 14:57:13 2006: ERR: Could not accept on Tacacs listen
>> socket: Software caused connection abort
>>
>> i found out that there is a command called:
>> tacacs-server frequency number
>> these are keepalives which the CSS sends to check if the Tacacs server
>> is running or not.
>> i get the error messages at exactly the time interval i configure for the
>> tacacs-server frequency.
>> (The default is 5 seconds, so until i found out what the cause of
>> this error message was we had a lot of them.)
>>
>> we don't get any other problems, just these error messages.
>> but if somebody knows how we could avoid these error messages i'm
>> interested.
>>
>> regards,
>> ulf
>>
>> --
>> Easynet GmbH | www.de.easynet.net
>> Ulf Fischer | Network Engineer
>> Harburger Schlossstrasse 1 | D-21079 Hamburg
>> T: +49 40 771 75-621 | F: +49 40 771 75-279
>>
>> Easynet is part of the Easynet Group PLC | www.easynetgroup.net
>>
>> -- 
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
> 
> 


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
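
One way to check from the logfile that these accept errors follow a fixed timer such as the CSS `tacacs-server frequency` keepalive, rather than arriving irregularly from some other source. This is an added example, not part of the original thread and not Radiator code; the function names, the 2-second jitter tolerance and the second sample log are assumptions made for illustration.

```python
import re
from datetime import datetime
from statistics import median

# The Radiator log line quoted in the thread, with its timestamp captured.
ERR_RE = re.compile(
    r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): ERR: "
    r"Could not accept on Tacacs listen socket: "
)

def accept_error_times(lines):
    """Timestamps of every TACACS+ accept failure found in the log lines."""
    times = []
    for line in lines:
        m = ERR_RE.match(line.strip())
        if m:
            # Collapse the space-padded day ("Oct  6") before parsing.
            stamp = " ".join(m.group(1).split())
            times.append(datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"))
    return times

def classify(times, jitter=2.0, min_events=3):
    """Return (label, median_gap_seconds) for a series of accept errors.

    'periodic' means every gap is within `jitter` seconds of the median
    gap, as a fixed keepalive timer produces; 'irregular' means the errors
    do not follow one timer and have some other or additional source.
    """
    if len(times) < min_events:
        return ("insufficient-data", None)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    steady = all(abs(g - mid) <= jitter for g in gaps)
    return ("periodic" if steady else "irregular", mid)

ERR = "ERR: Could not accept on Tacacs listen socket: Software caused connection abort"
# The three log lines quoted in the message above.
THREAD_LOG = ["Fri Oct  6 12:24:21 2006: " + ERR,
              "Fri Oct  6 12:25:22 2006: " + ERR,
              "Fri Oct  6 12:26:23 2006: " + ERR]
# Constructed sample (not from the thread): same error at uneven intervals.
CONSTRUCTED_LOG = ["Fri Oct  6 12:24:21 2006: " + ERR,
                   "Fri Oct  6 12:24:23 2006: " + ERR,
                   "Fri Oct  6 12:30:00 2006: INFO: unrelated constructed line",
                   "Fri Oct  6 12:31:40 2006: " + ERR,
                   "Fri Oct  6 12:31:41 2006: " + ERR]

if __name__ == "__main__":
    print(classify(accept_error_times(THREAD_LOG)))
    print(classify(accept_error_times(CONSTRUCTED_LOG)))
```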