[RADIATOR] Cisco NX-OS TACACS+ problems
Alexander Hartmaier
alexander.hartmaier at t-systems.at
Fri Oct 18 03:23:28 CDT 2013
On 2013-10-11 13:56, Caporossi, Steve G. wrote:
> We also have issues with NXOS; in our case using RADIUS.
>
> It always seems to begin with these syslog messages;
> 2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
> 2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
> 2013 Oct 10 19:56:14.106 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
> 2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
>
> Authentication fails and we have to fall back to local authentication to "fix" the issue by sending test authentication to the RADIUS servers.
>
> We have the DNS entries configured on the Nexus devices and when this is happening the device can ping the servers using the hostname. Another strange thing is it happens primarily in one VDC and much less frequently on the others using the same OOB management network.
What do you mean by 'DNS entries configured *on* the Nexus'? Does it
also happen if you configure the RADIUS servers' IP addresses instead of
their DNS names?
@Radiator guys: any update from you?
>
> Steve
>
>
> On Oct 11, 2013, at 4:38 AM, Alexander Hartmaier <alexander.hartmaier at t-systems.at>
> wrote:
>
>> Hi,
>> our switching guys reported that their Cisco Nexus switches running NX-OS log that they can't reach the TACACS servers. This is what the troubleshooting brought up:
>>
>> 2013 Oct 11 08:47:37.061 sgv20s %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
>>
>>
>> 149) Event:E_MTS_TX, length:60, at 60683 usecs after Fri Oct 11 08:47:37 2013
>>
>> [RSP] Opc:MTS_OPC_TACACS_AAA_REQ(8421), Id:0X0A287795, Ret:SUCCESS
>>
>> Src:0x00000501/112, Dst:0x00000501/111, Flags:None
>>
>> HA_SEQNO:0X00000000, RRtoken:0x0A287778, Sync:UNKNOWN, Payloadsize:26
>>
>> Payload:
>>
>> 0x0000: 01 03 01 00 3b a2 66 be 00 00 00 00 00 02 00 00
>>
>>
>>
>> 150) Event:E_MTS_RX, length:60, at 46447 usecs after Fri Oct 11 08:47:37 2013
>>
>> [REQ] Opc:MTS_OPC_TACACS_AAA_REQ(8421), Id:0X0A287778, Ret:SUCCESS
>>
>> Src:0x00000501/111, Dst:0x00000501/0, Flags:None
>>
>> HA_SEQNO:0X00000000, RRtoken:0x0A287778, Sync:UNKNOWN, Payloadsize:371
>>
>> Payload:
>>
>> 0x0000: 01 03 0c 00 00 00 00 00 00 00 00 00 00 00 02 00
>>
>>
>> According to Cisco the accounting responses from Radiator (version 4.11 with patches revision 1.1530) contain errors:
>>
>> Accounting Statistics
>>
>> failed transactions: 1865
>>
>> successful transactions: 0
>>
>> requests sent: 1865
>>
>> requests timed out: 4
>>
>> responses with no matching requests: 0
>>
>> responses not processed: 0
>>
>> responses containing errors: 1861
>>
>>
>> Did someone else notice these problems? Authentication works without any problems.
>>
>> --
>> Best regards, Alexander Hartmaier
>>
>> T-Systems Austria GesmbH
>> TSS Security Services
>> Network Security & Monitoring Engineer
>>
>> phone: +43(0)57057-4320
>> fax: +43(0)57057-954320