Cisco Bug: CSCuq19966 - TACACS drops incoming replies intermittently

Last Modified

Jan 12, 2017

Products (1)

  • Cisco Carrier Routing System

Known Affected Releases

4.0.4.MGBL

Description (partial)

Symptom: The following error is seen in the log when trying to log in via SSH:
%SECURITY-SSHD-3-ERR_ERRNO : AAA authorize failed File exists

The locald_DSC process is blocked on tacacsd:

node:      node0_RP0_CPU0
------------------------------------------------------------------
65546     12298   1             ksh Reply 14815:29:51:0580   12296  devc-conaux
   94     28692   2      umass-enum Reply 14815:30:57:0523       1  kernel
   94     28692   6      umass-enum Reply 14815:30:45:0143   28693  io-usb
   94     28692   7      umass-enum Reply 14815:30:45:0143       1  kernel
65558     28694   2      devb-umass Reply    0:00:43:0360   28693  io-usb
   53    135205   4         attachd Reply  699:30:12:0405   16397  mqueue
   52    143401   2   attach_server Reply 14815:30:18:0172   16397  mqueue
  354    344162   1     tftp_server Reply 2397:51:38:0771   16397  mqueue
  257    356476   8      locald_DSC Reply    0:00:03:0784  557320  tacacsd
  259    544973   2         lpts_fm Reply    0:00:03:0718  422024  lpts_pa
65756 812237020   1            exec Reply    0:00:34:0752       1  kernel
 1108    557317   8       l2vpn_mgr Reply 14815:22:21:0009  557318  lspv_server
65808 812290320   1  show_processes Reply    0:00:00:0000       1  kernel
65811 812290323   1 sshd_child_handler Reply    0:00:03:0800  356476  locald_DSC


The tacacs traces show that no reply was received from the server, and a retry starts with another server,
yet a packet capture shows that the server did reply.

If the retry succeeds, login completes with a delay; if the same problem happens again, login fails completely.

Failing trace:

     Jul 24 11:29:27.216 tacacs/tacacs_lt 0/RP0/CPU0 2054126# t6  Packet AUTHOR/START (session 50ED5434) to server 192.168.180.90

<after 5 seconds of waiting>

     Jul 24 11:29:32.217 tacacs/tacacs_lt 0/RP0/CPU0 3171800# t6  Freeing socket 29 (sock_st 1000b728)
     Jul 24 11:29:32.217 tacacs/tacacs_lt 0/RP0/CPU0 3631292# t6  Aborting request req=0x1000b454 (50ed5434) expire=0 bo=73/1023410188, bi=0/12 AUTHOR/START sock=855703552,1000b728, reason - 'TACACS' detected the 'fatal' condition 'Timer Failure'
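
An added example, not part of the Cisco bug record: a Python script that pairs each "Packet ... (session ...)" trace line with a later "Aborting request" line for the same session and reports how long the request waited, so the flagged sessions can be compared against a packet capture. The function name and output fields are chosen here, and the regular expressions assume the trace layout shown in the failing trace above.

```python
import re
from datetime import datetime

# Trace lines copied from the failing trace above.
SAMPLE_TRACE = """\
Jul 24 11:29:27.216 tacacs/tacacs_lt 0/RP0/CPU0 2054126# t6  Packet AUTHOR/START (session 50ED5434) to server 192.168.180.90
Jul 24 11:29:32.217 tacacs/tacacs_lt 0/RP0/CPU0 3171800# t6  Freeing socket 29 (sock_st 1000b728)
Jul 24 11:29:32.217 tacacs/tacacs_lt 0/RP0/CPU0 3631292# t6  Aborting request req=0x1000b454 (50ed5434) expire=0 bo=73/1023410188, bi=0/12 AUTHOR/START sock=855703552,1000b728, reason - 'TACACS' detected the 'fatal' condition 'Timer Failure'
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3})"
SENT = re.compile(
    TS + r".*Packet (?P<kind>\S+) \(session (?P<sid>[0-9A-Fa-f]+)\) to server (?P<server>\S+)")
ABORT = re.compile(
    TS + r".*Aborting request req=\S+ \((?P<sid>[0-9A-Fa-f]+)\).*condition '(?P<cond>[^']+)'")


def _when(ts):
    # The trace carries no year; a fixed one is fine because only differences are used.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def find_timed_out_requests(trace):
    """Return one record per sent packet whose session was later aborted."""
    pending, hits = {}, []
    for line in trace.splitlines():
        sent = SENT.search(line)
        if sent:
            # Session ids are upper-case when sent and lower-case when aborted.
            pending[sent["sid"].lower()] = (sent["kind"], sent["server"], _when(sent["ts"]))
            continue
        abort = ABORT.search(line)
        if abort and abort["sid"].lower() in pending:
            kind, server, sent_at = pending.pop(abort["sid"].lower())
            waited = (_when(abort["ts"]) - sent_at).total_seconds()
            hits.append({"session": abort["sid"].lower(), "kind": kind,
                         "server": server, "waited_s": round(waited, 3),
                         "condition": abort["cond"]})
    return hits


if __name__ == "__main__":
    for hit in find_timed_out_requests(SAMPLE_TRACE):
        print(hit)
```
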

Problem is not seen with accounting packets.

Problem is not seen when debug tacacs is enabled.

Conditions: CRS with multiple SDRs is used.