Cisco Bug: CSCvv24985 - ssh authentication is not available when APIC's uplinks are down due to nginx shard 17 down

Last Modified

Aug 05, 2020

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.2(3n)

Description (partial)

Symptom:
This enhancement is opened to change the behavior of the nginx process:
When the uplinks of an APIC controller are disconnected or down but OOB is up, TACACS via OOB does not work, and it is not possible to log in to the APIC via TACACS.

Current behavior:
As part of authentication, the nginx process that receives the login request does a few more things to complete the authentication process:
(a) The ciscoAvPair authz attribute received from the TACACS server is sent to the policyMgr (PM) of the leader node to find the user's permissions.
(b) It also needs to put in an audit record for the login.
When the links were down, it failed to send those messages, or it took time to figure out the next leader node.
Nginx sends the AVPair to PM and waits for the response from PM before responding with success. If the nginx-to-PM message is not successful, authentication fails.

Conditions:
Fabric links to a controller are down and the AAA server is configured via OOB, which is up.

Fallback domain is set to YES