[nsp] TACACS / ACE Server timeouts

John Tobias JTobias at gilead.com
Mon Jul 21 19:54:33 EDT 2003


I believe the ACE server tries to do a name lookup of the Agent Host before
sending back a reply. This can cause timeouts if your Agent Hosts aren't in
DNS, or other DNS problems. Adding all your Agent Hosts names and IPs to the
local host file of the ACE server has done the trick for me in the past.

Hth,

JT

-----Original Message-----
From: Streiner, Justin [mailto:streiner at stargate.net] 
Sent: Monday, July 21, 2003 3:44 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] TACACS / ACE Server timeouts

We use TACACS to authenticate admin sessions into many network devices.
The authentication is provided by an ACE server with SecurID hardware
tokens for single-use password capabilities.  If for some reason the ACE
server is down, the router will fall back to locally configured passwords.
From time to time, a login session attempt to a device that authenticates
this way will time out and fall back to the local password.  Subsequent
authentication requests such as the start of a new login session or
enabling on an existing session will be authenticated by the ACE server
normally.

I'm beginning to suspect it's something with the ACE server itself, as
this happens on all sorts of different routers running different versions
of code.  It even happens on the router that sits directly upstream of the
ACE server ;-)  The link to the server is very lightly used and the
resources on the server from what I can see are well within reasonable
limits.

It seems to happen more during the day, however the devices on the network
are not overloaded CPU or link-wise.  IP-level response times from the
machine are consistently good with no packet loss, however I don't have a
good way to measure application-level response time (e.g. a TACACS
authentication cycle) at the moment.

Has anyone run into this problem if you're operating a similar setup?

I realize that this may get beyond the scope of *cisco*-nsp - I'm just
trying to make sure there isn't something on the network that may be
causing the issue.

Thanks
jms
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
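As an added check that is not part of the original thread: the reply above points at reverse lookups of the Agent Hosts as the likely cause of the slow replies, so the script below times a PTR lookup for each Agent Host IP, flags any that are missing, slow or resolve to a different name, and prints the hosts-file lines John suggests adding on the ACE server. The AGENT_HOSTS names and 192.0.2.x addresses are constructed placeholders, and the `resolver` parameter is an assumption that lets the check run offline against a fake resolver.

```python
import socket
import time

# Constructed inventory of Agent Hosts (the NAS devices the ACE server answers
# for): name -> IP.  Placeholder values, not addresses from the original post.
AGENT_HOSTS = {
    "core-rtr-1": "192.0.2.1",
    "core-rtr-2": "192.0.2.2",
    "dist-sw-7": "192.0.2.7",
}


def timed_reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return (ptr_name_or_None, elapsed_seconds) for one reverse lookup."""
    start = time.monotonic()
    try:
        name = resolver(ip)[0]          # gethostbyaddr -> (hostname, aliases, addrs)
    except OSError:                     # socket.herror / gaierror are OSError subclasses
        name = None
    return name, time.monotonic() - start


def check_agent_hosts(hosts, resolver=socket.gethostbyaddr, slow_after=2.0):
    """Classify every Agent Host as 'ok', 'missing', 'slow' or 'mismatch'.

    A lookup that fails is 'missing'; one that succeeds but takes longer than
    slow_after seconds is 'slow' (that delay lands directly in the TACACS
    reply time); one whose PTR short name differs from the inventory name is
    'mismatch', which is worth fixing before the server starts trusting it.
    """
    results = {}
    for name, ip in hosts.items():
        ptr, secs = timed_reverse_lookup(ip, resolver)
        if ptr is None:
            status = "missing"
        elif secs > slow_after:
            status = "slow"
        elif ptr.split(".")[0].lower() != name.lower():
            status = "mismatch"
        else:
            status = "ok"
        results[name] = {"ip": ip, "ptr": ptr, "seconds": round(secs, 3), "status": status}
    return results


def hosts_file_lines(hosts, results):
    """/etc/hosts entries for every Agent Host that did not resolve cleanly."""
    return [f"{ip}\t{name}" for name, ip in hosts.items()
            if results[name]["status"] != "ok"]


if __name__ == "__main__":
    report = check_agent_hosts(AGENT_HOSTS)
    for name, r in report.items():
        print(f"{name:12} {r['ip']:15} {r['status']:8} {r['seconds']:6.3f}s ptr={r['ptr']}")
    print("\n".join(hosts_file_lines(AGENT_HOSTS, report)))
```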