[tac_plus] tac_plus problem
john heasley
heas at shrubbery.net
Wed Aug 11 01:53:40 UTC 2010
Tue, Aug 10, 2010 at 04:20:59PM +0100, Rui Vitor Figueiras Meireles:
> Hi there. I've been using your release of tac_plus (F4.0.4.19) because it has ACLs (the others I found didn't have).
> I'm using authentication, authorization and accounting. The authorization part generates lots of log entries, because we have a server that constantly connects automatically to several routers at a time and enters several commands on them. And each command must be authorized by the tacacs+ server...
>
>
> I've been having lots of errors, there are times when the communication between the router and the tacacs+ server fails.
>
> Here are the router logs:
> RP/0/RSP0/CPU0:Aug 10 04:42:09.489 : tacacsd[386]: %SECURITY-TACACSD-6-SERVER_DOWN : TACACS+ server 10.175.255.114/49 is DOWN - Resource temporarily unavailable
>
> Here are the tac_plus logs:
> Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
> Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
> Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
> Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
>
> This happens once every other hour, in every router. So I have dozens of errors like these each day.
>
> Could it be that tac_plus can only handle a certain number of connections? What could this be?
> I'd be most thankful if you could help me here.
this happens in a few scenarios. most often it is due to the cisco
starting a connection, then dropping it. it also occurs if someone
connects, then abruptly disconnects (similar to the first). and two
others.
you can ignore it. maybe the daemon should only log an abrupt
disconnect if debugging is enabled.
More information about the tac_plus
mailing list