[tac_plus] tac_plus problem

john heasley heas at shrubbery.net
Wed Aug 11 01:56:23 UTC 2010 

Tue, Aug 10, 2010 at 06:53:40PM -0700, john heasley:
> Tue, Aug 10, 2010 at 04:20:59PM +0100, Rui Vitor Figueiras Meireles:
> > Hi there. I've been using your release of tac_plus (F4.0.4.19) because it has ACLs (the others I found didn't have).
> > I'm using authentication, authorization and accounting. The authorization part generates lots of log entries, because we have a server that constantly connects automatically to several routers at a time and enters several commands on them. And each command must be authorized by the tacacs+ server...
> > 
> > 
> > I've been having lots of errors, there are times when the communication between the router and the tacacs+ server fails.
> > 
> > Here are the router logs:
> > RP/0/RSP0/CPU0:Aug 10 04:42:09.489 : tacacsd[386]: %SECURITY-TACACSD-6-SERVER_DOWN : TACACS+ server 10.175.255.114/49 is DOWN - Resource temporarily unavailable

sorry, one other thing.  do not use single-connection tacacs.  it does
not work.

> > Here are the tac_plus logs:
> > Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
> > Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
> > Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
> > Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
> > 
> > This happens once every other hour, in every router. So I have dozens of errors like these each day.
> > 
> > Could it be that tac_plus can only handle a certain number of connections? What could this be?
> > I'd be most thankful if you could help me here.
> 
> this happens in a few scenarios.  most often it is due to the cisco
> starting a connection, then dropping it.  it also occurs if someone
> connects, then abruptly disconnects (similar to the first).  and two
> others.
> 
> you can ignore it.  maybe the daemon should only log an abrupt
> disconnect if debugging is enabled.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

More information about the tac_plus mailing list