[tac_plus] tac_plus problem

Wed Aug 11 16:00:42 UTC 2010

Wed, Aug 11, 2010 at 11:27:01AM +0100, Rui Vitor Figueiras Meireles:
> Thanks a lot for the quick reply.
> I happen to have sometimes 1800 simultaneous tac_plus connections, I was wondering if it could be too much for it to handle.

that is possible in a sense; if the listen(2) queue fills, the host will
RST or drop additional SYNs.  its normally possible to adjust the
system-wide listen queue, which often defaults to 1024.  also, as it is
currently, tac_plus is a forking server, meaning that it forks for each
connection.  since hosts usually limit the number of total processes 
per-system and per-user, you could hit that limit as well.

you probably need second server to take some of the load.

none of that would cause the tacacs daemon log you've quoted below.

> I now noticed in tac_plus accounting log that there is a 5 second pause between commands whenever these errors occur. Let's hope that's all the harm that it does.
> 
> 
> Thanks again.
> Rui Meireles
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: quarta-feira, 11 de Agosto de 2010 2:54
> To: Rui Vitor Figueiras Meireles
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus problem
> 
> Tue, Aug 10, 2010 at 04:20:59PM +0100, Rui Vitor Figueiras Meireles:
> > Hi there. I've been using your release of tac_plus (F4.0.4.19) because it has ACLs (the others I found didn't have).
> > I'm using authentication, authorization and accounting. The authorization part generates lots of log entries, because we have a server that constantly connects automatically to several routers at a time and enters several commands on them. And each command must be authorized by the tacacs+ server...
> > 
> > 
> > I've been having lots of errors, there are times when the communication between the router and the tacacs+ server fails.
> > 
> > Here are the router logs:
> > RP/0/RSP0/CPU0:Aug 10 04:42:09.489 : tacacsd[386]: %SECURITY-TACACSD-6-SERVER_DOWN : TACACS+ server 10.175.255.114/49 is DOWN - Resource temporarily unavailable
> > 
> > Here are the tac_plus logs:
> > Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
> > Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
> > Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
> > Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
> > 
> > This happens once every other hour, in every router. So I have dozens of errors like these each day.
> > 
> > Could it be that tac_plus can only handle a certain number of connections? What could this be?
> > I'd be most thankful if you could help me here.
> 
> this happens in a few scenarios.  most often it is due to the cisco
> starting a connection, then dropping it.  it also occurs if someone
> connects, then abruptly disconnects (similar to the first).  and two
> others.
> 
> you can ignore it.  maybe the daemon should only log an abrupt
> disconnect if debugging is enabled.
> 