[tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12

Sun Jun 3 09:05:25 UTC 2012

On Sat, 2 Jun 2012 14:07:57 -0400
Asif Iqbal <vadud3 at gmail.com> wrote:

> On Sat, Jun 2, 2012 at 1:38 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> 
> > On Sat, Jun 2, 2012 at 2:46 AM, Kiss Gabor (Bitman)
> > <kissg at ssg.ki.iif.hu>wrote:
> >
> >> > Am I experiencing a bug?
> >> >
> >> > I am running tac_plus F4.0.4.19
> >> >
> >> > I see 110444 of the following type of error in 14 hrs.
> >> >
> >> > Jun  1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from
> >> > router.example.net , expecting 12
> >>
> >> It seems to be rather an "attack".
> >>
> >
> > This is valid traffic, not an attack.
> >
> >
> >> Somebody continously connect to router.example.net then
> >> disconnects. The router does the same with your TACACS+ server.
> >>
> >> Gabor
> >>
> >
> >
> How do I verify if those are keep-alive requests. This url suggests I
> am experiencing those keep-alive
> chats
> 
>  http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs
> 
> I have thousands of routers. It would be lot of work to add the
> disable in all of them.
> Is there may be another approach to this short from ignoring this
> massive amount
> of noises?

If your network is anything like mine, then it's a mess of mis-applied
configs stretching back 10 years through a very long list of templates
in use at the time.

My solution is to fix it with software:

Put all your devices in rancid (hack together some kind of automation
to make this easier on yourself).
Scan the rancid files periodically and hack together a script that will
reconfigure devices you find not to your liking.

It's a fair amount of work and involves building a framework suitable
for your environment. But the results are well worth the effort as it
outs you in a place where you can make massive updates to the entire
network with relative ease.

-- 
Alan McKinnnon
alan.mckinnon at gmail.com