[tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12
Alan McKinnon
alan.mckinnon at gmail.com
Sun Jun 3 09:05:25 UTC 2012
On Sat, 2 Jun 2012 14:07:57 -0400
Asif Iqbal <vadud3 at gmail.com> wrote:
> On Sat, Jun 2, 2012 at 1:38 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>
> > On Sat, Jun 2, 2012 at 2:46 AM, Kiss Gabor (Bitman)
> > <kissg at ssg.ki.iif.hu>wrote:
> >
> >> > Am I experiencing a bug?
> >> >
> >> > I am running tac_plus F4.0.4.19
> >> >
> >> > I see 110444 of the following type of error in 14 hrs.
> >> >
> >> > Jun 1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from
> >> > router.example.net , expecting 12
> >>
> >> It seems to be rather an "attack".
> >>
> >
> > This is valid traffic, not an attack.
> >
> >
> >> Somebody continously connect to router.example.net then
> >> disconnects. The router does the same with your TACACS+ server.
> >>
> >> Gabor
> >>
> >
> >
> How do I verify if those are keep-alive requests. This url suggests I
> am experiencing those keep-alive
> chats
>
> http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs
>
> I have thousands of routers. It would be lot of work to add the
> disable in all of them.
> Is there may be another approach to this short from ignoring this
> massive amount
> of noises?
If your network is anything like mine, then it's a mess of mis-applied
configs stretching back 10 years through a very long list of templates
in use at the time.
My solution is to fix it with software:
Put all your devices in rancid (hack together some kind of automation
to make this easier on yourself).
Scan the rancid files periodically and hack together a script that will
reconfigure devices you find not to your liking.
It's a fair amount of work and involves building a framework suitable
for your environment. But the results are well worth the effort as it
outs you in a place where you can make massive updates to the entire
network with relative ease.
--
Alan McKinnnon
alan.mckinnon at gmail.com
More information about the tac_plus
mailing list