[tac_plus] Two TACACS+ server and primary one is always busy

Alan McKinnon alan.mckinnon at gmail.com
Wed Jul 10 21:00:22 UTC 2013


On 10/07/2013 19:55, Asif Iqbal wrote:
> Hi All
> 
> We have two TACACS+ servers and only one of them is heavily loaded.
> 
> What is the best practice on balancing the load? Once in a while we
> need to restart tacacs+ since the CPU usage goes over 50% on the primary
> server while the secondary one is almost idle.
> 
> We are using x2270 servers and they are 4G each with 2 Intel 2.00GHz
> Quad-Core Xeon E5504 on each.
> 
> I see about 31 tac_plus running on primary, while secondary one has just 1.
> 
> 
> Thanks
> 


Hi Asif,

Before doing anything else, you need to sort out those cpu load numbers
as they should not be anywhere near that level. For a point of
reference, I have 3 main tacacs servers, they do about 1800 requests
(login and command in total) a minute, and one of them takes about half
that load. Occasionally the munin graph creeps above 1% or 2% and that's
an oldish Dell dual core.

50% load on your hardware spells something badly wrong and in my
experience that behaviour with tcp connections is almost always IO blocking.

Do you do per-device controls in your tac_plus.conf somehow? Do you need
to do DNS lookups for this, and is your DNS setup fast and reliable?
What are the hash types you use for your passwords, and is it a method
that can be hashed quickly by the OS?

Those would be the first things I'd look at. Second is to post your
tac_plus.conf. There aren't really any best practices as such for this,
tac_plus is more than adequate to deal with just about any realistic
scenario so the "best practice" is whatever works for you and gives
*you* the control *you* need.

-- 
Alan McKinnon
alan.mckinnon at gmail.com
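The DNS point in the reply above is easy to measure rather than guess at. The following is an added diagnostic example, not code from this list or from tac_plus: it times the reverse lookup a daemon would make per client connection, flags slow or failing resolvers, and turns the average lookup time into an estimate of how many worker processes sit blocked in DNS at a given request rate. The device addresses are constructed (RFC 5737 documentation ranges), the 1800 requests/minute figure is the one quoted in the reply, and the estimate assumes one lookup per request and one forked worker per connection, which is an assumption about the daemon and not something the thread states.

```python
"""Reverse-DNS latency probe (added example; not from the thread or tac_plus).

Times one lookup per client address, flags slow/failing ones, and estimates
how many serving processes would be stalled in DNS at a given request rate.
"""
import socket
import time
from typing import Callable, Dict, List

# Constructed sample: RFC 5737 documentation addresses, not real NAS devices.
SAMPLE_DEVICES: List[str] = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]

Resolver = Callable[[str], str]


def system_reverse_lookup(ip: str) -> str:
    """Real resolver: ask the OS stub resolver for the PTR name of `ip`."""
    return socket.gethostbyaddr(ip)[0]


def simulated_resolver(latency_ms: Dict[str, float]) -> Resolver:
    """Offline stand-in for system_reverse_lookup used for dry runs: maps an
    address to an artificial lookup delay; an address missing from the table
    fails the way an unresolvable address does."""
    def _resolve(ip: str) -> str:
        if ip not in latency_ms:
            raise socket.herror(1, "Unknown host")
        time.sleep(latency_ms[ip] / 1000.0)
        return f"nas-{ip.replace('.', '-')}.example"
    return _resolve


def probe_reverse_dns(devices: List[str],
                      resolver: Resolver = system_reverse_lookup,
                      slow_ms: float = 100.0) -> List[Dict]:
    """Time one lookup per device. A failed lookup still costs wall-clock
    time, so it is recorded with its elapsed time and ok=False, not dropped."""
    results = []
    for ip in devices:
        start = time.perf_counter()
        try:
            name, ok = resolver(ip), True
        except OSError:  # socket.herror / socket.gaierror are OSError subclasses
            name, ok = "", False
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        results.append({"ip": ip, "name": name, "ok": ok,
                        "ms": elapsed_ms, "slow": elapsed_ms >= slow_ms})
    return results


def estimate_blocking(results: List[Dict],
                      requests_per_minute: float) -> Dict[str, float]:
    """Assuming one lookup per request (an assumption, see lead-in):
    blocked seconds per minute = rpm * avg_ms / 1000, and dividing by 60
    gives the average number of workers stalled in DNS at any instant."""
    if not results:
        return {"avg_ms": 0.0, "blocked_s_per_min": 0.0,
                "avg_stalled_workers": 0.0}
    avg_ms = sum(r["ms"] for r in results) / len(results)
    blocked = requests_per_minute * avg_ms / 1000.0
    return {"avg_ms": avg_ms, "blocked_s_per_min": blocked,
            "avg_stalled_workers": blocked / 60.0}


if __name__ == "__main__":
    # Against the real resolver; swap in simulated_resolver({...}) for a dry run.
    res = probe_reverse_dns(SAMPLE_DEVICES)
    for r in res:
        print(f"{r['ip']:16} {r['ms']:8.1f} ms  ok={r['ok']}  "
              f"slow={r['slow']}  {r['name']}")
    # 1800 requests/minute is the rate quoted in the reply.
    print(estimate_blocking(res, 1800))
```

Run it on the server that shows the 31 tac_plus processes with its real device list; if a meaningful share of lookups land in the slow bucket, the stalled-worker estimate at your request rate tells you whether DNS alone accounts for the process pile-up before you look at password hashing.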
