[tac_plus] Network devices frequently report TACACS+ service down

Alan McKinnon alan.mckinnon at gmail.com
Thu Sep 5 15:18:49 UTC 2013


On 05/09/2013 10:04, Lam Bennie wrote:
>   Dear Sir/Madam,
> 
> Grateful for your help in advance.
> 
> I have installed TACACS+ daemon (version F4.0.4.26 with basic
> configuration) on a HP server (HP ProLiant DL320 G5P operating on Red Hat
> Enterprise Linux 5.9, Kernel: 2.6.18-348.3.1.el5PAE i686).
> 
> My Alcatel-Lucent routers and LAN switches frequently report TACACS+
> service is UP and then DOWN (30+ times per hour).  Below are some of the
> syslog messages.
> 
>  >>>
> Sep  3 10:00:16 xx.yy.kk.1 xx.yy.kk.1 NEWTESTNET: 688680 Base
> SECURITY-MINOR-tacplusInetSrvrOperStatusChange-2025 [tacplus server 2]:
> TACACS+ server xx.yy.zz.59 operational status changed to down.
> Sep  3 10:00:31 xx.yy.kk.1 xx.yy.kk.1 NEWTESTNET: 688703 Base
> SECURITY-MINOR-tacplusInetSrvrOperStatusChange-2025 [tacplus server 2]:
> TACACS+ server xx.yy.zz.59 operational status changed to down.
> Sep  3 10:01:39 xx.yy.kk.1 xx.yy.kk.1 NEWTESTNET: 688713 Base
> SECURITY-MINOR-tacplusInetSrvrOperStatusChange-2025 [tacplus server 2]:
> TACACS+ server xx.yy.zz.59 operational status changed to down.
> Sep  3 10:02:33 xx.yy.kk.1 xx.yy.kk.1 NEWTESTNET: 688727 Base
> SECURITY-MINOR-tacplusInetSrvrOperStatusChange-2025 [tacplus server 2]:
> TACACS+ server xx.yy.zz.59 operational status changed to down.
>>>>
> 
> May I have queries below.
> 
>  *1. Why my Alcatel-Lucent routers and LAN switches frequently report
> the TACACS+
> service is UP and then DOWN (30+ times per hour)?*

I have never observed tac_plus to do this. You may have buggy hardware,
a horrible tacacs implementation on your hardware, network issues or
something wrong with your installed RedHat. The last is highly unlikely
(just speaking from experience).

But it is almost certainly not tac_plus.

> *2. Do Alcatel-Lucent routers and LAN switches have any compatibility issue
> with TACACS+ daemon? If yes, any workaround or fix?*

I have no experience with that hardware. If no-one else here does
either, we'll have to resort to your logs and tcpdumps running on your
tac_plus server.

> *3. How to show/verify that TACACS+ daemon is running normally without
> interruption to my network devices? Can tac_plus "debug" help?*

ps axu | grep tac_plus
check if tcp port 49 is open

That's normally sufficient (the daemon is *very* well-behaved). If you
need more, a perl script using a tacacs client module that merely
authenticates a user does the job nicely. That's how I do it, run from
nagios.

> *4. Is below pattern of tac_plus connections (i.e. 3 times in 4 seconds)
> plausible although nobody or no job tried to login with tac_plus?*

3 connections in 4 seconds is a tiny load, it won't even show up in top.

Mine run 2000+ connections a minute, day in, day out for 3 years, with
debug set to -d 8 -d 16.



I'd say you are most likely dealing with a buggy tacacs implementation
on that hardware. It's not unknown to find terrible implementations on
non-Cisco hardware.





> 
> "debug" of tac_plus was turned on.  Below is the tac_plus command:
>  /var/tacp/tac_plus -C /var/tacp/tac_plus.conf -d 65536 4
> 
> As a result, tac_plus log and syslog messages related to one of my
> Alcatel-Lucent router (IP address: x.y.z.81) are attached below.
> 
>  tac_plus log:
> ...
> Wed Sep  4 14:54:44 2013 [12753]: connect from x.y.z.81 [x.y.z.81]
> Wed Sep  4 14:54:44 2013 [12753]: x.y.z.81: exception on fd 1
> Wed Sep  4 14:54:44 2013 [12753]: Read -1 bytes from x.y.z.81 , expecting 12
> Wed Sep  4 14:55:14 2013 [12832]: connect from x.y.z.81 [x.y.z.81]
> Wed Sep  4 14:55:14 2013 [12832]: x.y.z.81: exception on fd 1
> Wed Sep  4 14:55:14 2013 [12832]: Read -1 bytes from x.y.z.81 , expecting 12
> Wed Sep  4 14:55:44 2013 [12848]: connect from x.y.z.81 [x.y.z.81]
> Wed Sep  4 14:55:44 2013 [12848]: x.y.z.81: exception on fd 1
> Wed Sep  4 14:55:44 2013 [12848]: Read -1 bytes from x.y.z.81 , expecting 12
> ...
> Wed Sep  4 15:02:10 2013 [13458]: connect from x.y.z.81 [x.y.z.81]
> Wed Sep  4 15:02:11 2013 [13460]: connect from x.y.z.81 [x.y.z.81]
> Wed Sep  4 15:02:14 2013 [13469]: connect from x.y.z.81 [x.y.z.81]
> Wed Sep  4 15:02:16 2013 [13469]: x.y.z.81: exception on fd 1
> Wed Sep  4 15:02:16 2013 [13469]: Read -1 bytes from x.y.z.81 , expecting 12
> 
> syslog:
> Sep  4 15:02:14 x.y.z.81 x.y.z.81 NEWTESTNET: 271981 Base
> SECURITY-MINOR-tacplusInetSrvrOperStatusChange-2025 [tacplus server 2]:
> TACACS+ server x.y.p.59 operational status changed to down.
> 
> 
> Thanks
> Bennie


-- 
Alan McKinnon
alan.mckinnon at gmail.com
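Alan's fallback of reading the tac_plus logs can be made mechanical. The following is an added example (not code from this thread or from tac_plus itself) that parses log lines in the format Bennie quoted and counts, per client device, the connections that were torn down before the 12-byte TACACS+ packet header arrived, which is what "Read -1 bytes from ... , expecting 12" records; the sample log is constructed from the lines quoted above, and the pid-based correlation and the threshold of three are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tac_plus log lines quoted in the thread.
SAMPLE_LOG = """\
Wed Sep  4 14:54:44 2013 [12753]: connect from x.y.z.81 [x.y.z.81]
Wed Sep  4 14:54:44 2013 [12753]: x.y.z.81: exception on fd 1
Wed Sep  4 14:54:44 2013 [12753]: Read -1 bytes from x.y.z.81 , expecting 12
Wed Sep  4 14:55:14 2013 [12832]: connect from x.y.z.81 [x.y.z.81]
Wed Sep  4 14:55:14 2013 [12832]: x.y.z.81: exception on fd 1
Wed Sep  4 14:55:14 2013 [12832]: Read -1 bytes from x.y.z.81 , expecting 12
Wed Sep  4 15:02:10 2013 [13458]: connect from x.y.z.81 [x.y.z.81]
Wed Sep  4 15:02:11 2013 [13460]: connect from x.y.z.81 [x.y.z.81]
Wed Sep  4 15:02:14 2013 [13469]: connect from x.y.z.81 [x.y.z.81]
Wed Sep  4 15:02:16 2013 [13469]: x.y.z.81: exception on fd 1
Wed Sep  4 15:02:16 2013 [13469]: Read -1 bytes from x.y.z.81 , expecting 12
"""

# One tac_plus log line: timestamp, [pid of the forked child], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+) ")
# read() failed before the 12-byte TACACS+ packet header was received.
ABORT_RE = re.compile(r"^Read -1 bytes from (?P<client>\S+) , expecting 12$")

def classify_connections(log_text):
    """Per client: connections opened, and connections dropped before any
    TACACS+ header was sent. Lines are correlated by child pid (assumption)."""
    open_by_pid = {}  # pid -> client address of the connection it is serving
    stats = defaultdict(lambda: {"connections": 0, "aborted_before_header": 0})
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            open_by_pid[pid] = c.group("client")
            stats[c.group("client")]["connections"] += 1
            continue
        a = ABORT_RE.match(msg)
        if a and open_by_pid.get(pid) == a.group("client"):
            stats[a.group("client")]["aborted_before_header"] += 1
            del open_by_pid[pid]
    return dict(stats)

def suspicious_clients(log_text, min_aborts=3):
    """Clients with at least min_aborts header-less connections: the devices
    (not the daemon) to examine next with tcpdump and the vendor's own logs."""
    stats = classify_connections(log_text)
    return sorted(c for c, v in stats.items() if v["aborted_before_header"] >= min_aborts)
```

Run against a real tac_plus log, a client that keeps appearing here while the daemon's other clients authenticate normally points at the device or the path to it, which is Alan's diagnosis.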