?
Solved

NEXUS Unable to reach AAA servers

Posted on 2009-04-06
12
Medium Priority
?
4,030 Views
Last Modified: 2012-05-06
Cisco Nexus5020 is unable to reach the tacacs server

THe box is configured as follow:

aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1

tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs

- The NEXUS5020 is layer 2
- I am able to telnet to the management interface from the LAN (My pc)
- I am able to reach the tacas server from my PC
- Although i am able to telnet to the management interface from PC, but I am unable to ping it from the NEXUS5020 box:

rt-nyccnexus-a# ping 10.2.2.1
PING 10.2.2.1 (10.2.2.1): 56 data bytes
ping: sendto 10.2.2.1 64 chars, No route to host
Request 0 timed out

- I am also unable to ping the tacacs server from the Nexus5020

- I get the following when trying to telnet the NEXUS5020
rt-nyccnexus-a login: admin
Password:

Remote AAA servers unreachable; local authentication done

How can I solve this issue?
0
Comment
Question by:noelnester
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
12 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24087086
Your vrf for management has a default to 10.2.2.1, does 10.2.2.1 have a route for 10.2.3.1? It appears it does not. If you do have a route to 10.2.3.1 then are there any filters in place that are denying icmp ?

More information is needed

harbor235 ;}
0
 

Author Comment

by:noelnester
ID: 24087729
- 10.2.2.1 is the gateway for the NEXUS to reach the LAN.
- From 10.2.2.1 router i can reach my AAA servers.
- I can telnet the NEXUS box from the LAN
It is just that the NEXUS box can not reach the AAA servers.

Harbor235, What other information should i provide?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24088936

Does the AAA servers have a route back to the nexus network? Can the AAA server ping the nexus box?

harbor235 ;}
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:noelnester
ID: 24089121
Yes it does. I just foundout how to ping the AAA servers but i am still getting the following error.
rt-nexus-a login: admin
Password:
Remote AAA servers unreachable; local authentication done

-So now i am able to ping the AAA servers by telling the NEXUS to use the vrf management interface -
rt-nyccnexus-a# ping 10.164.203.252 vrf management
PING 10.164.203.252 (10.164.203.252): 56 data bytes
64 bytes from 10.164.203.252: icmp_seq=0 ttl=124 time=1.787 ms
64 bytes from 10.164.203.252: icmp_seq=1 ttl=124 time=2.638 ms
64 bytes from 10.164.203.252: icmp_seq=2 ttl=124 time=1.728 ms
64 bytes from 10.164.203.252: icmp_seq=3 ttl=124 time=2.372 ms
64 bytes from 10.164.203.252: icmp_seq=4 ttl=124 time=2.28 ms
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24096461


Ok, so there is proper connectivity, try setting the source interface for tacacs to the management vrf interface.

switch(config)# ip tacacs source-interface <should be the interface with this ip 10.2.2.?>
see if that helps.

habor235 ;}
0
 

Author Comment

by:noelnester
ID: 24097448
The NEXUS does not accept the command (ip tacacs source-interface <should be the interface with this ip 10.2.2.?>)

But i can tell the NEXUS to use the management interface to reach the tacas server with the following command:

aaa group server tacacs+ servergroup
server 10.2.3.1
use-vrf management
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24097791


Very good, does that work? I am very interested in the nexus platform, I would love to see a sanitized config if possible and any information on what your are planning for it. Is it possible to contact you off list?

harbor235@gmail.com ;}
0
 

Author Comment

by:noelnester
ID: 24097961
It did not work - still troubleshooting.
The documents on the cisco website for the NEXUS are not accurate.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24098012


You have connectivity, if you source the traffic from the correct interface/vrf this shoudl work, you are using tacacs (tcp port 69) is it being filtered? Is the tacacs service up? Is this windows tacacs (ACS) or is it running on *NIX? Can other devices authenticate to it from the same segment? Have you added the nexus as a managed device?

There could be a ton of issues? Maybe we hit one

harbor235 ;}
0
 

Accepted Solution

by:
noelnester earned 0 total points
ID: 24168187
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"

aaa group server tacacs+ servergroup
    server x.x.x.x
    server x.x.x.x
    server x.x.x.x
    use-vrf management

aaa authentication login default group servergroup
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24168452


1) Does the nexus have the test aaa command available?  You can actually test your auth and recieve error messages, turn up your logging to informational.

Has the TACACS/RADIUS server been programmed with the correct key? Has the TACACS/READIUS server
added the nexus as a managed device?

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24203713


The answer was the config you had a problem with? What changed and what got it working?

harbor235 ;}
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question