NEXUS Unable to reach AAA servers

Cisco Nexus5020 is unable to reach the tacacs server

The box is configured as follows:

aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1

tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs

- The NEXUS5020 is layer 2
- I am able to telnet to the management interface from the LAN (My pc)
- I am able to reach the tacacs server from my PC
- Although I am able to telnet to the management interface from my PC, I am unable to ping it from the NEXUS5020 box:

rt-nyccnexus-a# ping 10.2.2.1
PING 10.2.2.1 (10.2.2.1): 56 data bytes
ping: sendto 10.2.2.1 64 chars, No route to host
Request 0 timed out

- I am also unable to ping the tacacs server from the Nexus5020

- I get the following when trying to telnet to the NEXUS5020
rt-nyccnexus-a login: admin
Password:

Remote AAA servers unreachable; local authentication done

How can I solve this issue?
Asked by noelnester

1 Solution

harbor235Commented:
Your VRF for management has a default route to 10.2.2.1; does 10.2.2.1 have a route for 10.2.3.1? It appears it does not. If you do have a route to 10.2.3.1, then are there any filters in place that are denying ICMP?

More information is needed

harbor235 ;}
noelnesterAuthor Commented:
- 10.2.2.1 is the gateway for the NEXUS to reach the LAN.
- From the 10.2.2.1 router I can reach my AAA servers.
- I can telnet to the NEXUS box from the LAN.
It is just that the NEXUS box cannot reach the AAA servers.

Harbor235, what other information should I provide?
harbor235Commented:

Do the AAA servers have a route back to the Nexus network? Can the AAA server ping the Nexus box?

harbor235 ;}
noelnesterAuthor Commented:
Yes it does. I just found out how to ping the AAA servers, but I am still getting the following error.
rt-nexus-a login: admin
Password:
Remote AAA servers unreachable; local authentication done

- So now I am able to ping the AAA servers by telling the NEXUS to use the vrf management interface:
rt-nyccnexus-a# ping 10.164.203.252 vrf management
PING 10.164.203.252 (10.164.203.252): 56 data bytes
64 bytes from 10.164.203.252: icmp_seq=0 ttl=124 time=1.787 ms
64 bytes from 10.164.203.252: icmp_seq=1 ttl=124 time=2.638 ms
64 bytes from 10.164.203.252: icmp_seq=2 ttl=124 time=1.728 ms
64 bytes from 10.164.203.252: icmp_seq=3 ttl=124 time=2.372 ms
64 bytes from 10.164.203.252: icmp_seq=4 ttl=124 time=2.28 ms
harbor235Commented:

Ok, so there is proper connectivity. Try setting the source interface for tacacs to the management VRF interface.

switch(config)# ip tacacs source-interface <should be the interface with this ip 10.2.2.?>
See if that helps.

harbor235 ;}
noelnesterAuthor Commented:
The NEXUS does not accept the command (ip tacacs source-interface <should be the interface with this ip 10.2.2.?>)

But I can tell the NEXUS to use the management interface to reach the tacacs server with the following command:

aaa group server tacacs+ servergroup
server 10.2.3.1
use-vrf management
harbor235Commented:

Very good, does that work? I am very interested in the Nexus platform; I would love to see a sanitized config if possible and any information on what you are planning for it. Is it possible to contact you off list?

harbor235@gmail.com ;}
noelnesterAuthor Commented:
It did not work - still troubleshooting.
The documents on the cisco website for the NEXUS are not accurate.
harbor235Commented:

You have connectivity; if you source the traffic from the correct interface/VRF this should work. You are using tacacs (tcp port 69): is it being filtered? Is the tacacs service up? Is this Windows tacacs (ACS) or is it running on *NIX? Can other devices authenticate to it from the same segment? Have you added the Nexus as a managed device?

There could be a ton of issues. Maybe we hit one.

harbor235 ;}
noelnesterAuthor Commented:
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"

aaa group server tacacs+ servergroup
    server x.x.x.x
    server x.x.x.x
    server x.x.x.x
    use-vrf management

aaa authentication login default group servergroup
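An added example, not part of the thread: a small Python audit of an NX-OS running-config for exactly the mismatches discussed above (the login method pointing at a server group that is empty, has no `use-vrf management`, has no source interface, or lists servers with no `tacacs-server host` entry and so no shared key). The two configs inside it are constructed to mirror the shapes posted in the thread, not captured from the device. `source-interface mgmt0` under `aaa group server tacacs+` is the NX-OS form of the IOS `ip tacacs source-interface` command the box rejected earlier; everything else the script looks for is taken from the configs on this page.

```python
"""Audit an NX-OS running-config for the TACACS+ / management-VRF problems
seen in this thread: the login method points at a server group that has no
servers, does not use the management VRF, has no source interface, or lists
servers that lack a tacacs-server host entry (and therefore a shared key).

Constructed sample configs below; they are not captured from a real device.
"""
import re

# Constructed: shape of the first config posted above. Group "tacacs" is
# defined but empty, and the only default route lives in VRF management.
BROKEN_CONFIG = """\
aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1
tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs
"""

# Constructed: the shape that works on Nexus. Host defined globally with a
# key, listed in the group, reached via VRF management, sourced from mgmt0.
FIXED_CONFIG = """\
tacacs-server host 10.2.3.1 key 7 "cccccc"
aaa group server tacacs+ servergroup
    server 10.2.3.1
    use-vrf management
    source-interface mgmt0
aaa authentication login default group servergroup
vrf context management
  ip route 0.0.0.0/0 10.2.2.1
"""


def parse_nxos(config):
    """Pull out the AAA pieces we care about. Indented lines belong to the
    most recent top-level 'aaa group server tacacs+' block."""
    state = {"login_group": None, "global_key": False, "hosts": {}, "groups": {}}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        text = raw.strip()
        if not indented:
            current = None
            m = re.match(r"aaa authentication login default group (\S+)", text)
            if m:
                state["login_group"] = m.group(1)
                continue
            if re.match(r"tacacs-server key ", text):
                state["global_key"] = True
                continue
            m = re.match(r"tacacs-server host (\S+)(.*)$", text)
            if m:
                state["hosts"][m.group(1)] = {"has_key": " key " in m.group(2)}
                continue
            m = re.match(r"aaa group server tacacs\+ (\S+)", text)
            if m:
                current = m.group(1)
                state["groups"][current] = {"servers": [], "use_vrf": None,
                                            "source_interface": None}
            continue
        if current is None:
            continue  # indented line of some other block (e.g. vrf context)
        grp = state["groups"][current]
        m = re.match(r"server (\S+)", text)
        if m:
            grp["servers"].append(m.group(1))
        m = re.match(r"use-vrf (\S+)", text)
        if m:
            grp["use_vrf"] = m.group(1)
        m = re.match(r"source-interface (\S+)", text)
        if m:
            grp["source_interface"] = m.group(1)
    return state


def audit(config):
    """Return a list of findings; an empty list means the group looks usable."""
    s = parse_nxos(config)
    findings = []
    name = s["login_group"]
    if name is None:
        return ["no 'aaa authentication login default group' line: local auth only"]
    grp = s["groups"].get(name)
    if grp is None:
        return [f"login group '{name}' is not a defined tacacs+ server group"]
    if not grp["servers"]:
        findings.append(f"group '{name}' lists no servers")
    for ip in grp["servers"]:
        host = s["hosts"].get(ip)
        if host is None:
            findings.append(f"server {ip} has no tacacs-server host entry")
        elif not (host["has_key"] or s["global_key"]):
            findings.append(f"server {ip} has no shared key (per-host or global)")
    if grp["use_vrf"] != "management":
        findings.append(f"group '{name}' lacks 'use-vrf management': "
                        "TACACS+ (TCP/49) goes out the default VRF")
    if grp["source_interface"] is None:
        findings.append(f"group '{name}' has no source-interface: "
                        "the server must accept the mgmt0 address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

On the switch itself, `show tacacs-server groups` shows the VRF and source interface a group actually uses, and `test aaa group servergroup <user> <password>` exercises the method without logging out. TACACS+ listens on TCP/49, so any filter between mgmt0 and the server must allow that port, and the server must accept requests from the mgmt0 address with the same shared key configured on the host lines.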
harbor235Commented:

1) Does the Nexus have the test aaa command available? You can actually test your auth and receive error messages; turn up your logging to informational.

Has the TACACS/RADIUS server been programmed with the correct key? Has the TACACS/RADIUS server added the Nexus as a managed device?

harbor235 ;}
harbor235Commented:

The answer was the config you had a problem with? What changed and what got it working?

harbor235 ;}