Solved

NEXUS Unable to reach AAA servers

Posted on 2009-04-06
Last Modified: 2012-05-06
Cisco Nexus5020 is unable to reach the tacacs server

The box is configured as follows:

aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1

tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs

- The NEXUS5020 is layer 2
- I am able to telnet to the management interface from the LAN (my PC)
- I am able to reach the tacacs server from my PC
- Although I am able to telnet to the management interface from my PC, I am unable to ping it from the NEXUS5020 box:

rt-nyccnexus-a# ping 10.2.2.1
PING 10.2.2.1 (10.2.2.1): 56 data bytes
ping: sendto 10.2.2.1 64 chars, No route to host
Request 0 timed out

- I am also unable to ping the tacacs server from the Nexus5020

- I get the following when trying to telnet the NEXUS5020
rt-nyccnexus-a login: admin
Password:

Remote AAA servers unreachable; local authentication done

How can I solve this issue?
Question by:noelnester
LVL 32

Expert Comment

by:harbor235
ID: 24087086
Your vrf for management has a default to 10.2.2.1; does 10.2.2.1 have a route for 10.2.3.1? It appears it does not. If you do have a route to 10.2.3.1, then are there any filters in place that are denying ICMP?

More information is needed

harbor235 ;}

Author Comment

by:noelnester
ID: 24087729
- 10.2.2.1 is the gateway for the NEXUS to reach the LAN.
- From the 10.2.2.1 router I can reach my AAA servers.
- I can telnet to the NEXUS box from the LAN.
It is just that the NEXUS box cannot reach the AAA servers.

Harbor235, what other information should I provide?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24088936

Do the AAA servers have a route back to the nexus network? Can the AAA server ping the nexus box?

harbor235 ;}

Author Comment

by:noelnester
ID: 24089121
Yes it does. I just found out how to ping the AAA servers, but I am still getting the following error.
rt-nexus-a login: admin
Password:
Remote AAA servers unreachable; local authentication done

- So now I am able to ping the AAA servers by telling the NEXUS to use the vrf management interface:
rt-nyccnexus-a# ping 10.164.203.252 vrf management
PING 10.164.203.252 (10.164.203.252): 56 data bytes
64 bytes from 10.164.203.252: icmp_seq=0 ttl=124 time=1.787 ms
64 bytes from 10.164.203.252: icmp_seq=1 ttl=124 time=2.638 ms
64 bytes from 10.164.203.252: icmp_seq=2 ttl=124 time=1.728 ms
64 bytes from 10.164.203.252: icmp_seq=3 ttl=124 time=2.372 ms
64 bytes from 10.164.203.252: icmp_seq=4 ttl=124 time=2.28 ms
LVL 32

Expert Comment

by:harbor235
ID: 24096461


Ok, so there is proper connectivity, try setting the source interface for tacacs to the management vrf interface.

switch(config)# ip tacacs source-interface <should be the interface with this ip 10.2.2.?>
see if that helps.

harbor235 ;}

Author Comment

by:noelnester
ID: 24097448
The NEXUS does not accept the command (ip tacacs source-interface <should be the interface with this ip 10.2.2.?>).

But I can tell the NEXUS to use the management interface to reach the tacacs server with the following command:

aaa group server tacacs+ servergroup
server 10.2.3.1
use-vrf management
LVL 32

Expert Comment

by:harbor235
ID: 24097791


Very good, does that work? I am very interested in the nexus platform; I would love to see a sanitized config if possible and any information on what you are planning for it. Is it possible to contact you off list?

harbor235@gmail.com ;}

Author Comment

by:noelnester
ID: 24097961
It did not work - still troubleshooting.
The documents on the cisco website for the NEXUS are not accurate.
LVL 32

Expert Comment

by:harbor235
ID: 24098012


You have connectivity; if you source the traffic from the correct interface/vrf this should work. You are using tacacs (tcp port 69): is it being filtered? Is the tacacs service up? Is this Windows tacacs (ACS) or is it running on *NIX? Can other devices authenticate to it from the same segment? Have you added the nexus as a managed device?

There could be a ton of issues. Maybe we hit one.

harbor235 ;}

Accepted Solution

by:noelnester (earned 0 total points)
ID: 24168187
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"

aaa group server tacacs+ servergroup
    server x.x.x.x
    server x.x.x.x
    server x.x.x.x
    use-vrf management

aaa authentication login default group servergroup
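The accepted configuration above, as an added audit example that is not part of the thread or of Cisco's software: a small Python script that parses an NX-OS AAA snippet in the shape posted here and flags the two defects the thread turned up, a login method that points at a server group with no members, and a server group without `use-vrf management`, which makes the switch source TACACS+ traffic from the default VRF even though the only route to the server lives in the management VRF. The sample configs, addresses and placeholder key are constructed; the parser assumes the running-config layout where `server` and `use-vrf` lines follow their `aaa group server tacacs+` line (indented or, as posted in this thread, not).

```python
"""Audit an NX-OS TACACS+ AAA snippet for the defects discussed in the thread.

Added example (not from the thread). Checks a config snippet for:
  * a login method that references an undefined or empty server group
  * group members that have no matching 'tacacs-server host' line
  * a server group without 'use-vrf', so AAA traffic uses the default VRF
"""
import re
from typing import Dict, List, Optional

# Constructed sample 1: the shape of the original, non-working configuration.
BROKEN_CONFIG = """\
aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1
tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs
"""

# Constructed sample 2: the shape of the accepted solution (placeholder key).
FIXED_CONFIG = """\
tacacs-server host 10.2.3.1 key 7 "PLACEHOLDER_KEY"
aaa group server tacacs+ servergroup
    server 10.2.3.1
    use-vrf management
aaa authentication login default group servergroup
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)")
LOGIN_RE = re.compile(r"^aaa authentication login default group (.+)$")
MEMBER_RE = re.compile(r"^server (\S+)")
VRF_RE = re.compile(r"^use-vrf (\S+)")


def parse_nxos_aaa(config: str) -> dict:
    """Extract TACACS+ hosts, server groups and the default login method."""
    hosts: set = set()
    groups: Dict[str, dict] = {}
    login_groups: List[str] = []
    current: Optional[str] = None  # name of the group block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 'server' and 'use-vrf' lines belong to the open group block,
        # whether or not the config indented them.
        if current is not None:
            member = MEMBER_RE.match(line)
            if member:
                groups[current]["servers"].append(member.group(1))
                continue
            vrf = VRF_RE.match(line)
            if vrf:
                groups[current]["vrf"] = vrf.group(1)
                continue
        current = None  # any other line ends the group block
        host = HOST_RE.match(line)
        group = GROUP_RE.match(line)
        login = LOGIN_RE.match(line)
        if host:
            hosts.add(host.group(1))
        elif group:
            current = group.group(1)
            groups[current] = {"servers": [], "vrf": None}
        elif login:
            login_groups = login.group(1).split()
    return {"hosts": hosts, "groups": groups, "login_groups": login_groups}


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no defect found."""
    parsed = parse_nxos_aaa(config)
    findings: List[str] = []
    for name in parsed["login_groups"]:
        if name in ("local", "none"):  # built-in fallback methods, not groups
            continue
        group = parsed["groups"].get(name)
        if group is None:
            findings.append(f"login method references undefined server group '{name}'")
            continue
        if not group["servers"]:
            findings.append(f"server group '{name}' has no servers, so login falls back to local")
        for server in group["servers"]:
            if server not in parsed["hosts"]:
                findings.append(f"member {server} of group '{name}' has no 'tacacs-server host' line")
        if group["vrf"] is None:
            findings.append(f"server group '{name}' has no 'use-vrf'; AAA traffic uses the default VRF, "
                            "not the management VRF that holds the route to the server")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the "before" sample it reports the empty group and the missing `use-vrf`; against the "after" sample it reports nothing. If the audit is clean and the switch still logs "Remote AAA servers unreachable; local authentication done", the remaining checks are the ones raised later in the thread: TCP reachability to the server on the TACACS+ port (TCP 49) from the management VRF, the shared key matching on both sides, and the switch being registered as a client on the TACACS+ server.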
LVL 32

Expert Comment

by:harbor235
ID: 24168452


1) Does the nexus have the test aaa command available? You can actually test your auth and receive error messages; turn up your logging to informational.

Has the TACACS/RADIUS server been programmed with the correct key? Has the TACACS/RADIUS server added the nexus as a managed device?

harbor235 ;}
LVL 32

Expert Comment

by:harbor235
ID: 24203713


The answer was the config you had a problem with? What changed and what got it working?

harbor235 ;}