• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4463

NEXUS Unable to reach AAA servers

Cisco Nexus5020 is unable to reach the TACACS server.

The box is configured as follows:

aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1

tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs

- The NEXUS5020 is layer 2
- I am able to telnet to the management interface from the LAN (my PC)
- I am able to reach the TACACS server from my PC
- Although I am able to telnet to the management interface from my PC, I am unable to ping it from the NEXUS5020 box:

rt-nyccnexus-a# ping 10.2.2.1
PING 10.2.2.1 (10.2.2.1): 56 data bytes
ping: sendto 10.2.2.1 64 chars, No route to host
Request 0 timed out

- I am also unable to ping the TACACS server from the Nexus5020

- I get the following when trying to telnet to the NEXUS5020:
rt-nyccnexus-a login: admin
Password:

Remote AAA servers unreachable; local authentication done

How can I solve this issue?
1 Solution
 
harbor235 Commented:
Your VRF for management has a default route to 10.2.2.1; does 10.2.2.1 have a route for 10.2.3.1? It appears it does not. If you do have a route to 10.2.3.1, then are there any filters in place that are denying ICMP?

More information is needed

harbor235 ;}
noelnester (Author) Commented:
- 10.2.2.1 is the gateway for the NEXUS to reach the LAN.
- From the 10.2.2.1 router I can reach my AAA servers.
- I can telnet to the NEXUS box from the LAN.
It is just that the NEXUS box cannot reach the AAA servers.

Harbor235, what other information should I provide?
harbor235 Commented:

Do the AAA servers have a route back to the Nexus network? Can the AAA server ping the Nexus box?

harbor235 ;}
noelnester (Author) Commented:
Yes it does. I just found out how to ping the AAA servers, but I am still getting the following error:
rt-nexus-a login: admin
Password:
Remote AAA servers unreachable; local authentication done

- So now I am able to ping the AAA servers by telling the NEXUS to use the VRF management interface:
rt-nyccnexus-a# ping 10.164.203.252 vrf management
PING 10.164.203.252 (10.164.203.252): 56 data bytes
64 bytes from 10.164.203.252: icmp_seq=0 ttl=124 time=1.787 ms
64 bytes from 10.164.203.252: icmp_seq=1 ttl=124 time=2.638 ms
64 bytes from 10.164.203.252: icmp_seq=2 ttl=124 time=1.728 ms
64 bytes from 10.164.203.252: icmp_seq=3 ttl=124 time=2.372 ms
64 bytes from 10.164.203.252: icmp_seq=4 ttl=124 time=2.28 ms
harbor235 Commented:


Ok, so there is proper connectivity; try setting the source interface for TACACS to the management VRF interface.

switch(config)# ip tacacs source-interface <should be the interface with this ip 10.2.2.?>

See if that helps.

harbor235 ;}
noelnester (Author) Commented:
The NEXUS does not accept the command (ip tacacs source-interface <should be the interface with this ip 10.2.2.?>).

But I can tell the NEXUS to use the management interface to reach the TACACS server with the following command:

aaa group server tacacs+ servergroup
    server 10.2.3.1
    use-vrf management
harbor235 Commented:


Very good, does that work? I am very interested in the Nexus platform; I would love to see a sanitized config if possible and any information on what you are planning for it. Is it possible to contact you off list?

harbor235@gmail.com ;}
noelnester (Author) Commented:
It did not work; still troubleshooting.
The documents on the Cisco website for the NEXUS are not accurate.
harbor235 Commented:


You have connectivity; if you source the traffic from the correct interface/VRF this should work. You are using TACACS (tcp port 69): is it being filtered? Is the TACACS service up? Is this Windows TACACS (ACS) or is it running on *NIX? Can other devices authenticate to it from the same segment? Have you added the Nexus as a managed device?

There could be a ton of issues. Maybe we hit one.

harbor235 ;}

noelnester (Author) Commented:
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"
tacacs-server host x.x.x.x key 7 "cccccc"

aaa group server tacacs+ servergroup
    server x.x.x.x
    server x.x.x.x
    server x.x.x.x
    use-vrf management

aaa authentication login default group servergroup
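The config in the question and the config in this post differ in ways that are easy to miss when reading by eye: the first defines a user group named "tacacs" that is referenced by the login and accounting methods but contains no server lines and no use-vrf, while the only default route is in VRF management; this later one lists the servers inside the group, carries per-host keys, and pins the group to use-vrf management. The following Python lint is an added example and is not code from this thread or from Cisco. It parses NX-OS-style text with a small hand-written matcher (not a full NX-OS grammar) and reports those structural mismatches. Both sample configs are constructed from the ones posted here; 192.0.2.10 is a documentation address standing in for the x.x.x.x placeholders, and the key value is the same redacted string the post shows. It is a text check only and does not replace the on-box tests suggested later in the thread.

```python
"""Structural lint for NX-OS TACACS+/AAA configuration (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the config posted in the question.
ORIGINAL_CFG = """\
aaa authentication login default group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.2.1

tacacs-server host 10.2.3.1
aaa group server tacacs+ tacacs
"""

# Constructed sample modelled on the later config; 192.0.2.10 is a documentation address.
FIXED_CFG = """\
tacacs-server host 10.2.3.1 key 7 "cccccc"
tacacs-server host 192.0.2.10 key 7 "cccccc"
vrf context management
  ip route 0.0.0.0/0 10.2.2.1

aaa group server tacacs+ servergroup
    server 10.2.3.1
    server 192.0.2.10
    use-vrf management

aaa authentication login default group servergroup
"""


@dataclass
class AaaConfig:
    hosts: dict = field(default_factory=dict)        # server ip -> per-host key present?
    global_key: bool = False                         # a global "tacacs-server key" line exists?
    groups: dict = field(default_factory=dict)       # group name -> {"servers": [...], "vrf": str|None}
    referenced: list = field(default_factory=list)   # groups named by aaa authentication/accounting
    vrfs_with_default: set = field(default_factory=set)  # VRFs that carry a 0.0.0.0/0 route


def parse_nxos(text: str) -> AaaConfig:
    """Extract the AAA-relevant facts; indented lines belong to the preceding block."""
    cfg = AaaConfig()
    context = None  # ("group", name) or ("vrf", name) while inside an indented block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            context = None
            if m := re.match(r"tacacs-server host (\S+)(.*)$", line):
                cfg.hosts[m.group(1)] = bool(re.search(r"\bkey\b", m.group(2)))
            elif re.match(r"tacacs-server key\b", line):
                cfg.global_key = True
            elif m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
                cfg.groups[m.group(1)] = {"servers": [], "vrf": None}
                context = ("group", m.group(1))
            elif m := re.match(r"vrf context (\S+)$", line):
                context = ("vrf", m.group(1))
            elif re.match(r"ip route 0\.0\.0\.0/0 \S+", line):
                cfg.vrfs_with_default.add("default")   # top-level route lives in the default VRF
            elif m := re.match(r"aaa (?:authentication login|accounting) default group (\S+)$", line):
                if m.group(1) not in cfg.referenced:
                    cfg.referenced.append(m.group(1))
            continue
        if context is None:
            continue
        kind, name = context
        if kind == "group":
            if m := re.match(r"server (\S+)$", line):
                cfg.groups[name]["servers"].append(m.group(1))
            elif m := re.match(r"use-vrf (\S+)$", line):
                cfg.groups[name]["vrf"] = m.group(1)
        elif kind == "vrf" and re.match(r"ip route 0\.0\.0\.0/0 \S+", line):
            cfg.vrfs_with_default.add(name)
    return cfg


def lint_aaa(text: str) -> list:
    """Return human-readable findings; an empty list means no structural problem was seen."""
    cfg = parse_nxos(text)
    findings = []
    for name in cfg.referenced:
        g = cfg.groups.get(name)
        if g is None:
            findings.append(f"group '{name}' is referenced but never defined")
            continue
        if not g["servers"]:
            findings.append(f"group '{name}' has no member servers")
        for ip in g["servers"]:
            if ip not in cfg.hosts:
                findings.append(f"group '{name}' lists {ip} but there is no tacacs-server host {ip}")
        # No use-vrf means the default VRF; flag it when the default route is elsewhere.
        if g["vrf"] is None and cfg.vrfs_with_default and "default" not in cfg.vrfs_with_default:
            findings.append(f"group '{name}' has no use-vrf, so it uses the default VRF, "
                            f"but the default route is in VRF {sorted(cfg.vrfs_with_default)}")
    if not cfg.global_key:
        for ip, has_key in cfg.hosts.items():
            if not has_key:
                findings.append(f"tacacs-server host {ip} has no key and no global tacacs-server key is set")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(f"{label}: {lint_aaa(cfg_text) or ['no findings']}")
```

Run against the first config the lint reports three findings (empty group, no use-vrf while the default route sits in VRF management, host without a key); against the second it reports none. A clean result from this check says nothing about the shared secret matching the server or about the server having the switch registered as a client, which is exactly what the rest of the thread goes on to ask about.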
harbor235 Commented:


1) Does the Nexus have the test aaa command available? You can actually test your auth and receive error messages; turn up your logging to informational.

Has the TACACS/RADIUS server been programmed with the correct key? Has the TACACS/RADIUS server added the Nexus as a managed device?

harbor235 ;}

harbor235 Commented:


The answer was the config you had a problem with? What changed and what got it working?

harbor235 ;}
Question has a verified solution.