From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Fri Jun 20 2008 - 11:48:20 ART
Go to the ACS service control. Stop it and then start it.
Maybe this helps; if not, then restart the ACS server.
2008/6/20 Tim <ccie2be@nyc.rr.com>:
> Luca,
>
> You're 100% right.
>
> I did the netstat -na command like you said and saw that Tacacs+ is running
> on the wrong ip address, 0.0.0.0, not 10.0.0.100 which is the address it
> should be running on.
>
> I don't understand why Tacacs is NOT running on 10.0.0.100 because when I
> defined the AAA server in ACS, I specified 10.0.0.100 as the address.
>
> Do you know how I can fix this problem?
>
> Thanks so much,
>
> Tim
>
> -----Original Message-----
> From: Luca Hall [mailto:lhall@setnine.com]
> Sent: Friday, June 20, 2008 9:55 AM
> To: Tim
> Cc: 'Cisco certification'; security@groupstudy.com
> Subject: Re: AAA authentication
>
>
> Just because the aaa box is up doesn't mean radius/tacacs is running on it,
> which is what it's telling you with the debug message:
> "AAA authentication server not accessible"
> I'd make sure aaa is running and you have the ports correct on the server
> and the router (old 1812 vs new 1645). netstat -na on your aaa box then nmap
> the ports radius/tacacs is running on to make sure you can access it.
>
> ----- Original Message -----
> From: Tim <ccie2be@nyc.rr.com>
> To: 'Cisco certification' <ccielab@groupstudy.com>,
> security@groupstudy.com
> Sent: Fri, 20 Jun 2008 09:33:12 -0400 (EDT)
> Subject: AAA authentication
>
> Hey guys,
>
> This is driving me batty.
>
> I set up aaa authen but it's failing.
>
> Here's the debug output:
>
> %PIX-6-113014: AAA authentication server not accessible : server =
> 10.0.0.100 : <----- NOT TRUE, see ping below.
> user = cisco123
>
> %PIX-6-109006: Authentication failed for user 'cisco123' from 183.1.19.12/2811 to 183.1.19.100/80 on interface inside
>
> %PIX-6-302014: Teardown TCP connection 9230 for inside:10.0.0.100/49 to NP Identity Ifc:183.1.19.9/1048 duration 0:00:01 bytes 96 TCP FINs
>
> %PIX-6-302014: Teardown TCP connection 9227 for outside:183.1.19.100/80 to inside:183.1.19.12/2811 duration 0:00:59 bytes 135 TCP FINs
>
> %PIX-6-302013: Built outbound TCP connection 9231 for outside:183.1.19.100/80 (183.1.19.100/80) to inside:183.1.19.12/2834 (183.1.19.12/2834)
>
> %PIX-6-109001: Auth start for user '???' from 183.1.19.12/2834 to 183.1.19.100/80
>
> %PIX-6-302013: Built outbound TCP connection 9232 for inside:10.0.0.100/49 (10.0.0.100/49) to NP Identity Ifc:183.1.19.9/1049 (183.1.19.9/1049)
>
>
>
>
> PIX(config)# ping 10.0.0.100
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
>
> !!!!!
>
> Why would the debug say "AAA authen server not accessible" when it is?
>
> I thought maybe the shared key wasn't correct or maybe the ip addresses
> weren't correct but I checked them and they're all correct.
>
> Thanks, Tim
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
-- Muhammad Nasim Network Engineer Saudi Arabia
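
Added example, not part of the original thread: a short Python check for the two diagnostics discussed above, reading `netstat -na` output for a TACACS+ (tcp/49) or RADIUS (udp/1645, udp/1812) listener and testing the TCP port itself rather than relying on ping. It treats a socket bound to 0.0.0.0 as the wildcard bind that accepts traffic on every local IPv4 address; the netstat sample and the function names are constructed for illustration.

```python
import socket

# Constructed sample of Windows `netstat -na` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING
  TCP    10.0.0.100:139         0.0.0.0:0              LISTENING
  TCP    10.0.0.100:49          183.1.19.9:1048        TIME_WAIT
  UDP    0.0.0.0:1645           *:*
  UDP    127.0.0.1:1812         *:*
"""

def parse_listeners(netstat_text):
    """Return a set of (proto, ip, port) for TCP LISTENING and bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        ip, _, port = fields[1].rpartition(":")
        if port.isdigit():
            found.add((fields[0], ip, int(port)))
    return found

def serves(listeners, proto, ip, port):
    """True if a socket is bound to ip:port directly or via the 0.0.0.0 wildcard."""
    return (proto, ip, port) in listeners or (proto, "0.0.0.0", port) in listeners

def tcp_reachable(host, port, timeout=2.0):
    """Complete a TCP handshake to host:port; an ICMP ping cannot show this."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    ls = parse_listeners(SAMPLE_NETSTAT)
    print("TACACS+ tcp/49 on 10.0.0.100:", serves(ls, "TCP", "10.0.0.100", 49))
    print("RADIUS udp/1812 on 10.0.0.100:", serves(ls, "UDP", "10.0.0.100", 1812))
```

Run `tcp_reachable("10.0.0.100", 49)` from a host on the same path as the firewall to separate "host answers ping" from "service accepts connections".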
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART