On the console device connected to the switches, make sure there is "no exec",
"stopbits 1", "modem InOut", and "flowcontrol hardware".
I don't remember exactly which one fixes this issue.
But essentially the terminal is sending characters to the 3560 that are
causing the 3560 to authenticate the session.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 7:54 PM
To: Travis Niedens; Cisco certification
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Yeah, bounced her already. I'm guessing there's something plugged into
the con port as well...we'll have to see. :)
thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI# 30482
CEO / President
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
Email: brad_at_ccbootcamp.com
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com
-----Original Message-----
From: Travis Niedens [mailto:niedentj_at_hotmail.com]
Sent: Thursday, October 07, 2010 4:49 PM
To: Brad Ellis; 'Cisco certification'
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Unplug the cable? Reload? Perhaps solar flares? :) No tracebacks either?
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 4:33 PM
To: Travis Niedens; Cisco certification
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
It's actually happening on two 3560s, and only those... console port
looks okay:
(from one of them)
C3560G-24PS #sh line con 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0     154     0/0       -

Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
Status: Ready, 0x40000
Capabilities: none
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               never        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
It's happening on two out of 80 something switches...very weird.
Both devices have the same config as about 100 other 3560s...the mystery
continues! :)
thanks,
Brad Ellis
-----Original Message-----
From: Travis Niedens [mailto:niedentj_at_hotmail.com]
Sent: Thursday, October 07, 2010 4:18 PM
To: Brad Ellis; 'Cisco certification'
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Nothing plugged into the console port that might be shorted out?
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 3:52 PM
To: Cisco certification
Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Crazy stuff...but I thought this would make an interesting problem for
people to think about.
Every 60 seconds or so:
Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user='' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 7 22:53:21.317: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status = GETPASS
Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out
I haven't figured this one out yet.
thanks,
Brad Ellis
Received on Thu Oct 07 2010 - 23:22:22 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART
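
Added example, not part of the original thread: a small Python check that groups AAA debug lines like those in the first post by session id and flags console logins that nobody typed (empty or garbage usernames, or a login timeout). The log lines are a constructed sample modelled on the quoted output; the tty1 session, the function names and the "plausible username" pattern are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug output quoted in the thread.
SAMPLE = """\
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 23:10:02.100: AAA/AUTHEN/START (2000000001): port='tty1' list='' action=LOGIN service=LOGIN
Oct 7 23:10:05.200: AAA/AUTHEN/CONT (2000000001): continue_login (user='admin')
Oct 7 23:10:07.300: AAA/AUTHEN (2000000001): status = PASS
"""

START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
CONT = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='(.*)'\)")
STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
ABORT = re.compile(r"AAA/AUTHEN/ABORT: \((\d+)\) because (.+?)\.?$")
# Assumption: real account names are short and made of these characters.
PLAUSIBLE_USER = re.compile(r"^[A-Za-z0-9._-]{2,32}$")

def parse_sessions(text):
    """Group debug lines by AAA session id; the last status seen wins."""
    sessions = defaultdict(lambda: {"port": None, "inputs": [], "status": None, "abort": None})
    for line in text.splitlines():
        if m := START.search(line):
            sessions[m[1]]["port"] = m[2]
        elif m := CONT.search(line):
            sessions[m[1]]["inputs"].append(m[2])
        elif m := STATUS.search(line):
            sessions[m[1]]["status"] = m[2]
        elif m := ABORT.search(line):
            sessions[m[1]]["abort"] = m[2]
    return dict(sessions)

def phantom_console_logins(text, console_port="tty0"):
    """Return (session id, usernames seen, abort reason) for suspect console logins."""
    flagged = []
    for sid, s in parse_sessions(text).items():
        if s["port"] != console_port or s["status"] == "PASS":
            continue
        names = [u for u in s["inputs"] if u not in ("", "(undef)")]
        noisy = not names or any(not PLAUSIBLE_USER.match(u) for u in names)
        if noisy or s["abort"]:
            flagged.append((sid, names, s["abort"]))
    return flagged

if __name__ == "__main__":
    print(phantom_console_logins(SAMPLE))
```

A switch that repeatedly produces flagged sessions on tty0 at regular intervals matches the pattern described in the thread, where stray characters arriving on the console line start a login.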