What can cause “UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out”

The syslog messages can be caused by the device not getting PSH/Acknowledgements from a TACACS server after a TACACS accounting message (such as Missing “R : Authentication”, “R : Accounting” messages) is sent.

The following is seen in the messages log even though there is not a problem pinging the server (Server is reachable) and other nodes do not have any messages logged:

PUH/ACK is not coming to the client from the TACACS server.

To trigger the issue, set an input firewall filter to discard (not receive) the TCP PUH/ACK packets coming from the TACACS server:

Cisco TACACS server works abnormally on the TCP flow.

Normal TACACS TCP conversation: = TACACS client = TACACS server (Cisco ACS)


Notice the “TACACS+ Q:Authentication” is followed by “TACACS+ R:Authentication” with nothing in between.

Abnormal TACACS TCP conversation: = client = TACACS server (Cisco ACS)


After the client sends “TACACS+ Q:Authentication”, the server sends back a TCP ACK message on it.  The server must send “TACACS+ R: Authentication”.  The  client(=  waits for “R:Authentication” from TACACS server. (It’s the same as not receiving “R : Accounting”).


As a result, the client did not receive an “R_Authentication” message and logs the “Network read timed out” message.

Analyze the conversation in Wireshark to verify there are no abnormalities such as a failure to receive acknowledgements or missing packets.

About the author

James Palmer

Leave a Comment