What can cause “UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out”

This syslog message is logged when the device sends a TACACS+ request (an authentication or accounting packet) and never receives the application-layer reply from the TACACS+ server, i.e. the "R: Authentication" or "R: Accounting" packet is missing, even though TCP-level acknowledgements may still arrive.

The message appears in the messages log even though the server answers ping (it is reachable) and other devices using the same server log nothing.

The reason is that the PSH/ACK segment carrying the TACACS+ reply never reaches the client from the TACACS+ server.

To reproduce the issue, configure an input firewall filter that discards the TCP PSH/ACK packets coming from the TACACS+ server, so the device never receives the reply.

In the captures below, the Cisco TACACS+ server behaves abnormally on the TCP flow.

Normal TACACS+ TCP conversation:
172.27.14.78 = TACACS+ client
172.27.14.177 = TACACS+ server (Cisco ACS)

[Wireshark capture: normal conversation]

Notice that the "TACACS+ Q: Authentication" packet is immediately followed by "TACACS+ R: Authentication", with nothing in between.

Abnormal TACACS+ TCP conversation:
61.78.42.172 = TACACS+ client
203.236.108.138 = TACACS+ server (Cisco ACS)

[Wireshark capture: abnormal conversation]

After the client sends "TACACS+ Q: Authentication", the server returns only a bare TCP ACK for it. The server should then send "TACACS+ R: Authentication", and the client (61.78.42.172) keeps waiting for that reply from the TACACS+ server. (The same thing happens when "R: Accounting" is never received after "Q: Accounting".)

[Wireshark capture]

As a result, the client never receives the "R: Authentication" message; its read timer expires and it logs the "Network read timed out" message.
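The exchange described above, as an added example that is not part of the original article: a minimal TACACS+ client builds an authentication START ("Q: Authentication") and waits for the REPLY ("R: Authentication"). A local stand-in server runs in two modes, one that answers like the normal capture and one that, like the abnormal capture, lets the kernel TCP-ACK the request but never sends a TACACS+ reply, so the client's read times out exactly as the router's log describes. The packet layout follows the TACACS+ header and authentication bodies from RFC 8907; the UNENCRYPTED flag, the session id, the user/port/rem_addr values and the timeouts are assumptions made for the demo (a real server obfuscates the body with the shared secret).

```python
"""Added example, not code from the original article or from any vendor.

Minimal TACACS+ client plus a local stub server, used to show why a server
that only TCP-ACKs the authentication START produces "Network read timed out".
Assumptions for the demo: UNENCRYPTED flag set (no shared secret), fixed
session id, loopback addresses, short timeouts.
"""
import socket
import struct
import threading
import time

HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
VERSION = 0xC0                   # major 12, minor 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
AUTHEN_START_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
REPLY_STATUS_GETPASS = 0x05


def build_authen_start(session_id, user, port="tty0", rem_addr="192.0.2.10"):
    """Encode a TACACS+ authentication START packet (seq_no 1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", AUTHEN_START_LOGIN, 1, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    return HDR.pack(VERSION, TYPE_AUTHEN, 1, FLAG_UNENCRYPTED, session_id, len(body)) + body


def build_authen_reply(session_id, status, server_msg):
    """Encode a TACACS+ authentication REPLY packet (seq_no 2)."""
    m = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(m), 0) + m
    return HDR.pack(VERSION, TYPE_AUTHEN, 2, FLAG_UNENCRYPTED, session_id, len(body)) + body


def recv_exact(sock, n):
    """Read exactly n bytes; socket.timeout propagates if the peer goes quiet."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TACACS+ session")
        buf += chunk
    return buf


def tacacs_authenticate(host, port, user, timeout=2.0):
    """Send Q: Authentication and wait up to `timeout` seconds for R: Authentication.

    Returns a string mirroring the router's log: the reply status on success,
    or the "Network read timed out" failure when only a TCP ACK ever arrives.
    """
    session_id = 0x1A2B3C4D  # demo value; a real client picks a random id
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_authen_start(session_id, user))          # Q: Authentication
        try:
            _ver, typ, seq, _flags, sid, length = HDR.unpack(recv_exact(s, HDR.size))
            body = recv_exact(s, length)
        except socket.timeout:
            # The kernel already ACKed our START at the TCP level, but no
            # application-layer REPLY came back before the read timer expired.
            return "TACACS+ failure: Network read timed out"
    if typ != TYPE_AUTHEN or sid != session_id or seq != 2:
        return "TACACS+ failure: unexpected reply"
    return f"R: Authentication (status={body[0]})"


def start_stub_server(mode):
    """Local stand-in for the TACACS+ server; returns its listening port.

    mode "reply"  -> answers the START like the normal capture
    mode "silent" -> reads the START (so TCP ACKs it) and never replies
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            _, _, _, _, sid, length = HDR.unpack(recv_exact(conn, HDR.size))
            recv_exact(conn, length)                              # consume the START
            if mode == "reply":
                conn.sendall(build_authen_reply(sid, REPLY_STATUS_GETPASS, "Password: "))
            else:
                time.sleep(3.0)                                   # abnormal: stay silent
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for mode in ("reply", "silent"):
        print(mode, "->", tacacs_authenticate("127.0.0.1", start_stub_server(mode), "admin"))
```

Running the block prints one line per mode; the "silent" server is the abnormal Cisco ACS behaviour from the capture, and the client's result string is the same condition the device reports as UI_TACPLUS_ERROR.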

To confirm the cause, capture the TACACS+ session (TCP port 49) and analyze it in Wireshark, checking for abnormalities such as missing packets or a request that is acknowledged only at the TCP level and never answered with a TACACS+ reply.

About the author

James Palmer
