The syslog messages can be caused by the device not receiving the PSH/ACK (the TACACS+ reply) from the TACACS server after it has sent a TACACS+ request; for example, the expected “R:Authentication” or “R:Accounting” message never arrives.
The following is seen in the messages log even though there is no problem pinging the server (the server is reachable) and other nodes log no such messages:
MX960 mgd[9411]: UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out
MX960 mgd[8677]: UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out
MX960 mgd[9531]: UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out
The PSH/ACK is not arriving at the client from the TACACS server.
To reproduce the issue, apply an input firewall filter that discards (rather than receives) the TCP PSH/ACK packets coming from the TACACS server:
jun@MX960_MODEL1# show
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECHOST;
                }
                address 172.27.14.78/24;
            }
        }
    }
}
firewall {
    filter PROTECHOST {
        term Rate_Limit {
            from {
                destination-address {
                    172.27.14.78/32;
                }
                protocol tcp;
                tcp-flags 0x18;    <--- PSH/ACK
            }
            then {
                count TCP_Conection;
                discard;
            }
        }
        term 10 {
            then accept;
        }
    }
}
In the failing case, the Cisco TACACS server behaves abnormally within the TCP flow.
Normal TACACS TCP conversation:
172.27.14.78 = TACACS client
172.27.14.177 = TACACS server (Cisco ACS)
Notice the “TACACS+ Q:Authentication” is followed by “TACACS+ R:Authentication” with nothing in between.
Abnormal TACACS TCP conversation:
61.78.42.172 = client
203.236.108.138 = TACACS server (Cisco ACS)
After the client sends “TACACS+ Q:Authentication”, the server returns only a TCP ACK for it. The server should then send “TACACS+ R:Authentication”, but it does not, so the client (61.78.42.172) keeps waiting for “R:Authentication” from the TACACS server. (The same situation arises when “R:Accounting” is not received.)
As a result, the client never receives the “R:Authentication” message and logs the “Network read timed out” message.
Analyze the conversation in Wireshark to verify there are no abnormalities such as a failure to receive acknowledgements or missing packets.
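A way to check a captured conversation for exactly this pattern, as an added example that is not part of the original article: the packet list below is a constructed summary of what Wireshark shows for the two conversations above, and find_unanswered flags any client Q: request that the server only ACKs at TCP level without sending the matching R: reply within the client's read timeout (assumed to be 3 s here).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pkt:
    """One packet as summarised from a Wireshark/tshark view (constructed)."""
    t: float                        # capture time in seconds
    src: str
    dst: str
    flags: str                      # TCP flags, e.g. "PSH/ACK" or "ACK"
    tacacs: Optional[str] = None    # decoded TACACS+ type, None for a bare ACK


def find_unanswered(pkts: List[Pkt], client: str, server: str,
                    read_timeout: float = 3.0) -> List[dict]:
    """Flag client requests (Q:*) with no matching server reply (R:*)
    within read_timeout, noting whether the server at least ACKed them."""
    findings = []
    for i, p in enumerate(pkts):
        if p.src != client or p.dst != server or not (p.tacacs or "").startswith("Q:"):
            continue
        want = "R:" + p.tacacs[2:]          # Q:Authentication -> R:Authentication
        tcp_acked, replied = False, False
        for q in pkts[i + 1:]:
            if q.src != server or q.dst != client:
                continue
            if q.t - p.t > read_timeout:
                break                        # past the client's read timeout
            if q.tacacs == want:
                replied = True
                break
            if q.tacacs is None and "ACK" in q.flags:
                tcp_acked = True             # bare TCP ACK, no TACACS+ payload
        if not replied:
            findings.append({"t": p.t, "request": p.tacacs,
                             "expected": want, "tcp_acked": tcp_acked})
    return findings


# Constructed packets mirroring the normal and abnormal conversations (assumed timings).
CLIENT, SERVER = "172.27.14.78", "172.27.14.177"
CAPTURE = [
    Pkt(0.000, CLIENT, SERVER, "PSH/ACK", "Q:Authentication"),
    Pkt(0.012, SERVER, CLIENT, "PSH/ACK", "R:Authentication"),  # normal: reply follows directly
    Pkt(0.013, CLIENT, SERVER, "ACK"),
    Pkt(5.000, CLIENT, SERVER, "PSH/ACK", "Q:Accounting"),
    Pkt(5.004, SERVER, CLIENT, "ACK"),                           # abnormal: bare ACK only
    Pkt(9.000, CLIENT, SERVER, "ACK"),                           # nothing from server since
]

if __name__ == "__main__":
    for f in find_unanswered(CAPTURE, CLIENT, SERVER):
        print(f"{f['t']:.3f}s {f['request']}: no {f['expected']} within timeout"
              f" (TCP ACK seen: {f['tcp_acked']})")
```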