The syslog messages can be caused by the device not getting PSH/Acknowledgements from a TACACS server after a TACACS accounting message (such as Missing “R : Authentication”, “R : Accounting” messages) is sent.
The following is seen in the messages log even though there is not a problem pinging the server (Server is reachable) and other nodes do not have any messages logged:
MX960 mgd[9411]: UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out MX960 mgd[8677]: UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out MX960 mgd[9531]: UI_TACPLUS_ERROR: TACACS+ failure: Network read timed out
PUH/ACK is not coming to the client from the TACACS server.
To trigger the issue, set an input firewall filter to discard (not receive) the TCP PUH/ACK packets coming from the TACACS server:
jun@MX960_MODEL1# show
interfaces {
fxp0 {
unit 0 {
family inet {
filter {
input PROTECHOST;
}
address 172.27.14.78/24;
}
}
}
}
firewall {
filter PROTECHOST {
term Rate_Limit {
from {
destination-address {
172.27.14.78/32;
}
protocol tcp;
tcp-flags 0x18; <---PUH/ACK
}
then {
count TCP_Conection;
discard;
}
}
term 10 {
then accept;
}
}
Cisco TACACS server works abnormally on the TCP flow.
Normal TACACS TCP conversation:
172.27.14.78 = TACACS client
172.27.14.177 = TACACS server (Cisco ACS)
Notice the “TACACS+ Q:Authentication” is followed by “TACACS+ R:Authentication” with nothing in between.
Abnormal TACACS TCP conversation:
61.78.42.172 = client
203.236.108.138 = TACACS server (Cisco ACS)
After the client sends “TACACS+ Q:Authentication”, the server sends back a TCP ACK message on it. The server must send “TACACS+ R: Authentication”. The client(=61.78.42.172) waits for “R:Authentication” from TACACS server. (It’s the same as not receiving “R : Accounting”).
As a result, the client did not receive an “R_Authentication” message and logs the “Network read timed out” message.
Analyze the conversation in Wireshark to verify there are no abnormalities such as a failure to receive acknowledgements or missing packets.