2.0.31: strange udp and xtacacs problem...

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Ernest JW ter Kuile: "Re: Subject: Re: ext3 to include capabilities?"
• Previous message: George Bonser: "Re: NetGear troubles"

here a description of the problem.

I've a network with this topology:

___ Linux 2.0.31
| ___ modem 1
| dedicated line |
L |-cisco 2511 ------------- cisco 2511-|--- ...
A | dedicated line |___ modem n
N |-cisco 2511 ------------------ cisco2511
| |
|---cisco xxxx ---- |---- modem 1
| |____ modem n
|
internet

The dedicated line is a serial line.
The ciscos are connected to the LAN via ethernet and to dedicated line
with a serial port.

I use xtacacsd to auth the users on the cisco. The xtacacsd run on the
linux box. The guy who has setup the network did a privated network
between the ciscos the are on the same dedicated line. (a 192.168.1.xxx
network) while the ethernet have a valid internet ip :

I had to add static routes to the linux box, becouse xtacacsd works over
UDP and send the packets wich IP is the one of the serial interface,
which is a private address.

After some months a strange problem shows sometimes. One of the 2 ciscos
is unable to auth via xtacacs versus the linux box. Rebooting the
cisco doesn't solve the problem, while rebooting the linux box solves it.

The guy told me that seems that the linux boxes loose the wy to answer
back to the cisco, because the xtacacs client on the cisco times out.

The trouble is that the problem appear randomly, after some months
whithout any change. I've also tried to delete and add again the static
routes, but no luck. Also shutting down and rerunning the xtacacsd
deamon doen't work. The problem appear with only one of the two ciscos.

Here an example of a failed connection (from xtacacsd logs):

Apr 3 20:51:02 dns xtacacsd[433]: (1) main: request from 192.168.1.10
[192.168.
1.10]
Apr 3 20:51:02 dns xtacacsd[433]: new_process: Querytype 7 for 'liviano'
Apr 3 20:51:02 dns xtacacsd[433]: (2)xlogout: user liviano (uid 30682) @
192.16
8.1.10 (line tty1), Quit
Apr 3 20:51:02 dns xtacacsd[433]: STAT:xlogout:liviano:30682:-1 @
192.168.1.10:
line tty1:43404::Quit
Apr 3 20:51:02 dns xtacacsd[433]: uwtmp_entry: LOGOUT 'liviano'@tty1
192.168.1.
10, time= 923165462, comment= ' Quit'
Apr 3 20:51:03 dns xtacacsd[433]: (1) main: request from 192.168.1.10
[192.168.
1.10]
Apr 3 20:51:03 dns xtacacsd[433]: new_process: Querytype 1 for 'liviano'
Apr 3 20:51:03 dns xtacacsd[433]: xlogin: starting
Apr 3 20:51:03 dns xtacacsd[433]: xlogin: user 'liviano' @ 192.168.1.10
(line t
ty1)
Apr 3 20:51:03 dns xtacacsd[433]: authent_system: checking user="liviano"
Apr 3 20:51:03 dns xtacacsd[433]: authent_system: Password match failed
(real x
, query xxi51Jx58PRMc)
Apr 3 20:51:03 dns xtacacsd[433]: search_pwname: looking in shadow pwd
file
Apr 3 20:51:03 dns xtacacsd[433]: authent_system (shadow): expiredays =
-1
Apr 3 20:51:03 dns xtacacsd[433]: authent_system: Password matched
(jHj2g.Ssj.R
qs)
Apr 3 20:51:03 dns xtacacsd[433]: Checking expiration from pw shell
field
Apr 3 20:51:03 dns xtacacsd[433]: check_perm: User- liviano/GID-
102/Geco- Pens
ione Liviano, host- 192.168.1.10, req_type- 1
Apr 3 20:51:03 dns xtacacsd[433]: check_perm: checking with group- 101
host- al
l req_type- 255
Apr 3 20:51:03 dns xtacacsd[433]: check_perm: checking if user belongs to
group
101
Apr 3 20:51:03 dns xtacacsd[433]: check_perm: User belongs to 0 groups:
Apr 3 20:51:03 dns xtacacsd[433]: check_perm: checking with group- 102
host- al
l req_type- 255
Apr 3 20:51:03 dns xtacacsd[433]: Connessione Accettata, Utente non
presente
Apr 3 20:51:03 dns xtacacsd[433]: check_key: User 'liviano', matched
permission
line 'group 102' req 'all', doing action time
Apr 3 20:51:03 dns xtacacsd[433]: check_key: Richiesta permessa da
192.168.1.10
,ok limiti di tempo
Apr 3 20:51:03 dns xtacacsd[433]: uwtmp_entry: LOGIN 'liviano'@tty1
192.168.1.1
0, time= 923165463, comment= ' GID102'
Apr 3 20:51:03 dns xtacacsd[433]: utmp_entry: writing in erased utmp
entry
Apr 3 20:51:03 dns xtacacsd[433]: xlogin: query from 192.168.1.10 tty1
for livi
ano (Pensione L..) accepted (ACL 4)
Apr 3 20:51:03 dns xtacacsd[433]: STAT:xlogin:liviano:30343:102 @
192.168.1.10:
line tty1:43408:accepted:4
Apr 3 20:51:03 dns xtacacsd[433]: (2)xlogin: Sent response to client
Apr 3 20:51:03 dns xtacacsd[433]: xlogin: done
Apr 3 20:51:04 dns xtacacsd[433]: (1) main: request from 192.168.1.10
[192.168.
1.10]
Apr 3 20:51:04 dns xtacacsd[433]: new_process: Querytype 1 for 'liviano'
Apr 3 20:51:04 dns xtacacsd[433]: xlogin: starting
Apr 3 20:51:04 dns xtacacsd[433]: xlogin: user 'liviano' @ 192.168.1.10
(line t
ty1)
Apr 3 20:51:04 dns xtacacsd[433]: authent_system: checking user="liviano"
Apr 3 20:51:04 dns xtacacsd[433]: authent_system: Password match failed
(real x
, query xxi51Jx58PRMc)
Apr 3 20:51:04 dns xtacacsd[433]: search_pwname: looking in shadow pwd
file
Apr 3 20:51:04 dns xtacacsd[433]: authent_system (shadow): expiredays =
-1
Apr 3 20:51:04 dns xtacacsd[433]: authent_system: Password matched
(jHj2g.Ssj.R
qs)
Apr 3 20:51:04 dns xtacacsd[433]: Checking expiration from pw shell
field
Apr 3 20:51:04 dns xtacacsd[433]: check_perm: User- liviano/GID-
102/Geco- Pens
ione Liviano, host- 192.168.1.10, req_type- 1
Apr 3 20:51:04 dns xtacacsd[433]: check_perm: checking with group- 101
host- al
l req_type- 255
Apr 3 20:51:04 dns xtacacsd[433]: check_perm: checking if user belongs to
group
101
Apr 3 20:51:04 dns xtacacsd[433]: check_perm: User belongs to 0 groups:
Apr 3 20:51:04 dns xtacacsd[433]: check_perm: checking with group- 102
host- al
l req_type- 255
Apr 3 20:51:04 dns xtacacsd[433]: Connessione Accettata, Utente non
presente
Apr 3 20:51:04 dns xtacacsd[433]: check_key: User 'liviano', matched
permission
line 'group 102' req 'all', doing action time
Apr 3 20:51:04 dns xtacacsd[433]: check_key: Richiesta permessa da
192.168.1.10
,ok limiti di tempo
Apr 3 20:51:04 dns xtacacsd[433]: uwtmp_entry: LOGIN 'liviano'@tty1
192.168.1.1
0, time= 923165464, comment= ' GID102'
Apr 3 20:51:04 dns xtacacsd[433]: utmp_entry: overwriting existing entry
for li
viano on tty1@192.168.1.10
Apr 3 20:51:04 dns xtacacsd[433]: xlogin: query from 192.168.1.10 tty1
for livi
ano (Pensione L..) accepted (ACL 4)
Apr 3 20:51:04 dns xtacacsd[433]: STAT:xlogin:liviano:30343:102 @
192.168.1.10:
line tty1:43408:accepted:4
Apr 3 20:51:04 dns xtacacsd[433]: (2)xlogin: Sent response to client
Apr 3 20:51:04 dns xtacacsd[433]: xlogin: done

( As you can see, it does a similar thing twice)
Here after 6 seconds:

Apr 3 20:51:10 dns xtacacsd[433]: (1) main: request from 192.168.1.10
[192.168.
1.10]
Apr 3 20:51:10 dns xtacacsd[433]: new_process: Querytype 7 for 'liviano'
Apr 3 20:51:10 dns xtacacsd[433]: (2)xlogout: user liviano (uid 30682) @
192.16
8.1.10 (line tty1), Quit
Apr 3 20:51:10 dns xtacacsd[433]: STAT:xlogout:liviano:30682:-1 @
192.168.1.10:
line tty1:43404::Quit
Apr 3 20:51:10 dns xtacacsd[433]: uwtmp_entry: LOGOUT 'liviano'@tty1
192.168.1.
10, time= 923165470, comment= ' Quit'
Apr 3 20:51:10 dns xtacacsd[433]: utmp_entry: deleting 192.168.1.10
liviano tty1

And he cannot connect.

Can someone give me an hint? :)

Yuri

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Ernest JW ter Kuile: "Re: Subject: Re: ext3 to include capabilities?"
• Previous message: George Bonser: "Re: NetGear troubles"