VRocha_96564
Aug 05, 2010
Configuring LTM to authenticate using two TACACS+ servers
Hi Techies!
I've set up a Big-IP running the latest code, 10.2, to authenticate the administrative users via TACACS+. Everything works fine when I configure just one TACACS+ server, but when I add the second server, I notice a weird behavior. If, for some reason, the first configured server goes down, and a user tries accessing the Big-IP (from either SSH or HTTPS), the Big-IP takes more than 3 minutes trying to establish a TCP session with the first server before noticing that it is down and opening the session with the second server. As a result, if the user is accessing the box through the web browser, he or she will have to wait over 3 minutes to get access. If the user tries SSH, he or she doesn't even get success, once the SSH connection times out before receiving the authentication. In this case, both the users and the servers are connected to the management port.
One more piece of information. If the service (TACACS+) is not running on the server, but the server itself is up (Ethernet port is up), then, when it receives the TCP SYN packet coming from the Big-IP it gives back a TCP RST, and in this case the Big-IP tries the second server immediately. So the problem can be seen only when the first server is disconnected or unresponsive.
So, I would like to know if there is a way to speed up this process. In other words, if there is a way to configure a timeout for the first server to be tried, as well as the number of retries, so that the Big IP can establish the connection with the second server quickly in case of fault in the first server.
Thanks a lot!
VR
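The two failure modes described in the post (a TCP RST from a host with no TACACS+ listener versus silence from a disconnected host) can be told apart from any management host with a bounded-timeout TCP probe. This is an added example, not part of the original post and not F5 code; the function names, the timeout values and the loopback demo are assumptions.

```python
import socket
import time

TACACS_PORT = 49  # TACACS+ listens on TCP/49


def probe(host, port=TACACS_PORT, timeout=3.0):
    """Classify one server by how its TCP handshake ends; return (state, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "refused"        # RST came back: host up, no listener
    except (socket.timeout, TimeoutError):
        state = "unresponsive"   # SYN unanswered: host down or filtered
    except OSError:
        state = "unreachable"    # e.g. no route to host
    return state, time.monotonic() - start


def first_usable(servers, timeout=3.0):
    """Try servers in configured order; return (chosen or None, report)."""
    report = []
    for host, port in servers:
        state, elapsed = probe(host, port, timeout)
        report.append((host, port, state, round(elapsed, 2)))
        if state == "open":
            return (host, port), report
    return None, report


if __name__ == "__main__":
    # Constructed loopback demo: a closed port stands in for the server whose
    # service is stopped, a listening socket for the healthy second server.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    servers = [("127.0.0.1", closed_port), listener.getsockname()]
    chosen, report = first_usable(servers, timeout=2.0)
    for row in report:
        print(row)
    print("chosen:", chosen)
    listener.close()
```

Run against the real server list in configured order, an "unresponsive" result for the first entry identifies the case where the client has to wait out its own connect retries before moving on.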
