For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Predator21's avatar
Predator21
Icon for Nimbostratus rankNimbostratus
Jan 21, 2025

F5 & TACACS communication

Hello Community, I am currently working to find RCA for an issue in which during Datacentre fail-over testing, we unable to to login to F5 and assuming their is communication issue between F5 and TA...
authentication
f5
security
tacacs
VGF5's avatar
VGF5
Icon for Cumulonimbus rankCumulonimbus
Jan 21, 2025

Hello Predator,

Let's break down each of your questions:

Packet Exchange:

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol used for authentication, authorization, and accounting (AAA) services. Here’s a simplified overview of how it functions at the packet level when F5 sends authentication requests:

  1. Initial Request: F5 sends an authentication request to the TACACS+ server. This request is typically encapsulated in a TCP packet, as TACACS+ operates over TCP port 49.
  2. Authentication Start: The packet includes an authentication start message, which contains the username and other relevant information.
  3. Authentication Continue: The TACACS+ server responds with an authentication continue message, possibly requesting additional information such as a password or multi-factor authentication token.
  4. Authentication Reply: Once all required information is provided, the TACACS+ server sends an authentication reply message indicating success or failure.

The packets exchanged are TCP packets with specific TACACS+ headers and payloads.

Failover to Secondary TACACS Server:

When the primary TACACS+ server is down or unreachable, F5 can failover to a secondary TACACS+ server. The process typically involves these steps:

  1. Detection: F5 detects the primary server is down based on timeout and retry logic. This involves:
    • Sending a request to the primary server.
    • Waiting for a response within a configured timeout period.
    • Retries the request a specified number of times if no response is received.
  2. Failover: After exhausting the retry attempts, F5 sends the authentication request to the secondary TACACS+ server.

As for the type of packets and log entries:

  • You would see multiple TCP SYN packets sent to the primary server without an acknowledgment (ACK).
  • Eventually, you would see TCP SYN packets directed to the secondary server.
  • Log entries on the F5 device would indicate the failure to communicate with the primary server and the subsequent attempt to reach the secondary server.

Timeout and Retry Behavior:

The timeout and retry behavior can be configured on the F5 device. Here are the typical parameters and their default values (which can vary depending on the specific F5 configuration and software version):

  1. Retry Attempts: The number of retry attempts F5 makes before switching to the secondary server is configurable. A common default value is 3 attempts.
  2. Timeout Period: The time F5 waits for a response before retrying can also be configured. A common default value is 5 seconds.

These settings are typically found in the AAA or TACACS+ configuration section of the F5 management interface.

Check below articles
https://my.f5.com/manage/s/article/K000130266 
https://my.f5.com/manage/s/article/K8811#:~:text=F5's%20portfolio%20of%20automation%2C%20security,All%20Rights%20Reserved 

If you are using APM
https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-access-policy-manager-authentication-and-single-sign-on-14-0-0/tacacs-authentication-and-accounting.html