F5 & TACACS communication

Question

Hello Community,I am currently working to find RCA for an issue in which during Datacentre fail-over testing, we unable to to login to F5 and assuming their is communication issue between F5 and TACACS Server, and I have a few questions regarding how the authentication process works and how failover occurs when the primary TACACS server is unavailable. Here are my questions:Packet Exchange:How does TACACS function at the packet level when F5 sends authentication requests? What types of packets are exchanged between F5 and the TACACS server during authentication?Failover to Secondary TACACS Server:When the primary TACACS server is down or unreachable, how does F5 detect this and automatically send authentication requests to the secondary TACACS server? What type of packets and log entries should we see on the F5 side when this occurs?Timeout and Retry Behavior:How many retry attempts does F5 make before switching to the secondary TACACS server? How long does F5 wait before retrying, and is this configurable?I would appreciate any insights, best practices, or references to relevant documentation that can help clarify these points. Even packet capture also helps as this is not feasible for me to reproduce issue.Thanks in advance for your help!&nbsp;Best regards,Pradeep

f51 · Answer

Hello Predator,Let's break down each of your questions:Packet Exchange:TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol used for authentication, authorization, and accounting (AAA) services. Here’s a simplified overview of how it functions at the packet level when F5 sends authentication requests:Initial Request: F5 sends an authentication request to the TACACS+ server. This request is typically encapsulated in a TCP packet, as TACACS+ operates over TCP port 49.Authentication Start: The packet includes an authentication start message, which contains the username and other relevant information.Authentication Continue: The TACACS+ server responds with an authentication continue message, possibly requesting additional information such as a password or multi-factor authentication token.Authentication Reply: Once all required information is provided, the TACACS+ server sends an authentication reply message indicating success or failure.The packets exchanged are TCP packets with specific TACACS+ headers and payloads.Failover to Secondary TACACS Server:When the primary TACACS+ server is down or unreachable, F5 can failover to a secondary TACACS+ server. The process typically involves these steps:Detection: F5 detects the primary server is down based on timeout and retry logic. This involves:Sending a request to the primary server.Waiting for a response within a configured timeout period.Retries the request a specified number of times if no response is received.Failover: After exhausting the retry attempts, F5 sends the authentication request to the secondary TACACS+ server.As for the type of packets and log entries:You would see multiple&nbsp;TCP SYN&nbsp;packets sent to the primary server without an acknowledgment (ACK).Eventually, you would see&nbsp;TCP SYN&nbsp;packets directed to the secondary server.Log entries on the F5 device would indicate the failure to communicate with the primary server and the subsequent attempt to reach the secondary server.Timeout and Retry Behavior:The timeout and retry behavior can be configured on the F5 device. Here are the typical parameters and their default values (which can vary depending on the specific F5 configuration and software version):Retry Attempts: The number of retry attempts F5 makes before switching to the secondary server is configurable. A common default value is 3 attempts.Timeout Period: The time F5 waits for a response before retrying can also be configured. A common default value is 5 seconds.These settings are typically found in the AAA or TACACS+ configuration section of the F5 management interface.Check below articleshttps://my.f5.com/manage/s/article/K000130266&nbsp;https://my.f5.com/manage/s/article/K8811#:~:text=F5's%20portfolio%20of%20automation%2C%20security,All%20Rights%20Reserved&nbsp;If you are using APMhttps://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-access-policy-manager-authentication-and-single-sign-on-14-0-0/tacacs-authentication-and-accounting.html&nbsp;

Forum Discussion

F5 & TACACS communication

Packet Exchange:

Failover to Secondary TACACS Server:

Timeout and Retry Behavior:

Recent Discussions

BIG-IQ REST - Is it possible to expandSubcollections=true

How to avoid conflicts in bigiq by keeping each BIGIP separately.

bigip version 17

CPU high load during specific time periods

R2600 device and tenant/partition configuration

Related Content

Communication between DMZ & Internal devices

F5 log: TACACS errors - wrong session ID in response

HTTPS communication and client and server ssl profile

F5 APM Same leasepool communication

Info on Tacacs+ configuration required on F5 and Tacacs+ server

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS