...
Even though the TACACS+ servers are reachable and correctly configured, users are sometimes unable to authenticate. Logs report that all servers are unreachable:
%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
1. The servers can be pinged, but the switch is unable to authenticate with the AAA servers.
2. This issue might be seen by users who have enabled server monitoring by configuring idle/dead times of 1 or multiples of 5 minutes.
This has been observed on Nexus 7K running 5.2(3a), but is also applicable to the MDS and Nexus 5k and 3k platforms. This bug is fixed on the 5k platform in release 6.0(2)N1(1) and later, and for Nexus 3k in 7.0(3)I6(1).
1. Do not enable idle/dead server monitoring, either globally or in a group. Example:
(config)# no tacacs-server deadtime x
(config)# no tacacs-server test username xxx password xxxx idle-time x
(config)# aaa group server tacacs+ xxx
  no deadtime x
2. test aaa server tacacs+ x.x.x.x will bring the server back to alive.
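An added example, not part of the original bug note or any Cisco tooling: a Python check that scans a saved running-config for the three monitoring settings named in the workaround (global deadtime, global test idle-time, per-group deadtime). The sample config, group names and addresses are constructed for illustration.

```python
import re

# Constructed sample of an NX-OS running-config excerpt (not from the page).
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server deadtime 5
tacacs-server test username probe password placeholder idle-time 5
tacacs-server host 192.0.2.10
aaa group server tacacs+ TACGRP
  server 192.0.2.10
  deadtime 10
  use-vrf management
aaa group server radius RADGRP
  deadtime 5
"""

GLOBAL_DEADTIME = re.compile(r"^tacacs-server deadtime (\d+)")
GLOBAL_TEST = re.compile(r"^tacacs-server test\b.*\bidle-time (\d+)")
GROUP_START = re.compile(r"^aaa group server tacacs\+ (\S+)")
GROUP_DEADTIME = re.compile(r"^\s+deadtime (\d+)")


def find_monitoring_settings(config_text):
    """Return (line_no, scope, setting, minutes) for each TACACS+ monitoring line."""
    findings = []
    group = None  # name of the TACACS+ group block we are inside, if any
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            # A top-level line closes any open group block.
            m = GROUP_START.match(line)
            group = m.group(1) if m else None
            if (m := GLOBAL_DEADTIME.match(line)):
                findings.append((line_no, "global", "deadtime", int(m.group(1))))
            elif (m := GLOBAL_TEST.match(line)):
                findings.append((line_no, "global", "idle-time", int(m.group(1))))
        elif group and (m := GROUP_DEADTIME.match(line)):
            findings.append((line_no, f"group {group}", "deadtime", int(m.group(1))))
    return findings


if __name__ == "__main__":
    for line_no, scope, setting, minutes in find_monitoring_settings(SAMPLE_CONFIG):
        print(f"line {line_no}: {scope} {setting} {minutes} -> remove per workaround")
```

The RADIUS group's deadtime is deliberately not reported, since the workaround only concerns TACACS+ server monitoring.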