...
When a device [switch/router/...] is running IOS-XE release 17.04.01 or earlier and has an aaa server group configuration block referencing a VRF to provide connectivity to a TACACS+ or RADIUS server outside of the global routing table, and this VRF is configured using the ip vrf syntax, that configuration will be rejected upon upgrade to 17.05.01 or a later release. This will result in the loss of connectivity to the affected TACACS+ or RADIUS server unless it is also reachable within the global routing table. The following messages will be seen on the console upon bootup [depending on whether IPv4 or IPv6 connectivity towards the TACACS+ or RADIUS server is used]:

    IPv4 Table-id not existing for tacacs sg VRF, config may fail
    IPv6 table-id not existing for tacacs sg VRF, config may fail
    IPv4 Tableid not existing for radius sg VRF, config may fail
    IPv6 Tableid not existing for radius sg VRF config may fail
- device is running IOS-XE release 17.04.01 or earlier
- aaa server group configured for RADIUS or TACACS+ servers is using a VRF to provide connectivity to the server(s)
- VRF is configured using the ip vrf syntax

If these conditions are met, and the device is upgraded to 17.05.01 or a later release, the VRF configuration under the aaa group server configuration block will be rejected. This will result in the loss of connectivity to the affected TACACS+ or RADIUS server unless it is also reachable within the global routing table.
Convert the VRF configuration from the ip vrf syntax to the vrf definition syntax using one of the following commands:

    vrf upgrade-cli multi-af-mode non-common-policies vrf

or

    vrf upgrade-cli multi-af-mode common-policies vrf
A sample of the problematic configuration could look like this:

    !
    aaa new-model
    aaa group server radius
     server-private key
     ip vrf forwarding
    aaa group server tacacs+
     server-private key
     ip vrf forwarding
    !
    ip vrf VRF_NAME
    !

This configuration has been accepted and works fine in IOS-XE releases up to 17.04.01. Starting from the 17.05.01 release, additional validation of the supplied VRF is performed in the AAA code, and if the VRF referenced within the aaa group server configuration block does not exist, the line is rejected. The reason for this rejection upon bootup is that a VRF configured using the ip vrf syntax is located below the aaa group server configuration block in the configuration, so at the time the AAA code validates the supplied VRF, that VRF has not been created yet.
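A pre-upgrade check that covers the conditions above and the workaround: it parses a running-config excerpt, finds every aaa group server block that references a VRF with ip vrf forwarding, and reports whether that VRF is defined with the legacy ip vrf syntax (at risk after upgrade), with vrf definition (safe), or not at all (already rejected). This is an added example and not Cisco code; the sample configuration, group names, addresses and keys are constructed placeholders, and the choice of the common-policies form of vrf upgrade-cli in the remediation output is an assumption (the non-common-policies form may be the right one for a given VRF).

```python
"""Pre-upgrade audit for aaa group server blocks that reference a VRF.

Added example, not Cisco code. Flags VRFs still defined with the legacy
'ip vrf NAME' syntax, which the AAA VRF validation in IOS-XE 17.05.01+
will not accept when the VRF is created later in the configuration.
"""
import re

# Constructed sample running-config excerpt. Group names, addresses and
# keys are placeholders (RFC 5737 documentation addresses), not real data.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa group server radius RAD-MGMT
 server-private 192.0.2.10 key 0 EXAMPLE-KEY
 ip vrf forwarding MGMT
aaa group server tacacs+ TAC-MGMT
 server-private 192.0.2.20 key 0 EXAMPLE-KEY
 ip vrf forwarding MGMT
aaa group server tacacs+ TAC-OOB
 server-private 198.51.100.5 key 0 EXAMPLE-KEY
 ip vrf forwarding OOB
aaa group server radius RAD-TYPO
 server-private 198.51.100.9 key 0 EXAMPLE-KEY
 ip vrf forwarding MGM
aaa group server radius RAD-GLOBAL
 server-private 203.0.113.7 key 0 EXAMPLE-KEY
!
ip vrf MGMT
 rd 65000:1
!
vrf definition OOB
 rd 65000:2
 address-family ipv4
 exit-address-family
!
"""

AAA_GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")
LEGACY_VRF_RE = re.compile(r"^ip vrf (\S+)$")          # legacy 'ip vrf NAME'
VRF_DEF_RE = re.compile(r"^vrf definition (\S+)$")     # 'vrf definition NAME'
VRF_FWD_RE = re.compile(r"^ip vrf forwarding (\S+)$")  # inside the aaa group block


def audit_aaa_vrf(config_text):
    """Return one (group, protocol, vrf, status) tuple per aaa group server block.

    status is 'legacy-ip-vrf' (will be rejected after upgrade), 'vrf-definition'
    (accepted), 'undefined' (VRF never created) or 'global' (no VRF used).
    """
    groups = []           # [name, protocol, vrf] in configuration order
    legacy_vrfs = set()   # names created with 'ip vrf'
    defined_vrfs = set()  # names created with 'vrf definition'
    current = None        # index into groups while inside an aaa group block

    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            # Top-level command: closes any open aaa group block.
            current = None
            line = raw.rstrip()
            m = AAA_GROUP_RE.match(line)
            if m:
                groups.append([m.group(2), m.group(1), None])
                current = len(groups) - 1
            elif (m := LEGACY_VRF_RE.match(line)):
                legacy_vrfs.add(m.group(1))
            elif (m := VRF_DEF_RE.match(line)):
                defined_vrfs.add(m.group(1))
            continue
        if current is not None:
            # Sub-mode line of an aaa group server block.
            m = VRF_FWD_RE.match(raw.strip())
            if m:
                groups[current][2] = m.group(1)

    findings = []
    for name, proto, vrf in groups:
        if vrf is None:
            status = "global"
        elif vrf in defined_vrfs:
            status = "vrf-definition"
        elif vrf in legacy_vrfs:
            status = "legacy-ip-vrf"
        else:
            status = "undefined"
        findings.append((name, proto, vrf, status))
    return findings


def remediation_commands(findings):
    """vrf upgrade-cli lines for each legacy VRF, deduplicated, in config order.

    Assumption: the common-policies form is emitted; use non-common-policies
    where the VRF's policies must stay per-address-family.
    """
    cmds = []
    for _name, _proto, vrf, status in findings:
        cmd = f"vrf upgrade-cli multi-af-mode common-policies vrf {vrf}"
        if status == "legacy-ip-vrf" and cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    results = audit_aaa_vrf(SAMPLE_CONFIG)
    for name, proto, vrf, status in results:
        print(f"{proto:8} {name:12} vrf={vrf!s:6} {status}")
    for cmd in remediation_commands(results):
        print("remediate before upgrade:", cmd)
```

Run it against the output of show running-config saved to a file; RAD-MGMT and TAC-MGMT come back as legacy-ip-vrf (the case this notice describes), TAC-OOB as vrf-definition, RAD-TYPO as undefined, and RAD-GLOBAL as unaffected, with a single vrf upgrade-cli line for MGMT as the pre-upgrade remediation.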