@RobStruthers wrote:
I'm a non-Cisco expert using VIRL to test a TACACS+ server. I am creating a Cisco router inside VIRL, configuring it to use my TACACS+ server, then sending telnet login requests to the router to trigger the router into sending TACACS+ queries to my server-under-test (telnet connection accepted or not should match the TACACS+ configuration); if the connection is accepted, I then send some simple commands (e.g. "terminal length" or "show running config"), so I can check both authentication and authorisation. The purpose of the testing is to use a known good client (a Cisco router) to check the operation of our TACACS+ server.
As VIRL and the TACACS+ server are on different machines, I can use a network analyzer to check the traffic between them -- an independent observer. All network configuration is fixed, with static IP addresses and hard-wired routes, so there should be no DNS issues. The testing is scripted and is strictly serial: send a request, wait for as long as it takes for a reply, check/log the result, next test. Neither VIRL nor the TACACS+ server is doing any other work. Most of the time, all works fine.
The problem: sometimes, the VIRL router doesn't send a TACACS+ request; when this happens, the router acts as if the TACACS+ server said "no", which means some of my tests appear to have passed! Sometimes, after a few minutes, it will start again; other times, the non-communication continues for more than 2 hours. It seems most prevalent when VIRL is configured to use an XR-series router, very rare with Classic or XE models. And by "sometimes" I mean that it isn't the same place each time.
The VIRL host is a 12-core machine with 64 GB of RAM and plenty of disk space. In each case, the router configuration is as simple as possible. There is no significant network traffic -- I'm testing TACACS, not routing. Some Cisco-savvy customers of ours have looked at the configurations and can see no issues, but they use real Cisco routers, not VIRL.
Has anyone else seen a similar problem or have any suggestions? I would suspect the root cause is the TACACS+ server (which is why I'm testing it), but I don't see how this could cause the VIRL router to not attempt to open a connection to the TACACS+ server. My only thought is that either the router or VIRL has some limit (e.g. on the number of connections) and this is being exceeded.
I'd appreciate any help, thoughts or suggestions.
Posts: 3
Participants: 2
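The failure mode described in the post (router never sends a request, harness records a "no" that happens to match the expected "no", test is counted as passed) is a gap in the test harness rather than in the server. The script below is an added example, not the poster's harness or any Cisco or VIRL code: it correlates each scripted telnet test's time window with the TACACS+ packets the independent analyzer saw, decodes the 12-byte TACACS+ header (RFC 8907, section 4.1) to report which packet types were exchanged, and reports a separate NO_REQUEST verdict when no client packet was seen, so a silent router can never produce a pass. The router and server addresses, the captured packets and the test cases are constructed sample data (assumptions), and the packet records carry only the fields a tshark or pcap export would give.

```python
"""Correlate scripted telnet-login test outcomes with the TACACS+ traffic
seen by the independent network analyzer.

Added example, not the original poster's script. Assumptions, labelled:
  - ROUTER / SERVER, CAPTURE and TESTS are constructed sample data;
  - each Packet carries the fields a tshark/pcap export would provide.
"""
import struct
from dataclasses import dataclass

TACACS_PORT = 49

# RFC 8907 section 4.1: header field values
TYPE_NAMES = {1: "authen", 2: "author", 3: "acct"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_MAJOR_VER = 0xC


@dataclass
class TacacsHeader:
    major: int
    minor: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type, f"unknown({self.type})")

    @property
    def body_obfuscated(self) -> bool:
        # Flag bit 0 clear means the body is XOR-obfuscated with the shared secret.
        return not (self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_header(payload: bytes) -> TacacsHeader:
    """Decode the fixed 12-byte TACACS+ header (network byte order)."""
    if len(payload) < 12:
        raise ValueError("short TACACS+ packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", payload[:12])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unexpected major version {version >> 4:#x}")
    return TacacsHeader(version >> 4, version & 0xF, ptype, seq_no,
                        flags, session_id, length)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class TestCase:
    name: str
    start: float         # when the harness opened the telnet session
    end: float           # when the harness recorded the router's answer
    expect_accept: bool  # what the TACACS+ configuration says should happen
    got_accept: bool     # what the router actually did


def client_requests(capture, router, server, start, end):
    """TACACS+ packets from router to server inside the test's time window."""
    return [p for p in capture
            if p.src == router and p.dst == server
            and p.dport == TACACS_PORT and start <= p.ts <= end]


def classify(tc, capture, router, server):
    reqs = client_requests(capture, router, server, tc.start, tc.end)
    if not reqs:
        # The router never asked the server, so the outcome says nothing
        # about the server even when it matches the expectation.
        return {"name": tc.name, "verdict": "NO_REQUEST", "types": [], "issues": []}
    headers = [parse_header(p.payload) for p in reqs]
    issues = []
    if any(h.seq_no % 2 == 0 for h in headers):
        issues.append("even seq_no from client (client packets are odd)")
    if any(not h.body_obfuscated for h in headers):
        issues.append("unobfuscated body: shared secret not configured?")
    verdict = "PASS" if tc.got_accept == tc.expect_accept else "FAIL"
    return {"name": tc.name, "verdict": verdict,
            "types": sorted({h.type_name for h in headers}), "issues": issues}


def run_all(tests, capture, router, server):
    return [classify(tc, capture, router, server) for tc in tests]


def _tacacs(ptype, seq_no, flags, session_id, body_len=20):
    """Build a synthetic TACACS+ packet: real header, dummy (opaque) body."""
    hdr = struct.pack("!BBBBII", 0xC0, ptype, seq_no, flags, session_id, body_len)
    return hdr + b"\x00" * body_len


# Constructed sample data (assumption): one router, one server, three tests.
ROUTER, SERVER = "192.0.2.10", "192.0.2.49"
CAPTURE = [
    Packet(10.1, ROUTER, SERVER, 49, _tacacs(1, 1, 0x00, 0x11111111)),  # authen
    Packet(30.1, ROUTER, SERVER, 49, _tacacs(2, 1, 0x01, 0x22222222)),  # author, unobfuscated
]
TESTS = [
    TestCase("login-good-password", 10.0, 10.5, True, True),
    TestCase("login-bad-password", 20.0, 20.5, False, False),   # router stayed silent
    TestCase("authz-show-running", 30.0, 30.5, True, True),
]

if __name__ == "__main__":
    for r in run_all(TESTS, CAPTURE, ROUTER, SERVER):
        print(f"{r['name']:<22} {r['verdict']:<11} {r['types']} {r['issues']}")
```

In the constructed data the second test is the case from the post: the router rejected the login and the expectation was a rejection, but no packet to port 49 appeared in the window, so it is reported as NO_REQUEST rather than PASS. The header decode does not need the shared secret, because only the body is obfuscated; the seq_no parity and unencrypted-flag checks are cheap sanity checks on what the analyzer captured.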