[Lesson Learned] Nexus & ISE TACACS+ Issue
Problem:
A problem occurred when configuring TACACS services for a Nexus 7k device with ISE as the TACACS server.
The configuration had already been done by following this document.
When attempting to configure any TACACS command, this error message appeared:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
Problem Verification:
- The error “Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)” appears every time we change a command on the CLI
- The configuration cannot be saved to the switch
Additional Information
- Authorization was configured with ISE, and no fall-back was configured on the non-working switch; however, another switch that was working had fall-back configured for authorization.
- Checked the ISE logs and authorization was succeeding.
Troubleshooting Process
- Run several show commands on the switches to check the RAID status info
- Back up all VDCs' configs via tftp
- Reload switches
Detailed Solution
- Run several show commands on the switch
    N7k2-DS_02# show system internal raid | grep -A 1 "Current RAID status info"
    Current RAID status info:
    RAID data from CMOS = 0xa5 0xc3
    N7k2-DS_02#
  0xc3 indicates that both primary and secondary have failed.
  The only way to recover from this situation is to back up the configuration and reload the whole chassis.
  Resolution:
  Copy the running config to an FTP or USB. Please take a backup from all the VDCs and then reload the chassis. Scenario matches Scenario B.
- TAC suggested reloading the switch as a workaround and upgrading the OS to 6.2.16, which is recommended.
- Back up all configuration on all VDCs of the switches, including show vlan brief and show run, to tftp
    N7k2-CS_02# copy run tftp:
    Enter destination filename: [N7k2-CS_02-running-config]
    Enter vrf (If no input, current vrf 'default' is considered):
    Enter hostname for the tftp server: 192.168.1.212
    Trying to connect to tftp server......
    Connection to Server Established.
    TFTP put operation was successful
    Copy complete.
- Reload the switches
Notes:
There is a chance that the config on all VDCs is erased, so it’s best practice to save all VDC configs to a tftp server
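
The RAID check above can be run over saved CLI transcripts from several switches to spot the same condition before it blocks configuration changes. This is an added example, not from the original post or from Cisco: the `triage` helper and the second sample switch are hypothetical, and the meanings for status bytes other than 0xc3 are taken from Cisco's compact flash failure guidance rather than from this page.

```python
import re

# Second CMOS byte = RAID status. 0xc3 is the value from this page; the other
# three are taken from Cisco's compact flash failure guidance (assumption here).
RAID_STATUS = {
    0xF0: "no failure reported",
    0xE1: "primary flash failed",
    0xD2: "secondary (mirror) flash failed",
    0xC3: "both primary and secondary flash failed",
}
PROMPT_RE = re.compile(r"^([\w.-]+)# ", re.M)
RAID_RE = re.compile(r"RAID data from CMOS\s*=\s*0x[0-9a-f]{2}\s+0x([0-9a-f]{2})", re.I)
AAA_RE = re.compile(r"AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17\(0x11\)")


def triage(transcript):
    """Summarise one captured CLI transcript (hypothetical helper)."""
    host = PROMPT_RE.search(transcript)
    raid = RAID_RE.search(transcript)
    status = int(raid.group(1), 16) if raid else None
    return {
        "host": host.group(1) if host else "unknown",
        "raid_status": status,
        "meaning": RAID_STATUS.get(status, "status not captured or unrecognised"),
        "aaa_error_seen": bool(AAA_RE.search(transcript)),
        # The page's resolution (back up every VDC, then reload) applies to 0xc3.
        "backup_and_reload": status == 0xC3,
    }


# Constructed transcripts: the first reuses the output shown on this page, the
# second is an invented healthy switch for contrast.
SAMPLES = [
    'N7k2-DS_02# show system internal raid | grep -A 1 "Current RAID status info"\n'
    "Current RAID status info:\n"
    "RAID data from CMOS = 0xa5 0xc3\n"
    "N7k2-DS_02# configure terminal\n"
    "Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)\n",
    'N7k-LAB_01# show system internal raid | grep -A 1 "Current RAID status info"\n'
    "Current RAID status info:\n"
    "RAID data from CMOS = 0xa5 0xf0\n"
    "N7k-LAB_01#\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```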