[SRX] A 15 second delay occurs before CLI prompt shows up

Article ID: KB34200 KB Last Updated: 07 Aug 2019 Version: 1.0
Summary:

After logging in to an SRX, there is a 15 second delay before the CLI prompt shows up. An error message related to tacplus is also logged in /var/log/messages. This can be resolved by removing tacplus accounting and authentication.

Symptoms:

After waiting about 15 seconds for the CLI prompt to show up, checking /var/log/messages returns the following:

    <38>1 2016-06-13T17:37:54.428Z SRX-HOSTNAME sshd 46617 - - Accepted keyboard-interactive/pam for srxadmin from 192.168.100.1 port 48610 ssh2
    <190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_AUTH_EVENT [junos@2636.1.1.1.2.39 username="remote" authentication-level="j-super-user"] Authenticated user 'remote' at permission level 'j-super-user'
    <190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_LOGIN_EVENT [junos@2636.1.1.1.2.39 username="srxadmin" class-name="j-super-user" local-peer="" pid="46622" ssh-connection="192.168.100.1 48610 10.1.16.155 22" client-mode="cli"] User 'srxadmin' login, class 'j-super-user' [46622], ssh-connection '192.168.100.1 48610 10.1.16.155 22', client-mode 'cli'
    <29>1 2016-06-13T17:38:15.200Z SRX-HOSTNAME mgd 46622 UI_TACPLUS_ERROR [junos@2636.1.1.1.2.39 error-message="connect: timed out"] TACACS+ failure: connect: timed out

The SRX has accounting enabled via tacplus:

    authentication-order [ radius tacplus ];
    radius-server {
        10.1.1.1 {
            port 1645;
            timeout 10;
            retry 2;
        }
        10.1.1.2 {
            port 1645;
            timeout 10;
            retry 2;
        }
    }
    tacplus-server {
        10.1.1.3 {
            port 49;
            timeout 10;
            single-connection;
        }
        10.1.1.4 {
            port 49;
            timeout 10;
            single-connection;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    10.1.1.3 {
                        port 49;
                        timeout 10;
                        single-connection;
                    }
                    10.1.1.4 {
                        port 49;
                        timeout 10;
                        single-connection;
                    }
                }
            }
        }
    }   

Cause:

This happens because the SRX has accounting enabled via tacplus servers, but the servers are not reachable.
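The correlation behind this diagnosis, as an added example that is not part of the original article: the sketch pairs each UI_LOGIN_EVENT with a later UI_TACPLUS_ERROR from the same mgd PID and reports the gap between them. The sample lines are abridged from the messages above plus one constructed login; pairing on the PID and the 5-second threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Abridged from the article's messages; the last line is constructed.
SAMPLE = """\
<190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_LOGIN_EVENT [junos@2636.1.1.1.2.39 username="srxadmin" class-name="j-super-user" pid="46622" client-mode="cli"] User 'srxadmin' login
<29>1 2016-06-13T17:38:15.200Z SRX-HOSTNAME mgd 46622 UI_TACPLUS_ERROR [junos@2636.1.1.1.2.39 error-message="connect: timed out"] TACACS+ failure: connect: timed out
<190>1 2016-06-13T17:40:02.010Z SRX-HOSTNAME mgd 46700 UI_LOGIN_EVENT [junos@2636.1.1.1.2.39 username="ops" class-name="j-operator" pid="46700" client-mode="cli"] User 'ops' login
"""

# <pri>1 timestamp host app pid msgid [structured-data | -] message
LINE = re.compile(r'^<\d+>1 (\S+) (\S+) (\S+) (\S+) (\S+) (?:\[(.*?)\]|-)\s?(.*)$')
PARAM = re.compile(r'([\w-]+)="([^"]*)"')


def parse(line):
    """Split one structured syslog line into its header fields and SD params."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, app, pid, msgid, sd, msg = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"),
            "host": host, "app": app, "pid": pid, "msgid": msgid,
            "sd": dict(PARAM.findall(sd or "")), "msg": msg}


def stalled_logins(text, min_gap=5.0):
    """Return logins followed by a TACACS+ error from the same mgd PID.

    min_gap (seconds) is an assumed threshold, not a Junos setting.
    """
    logins, findings = {}, []
    for rec in filter(None, map(parse, text.splitlines())):
        key = (rec["host"], rec["pid"])
        if rec["msgid"] == "UI_LOGIN_EVENT":
            logins[key] = rec
        elif rec["msgid"] == "UI_TACPLUS_ERROR" and key in logins:
            login = logins.pop(key)
            gap = (rec["time"] - login["time"]).total_seconds()
            if gap >= min_gap:
                findings.append({"user": login["sd"].get("username"),
                                 "pid": rec["pid"], "gap_s": round(gap, 3),
                                 "error": rec["sd"].get("error-message")})
    return findings


if __name__ == "__main__":
    for f in stalled_logins(SAMPLE):
        print(f)
```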

Solution:

Disable accounting via tacplus or make tacplus servers reachable.

Commands to remove tacplus accounting and authentication if the tacplus servers are no longer reachable:

    deactivate system tacplus-server
    deactivate system accounting
    delete system authentication-order tacplus
