[SRX] A 15 second delay occurs before CLI prompt shows up

  [KB34200]


Summary:

After logging in to an SRX, there is a 15-second delay before the CLI prompt shows up. An error message related to tacplus is also seen in /var/log/messages. This can be resolved by removing tacplus accounting and authentication.

Symptoms:

After waiting about 15 seconds for the CLI prompt to show up, /var/log/messages shows the following:

<38>1 2016-06-13T17:37:54.428Z SRX-HOSTNAME sshd 46617 - - Accepted keyboard-interactive/pam for srxadmin from 192.168.100.1 port 48610 ssh2
<190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_AUTH_EVENT [junos@2636.1.1.1.2.39 username="remote" authentication-level="j-super-user"] Authenticated user 'remote' at permission level 'j-super-user'
<190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_LOGIN_EVENT [junos@2636.1.1.1.2.39 username="srxadmin" class-name="j-super-user" local-peer="" pid="46622" ssh-connection="192.168.100.1 48610 10.1.16.155 22" client-mode="cli"] User 'srxadmin' login, class 'j-super-user' [46622], ssh-connection '192.168.100.1 48610 10.1.16.155 22', client-mode 'cli'
<29>1 2016-06-13T17:38:15.200Z SRX-HOSTNAME mgd 46622 UI_TACPLUS_ERROR [junos@2636.1.1.1.2.39 error-message="connect: timed out"] TACACS+ failure: connect: timed out

The SRX has accounting enabled via tacplus:

    authentication-order [ radius tacplus ];
    radius-server {
        10.1.1.1 {
            port 1645;
            timeout 10;
            retry 2;
        }
        10.1.1.2 {
            port 1645;
            timeout 10;
            retry 2;
        }
    }
    tacplus-server {
        10.1.1.3 {
            port 49;
            timeout 10;
            single-connection;
        }
        10.1.1.4 {
            port 49;
            timeout 10;
            single-connection;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    10.1.1.3 {
                        port 49;
                        timeout 10;
                        single-connection;
                    }
                    10.1.1.4 {
                        port 49;
                        timeout 10;
                        single-connection;
                    }
                }
            }
        }
    }   

Cause:

The SRX has accounting enabled via tacplus servers, but those servers are not reachable.

Solution:

Disable accounting via tacplus, or make the tacplus servers reachable.

Commands to remove tacplus accounting and authentication if the tacplus servers are no longer reachable:

    deactivate system tacplus-server
    deactivate system accounting
    delete system authentication-order tacplus
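To check collected logs for other sessions hit by the same timeout, the following added example (not part of the original article) pairs each UI_LOGIN_EVENT with a later UI_TACPLUS_ERROR from the same mgd process ID and reports the time between the two messages. The names `tacplus_login_stalls`, `field` and the `min_gap` threshold are assumptions made for this example; the sample input is the four messages shown under Symptoms.

```python
import re
from datetime import datetime

# Sample input: the four messages shown under Symptoms in this article.
SAMPLE = """\
<38>1 2016-06-13T17:37:54.428Z SRX-HOSTNAME sshd 46617 - - Accepted keyboard-interactive/pam for srxadmin from 192.168.100.1 port 48610 ssh2
<190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_AUTH_EVENT [junos@2636.1.1.1.2.39 username="remote" authentication-level="j-super-user"] Authenticated user 'remote' at permission level 'j-super-user'
<190>1 2016-06-13T17:37:55.195Z SRX-HOSTNAME mgd 46622 UI_LOGIN_EVENT [junos@2636.1.1.1.2.39 username="srxadmin" class-name="j-super-user" local-peer="" pid="46622" ssh-connection="192.168.100.1 48610 10.1.16.155 22" client-mode="cli"] User 'srxadmin' login, class 'j-super-user' [46622], ssh-connection '192.168.100.1 48610 10.1.16.155 22', client-mode 'cli'
<29>1 2016-06-13T17:38:15.200Z SRX-HOSTNAME mgd 46622 UI_TACPLUS_ERROR [junos@2636.1.1.1.2.39 error-message="connect: timed out"] TACACS+ failure: connect: timed out
""".splitlines()

# Layout of each line: <pri>version timestamp hostname app procid msgid rest
LINE = re.compile(r'^<\d+>1 (\S+) (\S+) (\S+) (\d+) (\S+) (.*)$')

def field(rest, name):
    """Return the value of name="value" in the structured-data part, or ""."""
    m = re.search(rf'\b{re.escape(name)}="([^"]*)"', rest)
    return m.group(1) if m else ""

def tacplus_login_stalls(lines, min_gap=5.0):
    """Return (host, user, pid, seconds, error) for each CLI login whose mgd
    process later logged UI_TACPLUS_ERROR at least min_gap seconds afterwards.
    min_gap is an assumed threshold for this example, not a Junos setting."""
    logins = {}   # (host, pid) -> (login time, username)
    stalls = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(3) != "mgd":
            continue  # only mgd messages carry the UI_* events
        ts, host, _app, pid, msgid, rest = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        key = (host, pid)
        if msgid == "UI_LOGIN_EVENT":
            logins[key] = (when, field(rest, "username"))
        elif msgid == "UI_TACPLUS_ERROR" and key in logins:
            start, user = logins.pop(key)
            gap = (when - start).total_seconds()
            if gap >= min_gap:
                stalls.append((host, user, int(pid), round(gap, 3),
                               field(rest, "error-message")))
    return stalls

if __name__ == "__main__":
    for host, user, pid, gap, err in tacplus_login_stalls(SAMPLE):
        print(f"{host}: login by {user} (mgd pid {pid}), TACACS+ error after {gap}s: {err}")
```

Matching on the mgd process ID keeps concurrent sessions from different users apart, since each CLI session logs under its own mgd PID.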
