Re: Cisco 3560 switch has a ghost in it...keeps trying to auth

Any TCL scripts happen to be running on background or something?

A.

On 8 October 2010 10:33, Brad Ellis <brad_at_ccbootcamp.com> wrote:

> It's actually happening on two 3560s, and only those... console port
> looks okay:
>
> (from one of them)
>
> C3560G-24PS #sh line con 0
> Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
> Int
> 0 CTY - - - - - 0 154 0/0
> -
>
> Line 0, Location: "", Type: ""
> Length: 24 lines, Width: 80 columns
> Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
> Status: Ready, 0x40000
> Capabilities: none
> Modem state: Ready
> Special Chars: Escape Hold Stop Start Disconnect Activation
> ^^x none - - none
> Timeouts: Idle EXEC Idle Session Modem Answer Session
> Dispatch
> never never none not
> set
> Idle Session Disconnect Warning
> never
> Login-sequence User Response
> 00:00:30
> Autoselect Initial Wait
> not set
> Modem type is unknown.
> Session limit is not set.
> Time since activation: never
> Editing is enabled.
> History is enabled, history size is 10.
> DNS resolution in show commands is enabled
> Full user help is disabled
> Allowed input transports are none.
> Allowed output transports are telnet.
> Preferred transport is telnet.
> No output characters are padded
> No special data dispatching characters
>
> It's happening on two out of 80 something switches...very weird.
>
> Both devices have the same config as about 100 other 3560s...the mystery
> continues! :)
>
> thanks,
> Brad Ellis
> CCIE#5796 (R&S / Security)
> CCSI# 30482
> CEO / President
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Email: brad_at_ccbootcamp.com
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
> -----Original Message-----
> From: Travis Niedens [mailto:niedentj_at_hotmail.com]
> Sent: Thursday, October 07, 2010 4:18 PM
> To: Brad Ellis; 'Cisco certification'
> Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth
> to an ACS server
>
> Nothing plugged into the console port that might be shorted out?
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Brad Ellis
> Sent: Thursday, October 07, 2010 3:52 PM
> To: Cisco certification
> Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to
> an ACS server
>
> Crazy stuff...but I thought this would make an interesting problem for
> people to think about.
>
> Every 60 seconds or so:
>
> Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user=''
> ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
> Oct
> 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1 Oct 7
> 22:53:21.317:
> AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0
> channel=0 Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8)
> user='NULL'
> ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII
> service=LOGIN priv=1 initial_task_id='0', vrf= (id=0) Oct 7
> 22:53:21.317:
> AAA/AUTHEN/START (1037375110): port='tty0' list=''
> action=LOGIN service=LOGIN
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
> Oct
> 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+
> (tacacs+)
> Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192
> id=1037375110 Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received
> AUTHEN status = GETUSER Oct 7 22:53:21.569: AAA/AUTHEN (1037375110):
> status = GETUSER Oct
> 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login
> (user='(undef)')
> Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER Oct 7
> 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+) Oct 7
> 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110 Oct 7
> 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status =
> GETUSER Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7
> 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login
> (user='')
> Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER Oct 7
> 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+) Oct 7
> 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110 Oct 7
> 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status =
> GETPASS Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
> Oct 7
> 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login
> (user='x~xxxx')
> Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS Oct 7
> 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+) Oct 7
> 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110 Oct 7
> 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
> Oct
> 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL Oct 7
> 22:53:32.818:
> AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
> Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out
>
> I havent figured this one out yet.
>
> thanks,
> Brad Ellis
> CCIE#5796 (R&S / Security)
> CCSI# 30482
> CEO / President
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Email: brad_at_ccbootcamp.com
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri Oct 08 2010 - 12:37:07 ART