<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 10, 2013 at 5:00 PM, Alan McKinnon <span dir="ltr"><<a href="mailto:alan.mckinnon@gmail.com" target="_blank">alan.mckinnon@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>On 10/07/2013 19:55, Asif Iqbal wrote:<br>
> Hi All<br>
><br>
> We have two TACACS+ server and only one of them is heavily loaded.<br>
><br>
> What is the best practice on balancing the load. Once in a while we<br>
> need to restart tacacs+ since the CPU usage goes over 50%, on the primary<br>
> server<br>
> while the secondary one is almost idle.<br>
><br>
> We are using x2270 servers and they are 4G each with 2 Intel 2.00GHz<br>
> Quad-Core Xeon E5504<br>
> on each.<br>
><br>
> I see about 31 tac_plus running on primary, while secondary one has just 1.<br>
><br>
><br>
> Thanks<br>
><br>
<br>
<br>
</div>Hi Asif,<br>
<br>
Before doing anything else, you need to sort out those cpu load numbers<br>
as they should not be anywhere near that level. For a point of<br>
reference, I have 3 main tacacs servers, they do about 1800 requests<br>
(login and command in total) a minute, and one of them takes about half<br>
that load. Occasionally the munin graph creeps above 1% or 2% and that's<br>
an oldish Dell dual core.<br>
<br>
50% load on your hardware spells something badly wrong and in my<br>
experience that behaviour with tcp connections is almost always IO blocking.<br></blockquote><div><br></div><div>I usually restart the tac_plus and that fixes it immediately. That sounds like</div><div>a memory leak. How to find out the total memory usage for tac_plus? VSZ or</div>
<div>RSS count of 25 threads is not it.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Do you do per-device controls in your tac_plus.conf somehow? Do you need<br>
to do DNS lookups for this, and is your DNS setup fast and reliable?<br></blockquote><div><br></div><div>No per device config. Yes using the -L and DNS cache is running with dnscache </div><div>for local lookup and that is fast. We need that to co-relate the events for cisco</div>
<div>syslog and AAAs in splunk for reporting.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
What are the hash types you use for your passwords and is it a method<br>
that be hashed quickly by the OS<br>
<br></blockquote><div><br></div><div>using PAM -> AD.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Those would be the first thing I'd look at. Second is to post your<br>
tac_plus.conf. there aren't really any best practices as such for this,<br>
tac_plus is more than adequate to deal with just about any realistic<br>
scenario so the "best practice" is whatever works for you and gives<br>
*you* the control *you* need.<br></blockquote><div><br></div><div><br></div><div>Need to sanitize a lot before posting it, but I have 31 group stanzas, 1325 user stanzas, </div><div>19 acl stanzas and some of those acls have about 130 permit lines. </div>
<div><br></div><div>currently I have 24 tac_plus instance running like below</div><div><br></div><div><div>$ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s</div><div> 4692 1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf </div>
<div>27276 4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf </div></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span><font color="#888888"><br>
--<br>
Alan McKinnon<br>
<a href="mailto:alan.mckinnon@gmail.com" target="_blank">alan.mckinnon@gmail.com</a><br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br><br>
</div></div>