Jump to content
Welcome to our new Citrix community!

Load balancing TACACS servers

Recommended Posts

Some of my network devices will support single tacacs server for authentication which is failing frequently and impacting critical device login failures. To address this issue i am configuring TACACS load balancing on ADC.


I configured LB VIP and back-end tacacs servers. All backend communication with ADC subnet IP on TCP 49 ports. ACL defined on tacacs servers with user and device IP.


Scenario 1: If SNIP communication with tacacs severs, users able to login but not getting proper rights (tacacs server not found device ip, all the requests with SNIP) and they are not able to perform any activity. 

Scenario 2: If i enable Use Source IP on service, authentication failing and not seen any request on tacacs server. One more observation, request sending through ADC, but response bypassing ADC ( We have direct connectivity from device network to tacacs server)


How to send the device ip to back-end tacacs server to get proper rights, attached sample diagram for reference



Link to comment
Share on other sites

When you configure a LBVS to use USIP mode, you MUST set the backend server's default gateway to point at the netscaler SNIP, otherwise the response traffic will just bypass the netscaler. Even it it reaches the client, the client will ignore it as the Source IP and TCP settings (eg sequence #) will be completely wrong!

Link to comment
Share on other sites

Hi Paul,


I am not able to add the SNIP as default gateway in Tacacs servers, It's giving (could not find outgoing interface for gateway while trying to add the route) error. Tacacs servers not accepting SNIP as default gateway. 


Tested with Pulse Secure Virtual Traffic Manager (Pulse vTM), their we defined load balanced ip as gateway. Then we added static route in Tacacs server for device network range. So what ever request coming from the network devices, tacacs sending back with the lb ip (tacacs thinks lb IP as gateway, so it is allowing route).


Is there any option in Citrix ADC to configure SNIP as gateway for Tacacs communication ?


Thanks & Regards


Link to comment
Share on other sites

Hi Rajanikanth,


That's normal, the default gateway always needs to be on the same subnet, in your case.

So you will need to add a route scoped to the IP range of the device that does the authentication, in your case, assuming that is the "source IP" that hits the NetScaler and not the actual client's IP, in your case.





Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...