Status: PASSED
Scenario: network / tacacs_server_unreachable

TACACS+ Server Unreachable — Network Admin Lockout

Both TACACS+ AAA servers become unreachable due to a VLAN misconfiguration, locking all network administrators out of switches, routers, and firewalls. Only console port access remains available.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands

Test Results

Metric                 Expected    Actual
Pattern Recognition    UNKNOWN     UNKNOWN
Severity Assessment    CRITICAL    CRITICAL
Incident Correlation   Yes         30 linked
Cascade Escalation     Yes         Yes
Remediation            Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Two TACACS+ servers (primary and backup). Both on management VLAN 999. VLAN 999 removed from trunk to server switch during maintenance. All network devices configured for TACACS+ with no local fallback. 35 network devices unmanageable.

Injected Error Messages (3)

TACACS+ primary server unreachable — TCP port 49 on 10.50.0.80 not responding, TACACS+ authentication requests from all network devices not being answered, management VLAN 999 unreachable after trunk misconfiguration removed VLAN from path, TACACS+ server physically online but network-isolated, all AAA authentication for network device management: failing
TACACS+ backup server also unreachable — both TACACS+ servers on management VLAN 999 (both isolated by same trunk misconfiguration), TCP port 49 on 10.50.0.81 not responding, no functional TACACS+ servers available for network device authentication, all 35 managed network devices unable to authenticate admin login attempts
network administrator lockout — all SSH and HTTPS admin access to 35 network devices (switches, routers, firewalls) denied due to TACACS+ server unreachability, no local authentication fallback configured on any device, admin login attempts returning 'authentication server unreachable' after 30-second wait, only physical console port access available, network changes impossible until TACACS+ restored

Neural Engine Root Cause Analysis

The TACACS+ primary server at 10.50.0.80 is physically online but network-isolated due to a trunk misconfiguration that removed management VLAN 999 from the network path. This has severed connectivity between the network devices and the TACACS+ server, so no AAA authentication request reaches the server on TCP port 49. The 12 correlated incidents within the same timeframe strongly suggest a shared root cause, most likely the VLAN trunk misconfiguration affecting multiple network services simultaneously.

Remediation Plan

1. Immediately verify and restore VLAN 999 (management VLAN) to all relevant trunk ports in the network infrastructure.
2. Check switch configurations to ensure management VLAN 999 is properly tagged/untagged as required on trunk links between network segments.
3. Verify Layer 2/3 connectivity to 10.50.0.80 from network devices after VLAN restoration.
4. Test TACACS+ authentication functionality by attempting device logins.
5. Monitor for resolution of the 12 correlated incidents as network connectivity is restored.
6. Implement configuration backup and change control procedures to prevent similar trunk misconfigurations.
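A configuration audit for the two conditions this scenario combines (management VLAN 999 pruned from a trunk, and AAA login lists that depend on TACACS+ with no local fallback), added here as an example in Python; it is not part of the scenario page or the Corax product, and the interface name, VLAN lists and AAA lines are constructed samples.

```python
import re

MGMT_VLAN = 999  # management VLAN from the scenario

# Constructed sample config fragments (not taken from the page) that
# reproduce the two conditions the scenario describes.
TRUNK_BROKEN = """\
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100-200
"""
TRUNK_OK = TRUNK_BROKEN.rstrip("\n") + ",999\n"
AAA_NO_FALLBACK = "aaa authentication login default group tacacs+\n"
AAA_WITH_FALLBACK = "aaa authentication login default group tacacs+ local\n"

# Methods that still work when every TACACS+ server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line"}


def _expand(vlan_list: str) -> set[int]:
    """Expand Cisco VLAN list syntax ('10,20,100-200') into a set of ints."""
    vlans: set[int] = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_allows_vlan(config: str, vlan: int) -> bool:
    """True if the trunk carries `vlan`. Only explicit allowed lists and
    'add' lines are understood ('except'/'remove'/'none' are not); a trunk
    with no allowed list carries all VLANs by default."""
    lists = re.findall(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)", config)
    if not lists:
        return True
    return any(vlan in _expand(v) for v in lists)


def tacacs_only_login_lists(config: str) -> list[str]:
    """Names of 'aaa authentication login' method lists that use the
    built-in tacacs+ group but contain no method usable with both servers
    down. Named server groups ('group MYSERVERS') are not recognised here."""
    risky = []
    for name, methods in re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        toks = methods.split()
        if "tacacs+" in toks and not FALLBACK_METHODS & set(toks):
            risky.append(name)
    return risky
```

Run `trunk_allows_vlan(cfg, MGMT_VLAN)` over every trunk toward the server switch and `tacacs_only_login_lists(cfg)` over every device config; a trunk that drops 999 or a non-empty list of risky method lists reproduces the lockout precondition before it happens in production.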
Tested: 2026-03-30
Monitors: 3 | Incidents: 3
Test ID: cmnckbf50087sobqelce2qmdl