Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2056
Views
0
Helpful
10
Replies

AAA configuration issue with Nexus 9000 won't use correct vrf

Go to solution
tcmckay
Level 1
Level 1

‎02-20-2020 06:46 AM

I have configured RADIUS on a set of new Nexus 9K's and for some reason I cannot get it to use the correct vrf for connections. Here are my configs and the error I get.

aaa group server radius xxxradius
server 192.168.2.20
server 192.168.2.21
server 192.168.2.22
deadtime 5
use-vrf paas
source-interface Vlan11

 

When I look at the logs I see this:

Error sending RADIUS packet to server 192.168.2.20 on vrf default on on 44: No route to host.

There is no route to host on vrf default. When I run: test aaa, the user is authenticated. When logging into the switch using RADIUS it fails.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
tcmckay
Level 1
Level 1
In response to hslai

‎03-11-2020 08:10 AM

I did open a TAC case and while waiting for them to get back to me I did a write erase on the switch and reloaded the configurations. This worked! I don't know why Radius configs seem to hang sometimes and not fully deploy or not deploy changes. This is the second time I have run into this issue. I was hopping for a less invasive method of fixing the issue.

 

I appreciate all the suggestions.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎02-20-2020 07:01 AM

When you mentioned "source-interface Vlan11" is the VLAN 11 belong to VRF PASS?

 

change the source interface correct where the switch can reach IP address 192.168.2.20

 

source-interface mgmt0   <<- an example we use generally mgmt0 port for this kind of communication, change accordingly your setup.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
tcmckay
Level 1
Level 1
In response to balaji.bandi

‎02-20-2020 07:32 AM

The source interface VL11 is in the vrf that is used for connection to the AAA servers. The issue is that I have configured it to use a specific vrf but it seems that AAA is still looking at vrf default which it should not. I did change it to use vrf management but that vrf does not have a route to vl11. Consequently, these configs work on all my other Nexus 9K's. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to tcmckay

‎02-20-2020 07:44 AM

Can you post the information below :

 

show run interface vlan 11

show ip route vrf all | 192.168.2.20

ping 192.168.2.20 vrf pass

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
tcmckay
Level 1
Level 1
In response to tcmckay

‎02-20-2020 07:46 AM

Here is the config on vl11

interface Vlan11
description Admin
no shutdown
vrf member paas
no ip redirects
ip address 192.168.2.10/24
no ipv6 redirects

 

A show of the ip routes for vfr paas also shows all of the relevant routes. If I ping the servers through vrf paas I connect. It is just strange that the switch is not accepting the use-vrf paas command. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to tcmckay

‎02-20-2020 08:26 AM

i would like to see the outcome of below, so i can suggest any other method to change.

 

show ip route vrf all | 192.168.2.20

ping 192.168.2.20 vrf pass

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
tcmckay
Level 1
Level 1
In response to balaji.bandi

‎02-20-2020 09:50 AM

Here are the outputs:

 

ping 192.168.2.20 vrf paas
PING 192.168.2.20 (192.168.2.20): 56 data bytes
64 bytes from 192.168.2.20: icmp_seq=0 ttl=127 time=0.752 ms
64 bytes from 192.168.2.20: icmp_seq=1 ttl=127 time=0.506 ms
64 bytes from 192.168.2.20: icmp_seq=2 ttl=127 time=0.527 ms
64 bytes from 192.168.2.20: icmp_seq=3 ttl=127 time=0.603 ms
64 bytes from 192.168.2.20: icmp_seq=4 ttl=127 time=0.653 ms

 

sh ip route vrf all | in 192.168.2.20 returned nothing at all

sh ip route vrf all | in 192.168.2.0
192.168.2.0/24, ubest/mbest: 1/0, attached

 

B17-A# test aaa group ***radius username ********
user has been authenticated

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎02-21-2020 04:34 PM

Configuring Global Periodic RADIUS Server Monitoring shows "ip radius source-interface <>".

If that does not help and if Balaji has no other idea, please open a TAC case.

0 Helpful

Go to solution
tcmckay
Level 1
Level 1
In response to hslai

‎03-11-2020 08:10 AM

I did open a TAC case and while waiting for them to get back to me I did a write erase on the switch and reloaded the configurations. This worked! I don't know why Radius configs seem to hang sometimes and not fully deploy or not deploy changes. This is the second time I have run into this issue. I was hopping for a less invasive method of fixing the issue.

 

I appreciate all the suggestions.

0 Helpful

Go to solution
marce1000
VIP
VIP
In response to tcmckay

‎03-11-2020 09:17 AM

 

 - Perhaps then, you also need to look at the software version the 9000 currently running and or try more recent  release (if available and or if it would become available - also depending on urgency at your side).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
tcmckay
Level 1
Level 1
In response to marce1000

‎03-11-2020 02:11 PM

This is what I thought so I upgraded the software to the most recent version. Still not working unless I do a full write erase and then reload the configs. I have experienced this a couple of times and so far TAC has not given me a solution.

0 Helpful
Customers Also Viewed These Support Documents