Solved: AAA configuration issue with Nexus 9000 won't use correct vrf

tcmckay · ‎02-20-2020

I have configured RADIUS on a set of new Nexus 9K's and for some reason I cannot get it to use the correct vrf for connections. Here are my configs and the error I get.

aaa group server radius xxxradius
server 192.168.2.20
server 192.168.2.21
server 192.168.2.22
deadtime 5
use-vrf paas
source-interface Vlan11

When I look at the logs I see this:

Error sending RADIUS packet to server 192.168.2.20 on vrf default on on 44: No route to host.

There is no route to host on vrf default. When I run: test aaa, the user is authenticated. When logging into the switch using RADIUS it fails.

tcmckay · ‎03-11-2020

I did open a TAC case and while waiting for them to get back to me I did a write erase on the switch and reloaded the configurations. This worked! I don't know why Radius configs seem to hang sometimes and not fully deploy or not deploy changes. This is the second time I have run into this issue. I was hopping for a less invasive method of fixing the issue.

I appreciate all the suggestions.

View solution in original post

balaji.bandi · ‎02-20-2020

When you mentioned "source-interface Vlan11" is the VLAN 11 belong to VRF PASS?

change the source interface correct where the switch can reach IP address 192.168.2.20

source-interface mgmt0 <<- an example we use generally mgmt0 port for this kind of communication, change accordingly your setup.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tcmckay · ‎02-20-2020

The source interface VL11 is in the vrf that is used for connection to the AAA servers. The issue is that I have configured it to use a specific vrf but it seems that AAA is still looking at vrf default which it should not. I did change it to use vrf management but that vrf does not have a route to vl11. Consequently, these configs work on all my other Nexus 9K's.

balaji.bandi · ‎02-20-2020

Can you post the information below :

show run interface vlan 11

show ip route vrf all | 192.168.2.20

ping 192.168.2.20 vrf pass

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tcmckay · ‎02-20-2020

Here is the config on vl11

interface Vlan11
description Admin
no shutdown
vrf member paas
no ip redirects
ip address 192.168.2.10/24
no ipv6 redirects

A show of the ip routes for vfr paas also shows all of the relevant routes. If I ping the servers through vrf paas I connect. It is just strange that the switch is not accepting the use-vrf paas command.

balaji.bandi · ‎02-20-2020

i would like to see the outcome of below, so i can suggest any other method to change.

show ip route vrf all | 192.168.2.20

ping 192.168.2.20 vrf pass

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tcmckay · ‎02-20-2020

Here are the outputs:

ping 192.168.2.20 vrf paas
PING 192.168.2.20 (192.168.2.20): 56 data bytes
64 bytes from 192.168.2.20: icmp_seq=0 ttl=127 time=0.752 ms
64 bytes from 192.168.2.20: icmp_seq=1 ttl=127 time=0.506 ms
64 bytes from 192.168.2.20: icmp_seq=2 ttl=127 time=0.527 ms
64 bytes from 192.168.2.20: icmp_seq=3 ttl=127 time=0.603 ms
64 bytes from 192.168.2.20: icmp_seq=4 ttl=127 time=0.653 ms

sh ip route vrf all | in 192.168.2.20 returned nothing at all

sh ip route vrf all | in 192.168.2.0
192.168.2.0/24, ubest/mbest: 1/0, attached

B17-A# test aaa group ***radius username ********
user has been authenticated

hslai · ‎02-21-2020

Configuring Global Periodic RADIUS Server Monitoring shows "ip radius source-interface <>".

If that does not help and if Balaji has no other idea, please open a TAC case.

tcmckay · ‎03-11-2020

I did open a TAC case and while waiting for them to get back to me I did a write erase on the switch and reloaded the configurations. This worked! I don't know why Radius configs seem to hang sometimes and not fully deploy or not deploy changes. This is the second time I have run into this issue. I was hopping for a less invasive method of fixing the issue.

I appreciate all the suggestions.

marce1000 · ‎03-11-2020

- Perhaps then, you also need to look at the software version the 9000 currently running and or try more recent release (if available and or if it would become available - also depending on urgency at your side).

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

tcmckay · ‎03-11-2020

This is what I thought so I upgraded the software to the most recent version. Still not working unless I do a full write erase and then reload the configs. I have experienced this a couple of times and so far TAC has not given me a solution.