
Problem with Automate-tester Probe-on

Nasser Heidari
Level 1

Hi, 

I have configured my BNG with two RADIUS servers in one AAA group:

radius server rad-01
 address ipv4 10.10.4.20 auth-port 18012 acct-port 18013
 timeout 10
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 key *****

radius server rad-02
 address ipv4 10.10.4.21 auth-port 18012 acct-port 18013
 timeout 10
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 key *****

aaa group server radius freeradius
 server name rad-01
 server name rad-02

radius-server dead-criteria time 15 tries 3
radius-server deadtime 10

With this configuration, once my first RADIUS server becomes unavailable, the BNG will try the second RADIUS server. This is working fine.

My problem is that once there is a network outage between the BNG and RADIUS, both AAA servers become DEAD and for 10 minutes the BNG doesn't try to check if the RADIUS status is UP (radius-server deadtime 10).

I want to use the automate-tester feature to query the RADIUS server status when it becomes DEAD.

According to Cisco documentation, using the probe-on feature can switch the server status from DEAD to UP:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

The use of this additional key word in the automate-tester command ensures that:

   The probes are sent out only when the RADIUS server is marked DEAD

   A DEAD server will be marked “UP” only when a response is received from the RADIUS server.

I have already configured the probe-on feature, but I still don't see any packets from the BNG once RADIUS becomes DEAD. Is there any workaround for this issue?

Regards,

Nasser

6 Replies

Software?

dhristov
Cisco Employee

The problem seems to be related to "automate-tester username dummy ignore-acct-port probe-on". Can you try to remove that CLI? We are working on a fix.

maria.tadeo
Level 1

dhristov,

Has a fix been provided for the above?

The bugID provided earlier in this thread lists various Known Fixed Releases. Please check the release notes for the specific code train you are using.

CSCvg79459 - Automate-tester does not send probes when the server is dead 

diduarte
Cisco Employee

Just to let you know, I tested on version 17.9.4a and it is not possible to use idle-time and probe-on in the same syntax. I don't really know when this will be implemented. Please check the info below, which may help to understand how automate-tester works, as the documentation does not explain it.

I was doing some tests to see how radius automate-tester username test-user ignore-acct-port probe-on works. Based on the tests I did on three 3850 switches and two 9300s with version 17.9.4a and version 17.6.4, it behaved the same way. It seems the automate-tester username test-user ignore-acct-port probe-on command works based on the deadtime configuration.

I configured radius-server deadtime with following numbers for my test:

With deadtime 2 minutes, automate-tester username test-user ignore-acct-port probe-on takes two minutes and 15 seconds, more or less, to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it needs to wait the two minutes again to send the probe again.

With deadtime 3 minutes, automate-tester username test-user ignore-acct-port probe-on takes three minutes and 15 seconds, more or less, to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it needs to wait the three minutes again to send the probe again.

With deadtime 4 minutes, automate-tester username test-user ignore-acct-port probe-on takes four minutes and 15 seconds, more or less, to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it needs to wait the four minutes again to send the probe again.

With deadtime 15 minutes, automate-tester username test-user ignore-acct-port probe-on takes fifteen minutes and 15 seconds, more or less, to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it needs to wait the fifteen minutes again to send the probe again.

And so on. The only way I really found this useful was leaving the deadtime at 0, which is the default. As you know, when it is at the default it may cause flapping, as the server is marked dead and alive immediately, but when it has automate-tester username test-user ignore-acct-port probe-on it works just fine.

Explanation:

Automate-tester with probe-on will send probes after every Dead-time expiry.

Default dead-time for automate-tester is 60 seconds. In this case probes will be sent to the server only if the state of the server is DEAD. To achieve this, whenever the user configures automate-tester with probe-on, the state of the server will be forced to DEAD irrespective of its current state, so that after the dead-time expires probe-on can take part in sending test packets.

Packets will be sent on both IOS and BINOS (Both on SMD and WNCD).

IOS: One authentication packet and one accounting packet

BINOS: Only one authentication packet

Note: As soon as the user configures "automate-tester probe-on", the server will be intentionally marked as DEAD and the deadtime will start (default is 60 sec if radius-server deadtime is not configured). This will affect the user/customer if the user has a large deadtime, and during config or bootup the server will be marked DEAD for that much time. Once the deadtimer expires, packets (probes) will be sent and the correct state will be updated based on the result.
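
To check from logs whether probe-on is actually bringing servers back, or whether they only recover when the deadtime expires, the following added example (not part of the original thread and not Cisco code) measures how long each server stayed DEAD and when every server in the group was DEAD at once. The log lines are constructed, and the collector timestamp format and the exact RADIUS_DEAD / RADIUS_ALIVE message layout are assumptions to adapt to your own syslog.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the thread). Timestamp prefix and message
# layout are assumptions modelled on IOS %RADIUS-4-RADIUS_DEAD / RADIUS_ALIVE messages.
SAMPLE_LOG = """\
2024-01-10 09:00:05 %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.4.20:18012,18013 is not responding.
2024-01-10 09:00:20 %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.4.21:18012,18013 is not responding.
2024-01-10 09:10:05 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.4.20:18012,18013 is being marked alive.
2024-01-10 09:10:20 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.4.21:18012,18013 is being marked alive.
2024-01-10 11:30:00 %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.4.20:18012,18013 is not responding.
2024-01-10 11:31:10 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.4.20:18012,18013 is being marked alive.
"""
EVENT = re.compile(r"^(\S+ \S+) %RADIUS-4-RADIUS_(DEAD|ALIVE): RADIUS server (\d+\.\d+\.\d+\.\d+):")

def parse_events(log):
    """Return time-ordered (timestamp, server_ip, state) tuples; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return sorted(events)

def dead_intervals(events):
    """Per server: list of (dead_at, alive_at, seconds). Still-open outages are not reported."""
    open_since, out = {}, {}
    for ts, server, state in events:
        if state == "DEAD":
            open_since.setdefault(server, ts)  # keep the first DEAD of an outage
        elif server in open_since:
            start = open_since.pop(server)
            out.setdefault(server, []).append((start, ts, int((ts - start).total_seconds())))
    return out

def all_dead_windows(events, group):
    """Windows (start, end, seconds) during which every server in the group was DEAD."""
    group, dead, start, windows = set(group), set(), None, []
    for ts, server, state in (e for e in events if e[1] in group):
        (dead.add if state == "DEAD" else dead.discard)(server)
        if dead == group and start is None:
            start = ts  # last remaining server just went DEAD
        elif dead != group and start is not None:
            windows.append((start, ts, int((ts - start).total_seconds())))
            start = None
    return windows
```

A DEAD interval that matches the configured deadtime almost exactly (600 seconds in the sample, for deadtime 10) suggests the server came back on timer expiry rather than on an earlier probe response.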

 
