
AS5350 unable to pass traffic after user has authenticated

abibby
Level 1

Hi,

I've configured my AS5350 as shown at

http://www.cisco.com/en/US/customer/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml

with the exception I'm using external authentication (CiscoSecure ACS) to validate users.

Now, users happily authenticate (via a post-dial terminal screen) so I know traffic passes during the authentication process, but once this is complete the AS5350 seems to show users connected, but very little IP traffic is able to pass through the interface.

Stats for the Async show counters increasing but I get maybe 1 reply in a 100 for pings just between the AS5350 and the client, with users having similar success when passing 'normal' IP traffic - www, smtp etc.

I have a very similar config running on an AS5300 and that works fine.

I'm running [as shipped] IOS 12.1(5)XM8 - any suggestions?

Many thanks,

Aron

2 Replies

makchitale
Level 6

What do we see in "sh ip route x.x.x.x" for a specific user (that you cannot ping)? Is this happening to all users or to only some users?

If you get one ping to go through, that means it knows the route, but then it could be having maybe high CPU that is causing it to time out, or maybe the modem is speedshifting/retraining.

The below debugs for a single call will be useful:

deb isdn q931 / deb modem / deb csm modem / deb ppp nego / deb aaa authen / deb aaa author / deb vtemp

Thanks, Mak.

Hi Mak,

A 'connected' route gets added upon authentication, all the debugs match what I'm expecting to see, CPU usage is non-existent, it all *looks* like it should work :-(

I know the aaa side is all good as I'm using RSA SecurID and it's telling me the right things.

Interestingly, when I ping client -> AS5350 (as opposed to the other way around) I seem to experience exactly 50% packet loss when pinging the loopback interface, but I suspect it's because the client is sending packets at a slower rate.

The same client machine works perfectly when I dial into my working AS5300 - which points to the same Cisco SecureACS.

Even when I switch on debug dialer packets/events it's telling me the correct thing -

As2/10 DDR: ip (s=192.168.x.x, d=192.168.y.y), 60 bytes, outgoing interesting (ip PERMIT)

When I do a 'show interface as2/10' it shows LCP, IPCP and CCP all open. Counters are increasing when they should -

239 packets input, 11296 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

212 packets output, 28151 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

and on the client end I'm seeing 0% packet loss, but packets *are* being lost?? That's the frustrating thing - it all appears to be working but the performance is so bad I can't bring it into service :-(

I'll post some debugs soon...

Many thanks,

Aron