02-14-2023 02:20 AM
I'm trying to get a Virtual Interface running on an ISR4451
vi3 is being created, but no data seems to be sent to that interface.
I assume this log message is the reason.
: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x80007F082B7E3868, ifnum= 17
So I found I can test the sub-interface creation:
test virtual-Template 1 subinterface
Subinterfaces may be created using Virtual-Template1
So my template doesn't seem to cause the problem.
Radius attributes we're using are
Framed-IP-Address | := | 10.130.1.67 |
Framed-MTU | := | 1300 |
Service-Type | := | 2 |
Framed-Protocol | := | 1 |
Filter-ID | := | 130 |
They are working on a different platform.
Does ISR4451 maybe not support Full Virtual-Access?
Solved! Go to Solution.
02-14-2023 02:53 AM
Framed-Compression = Van-Jacobson-TCP-IP <<- this return from Radius is different than what ISR4K use
02-14-2023 02:53 AM
Framed-Compression = Van-Jacobson-TCP-IP <<- this return from Radius is different than what ISR4K use
02-14-2023 03:27 AM
But what does that mean for me? What do I have to change?
I removed default compression from my radius config
DEFAULT Framed-Protocol == PPP
# Framed-Protocol = PPP,
# Framed-Compression = Van-Jacobson-TCP-IP
The log message is gone, the interface used is now vi2.1 instead of vi3 and I still can't reach 10.130.1.67
02-14-2023 03:29 AM
the log is remove. <<- this solved
there are two virtual-template ? Vi2 and Vi3 ??
02-14-2023 03:40 AM
We are replacing a C3900 and that has nearly the same configuration. I thought when I got the vi up everything would be fine.
There every ppp gets its own interface vixxx, in the end there will be quite a lot of those.
The Radius assigns the filter ID and that access-lists gets hits.
So I expected vi3 is assigned 10.130.1.67 (which it is) and then I can ping 10.130.1.67, or at least I'd get a hit in the access-list 130 (which I don't).
Next connection would get e.g. vi4, address 10.130.1.68 and maybe access-list 131.
02-14-2023 04:20 AM
I've also found this out:
I can receive date from the virtual interface, but replies don't go back.
i.e. 10.130.1.67 can ping something and replies go back to the Cisco, but not out through the vi-interface.
02-14-2023 04:29 AM
I have seen this issue before
are you config NAT ?
can I see the show ip route ?
02-14-2023 05:12 AM
Here is the route:
#show ip route 10.130.1.67
Routing entry for 10.130.1.67/32
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 65146
Advertised by bgp 65146
Routing Descriptor Blocks:
* directly connected, via Virtual-Access2.1
Route metric is 0, traffic share count is 1
The Virtual Template does have a nat outside, but I removed that as test, no change. And even if that nat did something I would still have assumed that the access-list 130 would have gotten a hit.
Extended IP access list 130
10 permit icmp any any .... (no hits)
interface Virtual-Template1
mtu 1300
ip unnumbered Loopback1
ip nat outside
no logging event link-status
peer match aaa-pools
no peer default ip address
ppp mtu adaptive
ppp authentication pap callin
ppp authorization VPDN
ip virtual-reassembly
#show interfaces vi2.1
Virtual-Access2.1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback1 (10.130.0.4)
MTU 1300 bytes, BW 28301 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x0
Protocol l2tp, tunnel id 50748, session id 14885
Keepalive set (10 sec)
393 packets input, 15836 bytes
246 packets output, 3956 bytes
Last clearing of "show interface" counters never
According to counters bytes go both in and out...
02-14-2023 05:16 AM
Yes I see, let me check note I have
02-15-2023 10:53 AM
two steps here I think you need
1-ip unnumbered Loopback1
ip nat outside
2- remove ip nat outisde from the Virtual-template
do these two steps and check again
02-15-2023 11:25 PM
02-23-2023 01:19 AM
02-14-2023 09:01 AM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh71668
M.
02-15-2023 04:13 AM
Hello,
I have not followed the entire thread, so maybe I am missing something, but can you post the full RADIUS config including the 'Cisco AVPair' parameters ?
02-15-2023 04:39 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide