game123
NAS 4.8 communication problem (help plz) in troubleshooting stuck!

"CAS + CAM + TEST XP box is all on SAME L3 SWITCH just in different VLANS "

1> I have a simple setup of inband vg mode for a small set of users .

2> CAM IP is : vlan 41 = 192.168.41.1 , CAS IP : vlan 42 = 192.168.42.1  ( both are pingable from switch and also from each other boxes )

3> SSL Cert is fine and shows CAS connected in CAM.

4> I have a user vlan 29 , which i did vlan map to  429 in CAM. and also defined  a managed subnet (with free ip from dhcp scope, excluded) 192.168.29.253

Following is my port config on the L3 switch :

CAM port config on switch :
===================
interface GigabitEthernet4/16
description Connected to CAM NIC 1 ETH 0
switchport
switchport access vlan 41
switchport mode access
no ip address
spanning-tree portfast
end

CAS port config on switch(trusted eth0):
==============================
interface GigabitEthernet4/18
description CAS trusted Interface ETH 0 NIC 1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10-39,42
switchport mode access
no ip address
end

CAS port config on switch(untrusted eth1):
==============================

interface GigabitEthernet4/20
description CAS Untrusted Interface ETH 1 NIC 2
switchport
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 410-439
no ip address
end

Now ......... I was before using XP laptop on vlan 29 and it was working fine, the moment i put it up on vlan 429, it stops working and not even taking an IP. I wanted to AT LEAST download the AGENT on PC and then proceed on requirements of user ???? EVEN FROM CAS/NAS i did the following command and see the output : ( PLEASE SUGGEST me how to troubleshoot and proceed on this )

[root@cas ~]# more /perfigo/build
VERSION=4.8.0
NAME=Clean Access Server
DATE=2010/07/21
AUTHOR=avinkuma
BUILD_TAG=NAC-4_8_0-RC9
BUILD_INFO=Experimental
BUILT_ON=nacbuild
REBUILD_COUNT=0
[root@cas ~]#

[root@cas ~]# cd /proc/click/intern_arpq/
[root@cas intern_arpq]# more table
[root@cas intern_arpq]#

[root@cas ~]# cd /proc/click/real_routing_table/
[root@cas real_routing_table]# more table
192.168.42.1/32         -               0 0
192.168.42.254/32       -               1 0
192.168.42.0/24         -               2 0
0.0.0.0/0               192.168.42.254  1 0
192.168.10.0/24         192.168.10.254  1 8
192.168.11.0/24         192.168.11.254  1 8
192.168.12.0/24         192.168.12.254  1 8
192.168.13.0/24         192.168.13.254  1 8
192.168.14.0/24         192.168.14.254  1 8
192.168.15.0/24         192.168.15.254  1 8
192.168.16.0/24         192.168.16.254  1 8
192.168.17.0/24         192.168.17.254  1 8
192.168.18.0/24         192.168.18.254  1 8
192.168.19.0/24         192.168.19.254  1 8
192.168.20.0/24         192.168.20.254  1 8
192.168.21.0/24         192.168.21.254  1 8
192.168.22.0/24         192.168.22.254  1 8
192.168.23.0/24         192.168.23.254  1 8
192.168.24.0/24         192.168.24.254  1 8
192.168.25.0/24         192.168.25.254  1 8
192.168.26.0/24         192.168.26.254  1 8
192.168.27.0/24         192.168.27.254  1 8
192.168.28.0/24         192.168.28.254  1 8

I THINK SOME ISSUE is about UNTRUSTED ETH1 in LEARNING ? how to check it further and troubleshoot more ????

my XP desktop is fine and it works fine on vlan 29 , but in auth vlan 429 ( there is no SVI for it ) IT IS NOT WORKING ????

please help..................desperate !
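An added sanity check on the switchport stanzas posted above (example code written for this thread, not a Cisco tool): it splits an IOS-style config into interface stanzas and flags a port that is shut down, or that carries trunk settings while its operational mode is "access" or is left unset. The sample input is the CAS port config from the post, trimmed to the switchport lines.

```python
# Constructed sample: the CAS switchport stanzas as posted in the thread,
# trimmed to the switchport lines (test input for this example, not live config).
SAMPLE_CONFIG = """
interface GigabitEthernet4/18
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-39,42
 switchport mode access
end
interface GigabitEthernet4/20
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 410-439
end
"""

def parse_interfaces(text):
    """Split an IOS-style running config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("end", "!"):
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def lint_port(lines):
    """Return findings for one stanza: shutdown, or trunk settings that are not in effect."""
    findings = []
    has_trunk_cfg = any(l.startswith("switchport trunk ") for l in lines)
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    if "shutdown" in lines:
        findings.append("shutdown")
    if has_trunk_cfg and mode == "access":
        # 'switchport mode access' makes the port a static access port; the trunk
        # lines stay in the config but the port only passes its access VLAN, untagged.
        findings.append("trunk-config-ignored-mode-access")
    elif has_trunk_cfg and mode is None:
        # No explicit mode: the port keeps the platform's dynamic (DTP) default, so
        # whether it really trunks depends on the neighbour negotiating; a server NIC will not.
        findings.append("trunk-config-without-mode-trunk")
    return findings

def lint_config(text):
    return {name: lint_port(lines) for name, lines in parse_interfaces(text).items()}
```

Run it against `show running-config interface` output for the three NAC ports; a clean port returns an empty list.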


Okay, I guess I just prefer to watch the actual interface to see if the requests are making it to the untrusted interface. It seems as though your DHCP request is never hitting the CAS, so I'd make sure it's leaving the client, maybe by spanning the port the client is connected to or you could install a sniffer client (wireshark) on the xp client.

hi there Phillips,

how to check if my CAS and CAM are licensed from CLI (Console version of commands)

Plz let me know,

I wanted to see CAS specially !!!!

Hi K,

In the switch config, it shows that the switchport connected to the untrusted CAS port is shutdown. Is this an old config or the current one??

That would be the issue if it is the current config.

-Shrikant

Oh , bro it is NO MORE shutdown. I posted you a bit older config, now it is no more shutdown , but following is the behaviour on CAS :

i can ping happily to CAM from CAS unit .

but

[root@cas ~]# cd /proc/click/intern_arpq/
[root@cas intern_arpq]# more table
[root@cas intern_arpq]#

[root@cas ~]# cd /proc/click/real_routing_table/
[root@cas real_routing_table]# more table
192.168.42.1/32         -               0 0
192.168.42.254/32       -               1 0
192.168.42.0/24         -               2 0
0.0.0.0/0               192.168.42.254  1 0
192.168.10.0/24         192.168.10.254  1 8
192.168.11.0/24         192.168.11.254  1 8
192.168.12.0/24         192.168.12.254  1 8
192.168.13.0/24         192.168.13.254  1 8
192.168.14.0/24         192.168.14.254  1 8
192.168.15.0/24         192.168.15.254  1 8
192.168.16.0/24         192.168.16.254  1 8
192.168.17.0/24         192.168.17.254  1 8
192.168.18.0/24         192.168.18.254  1 8
192.168.19.0/24         192.168.19.254  1 8
192.168.20.0/24         192.168.20.254  1 8
192.168.21.0/24         192.168.21.254  1 8
192.168.22.0/24         192.168.22.254  1 8
192.168.23.0/24         192.168.23.254  1 8
192.168.24.0/24         192.168.24.254  1 8
192.168.25.0/24         192.168.25.254  1 8
192.168.26.0/24         192.168.26.254  1 8
192.168.27.0/24         192.168.27.254  1 8
192.168.28.0/24         192.168.28.254  1 8

i have put up a simple mspaint diagram as how i want the NAC units to work for me.

The config is also present in posts above.

All ports are "NO SHUT" and up up .

how to check if my CAS and CAM are licensed from CLI (Console version of commands)

Plz let me know,

I wanted to see CAS specially !!!!

Hi game,

You can check your license features from cli with this:

From CLI put:

psql -h localhost -U postgres controlsmartdb

\a

\o /root/licenses.txt

select * from flexlm_licenses;

\q

So, once you entered these lines, on / you can find the licenses.txt file, put more licenses.txt and you can read it.

Regards.

Hi,

The best way to see if the devices are licensed is from the GUI and NOT from the CLI.

If you can access the CAM GUI then you have the CAM license for sure.

Anyway, both the licenses are shown in the CAM GUI -> Administration -> Clean Access Manager -> Licensing.

You should have the list of licenses installed.

If you are still having trouble on your setup i seriously advise you to open a TAC case so that we can login into your devices and find out easily what is wrong.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hi again,

I did a second look over this thread and not sure if the switch config is still valid, however, can you please clarify if you are attempting OOB or InB?

And do you have managed subnets configured?

If it is OOB, do you have the switch added to your CAM?

Is the port being managed?

Again, at this stage, it would be more effective if you open a TAC case.

HTH,
Tiago


It is INBAND and VG mode.

all trunks are coming to the core switch where my NAC both units are connected.

I had attached a diagram on the thread discussion also. And switch config posted also.

Well, already managed subnets (IP Addresses which are excluded from DHCP pool of respective VLANS) are already put up in NAC.

and also VLAN Maps are put up as well.

No idea why traffic does not TAKE THE PATH THRU NAC .???

As i said, no traffic passes, ARP is not collected on eth 1 of NAS/CAS !

Have you tried with a span session on switch and mirroring the traffic of the untrusted interface to a wireshark sniffer trace?

Do you see the DHCP packets there?

If not, it is a L2 problem.

If you see them there, move to the trusted side and check.

If you see them also on the trusted side then the vlan mapping is working and it is again a switch problem.

If you see them on the untrusted and not on the trusted, then there is a problem on the CAS not doing the mapping properly.

Please make sure you use SPAN on the switch and NOT tcpdump.

In VG tcpdump is not reliable and should not be used.

But again I tend to insist in you opening a TAC case so we can login into your devices...

HTH,
Tiago

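The decision tree in the reply above, turned into a small triage script (an added example for this thread, not Tiago's or Cisco's code). It takes one-line-per-packet summaries from two SPAN captures (untrusted and trusted CAS ports) and says which segment to look at next; the VLAN-map check is an extension of the tree, using the 29 <-> 429 mapping from the original post. The summary line format and the sample lines are constructed for the example.

```python
# Untrusted (auth) VLAN -> trusted (access) VLAN, as mapped in the CAM in this thread.
VLAN_MAP = {429: 29}

# Constructed one-line-per-packet summaries, as you might export from two SPAN
# captures (sources: CAS untrusted port Gi4/20 and trusted port Gi4/18). Format:
# <capture point> <vlan> <client mac> <message>. Not a real trace.
SAMPLE_CAPTURE = """
untrusted 429 00:11:22:33:44:55 DHCP-Discover
untrusted 429 00:11:22:33:44:55 DHCP-Discover
trusted   29  00:11:22:33:44:55 DHCP-Discover
trusted   29  00:aa:bb:cc:dd:ee DHCP-Offer
"""

def discovers_by_side(capture):
    """Collect the VLANs on which DHCP Discover frames were seen, per capture point."""
    seen = {"untrusted": set(), "trusted": set()}
    for line in capture.strip().splitlines():
        point, vlan, _mac, message = line.split()
        if message == "DHCP-Discover":
            seen[point].add(int(vlan))
    return seen

def triage(capture, vlan_map=VLAN_MAP):
    """Return which segment to look at next, following the steps in the reply above."""
    seen = discovers_by_side(capture)
    if not seen["untrusted"]:
        return "l2"         # nothing reaches the CAS untrusted port: L2 problem client <-> switch
    if not seen["trusted"]:
        return "cas"        # seen on untrusted only: the CAS is not mapping/forwarding
    expected = {vlan_map.get(v) for v in seen["untrusted"]}
    if not expected & seen["trusted"]:
        return "vlan-map"   # extension: forwarded, but not onto the trusted VLAN the map says
    return "upstream"       # on both sides with the right VLAN: mapping works, look at the switch
```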

I posted a few days ago some config here it is again what i did on CAS.

[root@cas ~]# cd /proc/click/intern_arpq/
[root@cas intern_arpq]# more table
[root@cas intern_arpq]#

[root@cas ~]# cd /proc/click/real_routing_table/
[root@cas real_routing_table]# more table
192.168.42.1/32         -               0 0
192.168.42.254/32       -               1 0
192.168.42.0/24         -               2 0
0.0.0.0/0               192.168.42.254  1 0
192.168.10.0/24         192.168.10.254  1 8
192.168.11.0/24         192.168.11.254  1 8
192.168.12.0/24         192.168.12.254  1 8
192.168.13.0/24         192.168.13.254  1 8
192.168.14.0/24         192.168.14.254  1 8
192.168.15.0/24         192.168.15.254  1 8
192.168.16.0/24         192.168.16.254  1 8
192.168.17.0/24         192.168.17.254  1 8
192.168.18.0/24         192.168.18.254  1 8
192.168.19.0/24         192.168.19.254  1 8
192.168.20.0/24         192.168.20.254  1 8
192.168.21.0/24         192.168.21.254  1 8
192.168.22.0/24         192.168.22.254  1 8
192.168.23.0/24         192.168.23.254  1 8
192.168.24.0/24         192.168.24.254  1 8
192.168.25.0/24         192.168.25.254  1 8
192.168.26.0/24         192.168.26.254  1 8
192.168.27.0/24         192.168.27.254  1 8
192.168.28.0/24         192.168.28.254  1 8

Moreover, the test XP Machine if i put it on vlan 29 (real access vlan) it gets ip from dhcp , fine and no probs, but when i put it on vlan 429 (mapping for 29) it is not getting IP and no traffic on eth1 happens and no ARP is learnt ?

Any troubleshooting tips there ?

Hi again,

The troubleshooting tips i gave you are the ones you should follow.

With the sniffer traces (and not those cli outputs) you will be sure if the DHCP packets are or not on the untrusted/trusted interfaces.

These are the troubleshooting steps you should follow...

Good luck.

Tiago

Well, Tiago -> what do you suggest as testing scenario

I have 6500 core switch.

what should be my SPAN source and SPAN destinations ????

i have MY OWN LAPTOP - WINDOWS 7

I have test XP Machine -

I have NAC Mgr = port 4/16

I have NAC Srvr trusted :: eth0 = port 4/18

I have NAC Srvr untrusted :: eth1 = port 4/20

Plz advise !
