04-05-2011 11:29 PM - edited 03-09-2019 11:28 PM
"CAS + CAM + TEST XP box is all on SAME L3 SWITCH just in different VLANS "
1> I have a simple setup of inband vg mode for a small set of users .
2> CAM IP is : vlan 41 = 192.168.41.1 , CAS IP : vlan 42 = 192.168.42.1 ( both are pingable from switch and also from each other boxes )
3> SSL Cert is fine and shows CAS connected in CAM.
4> I have a user vlan 29 , which i did vlan map to 429 in CAM. and also defined a managed subnet (with free ip from dhcp scope, excluded) 192.168.29.253
Following is my port config on the L3 switch :
CAM port config on switch :
===================
interface GigabitEthernet4/16
description Connected to CAM NIC 1 ETH 0
switchport
switchport access vlan 41
switchport mode access
no ip address
spanning-tree portfast
end
CAS port config on switch(trusted eth0):
==============================
interface GigabitEthernet4/18
description CAS trusted Interface ETH 0 NIC 1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10-39,42
switchport mode access
no ip address
end
CAS port config on switch(untrusted eth1):
==============================
interface GigabitEthernet4/20
description CAS Untrusted Interface ETH 1 NIC 2
switchport
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 410-439
no ip address
end
Now ......... I was before using XP laptop on vlan 29 and it was working fine, the moment i put it up on vlan 429, it stops working and not taking IP even. I wanted to AT LEAST download the AGENT on PC and then proceed on requirements of user ???? EVEN FROM CAS/NAS i did the following command and see the output : ( PLEASE SUGGEST me how to troubleshoot and proceed on this )
[root@cas ~]# more /perfigo/build
VERSION=4.8.0
NAME=Clean Access Server
DATE=2010/07/21
AUTHOR=avinkuma
BUILD_TAG=NAC-4_8_0-RC9
BUILD_INFO=Experimental
BUILT_ON=nacbuild
REBUILD_COUNT=0
[root@cas ~]#
[root@cas ~]# cd /proc/click/intern_arpq/
[root@cas intern_arpq]# more table
[root@cas intern_arpq]#
[root@cas ~]# cd /proc/click/real_routing_table/
[root@cas real_routing_table]# more table
192.168.42.1/32 - 0 0
192.168.42.254/32 - 1 0
192.168.42.0/24 - 2 0
0.0.0.0/0 192.168.42.254 1 0
192.168.10.0/24 192.168.10.254 1 8
192.168.11.0/24 192.168.11.254 1 8
192.168.12.0/24 192.168.12.254 1 8
192.168.13.0/24 192.168.13.254 1 8
192.168.14.0/24 192.168.14.254 1 8
192.168.15.0/24 192.168.15.254 1 8
192.168.16.0/24 192.168.16.254 1 8
192.168.17.0/24 192.168.17.254 1 8
192.168.18.0/24 192.168.18.254 1 8
192.168.19.0/24 192.168.19.254 1 8
192.168.20.0/24 192.168.20.254 1 8
192.168.21.0/24 192.168.21.254 1 8
192.168.22.0/24 192.168.22.254 1 8
192.168.23.0/24 192.168.23.254 1 8
192.168.24.0/24 192.168.24.254 1 8
192.168.25.0/24 192.168.25.254 1 8
192.168.26.0/24 192.168.26.254 1 8
192.168.27.0/24 192.168.27.254 1 8
192.168.28.0/24 192.168.28.254 1 8
I THINK SOME ISSUE is about UNTRUSTED ETH1 in LEARNING ? how to check it further and troubleshoot more ????
my XP desktop is fine and it works fine on vlan 29 , but in auth vlan 429 ( there is no SVI for it ) IT IS NOT WORKING ????
please help..................desperate !
04-14-2011 07:53 AM
Okay, I guess I just prefer to watch the actual interface to see if the requests are making it to the untrusted interface. It seems as though your DHCP request is never hitting the CAS, so I'd make sure it's leaving the client, maybe by spanning the port the client is connected to or you could install a sniffer client (wireshark) on the xp client.
04-16-2011 12:33 AM
hi there Phillips,
how to check if my CAS and CAM are licensed from CLI (Console version of commands)
Plz let me know,
I wanted to see CAS specially !!!!
04-14-2011 06:58 AM
Hi K,
In the switch config, it shows that the switchport connected to the untrusted CAS port is shutdown. Is this an old config or the current one??
That would be the issue if it is the current config.
-Shrikant
04-14-2011 07:31 AM
Oh , bro it is NO MORE shutdown. I posted you a bit older config, now it is no more shutdown , but following is the behaviour on CAS :
i can ping happily to CAM from CAS unit .
but
[root@cas ~]# cd /proc/click/intern_arpq/
[root@cas intern_arpq]# more table
[root@cas intern_arpq]#
[root@cas ~]# cd /proc/click/real_routing_table/
[root@cas real_routing_table]# more table
192.168.42.1/32 - 0 0
192.168.42.254/32 - 1 0
192.168.42.0/24 - 2 0
0.0.0.0/0 192.168.42.254 1 0
192.168.10.0/24 192.168.10.254 1 8
192.168.11.0/24 192.168.11.254 1 8
192.168.12.0/24 192.168.12.254 1 8
192.168.13.0/24 192.168.13.254 1 8
192.168.14.0/24 192.168.14.254 1 8
192.168.15.0/24 192.168.15.254 1 8
192.168.16.0/24 192.168.16.254 1 8
192.168.17.0/24 192.168.17.254 1 8
192.168.18.0/24 192.168.18.254 1 8
192.168.19.0/24 192.168.19.254 1 8
192.168.20.0/24 192.168.20.254 1 8
192.168.21.0/24 192.168.21.254 1 8
192.168.22.0/24 192.168.22.254 1 8
192.168.23.0/24 192.168.23.254 1 8
192.168.24.0/24 192.168.24.254 1 8
192.168.25.0/24 192.168.25.254 1 8
192.168.26.0/24 192.168.26.254 1 8
192.168.27.0/24 192.168.27.254 1 8
192.168.28.0/24 192.168.28.254 1 8
04-14-2011 07:43 AM
04-16-2011 12:33 AM
how to check if my CAS and CAM are licensed from CLI (Console version of commands)
Plz let me know,
I wanted to see CAS specially !!!!
04-16-2011 07:05 PM
Hi game,
You can check your license features from cli with this:
From CLI put:
psql -h localhost -U postgres controlsmartdb
\a
\o /root/licenses.txt
select * from flexlm_licenses;
\q
So, once you have entered these lines, on / you can find licenses.txt file, put more licenses.txt and you can read it.
Regards.
04-20-2011 01:03 AM
Hi,
The best way to see if the devices are licensed is from the GUI and NOT from the CLI.
If you can access the CAM GUI then you have the CAM license for sure.
Anyway, both the licenses are shown in the CAM GUI -> Administration -> Clean Access Manager -> Licensing.
You should have the list of licenses installed.
If you are still having trouble on your setup i seriously advise you to open a TAC case so that we can login into your devices and find out easily what is wrong.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
04-20-2011 01:08 AM
Hi again,
I did a second look over this thread and not sure if the switch config is still valid, however, can you please clarify if you are attempting OOB or InB?
And do you have managed subnets configured?
If it is OOB, do you have the switch added to your CAM?
Is the port being managed?
Again, at this stage, it would be more effective if you open a TAC case.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
04-20-2011 01:11 AM
It is INBAND and VG mode.
all trunks are coming to the core switch where my NAC both units are connected.
I had attached a diagram on the thread discussion also. And switch config posted also.
Well, already managed subnets (IP Addresses which are excluded from DHCP pool of respective VLANS) are already put up in NAC.
and also VLAN Maps are put up as well.
No idea why traffic does not TAKE THE PATH THRU NAC .???
As i said, no traffic passes, ARP is not collected on eth 1 of NAS/CAS !
04-20-2011 01:22 AM
Have you tried with a span session on the switch and mirroring the traffic of the untrusted interface to a wireshark sniffer trace?
Do you see the DHCP packets there?
If not, it is a L2 problem.
If you see them there, move to the trusted side and check.
If you see them also on the trusted side then the vlan mapping is working and it is again a switch problem.
If you see them on the untrusted and not on the trusted, then there is a problem on the CAS not doing the mapping properly.
Please make sure you use SPAN on the switch and NOT tcpdump.
In VG tcpdump is not reliable and should not be used.
But again I tend to insist on you opening a TAC case so we can login into your devices...
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
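Added example (not part of the original thread, and not Cisco code): the SPAN-based decision steps in the post above, applied to raw Ethernet frames taken from the two mirror captures. It assumes the capture preserves 802.1Q tags and uses the thread's mapping of auth VLAN 429 to access VLAN 29; the function names and the sample frames are constructed for illustration.

```python
import struct

def dhcp_client_vlans(frames):
    """Return the set of VLAN IDs carrying DHCP client requests (0 = untagged)."""
    vlans = set()
    for f in frames:
        if len(f) < 14:
            continue
        ethertype, off, vlan = struct.unpack("!H", f[12:14])[0], 14, 0
        if ethertype == 0x8100 and len(f) >= 18:        # 802.1Q tag present
            tci, ethertype = struct.unpack("!HH", f[14:18])
            vlan, off = tci & 0x0FFF, 18                # low 12 bits = VLAN ID
        if ethertype != 0x0800 or len(f) < off + 20:    # not IPv4 or truncated
            continue
        ihl = (f[off] & 0x0F) * 4                       # IPv4 header length
        if ihl < 20 or f[off + 9] != 17 or len(f) < off + ihl + 8:
            continue                                    # malformed or not UDP
        sport, dport = struct.unpack("!HH", f[off + ihl:off + ihl + 4])
        if (sport, dport) == (68, 67):                  # DHCP client -> server
            vlans.add(vlan)
    return vlans

def diagnose(untrusted, trusted, auth_vlan=429, access_vlan=29):
    """Follow the three outcomes described in the post above."""
    if auth_vlan not in dhcp_client_vlans(untrusted):
        return "L2 problem: DHCP never reaches the untrusted interface"
    if access_vlan in dhcp_client_vlans(trusted):
        return "VLAN mapping works: check the switch on the trusted side"
    return "CAS problem: auth VLAN is not being mapped to the access VLAN"

def sample_discover(vlan):
    """Constructed test frame: tagged broadcast DHCP client packet, no payload."""
    eth = b"\xff" * 6 + bytes.fromhex("001122334455")
    eth += struct.pack("!HHH", 0x8100, vlan, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    return eth + ip + udp

if __name__ == "__main__":
    # Constructed captures: request seen on eth1 side only
    print(diagnose([sample_discover(429)], []))
```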
04-20-2011 01:30 AM
I posted a few days ago some config here it is again what i did on CAS.
[root@cas ~]# cd /proc/click/intern_arpq/
[root@cas intern_arpq]# more table
[root@cas intern_arpq]#
[root@cas ~]# cd /proc/click/real_routing_table/
[root@cas real_routing_table]# more table
192.168.42.1/32 - 0 0
192.168.42.254/32 - 1 0
192.168.42.0/24 - 2 0
0.0.0.0/0 192.168.42.254 1 0
192.168.10.0/24 192.168.10.254 1 8
192.168.11.0/24 192.168.11.254 1 8
192.168.12.0/24 192.168.12.254 1 8
192.168.13.0/24 192.168.13.254 1 8
192.168.14.0/24 192.168.14.254 1 8
192.168.15.0/24 192.168.15.254 1 8
192.168.16.0/24 192.168.16.254 1 8
192.168.17.0/24 192.168.17.254 1 8
192.168.18.0/24 192.168.18.254 1 8
192.168.19.0/24 192.168.19.254 1 8
192.168.20.0/24 192.168.20.254 1 8
192.168.21.0/24 192.168.21.254 1 8
192.168.22.0/24 192.168.22.254 1 8
192.168.23.0/24 192.168.23.254 1 8
192.168.24.0/24 192.168.24.254 1 8
192.168.25.0/24 192.168.25.254 1 8
192.168.26.0/24 192.168.26.254 1 8
192.168.27.0/24 192.168.27.254 1 8
192.168.28.0/24 192.168.28.254 1 8
Moreover, the test XP Machine if i put it on vlan 29 (real access vlan) it gets ip from dhcp , fine and no probs, but when i put it on vlan 429 (mapping for 29) it is not getting IP and no traffic on eth1 happens and no ARP is learnt ?
Any troubleshooting tips there ?
04-20-2011 01:33 AM
Hi again,
The troubleshooting tips i gave you are the ones you should follow.
With the sniffer traces (and not those cli outputs) you will be sure if the DHCP packets are or not on the untrusted/trusted interfaces.
These are the troubleshooting steps you should follow...
Good luck.
Tiago
04-20-2011 01:56 AM
Well, Tiago -> what do you suggest as testing scenario
I have 6500 core switch.
what should be my SPAN source and SPAN destinations ????
i have MY OWN LAPTOP - WINDOWS 7
I have test XP Machine -
I have NAC Mgr = port 4/16
I have NAC Srvr trusted ::eth0 = port 4/18
NAC Srvr untrusted :: eth1 = port 4/20
Plz advice !