I am trying to create an IP session on an ASR (ASR 1006, asr1000rp2-advipservices.03.11.01.S.154-1.S1-std.bin). I read the manual "Configuring ISG Access for IP Subscriber Sessions" and created a minimal configuration on the ASR, but I can't start the session:
Router#show subscriber session
%No active Subscriber Sessions
There are no messages in debug:
SSS:
 SSS Manager events debugging is on
 SSS packet detail debugging is on
 SSS packet full detail debugging is on
 SSS Manager errors debugging is on
 SSS Template events debugging is on
 SSS Template errors debugging is on
 SSS Manager fsm debugging is on
 SSS simulator/testing debugging is on
 all IC debugs debugging is on
 SSS Feature Manager all debugging is on
 SSS policy all debugs debugging is on
 SSS Mobility events debugging is on
 SSS Mobility errors debugging is on
Subscriber SerVice Manager:
 SSS Service Manager debugging is on
IP subscriber lite:
 IP Lite session events debugging is on
 IP Lite session errors debugging is on
The subscriber connects to the ASR from an L2 network.
Router#show startup-config
Using 4288 out of 33554432 bytes
!
! Last configuration change at 14:54:15 UTC Thu Jun 26 2014 by vl
! NVRAM config last updated at 14:55:01 UTC Thu Jun 26 2014 by vl
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
no platform punt-keepalive disable-kernel-core
platform shell
!
hostname Router
!
boot-start-marker
boot system bootflash:asr1000rp2-advipservices.03.11.01.S.154-1.S1-std.bin
boot system bootflash:asr1000rp2-advipservices.03.06.00.S.152-2.S.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging buffered
enable secret 4 /3cauCNTu3i4Rj9I
!
aaa new-model
!
!
aaa group server radius ISG-RADIUS
 server 220.127.116.11 auth-port 1812 acct-port 1813
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS
!
!
!
!
!
aaa session-id common
!
!
!
no subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service LOCAL_L4R
 ip access-group 197 in
 ip access-group 197 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to ip 10.50.50.7 port 80
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name LOCAL_L4R
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
!
!
!
!
!
!
!
!
interface TenGigabitEthernet0/0/0
 no ip address
!
interface TenGigabitEthernet0/0/0.4000
 encapsulation dot1Q 4000
 ip address 18.104.22.168 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4026
 encapsulation dot1Q 4026
 ip address 10.10.10.5 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4027
 encapsulation dot1Q 4027
 ip address 10.50.50.5 255.255.255.0
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.254.10.4 255.255.0.0
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
!
access-list 195 permit ip 10.50.50.0 0.0.0.255 any
access-list 195 permit ip any 10.50.50.0 0.0.0.255
access-list 195 deny ip any any
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 22.214.171.124 auth-port 1812 acct-port 1813 key 7 0105071742
radius-server vsa send cisco-nas-port
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 logging synchronous
!
!
end
I see you are using initiator unclassified ip-address. How exactly are you trying to trigger the session here? What type of traffic are you sending from your CPE? Please make sure you send a packet which 'crosses' the ISG box. A packet with destination the ISG will not trigger a session. Only a packet that needs to be forwarded by the ISG will. If you are not seeing anything with those debugs, it seems like no FSOL is seen to spawn the session.
Also, if your subscriber is connected via an L2 network, why do you configure "ip subscriber routed"? This is conceptually wrong, since you are telling the ISG that the subscriber is connecting via an L3 routed network, which is not correct according to what you say.
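The mode mismatch raised in the reply, shown as an added example that is not part of the original posts: the subscriber-facing subinterface as posted, next to a variant that declares the subscriber as L2-connected. Keeping the same initiator in the variant is an assumption; the thread does not say which initiator to use.

```cisco
! As posted: the ISG is told the subscriber arrives through a routed (L3) network
interface TenGigabitEthernet0/0/0.4027
 encapsulation dot1Q 4027
 ip address 10.50.50.5 255.255.255.0
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
! Variant (assumption): subscriber sits on the same Layer 2 segment as the ISG
interface TenGigabitEthernet0/0/0.4027
 encapsulation dot1Q 4027
 ip address 10.50.50.5 255.255.255.0
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber l2-connected
  initiator unclassified ip-address
```

In either mode, an unclassified-traffic initiator only sees a first sign of life when the subscriber sends a packet that the ISG has to forward, so test with traffic to a destination beyond 10.50.50.5 and then re-run `show subscriber session`.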