cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1125
Views
0
Helpful
1
Replies

ASR 1006 ISG create session

vlasglass
Level 1
Level 1

Hello,

please can you help me,what i do wrong ?

I am try to create ip session on ASR (ASR 1006 asr1000rp2-advipservices.03.11.01.S.154-1.S1-std.bin).
 I read this manual "Configuring ISG Access for IP Subscriber Sessions" and create minimal configuration on ASR. But cant start the session

( Router#show subscriber session
%No active Subscriber Sessions)

on debug is no messages

SSS:
  SSS Manager events debugging is on
  SSS packet detail debugging is on
  SSS packet full detail debugging is on
  SSS Manager errors debugging is on
  SSS Template events debugging is on
  SSS Template errors debugging is on
  SSS Manager fsm debugging is on
  SSS simulator/testing debugging is on
  all IC debugs debugging is on
  SSS Feature Manager all debugging is on
  SSS policy all debugs debugging is on
  SSS Mobility events debugging is on
  SSS Mobility errors debugging is on
Subscriber SerVice Manager:
  SSS Service Manager debugging is on
IP subscriber lite:
  IP Lite session events debugging is on
  IP Lite session errors debugging is on

 

Subscriber connect to ASR from l2 network.

 

 Router#show startup-config
Using 4288 out of 33554432 bytes
!
! Last configuration change at 14:54:15 UTC Thu Jun 26 2014 by vl
! NVRAM config last updated at 14:55:01 UTC Thu Jun 26 2014 by vl
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
no platform punt-keepalive disable-kernel-core
platform shell
!
hostname Router
!
boot-start-marker
boot system bootflash:asr1000rp2-advipservices.03.11.01.S.154-1.S1-std.bin
boot system bootflash:asr1000rp2-advipservices.03.06.00.S.152-2.S.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging buffered
enable secret 4 /3cauCNTu3i4Rj9I
!
aaa new-model
!
!
aaa group server radius ISG-RADIUS
 server 172.50.50.7 auth-port 1812 acct-port 1813
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS
!
!
!
!
!
aaa session-id common
!
!
!
no subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
spanning-tree extend system-id

!
redundancy
 mode sso
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!         
policy-map type service LOCAL_L4R
 ip access-group 197 in
 ip access-group 197 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to ip 10.50.50.7 port 80
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name LOCAL_L4R
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
!
!
!
!
!
!
!
!
interface TenGigabitEthernet0/0/0
 no ip address
!
interface TenGigabitEthernet0/0/0.4000
 encapsulation dot1Q 4000
 ip address 172.50.50.3 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4026
 encapsulation dot1Q 4026
 ip address 10.10.10.5 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4027
 encapsulation dot1Q 4027
 ip address 10.50.50.5 255.255.255.0
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.254.10.4 255.255.0.0
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
!
access-list 195 permit ip 10.50.50.0 0.0.0.255 any
access-list 195 permit ip any 10.50.50.0 0.0.0.255
access-list 195 deny   ip any any
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny   ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 172.50.50.7 auth-port 1812 acct-port 1813 key 7 0105071742
radius-server vsa send cisco-nas-port
!
!         
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 logging synchronous
!
!
end

 

1 Reply 1

Manuel Rodriguez
Cisco Employee
Cisco Employee

Hi,

 

I see you are using initiator unclassified ip-address. How exactly are you trying to trigger the session here? What type of traffic are you sending from your CPE? Please make sure you send a packet which 'crosses' the ISG box. A packet with destination the ISG will not trigger a session. Only a packet that needs to be forwarded by the ISG will. If you are not seeing anything with those debugs, it seems like no FSOL is seen to spawn the session.

Also, if your subscriber is connected with L2 network, why do you configure "ip subscriber routed"? This is conceptually wrong since you are telling to ISG that the subscriber is connecting via a L3 routed network which is not correct according to what you say.

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: