I am trying to create an IP session on an ASR (ASR 1006, asr1000rp2-advipservices.03.11.01.S.154-1.S1-std.bin). I read the manual "Configuring ISG Access for IP Subscriber Sessions" and created a minimal configuration on the ASR, but I can't start the session
(Router#show subscriber session %No active Subscriber Sessions)
There are no messages in debug:
SSS:
  SSS Manager events debugging is on
  SSS packet detail debugging is on
  SSS packet full detail debugging is on
  SSS Manager errors debugging is on
  SSS Template events debugging is on
  SSS Template errors debugging is on
  SSS Manager fsm debugging is on
  SSS simulator/testing debugging is on
  all IC debugs debugging is on
  SSS Feature Manager all debugging is on
  SSS policy all debugs debugging is on
  SSS Mobility events debugging is on
  SSS Mobility errors debugging is on
Subscriber SerVice Manager:
  SSS Service Manager debugging is on
IP subscriber lite:
  IP Lite session events debugging is on
  IP Lite session errors debugging is on
The subscriber connects to the ASR from an L2 network.
Router#show startup-config
Using 4288 out of 33554432 bytes
!
! Last configuration change at 14:54:15 UTC Thu Jun 26 2014 by vl
! NVRAM config last updated at 14:55:01 UTC Thu Jun 26 2014 by vl
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
no platform punt-keepalive disable-kernel-core
platform shell
!
hostname Router
!
boot-start-marker
boot system bootflash:asr1000rp2-advipservices.03.11.01.S.154-1.S1-std.bin
boot system bootflash:asr1000rp2-advipservices.03.06.00.S.152-2.S.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging buffered
enable secret 4 /3cauCNTu3i4Rj9I
!
aaa new-model
!
!
aaa group server radius ISG-RADIUS
 server 220.127.116.11 auth-port 1812 acct-port 1813
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS
!
!
!
!
!
aaa session-id common
!
!
!
no subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service LOCAL_L4R
 ip access-group 197 in
 ip access-group 197 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to ip 10.50.50.7 port 80
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name LOCAL_L4R
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
!
!
!
!
!
!
!
!
interface TenGigabitEthernet0/0/0
 no ip address
!
interface TenGigabitEthernet0/0/0.4000
 encapsulation dot1Q 4000
 ip address 18.104.22.168 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4026
 encapsulation dot1Q 4026
 ip address 10.10.10.5 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4027
 encapsulation dot1Q 4027
 ip address 10.50.50.5 255.255.255.0
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.254.10.4 255.255.0.0
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
!
access-list 195 permit ip 10.50.50.0 0.0.0.255 any
access-list 195 permit ip any 10.50.50.0 0.0.0.255
access-list 195 deny ip any any
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 22.214.171.124 auth-port 1812 acct-port 1813 key 7 0105071742
radius-server vsa send cisco-nas-port
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 logging synchronous
!
!
end
I see you are using initiator unclassified ip-address. How exactly are you trying to trigger the session here? What type of traffic are you sending from your CPE? Please make sure you send a packet which 'crosses' the ISG box. A packet whose destination is the ISG will not trigger a session. Only a packet that needs to be forwarded by the ISG will. If you are not seeing anything with those debugs, it seems like no FSOL is seen to spawn the session.
Also, if your subscriber is connected via an L2 network, why do you configure "ip subscriber routed"? This is conceptually wrong, since you are telling the ISG that the subscriber is connecting via an L3 routed network, which is not correct according to what you say.
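The rule stated in the first reply, as an added example that is not part of the original thread: it parses an interface excerpt of the posted configuration and classifies a test packet as destined to the ISG (no session) or transit (candidate FSOL), and reports the configured `ip subscriber` mode so it can be compared with the actual access topology. The function names and the 192.0.2.10 test destination are assumptions made for illustration; this models only what the reply states, not how IOS XE classifies packets internally.

```python
import ipaddress
import re

# Interface excerpt from the configuration posted above, re-indented.
CONFIG = """\
interface TenGigabitEthernet0/0/0.4026
 encapsulation dot1Q 4026
 ip address 10.10.10.5 255.255.255.0
!
interface TenGigabitEthernet0/0/0.4027
 encapsulation dot1Q 4027
 ip address 10.50.50.5 255.255.255.0
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
"""

def parse_interfaces(text):
    """Map interface name -> its IPv4 address and `ip subscriber` mode."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = interfaces.setdefault(name, {"ip": None, "mode": None})
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current is not None:
            addr = re.match(r"\s+ip address (\S+) (\S+)\s*$", line)
            mode = re.match(r"\s+ip subscriber (\S+)", line)
            if addr:
                current["ip"] = ipaddress.ip_interface("/".join(addr.groups()))
            if mode:
                current["mode"] = mode.group(1)
    return interfaces

def fsol_check(interfaces, ingress, dst):
    """Model of the reply's rule: only a packet the ISG must forward can start a session."""
    intf = interfaces.get(ingress)
    if intf is None or intf["mode"] is None:
        return "no ip subscriber configured on the ingress interface"
    local = {i["ip"].ip for i in interfaces.values() if i["ip"]}
    if ipaddress.ip_address(dst) in local:
        return "destined to the ISG itself: no session is triggered"
    return f"transit packet: candidate FSOL ({intf['mode']} mode)"

INTERFACES = parse_interfaces(CONFIG)
SUB_IF = "TenGigabitEthernet0/0/0.4027"  # the subscriber-facing subinterface
```

A ping from the CPE to 10.50.50.5 falls in the first category, which matches the empty debug output described in the question.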