cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
844
Views
0
Helpful
1
Replies
dcrichter
Beginner

ASR1002x PPPoE Subinterface network authorization problem

I have been able to bring up PPPoE services both on the router itself and sending authentication to a free-radius server. Unfortunately when I initiate Network Authorization. PPPoE sessions fail and i receive this error in the debug radius brief logs " %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50

I found one article on this but was unable to replicate the success of it. Below is the config and some debug logs.

 

!
aaa new-model
!
!
aaa group server radius RADIUS_SERVER
 server xx.xx.xx.66 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp default group RADIUS_SERVER
aaa authorization network default group RADIUS_SERVER
aaa authorization auth-proxy default group RADIUS_SERVER
aaa accounting send stop-record authentication failure
aaa accounting send stop-record always
aaa accounting delay-start
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting exec default start-stop group RADIUS_SERVER
aaa accounting network default start-stop group RADIUS_SERVER
aaa accounting connection default start-stop group RADIUS_SERVER
aaa accounting system default
 action-type start-stop
 group RADIUS_SERVER
!
aaa accounting resource default stop-failure group RADIUS_SERVER
!
aaa nas port extended
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
!

bba-group pppoe 880
 virtual-template 880
 vendor-tag circuit-id service
 sessions per-vc limit 65000
 sessions per-mac limit 2
 sessions per-vlan limit 65000
 sessions auto cleanup
!

interface GigabitEthernet0/0/1.880
 encapsulation dot1Q 880 second-dot1q any
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pppoe enable group 880

!

interface Virtual-Template880
 ip unnumbered Loopback1
 no ip redirects
 no peer default ip address
 ppp authentication chap

!

radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format d
radius-server host xx.xx.xx.66 auth-port 1812 acct-port 1813
radius-server timeout 60
radius-server unique-ident 2
radius-server key 7 xxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

!

 

*Aug  7 07:17:31.004: RADIUS: acct-timeout  for 7F7C777020BC now 240, acct-jitter 0, acct-delay-time (at 7F7C77702276) now 240
*Aug  7 07:17:31.004: RADIUS: No response from (208.123.195.66:1812,1813) for id 1646/69
*Aug  7 07:17:31.004: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Aug  7 07:17:31.004: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Aug  7 07:17:34.901: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.901: RADIUS: DSL line rate attributes successfully added
*Aug  7 07:17:34.901: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.902: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.902: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
*Aug  7 07:17:34.902: RADIUS/ENCODE(000042EF): acct_session_id: 30787
*Aug  7 07:17:34.902: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.902: RADIUS(000042EF): sending
*Aug  7 07:17:34.902: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.902: RADIUS(000042EF): Send Access-Request to 208.123.195.66:1812 id 1645/35,len 167
*Aug  7 07:17:34.902: RADIUS:  authenticator 64 0E 60 7E A9 03 01 4F - 9E 0F DD 36 31 47 FF 51
*Aug  7 07:17:34.902: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.902: RADIUS:  User-Name           [1]   10  "drichter"
*Aug  7 07:17:34.902: RADIUS:  CHAP-Password       [3]   19  *
*Aug  7 07:17:34.902: RADIUS:  NAS-Port-Type       [61]  6   PPPoEoQinQ                [34]
*Aug  7 07:17:34.902: RADIUS:  NAS-Port            [5]   6   37160851                  
*Aug  7 07:17:34.902: RADIUS:  NAS-Port-Id         [87]  16  "0/0/2/880.1939"
*Aug  7 07:17:34.902: RADIUS:  Vendor, Cisco       [26]  41  
*Aug  7 07:17:34.902: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8c0.9123.30cc"
*Aug  7 07:17:34.902: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Aug  7 07:17:34.902: RADIUS:  NAS-IP-Address      [4]   6   66.135.67.4               
*Aug  7 07:17:34.902: RADIUS:  Nas-Identifier      [32]  31  "ro.03.core.hoc.montanasat.net"
*Aug  7 07:17:34.902: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.904: RADIUS: Received from id 1645/35 208.123.195.66:1812, Access-Accept, len 115
*Aug  7 07:17:34.904: RADIUS:  authenticator 65 9D 3A 60 1B 92 66 6E - 42 18 5F CD C9 4B 32 99
*Aug  7 07:17:34.904: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.904: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
*Aug  7 07:17:34.904: RADIUS:  Framed-IP-Address   [8]   6   66.135.70.50              
*Aug  7 07:17:34.904: RADIUS:  NAS-IP-Address      [4]   6   66.135.67.4               
*Aug  7 07:17:34.904: RADIUS:  Vendor, Cisco       [26]  65  
*Aug  7 07:17:34.904: RADIUS:   Cisco AVpair       [1]   59  "interface-config=ppp ipcp dns 216.211.190.3 216.211.191.3"
*Aug  7 07:17:34.904: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255           
*Aug  7 07:17:34.904: RADIUS(000042EF): Received from id 1645/35
*Aug  7 07:17:34.909: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Aug  7 07:17:34.910: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Aug  7 07:17:34.928: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50
*Aug  7 07:17:34.930: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.930: RADIUS/ENCODE(000042EF): Acct-session-id pre-pended with Nas Port = 0/0/2/880.1939
*Aug  7 07:17:34.930: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.930: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.930: RADIUS: Attribute 55 not sent, as system clock is not set
*Aug  7 07:17:34.931: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.933: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.933: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.933: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.933: RADIUS/ENCODE(000042EF): Acct-session-id pre-pended with Nas Port = 0/0/2/880.1939
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.933: RADIUS: Attribute 55 not sent, as system clock is not set
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.935: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.935: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug  7 07:17:34.936: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Aug  7 07:17:36.285: RADIUS(000042E6): Request timed out!

1 REPLY 1
Manuel Rodriguez
Cisco Employee

Hi,

The "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50" meesage means that the session came up using a full Virtual-Access Interface (VAI). VAI interfaces are not supported on ASR1k platform dur to scalability. Only sub-interfaces are supported. Most likely here, some configuration is forcing the full VAI.

Looking at the radius profile sent for the user I see you are sending "Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]". Most likely this is forcing the full VAI. Please remove that attribute from the radius profile and try again. Also make sure you have configured "aaa policy interface-config allow-subinterface" in global config.

 

Regards

 

Content for Community-Ad