
ASR1002x PPPoE Subinterface network authorization problem

dcrichter
Level 1

I have been able to bring up PPPoE services both on the router itself and sending authentication to a free-radius server. Unfortunately, when I initiate Network Authorization, PPPoE sessions fail and I receive this error in the debug radius brief logs: "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50"

I found one article on this but was unable to replicate the success of it. Below is the config and some debug logs.

 

!
aaa new-model
!
!
aaa group server radius RADIUS_SERVER
 server xx.xx.xx.66 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp default group RADIUS_SERVER
aaa authorization network default group RADIUS_SERVER
aaa authorization auth-proxy default group RADIUS_SERVER
aaa accounting send stop-record authentication failure
aaa accounting send stop-record always
aaa accounting delay-start
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting exec default start-stop group RADIUS_SERVER
aaa accounting network default start-stop group RADIUS_SERVER
aaa accounting connection default start-stop group RADIUS_SERVER
aaa accounting system default
 action-type start-stop
 group RADIUS_SERVER
!
aaa accounting resource default stop-failure group RADIUS_SERVER
!
aaa nas port extended
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
!

bba-group pppoe 880
 virtual-template 880
 vendor-tag circuit-id service
 sessions per-vc limit 65000
 sessions per-mac limit 2
 sessions per-vlan limit 65000
 sessions auto cleanup
!

interface GigabitEthernet0/0/1.880
 encapsulation dot1Q 880 second-dot1q any
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pppoe enable group 880

!

interface Virtual-Template880
 ip unnumbered Loopback1
 no ip redirects
 no peer default ip address
 ppp authentication chap

!

radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format d
radius-server host xx.xx.xx.66 auth-port 1812 acct-port 1813
radius-server timeout 60
radius-server unique-ident 2
radius-server key 7 xxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

!

 

*Aug  7 07:17:31.004: RADIUS: acct-timeout  for 7F7C777020BC now 240, acct-jitter 0, acct-delay-time (at 7F7C77702276) now 240
*Aug  7 07:17:31.004: RADIUS: No response from (208.123.195.66:1812,1813) for id 1646/69
*Aug  7 07:17:31.004: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Aug  7 07:17:31.004: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Aug  7 07:17:34.901: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.901: RADIUS: DSL line rate attributes successfully added
*Aug  7 07:17:34.901: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.902: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.902: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
*Aug  7 07:17:34.902: RADIUS/ENCODE(000042EF): acct_session_id: 30787
*Aug  7 07:17:34.902: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.902: RADIUS(000042EF): sending
*Aug  7 07:17:34.902: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.902: RADIUS(000042EF): Send Access-Request to 208.123.195.66:1812 id 1645/35,len 167
*Aug  7 07:17:34.902: RADIUS:  authenticator 64 0E 60 7E A9 03 01 4F - 9E 0F DD 36 31 47 FF 51
*Aug  7 07:17:34.902: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.902: RADIUS:  User-Name           [1]   10  "drichter"
*Aug  7 07:17:34.902: RADIUS:  CHAP-Password       [3]   19  *
*Aug  7 07:17:34.902: RADIUS:  NAS-Port-Type       [61]  6   PPPoEoQinQ                [34]
*Aug  7 07:17:34.902: RADIUS:  NAS-Port            [5]   6   37160851                  
*Aug  7 07:17:34.902: RADIUS:  NAS-Port-Id         [87]  16  "0/0/2/880.1939"
*Aug  7 07:17:34.902: RADIUS:  Vendor, Cisco       [26]  41  
*Aug  7 07:17:34.902: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8c0.9123.30cc"
*Aug  7 07:17:34.902: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Aug  7 07:17:34.902: RADIUS:  NAS-IP-Address      [4]   6   66.135.67.4               
*Aug  7 07:17:34.902: RADIUS:  Nas-Identifier      [32]  31  "ro.03.core.hoc.montanasat.net"
*Aug  7 07:17:34.902: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.904: RADIUS: Received from id 1645/35 208.123.195.66:1812, Access-Accept, len 115
*Aug  7 07:17:34.904: RADIUS:  authenticator 65 9D 3A 60 1B 92 66 6E - 42 18 5F CD C9 4B 32 99
*Aug  7 07:17:34.904: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.904: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
*Aug  7 07:17:34.904: RADIUS:  Framed-IP-Address   [8]   6   66.135.70.50              
*Aug  7 07:17:34.904: RADIUS:  NAS-IP-Address      [4]   6   66.135.67.4               
*Aug  7 07:17:34.904: RADIUS:  Vendor, Cisco       [26]  65  
*Aug  7 07:17:34.904: RADIUS:   Cisco AVpair       [1]   59  "interface-config=ppp ipcp dns 216.211.190.3 216.211.191.3"
*Aug  7 07:17:34.904: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255           
*Aug  7 07:17:34.904: RADIUS(000042EF): Received from id 1645/35
*Aug  7 07:17:34.909: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Aug  7 07:17:34.910: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Aug  7 07:17:34.928: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50
*Aug  7 07:17:34.930: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.930: RADIUS/ENCODE(000042EF): Acct-session-id pre-pended with Nas Port = 0/0/2/880.1939
*Aug  7 07:17:34.930: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.930: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.930: RADIUS: Attribute 55 not sent, as system clock is not set
*Aug  7 07:17:34.931: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.933: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.933: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.933: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.933: RADIUS/ENCODE(000042EF): Acct-session-id pre-pended with Nas Port = 0/0/2/880.1939
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.933: RADIUS: Attribute 55 not sent, as system clock is not set
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.935: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.935: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug  7 07:17:34.936: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Aug  7 07:17:36.285: RADIUS(000042E6): Request timed out!

1 Reply

Manuel Rodriguez
Cisco Employee

Hi,

The "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50" message means that the session came up using a full Virtual-Access Interface (VAI). VAI interfaces are not supported on the ASR1k platform due to scalability. Only sub-interfaces are supported. Most likely here, some configuration is forcing the full VAI.

Looking at the radius profile sent for the user I see you are sending "Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]". Most likely this is forcing the full VAI. Please remove that attribute from the radius profile and try again. Also make sure you have configured "aaa policy interface-config allow-subinterface" in global config.

 

Regards
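
The check described in the reply can be run over a saved `debug radius` capture. This is an added example, not part of the original thread or Cisco tooling: it lists, for each FULLVAI failure, the attributes from the preceding Access-Accept that the reply says to review. The function name, the sample log, and its documentation-range addresses are constructed for illustration.

```python
import re

HDR = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+),")
ATTR = re.compile(r"RADIUS:\s+(.+?)\s+\[(\d+)\]\s+(\d+)\s*(.*)$")

def fullvai_suspects(log_text):
    """For each FULLVAI failure, return (RADIUS packet id, attributes to review)
    taken from the Access-Accept that preceded it."""
    findings, accept, pkt_id = [], None, None
    for line in log_text.splitlines():
        hdr = HDR.search(line)
        if hdr:
            pkt_id = hdr.group(1)
            accept = [] if hdr.group(2) == "Access-Accept" else None
        elif "Send Access-Request" in line:
            accept = None  # following attribute lines belong to the request
        elif "%FMANRP_ESS-4-FULLVAI" in line and accept is not None:
            review = []
            for name, num, value in accept:
                if (name, num) == ("Framed-Compression", 13):
                    review.append("Framed-Compression")  # named in the reply
                elif name == "Cisco AVpair" and value.startswith('"interface-config='):
                    # reply: confirm "aaa policy interface-config allow-subinterface"
                    review.append(value.strip('"'))
            findings.append((pkt_id, review))
            accept = None
        elif accept is not None:
            attr = ATTR.search(line)
            if attr:
                accept.append((attr.group(1), int(attr.group(2)), attr.group(4).strip()))
    return findings

# Constructed sample in the format of the debug output above (documentation IPs).
SAMPLE = """\
*Aug  7 07:17:34.902: RADIUS(000042EF): Send Access-Request to 192.0.2.66:1812 id 1645/35,len 167
*Aug  7 07:17:34.902: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.904: RADIUS: Received from id 1645/35 192.0.2.66:1812, Access-Accept, len 115
*Aug  7 07:17:34.904: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.904: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
*Aug  7 07:17:34.904: RADIUS:  Vendor, Cisco       [26]  65
*Aug  7 07:17:34.904: RADIUS:   Cisco AVpair       [1]   59  "interface-config=ppp ipcp dns 198.51.100.3"
*Aug  7 07:17:34.928: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported.
"""

if __name__ == "__main__":
    for pkt, attrs in fullvai_suspects(SAMPLE):
        print(f"FULLVAI after Access-Accept id {pkt}: review {attrs}")
```
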