Cannot get ip from DHCP on WAN interface ISR 4331 router

hmc2500
Level 1

Hi, I have configured the WAN-facing interface with ip address dhcp but do not get an IP address on the router. I have tested the line with a computer and I'm able to get a DHCP address. Does the ISR 4331 block DHCP traffic in from the WAN interface?

11 Replies

Is the interface up? You are not using the management gigabit interface?

Please share the "sh ip int brief".

Yes, I did the "sh ip int brief" but it showed unassigned for the IP address of the gi0/0/0 interface. The gi0/0/0 interface is up. I have configured the management interface with a static address and that is showing with its IP address just fine. I tried executing the command renew dhcp gi0/0/0 but it does not do anything. When I assign the gi0/0/0 WAN interface a static address it works fine. It just does not get a DHCP address.

Is there a "debug dhcp" command you can use to see if trying

Haven't thought of that. Will try that. 

OK, tried it and I saw this:

*Jan 22 15:25:57.181:             B'cast on GigabitEthernet0/0/0 interface from 0.0.0.0
*Jan 22 15:26:09.275: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x1F84BD5A%Unknown DHCP problem.. No allocation possible
*Jan 22 15:26:10.158: DHCP: Waiting for 60 seconds on interface GigabitEthernet0/0/0

I then tried the following, rebooted, and then it started working:

ip access-list extended 101
 permit udp any any eq bootpc
Int gi0/0/0
 ip access-group 101 in

So I think it was blocking it on the outside interface. And I would not want to configure it this way but what other choice do you have if your ISP only allows you to get an ip from DHCP?

It looks like some ISPs use bootp. I found a number of config posts on the Internet where people had to do exactly what you did to get it to work.

I now have Radius issues on this ISR 4331? Radius works with other Cisco switches with no problem. I can ping the ISR4331 from the radius server but I cannot ping the radius server from the ISR4331. I even had an ext access list for this applied inbound to the internal interface (not the management interface) but it did not work. Any idea what to try?

Radius debug logs:

*Jan 25 16:36:50.876: AAA/BIND(00000011): Bind i/f
*Jan 25 16:36:50.876: AAA/AUTHEN/LOGIN (00000011): Pick method list 'default'
*Jan 25 16:36:50.876: AAA SRV(00000011): process authen req
*Jan 25 16:36:50.876: AAA SRV(00000011): Authen method=SERVER_GROUP radius
*Jan 25 16:36:50.876: RADIUS/ENCODE(00000011): ask "Username: "
*Jan 25 16:36:50.876: RADIUS/ENCODE(00000011): send packet; GET_USER
*Jan 25 16:36:50.876: AAA SRV(00000011): protocol reply GET_USER for Authentication
*Jan 25 16:36:50.876: AAA SRV(00000011): Return Authentication status=GET_USER
*Jan 25 16:36:59.088: AAA SRV(00000011): process authen req
*Jan 25 16:36:59.088: AAA SRV(00000011): Authen method=SERVER_GROUP radius
*Jan 25 16:36:59.088: RADIUS/ENCODE(00000011): ask "Password: "
*Jan 25 16:36:59.088: RADIUS/ENCODE(00000011): send packet; GET_PASSWORD
*Jan 25 16:36:59.088: AAA SRV(00000011): protocol reply GET_PASSWORD for Authentication
*Jan 25 16:36:59.088: AAA SRV(00000011): Return Authentication status=GET_PASSWORD
*Jan 25 16:37:02.558: AAA SRV(00000011): process authen req
*Jan 25 16:37:02.558: AAA SRV(00000011): Authen method=SERVER_GROUP radius_ew
*Jan 25 16:37:02.558: RADIUS/ENCODE(00000011):Orig. component type = Exec
*Jan 25 16:37:02.558: RADIUS(00000011): Config NAS IP: 0.0.0.0
*Jan 25 16:37:02.558: RADIUS(00000011): Config NAS IPv6: ::
*Jan 25 16:37:02.558: RADIUS/ENCODE(00000011): acct_session_id: 7
*Jan 25 16:37:02.558: RADIUS(00000011): Config NAS IP: 0.0.0.0
*Jan 25 16:37:02.558: RADIUS(00000011): sending
*Jan 25 16:37:02.558: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server 192.168.11.58
*Jan 25 16:37:02.558: RADIUS(00000011): Send Access-Request to y.y.y.y:1645 id 1645/6, len 103
*Jan 25 16:37:02.558: RADIUS: authenticator 92 27 21 1E 2E D6 A7 94 - C1 8C EB 03 6B 18 E5 7C
*Jan 25 16:37:02.558: RADIUS: User-Name [1] 23 "username"
*Jan 25 16:37:02.558: RADIUS: User-Password [2] 18 *
*Jan 25 16:37:02.558: RADIUS: NAS-Port [5] 6 2
*Jan 25 16:37:02.558: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 25 16:37:02.558: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 25 16:37:02.558: RADIUS: Service-Type [6] 6 Login [1]
*Jan 25 16:37:02.558: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Jan 25 16:37:02.558: RADIUS: Nas-Identifier [32] 12 "SungardInt"
*Jan 25 16:37:02.558: RADIUS(00000011): Sending a IPv4 Radius Packet
*Jan 25 16:37:02.558: RADIUS(00000011): Started 3 sec timeout
*Jan 25 16:37:05.606: RADIUS(00000011): Request timed out!
*Jan 25 16:37:05.606: RADIUS: Retransmit to (y.y.y.y:1645,1646) for id 1645/6
*Jan 25 16:37:05.606: RADIUS(00000011): Started 3 sec timeout
*Jan 25 16:37:08.619: RADIUS(00000011): Request timed out!
*Jan 25 16:37:08.619: RADIUS: No response from (y.y.y.y:1645,1646) for id 1645/6
*Jan 25 16:37:08.619: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Jan 25 16:37:08.619: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Jan 25 16:37:08.619: AAA SRV(00000011): protocol reply FAIL for Authentication
*Jan 25 16:37:08.619: AAA SRV(00000011): Authen method=LOCAL
*Jan 25 16:37:08.619: AAA SRV(00000011): protocol reply FAIL for Authentication
*Jan 25 16:37:08.619: AAA SRV(00000011): Authen method=NOT_SET - No methods left to try
*Jan 25 16:37:08.619: AAA SRV(00000011): Return Authentication status=FAIL
*Jan 25 16:37:12.619: AAA/AUTHEN/LOGIN (00000011): Pick method list 'default'
*Jan 25 16:37:12.619: AAA SRV(00000011): process authen req
*Jan 25 16:37:12.619: AAA SRV(00000011): Authen method=SERVER_GROUP radius
*Jan 25 16:37:12.619: RADIUS/ENCODE(00000011): ask "Username: "
*Jan 25 16:37:12.619: RADIUS/ENCODE(00000011): send packet; GET_USER
*Jan 25 16:37:12.619: AAA SRV(00000011): protocol reply GET_USER for Authentication
*Jan 25 16:37:12.619: AAA SRV(00000011): Return Authentication status=GET_USER

Appears to be working now, had to plug in both the management interface and other internal LAN port.

See this link for configuring the management interface:

http://www.cisco.com/c/en/us/td/docs/routers/access/4400/software/configuration/guide/isr4400swcfg/bm_isr_4400_sw_config_guide_chapter_011.html#concept_67E9623DDC71491E9D2177A664C2BB94

Configuring a RADIUS or TACACS+ Server Group

To group the Management VRF as part of an AAA server group, enter the ip vrf forward Mgmt-intf command when configuring the AAA server group.

The same concept is true for configuring a TACACS+ server group. To group the Management VRF as part of a TACACS+ server group, enter the ip vrf forwarding Mgmt-intf command when configuring the TACACS+ server group.

The following is an example of configuring a RADIUS server group:

Router(config)# aaa group server radius hello
Router(config-sg-radius)# ip vrf forwarding Mgmt-intf

The following is an example of configuring a TACACS+ server group:

Router(config)# aaa group server tacacs+ hello
Router(config-sg-tacacs+)# ip vrf forwarding Mgmt-intf

DHCP: SDiscover attempt # 2 for entry:
*Feb 14 14:12:08.834: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0/0
*Feb 14 14:12:08.835: Temp sub net mask: 0.0.0.0
*Feb 14 14:12:08.835: DHCP Lease server: 0.0.0.0, state: 3 Selecting
*Feb 14 14:12:08.835: DHCP transaction id: 1B90
*Feb 14 14:12:08.835: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Feb 14 14:12:08.835: Next timer fires after: 00:00:04
*Feb 14 14:12:08.835: Retry count: 2 Client-ID: cisco-6cdd.30af.b000-Gi0/0/0
*Feb 14 14:12:08.835: Client-ID hex dump: 636973636F2D366364642E333061662E
*Feb 14 14:12:08.835: 623030302D4769302F302F30
*Feb 14 14:12:08.835: Hostname: ciscorouter_SE
*Feb 14 14:12:08.835: DHCP: SDiscover placed class-id option: 636973636F706E70
*Feb 14 14:12:08.835: DHCP: SDiscover: sending 315 byte length DHCP packet
*Feb 14 14:12:08.835: DHCP: SDiscover 315 bytes
*Feb 14 14:12:08.835: B'cast on GigabitEthernet0/0/0 interface from 0.0.0.0
*Feb 14 14:12:12.836: DHCP: SDiscover attempt # 3 for entry:
*Feb 14 14:12:12.836: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0/0
*Feb 14 14:12:12.836: Temp sub net mask: 0.0.0.0
*Feb 14 14:12:12.836: DHCP Lease server: 0.0.0.0, state: 3 Selecting
*Feb 14 14:12:12.836: DHCP transaction id: 1B90
*Feb 14 14:12:12.836: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Feb 14 14:12:12.836: Next timer fires after: 00:00:04
*Feb 14 14:12:12.836: Retry count: 3 Client-ID: cisco-6cdd.30af.b000-Gi0/0/0
*Feb 14 14:12:12.836: Client-ID hex dump: 636973636F2D366364642E333061662E
*Feb 14 14:12:12.837: 623030302D4769302F302F30
*Feb 14 14:12:12.837: Hostname: ciscorouter_SE
*Feb 14 14:12:12.837: DHCP: SDiscover placed class-id option: 636973636F706E70
*Feb 14 14:12:12.837: DHCP: SDiscover: sending 315 byte length DHCP packet
*Feb 14 14:12:12.837: DHCP: SDiscover 315 bytes
*Feb 14 14:12:12.837: B'cast on GigabitEthernet0/0/0 interface from 0.0.0.0
*Feb 14 14:12:16.836: DHCP: QScan: Timed out Selecting state%Unknown DHCP problem.. No allocation possible
*Feb 14 14:12:25.595: DHCP: Waiting for 60 seconds on interface GigabitEthernet0/0/0
*Feb 14 14:12:55.847: DHCP: QScan: Purging entry
*Feb 14 14:12:55.847: DHCP: deleting entry 7F56845B80F8 0.0.0.0 from list
*Feb 14 14:12:55.847: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0/0
*Feb 14 14:12:55.847: Temp sub net mask: 0.0.0.0
*Feb 14 14:12:55.847: DHCP Lease server: 0.0.0.0, state: 10 Purging
*Feb 14 14:12:55.847: DHCP transaction id: 1B90
*Feb 14 14:12:55.847: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Feb 14 14:12:55.847: No timer running
*Feb 14 14:12:55.847: Retry count: 0 Client-ID: cisco-6cdd.30af.b000-Gi0/0/0
*Feb 14 14:12:55.847: Client-ID hex dump: 636973636F2D366364642E333061662E
*Feb 14 14:12:55.847: 623030302D4769302F302F30
*Feb 14 14:12:55.847: Hostname: ciscorouter_SE
*Feb 14 14:13:25.595: DHCP: Try 826 to acquire address for GigabitEthernet0/0/0
*Feb 14 14:13:25.596: DHCP: allocate request
*Feb 14 14:13:25.596: DHCP: new entry. add to queue
*Feb 14 14:13:25.596: DHCP: SDiscover attempt # 1 for entry:
*Feb 14 14:13:25.596: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0/0
*Feb 14 14:13:25.597: Temp sub net mask: 0.0.0.0
*Feb 14 14:13:25.597: DHCP Lease server: 0.0.0.0, state: 3 Selecting
*Feb 14 14:13:25.597: DHCP transaction id: 1B91
*Feb 14 14:13:25.597: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Feb 14 14:13:25.597: Next timer fires after: 00:00:04
*Feb 14 14:13:25.597: Retry count: 1 Client-ID: cisco-6cdd.30af.b000-Gi0/0/0
*Feb 14 14:13:25.597: Client-ID hex dump: 636973636F2D366364642E333061662E
*Feb 14 14:13:25.597: 623030302D4769302F302F30

We are observing the same erratic behaviour of ISR4331 ethernet ports on the external network (ISP) and on the internal network; it looks like it is unable to receive an IP address from DHCP at all. This is the only device that is unable to do this.

This is how I configure it:

configure terminal
interface gigabitethernet 0/0/0
ip address dhcp
no shutdown
end
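
The two "debug dhcp" traces in this thread show different failure signatures: one logs a BOOTREP that the client rejects as "Not for us", the other logs DISCOVERs and then times out in Selecting with no reply logged. The script below is an added example, not code from any poster or from Cisco, that tells the two apart. The verdict names are hypothetical and the reading of "Not for us" (a reply reached the client but its xid matched no pending request) is an assumption.

```python
import re
from collections import Counter

# Constructed samples, modelled on the two debug traces quoted in the thread.
TRACE_JAN = """\
*Jan 22 15:25:57.181:             B'cast on GigabitEthernet0/0/0 interface from 0.0.0.0
*Jan 22 15:26:09.275: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x1F84BD5A%Unknown DHCP problem.. No allocation possible
*Jan 22 15:26:10.158: DHCP: Waiting for 60 seconds on interface GigabitEthernet0/0/0
"""
TRACE_FEB = """\
*Feb 14 14:12:08.834: DHCP: SDiscover attempt # 2 for entry:
*Feb 14 14:12:08.835: DHCP transaction id: 1B90
*Feb 14 14:12:12.836: DHCP: SDiscover attempt # 3 for entry:
*Feb 14 14:12:12.836: DHCP transaction id: 1B90
*Feb 14 14:12:16.836: DHCP: QScan: Timed out Selecting state%Unknown DHCP problem.. No allocation possible
"""

PATTERNS = {
    "discover": re.compile(r"SDiscover attempt # (\d+)"),
    "own_xid": re.compile(r"DHCP transaction id: ([0-9A-Fa-f]+)"),
    "unmatched_reply": re.compile(r"Received a BOOTREP pkt Not for us.*?xid: 0x([0-9A-Fa-f]+)"),
    "timeout": re.compile(r"Timed out Selecting state"),
}

def triage(debug_text):
    """Summarise an IOS 'debug dhcp' client trace and name the failure signature."""
    counts, own, foreign = Counter(), set(), set()
    for line in debug_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            counts[name] += 1
            if name == "own_xid":
                own.add(int(m.group(1), 16))
            elif name == "unmatched_reply":
                foreign.add(int(m.group(1), 16))
    if counts["unmatched_reply"]:
        # Assumed reading: a BOOTP reply reached the client on UDP/68 but its
        # xid matched no pending request, so port 68 is not filtered outright.
        verdict = "reply-seen-unmatched"
    elif counts["timeout"]:
        # DISCOVERs went out and nothing at all was logged coming back.
        verdict = "no-reply-seen"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "discovers": counts["discover"],
            "own_xids": sorted(own), "unmatched_xids": sorted(foreign - own)}
```

Calling triage() on a pasted debug capture returns the verdict, the number of DISCOVER attempts, and the transaction ids seen, which helps decide whether to look at inbound filtering or at the upstream DHCP server.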