
radius is not functioning with fastethernet0 on 2960X

SMD28316
Level 1

This is a follow up to my question here:

https://community.cisco.com/t5/switching/fast-ethernet-0-fails-as-a-radius-source-interface/td-p/4466414

I checked the NPS server (RADIUS server). I can see that it receives the Access-Request and sends an Access-Challenge, so reachability isn't an issue, but I see no response back from the problematic 2960X switch to the Access-Challenge. Here is the packet capture from the NPS server:

1 0.000000 __SW_IP___ __NPS_IP___ RADIUS 336 Access-Request id=69
2 0.007825 __NPS_IP___ __SW_IP___ RADIUS 132 Access-Challenge id=69
3 0.022065 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70
4 0.034445 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2586) [Reassembled in #5]
5 0.034445 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70
6 5.039077 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70, Duplicate Request
7 5.039468 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2587) [Reassembled in #8]
8 5.039468 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70, Duplicate Response
9 10.100604 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70, Duplicate Request
10 10.101052 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2588) [Reassembled in #11]
11 10.101052 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70, Duplicate Response
12 15.139430 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70, Duplicate Request
13 15.139846 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2589) [Reassembled in #14]
14 15.139846 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70, Duplicate Response
15 20.156202 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70, Duplicate Request
16 20.156567 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=258a) [Reassembled in #17]
17 20.156567 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70, Duplicate Response
18 29.019876 __SW_IP___ __NPS_IP___ RADIUS 336 Access-Request id=71
19 29.024155 __NPS_IP___ __SW_IP___ RADIUS 132 Access-Challenge id=71
20 29.033635 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=72
21 29.035850 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=258c) [Reassembled in #22]
22 29.035850 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=72
23 34.096709 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=72, Duplicate Request
24 34.097089 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=258d) [Reassembled in #25]
25 34.097089 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=72, Duplicate Response
26 39.136073 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=72, Duplicate Request
27 39.136460 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=258e) [Reassembled in #28]
28 39.136460 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=72, Duplicate Response
29 44.173830 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=72, Duplicate Request
30 44.174227 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=258f) [Reassembled in #31]
31 44.174227 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=72, Duplicate Response
32 47.041264 __SW_IP___ __NPS_IP___ RADIUS 336 Access-Request id=73
33 47.045507 __NPS_IP___ __SW_IP___ RADIUS 132 Access-Challenge id=73
34 47.060580 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=74
35 47.062646 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2591) [Reassembled in #36]
36 47.062646 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=74
37 49.214090 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=72, Duplicate Request
38 49.214560 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2592) [Reassembled in #39]
39 49.214560 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=72, Duplicate Response
40 52.093857 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=74, Duplicate Request
41 52.094240 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2593) [Reassembled in #42]
42 52.094240 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=74, Duplicate Response
43 54.577225 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
44 54.577369 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
45 54.577508 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
46 57.119618 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=74, Duplicate Request
47 57.120034 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2594) [Reassembled in #48]
48 57.120034 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=74, Duplicate Response
49 62.137343 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=74, Duplicate Request
50 62.137738 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2595) [Reassembled in #51]
51 62.137738 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=74, Duplicate Response
52 65.093093 __SW_IP___ __NPS_IP___ RADIUS 336 Access-Request id=75
53 65.097385 __NPS_IP___ __SW_IP___ RADIUS 132 Access-Challenge id=75
54 65.104595 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=76
55 65.106749 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2597) [Reassembled in #56]
56 65.106749 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=76
57 67.175741 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=74, Duplicate Request
58 67.176147 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2598) [Reassembled in #59]
59 67.176147 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=74, Duplicate Response
60 70.134165 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=76, Duplicate Request
61 70.134557 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2599) [Reassembled in #62]
62 70.134557 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=76, Duplicate Response
63 75.177515 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=76, Duplicate Request
64 75.177919 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=259a) [Reassembled in #65]
65 75.177919 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=76, Duplicate Response
66 80.210855 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=76, Duplicate Request
67 80.211273 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=259b) [Reassembled in #68]
68 80.211273 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=76, Duplicate Response
69 83.118317 __SW_IP___ __NPS_IP___ RADIUS 336 Access-Request id=77
70 83.123099 __NPS_IP___ __SW_IP___ RADIUS 132 Access-Challenge id=77
71 83.137886 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=78
72 83.140758 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=259d) [Reassembled in #73]
73 83.140758 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=78
74 85.237107 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=76, Duplicate Request
75 85.237468 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=259e) [Reassembled in #76]
76 85.237468 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=76, Duplicate Response
77 88.175269 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=78, Duplicate Request
78 88.175629 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=259f) [Reassembled in #79]
79 88.175629 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=78, Duplicate Response
80 93.214901 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=78, Duplicate Request
81 93.215359 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=25a0) [Reassembled in #82]
82 93.215359 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=78, Duplicate Response
83 98.253634 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=78, Duplicate Request
84 98.254141 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=25a1) [Reassembled in #85]
85 98.254141 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=78, Duplicate Response
86 103.292315 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=78, Duplicate Request
87 103.292790 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=25a2) [Reassembled in #88]
88 103.292790 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=78, Duplicate Response
89 114.572690 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
90 114.572776 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
91 114.572951 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
92 114.573089 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
93 114.573229 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
94 174.568841 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
95 174.570003 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
96 174.571046 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
97 174.572213 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
98 174.573364 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)

There are so many duplicate requests and TTL messages sent from the switch to the NPS server. Below is the content of the ICMP messages:

Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 1 (Fragment reassembly time exceeded)
    Checksum: 0xf004 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: NPS_IP , Dst: SW_IP
    User Datagram Protocol, Src Port: 0, Dst Port: 1479
        Source Port: 0
        Destination Port: 1479
        Length: 0 (bogus, must be >= 8)
            [Expert Info (Error/Malformed): Bad length value 0 < 8]
                [Bad length value 0 < 8]
                [Severity level: Error]
                [Group: Malformed]

Two things I noticed about the working and non-working switches:

  1. I can't ping NPS server with MTU Size of 1500 from fa0 on the problematic switch.
  2. Fa0 on the problematic switch has 0 hits in cache, unlike the working one.
    FastEthernet0-Physical buffers, 1524 bytes (total 32, permanent 32):
          24 in free list (0 min, 32 max allowed)
          8 hits, 0 fallbacks
          8 max cache size, 8 in cache
    -     0 hits in cache, 0 misses in cache
    +     70223883 hits in cache, 0 misses in cache

Why is there this difference, since both switches have the same configuration and the same MTU size (globally and under Fa0)?
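
An added example (not part of the original post): a short Python pass over the capture summary above that groups RADIUS packets by Identifier and flags those whose Access-Challenge arrived as IP fragments while the switch kept resending the request. The embedded lines are an excerpt of the capture above (frames 1-8 and 43); the column layout is assumed to be the summary export shown in the post, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Excerpt of the capture in the post (frames 1-8 and 43), addresses as redacted there.
CAPTURE = """\
1 0.000000 __SW_IP___ __NPS_IP___ RADIUS 336 Access-Request id=69
2 0.007825 __NPS_IP___ __SW_IP___ RADIUS 132 Access-Challenge id=69
3 0.022065 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70
4 0.034445 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2586) [Reassembled in #5]
5 0.034445 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70
6 5.039077 __SW_IP___ __NPS_IP___ RADIUS 512 Access-Request id=70, Duplicate Request
7 5.039468 __NPS_IP___ __SW_IP___ IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=2587) [Reassembled in #8]
8 5.039468 __NPS_IP___ __SW_IP___ RADIUS 152 Access-Challenge id=70, Duplicate Response
43 54.577225 __SW_IP___ __NPS_IP___ ICMP 70 Time-to-live exceeded (Fragment reassembly time exceeded)
"""

# Columns: frame number, time, source, destination, protocol, length, info
ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def analyze(text):
    """Group RADIUS packets by Identifier; note replies that arrived as IP fragments."""
    ids = defaultdict(lambda: {"retransmits": 0, "fragmented_reply": False})
    reassembled = set()        # frames that complete a fragmented datagram
    reassembly_timeouts = 0    # ICMP type 11 code 1 messages seen
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        frame, proto, info = int(m.group(1)), m.group(5), m.group(7)
        if proto == "IPv4" and (r := re.search(r"Reassembled in #(\d+)", info)):
            reassembled.add(int(r.group(1)))
        elif proto == "RADIUS" and (r := re.search(r"id=(\d+)", info)):
            entry = ids[int(r.group(1))]
            if "Duplicate Request" in info:
                entry["retransmits"] += 1
            if info.startswith("Access-Challenge") and frame in reassembled:
                entry["fragmented_reply"] = True
        elif proto == "ICMP" and "Fragment reassembly time exceeded" in info:
            reassembly_timeouts += 1
    return dict(ids), reassembly_timeouts

def stalled(ids):
    """Identifiers whose reply was fragmented and whose request was resent."""
    return sorted(i for i, e in ids.items() if e["fragmented_reply"] and e["retransmits"])

if __name__ == "__main__":
    ids, timeouts = analyze(CAPTURE)
    print("stalled identifiers:", stalled(ids), "| ICMP reassembly timeouts:", timeouts)
```

On this excerpt the unfragmented 132-byte challenge (id=69) is followed by a new request, while the fragmented challenge (id=70) is followed only by retransmissions and a reassembly timeout from the switch.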

1 Reply

Hello,

Not sure if your previous post already contains this, but can you post the full running configuration of the 2960X?