08-28-2013 01:22 AM
Hi Folks,
I have set up a WebVPN system, which works perfectly on a 2811. However, when I enable AAA accounting on the context, it seems to be enabled BUT the accounting packet is never sent.
Debug shows this:
Aug 28 09:55:56 c2811-test 312: Aug 28 07:55:56.652: WV-AAA: Nas Port ID set to 31.54.80.206.
Aug 28 09:55:56 c2811-test 313: Aug 28 07:55:56.652: AAA/ACCT/HC(00000011): Register SSLVPN/4BFEEA58 64 bit counter support not configured
Aug 28 09:55:56 c2811-test 314: Aug 28 07:55:56.652: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
Aug 28 09:55:56 c2811-test 315: Aug 28 07:55:56.652: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
Aug 28 09:55:56 c2811-test 316: Aug 28 07:55:56.656: AAA/ACCT/EVENT/(00000011): CALL START
Aug 28 09:55:56 c2811-test 317: Aug 28 07:55:56.656: Getting session id for NET(00000011) : db=4F5A7618
Aug 28 09:55:56 c2811-test 318: Aug 28 07:55:56.656: AAA/ACCT(00000000): add node, session 7
Aug 28 09:55:56 c2811-test 319: Aug 28 07:55:56.656: AAA/ACCT/NET(00000011): add, count 1
Aug 28 09:55:56 c2811-test 320: Aug 28 07:55:56.656: WV-AAA: AAA authentication request sent for user: "username"
Aug 28 09:55:56 c2811-test 321: Aug 28 07:55:56.668: WV-AAA: AAA Authentication Passed!
Aug 28 09:55:56 c2811-test 322: Aug 28 07:55:56.668: WV-AAA: User "username" has logged in from "31.54.80.206" to gateway "BBSVPN"
Aug 28 09:55:56 c2811-test 323: context "BABILON"
Aug 28 09:55:56 c2811-test 324: Aug 28 07:55:56.668: Getting session id for NET(00000011) : db=4F5A7618
Aug 28 09:55:56 c2811-test 325: Aug 28 07:55:56.668: WV-AAA: Calling START accounting
Aug 28 09:55:56 c2811-test 326: Aug 28 07:55:56.668: AAA/ACCT/NET(00000011): Pick method list 'bablist'
Aug 28 09:55:56 c2811-test 327: Aug 28 07:55:56.668: AAA/ACCT/SETMLIST(00000011): Handle DE000002, mlist 4AA1D1A8, Name bablist
Aug 28 09:55:56 c2811-test 328: Aug 28 07:55:56.668: WV-AAA: Adding group name pol1
Aug 28 09:55:56 c2811-test 329: Aug 28 07:55:56.668: AAA/ACCT/EVENT/(00000011): NET UP
Aug 28 09:55:56 c2811-test 330: Aug 28 07:55:56.668: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
Aug 28 09:55:57 c2811-test 331: Aug 28 07:55:56.672: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
Aug 28 09:56:00 c2811-test 332: Aug 28 07:55:59.100: AAA/ACCT/NET(00000011): Pick method list 'bablist'
Aug 28 09:56:00 c2811-test 333: Aug 28 07:55:59.100: AAA/ACCT/SETMLIST(00000011): Handle DE000002, mlist 4AA1D1A8, Name bablist
Aug 28 09:56:00 c2811-test 334: Aug 28 07:55:59.104: WV-AAA: Sending TUNL IP (10.192.69.53) addr update
Aug 28 09:56:00 c2811-test 335: Aug 28 07:55:59.104: AAA/ACCT/EVENT/(00000011): ATTR ADD
Aug 28 09:56:00 c2811-test 336: Aug 28 07:55:59.104: AAA/ACCT(00000011): Accounting response status = FAILURE
Aug 28 09:56:00 c2811-test 337: Aug 28 07:55:59.104: AAA/ACCT(00000011): Send NEWINFO accounting notification to EM successfully
Aug 28 10:00:00 c2811-test 340: Aug 28 08:00:00.162: WV-AAA: Calling STOP accounting
Aug 28 10:00:00 c2811-test 341: Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): Pick method list 'bablist'
Aug 28 10:00:00 c2811-test 342: Aug 28 08:00:00.162: AAA/ACCT/SETMLIST(00000011): Handle DE000002, mlist 4AA1D1A8, Name bablist
Aug 28 10:00:00 c2811-test 343: Aug 28 08:00:00.162: AAA/ACCT/EVENT/(00000011): NET DOWN
Aug 28 10:00:00 c2811-test 344: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
Aug 28 10:00:00 c2811-test 345: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
Aug 28 10:00:00 c2811-test 346: Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): Accounting record not sent
Aug 28 10:00:00 c2811-test 347: Aug 28 08:00:00.162: AAA/ACCT(00000011): del node, session 7
Aug 28 10:00:00 c2811-test 348: Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): free_rec, count 0
Aug 28 10:00:00 c2811-test 349: Aug 28 08:00:00.162: /AAA/ACCTNET(00000011) reccnt 0, csr FALSE, osr 0
Aug 28 10:00:01 c2811-test 350: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
Aug 28 10:00:01 c2811-test 351: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
Aug 28 10:00:01 c2811-test 352: Aug 28 08:00:00.162: AAA/ACCT/EVENT/(00000011): CALL STOP
Aug 28 10:00:01 c2811-test 353: Aug 28 08:00:00.162: AAA/ACCT(00000011) reccnt 0, osr 0
c2811-test#sh webvpn context BABILON
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: WEBVPN
AAA Authorization List not configured
AAA Accounting List: bablist
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: pol1
Associated WebVPN Gateway: BBSVPN
Domain Name: babilon
Maximum Users Allowed: 1000 (default)
NAT Address not configured
VRF Name not configured
Virtual Template: 1
Virtual Access : 3
aaa accounting network bablist start-stop group babaaa
aaa group server radius babaaa
 server 10.192.68.2
 ip radius source-interface Tunnel1
 deadtime 0
 load-balance method least-outstanding
What have I done wrong?
Cheers
Alan
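Added example, not part of the original post: a small Python audit that groups IOS AAA accounting debug lines by session ID and flags sessions where the router reports a failed or unsent accounting record, which is the gap in the VPN audit trail described above. The sample lines are abridged from the debug output in the post; the function and label names are this example's own.

```python
import re
from collections import defaultdict

# Lines abridged from the debug output in the post above (syslog prefix removed).
SAMPLE = """\
Aug 28 07:55:56.668: WV-AAA: Calling START accounting
Aug 28 07:55:56.668: AAA/ACCT/NET(00000011): Pick method list 'bablist'
Aug 28 07:55:59.104: AAA/ACCT/EVENT/(00000011): ATTR ADD
Aug 28 07:55:59.104: AAA/ACCT(00000011): Accounting response status = FAILURE
Aug 28 08:00:00.162: WV-AAA: Calling STOP accounting
Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): Accounting record not sent
Aug 28 08:00:00.162: AAA/ACCT/EVENT/(00000011): CALL STOP
"""

# "<router timestamp>: AAA/ACCT[/sub](<8-hex session id>): <message>"
LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:.]+): AAA/ACCT[\w/]*\((?P<sid>[0-9A-F]{8})\):? (?P<msg>.*)"
)
METHOD = re.compile(r"Pick method list '([^']+)'")

# Debug messages that mean no accounting record reached the server.
PROBLEMS = {
    "Accounting response status = FAILURE": "accounting response FAILURE",
    "Accounting record not sent": "record not sent",
}

def audit(text):
    """Return {session_id: {"method_list": name, "problems": [(ts, label)]}}."""
    problems = defaultdict(list)
    methods = {}
    for raw in text.splitlines():
        m = LINE.search(raw)  # search() skips any leading syslog prefix
        if not m:
            continue
        sid, msg = m["sid"], m["msg"]
        picked = METHOD.search(msg)
        if picked:
            methods[sid] = picked[1]
        for needle, label in PROBLEMS.items():
            if needle in msg:
                problems[sid].append((m["ts"], label))
    return {sid: {"method_list": methods.get(sid), "problems": found}
            for sid, found in problems.items()}

if __name__ == "__main__":
    for sid, info in audit(SAMPLE).items():
        print(sid, info["method_list"], info["problems"])
```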
08-28-2013 01:28 AM
Alan,
"debug radius" will tell you in a bit more detail what's happening.
All we seem to be seeing is a failure response from the server (but I might be off; it's something I have not been dealing with for a while).
Also check the logs on the RADIUS server.
M.
08-28-2013 01:52 AM
Thanks for your reply Marcin,
I have added that debug too and checked the server; I have even added IP packet debug too.
I simply don't see the packet sent from the box, at all!
I don't understand. When the debug shows the accounting packet still being built at Aug 28 07:55:59.104, why does it report the accounting response failure in the same timestamp?
Bizarre!
08-28-2013 02:43 AM
Alan,
Was there supposed to be a trace of some sort attached?
M.
edit: Scratch that, I see what you mean now. Could be a problem with source of updates... could be, I think RADIUS debugs will help get a clearer picture.
08-28-2013 03:55 AM
I have enabled auth processing and this now gets through to my RADIUS server and I can log in via the RADIUS server, but still, no accounting.
During the auth phase, I see it finds the correct server and builds the packet; with the acct phase, it only manages to find the list but never mentions the server.
Just for info, the IOS is 15.1-4 M6.
08-28-2013 09:02 AM
It must be a bug.
Removed the accounting start delay cfg that I had and it now sends the acct start, but with no IP address. With interim updates configured, I get the first update with the IP; however, with every subsequent interim update, a new Framed-IP AVP is added, so after a while the interim acct packet has many Framed-IP AVPs.
Hey Mr Cisco, can you fix this please?
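Added example, not part of the original post: a Python check that parses a RADIUS Accounting-Request and reports whether Framed-IP-Address (attribute 8) is missing, present once, or duplicated, matching the three symptoms described above. The packets are constructed test data with a zeroed authenticator, and the function names are this example's own.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 4, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def attr(atype, value):
    """Encode one RADIUS attribute (type, length incl. 2-byte header, value)."""
    return bytes([atype, len(value) + 2]) + value

def build_acct(ident, status, framed_ips):
    """Constructed test packet: zeroed authenticator, only the AVPs of interest."""
    body = attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    for ip in framed_ips:
        body += attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
    header = struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(body), bytes(16))
    return header + body

def parse_attrs(packet):
    """Return [(type, value)] from an Accounting-Request, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_framed_ip(packet):
    """Return (status name, Framed-IP-Address values, verdict) for one packet."""
    attrs = parse_attrs(packet)
    status = next((struct.unpack("!I", v)[0] for t, v in attrs
                   if t == ACCT_STATUS_TYPE and len(v) == 4), None)
    ips = [str(ipaddress.IPv4Address(v)) for t, v in attrs
           if t == FRAMED_IP_ADDRESS and len(v) == 4]
    verdict = "missing" if not ips else "duplicate" if len(ips) > 1 else "ok"
    return STATUS.get(status, "unknown"), ips, verdict
```

To use it on real traffic, pass the UDP payload of each accounting packet captured on the RADIUS server to `check_framed_ip`.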
08-28-2013 10:17 AM
Alan,
Open up a TAC case, if it's a bug the folks there will do what can be done ;-)
Attach debug radius and config when opening it. Give also 624912795 - another example when customer saw similar behavior.
M.