
ASR 9001 BNG IPoE problems

Goergi Genov
Level 1

Hi,

I have read and tried these guides:

https://supportforums.cisco.com/docs/DOC-23170

https://supportforums.cisco.com/docs/DOC-19702

https://supportforums.cisco.com/docs/DOC-19726

But I have some problems; here is my config (almost the same as in the guides):

radius-server host xxx.xxx.xxx.46 auth-port 1812 acct-port 1813
!
aaa server radius dynamic-author
 port 3799
 client yyy.yyy.yyy.102 vrf default
!
 client xxx.xxx.xxx.46 vrf default
!
aaa attribute format MY_AUTH
 mac-address
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
!
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa group server radius RADIUS_GR
 server xxx.xxx.xxx.46 auth-port 1812 acct-port 1813
 source-interface Loopback0
!
aaa authorization network default group RADIUS_GR
aaa accounting subscriber default group RADIUS_GR
aaa authorization subscriber AUTH_GR group RADIUS_GR
aaa authorization subscriber default group RADIUS_GR
aaa authorization subscriber RADIUS_GR group RADIUS_GR
aaa authentication subscriber default group RADIUS_GR
aaa accounting update periodic 10
dhcp ipv4
 profile IP_DEFAULT proxy
  class IP_DEFAULT
   helper-address vrf default yyy.yyy.yyy.102 giaddr zzz.zzz.zzz.1
  !
  helper-address vrf default yyy.yyy.yyy.102 giaddr zzz.zzz.zzz.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
!
 interface Bundle-Ether100.361 proxy profile IP_DEFAULT
!
ipv4 access-list PERM_ALL
 10 permit ipv4 any any
 20 permit icmp any any
 30 permit ipv4 any any
!
interface Bundle-Ether100
 bundle load-balancing hash dst-ip
!
!
interface Bundle-Ether100.361
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 service-policy type control subscriber IP_PM
 encapsulation dot1q 361
 ipsubscriber ipv4 l2-connected
  initiator dhcp
!
!
interface Loopback0
 ipv4 address ccc.ccc.ccc.174 255.255.255.255
!
interface Loopback100
 description 4dhcp
 ipv4 address zzz.zzz.zzz.1 255.255.255.0
!
interface TenGigE0/0/2/0
 bundle id 100 mode on
!
interface TenGigE0/0/2/1
!
dynamic-template
 type ipsubscriber IPSUB_TPL
  ipv4 unnumbered Loopback100
  ipv4 access-group PERM_ALL ingress
  ipv4 access-group PERM_ALL egress
!
class-map type control subscriber match-any DHCP
 match protocol dhcpv4
 end-class-map
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
   10 authorize aaa list AUTH_GR format MY_AUTH password cisco
  !
!
 end-policy-map
!


Without service-policy type control subscriber IP_PM on the interface, the CPE gets an IP address and all works.

The RADIUS server is configured to always authenticate with Access-Accept, but there are errors:


  Total Deadtime: 0s Last Deadtime: 0s
  Timeout: 5 sec, Retransmit limit: 3
  Quarantined: No
  Authentication:
    468 requests, 1 pending, 154 retransmits
    0 accepts, 0 rejects, 0 challenges
    204 timeouts, 417 bad responses, 417 bad authenticators
    0 unknown types, 417 dropped, 0 ms latest rtt
    Throttled: 0 transactions, 0 timeout, 0 failures
    Estimated Throttled Access Transactions: 0
    Maximum Throttled Access Transactions: 0


The strangest issue is this:

000c.42a8.71e2  0.0.0.0         INIT       57         BE100.361            default    0x0      

and

RP/0/RSP0/CPU0:Sep 23 17:08:03.507 : dhcpd[1077]: DHCPD ERROR: TP2468: rib route delete failed, null ifhandle or IPv4 address

Here is the subscriber session info:

RP/0/RSP0/CPU0:ASR9001#show subscriber session all
Mon Sep 23 17:08:46.995 EET
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End
Type         Interface                State     Subscriber IP Addr / Prefix
                                                LNS Address (Vrf)
--------------------------------------------------------------------------------
IP:DHCP      No                       CN        -

RP/0/RSP0/CPU0:ASR9001#show subscriber session all detail
Mon Sep 23 17:08:48.394 EET
Interface:                None
Circuit ID:               000401690107
Remote ID:                0006001ebd7b2f00
Type:                     IP: DHCP-trigger
IPv4 State:               Up Pending, Mon Sep 23 17:08:32 2013
Mac Address:              000c.42a8.71e2
Account-Session Id:       000001e0
Nas-Port:                 67114640
User name:                unknown
Outer VLAN ID:            361
Subscriber Label:         0x0000005f
Created:                  Mon Sep 23 17:08:32 2013
State:                    Connecting
Authentication:           unauthenticated
Access-interface:         Bundle-Ether100.361
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Mon Sep 23 17:08:32 2013]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
Session Accounting: disabled
Last COA request received: unavailable
Pending Callbacks:
  Waiting for Authorization to complete
  Waiting for Authentication response from AAA
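
The RADIUS counters in the post above show 417 bad authenticators next to 0 accepts. That counter is incremented for replies that fail the Response Authenticator check of RFC 2865, which binds every reply to the Request Authenticator of the matching request and to the shared secret, so a secret mismatch, a reply matched to the wrong request or altered bytes all land in the same bucket. The following is an added example, not code from the thread or from Cisco: it implements that check on both sides and a simplified counter model. The packet bytes, the shared secret and the Request Authenticator are constructed, and the tally function is an assumption about how a NAS classifies replies, not the ASR's actual bookkeeping.

```python
import hashlib
import hmac
import struct

# Added example (not from the thread or from Cisco): the RFC 2865 Response
# Authenticator check a RADIUS client performs on every reply. A reply whose
# authenticator does not verify is what a NAS reports as a "bad authenticator".

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, attributes, request_auth, secret):
    """Server side: assemble a reply bound to the request's authenticator and the shared secret."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: returns (ok, code). ok is False for a short or mis-sized packet,
    a wrong shared secret, a reply bound to a different request, or altered bytes."""
    if len(packet) < HEADER_LEN:
        return False, None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, code
    received = packet[4:20]
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(received, expected), code


def tally(responses, pending, secret):
    """Simplified (assumed) model of the NAS counters: match each reply to the pending
    request with the same identifier, verify it, then count the outcome."""
    counts = {"accepts": 0, "rejects": 0, "bad_authenticators": 0}
    for packet in responses:
        ok, code = verify_response(packet, pending[packet[1]], secret)
        if not ok:
            counts["bad_authenticators"] += 1
        elif code == ACCESS_ACCEPT:
            counts["accepts"] += 1
        elif code == ACCESS_REJECT:
            counts["rejects"] += 1
    return counts


# Constructed sample data: one outstanding Access-Request with identifier 0, its
# 16-byte Request Authenticator, and the secret configured on the NAS.
REQUEST_AUTH = bytes.fromhex("0123456789abcdeffedcba9876543210")
SECRET = b"constructed-shared-secret"
PENDING = {0: REQUEST_AUTH}

# An attribute-less Access-Accept (20 bytes on the wire), the same reply from a
# server holding a different secret, and an Accept carrying a Framed-IP-Address
# attribute (type 8, length 6, 10.0.0.2); all three are constructed here.
GOOD_ACCEPT = build_response(ACCESS_ACCEPT, 0, b"", REQUEST_AUTH, SECRET)
WRONG_SECRET_ACCEPT = build_response(ACCESS_ACCEPT, 0, b"", REQUEST_AUTH, b"other-secret")
FRAMED_IP = bytes([8, 6, 10, 0, 0, 2])
ACCEPT_WITH_IP = build_response(ACCESS_ACCEPT, 0, FRAMED_IP, REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(verify_response(GOOD_ACCEPT, REQUEST_AUTH, SECRET))          # (True, 2)
    print(verify_response(WRONG_SECRET_ACCEPT, REQUEST_AUTH, SECRET))  # (False, 2)
    print(tally([GOOD_ACCEPT, WRONG_SECRET_ACCEPT, ACCEPT_WITH_IP], PENDING, SECRET))
```

Because the check covers the whole reply, a Accept from a server with a different secret is indistinguishable, from the client's counters alone, from a reply that was altered in transit; both show up as a bad authenticator and are dropped, which is why the post's stats can show hundreds of dropped replies with zero accepts even though the server is configured to accept everything.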

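The config above sets nas-port format e with the 32-character template SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU, and the session detail reports Nas-Port 67114640. The decoder below is an added example, not code from the thread or from Cisco, for reading such a value back into its fields so RADIUS logs can be correlated with the subscriber session. It assumes the template is applied most-significant bit first, one character per bit, with each run of the same letter forming one field. Under that assumption the V field of 67114640 decodes to 361, the Outer VLAN ID in the same session detail, which supports the reading; the page does not say what the other letters denote, so the decoder reports them by letter only.

```python
# Added example (not from the thread or from Cisco): decode and re-encode a RADIUS
# NAS-Port value laid out with an IOS XR "format e" template.
# Assumption: the 32-character template is applied most-significant bit first,
# one character per bit, and each run of the same letter is one field.

NAS_PORT_TEMPLATE = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"  # template from the config above


def parse_template(template):
    """Turn the template into an ordered list of (letter, bit_width) fields."""
    if len(template) != 32:
        raise ValueError("format-e template must describe exactly 32 bits")
    fields = []
    for letter in template:
        if fields and fields[-1][0] == letter:
            fields[-1][1] += 1
        elif any(f[0] == letter for f in fields):
            raise ValueError(f"letter {letter!r} appears in two separate runs")
        else:
            fields.append([letter, 1])
    return [(letter, width) for letter, width in fields]


def decode_nas_port(value, template=NAS_PORT_TEMPLATE):
    """Split a 32-bit NAS-Port integer into its fields, MSB first."""
    if not 0 <= value < 1 << 32:
        raise ValueError("NAS-Port must fit in 32 bits")
    result = {}
    shift = 32
    for letter, width in parse_template(template):
        shift -= width
        result[letter] = (value >> shift) & ((1 << width) - 1)
    return result


def encode_nas_port(fields, template=NAS_PORT_TEMPLATE):
    """Inverse of decode_nas_port; rejects a value that overflows its field."""
    value = 0
    for letter, width in parse_template(template):
        part = fields.get(letter, 0)
        if not 0 <= part < 1 << width:
            raise ValueError(f"field {letter} does not fit in {width} bits")
        value = (value << width) | part
    return value


# Nas-Port value taken from the "show subscriber session all detail" output above
SESSION_NAS_PORT = 67114640

if __name__ == "__main__":
    fields = decode_nas_port(SESSION_NAS_PORT)
    print(fields)  # V field is 361, matching the Outer VLAN ID in the same output
    print(encode_nas_port(fields) == SESSION_NAS_PORT)
```

The overflow check in encode_nas_port matters when the template is changed: a 10-bit V field cannot carry a VLAN above 1023, and a silent truncation there would make two different customer ports report the same NAS-Port to the RADIUS server.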
20 Replies

Let me correct that last comment. Not exactly the same, but what caught my eye is the version in which it is fixed:

https://tools.cisco.com/bugsearch/bug/CSCuj06414

Known Fixed Releases: (4)
5.1.1.11i.BASE
5.1.2.1i.BASE
5.1.11.4i.BASE
5.2.0.7i.BASE

Hi Carlos,

Thank you very much for your information. So version 4.3.4 seems to have the bug also?

Honestly, the best I can tell you is: if you're 100% sure you don't have a routing or firewall problem and your sniffer captures are correct, I've seen this before on 4.2. The URL I sent you is for a bug on 4.2.3 that apparently is fixed on 5.1.1x. Not the exact same problem though.

Like I said, I'm working with 4.3.2 no problem, so maybe you want to try that, but before you do make sure you have everything right one last time.

At last, it is my bad. I never deployed bundle-ether since the beginning. We should bring up the ether-bundle to the subscriber interface until version 5.1.1.

P/0/RSP0/CPU0:Jan 10 11:14:49.399 : radiusd[1103]:  RADIUS: Received from id 0 202.aaa.bbb.60:1645, Access-Accept, len 20

RP/0/RSP0/CPU0:Jan 10 11:14:49.399 : radiusd[1103]:  RADIUS:  authenticator AA 04 BD 4F 84 E8 8C 85 - 46 00 4E F8 FA 8C C1 8E

#

Restrictions before 5.1.1:

* On BNG, only dynamic creation of subscribers is supported. Also, the subscriber must be present only on the bundle interfaces.

#

sh subscriber session all
Fri Jan 10 11:20:19.284 GMT
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End
Type         Interface                State     Subscriber IP Addr / Prefix
                                                LNS Address (Vrf)
--------------------------------------------------------------------------------
IP:DHCP      BE100.905.ip1            AC        101.aaa.bbb.2 (default)

Thank you Carlos and Xander.

Never would've thought that would have an effect on radius behavior. Nice catch!

Ah, of course. I totally missed this line you had in your config earlier:

interface GigabitEthernet0/0/0/0.905 proxy profile DHCPv4

That means you want to terminate on the linecard, which we don't support until 511.

The reason for that is: when you have a phy (sub)interface, then AAA, the control policy, DHCP and PPP run on the linecard.

When you are using a bundle, that control is moved to the RSP.

Up to 511 we need to have that control on the RSP, hence that requirement.

If you don't need a bundle, you could always create a single-member bundle without LACP so that the remote side doesn't even know it is pulled into a bundle on the 9k side.

cheers!

xander