ASR BNG - %ROUTING-FIB-3-PD_FAIL

smailmilak
Level 4

Hello guys,

I am a rookie with BNG and PPPoE.

After I have configured everything (I think) for PPPoE connections and after the laptop has connected to the BNG I saw this message, and packet forwarding was not working. Please see attached config of ASR9001. For now I am skipping the authentication because I want first to solve this issue.

I will try now to reload, and if it does not help I will upgrade from 4.3.0 to 4.3.1!

fib_mgr[175]: %ROUTING-FIB-3-PD_FAIL : fib_leaf_insert 5225 Cannot insert in switching leaf 80.65.72.245/32 [0x87b4e764] type 5 flags 81 refcnt 1 prot ipv4 table Internet tableid e0000010 vrfid 60000001 ---LDI: [0x879bf5b0] type 6 flags 2010101 refcnt 2 type 3 depth 1 num_slots 1 num_buckets 1 LDI pl 0x87892fb8 ---PL [0x87892fb8] type 7 flags 480002 refcnt 2 path_cnt 1 max_depth 1 ldi 0x879bf5b0  ---: 0x16 Invalid argument  : pkg/bin/fib_mgr : (PID=446569) :  -Traceback= 40

I found this regarding the ROUTING-FIB message:

%ROUTING-FIB-3-PD_FAIL [chars]

Explanation    This is a catch all PD errors.

Recommended Action    If the message recurs, copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative and provide the representative with the gathered information.

I really hope that you can help me with this.



smailmilak
Level 4

I tried with reload and upgrade to 4.3.1 but still the same.

I also removed all VRF config but still the same error message:

LC/0/0/CPU0:Jun 13 08:57:45.190 : fib_mgr[176]: %ROUTING-FIB-3-PD_FAIL : fib_leaf_insert 5434 Cannot insert in switching leaf 80.65.72.245/32 [0x88676498] type 5 flags 81 refcnt 1 prot ipv4 table default tableid e0000000 vrfid 60000000 ---LDI: [0x87b9e9d8] type 6 flags 2010101 refcnt 2 type 3 depth 1 num_slots 1 num_buckets 1 LDI pl 0x87a0ea18 ---PL [0x87a0ea18] type 7 flags 480002 refcnt 2 path_cnt 1 max_depth 1 ldi 0x87b9e9d8  ---: 0x16 Invalid argument  : pkg/bin/fib_mgr : (PID=446570) :  -Traceback= 400

I have to call TAC.

Looks like you are trying to terminate subscribers on a phy (sub) interface, that is not yet supported, you need a bundle access interface (which can be a single member link with no lacp if needed).

Check out this ref for some guidance on how to set it all up:

https://supportforums.cisco.com/docs/DOC-23170

There are also some other training docs for ip and pppoe available if you follow that link above.

regards

xander

Hi Alex,

A nice TAC engineer already helped me out with this. After I created a bundle interface (I used LACP), the error log was gone and I could terminate the PPPoE session.

I have a question about what you wrote in a guide.

"You can use bundle interfaces with one member and disabling LACP to pull the subs to the RSP so that you have access to these features:

interface GigabitEthernet0/0/0/0

bundle id 100 mode on"

Using mode "on" means that the RSP is taking control of the sessions and features, and using LACP means that the LC is responsible for PPPoE sessions and other PPP/IP Sub features?

The second question is about IP Subscriber (DHCP). How can I authenticate the users without using web portals or similar?

I see that mac-address + circuit-id can be used, but what if we have a modem in bridge mode and 2-3 PCs behind it?

Or did I get the idea of using DHCP for DSL users wrong?

Your guides helped me a lot. I had no experience at all with PPPoE. You are doing a great job.

Perfect, good to hear the issue is resolved with that trick! And also nice to hear the docs are useful!

the mode "on" basically means we don't run LACP on the member, so with that trick the remote side can be just a phy 10G not in a bundle and the remote doesn't even know we are perceiving it as a bundle interface.

Using the bundle interface itself pulls the control for ppp, dhcp and bng to the RP CPU, which is what we need today.

Using a phy interface will leave the control to the LC CPU.

9K will key subscribers based on mac address, so if you have a modem/bridge with 3 devices behind it, you would create 3 subscriber sessions when they all ask for a lease. this is not a common deployment model btw, especially for v4 with its addr exhaustion. you typically want to limit the lease to one per subscriber household or let them use a NAT device if multiple devices exist.

When you use mac/RID/CID based auth, it is not really a true authentication as you don't know who the sub really is.

So while a radius may accept the mac/rid/cid, the "state" of the subscriber is still unauthenticated, which is merely an internal state that can move to authenticated when the account logon is performed, which is usually done with a user/pass provided from a web portal. But that portion is totally optional.

regards

xander

Thank you for fast reply.

You are right about multiple subscribers. It's better to use a modem with router functionality, but it's still good to know how to deploy multiple users if the customer is requesting it.

I am not sure if I understood you right about authentication with DHCP. Authentication can be fully completed with the MAC address of the CPE (using a home router)? Web portal is only an option, because the home router can not use web portal logon by itself?

How does the syntax look for this kind of auth (mac address plus circuit-id or similar) on 4.3.0?

multiple options to format the username for authorization of mac/rid/cid:

policy-map type control subscriber ipsub_policy1
 event session-start match-first
  class type control subscriber class-dhcp do-all
   1 activate dynamic-template ipsub_template
   3 authorize aaa list default identifier circuit-id password dhcp123
   5 activate dynamic-template acct-default

!Attribute definitions that we can reference for the nas-port
!building.
!"MY_AUTH" will take the mac address, circuit ID and remote ID and
!append them together separated by hash signs. If one of the fields is
!not available, an empty string will be provided for that portion.
!example 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote
!
aaa attribute format MY_AUTH
 mac-address plus circuit-id plus remote-id separator #
!
event session-start match-first
 class type control subscriber DHCP do-until-failure
  10 authorize aaa list default format MY_AUTH password cisco

or you can use the attribute formatting in a c style mode:

 format-string "USER:%s%s" mac-address circuit-id

which will result in a username string like USER:0000.1111.2222CIRCID

although you use the authorize command to send this username to the radius, and if it will return an accept, this means the dhcp transaction will complete and the sub will get everything applied whichever the radius accept returns.

but the internal state is called unauthenticated for BNG, because we have no user username or password.

authorize uses a predefined password based on some circuit info. no user info really.

Most providers would like to get something from the user like a pass and uname to get the user specific profiles

but this is truly optional.

regards

xander
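
Added example (not part of the original posts, and not Cisco or RADIUS-server code): a sketch of how an AAA backend could split the two username formats described in the post above back into their fields before using them as a line identifier. The function names, the sample values and the choice to reject malformed or ambiguous usernames are assumptions made for this illustration.

```python
import re

# Cisco dotted MAC notation as shown in the post, e.g. 0000.1111.2222
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)
SEP = "#"  # separator configured in "aaa attribute format MY_AUTH"


def build_my_auth(mac, circuit_id="", remote_id=""):
    """Mirror the behaviour described in the post: join the three fields
    with '#', using an empty string for any field that is not available."""
    return SEP.join([mac or "", circuit_id or "", remote_id or ""])


def parse_my_auth(username):
    """Split a MY_AUTH-style username into mac, circuit_id, remote_id.

    Empty portions become None. Raises ValueError unless there are exactly
    three portions and a well-formed MAC (policy assumed for this example,
    not documented Cisco behaviour).
    """
    parts = username.split(SEP)
    if len(parts) != 3:
        # A '#' inside circuit-id or remote-id lands here: ambiguous input.
        raise ValueError(f"expected 3 '#'-separated portions, got {len(parts)}")
    mac, cid, rid = parts
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC portion: {mac!r}")
    return {"mac": mac.lower(), "circuit_id": cid or None, "remote_id": rid or None}


def parse_format_string(username, prefix="USER:"):
    """Parse the 'USER:%s%s' mac-address circuit-id variant. There is no
    separator, so rely on the fixed 14-character dotted MAC."""
    if not username.startswith(prefix):
        raise ValueError("missing prefix")
    body = username[len(prefix):]
    mac, cid = body[:14], body[14:]
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC portion: {mac!r}")
    return {"mac": mac.lower(), "circuit_id": cid or None}
```
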

It's much more clear now. I will try to test it in the few days.

Thank you very much.

Super! When you are ready to test the account logon ref this link for a COA tool and a sample coa logon profile

https://supportforums.cisco.com/docs/DOC-19726

have fun playing with it!

xander