HTTP-Redirect doesn't work on BNG (ASR9000, XR 4.3.0)

o-evdokimov
Level 1

Hi, All

1) I need to do http-redirect for IPoE subscribers. Ideally I need to do http-redirect only for some users, depending on the reply received from Radius (accept/reject) or on some attribute from Radius. For the test I added rule 15 to my control policy-map.

If I remove rule 15 from the policy-map IPOE_POLICYMAP then the session activates. But if I use the policy-map with rule 15, my BNG sends a DHCP NAK in reply and the user tries to re-obtain an IP address: Discover/NAK, Discover/NAK and so on. The session doesn't establish. Where is the issue?

without rule 15:

DHCPD PROXY: TP1908: Requesting handler called for chaddr aaaa.bbbb.cccc with event PACKET
DHCPD PROXY: TP2483: Will use reply server identifier 213.x.x.254 for yiaddr 213.x.x.211 for chaddr aaaa.bbbb.cccc

with rule 15:

DHCPD PROXY: TP1908: Requesting handler called for chaddr 0015.582c.96cb with event DPM_DISCONNECT
DHCPD PROXY: TP2805: Client delete called for chaddr 0015.582c.96cb due to reason Session disconnected
DHCPD PROXY: TP1908: Requesting handler called for chaddr 0015.582c.96cb with event DROP-PACKET

2) Can I force "http-redirect" via VSA avpair attributes sent from Radius to the BNG in an ACCESS-ACCEPT? For example, I successfully do a CAR limit via "sub-qos-policy-in/sub-qos-policy-out". It seems cisco-avpair="url-redirect=http://..." doesn't work with the ASR9000.

3) Why does the IPoE session stay unauthenticated after an ACCESS_ACCEPT has been received from Radius? Is this normal for IPoE?

I see this in "sh ipsubscriber session all detail" and "sh radius".

-------

interface Bundle-Ether1.10
 description HOMENET
 ipv4 point-to-point
 ipv4 unnumbered Loopback1
 arp learning disable
 service-policy type control subscriber IPOE_POLICYMAP
 encapsulation dot1q 10
 ipsubscriber ipv4 l2-connected
  initiator dhcp

class-map type control subscriber match-any DHCP_INIT
 match protocol dhcpv4
end-class-map

policy-map type control subscriber IPOE_POLICYMAP
 event session-start match-all
  class type control subscriber DHCP_INIT do-until-failure
    5 authorize aaa list default format SUB_AUTH password cisco
   10 activate dynamic-template IBSUB_TEMPLATE
   15 activate dynamic-template IPSUB_UNAUTH_TEMPLATE         <-- !!!!!!!!!!

dynamic-template
 !
 type ipsubscriber IBSUB_TEMPLATE
  ipv4 unnumbered Loopback1
  ipv4 access-group 100 ingress
  ipv4 access-group 100 egress
 !
 type ipsubscriber IPSUB_UNAUTH_TEMPLATE
  service-policy type pbr l4_redirect

policy-map type pbr l4_redirect
 class type traffic IPSUB_PERMIT_CLASS
  transmit
 !
 class type traffic HTTP_TRAF_REDIRECT_CLASS
  http-redirect http://113.x.x.5
 !
 class type traffic class-default
  drop
 !
end-policy-map

class-map type traffic match-any IPSUB_PERMIT_CLASS
 match access-group ipv4 110
end-class-map
!
class-map type traffic match-all HTTP_TRAF_REDIRECT_CLASS
 match access-group ipv4 120
end-class-map

ipv4 access-list 100
 10 permit icmp any any
 20 permit udp any any
 30 permit tcp any 113.x.x.0/24 eq www
 40 permit tcp 113.x.x.0/24 eq www any
 100 deny ipv4 any any
!
ipv4 access-list 110
 10 permit icmp any any
 20 permit udp any any
 30 permit tcp any 113.x.x.0/24 eq www
 100 deny ipv4 any any
!
ipv4 access-list 120
 30 permit tcp any any eq www
 100 deny ipv4 any any

---

Regards



xthuijs
Cisco Employee

Looks like you are redirecting your redirected traffic based on this httpr service definition...
Can you google asr9000 http redirect; you'll find a YouTube video with a CFO example.
Regards Xander

Sent from Cisco Technical Support iPad App

Alexander, thank you for the answer. Of course, I have seen "asr9000 http redirect" on YouTube. But I don't see any differences between it and my example. I don't understand what "...you are redirecting your redirected..." means.

My "open-garden" and "redirect" ACLs look identical to the YouTube example. My portal has an IP from subnet 113.x.x/24.

# open-garden

ipv4 access-list 110
 10 permit tcp any 113.x.x.0/24 eq www log
 20 permit udp any any eq domain log
 30 permit icmp any any log
 100 deny ipv4 any any

# redirect

ipv4 access-list 120
 10 permit tcp any any eq www syn log
 20 permit tcp any any eq www ack log
 30 permit tcp any any eq www log
 100 deny ipv4 any any

My DHCP dump from the client:

# with "15 activate dynamic-template IPSUB_UNAUTH_TEMPLATE" -> get DHCP NAK

0.0.0.0          255.255.255.255     DHCP     342     DHCP Discover - Transaction ID 0xae04c951
ASR9000          255.255.255.255     DHCP     363     DHCP Offer    - Transaction ID 0xae04c951
0.0.0.0          255.255.255.255     DHCP     344     DHCP Request  - Transaction ID 0xae04c951
ASR9000          255.255.255.255     DHCP     303     DHCP NAK      - Transaction ID 0xae04c951

# without rule 15 -> get DHCP ACK

0.0.0.0          255.255.255.255     DHCP     342     DHCP Discover - Transaction ID 0xc9c27e06
ASR9000          255.255.255.255     DHCP     363     DHCP Offer    - Transaction ID 0xc9c27e06
0.0.0.0          255.255.255.255     DHCP     344     DHCP Request  - Transaction ID 0xc9c27e06
ASR9000          255.255.255.255     DHCP     363     DHCP ACK      - Transaction ID 0xc9c27e06

Do you have any ideas?

Hi Oleg,

I tried to use that iPad app and it didn't pay off; I immediately started to give crap answers, apologies.

I see what is going wrong now: your PBR template is type ipsubscriber, and it needs to be type service, otherwise the configs don't merge properly.

ps. better not use log in the ACLs for policies, not sure if this is even meant to work...

As for alternatives, you can also use the authorization-failure event (access reject) in a logic like the one below.

And yes, you can also enable a service via an access-accept and even a COA request!

The precise attributes I have documented in the article for all the VSAs; let me know if you can't find it.

You're using 430; we have 432 out this week, you may want to try that also, but merely as a deployment release when you're ready.

Example TAL policy with HTTPR on auth failure:

policy-map type control subscriber TAL_WEB_LOGON_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   10 activate dynamic-template IBSUB_TEMPLATE
   20 authorize aaa list AAA identifier source-address-mac password cisco
  !
 !
 event authorization-failure match-first
  class type control subscriber DHCP do-until-failure
   10 activate dynamic-template IPSUB_UNAUTH_TEMPLATE
   20 set-timer UNAUTH_TMR 7
  !
 !
 event account-logon match-first
  class type control subscriber DHCP do-until-failure
   10 authenticate aaa list AAA
   20 deactivate dynamic-template HTTPRDRT_TPL
   30 activate dynamic-template IBSUB_TEMPLATE
  !
 !
 event timer-expiry match-first
  class type control subscriber DHCP do-until-failure
   10 disconnect
  !
 !
end-policy-map

Hi Alexander

I need help. A little.

Step 1:

I have made both dynamic templates "type service" as you advised. As before, the session is not established and the user host doesn't get an IP address by DHCP (the user gets a DHCP NAK).

==============================================================

Step 2:

I've found the guide "ASR9000/XR: BNG VSA's." and there is a VSA "sub-pbr-policy-in" attribute in it.

URL https://supportforums.cisco.com/docs/DOC-35624

I tried to use the VSA "subscriber:sub-pbr-policy-in=" from it.

If I get this VSA in the radius ACCEPT I have the same situation as in Step 1.

RADIUS: cisco-avpair="subscriber:sub-pbr-policy-in=l4_redirect"

ASR9k:

policy-map type pbr l4_redirect
 class type traffic IPSUB_PERMIT_CLASS
  transmit
 !
 class type traffic HTTP_TRAF_REDIRECT_CLASS
  http-redirect http://10.10.10.10
 !
 class type traffic class-default
  drop
 !

class-map type traffic match-any IPSUB_PERMIT_CLASS
 match access-group ipv4 110
end-class-map
!
class-map type traffic match-any HTTP_TRAF_REDIRECT_CLASS
 match access-group ipv4 120
end-class-map
!
ipv4 access-list 110
 10 permit tcp any 10.10.10.0/24 eq www
 20 permit udp any any eq domain
 30 permit icmp any any
 100 deny ipv4 any any
!
ipv4 access-list 120
 10 permit tcp any any eq www syn
 20 permit tcp any any eq www ack
 30 permit tcp any any eq www
 100 deny ipv4 any any
!

And I cannot find the VSA "sub-pbr-policy-in" in the official Configuration Guide Release 4.3.x for the ASR9k.

==============================================================

Step 3:

OK. I moved the http-redirect rule to another ASR9k event, "logoff", and then I sent a COA request (logoff).

1) ASR9k: IPoE session is established

Policy Executed:

policy-map type control subscriber IPOE_POLICYMAP
  event Session-Start match-all [at Thu Oct 17 01:12:45 2013]
    class type control subscriber DHCP_INIT do-until-failure [Succeeded]
      2 authorize aaa list default [Succeeded]
      5 activate dynamic-template IBSUB_TEMPLATE [Succeeded]
Session Accounting: disabled
Last COA request received: unavailable

2) Sent COA request

# echo "User-Name=\"0015.582c.96cb\",cisco-avpair=\"subscriber:command=account-logoff\",Cisco-Account-Info=\"S0015.582c.96cb\",Idle-Timeout=200" | radclient -x :1700 coa coa-pass

3) ASR9k: Upgrade session

Policy Executed:

policy-map type control subscriber IPOE_POLICYMAP
  event Session-Start match-all [at Thu Oct 17 01:12:45 2013]
    class type control subscriber DHCP_INIT do-until-failure [Succeeded]
      2 authorize aaa list default [Succeeded]
      5 activate dynamic-template IBSUB_TEMPLATE [Succeeded]
  event Account-Logoff match-all [at Thu Oct 17 01:13:02 2013]
    class type control subscriber class-default do-until-failure [Succeeded]
      10 activate dynamic-template IPSUB_UNAUTH_TEMPLATE [Succeeded]
      20 set-timer UNAUTH-TIMER 1 [Succeeded]
Session Accounting: disabled
Last COA request: Thu Oct 17 01:13:02 2013
COA Request  Attribute List: 0x500eba58
1:  idletimeout     len=  4  value= 200(c8)
2:  command         len= 15  value= account-logoff
Last COA response: Result ACK
COA Response  Attribute List: 0x500ebc68

4) Checking...

TIMER UNAUTH-TIMER set to 1 minute

but HTTP-REDIRECT doesn't work  !!!

5) Timer expires (1 minute)

6) IPoE session destroyed

So

- timer works fine

- HTTP REDIRECT doesn't work (dynamic-template IPSUB_UNAUTH_TEMPLATE)

I don't understand why.

==============================================================

Hi Oleg,

In order to triage this further I probably need a lot of debugs; I see this working fine for me.

It might be best to open a TAC case so we can assemble those logs and troubleshoot this more effectively.

regards

xander

Oleg,

when you say http redirect doesn't work, what do you mean? What is the behavior that you see?

Do you turn off your browser and reopen it when trying to see if it works?

regards,

c.

Oleg, another pointer, the first thing you should see is if the pbr is actually being applied to your session, like this:

RP/0/RSP0/CPU0:BNG#show policy-map type pbr int all
Mon Oct  7 23:54:19.361 UTC

node0_0_CPU0: (null): Service Policy not installed

node0_RSP0_CPU0:
Bundle-Ether100.540.ip395 input: HTTPRDRT_PBR

Policy Name: HTTPRDRT_PBR

Class SRVS_CM
  Classification statistics          (packets/bytes) (May be 10secs old)
    Matched             :                 197/17039
  Transmitted statistics             (packets/bytes) (May be 10secs old)
    Total Transmitted   :                 197/17039
Class HTTPRDRT_CM
  Classification statistics             (packets)
    Matched             :                   0
  Httpr statistics                      (packets)
    Requests Received   :                   0
    Responses Sent      :                   0
    Redirect drops      :                   0
Class class-default
  Classification statistics          (packets/bytes) (May be 10secs old)
    Matched             :                   1/102
  Dropped statistics                 (packets/bytes) (May be 10secs old)
    Total Dropped       :                   1/102

If you see this and it still doesn't work, then you need to take a look at your redirect config; for my testing I used an ACL that would permit all tcp/www traffic. I never denied any traffic, like you do on line 100.
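The check above (is a PBR policy installed on the subscriber interface, and are the Httpr counters moving) is easy to automate when you have many sessions. The following Python parser is an added example, not code from the thread or from Cisco; the sample output is constructed in the shape of the "show policy-map type pbr int all" output quoted in the post, with the interface name, policy name and counter values taken from it.

```python
import re

# Constructed sample in the shape of the thread's "show policy-map type pbr
# interface all" output (interface, policy and counters copied from that post).
SAMPLE_SHOW = """\
node0_0_CPU0: (null): Service Policy not installed
Bundle-Ether100.540.ip395 input: HTTPRDRT_PBR
Policy Name: HTTPRDRT_PBR
Class SRVS_CM
  Classification statistics          (packets/bytes) (May be 10secs old)
    Matched             :                 197/17039
Class HTTPRDRT_CM
  Classification statistics             (packets)
    Matched             :                   0
  Httpr statistics                      (packets)
    Requests Received   :                   0
    Responses Sent      :                   0
    Redirect drops      :                   0
"""

def parse_pbr_show(output):
    """Return {interface: {"policy": name, "classes": {class: {counter: packets}}}}."""
    result, iface, cls = {}, None, None
    for line in output.splitlines():
        m = re.match(r"(\S+) input: (\S+)$", line)          # "<intf> input: <policy>"
        if m:
            iface, cls = m.group(1), None
            result[iface] = {"policy": m.group(2), "classes": {}}
            continue
        m = re.match(r"Class (\S+)$", line)
        if m and iface:
            cls = m.group(1)
            result[iface]["classes"][cls] = {}
            continue
        # Counter rows look like "    Matched : 197/17039"; keep the packet count only.
        m = re.match(r"\s+([A-Za-z ]+?)\s*:\s+(\d+)(?:/\d+)?\s*$", line)
        if m and cls:
            result[iface]["classes"][cls][m.group(1)] = int(m.group(2))
    return result

def redirect_health(output, iface):
    """Say whether a PBR policy is installed on iface and whether HTTPR is active."""
    info = parse_pbr_show(output).get(iface)
    if info is None:
        return {"installed": False}
    httpr = {k: v for c in info["classes"].values() for k, v in c.items()
             if k.startswith(("Requests", "Responses", "Redirect"))}
    return {"installed": True, "policy": info["policy"],
            "requests": httpr.get("Requests Received", 0),
            "responses": httpr.get("Responses Sent", 0),
            "drops": httpr.get("Redirect drops", 0)}
```

An interface missing from the output altogether is the "PBR wasn't applied" case; a policy that is installed but shows zero Requests Received points at the classification ACL instead.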

First I did "sh policy-map type pbr interface all". PBR wasn't applied.

Then I removed "deny any any" and [oh, miracle!] the IPoE session established and HTTP-Redirect began to work correctly.

[I do http-redirect by getting VSA with radius ACCEPT - cisco-avpair="subscriber:sub-pbr-policy-in=l4_redirect"].

RP/0/RSP0/CPU0:BNG1#sh policy-map type pbr interface all

Bundle-Ether1.900.ip9 input: l4_redirect

Policy Name: l4_redirect

Class HTTP_TRAF_REDIRECT_CLASS
  Classification statistics             (packets)
    Matched             :                 147
  Httpr statistics                      (packets)
    Requests Received   :                 147
    Responses Sent      :                  68
    Redirect drops      :                  79

Then I tried to put "deny any any" back, and after commit the ASR9k wrote:

"process : pkg/bin/pbr_ea pid : 508058 node : node0_0_CPU0 rc :'platforms/viking/lc/feature/pbr' detected the 'warning' condition 'Deny ACE not supported in ACL when used in PBR policy'"

But if I first create the "incorrect" ACL and afterwards the PBR that uses it, the ASR9k commits the config without any errors!

Carlos and Aleksander, thank you for help.

Hi Oleg, very good to hear the issue is resolved.

And yes, the PBR ACL doesn't like "deny" statements, similar to QoS ACLs btw.

xander
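Because the "Deny ACE not supported in ACL when used in PBR policy" warning only fires when the ACL is edited after the PBR policy already references it, a pre-commit check catches the case Oleg hit, where the ACL was created first and the commit went through silently. The Python lint below is an added example, not code from the thread or from Cisco: it walks a "policy-map type pbr" to its class-maps and their access-groups and reports every deny ACE; the config sample is constructed from the names used in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config: a PBR policy whose
# redirect class-map references ACL 120, which ends in "deny ipv4 any any".
SAMPLE_CONFIG = """\
policy-map type pbr l4_redirect
 class type traffic HTTP_TRAF_REDIRECT_CLASS
  http-redirect http://10.10.10.10
end-policy-map
class-map type traffic match-any HTTP_TRAF_REDIRECT_CLASS
 match access-group ipv4 120
end-class-map
ipv4 access-list 120
 30 permit tcp any any eq www
 100 deny ipv4 any any
"""

# Block openers: (context kind, regex whose group 1 is the block name).
OPENERS = [("pbr", re.compile(r"policy-map type pbr (\S+)$")),
           ("cm", re.compile(r"class-map type traffic \S+ (\S+)$")),
           ("acl", re.compile(r"ipv4 access-list (\S+)$"))]

def parse_blocks(config):
    """Map PBR policy -> classes, class-map -> ACLs, ACL -> ACE lines."""
    pbr, cm_acls, acls = defaultdict(list), defaultdict(list), defaultdict(list)
    ctx = None
    for line in (l.strip() for l in config.splitlines()):
        hit = [(k, m) for k, r in OPENERS for m in [r.match(line)] if m]
        if hit:
            ctx = (hit[0][0], hit[0][1].group(1))
        elif line.startswith("end-"):
            ctx = None
        elif ctx and ctx[0] == "pbr" and line.startswith("class type traffic "):
            pbr[ctx[1]].append(line.split()[-1])
        elif ctx and ctx[0] == "cm" and line.startswith("match access-group ipv4 "):
            cm_acls[ctx[1]].append(line.split()[-1])
        elif ctx and ctx[0] == "acl" and line not in ("", "!"):
            acls[ctx[1]].append(line)
    return pbr, cm_acls, acls

def find_deny_in_pbr_acls(config):
    """List (policy, class, acl, ace) for every deny ACE a PBR policy would hit."""
    pbr, cm_acls, acls = parse_blocks(config)
    return [(policy, cls, acl, ace)
            for policy, classes in pbr.items()
            for cls in classes
            for acl in cm_acls.get(cls, [])
            for ace in acls.get(acl, [])
            if re.match(r"\d+\s+deny\b", ace)]
```

Run it over the candidate configuration before commit; an empty result means every ACL reachable from a PBR policy is permit-only, which is what the thread ended up with.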