09-03-2013 02:28 PM
Hi, All
1) I need to do http-redirect for IPoE subscribers. Ideally I need to do http-redirect only for some users, depending on the reply received from Radius (accept/reject) or depending on some attribute from Radius. For a test I added rule 15 to my control policy-map.
If I remove rule 15 from the policy-map IPOE_POLICYMAP, then the session activates. But if I use the policy-map with rule 15, my BNG sends a DHCP NAK in reply and the user tries to re-obtain an IP address: Discover/NAK, Discover/NAK and so on. The session doesn't establish. Where is the issue?
without 15 rule:
DHCPD PROXY: TP1908: Requesting handler called for chaddr aaaa.bbbb.cccc with event PACKET
DHCPD PROXY: TP2483: Will use reply server identifier 213.x.x.254 for yiaddr 213.x.x.211 for chaddr aaaa.bbbb.cccc
with 15 rule:
DHCPD PROXY: TP1908: Requesting handler called for chaddr 0015.582c.96cb with event DPM_DISCONNECT
DHCPD PROXY: TP2805: Client delete called for chaddr 0015.582c.96cb due to reason Session disconnected
DHCPD PROXY: TP1908: Requesting handler called for chaddr 0015.582c.96cb with event DROP-PACKET
2) Can I force "http-redirect" via VSA avpair attributes sent from Radius to the BNG in the ACCESS-ACCEPT? For example, I successfully set a CAR limit via "sub-qos-policy-in/sub-qos-policy-out". It seems cisco-avpair= "url-redirect=http://..." doesn't work with the ASR9000.
3) Why does the IPoE session stay unauthenticated after an ACCESS_ACCEPT has been received from Radius? Is that normal for IPoE?
I am looking at "sh ipsubscriber session all detail" and "sh radius".
-------
interface Bundle-Ether1.10
description HOMENET
ipv4 point-to-point
ipv4 unnumbered Loopback1
arp learning disable
service-policy type control subscriber IPOE_POLICYMAP
encapsulation dot1q 10
ipsubscriber ipv4 l2-connected
initiator dhcp
class-map type control subscriber match-any DHCP_INIT
match protocol dhcpv4
end-class-map
policy-map type control subscriber IPOE_POLICYMAP
event session-start match-all
class type control subscriber DHCP_INIT do-until-failure
5 authorize aaa list default format SUB_AUTH password cisco
10 activate dynamic-template IBSUB_TEMPLATE
15 activate dynamic-template IPSUB_UNAUTH_TEMPLATE <-- !!!!!!!!!!
dynamic-template
!
type ipsubscriber IBSUB_TEMPLATE
ipv4 unnumbered Loopback1
ipv4 access-group 100 ingress
ipv4 access-group 100 egress
!
type ipsubscriber IPSUB_UNAUTH_TEMPLATE
service-policy type pbr l4_redirect
policy-map type pbr l4_redirect
class type traffic IPSUB_PERMIT_CLASS
transmit
!
class type traffic HTTP_TRAF_REDIRECT_CLASS
http-redirect http://113.x.x.5
!
class type traffic class-default
drop
!
end-policy-map
class-map type traffic match-any IPSUB_PERMIT_CLASS
match access-group ipv4 110
end-class-map
!
class-map type traffic match-all HTTP_TRAF_REDIRECT_CLASS
match access-group ipv4 120
end-class-map
ipv4 access-list 100
10 permit icmp any any
20 permit udp any any
30 permit tcp any 113.x.x.0/24 eq www
40 permit tcp 113.x.x.0/24 eq www any
100 deny ipv4 any any
!
ipv4 access-list 110
10 permit icmp any any
20 permit udp any any
30 permit tcp any 113.x.x.0/24 eq www
100 deny ipv4 any any
!
ipv4 access-list 120
30 permit tcp any any eq www
100 deny ipv4 any any
---
Regards
09-05-2013 07:04 PM
Looks like you are redirecting your redirected traffic based on this httpr service definition...
Can you google "asr9000 http redirect"? You'll find a YouTube video with a CFO example.
Regards Xander
Sent from Cisco Technical Support iPad App
09-06-2013 01:31 AM
Alexander, thank you for the answer. Of course, I have seen "asr9000 http redirect" on YouTube. But I don't see any differences between it and my example. I don't understand what "...you are redirecting your redirected..." means.
My "open-garden" and "redirect" ACLs seem identical to the YouTube example. My portal has an IP from subnet 113.x.x/24.
# open-garden
ipv4 access-list 110
10 permit tcp any 113.x.x.0/24 eq www log
20 permit udp any any eq domain log
30 permit icmp any any log
100 deny ipv4 any any
#redirect
ipv4 access-list 120
10 permit tcp any any eq www syn log
20 permit tcp any any eq www ack log
30 permit tcp any any eq www log
100 deny ipv4 any any
My DHCP dump from client:
# with "15 activate dynamic-template IPSUB_UNAUTH_TEMPLATE" -> get DHCP NAK
0.0.0.0 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xae04c951
ASR9000 255.255.255.255 DHCP 363 DHCP Offer - Transaction ID 0xae04c951
0.0.0.0 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0xae04c951
ASR9000 255.255.255.255 DHCP 303 DHCP NAK - Transaction ID 0xae04c951
# without rule 15 -> get DHCP ACK
0.0.0.0 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0xc9c27e06
ASR9000 255.255.255.255 DHCP 363 DHCP Offer - Transaction ID 0xc9c27e06
0.0.0.0 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0xc9c27e06
ASR9000 255.255.255.255 DHCP 363 DHCP ACK - Transaction ID 0xc9c27e06
Do you have any ideas?
09-06-2013 05:50 AM
Hi Oleg,
I tried to use that iPad app and it didn't pay off; I immediately started to give crap answers, apologies.
I see what is going wrong now: your PBR template is type ipsubscriber, and it needs to be type service, otherwise the configs don't merge properly.
PS: better not to use log in the ACLs for policies; not sure if this is even meant to work...
As for alternatives, you can also use the authorization failure event (access reject) in logic like the one below.
And yes you can also enable a service via an access-accept and even a COA request!
The precise attributes I have documented in the article for all the VSA's; let me know if you can't find it.
You're using 430; we have 432 out this week, you may want to try that also, but merely as a deployment release when you're ready.
Example TAL policy with HTTPR on auth failure.
policy-map type control subscriber TAL_WEB_LOGON_PM
event session-start match-first
class type control subscriber DHCP do-until-failure
10 activate dynamic-template IBSUB_TEMPLATE
20 authorize aaa list AAA identifier source-address-mac password cisco
!
!
event authorization-failure match-first
class type control subscriber DHCP do-until-failure
10 activate dynamic-template IPSUB_UNAUTH_TEMPLATE
20 set-timer UNAUTH_TMR 7
!
!
event account-logon match-first
class type control subscriber DHCP do-until-failure
10 authenticate aaa list AAA
20 deactivate dynamic-template HTTPRDRT_TPL
30 activate dynamic-template IBSUB_TEMPLATE
!
!
event timer-expiry match-first
class type control subscriber DHCP do-until-failure
10 disconnect
!
!
end-policy-map
10-17-2013 09:01 AM
Hi Alexander
I need help. A little.
Step 1:
I have made both dynamic templates "type service" as you advised. As before, the session is not established and the user host doesn't get an IP address by DHCP (the user gets a DHCP NAK).
==============================================================
Step 2:
I've found the guide "ASR9000/XR: BNG VSA's", and there is a "sub-pbr-policy-in" VSA attribute in it.
URL https://supportforums.cisco.com/docs/DOC-35624
I tried to use the VSA "subscriber:sub-pbr-policy-in=
If I get this VSA in the RADIUS ACCEPT, I have the same situation as in Step 1.
RADIUS: cisco-avpair="subscriber:sub-pbr-policy-in=l4_redirect"
ASR9k:
policy-map type pbr l4_redirect
class type traffic IPSUB_PERMIT_CLASS
transmit
!
class type traffic HTTP_TRAF_REDIRECT_CLASS
http-redirect http://10.10.10.10
!
class type traffic class-default
drop
!
class-map type traffic match-any IPSUB_PERMIT_CLASS
match access-group ipv4 110
end-class-map
!
class-map type traffic match-any HTTP_TRAF_REDIRECT_CLASS
match access-group ipv4 120
end-class-map
!
ipv4 access-list 110
10 permit tcp any 10.10.10.0/24 eq www
20 permit udp any any eq domain
30 permit icmp any any
100 deny ipv4 any any
!
ipv4 access-list 120
10 permit tcp any any eq www syn
20 permit tcp any any eq www ack
30 permit tcp any any eq www
100 deny ipv4 any any
!
And I cannot find the VSA "sub-pbr-policy-in" in the official Configuration Guide Release 4.3.x for the ASR9k.
==============================================================
Step 3:
OK. I moved the http-redirect rule to another ASR9k event, "logoff", and then I sent a COA request (logoff).
1) ASR9k: Session IPoE is established
Policy Executed:
policy-map type control subscriber IPOE_POLICYMAP
event Session-Start match-all [at Thu Oct 17 01:12:45 2013]
class type control subscriber DHCP_INIT do-until-failure [Succeeded]
2 authorize aaa list default [Succeeded]
5 activate dynamic-template IBSUB_TEMPLATE [Succeeded]
Session Accounting: disabled
Last COA request received: unavailable
2) Sent COA request
# echo "User-Name=\"0015.582c.96cb\",cisco-avpair=\"subscriber:command=account-logoff\",Cisco-Account-Info=\"S0015.582c.96cb\",Idle-Timeout=200" | radclient -x
3) ASR9k: Upgrade session
Policy Executed:
policy-map type control subscriber IPOE_POLICYMAP
event Session-Start match-all [at Thu Oct 17 01:12:45 2013]
class type control subscriber DHCP_INIT do-until-failure [Succeeded]
2 authorize aaa list default [Succeeded]
5 activate dynamic-template IBSUB_TEMPLATE [Succeeded]
event Account-Logoff match-all [at Thu Oct 17 01:13:02 2013]
class type control subscriber class-default do-until-failure [Succeeded]
10 activate dynamic-template IPSUB_UNAUTH_TEMPLATE [Succeeded]
20 set-timer UNAUTH-TIMER 1 [Succeeded]
Session Accounting: disabled
Last COA request: Thu Oct 17 01:13:02 2013
COA Request Attribute List: 0x500eba58
1: idletimeout len= 4 value= 200(c8)
2: command len= 15 value= account-logoff
Last COA response: Result ACK
COA Response Attribute List: 0x500ebc68
4) Checking...
TIMER UNAUTH-TIMER set to 1 minute
but HTTP-REDIRECT doesn't work !!!
5) Timer expire (1 minute)
6) Session IPoE destroy
So
- timer works fine
- HTTP REDIRECT doesn't work (dynamic-template IPSUB_UNAUTH_TEMPLATE)
I don't understand why.
==============================================================
10-18-2013 08:23 AM
Hi Oleg,
In order to triage this further I probably need a lot of debugs; I see this working fine for me.
It might be best to open a TAC case so we can assemble those logs and troubleshoot this more effectively.
regards
xander
10-18-2013 08:28 AM
Oleg,
When you say http redirect doesn't work, what do you mean? What is the behavior that you see?
do you turn off your browser and reopen it when trying to see if it works?
regards,
c.
10-18-2013 08:35 AM
Oleg, another pointer, the first thing you should see is if the pbr is actually being applied to your session, like this:
RP/0/RSP0/CPU0:BNG#show policy-map type pbr int all
Mon Oct 7 23:54:19.361 UTC
node0_0_CPU0: (null): Service Policy not installed
node0_RSP0_CPU0:
Bundle-Ether100.540.ip395 input: HTTPRDRT_PBR
Policy Name: HTTPRDRT_PBR
Class SRVS_CM
Classification statistics (packets/bytes) (May be 10secs old)
Matched : 197/17039
Transmitted statistics (packets/bytes) (May be 10secs old)
Total Transmitted : 197/17039
Class HTTPRDRT_CM
Classification statistics (packets)
Matched : 0
Httpr statistics (packets)
Requests Received : 0
Responses Sent : 0
Redirect drops : 0
Class class-default
Classification statistics (packets/bytes) (May be 10secs old)
Matched : 1/102
Dropped statistics (packets/bytes) (May be 10secs old)
Total Dropped : 1/102
If you see this and it still doesn't work, then you need to take a look at your redirect config. For my testing I used an ACL that would permit all tcp/www traffic; I never denied any traffic, like you do on line 100.
10-24-2013 09:46 AM
First I did "sh policy-map type pbr interface all". PBR wasn't applied.
Then I removed "deny any any" and [oh, miracle!] the IPoE session established and HTTP-Redirect began to work correctly.
[I do http-redirect by getting the VSA with the RADIUS ACCEPT: cisco-avpair="subscriber:sub-pbr-policy-in=l4_redirect"].
RP/0/RSP0/CPU0:BNG1#sh policy-map type pbr interface all
Bundle-Ether1.900.ip9 input: l4_redirect
Policy Name: l4_redirect
Class HTTP_TRAF_REDIRECT_CLASS
Classification statistics (packets)
Matched : 147
Httpr statistics (packets)
Requests Received : 147
Responses Sent : 68
Redirect drops : 79
Then I tried to put "deny any any" back, and after commit the ASR9k wrote:
"process : pkg/bin/pbr_ea pid : 508058 node : node0_0_CPU0 rc :'platforms/viking/lc/feature/pbr' detected the 'warning' condition 'Deny ACE not supported in ACL when used in PBR policy'"
But if you first do the "incorrect" ACL and afterwards the PBR that uses it, the ASR9k will commit the config without any errors!
10-24-2013 09:47 AM
Carlos and Aleksander, thank you for help.
10-24-2013 09:56 AM
Hi Oleg, very good to hear the issue is resolved.
And yes, the PBR ACL doesn't like "deny" statements, similar to a QoS ACL btw.
xander
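A small config lint for the root cause found above, added here as an example and not part of the thread or of any Cisco tooling: it walks IOS XR config text from ACL to class-map to PBR policy and reports every deny ACE that a PBR policy would pull in, which is what the line card only warns about when the ACL is committed after the policy that uses it. The sample config is constructed from the thread's l4_redirect example.

```python
import re
from collections import defaultdict

# Constructed sample in IOS XR syntax, modelled on the thread's l4_redirect
# policy, with the "deny ipv4 any any" ACEs the line card rejects under PBR.
SAMPLE_CONFIG = """\
ipv4 access-list 110
 10 permit tcp any 10.10.10.0/24 eq www
 100 deny ipv4 any any
!
ipv4 access-list 120
 10 permit tcp any any eq www
 100 deny ipv4 any any
!
class-map type traffic match-any IPSUB_PERMIT_CLASS
 match access-group ipv4 110
end-class-map
class-map type traffic match-all HTTP_TRAF_REDIRECT_CLASS
 match access-group ipv4 120
end-class-map
policy-map type pbr l4_redirect
 class type traffic IPSUB_PERMIT_CLASS
  transmit
 !
 class type traffic HTTP_TRAF_REDIRECT_CLASS
  http-redirect http://10.10.10.10
 !
end-policy-map
"""

# Block-opening lines we care about: ACL, traffic class-map, PBR policy-map.
HEADER = re.compile(r"(ipv4 access-list|class-map type traffic \S+|policy-map type pbr) (\S+)$")

def pbr_deny_findings(config):
    """Return [(policy, class-map, acl, ace)] for every deny ACE reachable from a PBR policy."""
    denies, cmap_acls, pbr_classes = defaultdict(list), defaultdict(list), defaultdict(list)
    kind = name = None  # current block: 'ipv4' (ACL), 'class-map' or 'policy-map'
    for line in (l.strip() for l in config.splitlines()):
        m = HEADER.match(line)
        if m:
            kind, name = m.group(1).split()[0], m.group(2)
        elif (line == "!" and kind == "ipv4") or line.startswith("end-"):
            kind = name = None  # "!" inside a PBR policy only closes one class block
        elif kind == "ipv4" and re.match(r"\d+ deny\b", line):
            denies[name].append(line)
        elif kind == "class-map" and line.startswith("match access-group ipv4 "):
            cmap_acls[name].append(line.split()[-1])
        elif kind == "policy-map" and line.startswith("class type traffic "):
            pbr_classes[name].append(line.split()[-1])
    return [(p, c, a, ace) for p, cs in pbr_classes.items() for c in cs
            for a in cmap_acls.get(c, []) for ace in denies.get(a, [])]
```

Run it over the output of `show running-config` before committing a PBR change; an empty result means no referenced ACL carries a deny ACE, regardless of commit order.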