Cisco ISG periodically throttles session speed incorrectly

Good day.

At work I have a Cisco ISG controlling the sessions of Wi-Fi users. A client connects to the right SSID, gets redirected to a web authorization page and authorizes, after which they can browse the internet at the required speed.

After a colleague increased the session idle timeout to 24 hours (I am not aware of any other changes to the ISG recently), the ISG started misbehaving: the client authorizes on the page, but the internet speed is almost zero. Rebooting the ISG helps; the last time, normal operation lasted only about a day.

A RADIUS server is attached to the ISG, passing certain session parameters.

What should I look at? What should I debug?

I'd be grateful for any hints.

Edited by Korvet_068

It would be good to see the Cisco config first.

Since "a RADIUS server is attached", is authorization via PPPoE? Check the rate-limits on the virtual interfaces the Cisco creates. Something like:

c7204_core#sh u | i Kse
 Vi42         Kseхххххххххххххххх        PPPoE        00:00:06 172.21.40.27
c7204_core#sh int Vi42 rate
Virtual-Access42
 Input
   matches: access-group 136
     params:  3144000 bps, 589824 limit, 1179648 extended limit
     conformed 255086 packets, 20333889 bytes; action: transmit
     exceeded 0 packets, 0 bytes; action: drop
     last packet: 10548ms ago, current burst: 0 bytes
     last cleared 1d18h ago, conformed 1000 bps, exceeded 0 bps
   matches: access-group 135
     params:  10240000 bps, 3840000 limit, 3840000 extended limit
     conformed 229616 packets, 16962757 bytes; action: transmit
     exceeded 0 packets, 0 bytes; action: drop
     last packet: 7293536ms ago, current burst: 0 bytes
     last cleared 1d18h ago, conformed 0 bps, exceeded 0 bps
 Output
   matches: access-group 136
     params:  3144000 bps, 589824 limit, 1179648 extended limit
     conformed 337206 packets, 463649133 bytes; action: transmit
     exceeded 11007 packets, 15671990 bytes; action: drop
     last packet: 10516ms ago, current burst: 0 bytes
     last cleared 1d18h ago, conformed 24000 bps, exceeded 0 bps
   matches: access-group 135
     params:  10240000 bps, 3840000 limit, 3840000 extended limit
     conformed 339669 packets, 469294631 bytes; action: transmit
     exceeded 0 packets, 0 bytes; action: drop
     last packet: 7293496ms ago, current burst: 0 bytes
     last cleared 1d18h ago, conformed 24000 bps, exceeded 0 bps

sh run | tee http:\ //1.1.1.1
Building configuration...

Current configuration : 20752 bytes
!

!
version 12.2
no service pad
no service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname R7206-itc-hp3
!
boot-start-marker
boot system disk2:c7200p-advipservicesk9-mz.122-33.SRD8.bin
boot-end-marker
!
logging buffered 2048000
enable secret 5 $1$fndN$KaUpu3to8
!
aaa new-model
!
!
aaa group server radius SME_AAA
server 61.143.0.119  auth-port 1645 acct-port 1646
!
aaa authentication login VTY local
aaa authentication login IP_AUTHEN_LIST group SME_AAA
aaa authentication ppp VPDN_AUTH local
aaa authorization console
aaa authorization exec VTY local 
aaa authorization network default group SME_AAA 
aaa authorization network AUTHOR_LIST1 group SME_AAA 
aaa authorization network VPDN_AUTH local 
aaa authorization network VPDN_AUTHOR none 
aaa authorization subscriber-service default local group SME_AAA 
aaa accounting delay-start vrf default
aaa accounting delay-start all
aaa accounting update periodic 1
aaa accounting network default none
aaa accounting network SME_ACCT_LIST start-stop group SME_AAA
aaa accounting network NO_ACC none
!
!
!
!
aaa server radius dynamic-author
client 61.143.0.119
client 61.143.0.120
client 61.143.0.116
client 61.143.0.122
server-key 7 0231307834250111674B10
port 1712
auth-type any
!
aaa session-id common
clock timezone MSK 3
ip subnet-zero
ip source-route
ip vrf MGT
rd 40:0
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 172.16.1.1 172.16.1.20
ip dhcp excluded-address 172.16.2.1 172.16.2.20
ip dhcp excluded-address 172.16.3.1 172.16.3.20
ip dhcp excluded-address 172.16.4.1 172.16.4.20
ip dhcp excluded-address 172.16.5.1 172.16.5.20
ip dhcp excluded-address 172.16.6.1 172.16.6.20
ip dhcp excluded-address 172.19.0.1 172.19.0.20
ip dhcp excluded-address 10.40.2.251 10.40.2.255
ip dhcp excluded-address 10.45.3.250 10.45.3.254
ip dhcp excluded-address 10.40.3.250 10.40.3.254
ip dhcp excluded-address 10.45.3.1
ip dhcp excluded-address 10.40.2.1
ip dhcp excluded-address 172.16.130.1
ip dhcp excluded-address 172.19.0.1
ip dhcp excluded-address 10.40.2.1 10.40.2.250
!
ip dhcp pool VL730
  network 172.16.130.0 255.255.255.0
  default-router 172.16.130.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL710
  network 172.16.0.0 255.255.255.0
  default-router 172.16.0.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL711
  network 172.16.1.0 255.255.255.0
  default-router 172.16.1.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL712
  network 172.16.2.0 255.255.255.0
  default-router 172.16.2.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL714
  network 172.16.4.0 255.255.255.0
  default-router 172.16.4.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL715
  network 172.16.5.0 255.255.255.0
  default-router 172.16.5.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL716
  network 172.16.6.0 255.255.255.0
  default-router 172.16.6.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL713
  network 172.16.3.0 255.255.255.0
  default-router 172.16.3.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL703
  network 10.40.2.0 255.255.254.0
  default-router 10.40.2.1 
  option 43 hex f104.0a01.013c
  dns-server 61.143.12.10 
  lease 0 3
!
ip dhcp pool VL717
  network 172.19.0.0 255.255.0.0
  default-router 172.19.0.1 
  dns-server 61.143.12.10 8.8.8.8 
  lease 0 1
!
ip dhcp pool VL705
  network 10.45.2.0 255.255.254.0
  default-router 10.45.3.1 
  dns-server 61.143.12.10 
  option 43 hex f104.0a2d.03fb
  lease 0 3
!
!
ip cef
ip flow-cache entries 8192
no ip domain lookup
ip domain name wtc.msk.ru
ip name-server 61.143.12.10
ip name-server 61.143.12.20
login delay 1
login on-failure log
!
subscriber feature prepaid default
threshold time 120 seconds
threshold volume 0 bytes
interim-interval 1 minutes
method-list author AUTHOR_LIST1
method-list accounting SME_ACCT_LIST
password WTC_PolicyKey
!
subscriber service password 7 13322331343C0B2622273118303B
redirect server-group SME_PORTAL
server ip 61.143.0.116 port 3200
!
multilink bundle-name authenticated
vpdn enable
vpdn source-ip 61.143.0.114
vpdn session accounting network NO_ACC
vpdn session-limit 2
!
vpdn-group VPDN
! Default PPTP VPDN group
accept-dialin
 protocol pptp
 virtual-template 1
source-ip 61.143.0.114
!
!
crypto pki trustpoint TP-self-signed-36323601
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-36323601
revocation-check none
rsakeypair TP-self-signed-36323601
!
!
crypto pki certificate chain TP-self-signed-36323601
certificate self-signed 01
 quit
archive
log config
 hidekeys
username dima privilege 15 secret 5 $1$XBlW$b9quxUIp9kP
username hawk privilege 15 secret 5 $1$gLRK$bgW5.GFgp
username silver privilege 15 secret 5 $1$4NOC$BSLPm
username loginov privilege 15 secret 5 $1$3hXX$P1b
!
!
ip ssh version 2
class-map type traffic match-any TC_L4REDIRECT
match access-group input name ACL_L4REDIRECT
!
class-map type traffic match-any TC_OPENGARDEN
match access-group output name OPENGARDEN_ACL_OUT
match access-group input name OPENGARDEN_ACL_IN
!
class-map type control match-all IP_UNAUTH_COND
match timer IP_UNAUTH_TIMER 
match authen-status unauthenticated 
!
class-map type control match-all TAL_IP_BASED
match source-ip-address 0.0.0.0 0.0.0.0 
!
policy-map type service SRV_L4REDIRECT
5 class type traffic TC_L4REDIRECT
 redirect to group SME_PORTAL
!
!
policy-map type service OPENGARDEN_SERVICE
20 class type traffic TC_OPENGARDEN
!
!
policy-map type control SME_POLICY_RULE
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
class type control always event session-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event session-restart
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST 
 20 service-policy type service unapply name SRV_L4REDIRECT
!
class type control always event service-start
 10 service-policy type service identifier service-name
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
 10 service-policy type service unapply identifier service-name
!
!
policy-map type control TAL_IP_BASED
class type control TAL_IP_BASED event session-start
 5 service-policy type service name OPENGARDEN_SERVICE
 7 set-timer IP_UNAUTH_TIMER 1
 10 authorize aaa list AUTHOR_LIST1 password cisco identifier source-ip-address
!
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
!
policy-map type control SME_POLICY_RULE_VPDN
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
class type control always event session-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event session-restart
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST 
 20 service-policy type service unapply name SRV_L4REDIRECT
!
class type control always event service-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name L4REDIRECT_SERVICE
 30 service-policy type service name OPENGARDEN_SERVICE
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
 10 service-policy type service unapply identifier service-name
!
!
! 
!
bridge irb
!
!
!
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
!
interface GigabitEthernet0/1
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
bridge-group 40
!
interface GigabitEthernet0/1.93
encapsulation dot1Q 93
bridge-group 93
!
interface GigabitEthernet0/1.703
encapsulation dot1Q 703
bridge-group 203
!
interface GigabitEthernet0/1.705
encapsulation dot1Q 705
bridge-group 205
!
interface GigabitEthernet0/1.710
encapsulation dot1Q 710
bridge-group 210
!
interface GigabitEthernet0/1.711
encapsulation dot1Q 711
bridge-group 211
!
interface GigabitEthernet0/1.712
encapsulation dot1Q 712
bridge-group 212
!
interface GigabitEthernet0/1.713
encapsulation dot1Q 713
bridge-group 213
!
interface GigabitEthernet0/1.714
encapsulation dot1Q 714
bridge-group 214
!
interface GigabitEthernet0/1.715
encapsulation dot1Q 715
bridge-group 215
!
interface GigabitEthernet0/1.716
encapsulation dot1Q 716
bridge-group 216
!
interface GigabitEthernet0/1.717
encapsulation dot1Q 717
bridge-group 217
!
interface GigabitEthernet0/1.730
encapsulation dot1Q 730
bridge-group 130
!
interface GigabitEthernet0/1.740
encapsulation dot1Q 740
bridge-group 140
!
interface FastEthernet0/2
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet0/2
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/2.40
encapsulation dot1Q 40
bridge-group 40
!
interface GigabitEthernet0/2.93
encapsulation dot1Q 93
bridge-group 93
!
interface GigabitEthernet0/2.703
encapsulation dot1Q 703
bridge-group 203
!
interface GigabitEthernet0/2.705
encapsulation dot1Q 705
bridge-group 205
!
interface GigabitEthernet0/2.710
encapsulation dot1Q 710
bridge-group 210
!
interface GigabitEthernet0/2.711
encapsulation dot1Q 711
bridge-group 211
!
interface GigabitEthernet0/2.712
encapsulation dot1Q 712
bridge-group 212
!
interface GigabitEthernet0/2.713
encapsulation dot1Q 713
bridge-group 213
!
interface GigabitEthernet0/2.714
encapsulation dot1Q 714
bridge-group 214
!
interface GigabitEthernet0/2.715
encapsulation dot1Q 715
bridge-group 215
!
interface GigabitEthernet0/2.716
encapsulation dot1Q 716
bridge-group 216
!
interface GigabitEthernet0/2.717
encapsulation dot1Q 717
bridge-group 217
!
interface GigabitEthernet0/2.730
encapsulation dot1Q 730
bridge-group 130
!
interface GigabitEthernet0/2.740
encapsulation dot1Q 740
bridge-group 140
!
interface GigabitEthernet0/3
no ip address
shutdown
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface Virtual-Template1 
description #VPN_for_Inline-Croc
ip address 4.4.4.1 255.255.255.0
ip nat inside
peer ip address forced
peer default ip address pool VPDN_POOL
ppp authentication ms-chap-v2 chap
ppp authorization VPDN_AUTHOR
service-policy type control SME_POLICY_RULE
!
interface BVI40
description #MGT vrf for management only
ip address 10.1.1.40 255.255.255.0
ip nat outside
!
interface BVI93
description #ASR_Servers
ip address 61.143.0.114 255.255.255.240
ip access-group BVI93_IN in
ip nat outside
ip portbundle outside
!
interface BVI130
description -=LAN Users Group 730=-
ip address 172.16.130.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI140
description -=Real IP LAN Users Group 740=-
ip address 61.143.0.65 255.255.255.248
service-policy type control TAL_IP_BASED
ip subscriber routed
 initiator unclassified ip-address
!
interface BVI203
description VLAN703 AP management
ip address 10.40.2.1 255.255.254.0
!
interface BVI205
description VLAN705 temporary AP managment
ip address 10.45.3.1 255.255.254.0
!
interface BVI210
description VLAN710 Users WiFi
ip address 172.16.0.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI211
description VLAN711 Users WiFi
ip address 172.16.1.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI212
description VLAN712 Users WiFi
ip address 172.16.2.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI213
description VLAN713 Users WiFi
ip address 172.16.3.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI214
description VLAN714 Users WiFi
ip address 172.16.4.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI215
description VLAN715 Users WiFi
ip address 172.16.5.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI216
description VLAN716 Users WiFi
ip address 172.16.6.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI217
description VLAN717 Users WiFi
ip address 172.19.0.1 255.255.0.0
ip nat inside
!
ip local pool VPDN_POOL 4.4.4.2 4.4.4.20
ip nat inside source list NATBVI40 interface BVI40 overload
ip nat inside source list NATBVI93 interface BVI93 overload
!
ip portbundle
match access-list 198
source BVI93
!
ip classless
ip route 0.0.0.0 0.0.0.0 61.143.0.113
ip route vrf MGT 0.0.0.0 0.0.0.0 10.1.1.1
!
ip flow-export source BVI93
ip flow-export version 5
ip flow-export destination 61.143.0.121 9800
!
no ip http server
no ip http secure-server
!
ip access-list standard SNMP
permit 61.143.0.56
permit 61.143.0.62
permit 61.143.14.48
permit 61.143.14.19
permit 61.143.14.25
permit 61.143.14.26
permit 10.1.1.254
ip access-list standard VTY
permit 10.1.1.0 0.0.0.255
permit 61.143.14.0 0.0.0.255
permit 61.143.0.0 0.0.0.63
!
ip access-list extended ACL_L4REDIRECT
deny   ip any 61.143.0.112 0.0.0.15
deny   ip any 10.1.1.0 0.0.0.255
permit tcp any any eq www
ip access-list extended BVI93_IN
permit ip any any
ip access-list extended INTERNET_ACL_IN
permit ip any any
ip access-list extended INTERNET_ACL_OUT
permit ip any any
ip access-list extended NATBVI40
permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NATBVI93
deny   ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 172.16.0.0 0.0.255.255 any
permit ip 4.4.4.0 0.0.0.255 any
permit ip 172.19.0.0 0.0.255.255 any
ip access-list extended OPENGARDEN_ACL_IN
permit ip any host 61.143.0.2
permit ip any host 61.143.1.2
permit ip any host 90.156.153.98
permit ip any 61.143.0.112 0.0.0.15
permit ip any host 61.143.14.7
permit ip any host 10.1.1.60
permit ip any host 10.1.1.61
permit ip any host 10.1.1.62
permit ip any host 93.158.134.3
permit ip any host 61.143.14.10
permit ip any host 61.143.14.20
ip access-list extended OPENGARDEN_ACL_OUT
permit ip host 61.143.0.2 any
permit ip host 61.143.1.2 any
permit ip 61.143.0.112 0.0.0.15 any
permit ip host 61.143.14.7 any
permit ip host 10.1.1.60 any
permit ip host 10.1.1.61 any
permit ip host 10.1.1.62 any
permit ip host 93.158.134.3 any
permit ip host 61.143.14.10 any
permit ip host 61.143.14.20 any
ip access-list extended TAL_IPBASED
permit ip any any
!
ip radius source-interface BVI93 vrf default
ip sla 1
icmp-echo 61.143.0.113 source-ip 61.143.0.114
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
logging trap debugging
logging facility local6
logging 61.143.0.119
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 198 permit ip any host 61.143.0.119
access-list 198 permit ip any host 61.143.0.120
access-list 198 permit ip any host 61.143.0.116
access-list 198 deny   ip any any
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any eq www any
!
snmp-server community public RO
snmp-server location Of1 307
snmp-server contact Dmitry S. Levin
snmp-server chassis-id CISCO 7206 VXR Router
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server host 61.143.14.101 public 
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 61 extended
radius-server attribute 31 remote-id
radius-server host 61.143.0.119 auth-port 1645 acct-port 1646 key 7 14202628330A2F3C1629373C37002C131A
radius-server retransmit 1
radius-server timeout 3
radius-server deadtime 1
radius-server key 7 046C3F25302F49593B18011E0718270133
radius-server vsa send accounting
radius-server vsa send authentication
bridge 40 protocol ieee
bridge 40 route ip
bridge 40 priority 40000
bridge 93 protocol ieee
bridge 93 route ip
bridge 93 priority 40000
bridge 130 protocol ieee
bridge 130 route ip
bridge 130 priority 40000
bridge 140 protocol ieee
bridge 140 route ip
bridge 140 priority 40000
bridge 203 protocol ieee
bridge 203 route ip
bridge 203 priority 40000
bridge 205 protocol ieee
bridge 205 route ip
bridge 205 priority 40000
bridge 210 protocol ieee
bridge 210 route ip
bridge 210 priority 40000
bridge 211 protocol ieee
bridge 211 route ip
bridge 211 priority 40000
bridge 212 protocol ieee
bridge 212 route ip
bridge 212 priority 40000
bridge 213 protocol ieee
bridge 213 route ip
bridge 213 priority 40000
bridge 214 protocol ieee
bridge 214 route ip
bridge 214 priority 40000
bridge 215 protocol ieee
bridge 215 route ip
bridge 215 priority 40000
bridge 216 protocol ieee
bridge 216 route ip
bridge 216 priority 40000
bridge 217 protocol ieee
bridge 217 route ip
bridge 217 priority 40000
!
control-plane
!
alias exec cssa cle subsc sess all
alias exec ssa show subsc sess all
alias exec ss show subsc sess
alias exec ssb show subsc sess brief
!
line con 0
exec-timeout 0 0
authorization exec VTY
login authentication VTY
length 0
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 4
access-class VTY in
exec-timeout 0 0
authorization exec VTY
login authentication VTY
transport input ssh
!
ntp clock-period 17181005
ntp master
ntp update-calendar
ntp server 61.143.14.10 source BVI40
end

R7206-itc-hp3#


sh u on my box shows only those logged in on vty; virtual-access interfaces aren't created, I only have BVIs.

There's also the command show subscriber session.

Here is a detailed session with the 24-hour idle timeout.

R7206-itc-hp3#show subscriber session uid 2309 detailed 
Unique Session ID: 2309
Identifier: 04f04515
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 03:17:29, Last Changed: 00:33:37

Policy information:
 Context 0425F624: Handle 1100071E
 AAA_id 00000691: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   timeout              86400 (0x15180)
   accounting-list      "SME_ACCT_LIST"
   idletime             86400 (0x15180)
   ssg-account-info     "Ainternet_1024_512_3"
   service-type         2 [Framed]
   clid-mac-addr        8C FA BA 9B 14 43 
   addr                 172.16.2.28
   netmask              255.255.255.255
   config-source-dpm    True
 Downloaded User profile, including services:
   portbundle           "enable"
   username             "OPENGARDEN_SERVICE"
   timeout              86400 (0x15180)
   accounting-list      "SME_ACCT_LIST"
   idletime             86400 (0x15180)
   ssg-account-info     "Ainternet_1024_512_3"
   service-type         2 [Framed]
   traffic-class        "out access-group name INTERNET_ACL_OUT priority 20"
   ssg-service-info     "R0.0.0.0;0.0.0.0"
   ssg-service-info     "MC"
   traffic-class        "out default drop"
   ssg-service-info     "QU;512000;D;1024000"
   traffic-class        "in default drop"
   ssg-service-info     "Iinternet_1024_512_3"
   traffic-class        "in access-group name INTERNET_ACL_IN priority 20"
   clid-mac-addr        8C FA BA 9B 14 43 
   addr                 172.16.2.28
   netmask              255.255.255.255
   config-source-dpm    True
 Config history for session (recent to oldest):
   Access-type: Web-user-logon Client: DHCP
    Policy event: Session-Update
     Profile name: apply-config-only, 5 references 
       clid-mac-addr        8C FA BA 9B 14 43 
       addr                 172.16.2.28
       netmask              255.255.255.255
       config-source-dpm    True
   Access-type: Web-user-logon Client: DHCP
    Policy event: Session-Update
     Profile name: apply-config-only, 5 references 
       clid-mac-addr        8C FA BA 9B 14 43 
       addr                 172.16.2.28
       netmask              255.255.255.255
       config-source-dpm    True
   Access-type: Web-user-logon Client: DHCP
    Policy event: Session-Update
     Profile name: apply-config-only, 5 references 
       clid-mac-addr        8C FA BA 9B 14 43 
       addr                 172.16.2.28
       netmask              255.255.255.255
       config-source-dpm    True
   Access-type: Web-service-logon Client: Account Command-Handler
    Policy event: Got More Keys (Service)
     Profile name: internet_1024_512_3, 384 references 
       timeout              86400 (0x15180)
       service-type         2 [Framed]
       traffic-class        "out access-group name INTERNET_ACL_OUT priority 20"
       ssg-service-info     "R0.0.0.0;0.0.0.0"
       ssg-service-info     "MC"
       traffic-class        "out default drop"
       ssg-service-info     "QU;512000;D;1024000"
       service-type         5 [Outbound]
       traffic-class        "in default drop"
       ssg-service-info     "Iinternet_1024_512_3"
       traffic-class        "in access-group name INTERNET_ACL_IN priority 20"
   Access-type: Max Client: Account Command-Handler
    Policy event: Got More Keys (Unapplied) (Service)
     Profile name: SRV_L4REDIRECT, 670 references 
       clid-mac-addr        9C 04 EB 0F 05 AF 
       password             <hidden>
       traffic-class        "input access-group name ACL_L4REDIRECT priority 5"
       l4redirect           "redirect to group SME_PORTAL"
   Access-type: Web-user-logon Client: Account Command-Handler
    Policy event: Got More Keys
     Profile name: 04f04515, 3 references 
       timeout              86400 (0x15180)
       accounting-list      "SME_ACCT_LIST"
       idletime             86400 (0x15180)
       ssg-account-info     "Ainternet_1024_512_3"
       service-type         2 [Framed]
   Access-type: IP Client: DHCP
    Policy event: Session-Update
     Profile name: apply-config-only, 5 references 
       clid-mac-addr        8C FA BA 9B 14 43 
       addr                 172.16.2.28
       netmask              255.255.255.255
       config-source-dpm    True
   Access-type: IP Client: SM
    Policy event: Service Selection Request (Service)
     Profile name: OPENGARDEN_SERVICE, 424 references 
       username             "OPENGARDEN_SERVICE"
       clid-mac-addr        9C 04 EB 0F 05 AF 
       password             <hidden>
       traffic-class        "input access-group name OPENGARDEN_ACL_IN priority 20"
       traffic-class        "output access-group name OPENGARDEN_ACL_OUT priority 20"
   Access-type: IP Client: SM
    Policy event: Service Selection Request (Service)
     Profile name: SRV_L4REDIRECT, 670 references 
       clid-mac-addr        9C 04 EB 0F 05 AF 
       password             <hidden>
       traffic-class        "input access-group name ACL_L4REDIRECT priority 5"
       l4redirect           "redirect to group SME_PORTAL"
   Access-type: IP Client: SM
    Policy event: Service Selection Request (Service)
     Profile name: PBHK_SERVICE, 424 references 
       timeout              86400 (0x15180)
       idletime             1800 (0x708)
       service-type         2 [Framed]
       portbundle           "enable"
       service-type         5 [Outbound]
 Active services associated with session:
   name "internet_1024_512_3"
   name "OPENGARDEN_SERVICE", applied before account logon
   name "PBHK_SERVICE", applied before account logon
 Rules, actions and conditions executed:
   subscriber rule-map SME_POLICY_RULE
     condition always event session-start
       10 service-policy type service name PBHK_SERVICE
       20 service-policy type service name SRV_L4REDIRECT
       30 service-policy type service name OPENGARDEN_SERVICE
       40 set-timer IP_UNAUTH_TIMER 600
   subscriber rule-map SME_POLICY_RULE
     condition always event account-logon
       10 authenticate aaa list IP_AUTHEN_LIST 
       20 service-policy type service unapply name SRV_L4REDIRECT
   subscriber rule-map SME_POLICY_RULE
     condition always event service-start
       10 service-policy type service identifier service-name

Session inbound features:
Traffic classes:
 Traffic class session ID: 1022
  ACL Name: OPENGARDEN_ACL_IN, Packets = 540, Bytes = 41924
 Traffic class session ID: 2220
  ACL Name: INTERNET_ACL_IN, Packets = 58137, Bytes = 18943740
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 25

Feature: IP Idle Timeout
 Timeout value is 86400
 Idle time is 00:07:39
Feature: Session accounting
 Method List: SME_ACCT_LIST
 Packets = 58024, Bytes = 18266231

Feature: Portbundle Hostkey
Portbundle IP = 61.143.0.114     Bundle Number = 1677

Session outbound features:
Traffic classes:
 Traffic class session ID: 1022
  ACL Name: OPENGARDEN_ACL_OUT, Packets = 514, Bytes = 206522
 Traffic class session ID: 2220
  ACL Name: INTERNET_ACL_OUT, Packets = 63396, Bytes = 59074550
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Feature: Session accounting
 Method List: SME_ACCT_LIST
 Packets = 60777, Bytes = 55292421

Non-datapath features:
Feature: Session Timeout
 Timeout value is 86400 seconds
 Time remaining is 20:42:42
Configuration sources associated with this session:
Service: internet_1024_512_3, Active Time = 03:17:17
Service: OPENGARDEN_SERVICE, Active Time = 03:17:31
Service: PBHK_SERVICE, Active Time = 03:17:31
Interface: BVI212, Active Time = 03:17:31

R7206-itc-hp3#           

Edited by Korvet_068


A suspicion arose that the problem is an excess of NAT sessions.

I applied this config from knowledgeable comrades:

ip nat translation timeout 900
ip nat translation tcp-timeout 300
ip nat translation pptp-timeout 1800
ip nat translation udp-timeout 45
ip nat translation dns-timeout 5
ip nat translation port-timeout tcp 1600 10
ip nat translation port-timeout tcp 8080 10
ip nat translation port-timeout tcp 110 60
ip nat translation port-timeout tcp 25 60
ip nat translation port-timeout tcp 80 15

A day hasn't passed yet. Observing.


Can you show the session without the detail?

It's also advisable to limit NAT by translations per host )

Edited by zhenya`


It's also advisable to limit NAT by translations per host )

If I'm not mistaken, that isn't supported on 1.22.

To the OP: are you monitoring CPU load?


Can you show the session without the detail?


R7206-itc-hp3#sh subscriber session username arzamas
Unique Session ID: 1339
Identifier: arzamas
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 02:39:34, Last Changed: 01:30:12

Policy information:
 Authentication status: authen
 Active services associated with session:
   name "internet_service"
   name "OPENGARDEN_SERVICE", applied before account logon
   name "PBHK_SERVICE", applied before account logon
 Rules, actions and conditions executed:
   subscriber rule-map SME_POLICY_RULE
     condition always event session-start
       10 service-policy type service name PBHK_SERVICE
       20 service-policy type service name SRV_L4REDIRECT
       30 service-policy type service name OPENGARDEN_SERVICE
       40 set-timer IP_UNAUTH_TIMER 600
   subscriber rule-map SME_POLICY_RULE
     condition always event account-logon
       10 authenticate aaa list IP_AUTHEN_LIST 
       20 service-policy type service unapply name SRV_L4REDIRECT
   subscriber rule-map SME_POLICY_RULE
     condition always event service-start
       10 service-policy type service identifier service-name

Session inbound features:
Traffic classes:
 Traffic class session ID: 1543
  ACL Name: OPENGARDEN_ACL_IN, Packets = 570, Bytes = 51378
 Traffic class session ID: 1612
  ACL Name: INTERNET_ACL_IN, Packets = 48705, Bytes = 6489261
Default traffic is dropped
Unmatched Packets = 995, Re-classified packets (redirected) = 93

Feature: IP Idle Timeout
 Timeout value is 1800
 Idle time is 00:04:38
Feature: Session accounting
 Method List: SME_ACCT_LIST
 Packets = 48505, Bytes = 6056279

Feature: Portbundle Hostkey
Portbundle IP = 62.148.0.114     Bundle Number = 3093

Session outbound features:
Traffic classes:
 Traffic class session ID: 1543
  ACL Name: OPENGARDEN_ACL_OUT, Packets = 523, Bytes = 206039
 Traffic class session ID: 1612
  ACL Name: INTERNET_ACL_OUT, Packets = 57902, Bytes = 75671186
Default traffic is dropped
Unmatched Packets = 1006, Re-classified packets (redirected) = 0

Feature: Session accounting
 Method List: SME_ACCT_LIST
 Packets = 53097, Bytes = 68537856

Non-datapath features:
Feature: Session Timeout
 Timeout value is 86400 seconds
 Time remaining is 22:29:48
Configuration sources associated with this session:
Service: internet_service, Active Time = 01:30:12
Service: OPENGARDEN_SERVICE, Active Time = 02:39:34
Service: PBHK_SERVICE, Active Time = 02:39:34
Interface: BVI213, Active Time = 02:39:34

R7206-itc-hp3# 

You can't limit NAT by the number of sessions per host, only per VRF, or you have to specify that host explicitly.

You can specify the external address of the ISG interface, but I only started fiddling with NAT after the reboot and didn't check roughly how many sessions are needed for normal operation.

I do monitor CPU load, but I haven't seen any anomalies there.
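The two session dumps in this thread (uid 2309 with the 24-hour idle timeout, and the brief arzamas session) can be checked mechanically for the things discussed here: an idle timeout of a full day, how far the INTERNET traffic-class counters are from the provisioned rate, and packets falling through to "default drop". This is an added example, not code from the original posts; it assumes the ssg-service-info value "QU;512000;D;1024000" means upstream/downstream bits per second, and the one-hour and 5% thresholds are arbitrary.

```python
import re

# Constructed excerpts modelled on the two "show subscriber session" dumps quoted
# in the thread (counters copied from those posts); not live captures.
DETAILED_2309 = """\
Unique Session ID: 2309
Identifier: 04f04515
Session Up-time: 03:17:29, Last Changed: 00:33:37
   ssg-service-info     "QU;512000;D;1024000"
Session inbound features:
Traffic classes:
  ACL Name: OPENGARDEN_ACL_IN, Packets = 540, Bytes = 41924
  ACL Name: INTERNET_ACL_IN, Packets = 58137, Bytes = 18943740
Unmatched Packets = 0, Re-classified packets (redirected) = 25
Feature: IP Idle Timeout
 Timeout value is 86400
 Idle time is 00:07:39
Session outbound features:
Traffic classes:
  ACL Name: INTERNET_ACL_OUT, Packets = 63396, Bytes = 59074550
Unmatched Packets = 0, Re-classified packets (redirected) = 0
Feature: Session Timeout
 Timeout value is 86400 seconds
"""

BRIEF_1339 = """\
Unique Session ID: 1339
Identifier: arzamas
Session Up-time: 02:39:34, Last Changed: 01:30:12
Session inbound features:
  ACL Name: INTERNET_ACL_IN, Packets = 48705, Bytes = 6489261
Unmatched Packets = 995, Re-classified packets (redirected) = 93
Feature: IP Idle Timeout
 Timeout value is 1800
Session outbound features:
  ACL Name: INTERNET_ACL_OUT, Packets = 57902, Bytes = 75671186
Unmatched Packets = 1006, Re-classified packets (redirected) = 0
"""

IDLE_LIMIT_S = 3600   # assumption: an idle timeout above one hour is worth a look
UTIL_FLOOR = 0.05     # assumption: under 5% of the provisioned rate counts as "near zero"


def _hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_session(text):
    """Extract the fields this thread cares about from one session dump."""
    info = {"uid": None, "uptime_s": 0, "up_bps": None, "down_bps": None,
            "idle_timeout": None,
            "inbound": {"bytes": 0, "unmatched": 0},
            "outbound": {"bytes": 0, "unmatched": 0}}
    direction, feature = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Unique Session ID: (\d+)", line):
            info["uid"] = int(m.group(1))
        elif m := re.match(r"Session Up-time: ([\d:]+)", line):
            info["uptime_s"] = _hms_to_seconds(m.group(1))
        elif m := re.search(r'ssg-service-info\s+"QU;(\d+);D;(\d+)"', line):
            # Assumption: the SSG "Q" attribute reads U;<upstream bps>;D;<downstream bps>
            info["up_bps"], info["down_bps"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Session inbound"):
            direction = "inbound"
        elif line.startswith("Session outbound"):
            direction = "outbound"
        elif m := re.match(r"ACL Name: (\S+), Packets = \d+, Bytes = (\d+)", line):
            # Only the INTERNET_* class carries paid traffic; OPENGARDEN is the
            # pre-login walled garden and is left out of the rate comparison.
            if direction and m.group(1).startswith("INTERNET_"):
                info[direction]["bytes"] += int(m.group(2))
        elif m := re.match(r"Unmatched Packets = (\d+)", line):
            if direction:
                info[direction]["unmatched"] = int(m.group(1))
        elif line.startswith("Feature:"):
            feature = line
        elif feature == "Feature: IP Idle Timeout" and (m := re.match(r"Timeout value is (\d+)", line)):
            info["idle_timeout"] = int(m.group(1))
    return info


def assess(info):
    """Return (average utilisation per direction, list of findings) for a parsed session."""
    findings = []
    if info["idle_timeout"] and info["idle_timeout"] > IDLE_LIMIT_S:
        findings.append(f"idle timeout {info['idle_timeout']}s keeps session state (and its NAT "
                        f"translations) alive for up to {info['idle_timeout'] // 3600}h without traffic")
    util = {}
    uptime = max(info["uptime_s"], 1)
    # "inbound" on ISG is from the subscriber, so it is bounded by the upstream rate.
    for direction, rate in (("inbound", info["up_bps"]), ("outbound", info["down_bps"])):
        if rate:
            util[direction] = info[direction]["bytes"] * 8 / uptime / rate
            if util[direction] < UTIL_FLOOR:
                findings.append(f"{direction}: {util[direction]:.1%} of {rate} bps averaged over the session")
        if info[direction]["unmatched"]:
            findings.append(f"{direction}: {info[direction]['unmatched']} packets matched no traffic class "
                            f"and hit 'default drop'")
    return util, findings


if __name__ == "__main__":
    for dump in (DETAILED_2309, BRIEF_1339):
        parsed = parse_session(dump)
        util, findings = assess(parsed)
        print(parsed["uid"], {k: round(v, 4) for k, v in util.items()})
        for f in findings:
            print("  -", f)
```

The utilisation figure is a lifetime average, so it only says a session has moved little data since it came up; two snapshots a minute apart give a much better "is it stalled right now" signal.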


You can't limit NAT by the number of sessions per host, only per VRF, or you have to specify that host explicitly.

I have it set up like this:

ip nat translation max-entries all-host 650
