Korvet_068 · Posted April 23, 2015 (edited)

Good day. At work I have a Cisco ISG that controls Wi-Fi user sessions. A client connects to the appropriate SSID, gets redirected to the web authorization page and logs in, after which they can use the internet at the assigned speed. After a colleague raised the session idle timeout to 24 hours (I'm not aware of any other recent changes to the ISG), the ISG started misbehaving: the client logs in on the page, but internet speed is almost zero. Rebooting the ISG helps; last time, normal operation lasted only about a day. A RADIUS server is attached to the ISG and passes certain session parameters. What should I look at? What should I debug? I'd appreciate any pointers.

Edited April 23, 2015 by Korvet_068

Andrei · Posted April 24, 2015

It would help to see the Cisco config first. Since "a RADIUS server is attached", is authorization done over PPPoE? Check the rate-limits on the virtual interfaces that get created on the Cisco. Something like:

c7204_core#sh u | i Kse
  Vi42 Kseхххххххххххххххх PPPoE 00:00:06 172.21.40.27
c7204_core#sh int Vi42 rate
Virtual-Access42
  Input
    matches: access-group 136
      params: 3144000 bps, 589824 limit, 1179648 extended limit
      conformed 255086 packets, 20333889 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 10548ms ago, current burst: 0 bytes
      last cleared 1d18h ago, conformed 1000 bps, exceeded 0 bps
    matches: access-group 135
      params: 10240000 bps, 3840000 limit, 3840000 extended limit
      conformed 229616 packets, 16962757 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 7293536ms ago, current burst: 0 bytes
      last cleared 1d18h ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: access-group 136
      params: 3144000 bps, 589824 limit, 1179648 extended limit
      conformed 337206 packets, 463649133 bytes; action: transmit
      exceeded 11007 packets, 15671990 bytes; action: drop
      last packet: 10516ms ago, current burst: 0 bytes
      last cleared 1d18h ago, conformed 24000 bps, exceeded 0 bps
    matches: access-group 135
      params: 10240000 bps, 3840000 limit, 3840000 extended limit
      conformed 339669 packets, 469294631 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 7293496ms ago, current burst: 0 bytes
      last cleared 1d18h ago, conformed 24000 bps, exceeded 0 bps

Korvet_068 · Posted April 24, 2015

sh run | tee http:\ //1.1.1.1
Building configuration...

Current configuration : 20752 bytes
!
!
version 12.2
no service pad
no service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname R7206-itc-hp3
!
boot-start-marker
boot system disk2:c7200p-advipservicesk9-mz.122-33.SRD8.bin
boot-end-marker
!
logging buffered 2048000
enable secret 5 $1$fndN$KaUpu3to8
!
aaa new-model
!
!
aaa group server radius SME_AAA
 server 61.143.0.119 auth-port 1645 acct-port 1646
!
aaa authentication login VTY local
aaa authentication login IP_AUTHEN_LIST group SME_AAA
aaa authentication ppp VPDN_AUTH local
aaa authorization console
aaa authorization exec VTY local
aaa authorization network default group SME_AAA
aaa authorization network AUTHOR_LIST1 group SME_AAA
aaa authorization network VPDN_AUTH local
aaa authorization network VPDN_AUTHOR none
aaa authorization subscriber-service default local group SME_AAA
aaa accounting delay-start vrf default
aaa accounting delay-start all
aaa accounting update periodic 1
aaa accounting network default none
aaa accounting network SME_ACCT_LIST start-stop group SME_AAA
aaa accounting network NO_ACC none
!
!
!
!
aaa server radius dynamic-author
 client 61.143.0.119
 client 61.143.0.120
 client 61.143.0.116
 client 61.143.0.122
 server-key 7 0231307834250111674B10
 port 1712
 auth-type any
!
aaa session-id common
clock timezone MSK 3
ip subnet-zero
ip source-route
ip vrf MGT
 rd 40:0
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 172.16.1.1 172.16.1.20
ip dhcp excluded-address 172.16.2.1 172.16.2.20
ip dhcp excluded-address 172.16.3.1 172.16.3.20
ip dhcp excluded-address 172.16.4.1 172.16.4.20
ip dhcp excluded-address 172.16.5.1 172.16.5.20
ip dhcp excluded-address 172.16.6.1 172.16.6.20
ip dhcp excluded-address 172.19.0.1 172.19.0.20
ip dhcp excluded-address 10.40.2.251 10.40.2.255
ip dhcp excluded-address 10.45.3.250 10.45.3.254
ip dhcp excluded-address 10.40.3.250 10.40.3.254
ip dhcp excluded-address 10.45.3.1
ip dhcp excluded-address 10.40.2.1
ip dhcp excluded-address 172.16.130.1
ip dhcp excluded-address 172.19.0.1
ip dhcp excluded-address 10.40.2.1 10.40.2.250
!
ip dhcp pool VL730
 network 172.16.130.0 255.255.255.0
 default-router 172.16.130.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL710
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL711
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL712
 network 172.16.2.0 255.255.255.0
 default-router 172.16.2.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL714
 network 172.16.4.0 255.255.255.0
 default-router 172.16.4.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL715
 network 172.16.5.0 255.255.255.0
 default-router 172.16.5.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL716
 network 172.16.6.0 255.255.255.0
 default-router 172.16.6.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL713
 network 172.16.3.0 255.255.255.0
 default-router 172.16.3.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL703
 network 10.40.2.0 255.255.254.0
 default-router 10.40.2.1
 option 43 hex f104.0a01.013c
 dns-server 61.143.12.10
 lease 0 3
!
ip dhcp pool VL717
 network 172.19.0.0 255.255.0.0
 default-router 172.19.0.1
 dns-server 61.143.12.10 8.8.8.8
 lease 0 1
!
ip dhcp pool VL705
 network 10.45.2.0 255.255.254.0
 default-router 10.45.3.1
 dns-server 61.143.12.10
 option 43 hex f104.0a2d.03fb
 lease 0 3
!
!
ip cef
ip flow-cache entries 8192
no ip domain lookup
ip domain name wtc.msk.ru
ip name-server 61.143.12.10
ip name-server 61.143.12.20
login delay 1
login on-failure log
!
subscriber feature prepaid default
 threshold time 120 seconds
 threshold volume 0 bytes
 interim-interval 1 minutes
 method-list author AUTHOR_LIST1
 method-list accounting SME_ACCT_LIST
 password WTC_PolicyKey
!
subscriber service password 7 13322331343C0B2622273118303B
redirect server-group SME_PORTAL
 server ip 61.143.0.116 port 3200
!
multilink bundle-name authenticated
vpdn enable
vpdn source-ip 61.143.0.114
vpdn session accounting network NO_ACC
vpdn session-limit 2
!
vpdn-group VPDN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip 61.143.0.114
!
!
crypto pki trustpoint TP-self-signed-36323601
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-36323601
 revocation-check none
 rsakeypair TP-self-signed-36323601
!
!
crypto pki certificate chain TP-self-signed-36323601
 certificate self-signed 01
  quit
archive
 log config
  hidekeys
username dima privilege 15 secret 5 $1$XBlW$b9quxUIp9kP
username hawk privilege 15 secret 5 $1$gLRK$bgW5.GFgp
username silver privilege 15 secret 5 $1$4NOC$BSLPm
username loginov privilege 15 secret 5 $1$3hXX$P1b
!
!
ip ssh version 2
class-map type traffic match-any TC_L4REDIRECT
 match access-group input name ACL_L4REDIRECT
!
class-map type traffic match-any TC_OPENGARDEN
 match access-group output name OPENGARDEN_ACL_OUT
 match access-group input name OPENGARDEN_ACL_IN
!
class-map type control match-all IP_UNAUTH_COND
 match timer IP_UNAUTH_TIMER
 match authen-status unauthenticated
!
class-map type control match-all TAL_IP_BASED
 match source-ip-address 0.0.0.0 0.0.0.0
!
policy-map type service SRV_L4REDIRECT
 5 class type traffic TC_L4REDIRECT
  redirect to group SME_PORTAL
 !
!
policy-map type service OPENGARDEN_SERVICE
 20 class type traffic TC_OPENGARDEN
 !
!
policy-map type control SME_POLICY_RULE
 class type control IP_UNAUTH_COND event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 service-policy type service name PBHK_SERVICE
  20 service-policy type service name SRV_L4REDIRECT
  30 service-policy type service name OPENGARDEN_SERVICE
  40 set-timer IP_UNAUTH_TIMER 600
 !
 class type control always event session-restart
  10 service-policy type service name PBHK_SERVICE
  20 service-policy type service name SRV_L4REDIRECT
  30 service-policy type service name OPENGARDEN_SERVICE
  40 set-timer IP_UNAUTH_TIMER 600
 !
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name SRV_L4REDIRECT
 !
 class type control always event service-start
  10 service-policy type service identifier service-name
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  10 service-policy type service unapply identifier service-name
 !
!
policy-map type control TAL_IP_BASED
 class type control TAL_IP_BASED event session-start
  5 service-policy type service name OPENGARDEN_SERVICE
  7 set-timer IP_UNAUTH_TIMER 1
  10 authorize aaa list AUTHOR_LIST1 password cisco identifier source-ip-address
 !
 class type control IP_UNAUTH_COND event timed-policy-expiry
  10 service disconnect
 !
!
policy-map type control SME_POLICY_RULE_VPDN
 class type control IP_UNAUTH_COND event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 service-policy type service name PBHK_SERVICE
  20 service-policy type service name SRV_L4REDIRECT
  30 service-policy type service name OPENGARDEN_SERVICE
  40 set-timer IP_UNAUTH_TIMER 600
 !
 class type control always event session-restart
  10 service-policy type service name PBHK_SERVICE
  20 service-policy type service name SRV_L4REDIRECT
  30 service-policy type service name OPENGARDEN_SERVICE
  40 set-timer IP_UNAUTH_TIMER 600
 !
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name SRV_L4REDIRECT
 !
 class type control always event service-start
  10 service-policy type service name PBHK_SERVICE
  20 service-policy type service name L4REDIRECT_SERVICE
  30 service-policy type service name OPENGARDEN_SERVICE
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  10 service-policy type service unapply identifier service-name
 !
!
!
!
bridge irb
!
!
!
!
interface Loopback0
 ip address 10.10.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 bridge-group 40
!
interface GigabitEthernet0/1.93
 encapsulation dot1Q 93
 bridge-group 93
!
interface GigabitEthernet0/1.703
 encapsulation dot1Q 703
 bridge-group 203
!
interface GigabitEthernet0/1.705
 encapsulation dot1Q 705
 bridge-group 205
!
interface GigabitEthernet0/1.710
 encapsulation dot1Q 710
 bridge-group 210
!
interface GigabitEthernet0/1.711
 encapsulation dot1Q 711
 bridge-group 211
!
interface GigabitEthernet0/1.712
 encapsulation dot1Q 712
 bridge-group 212
!
interface GigabitEthernet0/1.713
 encapsulation dot1Q 713
 bridge-group 213
!
interface GigabitEthernet0/1.714
 encapsulation dot1Q 714
 bridge-group 214
!
interface GigabitEthernet0/1.715
 encapsulation dot1Q 715
 bridge-group 215
!
interface GigabitEthernet0/1.716
 encapsulation dot1Q 716
 bridge-group 216
!
interface GigabitEthernet0/1.717
 encapsulation dot1Q 717
 bridge-group 217
!
interface GigabitEthernet0/1.730
 encapsulation dot1Q 730
 bridge-group 130
!
interface GigabitEthernet0/1.740
 encapsulation dot1Q 740
 bridge-group 140
!
interface FastEthernet0/2
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface GigabitEthernet0/2
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/2.40
 encapsulation dot1Q 40
 bridge-group 40
!
interface GigabitEthernet0/2.93
 encapsulation dot1Q 93
 bridge-group 93
!
interface GigabitEthernet0/2.703
 encapsulation dot1Q 703
 bridge-group 203
!
interface GigabitEthernet0/2.705
 encapsulation dot1Q 705
 bridge-group 205
!
interface GigabitEthernet0/2.710
 encapsulation dot1Q 710
 bridge-group 210
!
interface GigabitEthernet0/2.711
 encapsulation dot1Q 711
 bridge-group 211
!
interface GigabitEthernet0/2.712
 encapsulation dot1Q 712
 bridge-group 212
!
interface GigabitEthernet0/2.713
 encapsulation dot1Q 713
 bridge-group 213
!
interface GigabitEthernet0/2.714
 encapsulation dot1Q 714
 bridge-group 214
!
interface GigabitEthernet0/2.715
 encapsulation dot1Q 715
 bridge-group 215
!
interface GigabitEthernet0/2.716
 encapsulation dot1Q 716
 bridge-group 216
!
interface GigabitEthernet0/2.717
 encapsulation dot1Q 717
 bridge-group 217
!
interface GigabitEthernet0/2.730
 encapsulation dot1Q 730
 bridge-group 130
!
interface GigabitEthernet0/2.740
 encapsulation dot1Q 740
 bridge-group 140
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface Virtual-Template1
 description #VPN_for_Inline-Croc
 ip address 4.4.4.1 255.255.255.0
 ip nat inside
 peer ip address forced
 peer default ip address pool VPDN_POOL
 ppp authentication ms-chap-v2 chap
 ppp authorization VPDN_AUTHOR
 service-policy type control SME_POLICY_RULE
!
interface BVI40
 description #MGT vrf for management only
 ip address 10.1.1.40 255.255.255.0
 ip nat outside
!
interface BVI93
 description #ASR_Servers
 ip address 61.143.0.114 255.255.255.240
 ip access-group BVI93_IN in
 ip nat outside
 ip portbundle outside
!
interface BVI130
 description -=LAN Users Group 730=-
 ip address 172.16.130.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI140
 description -=Real IP LAN Users Group 740=-
 ip address 61.143.0.65 255.255.255.248
 service-policy type control TAL_IP_BASED
 ip subscriber routed
  initiator unclassified ip-address
!
interface BVI203
 description VLAN703 AP management
 ip address 10.40.2.1 255.255.254.0
!
interface BVI205
 description VLAN705 temporary AP managment
 ip address 10.45.3.1 255.255.254.0
!
interface BVI210
 description VLAN710 Users WiFi
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI211
 description VLAN711 Users WiFi
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI212
 description VLAN712 Users WiFi
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI213
 description VLAN713 Users WiFi
 ip address 172.16.3.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI214
 description VLAN714 Users WiFi
 ip address 172.16.4.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI215
 description VLAN715 Users WiFi
 ip address 172.16.5.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI216
 description VLAN716 Users WiFi
 ip address 172.16.6.1 255.255.255.0
 ip nat inside
 service-policy type control SME_POLICY_RULE
 ip subscriber routed
  initiator dhcp
!
interface BVI217
 description VLAN717 Users WiFi
 ip address 172.19.0.1 255.255.0.0
 ip nat inside
!
ip local pool VPDN_POOL 4.4.4.2 4.4.4.20
ip nat inside source list NATBVI40 interface BVI40 overload
ip nat inside source list NATBVI93 interface BVI93 overload
!
ip portbundle
 match access-list 198
 source BVI93
!
ip classless
ip route 0.0.0.0 0.0.0.0 61.143.0.113
ip route vrf MGT 0.0.0.0 0.0.0.0 10.1.1.1
!
ip flow-export source BVI93
ip flow-export version 5
ip flow-export destination 61.143.0.121 9800
!
no ip http server
no ip http secure-server
!
ip access-list standard SNMP
 permit 61.143.0.56
 permit 61.143.0.62
 permit 61.143.14.48
 permit 61.143.14.19
 permit 61.143.14.25
 permit 61.143.14.26
 permit 10.1.1.254
ip access-list standard VTY
 permit 10.1.1.0 0.0.0.255
 permit 61.143.14.0 0.0.0.255
 permit 61.143.0.0 0.0.0.63
!
ip access-list extended ACL_L4REDIRECT
 deny ip any 61.143.0.112 0.0.0.15
 deny ip any 10.1.1.0 0.0.0.255
 permit tcp any any eq www
ip access-list extended BVI93_IN
 permit ip any any
ip access-list extended INTERNET_ACL_IN
 permit ip any any
ip access-list extended INTERNET_ACL_OUT
 permit ip any any
ip access-list extended NATBVI40
 permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NATBVI93
 deny ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 4.4.4.0 0.0.0.255 any
 permit ip 172.19.0.0 0.0.255.255 any
ip access-list extended OPENGARDEN_ACL_IN
 permit ip any host 61.143.0.2
 permit ip any host 61.143.1.2
 permit ip any host 90.156.153.98
 permit ip any 61.143.0.112 0.0.0.15
 permit ip any host 61.143.14.7
 permit ip any host 10.1.1.60
 permit ip any host 10.1.1.61
 permit ip any host 10.1.1.62
 permit ip any host 93.158.134.3
 permit ip any host 61.143.14.10
 permit ip any host 61.143.14.20
ip access-list extended OPENGARDEN_ACL_OUT
 permit ip host 61.143.0.2 any
 permit ip host 61.143.1.2 any
 permit ip 61.143.0.112 0.0.0.15 any
 permit ip host 61.143.14.7 any
 permit ip host 10.1.1.60 any
 permit ip host 10.1.1.61 any
 permit ip host 10.1.1.62 any
 permit ip host 93.158.134.3 any
 permit ip host 61.143.14.10 any
 permit ip host 61.143.14.20 any
ip access-list extended TAL_IPBASED
 permit ip any any
!
ip radius source-interface BVI93 vrf default
ip sla 1
 icmp-echo 61.143.0.113 source-ip 61.143.0.114
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
logging trap debugging
logging facility local6
logging 61.143.0.119
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 198 permit ip any host 61.143.0.119
access-list 198 permit ip any host 61.143.0.120
access-list 198 permit ip any host 61.143.0.116
access-list 198 deny ip any any
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any eq www any
!
snmp-server community public RO
snmp-server location Of1 307
snmp-server contact Dmitry S. Levin
snmp-server chassis-id CISCO 7206 VXR Router
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server host 61.143.14.101 public
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 61 extended
radius-server attribute 31 remote-id
radius-server host 61.143.0.119 auth-port 1645 acct-port 1646 key 7 14202628330A2F3C1629373C37002C131A
radius-server retransmit 1
radius-server timeout 3
radius-server deadtime 1
radius-server key 7 046C3F25302F49593B18011E0718270133
radius-server vsa send accounting
radius-server vsa send authentication
bridge 40 protocol ieee
bridge 40 route ip
bridge 40 priority 40000
bridge 93 protocol ieee
bridge 93 route ip
bridge 93 priority 40000
bridge 130 protocol ieee
bridge 130 route ip
bridge 130 priority 40000
bridge 140 protocol ieee
bridge 140 route ip
bridge 140 priority 40000
bridge 203 protocol ieee
bridge 203 route ip
bridge 203 priority 40000
bridge 205 protocol ieee
bridge 205 route ip
bridge 205 priority 40000
bridge 210 protocol ieee
bridge 210 route ip
bridge 210 priority 40000
bridge 211 protocol ieee
bridge 211 route ip
bridge 211 priority 40000
bridge 212 protocol ieee
bridge 212 route ip
bridge 212 priority 40000
bridge 213 protocol ieee
bridge 213 route ip
bridge 213 priority 40000
bridge 214 protocol ieee
bridge 214 route ip
bridge 214 priority 40000
bridge 215 protocol ieee
bridge 215 route ip
bridge 215 priority 40000
bridge 216 protocol ieee
bridge 216 route ip
bridge 216 priority 40000
bridge 217 protocol ieee
bridge 217 route ip
bridge 217 priority 40000
!
control-plane
!
alias exec cssa cle subsc sess all
alias exec ssa show subsc sess all
alias exec ss show subsc sess
alias exec ssb show subsc sess brief
!
line con 0
 exec-timeout 0 0
 authorization exec VTY
 login authentication VTY
 length 0
 stopbits 1
line aux 0
 no exec
 stopbits 1
line vty 0 4
 access-class VTY in
 exec-timeout 0 0
 authorization exec VTY
 login authentication VTY
 transport input ssh
!
ntp clock-period 17181005
ntp master
ntp update-calendar
ntp server 61.143.14.10 source BVI40
end

R7206-itc-hp3#

Korvet_068 · Posted April 24, 2015 (edited)

For me, sh u shows only those logged in on vty; virtual-access interfaces are not created, I only have BVIs. There is also the show subscriber session command. Here is a detailed session with the 24-hour idle timeout.

R7206-itc-hp3#show subscriber session uid 2309 detailed
Unique Session ID: 2309
Identifier: 04f04515
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 03:17:29, Last Changed: 00:33:37

Policy information:
  Context 0425F624: Handle 1100071E
  AAA_id 00000691: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout 86400 (0x15180)
    accounting-list "SME_ACCT_LIST"
    idletime 86400 (0x15180)
    ssg-account-info "Ainternet_1024_512_3"
    service-type 2 [Framed]
    clid-mac-addr 8C FA BA 9B 14 43
    addr 172.16.2.28
    netmask 255.255.255.255
    config-source-dpm True
  Downloaded User profile, including services:
    portbundle "enable"
    username "OPENGARDEN_SERVICE"
    timeout 86400 (0x15180)
    accounting-list "SME_ACCT_LIST"
    idletime 86400 (0x15180)
    ssg-account-info "Ainternet_1024_512_3"
    service-type 2 [Framed]
    traffic-class "out access-group name INTERNET_ACL_OUT priority 20"
    ssg-service-info "R0.0.0.0;0.0.0.0"
    ssg-service-info "MC"
    traffic-class "out default drop"
    ssg-service-info "QU;512000;D;1024000"
    traffic-class "in default drop"
    ssg-service-info "Iinternet_1024_512_3"
    traffic-class "in access-group name INTERNET_ACL_IN priority 20"
    clid-mac-addr 8C FA BA 9B 14 43
    addr 172.16.2.28
    netmask 255.255.255.255
    config-source-dpm True
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: DHCP
     Policy event: Session-Update
      Profile name: apply-config-only, 5 references
        clid-mac-addr 8C FA BA 9B 14 43
        addr 172.16.2.28
        netmask 255.255.255.255
        config-source-dpm True
    Access-type: Web-user-logon Client: DHCP
     Policy event: Session-Update
      Profile name: apply-config-only, 5 references
        clid-mac-addr 8C FA BA 9B 14 43
        addr 172.16.2.28
        netmask 255.255.255.255
        config-source-dpm True
    Access-type: Web-user-logon Client: DHCP
     Policy event: Session-Update
      Profile name: apply-config-only, 5 references
        clid-mac-addr 8C FA BA 9B 14 43
        addr 172.16.2.28
        netmask 255.255.255.255
        config-source-dpm True
    Access-type: Web-service-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: internet_1024_512_3, 384 references
        timeout 86400 (0x15180)
        service-type 2 [Framed]
        traffic-class "out access-group name INTERNET_ACL_OUT priority 20"
        ssg-service-info "R0.0.0.0;0.0.0.0"
        ssg-service-info "MC"
        traffic-class "out default drop"
        ssg-service-info "QU;512000;D;1024000"
        service-type 5 [Outbound]
        traffic-class "in default drop"
        ssg-service-info "Iinternet_1024_512_3"
        traffic-class "in access-group name INTERNET_ACL_IN priority 20"
    Access-type: Max Client: Account Command-Handler
     Policy event: Got More Keys (Unapplied) (Service)
      Profile name: SRV_L4REDIRECT, 670 references
        clid-mac-addr 9C 04 EB 0F 05 AF
        password <hidden>
        traffic-class "input access-group name ACL_L4REDIRECT priority 5"
        l4redirect "redirect to group SME_PORTAL"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: 04f04515, 3 references
        timeout 86400 (0x15180)
        accounting-list "SME_ACCT_LIST"
        idletime 86400 (0x15180)
        ssg-account-info "Ainternet_1024_512_3"
        service-type 2 [Framed]
    Access-type: IP Client: DHCP
     Policy event: Session-Update
      Profile name: apply-config-only, 5 references
        clid-mac-addr 8C FA BA 9B 14 43
        addr 172.16.2.28
        netmask 255.255.255.255
        config-source-dpm True
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: OPENGARDEN_SERVICE, 424 references
        username "OPENGARDEN_SERVICE"
        clid-mac-addr 9C 04 EB 0F 05 AF
        password <hidden>
        traffic-class "input access-group name OPENGARDEN_ACL_IN priority 20"
        traffic-class "output access-group name OPENGARDEN_ACL_OUT priority 20"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: SRV_L4REDIRECT, 670 references
        clid-mac-addr 9C 04 EB 0F 05 AF
        password <hidden>
        traffic-class "input access-group name ACL_L4REDIRECT priority 5"
        l4redirect "redirect to group SME_PORTAL"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: PBHK_SERVICE, 424 references
        timeout 86400 (0x15180)
        idletime 1800 (0x708)
        service-type 2 [Framed]
        portbundle "enable"
        service-type 5 [Outbound]
  Active services associated with session:
    name "internet_1024_512_3"
    name "OPENGARDEN_SERVICE", applied before account logon
    name "PBHK_SERVICE", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map SME_POLICY_RULE
      condition always event session-start
        10 service-policy type service name PBHK_SERVICE
        20 service-policy type service name SRV_L4REDIRECT
        30 service-policy type service name OPENGARDEN_SERVICE
        40 set-timer IP_UNAUTH_TIMER 600
    subscriber rule-map SME_POLICY_RULE
      condition always event account-logon
        10 authenticate aaa list IP_AUTHEN_LIST
        20 service-policy type service unapply name SRV_L4REDIRECT
    subscriber rule-map SME_POLICY_RULE
      condition always event service-start
        10 service-policy type service identifier service-name

Session inbound features:
 Traffic classes:
  Traffic class session ID: 1022
   ACL Name: OPENGARDEN_ACL_IN, Packets = 540, Bytes = 41924
  Traffic class session ID: 2220
   ACL Name: INTERNET_ACL_IN, Packets = 58137, Bytes = 18943740
  Default traffic is dropped
  Unmatched Packets = 0, Re-classified packets (redirected) = 25
 Feature: IP Idle Timeout
  Timeout value is 86400
  Idle time is 00:07:39
 Feature: Session accounting
  Method List: SME_ACCT_LIST
  Packets = 58024, Bytes = 18266231
 Feature: Portbundle Hostkey
  Portbundle IP = 61.143.0.114
  Bundle Number = 1677

Session outbound features:
 Traffic classes:
  Traffic class session ID: 1022
   ACL Name: OPENGARDEN_ACL_OUT, Packets = 514, Bytes = 206522
  Traffic class session ID: 2220
   ACL Name: INTERNET_ACL_OUT, Packets = 63396, Bytes = 59074550
  Default traffic is dropped
  Unmatched Packets = 0, Re-classified packets (redirected) = 0
 Feature: Session accounting
  Method List: SME_ACCT_LIST
  Packets = 60777, Bytes = 55292421

Non-datapath features:
 Feature: Session Timeout
  Timeout value is 86400 seconds
  Time remaining is 20:42:42

Configuration sources associated with this session:
Service: internet_1024_512_3, Active Time = 03:17:17
Service: OPENGARDEN_SERVICE, Active Time = 03:17:31
Service: PBHK_SERVICE, Active Time = 03:17:31
Interface: BVI212, Active Time = 03:17:31
R7206-itc-hp3#

Edited April 24, 2015 by Korvet_068

Korvet_068 · Posted September 22, 2015

I've come to suspect that the problem is an excess of NAT sessions. I applied this config from knowledgeable comrades:

ip nat translation timeout 900
ip nat translation tcp-timeout 300
ip nat translation pptp-timeout 1800
ip nat translation udp-timeout 45
ip nat translation dns-timeout 5
ip nat translation port-timeout tcp 1600 10
ip nat translation port-timeout tcp 8080 10
ip nat translation port-timeout tcp 110 60
ip nat translation port-timeout tcp 25 60
ip nat translation port-timeout tcp 80 15

A full day hasn't passed yet. Watching.

zhenya` · Posted September 23, 2015 (edited)

Can you show the session without the detail? It's also advisable to limit NAT by translations per host )

Edited September 23, 2015 by zhenya`

NikAlexAn · Posted September 23, 2015

> It's also advisable to limit NAT by translations per host )

If I'm not mistaken, that isn't supported on 1.22. To the OP: are you monitoring CPU load?

Korvet_068 · Posted September 23, 2015

> Can you show the session without the detail?

R7206-itc-hp3#sh subscriber session username arzamas
Unique Session ID: 1339
Identifier: arzamas
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 02:39:34, Last Changed: 01:30:12

Policy information:
  Authentication status: authen
  Active services associated with session:
    name "internet_service"
    name "OPENGARDEN_SERVICE", applied before account logon
    name "PBHK_SERVICE", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map SME_POLICY_RULE
      condition always event session-start
        10 service-policy type service name PBHK_SERVICE
        20 service-policy type service name SRV_L4REDIRECT
        30 service-policy type service name OPENGARDEN_SERVICE
        40 set-timer IP_UNAUTH_TIMER 600
    subscriber rule-map SME_POLICY_RULE
      condition always event account-logon
        10 authenticate aaa list IP_AUTHEN_LIST
        20 service-policy type service unapply name SRV_L4REDIRECT
    subscriber rule-map SME_POLICY_RULE
      condition always event service-start
        10 service-policy type service identifier service-name

Session inbound features:
 Traffic classes:
  Traffic class session ID: 1543
   ACL Name: OPENGARDEN_ACL_IN, Packets = 570, Bytes = 51378
  Traffic class session ID: 1612
   ACL Name: INTERNET_ACL_IN, Packets = 48705, Bytes = 6489261
  Default traffic is dropped
  Unmatched Packets = 995, Re-classified packets (redirected) = 93
 Feature: IP Idle Timeout
  Timeout value is 1800
  Idle time is 00:04:38
 Feature: Session accounting
  Method List: SME_ACCT_LIST
  Packets = 48505, Bytes = 6056279
 Feature: Portbundle Hostkey
  Portbundle IP = 62.148.0.114
  Bundle Number = 3093

Session outbound features:
 Traffic classes:
  Traffic class session ID: 1543
   ACL Name: OPENGARDEN_ACL_OUT, Packets = 523, Bytes = 206039
  Traffic class session ID: 1612
   ACL Name: INTERNET_ACL_OUT, Packets = 57902, Bytes = 75671186
  Default traffic is dropped
  Unmatched Packets = 1006, Re-classified packets (redirected) = 0
 Feature: Session accounting
  Method List: SME_ACCT_LIST
  Packets = 53097, Bytes = 68537856

Non-datapath features:
 Feature: Session Timeout
  Timeout value is 86400 seconds
  Time remaining is 22:29:48

Configuration sources associated with this session:
Service: internet_service, Active Time = 01:30:12
Service: OPENGARDEN_SERVICE, Active Time = 02:39:34
Service: PBHK_SERVICE, Active Time = 02:39:34
Interface: BVI213, Active Time = 02:39:34
R7206-itc-hp3#

NAT can't be limited by the number of sessions per host, only per VRF, or else the host has to be specified explicitly. One could specify the external address of the ISG interface, but I only started dealing with NAT after the reboot and didn't check roughly how many sessions are needed for normal operation. I do monitor CPU load, but I haven't seen any anomalies there.

Andrei · Posted September 28, 2015

> NAT can't be limited by the number of sessions per host, only per VRF, or else the host has to be specified explicitly.

This is how I have it set up:

ip nat translation max-entries all-host 650
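
Added example, not written by any poster in this thread: the last posts leave open how many NAT translations a host normally holds, which is what a per-host cap such as `ip nat translation max-entries all-host 650` and the per-port timeouts have to be sized against. The Python sketch below counts dynamic translations per inside-local host from saved `show ip nat translations` output; the sample text is constructed, and all function names are hypothetical.

```python
import ipaddress
import math
from collections import Counter

# Constructed sample in the five-column layout of `show ip nat translations`
# (Pro, Inside global, Inside local, Outside local, Outside global).
# Outside addresses are documentation ranges, not real captures.
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 61.143.0.114:1024     172.16.2.28:51000     192.0.2.10:80         192.0.2.10:80
tcp 61.143.0.114:1025     172.16.2.28:51001     192.0.2.10:80         192.0.2.10:80
tcp 61.143.0.114:1026     172.16.2.28:51002     198.51.100.7:443      198.51.100.7:443
udp 61.143.0.114:1027     172.16.2.28:53211     203.0.113.53:53       203.0.113.53:53
udp 61.143.0.114:1028     172.16.3.40:40000     203.0.113.53:53       203.0.113.53:53
tcp 61.143.0.114:1029     172.16.3.40:40001     192.0.2.10:80         192.0.2.10:80
icmp 61.143.0.114:7       172.16.1.15:7         198.51.100.7:7        198.51.100.7:7
--- 61.143.0.66           10.40.2.30            ---                   ---
"""


def split_endpoint(field):
    """Split 'a.b.c.d:port' into (IPv4Address, port); port is None if absent."""
    host, _, port = field.partition(":")
    return ipaddress.IPv4Address(host), int(port) if port else None


def parse_translations(text):
    """Return dynamic entries as dicts. The header, blank lines, static
    mappings ('---' protocol) and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] not in ("tcp", "udp", "icmp"):
            continue
        try:
            local_ip, _ = split_endpoint(cols[2])
            _, dst_port = split_endpoint(cols[4])
        except ValueError:
            continue
        entries.append({"proto": cols[0], "host": str(local_ip), "dport": dst_port})
    return entries


def per_host_counts(entries):
    """Number of translations held by each inside-local host."""
    return Counter(e["host"] for e in entries)


def hosts_over_limit(counts, limit):
    """Hosts whose translation count exceeds `limit`, busiest first."""
    return [(host, n) for host, n in counts.most_common() if n > limit]


def port_breakdown(entries, host):
    """(protocol, destination port) counts for one host, to see which
    port-timeout values would free the most entries."""
    return Counter((e["proto"], e["dport"]) for e in entries if e["host"] == host)


def nearest_rank_percentile(counts, pct):
    """Nearest-rank percentile (pct in 1..100) of the per-host counts."""
    values = sorted(counts.values())
    if not values:
        return 0
    rank = max(1, math.ceil(pct / 100 * len(values)))
    return values[rank - 1]


if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    counts = per_host_counts(entries)
    print("translations per host:", dict(counts))
    print("95th percentile:", nearest_rank_percentile(counts, 95))
    # 650 is the per-host cap quoted in the thread.
    print("hosts above 650:", hosts_over_limit(counts, 650))
    busiest = counts.most_common(1)[0][0]
    print("busiest host ports:", port_breakdown(entries, busiest).most_common(3))
```

Run it against output captured while the box is healthy and again when throughput collapses; a cap set above the healthy percentile but below the counts seen during the fault limits only the hosts that exhaust the table.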