Diman_xxxx Posted July 30, 2015

Dear Cisco folks, please help if you are willing. After migrating from a Cisco 7201 with an ancient IOS 12 to an ASR1001 with a current IOS (the config carried over almost one-to-one), we ran into a huuuge problem. Users with a positive balance in billing get authorized only on the 2nd or 3rd attempt!!! (Each subsequent attempt comes after 3 minutes, see class type control SUBSCRIBER-NETWORKS event access-reject 5 set-timer UNAUTH-TIMER 3.) BUT!!! It should not be like this!! And it was not like this on the 7201 with the old IOS (greetings to those who love to upgrade): users passed authorization instantly. Our priceless subscribers get nervous every day when they see the "no money" page via the redirect... and our chief admin just shrugs... Help with whatever you can. Here is the almost complete config.

ISG_ASR1#show running-config
Building configuration...
Current configuration : 18101 bytes
!
! Last configuration change at 11:11:41 MSK Thu Jul 23 2015 by
! NVRAM config last updated at 11:12:26 MSK Thu Jul 23 2015 by
!
version 15.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname ISG_ASR1
!
boot-start-marker
boot system flash bootflash:asr1001-universalk9.03.13.02.S.154-3.S2-ext.bin
boot system flash bootflash:asr1001-universal.03.05.01.S.152-1.S1.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging console
!
aaa new-model
!
!
aaa group server radius ISG-RADIUS
 server 192.168.130.3 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authentication login CONS none
aaa authentication enable default none
aaa authentication ppp ISG-RADIUS group ISG-RADIUS
aaa authorization exec default local
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting update newinfo periodic 1
aaa accounting network ISG-AUTH-1
 action-type start-stop
 group ISG-RADIUS
!
aaa accounting network ISG-RADIUS
 action-type start-stop
 group ISG-RADIUS
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.130.3 server-key 7 xxxxx234234234xxxx
 auth-type any
!
aaa session-id common
clock timezone MSK 0 0
no ip source-route
ip icmp rate-limit unreachable DF 2000
!
!
!
!
!
!
!
!
!
ip domain name kit.ru
ip name-server 185.100.22.22
ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
!
!
!
!
!
!
!
!
!
!
subscriber templating
service-policy type control ISG-CUSTOMERS-POLICY
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
license udi pid ASR1001 sn JAE162101MK
license accept end user agreement
license boot level adventerprise
file prompt quiet
spanning-tree extend system-id
!
username root privilege 15
!
redundancy
 mode none
redirect server-group REDIRECT_NOPAY
 server ip 22.77.44.4 port 80
!
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host bill_adm 11 root enable
ip rcmd remote-host root 192.168.130.16 root enable
ip rcmd remote-host root 192.168.130.16 www-data enable
class-map type traffic match-any CLASS-BILLING-DOWN
 match access-group input name ACL-BILLING-DOWN
 match access-group output name ACL-BILLING-DOWN
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input 100
!
class-map type traffic match-any CLASS-TRUSTED
 match access-group input 198
!
class-map type control match-any SUBSCRIBER-NETWORKS
 match source-ip-address один.0 255.255.255.0
 match source-ip-address два.0 255.255.252.0
 match source-ip-address три.0 255.255.254.0
 match source-ip-address четыре.0 255.255.252.0
!
class-map type control match-all ISG-IP-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!
policy-map type service LOCAL_L4R
 1 class type traffic CLASS-TO-REDIRECT
  redirect to group REDIRECT_NOPAY
 !
 class type traffic default input
  drop
 !
!
policy-map type service SERVICE-TRUSTED
 1 class type traffic CLASS-TRUSTED
  police input 64000 8000 16000
  police output 64000 8000 16000
 !
 class type traffic default input
  drop
 !
!
policy-map type service allow_for_unauthen
 1 class type traffic CLASS-TRUSTED
  police input 512000
  police output 512000
 !
 class type traffic default input
  drop
 !
!
policy-map type service SERVICE-BILLING-DOWN
 class type traffic CLASS-BILLING-DOWN
  timeout absolute 1800
  police input 10000000
  police output 10000000
 !
 class type traffic default input
  drop
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control SUBSCRIBER-NETWORKS event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
 !
 class type control SUBSCRIBER-NETWORKS event access-reject
  5 set-timer UNAUTH-TIMER 3
  10 service-policy type service name SERVICE-TRUSTED
  20 service-policy type service name LOCAL_L4R
 !
 class type control SUBSCRIBER-NETWORKS event radius-timeout
  5 set-timer UNAUTH-TIMER 3
  10 service-policy type service name SERVICE-BILLING-DOWN
 !
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel2
 description ===SUBSCRIBERS-MAIN===
 no ip address
 no negotiation auto
!
interface Port-channel2.10
 description OSPF
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.252
!
interface Port-channel2.130
 description VLAN130
 encapsulation dot1Q 130
 ip address 192.168.130.1 255.255.255.0
 ip nat inside
 ip access-group 199 in
!
interface Port-channel2.144
 description GPON_144
 encapsulation dot1Q 144
 ip address 185.100.144.1 255.255.255.0
 ip helper-address cisco_ip
 ip verify unicast source reachable-via any
 ip access-group 180 out
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
........ about thirty similar ones ........
!
interface GigabitEthernet0/0/0
 description MEGA
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.911
 description MEGA_911_TRANK
 encapsulation dot1Q 911
 ip address 888.999.333.111 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/1
 description MEGA_Line1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/2
 description MEGA_Line2
 no ip address
 negotiation auto
 channel-group 2
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 channel-group 2
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router bgp 77777
 bgp router-id 66.77.111.1
 bgp log-neighbor-changes
 neighbor MEGA peer-group
 neighbor MEGA remote-as #mega_AS
 neighbor 88.44.44.44 peer-group MEGA
 neighbor 88.44.44.44 description MegaFon
 !
 address-family ipv4
  network один.0 mask 255.255.255.0
  network два.0 mask 255.255.252.0
  network три.0 mask 255.255.252.0
  network четыре.0 mask 255.255.252.0
  redistribute connected
  neighbor MEGA send-community
  neighbor MEGA prefix-list PR-TO-MEGA out
  neighbor MEGA route-map MAP-FROM-MEGA in
  neighbor MEGA route-map MAP-TO-MEGA out
  neighbor 88.54.44.44 activate
 exit-address-family
!
ip forward-protocol nd
!
ip bgp-community new-format
ip as-path access-list 8 permit 43
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^1
ip as-path access-list 8 permit 34
ip as-path access-list 8 permit ^1
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^1
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^123
ip as-path access-list 8 permit ^123
ip as-path access-list 8 permit ^123
ip as-path access-list 8 permit ^12
ip as-path access-list 8 deny _57
ip as-path access-list 8 permit ^12
no ip http server
no ip http secure-server
ip route 66.77.140.0 255.255.255.0 Null0 254
ip route 88.44.212.0 255.255.252.0 Null0 254
ip route 88.44.212.244 255.255.255.252 81.4.212.243
ip route 88.44.214.80 255.255.255.252 81.4.214.79
ip route 88.44.214.84 255.255.255.252 81.4.214.78
ip route 88.44.222.0 255.255.254.0 Null0 254
ip route 172.16.28.0 255.255.252.0 10.10.10.2 // OSPF interface on L3
ip route 88.44.24.0 255.255.252.0 Null0 254
!
ip access-list extended ACL-BILLING-DOWN
 permit ip any any
!
!
ip prefix-list PR-TO-MEGA seq 10 permit один.0/24
ip prefix-list PR-TO-MEGA seq 20 permit два.0/22
ip prefix-list PR-TO-MEGA seq 30 permit три.0/22
ip prefix-list PR-TO-MEGA seq 40 permit четыре.0/22
access-list 11 permit 192.168.130.3 // billing IP
access-list 11 deny any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
access-list 180 permit tcp host ип_один один 0.0.3.255 eq www
access-list 180 permit tcp host ип_два один 0.0.3.255 eq www
.....................
access-list 180 permit tcp any any
access-list 180 permit ip any any
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit icmp any any
access-list 198 permit tcp any host 213.180.204.10
access-list 198 permit tcp host 213.180.204.10 any
access-list 198 permit tcp any host 91.200.28.169
access-list 198 permit tcp host 91.200.28.169 any
access-list 198 permit tcp any host 91.209.85.201
access-list 198 permit tcp host 91.209.85.201 any
access-list 198 permit tcp any 194.54.14.0 0.0.0.255
access-list 198 permit tcp 194.54.14.0 0.0.0.255 any
access-list 198 permit tcp any host 195.225.39.52
access-list 198 permit tcp host 195.225.39.52 any
access-list 198 permit tcp any host 212.118.48.43
access-list 198 permit tcp host 212.118.48.43 any
access-list 198 permit tcp any host 213.180.204.32
access-list 198 permit tcp host 213.180.204.32 any
access-list 198 permit tcp any host 216.136.151.51
access-list 198 permit tcp host 216.136.151.51 any
access-list 198 permit tcp any host 93.190.87.221
access-list 198 permit tcp host 93.190.87.221 any
access-list 198 permit tcp any host 109.235.163.229
access-list 198 permit tcp host 109.235.163.229 any
access-list 198 permit tcp any host 80.93.62.195
access-list 198 permit tcp host 80.93.62.195 any
access-list 198 deny ip any any
access-list 199 permit ip 192.168.130.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 199 deny ip any any
!
route-map MAP-FROM-MEGA permit 9
 set local-preference 109
!
route-map MAP-TO-MEGA permit 10
!
snmp-server community sssssssss RW
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333
radius-server vsa send cisco-nas-port
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet
!
ntp master 5
ntp server
ntp server
!
end
ISG_ASR1#

ShyLion Posted July 31, 2015

Then you need to look at the RADIUS log and see what it is answering.

Diman_xxxx Posted July 31, 2015

> Then you need to look at the RADIUS log and see what it is answering.

From the billing side, I take it?

zhenya` Posted July 31, 2015

Set the timeout for RADIUS higher. Your RADIUS is probably choking.

ShyLion Posted July 31, 2015

> > Then you need to look at the RADIUS log and see what it is answering.
> From the billing side, I take it?

From anywhere, really.
You can debug on the Cisco:
debug radius
You can sniff with tcpdump on the server:
tcpdump -s0 -nnvvi eth0 udp and host cisco_asr
You can look with the billing system's own tools, if it allows that.

Diman_xxxx Posted July 31, 2015

I'm only on formal terms with Cisco ) So if you just tell me what to press, I'll show the result. Authorization is by IP. Here is sh log (after debug radius):

ISG_ASR1#sh log
Syslog logging: enabled (0 messages dropped, 253 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level debugging, 1113170 messages logged, xml disabled, filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 228176 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (4096 bytes):
DIUS: Acct-Delay-Time [41] 6 0
792871: Jul 31 06:19:30.704 MSK: RADIUS(000AC988): Sending a IPv4 Radius Packet
792872: Jul 31 06:19:30.705 MSK: RADIUS(000AC988): Started 5 sec timeout
792873: Jul 31 06:19:30.706 MSK: RADIUS: Received from id 1646/163 192.168.130.3:1813, Accounting-response, len 20
792874: Jul 31 06:19:30.706 MSK: RADIUS: authenticator AC 44 F4 C3 1D 39 7C - 37 FA A6 37 04 2B 72
792875: Jul 31 06:19:31.055 MSK: RADIUS/ENCODE(000AC844):Orig. component type = Iedge IP SIP
792876: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Config NAS IP: 0.0.0.0
792877: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Config NAS IPv6: ::
792878: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Config NAS IP: 0.0.0.0
792879: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): sending
792880: Jul 31 06:19:31.055 MSK: RADIUS/ENCODE: Best Local IP-Address 192.168.130.1 for Radius-Server 192.168.130.3
792881: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Send Accounting-Request to 192.168.130.3:1813 id 1646/164, len 342
792882: Jul 31 06:19:31.055 MSK: RADIUS: authenticator A4 6B 9D 6B 13 62 - 0A 3E 42 43 10 FE
792883: Jul 31 06:19:31.055 MSK: RADIUS: Acct-Session-Id [44] 18 "C0A88201000AC83A"
792884: Jul 31 06:19:31.055 MSK: RADIUS: Framed-IP-Address [8] 6 185.100.25.3
792885: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 64
792886: Jul 31 06:19:31.056 MSK: RADIUS: ssg-account-info [250] 58 "QU;51200000;1024000;51200000;D;51200000;1024000;51200000"
792887: Jul 31 06:19:31.056 MSK: RADIUS: Framed-Protocol [7] 6 PPP [1]
792888: Jul 31 06:19:31.056 MSK: RADIUS: User-Name [1] 14 "185.100.25.3"
792889: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 32
792890: Jul 31 06:19:31.056 MSK: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
792891: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 18
792892: Jul 31 06:19:31.056 MSK: RADIUS: ssg-control-info [253] 12 "I0;4196302"
792893: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 19
792894: Jul 31 06:19:31.056 MSK: RADIUS: ssg-control-info [253] 13 "O0;73691300"
792895: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Session-Time [46] 6 10823
792896: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Input-Octets [42] 6 4196302
792897: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Output-Octets [43] 6 73691300
792898: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Input-Packets [47] 6 36922
792899: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Output-Packets [48] 6 56990
792900: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Authentic [45] 6 Local [2]
792901: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
792902: Jul 31 06:19:31.056 MSK: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
792903: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 18
792904: Jul 31 06:19:31.056 MSK: RADIUS: cisco-nas-port [2] 12 "15/0/2/251"
792905: Jul 31 06:19:31.056 MSK: RADIUS: NAS-Port [5] 6 0
792906: Jul 31 06:19:31.056 MSK: RADIUS: NAS-Port-Id [87] 12 "15/0/2/251"
792907: Jul 31 06:19:31.056 MSK: RADIUS: Class [25] 10
792908: Jul 31 06:19:31.056 MSK: RADIUS: 30 30 30 30 36 31 39 39 [ 00006199]
792909: Jul 31 06:19:31.056 MSK: RADIUS: Service-Type [6] 6 Framed [2]
792910: Jul 31 06:19:31.056 MSK: RADIUS: NAS-IP-Address [4] 6 192.168.130.1
792911: Jul 31 06:19:31.056 MSK: RADIUS: home-hl-prefix [151] 10 "3435C16D"
792912: Jul 31 06:19:31.056 MSK: RADIUS: Event-Timestamp [55] 6 1438323571
792913: Jul 31 06:19:31.056 MSK: RADIUS: Nas-Identifier [32] 17 "ISG_ASR1.kit.ru"
792914: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Delay-Time [41] 6 0
ISG_ASR1#

and another one:

Log Buffer (4096 bytes):
Delay-Time [41] 6 0
916203: Jul 31 06:22:22.593 MSK: RADIUS(000ACA00): Sending a IPv4 Radius Packet
916204: Jul 31 06:22:22.593 MSK: RADIUS(000ACA00): Started 5 sec timeout
916205: Jul 31 06:22:22.595 MSK: RADIUS: Received from id 1646/130 192.168.130.3:1813, Accounting-response, len 20
916206: Jul 31 06:22:22.595 MSK: RADIUS: authenticator 4F 84 39 06 0B A5 C8 - 6E 2F C0 D1 EF 15 C7
916207: Jul 31 06:22:22.721 MSK: RADIUS/ENCODE(000A9586):Orig. component type = Iedge IP SIP
916208: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Config NAS IP: 0.0.0.0
916209: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Config NAS IPv6: ::
916210: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Config NAS IP: 0.0.0.0
916211: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): sending
916212: Jul 31 06:22:22.721 MSK: RADIUS/ENCODE: Best Local IP-Address 192.168.130.1 for Radius-Server 192.168.130.3
916213: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Send Accounting-Request to 192.168.130.3:1813 id 1646/131, len 357
916214: Jul 31 06:22:22.721 MSK: RADIUS: authenticator 4C 9A 29 84 40 34 09 - 99 DC B5 75 7E 88 59
916215: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Session-Id [44] 18 "C0A88201000A957C"
916216: Jul 31 06:22:22.721 MSK: RADIUS: Framed-IP-Address [8] 6 81.4.214.48
916217: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 62
916218: Jul 31 06:22:22.721 MSK: RADIUS: ssg-account-info [250] 56 "QU;10240000;1024000;1536000;D;10240000;1024000;1536000"
916219: Jul 31 06:22:22.721 MSK: RADIUS: Framed-Protocol [7] 6 PPP [1]
916220: Jul 31 06:22:22.721 MSK: RADIUS: User-Name [1] 13 "81.4.214.48"
916221: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 32
916222: Jul 31 06:22:22.721 MSK: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
916223: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 20
916224: Jul 31 06:22:22.721 MSK: RADIUS: ssg-control-info [253] 14 "I0;133797405"
916225: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 21
916226: Jul 31 06:22:22.721 MSK: RADIUS: ssg-control-info [253] 15 "O1;1439571421"
916227: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Session-Time [46] 6 76270
916228: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Input-Giga-Word[52] 6 0
916229: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Output-Giga-Wor[53] 6 1
916230: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Input-Octets [42] 6 133797405
916231: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Output-Octets [43] 6 1439571421
916232: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Input-Packets [47] 6 1467613
916233: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Output-Packets [48] 6 4071390
916234: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Authentic [45] 6 Local [2]
916235: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
916236: Jul 31 06:22:22.721 MSK: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
916237: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 19
916238: Jul 31 06:22:22.721 MSK: RADIUS: cisco-nas-port [2] 13 "15/0/2/2141"
916239: Jul 31 06:22:22.721 MSK: RADIUS: NAS-Port [5] 6 0
916240: Jul 31 06:22:22.721 MSK: RADIUS: NAS-Port-Id [87] 13 "15/0/2/2141"
916241: Jul 31 06:22:22.721 MSK: RADIUS: Class [25] 10
916242: Jul 31 06:22:22.721 MSK: RADIUS: 30 30 30 30 35 34 33 30 [ 00005430]
916243: Jul 31 06:22:22.721 MSK: RADIUS: Service-Type [6] 6 Framed [2]
916244: Jul 31 06:22:22.721 MSK: RADIUS: NAS-IP-Address [4] 6 192.168.130.1
916245: Jul 31 06:22:22.721 MSK: RADIUS: home-hl-prefix [151] 10 "385B0EDF"
916246: Jul 31 06:22:22.721 MSK: RADIUS: Event-Timestamp [55] 6 1438323742
ISG_ASR1#

At 6:20 I was just resetting everyone's authorization so that the sessions would start while everyone is asleep.
As for billing: right now there is a log of one and a half gigs. Which lines should I search for / what should I look at?

Diman_xxxx Posted July 31, 2015

> Set the timeout for RADIUS higher. Your RADIUS is probably choking.

Thanks, and how do I do that?

zhenya` Posted July 31, 2015

radius-server transaction max-tries 5
radius-server timeout 30

Diman_xxxx Posted July 31, 2015

> radius-server transaction max-tries 5
> radius-server timeout 30

It complained about the first line:

ISG_ASR1(config)#radius-server transaction max-tries 5
% Radius retry method reorder not configured
ISG_ASR1(config)#radius-server timeout 30
ISG_ASR1(config)#

Maybe I should try this. Is this what it wants?:
radius-server retry method reorder

Diman_xxxx Posted July 31, 2015

By the way!!! On the 7201 it was:

!
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!

and on the ASR1001 it became:

!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333
radius-server vsa send cisco-nas-port
!
!

That is, these lines are missing:
radius-server vsa send accounting
radius-server vsa send authentication
because for some reason it does not want them (although it does not complain when they are entered).
Could this be it?

ShyLion Posted July 31, 2015

> 792873: Jul 31 06:19:30.706 MSK: RADIUS: Received from id 1646/163 192.168.130.3:1813, Accounting-response, len 20

And where are the authorization requests and the replies to them?

> radius-server attribute 44 include-in-access-req default-vrf
> radius-server attribute 44 extend-with-addr
> radius-server attribute 8 include-in-access-req
> radius-server attribute 32 include-in-accounting-req
> radius-server attribute 55 include-in-acct-req
> radius-server attribute 31 mac format unformatted
> radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333
> radius-server vsa send cisco-nas-port
> !
> !
> That is, these lines are missing:
> radius-server vsa send accounting
> radius-server vsa send authentication

That is normal, the configuration method simply changed because the IOS is different. The old commands are just translated into the new ones for compatibility.

> I'm only on formal terms with Cisco ) So if you just tell me what to press, I'll show the result.

With that level of knowledge it is better not to go near something like this right away. You need to practice on something simpler.

Diman_xxxx Posted July 31, 2015

> That is normal, the configuration method simply changed because the IOS is different. The old commands are just translated into the new ones for compatibility.
> > I'm only on formal terms with Cisco ) So if you just tell me what to press, I'll show the result.
> With that level of knowledge it is better not to go near something like this right away. You need to practice on something simpler.

Thanks. Those who are on first-name terms with it have not managed to do anything so far either.

Diman_xxxx Posted July 31, 2015

> > radius-server transaction max-tries 5
> > radius-server timeout 30
> It complained about the first line:
> ISG_ASR1(config)#radius-server transaction max-tries 5
> % Radius retry method reorder not configured
> ISG_ASR1(config)#radius-server timeout 30
> ISG_ASR1(config)#

And can I add this without doing harm:
radius-server retry method reorder
radius-server retransmit 0
radius-server transaction max-tries 5
radius-server timeout 30
?

zhenya` Posted August 1, 2015 (edited)

Set radius-server retransmit to 2.
P.S. logging buffered 80960
Are there no messages in the log about RADIUS dead? )

Edited August 1, 2015 by zhenya`

Diman_xxxx Posted August 1, 2015

> Set radius-server retransmit to 2.
> P.S. logging buffered 80960
> Are there no messages in the log about RADIUS dead? )

Thanks! I have not seen any messages about radius dead.
I set:
radius-server retransmit 2
logging buffered 80960
We are watching. A piece of the log is in the attachment.
And where do I look for the rejects here?
sh log.txt

zhenya` Posted August 1, 2015

debug radius authentication
Turn on this debug.

Diman_xxxx Posted August 1, 2015

> debug radius authentication
> Turn on this debug.

Turned it on, here is what it printed:

ISG_ASR1#debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius elog debugging debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

log.txt

zhenya` Posted August 1, 2015

The log still contains only accounting.

Diman_xxxx Posted August 1, 2015

> The log still contains only accounting.

Did authorization simply not make it into the log, or is it not being included in the log?

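One way to answer that question from a saved `debug radius` capture, as an added example that is not part of the original thread: tally packet types and pair each request with its reply by the `port/identifier` id. The function name `tally` is hypothetical; the first two sample lines are copied from the log posted above, the last three are constructed on the same pattern.

```python
import re
from collections import Counter

# Lines 1-2 are copied from the log posted in the thread. Lines 3-5 are
# CONSTRUCTED on the same pattern to show what an authentication exchange
# looks like next to the accounting traffic.
SAMPLE_LOG = """\
792873: Jul 31 06:19:30.706 MSK: RADIUS: Received from id 1646/163 192.168.130.3:1813, Accounting-response, len 20
792881: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Send Accounting-Request to 192.168.130.3:1813 id 1646/164, len 342
900001: Jul 31 06:20:01.100 MSK: RADIUS(000AC990): Send Access-Request to 192.168.130.3:1812 id 1645/35, len 173
900002: Jul 31 06:20:01.131 MSK: RADIUS: Received from id 1645/35 192.168.130.3:1812, Access-Reject, len 20
900003: Jul 31 06:20:02.400 MSK: RADIUS(000AC991): Send Access-Request to 192.168.130.3:1812 id 1645/36, len 173
"""

SEND = re.compile(r"Send (?P<type>[A-Za-z-]+) to \S+ id (?P<id>\d+/\d+), len \d+")
RECV = re.compile(r"Received from id (?P<id>\d+/\d+) \S+ (?P<type>[A-Za-z-]+), len \d+")


def tally(log_text):
    """Count RADIUS packet types and pair requests with replies by id.

    The id is "source-port/identifier". The identifier is 8 bits wide and is
    reused, so pairing is only meaningful inside a short capture window.
    """
    counts = Counter()
    pending = {}    # id -> request type still waiting for a reply
    orphans = []    # replies whose request is not in the capture
    rejected = []   # ids answered with Access-Reject
    for line in log_text.splitlines():
        sent = SEND.search(line)
        if sent:
            counts[sent["type"]] += 1
            pending[sent["id"]] = sent["type"]
            continue
        got = RECV.search(line)
        if got:
            counts[got["type"]] += 1
            if pending.pop(got["id"], None) is None:
                # Typical for a small log buffer: the request has already
                # scrolled out and only the reply is left.
                orphans.append(got["id"])
            if got["type"] == "Access-Reject":
                rejected.append(got["id"])
    return {
        "counts": dict(counts),
        "auth_seen": any(t.startswith("Access-") for t in counts),
        "unanswered": sorted(pending),
        "orphan_replies": orphans,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in tally(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If `auth_seen` is false for a capture, the buffer held accounting only, which is what a 4096-byte log buffer full of Watchdog updates produces.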
zhenya` Posted August 1, 2015

Let's see show radius statistics.

Diman_xxxx Posted August 1, 2015 (edited)

> Let's see show radius statistics.

Here:

ISG_ASR1#show radius statistics
                                  Auth.      Acct.       Both
Maximum inQ length:                  NA         NA       1989
Maximum waitQ length:                NA         NA       2443
Maximum doneQ length:                NA         NA        655
Total responses seen:            521612   33341118   33862730
Packets with responses:          520406   33340807   33861213
Packets without responses:        41112    2724377    2765489
Access Rejects :                 491847
Average response delay(ms):          61          4          5
Maximum response delay(ms):       90160      30068      90160
Number of Radius timeouts:       166172   10906743   11072915
Duplicate ID detects:                 0          0          0
Buffer Allocation Failures:           0          0          0
Maximum Buffer Size (bytes):        177        429        429
Malformed Responses :                 0          0          0
Bad Authenticators :                  0       2618       2618
Unknown Responses :                   0          0          0
Source Port Range: (2 ports only) 1645 - 1646
Last used Source Port/Identifier: 1645/110 1646/25
Elapsed time since counters last cleared: 14w1d7h47m
Radius Latency Distribution:
<= 2ms :          0   16661063
3-5ms :         317   16365771
5-10ms :         18     238226
10-20ms:       1372      55005
20-50ms:     488560       7844
50-100m:      22684       2083
>100ms :       7455      10815
Current inQ length : 0
Current doneQ length: 0
ISG_ASR1#

OMG, the Rejects turned up and there are a lot of them. Is that normal?

Edited August 1, 2015 by Diman_xxxx

zhenya` Posted August 2, 2015

Both the timeouts and the empty packets are not normal. Clear the stats and watch.

Diman_xxxx Posted August 2, 2015

> Both the timeouts and the empty packets are not normal. Clear the stats and watch.

Thanks. The stats as of now:

ISG_ASR1#show radius statistics
                                  Auth.      Acct.       Both
Maximum inQ length:                  NA         NA       1989
Maximum waitQ length:                NA         NA       2443
Maximum doneQ length:                NA         NA        655
Total responses seen:            533825   34352900   34886725
Packets with responses:          532619   34352589   34885208
Packets without responses:        41112    2724786    2765898
Access Rejects :                 503176
Average response delay(ms):          61          4          5
Maximum response delay(ms):       90160      30068      90160
Number of Radius timeouts:       166172   10908057   11074229
Duplicate ID detects:                 0          0          0
Buffer Allocation Failures:           0          0          0
Maximum Buffer Size (bytes):        177        429        429
Malformed Responses :                 0          0          0
Bad Authenticators :                  0       4020       4020
Unknown Responses :                   0          0          0
Source Port Range: (2 ports only) 1645 - 1646
Last used Source Port/Identifier: 1645/35 1646/24
Elapsed time since counters last cleared: 14w2d1h29m
Radius Latency Distribution:
<= 2ms :          0   17273413
3-5ms :         317   16760527
5-10ms :         18     240653
10-20ms:       1433      56524
20-50ms:     499939       8139
50-100m:      23307       2161
>100ms :       7605      11172
Current inQ length : 0
Current doneQ length: 0

I'll clear them now.
Snapshot after 1.5 minutes:

ISG_ASR1#show radius statistics
                                  Auth.      Acct.       Both
Maximum inQ length:                  NA         NA          4
Maximum waitQ length:                NA         NA          4
Maximum doneQ length:                NA         NA          0
Total responses seen:                20       1073       1093
Packets with responses:              20       1073       1093
Packets without responses:            0          0          0
Access Rejects :                     19
Average response delay(ms):          31          2          2
Maximum response delay(ms):          90         13         90
Number of Radius timeouts:            0          0          0
Duplicate ID detects:                 0          0          0
Buffer Allocation Failures:           0          0          0
Maximum Buffer Size (bytes):        173        407        407
Malformed Responses :                 0          0          0
Bad Authenticators :                  0          0          0
Unknown Responses :                   0          0          0
Source Port Range: (2 ports only) 1645 - 1646
Last used Source Port/Identifier: 1645/114 1646/201
Elapsed time since counters last cleared: 1m
Radius Latency Distribution:
<= 2ms :          0        644
3-5ms :           0        427
5-10ms :          0          0
10-20ms:          1          2
20-50ms:         17          0
50-100m:          2          0
>100ms :          0          0

ShyLion Posted August 3, 2015 (edited)

> Total responses seen: 20 1073 1093
> Packets with responses: 20 1073 1093
> Access Rejects : 19

20-19=1: one positive reply from billing out of 20. Although it could be a misconfigured client that keeps hammering away. In short, you need to look at the billing logs.

Edited August 3, 2015 by ShyLion

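The same arithmetic applied to every snapshot posted in the thread, as an added example that is not part of the original posts: it parses the three-column counter rows of `show radius statistics` and also computes the growth between the two cumulative snapshots, which goes one step beyond the single subtraction above. The function names are hypothetical; the counter rows are copied from the posted output, with unused rows left out.

```python
# Counter rows copied from the snapshots posted in the thread
# (columns: Auth. / Acct. / Both). Rows not used here are left out.
SNAPSHOT_AUG1 = """
Total responses seen: 521612 33341118 33862730
Packets without responses: 41112 2724377 2765489
Access Rejects : 491847
Number of Radius timeouts: 166172 10906743 11072915
Bad Authenticators : 0 2618 2618
"""
SNAPSHOT_AUG2 = """
Total responses seen: 533825 34352900 34886725
Packets without responses: 41112 2724786 2765898
Access Rejects : 503176
Number of Radius timeouts: 166172 10908057 11074229
Bad Authenticators : 0 4020 4020
"""
SNAPSHOT_AFTER_CLEAR = """
Maximum inQ length: NA NA 4
Total responses seen: 20 1073 1093
Packets without responses: 0 0 0
Access Rejects : 19
Number of Radius timeouts: 0 0 0
Bad Authenticators : 0 0 0
Last used Source Port/Identifier: 1645/114 1646/201
"""

COLUMNS = ("auth", "acct", "both")


def parse_stats(text):
    """Return {label: {"auth": n, "acct": n, "both": n}}; "NA" becomes None.

    Rows with a single value (Access Rejects) fill only "auth". Rows whose
    values are not plain counters (port/identifier pairs, the two-column
    latency histogram) are skipped.
    """
    stats = {}
    for line in text.splitlines():
        label, sep, rest = line.rpartition(":")
        tokens = rest.split()
        if not sep or not tokens:
            continue
        if not all(t == "NA" or t.isdigit() for t in tokens):
            continue
        values = [None if t == "NA" else int(t) for t in tokens]
        if len(values) == 3:
            stats[label.strip()] = dict(zip(COLUMNS, values))
        elif len(values) == 1:
            stats[label.strip()] = {"auth": values[0]}
    return stats


def delta(older, newer):
    """Growth of each counter between two cumulative snapshots."""
    out = {}
    for label, cols in newer.items():
        old = older.get(label, {})
        out[label] = {c: v - old[c] for c, v in cols.items()
                      if v is not None and old.get(c) is not None}
    return out


def auth_summary(stats):
    """Reject share of authentication replies, as computed in the thread.

    "other_replies" is responses minus rejects; treating all of them as
    accepts is an assumption (the counters do not list accepts separately).
    """
    responses = stats["Total responses seen"]["auth"]
    rejects = stats["Access Rejects"]["auth"]
    return {
        "responses": responses,
        "rejects": rejects,
        "other_replies": responses - rejects,
        "reject_pct": round(100.0 * rejects / responses, 1) if responses else 0.0,
        "timeouts": stats["Number of Radius timeouts"]["auth"],
        # Accounting replies whose authenticator field failed validation.
        "acct_bad_authenticators": stats["Bad Authenticators"]["acct"],
    }


if __name__ == "__main__":
    print("after clear:", auth_summary(parse_stats(SNAPSHOT_AFTER_CLEAR)))
    growth = delta(parse_stats(SNAPSHOT_AUG1), parse_stats(SNAPSHOT_AUG2))
    print("between cumulative snapshots:", auth_summary(growth))
```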
ShyLion Posted August 3, 2015

For comparison, my statistics:

                                  Auth.      Acct.       Both
Maximum inQ length:                  NA         NA         13
Maximum waitQ length:                NA         NA        226
Maximum doneQ length:                NA         NA         12
Total responses seen:            437830   31256520   31694350
Packets with responses:          386912   31256096   31643008
Packets without responses:       104859      57572     162431
Access Rejects :                 403079
Average response delay(ms):          16          1          1
Maximum response delay(ms):       20099      18507      20099
Number of Radius timeouts:       419160     231109     650269

A pile of Rejects comes from one single subscriber who has a moronic router with TWO pppoe accounts, one of which is bogus, but the router continuously tries to bring it up at the same time as the legitimate, working one. It clutters up the billing log.