simpl3x Posted March 15, 2022

We have an ASR1006-X acting as a BRAS. The clients are L2 IPoE. The subscriber-facing interfaces are configured like this:

!
policy-map type control IPoE-SUBSCRIBER-CONTROL
 class type control IPoE-UNAUTH-CLASS event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list IPoE-AAA password isg-radius-key identifier source-ip-address
  90 set-timer IPoE-UNAUTH-TIMER 10
  110 service-policy type service name IPoE-OPENGARDEN-POLICY
  210 service-policy type service name IPoE-REDIRECT-POLICY
 !
 class type control always event session-restart
  10 authorize aaa list IPoE-AAA password isg-radius-key identifier source-ip-address
  90 set-timer IPoE-UNAUTH-TIMER 10
  110 service-policy type service name IPoE-OPENGARDEN-POLICY
  210 service-policy type service name IPoE-REDIRECT-POLICY
 !
 class type control always event radius-timeout
  90 set-timer IPoE-UNAUTH-TIMER 5
  100 service-policy type service name IPoE-FORWARD-POLICY
 !
 class type control always event account-logoff
  10 service disconnect delay 10
 !
 class type control always event access-reject
  90 set-timer IPoE-UNAUTH-TIMER 10
  110 service-policy type service name IPoE-OPENGARDEN-POLICY
  210 service-policy type service name IPoE-REDIRECT-POLICY
  220 service-policy type service name IPoE-FORWARD-LITE-POLICY
 !
 class type control always event service-failed
  10 log-session-state aaa list IPoE-AAA
 !
!
interface Port-channel1.500
 description "== ACCESS SUBSCRIBERS INTERFACE SVLAN:500 =="
 encapsulation dot1Q 500 second-dot1q any
 ip dhcp relay information option server-id-override
 ip dhcp relay information option-insert
 ip dhcp relay information policy-action replace
 ip unnumbered Loopback0
 ip helper-address IP_HELPER
 ip nat inside
 ip access-group SUBSCRIBER-FILTER-NETWORKS in
 no ip route-cache same-interface
 arp timeout 43200
 service-policy type control IPoE-SUBSCRIBER-CONTROL
 ip subscriber l2-connected
  initiator unclassified mac-address
  initiator dhcp
end

In general, everything works fine when the client starts via DHCP. But sometimes a client, for whatever reason, shows up at the BRAS with a static address instead of DHCP. In that case it is a matter of luck, but 90% of the time the client stays unauthorized on the BRAS. Judging by the debug output, at the moment the client cannot authorize, the BRAS simply does not see traffic from the client. The first packet from the client at that moment is an ARP Request for the BRAS address, and the BRAS does not answer it.
In the drop statistics I see something like this, and as I understand it, it is dropping ARP?

#show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
BadIpChecksum                                2135                  438693
Discard                                  10184612              1094010568
EsfDrlDrop                              651243993            964953367007
EsfL4rTransSessLimit                       155278                13073384
EsfTcDrop                                29598543              8000806822
EssBadSessUidb                            2112328               162173852
EssIpsubDrop                                    1                     387
EssIpsubFsolDrop                        132776765             65954988780
EssIpsubKaDrop                                 35                    2266
ForUs                                   356200871             31076504538
Icmp                                       102938                13727969
IpFormatErr                                  7671                 1554547
IpTtlExceeded                             1319295                95841413
IpsecInput                                    274                   67373
Ipv4Acl                                    286941                77528979
Ipv4Martian                                 80929                13622861
Ipv4NoAdj                                  537833                54044813
Ipv4Unclassified                           191566                94593033
MacMcastIpNonmcast                           1855                  792242
NatIn2out                                 2256747               225914236
PuntPerCausePolicerDrops                   816313                81679664
QosPolicing                                  2857                  581615
ReassBadLen                                  1081                   74595
ReassDrop                                 2365876              1792574554
ReassNoFragInfo                           2355400              1977653057
ReassOverlap                                   48                   30739
ReassTimeout                              1170653                13923671
TooManyIPv4ReassSession                        53                   70920
UnconfiguredIpv4Fia                       1316972               355086647
UnconfiguredIpv6Fia                      15490473              1952760700

#show platform hardware qfp active infrastructure punt statistics type per-cause
Global Per Cause Statistics
  Number of punt causes = 110
  Per Punt Cause Statistics
                                                 Packets          Packets
  Counter ID  Punt Cause Name                    Received         Transmitted
  ------------------------------------------------------------------------------------------------
  ...
  007         ARP request or response            235664452        116568662
  ...

Are there some limits for this case? How can this be fixed?
simpl3x Posted March 15, 2022

An example where the session did not start. I switched the client's interface from DHCP to static:

007110: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: Sending a Session Update ID Mgr request
007111: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: Updating ID Mgr with the following data- smgr hdl0xC9010697 : remote-id-tag 0 "030c000064400001f10001f40a3b"
007112: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: ID Mgr returned status: 'updated' for Session Update
007113: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: Processing a client disconnect
007114: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: Handling Send Service Disconnect action
007115: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: Framed ip/pbhk attributes gathering complete for ctx 7F7B697AF230
007116: Mar 15 17:25:03.620 GMT: SSS MGR [uid:4942]: Framed ip/pbhk attributes gathering complete for ctx 7F7B7520A648
007117: Mar 15 17:25:03.621 GMT: SSS INFO: Element type is IETF-Disc-Cause = 1 (00000001)
007118: Mar 15 17:25:03.621 GMT: SSS INFO: Element type is Ascend-Disc-Cause = 9 (00000009)
007119: Mar 15 17:25:03.621 GMT: SSS MGR [uid:4942]: Handling Disconnecting, Network Service Feature Clean action
007120: Mar 15 17:25:03.621 GMT: SSS MGR [uid:4942]: Disconnect ack sent
007121: Mar 15 17:25:03.622 GMT: SSS MGR [uid:4942]: Sending a Session End ID Mgr request
007122: Mar 15 17:25:03.622 GMT: SSS MGR [uid:4942]: ID Mgr returned status: 'deleted' for Session End
007123: Mar 15 17:25:03.622 GMT: SSS MGR [uid:4942]: Publish session done aaa 267363, uid 4942
007124: Mar 15 17:25:03.622 GMT: IP Subscriber Module Debug: Condition 1, mac-address 0050.5686.fd5e cleared, count 0
007125: Mar 15 17:25:03.623 GMT: DHCP SIP Module Debug: Condition 1, mac-address 0050.5686.fd5e cleared, count 0

Two minutes later I did the same thing and a miracle happened:

007198: Mar 15 17:29:34.718 GMT: SSS MGR [uid:1416]: Sending a Session Update ID Mgr request
007199: Mar 15 17:29:34.718 GMT: SSS MGR [uid:1416]: Updating ID Mgr with the following data- smgr hdl0x5A03005F : remote-id-tag 0 "030c000064400001f10001f40a3b"
007200: Mar 15 17:29:34.718 GMT: SSS MGR [uid:1416]: ID Mgr returned status: 'updated' for Session Update
007201: Mar 15 17:29:34.719 GMT: SSS MGR [uid:1416]: Processing a client disconnect
007202: Mar 15 17:29:34.719 GMT: SSS MGR [uid:1416]: Handling Send Service Disconnect action
007203: Mar 15 17:29:34.719 GMT: SSS MGR [uid:1416]: Framed ip/pbhk attributes gathering complete for ctx 7F7B6909FD58
007204: Mar 15 17:29:34.719 GMT: SSS MGR [uid:1416]: Framed ip/pbhk attributes gathering complete for ctx 7F7B6909E618
007205: Mar 15 17:29:34.719 GMT: SSS INFO: Element type is IETF-Disc-Cause = 1 (00000001)
007206: Mar 15 17:29:34.719 GMT: SSS INFO: Element type is Ascend-Disc-Cause = 9 (00000009)
007207: Mar 15 17:29:34.720 GMT: SSS MGR [uid:1416]: Handling Disconnecting, Network Service Feature Clean action
007208: Mar 15 17:29:34.720 GMT: SSS MGR [uid:1416]: Disconnect ack sent
007209: Mar 15 17:29:34.720 GMT: SSS MGR [uid:1416]: Sending a Session End ID Mgr request
007210: Mar 15 17:29:34.720 GMT: SSS MGR [uid:1416]: ID Mgr returned status: 'deleted' for Session End
007211: Mar 15 17:29:34.720 GMT: SSS MGR [uid:1416]: Publish session done aaa 267433, uid 1416
007212: Mar 15 17:29:34.721 GMT: IP Subscriber Module Debug: Condition 1, mac-address 0050.5686.fd5e cleared, count 0
007213: Mar 15 17:29:34.721 GMT: DHCP SIP Module Debug: Condition 1, mac-address 0050.5686.fd5e cleared, count 0
007214: Mar 15 17:29:38.068 GMT: IP Subscriber Module Debug: Condition 1, mac-address 0050.5686.fd5e triggered, count 1
007215: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: using named author method list "IPoE-AAA"
007216: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: using set aaa password "isg-radius-key"
007217: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Root SIP IP
007218: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Enable IP parsing
007219: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Enable DHCP parsing
007220: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Enable IP-Interface parsing
007221: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Event <make request>, state changed from idle to authorizing
007222: Mar 15 17:29:38.068 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Active key set to source-ip-address
007223: Mar 15 17:29:38.069 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Authorizing key 100.64.1.235
007224: Mar 15 17:29:38.069 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Set authorization profile type default - user
007225: Mar 15 17:29:38.069 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: AAA request sent for key 100.64.1.235
007226: Mar 15 17:29:38.074 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: TAL authorisation keys added
007227: Mar 15 17:29:38.074 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Received an AAA pass
007228: Mar 15 17:29:38.074 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: [7F7B80BA9EC8]:Reply message not exist
007229: Mar 15 17:29:38.074 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Parsed AAA interim interval = 1800
007230: Mar 15 17:29:38.074 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: SIP IP[7F7C9F69FC10] parsed as Success
007231: Mar 15 17:29:38.074 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: SIP IP[7F7C9F6FB420] parsed as Ignore
007232: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: SIP DHCP[7F7C9F6FB420] parsed as Ignore
007233: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Event <service not found>, state changed from authorizing to complete
007234: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: No service authorization info found
007235: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Active Handle present - 91000E57
007236: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Freeing Active Handle; SSS Policy Context Handle = F900032A
007237: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Event <free request>, state changed from complete to terminal
007238: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [uid:12932][AAA ID:267525]: Cancel request
007239: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: Root SIP IP
007240: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: Enable IP parsing
007241: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: Enable DHCP parsing
007242: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: Enable IP-Interface parsing
007243: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: Enable Web-service-logon parsing
007244: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: SIP IP[7F7C9F69FC10] parsed as Ignore
007245: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: SIP IP[7F7C9F6FB420] parsed as Ignore
007246: Mar 15 17:29:38.075 GMT: SSS AAA AUTHOR [0][AAA ID:0]: SIP DHCP[7F7C9F6FB420] parsed as Ignore
007247: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: Handling Local Service Connected action
007248: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: Apply: segment 2040749, owner 1728316690
007249: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: Interface config 7F7B64C24B18
007250: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: Service Profile config 7F7B67298ED8
007251: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: Per-user config B903026E
007252: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: FM Segment Alloc: segment 2040749, owner 1728316690, target cca type 0, target handle 0, cids(0,1)
007253: Mar 15 17:29:38.077 GMT: SSS MGR [uid:12932]: Handling Local Service Connected, Features Applied action
007254: Mar 15 17:29:38.078 GMT: IP Subscriber Module Debug: Condition 1, mac-address 0050.5686.fd5e cleared, count 0
007255: Mar 15 17:29:38.078 GMT: IP Subscriber Module Debug: Condition 1, mac-address 0050.5686.fd5e triggered, count 1
007256: Mar 15 17:29:38.078 GMT: SSS LTERM [uid:12932]: Switching session updated
007257: Mar 15 17:29:38.078 GMT: SSS MGR [uid:12932]: Handling Action Ignore for client-updated
007258: Mar 15 17:29:38.081 GMT: SSS MGR [uid:12932]: Handling Action Ignore for client-updated
simpl3x Posted March 15, 2022

#show platform packet-trace statistics
Packets Summary
  Matched  205
  Traced   0
Packets Received
  Ingress  205
  Inject   0
Packets Processed
  Forward  181
  Punt     24
    Count  Code  Cause
    16     11    For-us data
    8      60    IP subnet or broadcast packet
  Drop     0
  Consume  0

This is what shows up when switching from DHCP to static.
Spinaker Posted December 5, 2022

Did you manage to solve the problem?
Gray swordsman Posted December 6, 2022

It is easier to explain why static does not work. You are working with the identifier source-ip-address (L3), while the initiator is dhcp or an unclassified MAC (L2). For a static address the initiator has to be unclassified ip-address. Then RADIUS will receive an authorization request for this source-ip. Or else the policy has to be reworked to authorize aaa list IPoE-aaa password isg-password identifier mac-address. Something like that.
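
The mismatch described in the reply above (an L3 source-ip-address identifier paired with only L2 initiators) can be checked mechanically across a configuration. The following Python audit is an added example, not part of the thread: the function names and the abridged sample config are constructed for illustration, and the rule it encodes is the one stated in the reply, not a verified platform requirement.

```python
import re

# Constructed sample, abridged from the configuration quoted in the first post.
SAMPLE_CONFIG = """\
policy-map type control IPoE-SUBSCRIBER-CONTROL
 class type control always event session-start
  10 authorize aaa list IPoE-AAA password isg-radius-key identifier source-ip-address
!
interface Port-channel1.500
 service-policy type control IPoE-SUBSCRIBER-CONTROL
 ip subscriber l2-connected
  initiator unclassified mac-address
  initiator dhcp
"""

def sections(config):
    """Yield (header, [stripped body lines]) for each top-level config block."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):          # indented line belongs to the open block
            body.append(raw.strip())
            continue
        if header:
            yield header, body
        header, body = raw.strip(), []
    if header:
        yield header, body

def audit(config):
    """Return (interface, policy, initiators) for every interface whose control
    policy authorizes on source-ip-address without 'initiator unclassified ip-address'."""
    idents, ifaces = {}, {}
    for header, body in sections(config):
        kind, _, name = header.rpartition(" ")
        text = "\n".join(body)
        if kind == "policy-map type control":
            idents[name] = set(re.findall(r"\bauthorize\b.*\bidentifier (\S+)", text))
        elif kind == "interface":
            policy = re.search(r"^service-policy type control (\S+)", text, re.M)
            ifaces[name] = (policy and policy.group(1),
                            set(re.findall(r"^initiator (.+)$", text, re.M)))
    return [(name, policy, sorted(inits))
            for name, (policy, inits) in sorted(ifaces.items())
            if "source-ip-address" in idents.get(policy, set())
            and not any(i.startswith("unclassified ip-address") for i in inits)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("identifier/initiator mismatch:", finding)
```

Either remedy named in the reply clears the finding: adding the unclassified ip-address initiator on the interface, or switching the authorize action to identifier mac-address.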