Cisco ISG authorizes the user but does not bring up the session

Greetings!

Colleagues, has anyone run into this ISG behaviour? The session is initiated by a DHCP Discover, the session-start event fires, the user is successfully authorized via RADIUS, RADIUS returns the service name... and the session does not come up.

It only comes up later, after the first packet arrives from the user and triggers the session-restart event.

Can this behaviour be changed? Thanks.


We'd need a piece of the config, and a debug of the problem session would be very good.


We'd need a piece of the config, and a debug of the problem session would be very good.

Here you go:

aaa new-model
!
!
aaa group server radius ISG-RADIUS
server-private 178.214.192.2 auth-port 1812 acct-port 1813 key 7 08344E580F120315
ip radius source-interface Loopback0
!
subscriber authorization enable
!
aaa authentication login DHCP-BRAS group ISG-RADIUS
aaa authorization network DHCP-BRAS group ISG-RADIUS 
aaa authorization subscriber-service default local 
!
!
class-map type traffic match-any cmt-Any-Traffic
match access-group input name acl-Any
match access-group output name acl-Any
!
policy-map type service pms-1M
class type traffic cmt-Any-Traffic
 police input 1000000 187500 375000
 police output 1000000 187500 375000
!
policy-map type control DHCP-Subscriber
class type control always event session-start
 10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #
!
class type control always event session-restart
 10 authorize aaa list DHCP-BRAS identifier mac-address
!
!
interface GigabitEthernet0/2.33
encapsulation dot1Q 33
ip dhcp relay information trusted
ip address 178.214.200.1 255.255.255.0
ip helper-address 178.214.192.2
ip directed-broadcast
arp timeout 60
service-policy type control DHCP-Subscriber
ip subscriber l2-connected
 initiator dhcp class-aware

 

Let's look at the following debug:

bras1-gdr.ki#show debugging 
Subscriber Service Switch/Policy rules:
 Subscriber Service Switch policy rules errors debugging is on
 Subscriber Service Switch policy rules events debugging is on

 

The client sends a DHCP DISCOVER and the session-start event occurs on the ISG:

*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:    Matched "DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#cir"
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using author method AAA service
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Have key combo_keys
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using key combo_keys
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[1]: Start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: VRF Parsing routine:
 keepalive            "protocol ARP"
 service-type         5 [Outbound]
 ssg-account-info     "Apms-1M"

 

I.e. RADIUS answered with an Access-Accept carrying three attributes, including the service name. The debug continues:

 

*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Glob: service-rule any: None
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: Author finished
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: Give default directive
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[3]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[3]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Parsing routine:
 username             "pms-1M"
 clid-mac-addr        00 07 E9 0A 75 B2
 password             <hidden>
 traffic-class        "output access-group name acl-Any"
 traffic-class        "input access-group name acl-Any"
 ssg-service-info     "QU;1000000;187500;375000;D;1000000;187500;375000"
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent

 

That's it. No session.

When the client sends, for example, a single outgoing ICMP packet, the debug carries on, starting from the session-restart event:

*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-restart
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-restart
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE:    Matched "DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address"
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Start
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Using author method AAA service
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Have key combo_keys
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Using key combo_keys
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[1]: Start
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 keepalive            "protocol ARP"
 service-type         5 [Outbound]
 ssg-account-info     "Apms-1M"
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Glob: service-rule any: None
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: Continue
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: Author finished
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[1]: Continue
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: Continue
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: Give default directive
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[3]: Continue
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[3]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB34B8]: RULE: VRF Parsing routine:
 username             "pms-1M"
 clid-mac-addr        00 07 E9 0A 75 B2 
 password             <hidden>
 traffic-class        "output access-group name acl-Any"
 traffic-class        "input access-group name acl-Any"
 ssg-service-info     "QU;1000000;187500;375000;D;1000000;187500;375000"
*Feb  6 18:18:18.690: SSS PM [uid:989][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent
*Feb  6 18:18:18.698: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 clid-mac-addr        00 07 E9 0A 75 B2 
 addr                 178.214.200.2
 netmask              255.255.255.255
 config-source-dpm    True

 

After that the session comes up fine.

I've already racked my brain, but I can't understand how what happens in session-start differs from what happens in session-restart, and why the first one doesn't bring up the session...

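To compare the two branches of this debug side by side, here is an added example (not code from the thread): a small Python parser for the `SSS PM` lines of Cisco IOS `debug subscriber policy` output. It groups the lines by session uid, records which policy events fired and which attributes each "VRF Parsing routine" block delivered, and reports whether the authorization ever handed the session a host address. The sample input is a constructed, condensed excerpt of the lines quoted above; the regexes assume exactly that line format.

```python
import re

# Constructed sample: a condensed excerpt of the 'SSS PM' debug lines quoted in
# the thread (session-start for uid 983, session-restart for uid 989).
SAMPLE_DEBUG = """\
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using author method AAA service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: VRF Parsing routine:
 keepalive            "protocol ARP"
 service-type         5 [Outbound]
 ssg-account-info     "Apms-1M"
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-service-found
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Parsing routine:
 username             "pms-1M"
 ssg-service-info     "QU;1000000;187500;375000;D;1000000;187500;375000"
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-restart
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 keepalive            "protocol ARP"
 ssg-account-info     "Apms-1M"
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:18:18.698: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 clid-mac-addr        00 07 E9 0A 75 B2
 addr                 178.214.200.2
 netmask              255.255.255.255
 config-source-dpm    True
"""

# Timestamped line: optional [uid:N], then the object handle, then the message.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w+\s+\d+ [\d:.]+): SSS PM "
    r"(?:\[uid:(?P<uid>\d+)\])?\[(?P<hdl>[0-9A-F]+)\]: (?P<msg>.*)$"
)
EVENT_RE = re.compile(r"Looking for a rule for event (\S+)")
ATTR_RE = re.compile(r"^\s+(\S+)\s+(.*)$")  # indented "name   value" lines


def parse_sss_debug(text):
    """Group 'SSS PM' lines by uid: the policy events that fired and the
    attributes delivered by every 'VRF Parsing routine' block (merged per uid,
    so session-object and service-object attributes land in one dict)."""
    sessions = {}
    cur_uid = None
    in_attrs = False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            in_attrs = False
            cur_uid = m.group("uid")
            if cur_uid is None:  # service-object lines carry no uid; skip them
                continue
            entry = sessions.setdefault(cur_uid, {"events": [], "attrs": {}})
            msg = m.group("msg")
            ev = EVENT_RE.search(msg)
            if ev:
                entry["events"].append(ev.group(1))
            elif msg.endswith("VRF Parsing routine:"):
                in_attrs = True  # the following indented lines are attributes
        elif in_attrs and cur_uid is not None:
            a = ATTR_RE.match(line)
            if a:
                sessions[cur_uid]["attrs"][a.group(1)] = a.group(2).strip().strip('"')
    return sessions


def session_got_address(entry):
    """True when authorization delivered a host address to the session: the
    'addr'/'netmask' keys that appear only in the session-restart branch."""
    return "addr" in entry["attrs"] and "netmask" in entry["attrs"]


def summarize(text):
    """Per uid: the event that opened the flow and whether an address arrived."""
    return {
        uid: {
            "first_event": e["events"][0] if e["events"] else None,
            "got_address": session_got_address(e),
        }
        for uid, e in parse_sss_debug(text).items()
    }


if __name__ == "__main__":
    for uid, s in summarize(SAMPLE_DEBUG).items():
        print(f"uid {uid}: opened by {s['first_event']}, address delivered: {s['got_address']}")
```

Run against a full capture, the summary makes the difference the poster is chasing visible at a glance: both uids receive the same three service attributes, but only the flow opened by session-restart gets the final block with addr/netmask/config-source-dpm.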

Here is another debug of what happens when trying to bring up the session. But so far it doesn't clarify the situation much either:

bras1-gdr.ki#show debugging 
IP Subscriber:
 IP subscriber events debugging is on
 IP subscriber errors debugging is on
 IP subscriber fsm debugging is on

 

*Feb  6 18:42:17.038: IPSUB: Create session keys from SSS key list
*Feb  6 18:42:17.038: IPSUB: Mac_addr = 0007.e90a.75b2, Recvd Macaddr = 0007.e90a.75b2
*Feb  6 18:42:17.038: IPSUB: Session input interface(0x6BD31BC) = GigabitEthernet0/2.33
*Feb  6 18:42:17.038: IPSUB: Circuit_id = 000400210117
*Feb  6 18:42:17.038: IPSUB: Remote_id = 000600226b2a8d52
*Feb  6 18:42:17.038: IPSUB: Vendor_Class_id = MSFT 5.0
*Feb  6 18:42:17.042: IPSUB: Try to create a new session
*Feb  6 18:42:17.042: IPSUB: [uid:0] Request to create a new session
*Feb  6 18:42:17.042: IPSUB: [uid:0] Session start event for session
*Feb  6 18:42:17.042: IPSUB: [uid:0] Event session start, state changed from idle to requesting
*Feb  6 18:42:17.042: IPSUB: [uid:5] AAA unique ID allocated
*Feb  6 18:42:17.042: IPSUB: [uid:5] Added session 0007.e90a.75b2 to L2 session table
*Feb  6 18:42:17.042: IPSUB: [uid:5] Added session to session table with access session keys
*Feb  6 18:42:17.042: IPSUB: [uid:5] IP session(0x130005DF) on L2 interface to be associated to Gi0/2.33, mac 0007.e90a.75b2 
*Feb  6 18:42:17.042: IPSUB: [uid:5] Inserted IP session(0x130005DF) to sessions-per-interface db with interface Gi0/2.33
*Feb  6 18:42:17.058: IPSUB: [uid:5] IP session context 0x12C0BB98 available to authorize
*Feb  6 18:42:17.058: IPSUB-VRFSET: [uid:5] Entered allocate feature info
*Feb  6 18:42:17.058: IPSUB-VRFSET: [uid:5] Allocated sg vrfset info 0x1EA52E48
*Feb  6 18:42:17.058: IPSUB-VRFSET: [uid:5] Freeing the sg vrfset info 0x1EA52E48
*Feb  6 18:42:17.058: IPSUB: [uid:5] IP session context 0x12C0BB98 available to authorize
*Feb  6 18:42:17.058: IPSUB-VRFSET: [uid:5] Entered allocate feature info
*Feb  6 18:42:17.058: IPSUB-VRFSET: [uid:5] Allocated sg vrfset info 0x1EA52E48
*Feb  6 18:42:17.058: IPSUB-VRFSET: [uid:5] Freeing the sg vrfset info 0x1EA52E48
*Feb  6 18:42:17.058: IPSUB: [uid:5] Recieved Message = connect local
*Feb  6 18:42:17.058: IPSUB: [uid:5] Connect Local event for session
*Feb  6 18:42:17.058: IPSUB: [uid:5] Event connect local, state changed from requesting to waiting
*Feb  6 18:42:17.058: IPSUB: [uid:5] Inside processing IPSIP info
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Checking whether routes to be inserted/removed
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Context not present, creating context
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Entered the sg subrte context alloc
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Returning the sg subrte context 0x198428F0
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Trying to remove Subscriber routes
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Entered the plane feature context free
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Freeing the sg subrte context 0x198428F0
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Removed SG SUBRTE feature
*Feb  6 18:42:17.058: IPSUB-ROUTE: [uid:5] Reqd keys are not available, postponing route insert
*Feb  6 18:42:17.058: IPSUB: [uid:5] Keys not changed, seg needn't be updated
*Feb  6 18:42:17.058: IPSUB: [uid:5] Key list to be created to update SM
*Feb  6 18:42:17.058: IPSUB: [uid:5] Created key list to update SM
*Feb  6 18:42:17.074: Invalid interface number
*Feb  6 18:42:17.074: Invalid interface number
*Feb  6 18:42:17.074: IPSUB: [uid:5] Recieved Message = disconnect
*Feb  6 18:42:17.074: IPSUB: [uid:5] SSS Manager disconnect event for session
*Feb  6 18:42:17.074: IPSUB: [uid:5] Event sss mgr disc, state changed from waiting to disconnecting
*Feb  6 18:42:17.074: IPSUB-VRFSET: [uid:5] Removing SG VRFSET feature
*Feb  6 18:42:17.074: IPSUB-VRFSET: [uid:5] SG VRFSET context is not present
*Feb  6 18:42:17.074: IPSUB-ROUTE: [uid:5] Trying to remove Subscriber routes
*Feb  6 18:42:17.078: IPSUB-ROUTE: [uid:5] SG SUBRTE context is not present
*Feb  6 18:42:17.078: IPSUB: [uid:5] Removed session from session table with access session keys
*Feb  6 18:42:17.078: IPSUB: [uid:5] Removed session from session table with service session keys
*Feb  6 18:42:17.078: IPSUB: [uid:5] Deleted session(0x130005DF) from sessions per interface db with intf: Gi0/2.33
*Feb  6 18:42:17.078: IPSUB: No IP session with handle 0x130005DF, ignore client disconnect message

 

And that's it.

The following in the debug is puzzling:

*Feb 6 18:42:17.074: Invalid interface number

*Feb 6 18:42:17.074: Invalid interface number

Next, when the first packet arrives from the client, everything comes up normally via session-restart:

*Feb  6 18:44:53.642: IPSUB_DP: [uid:0] Insert new entry for mac 0007.e90a.75b2
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] Processing new in-band session request
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] Delete mac entry 0007.e90a.75b2
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] In-band session request event for session
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] Insert new entry for mac 0007.e90a.75b2
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] Added upstream entry into the classifier
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] MAC = 0007.e90a.75b2
*Feb  6 18:44:53.646: IPSUB: Try to create a new session
*Feb  6 18:44:53.646: IPSUB: IPSUB: Check IP DHCP session recovery: 178.214.200.2 Gi0/2.33 mac 0007.e90a.75b2
*Feb  6 18:44:53.646: IPSUB: Create session keys from SSS key list
*Feb  6 18:44:53.646: IPSUB: Mac_addr = 0007.e90a.75b2, Recvd Macaddr = 0007.e90a.75b2
*Feb  6 18:44:53.646: IPSUB: Session input interface(0x6BD31BC) = GigabitEthernet0/2.33
*Feb  6 18:44:53.646: IPSUB: Recovery DHCP session hdl = 452986336
*Feb  6 18:44:53.646: IPSUB: IPSUB: IP DHCP session recovery started
*Feb  6 18:44:53.646: IPSUB: [uid:0] Request to create a new session placeholder for session recovery
*Feb  6 18:44:53.646: IPSUB: [uid:0] Session restart event for session
*Feb  6 18:44:53.646: IPSUB: [uid:0] Event session restart, state changed from idle to recovery-req
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] Sent message to control plane for in-band session creation
*Feb  6 18:44:53.646: IPSUB_DP: [uid:0] Event inband-session, state changed from idle to intiated
*Feb  6 18:44:53.646: IPSUB: Try to create a new session
*Feb  6 18:44:53.646: IPSUB: Try to complete a DHCP initiated session recovery
*Feb  6 18:44:53.646: IPSUB: [uid:0] Request to convert a new session placeholder and start it
*Feb  6 18:44:53.646: IPSUB: [uid:0] Session start event for session
*Feb  6 18:44:53.646: IPSUB: [uid:0] Event session start, state changed from recovery-req to requesting
*Feb  6 18:44:53.646: IPSUB: [uid:7] AAA unique ID allocated
*Feb  6 18:44:53.646: IPSUB: [uid:7] Added session 0007.e90a.75b2 to L2 session table
*Feb  6 18:44:53.646: IPSUB: [uid:7] Added session to session table with access session keys
*Feb  6 18:44:53.646: IPSUB: [uid:7] IP session(0x1B0005E0) on L2 interface to be associated to Gi0/2.33, mac 0007.e90a.75b2 
*Feb  6 18:44:53.646: IPSUB: [uid:7] Inserted IP session(0x1B0005E0) to sessions-per-interface db with interface Gi0/2.33
*Feb  6 18:44:53.666: IPSUB: [uid:7] IP session context 0x12C0BB98 available to authorize
*Feb  6 18:44:53.666: IPSUB-VRFSET: [uid:7] Entered allocate feature info
*Feb  6 18:44:53.666: IPSUB-VRFSET: [uid:7] Allocated sg vrfset info 0x1EA52E48
*Feb  6 18:44:53.666: IPSUB-VRFSET: [uid:7] Freeing the sg vrfset info 0x1EA52E48
*Feb  6 18:44:53.670: IPSUB: [uid:7] IP session context 0x12C0BB98 available to authorize
*Feb  6 18:44:53.670: IPSUB-VRFSET: [uid:7] Entered allocate feature info
*Feb  6 18:44:53.670: IPSUB-VRFSET: [uid:7] Allocated sg vrfset info 0x1EA52E48
*Feb  6 18:44:53.670: IPSUB-VRFSET: [uid:7] Freeing the sg vrfset info 0x1EA52E48
*Feb  6 18:44:53.670: IPSUB: [uid:7] Recieved Message = connect local
*Feb  6 18:44:53.670: IPSUB: [uid:7] Connect Local event for session
*Feb  6 18:44:53.670: IPSUB: [uid:7] Event connect local, state changed from requesting to waiting
*Feb  6 18:44:53.670: IPSUB: [uid:7] Inside processing IPSIP info
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Checking whether routes to be inserted/removed
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Context not present, creating context
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Entered the sg subrte context alloc
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Returning the sg subrte context 0x198428F0
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Trying to remove Subscriber routes
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Entered the plane feature context free
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Freeing the sg subrte context 0x198428F0
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Removed SG SUBRTE feature
*Feb  6 18:44:53.670: IPSUB-ROUTE: [uid:7] Reqd keys are not available, postponing route insert
*Feb  6 18:44:53.670: IPSUB: [uid:7] Keys not changed, seg needn't be updated
*Feb  6 18:44:53.670: IPSUB: [uid:7] Key list to be created to update SM
*Feb  6 18:44:53.670: IPSUB: [uid:7] Created key list to update SM
*Feb  6 18:44:53.678: IPSUB: [uid:7] IP session context 0x12C0BB98 available to authorize
*Feb  6 18:44:53.678: IPSUB-VRFSET: [uid:7] Entered allocate feature info
*Feb  6 18:44:53.678: IPSUB-VRFSET: [uid:7] Allocated sg vrfset info 0x1EA52E48
*Feb  6 18:44:53.678: IPSUB-VRFSET: [uid:7] Freeing the sg vrfset info 0x1EA52E48
*Feb  6 18:44:53.678: IPSUB: [uid:7] IPSIP Parsing HostIP: 178.214.200.2 SubnetMask= 255.255.255.0
*Feb  6 18:44:53.678: IPSUB: [uid:7] Recieved Message = update SIP config
*Feb  6 18:44:53.678: IPSUB: [uid:7] Config Update event for session
*Feb  6 18:44:53.678: IPSUB: [uid:7] Event config update, state changed from waiting to waiting
*Feb  6 18:44:53.678: IPSUB: [uid:7] Inside processing IPSIP info
*Feb  6 18:44:53.678: IPSUB: [uid:7] Processing IPSIP info: 0x1832E3CC (APPLY)
*Feb  6 18:44:53.678: IPSUB: [uid:7] Got IP address- IP:-178.214.200.2
*Feb  6 18:44:53.678: IPSUB: [uid:7] Set IP address- IP:-178.214.200.2
*Feb  6 18:44:53.678: IPSUB-VRFSET: [uid:7] Applying SG VRFSET info
*Feb  6 18:44:53.678: IPSUB-VRFSET: [uid:7] DHCP Initiated session, no config, ignore
*Feb  6 18:44:53.678: IPSUB-ROUTE: [uid:7] Checking whether routes to be inserted/removed
*Feb  6 18:44:53.678: IPSUB-ROUTE: [uid:7] Context not present, creating context
*Feb  6 18:44:53.678: IPSUB-ROUTE: [uid:7] Entered the sg subrte context alloc
*Feb  6 18:44:53.678: IPSUB-ROUTE: [uid:7] Returning the sg subrte context 0x198428F0
*Feb  6 18:44:53.678: IPSUB-ROUTE: [uid:7] Installed ARP entry [DFL]: 178.214.200.2
*Feb  6 18:44:53.678: IPSUB-ROUTE: [uid:7] Both IP addresses and VRF are same, no need to add route
*Feb  6 18:44:53.678: IPSUB: [uid:7] Found that seg to be updated with new session keys
*Feb  6 18:44:53.678: IPSUB: [uid:7] Key list to be created to update SM
*Feb  6 18:44:53.678: IPSUB: [uid:7]   Update IP-Address-VRF key: 178.214.200.2:0
*Feb  6 18:44:53.678: IPSUB: [uid:7] Created key list to update SM
*Feb  6 18:44:53.678: IPSUB: [uid:7] Found address change to be notified
*Feb  6 18:44:53.678: IPSUB: [uid:7] Session Keys Available event for session
*Feb  6 18:44:53.678: IPSUB: [uid:7] Event session keys available, state changed from waiting to provisioning
*Feb  6 18:44:53.678: IPSUB: [uid:7] Added session 178.214.200.2 to L3 session table
*Feb  6 18:44:53.678: IPSUB: [uid:7] Added session to session table with service session keys
*Feb  6 18:44:53.686: IPSUB_DP: [uid:0] Setup event for session (session hdl 3170894932)
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] Added downstream entry into the classifier
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] VRF = DFL, IP = 178.214.200.2, MASK = 255.255.255.0
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] Session setup successful
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] Event setup-session, state changed from intiated to established
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] Sent update msg to the control plane
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] Activate event for session
*Feb  6 18:44:53.686: IPSUB_DP: [uid:7] Event activate-session, state changed from established to connected
*Feb  6 18:44:53.686: IPSUB: [uid:7] Data plane prov successful event for session
*Feb  6 18:44:53.686: IPSUB: [uid:7] Event dataplane prov successful, state changed from provisioning to connected
*Feb  6 18:44:53.686: IPSUB: [uid:7] Notifying about address change: 178.214.200.2
*Feb  6 18:45:00.514: IPSUB_DP: [uid:0] Found mac entry 0007.e90a.75b2

Edited by Minotaur


It looks as if on this request:

10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #

RADIUS does not return the IP/MASK pair, whereas on this one:

10 authorize aaa list DHCP-BRAS identifier mac-address

it does.

The requests to the RADIUS need to be looked at and checked.


It looks as if on this request:

10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #

RADIUS does not return the IP/MASK pair, whereas on this one:

10 authorize aaa list DHCP-BRAS identifier mac-address

it does.

The requests to the RADIUS need to be looked at and checked.

Stop. IP/MASK is issued via DHCP in the first place. This request is only needed to tell the ISG whether to allow the DHCP DISCOVER from this client or not.


IP/MASK is issued via DHCP in the first place.

Then a pool has to be defined. Usually, though, IP/MASK is issued via RADIUS from the billing system.


It looks as if on this request:

10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #

RADIUS does not return the IP/MASK pair, whereas on this one:

10 authorize aaa list DHCP-BRAS identifier mac-address

it does.

The requests to the RADIUS need to be looked at and checked.

Stop. IP/MASK is issued via DHCP in the first place. This request is only needed to tell the ISG whether to allow the DHCP DISCOVER from this client or not.

Let me pile in too: if the client has a managed switch and it accepts DHCP on the VLAN, or whatever else, your smart box sees way too much, and at the same time a hell of a lot is blocked, for who knows what purpose; in the end you get either a headache or a glitchy switch. I fought with it on my own for a whole year ;)


This request is only needed to tell the ISG whether to allow the DHCP DISCOVER from this client or not.

So DHCP isn't on this box?


This request is only needed to tell the ISG whether to allow the DHCP DISCOVER from this client or not.

So DHCP isn't on this box?

The Cisco ISG works as a DHCP relay. All clients are visible at Layer 2, connected to switches that add Option 82.

DHCP and authorization work fine. The session just doesn't come up.

And I couldn't follow the previous speaker's train of thought.


The Cisco ISG works as a DHCP relay.

I don't see even an attempt at relaying in the first debug, while in the second everything is there.

You could try putting:

10 authorize aaa list DHCP-BRAS identifier mac-address

in session-start and gradually add options until the problems begin.


The Cisco ISG works as a DHCP relay.

I don't see even an attempt at relaying in the first debug, while in the second everything is there.

You could try putting:

10 authorize aaa list DHCP-BRAS identifier mac-address

in session-start and gradually add options until the problems begin.

I stubbornly fail to understand what the DHCP relay and the identifier have to do with it. The client receives an IP address normally. And it can only receive an IP address if authorization at the session-start stage succeeded. Authentication was successful, RADIUS handed the session settings to the ISG, and the client in turn got an address. After that the session simply doesn't come up.

But if you have vague doubts, here is a piece from the RADIUS confirming normal authorization:

rad_recv: Access-Request packet from host 178.214.192.68 port 1645, id=202, length=128
       User-Name = "000600226b2a8d52#000400210117#0007.e90a.75b2"
       User-Password = "cisco"
       NAS-Port-Type = Virtual
       NAS-Port = 0
       NAS-Port-Id = "0/0/2/33"
       Service-Type = Outbound-User
       NAS-IP-Address = 178.214.192.68
       Acct-Session-Id = "00001283"
server ISG_Authorization {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/ISG.conf
+- entering group authorize {...}
++[preprocess] returns ok
++[control] returns ok
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair Acct-Session-Id = 00001283
rlm_perl: Added pair Service-Type = Outbound-User
rlm_perl: Added pair User-Name = 000600226b2a8d52#000400210117#0007.e90a.75b2
rlm_perl: Added pair User-Password = cisco
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 178.214.192.68
rlm_perl: Added pair NAS-Port-Id = 0/0/2/33
rlm_perl: Added pair Cisco-AVPair = subscriber:keepalive=protocol ARP
rlm_perl: Added pair Service-Type = Outbound-User
rlm_perl: Added pair Cisco-Account-Info = Apms-1M
rlm_perl: Added pair Auth-Type = Accept
++[iSG_Auth] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [000600226b2a8d52#000400210117#0007.e90a.75b2] (from client bras1-gdr port 0)
 WARNING: Empty post-auth section.  Using default return values.
} # server ISG_Authorization
Sending Access-Accept of id 202 to 178.214.192.68 port 1645
       Cisco-AVPair = "subscriber:keepalive=protocol ARP"
       Service-Type = Outbound-User
       Cisco-Account-Info = "Apms-1M"
Finished request 44.
Going to the next request
Waking up in 4.9 seconds.
Received DHCP-Discover of id 220c03fd from 178.214.200.1:67 to 178.214.192.2:67
       DHCP-Opcode = Client-Message

... and then DHCP proceeded.

At session-restart the same thing happens:

rad_recv: Access-Request packet from host 178.214.192.68 port 1645, id=203, length=98
       User-Name = "0007.e90a.75b2"
       User-Password = "cisco"
       NAS-Port-Type = Virtual
       NAS-Port = 0
       NAS-Port-Id = "0/0/2/33"
       Service-Type = Outbound-User
       NAS-IP-Address = 178.214.192.68
       Acct-Session-Id = "00001286"
server ISG_Authorization {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/ISG.conf
+- entering group authorize {...}
++[preprocess] returns ok
++[control] returns ok
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair Acct-Session-Id = 00001286
rlm_perl: Added pair Service-Type = Outbound-User
rlm_perl: Added pair User-Name = 0007.e90a.75b2
rlm_perl: Added pair User-Password = cisco
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 178.214.192.68
rlm_perl: Added pair NAS-Port-Id = 0/0/2/33
rlm_perl: Added pair Cisco-AVPair = subscriber:keepalive=protocol ARP
rlm_perl: Added pair Service-Type = Outbound-User
rlm_perl: Added pair Cisco-Account-Info = Apms-1M
rlm_perl: Added pair Auth-Type = Accept
++[iSG_Auth] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [0007.e90a.75b2] (from client bras1-gdr port 0)
 WARNING: Empty post-auth section.  Using default return values.
} # server ISG_Authorization
Sending Access-Accept of id 203 to 178.214.192.68 port 1645
       Cisco-AVPair = "subscriber:keepalive=protocol ARP"
       Service-Type = Outbound-User
       Cisco-Account-Info = "Apms-1M"
Finished request 47.
Going to the next request
Waking up in 4.9 seconds.

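To check the claim this post makes (that both authorizations get the same Access-Accept and neither carries an address), here is an added example, not code from the thread or from any project it mentions: a small Python parser for FreeRADIUS debug output that pairs each Access-Request with its reply and reports whether Framed-IP-Address/Framed-IP-Netmask came back. The sample input is a constructed, condensed copy of the two exchanges quoted above; the line formats it assumes are exactly those shown in this post, and the `combo`/`mac` labels for the two ISG identifier styles are this example's own naming.

```python
import re

# Constructed sample: the two FreeRADIUS exchanges quoted in the post, with the
# password and per-port attributes trimmed away.
SAMPLE_RADIUS = """\
rad_recv: Access-Request packet from host 178.214.192.68 port 1645, id=202, length=128
       User-Name = "000600226b2a8d52#000400210117#0007.e90a.75b2"
       NAS-Port-Type = Virtual
       Service-Type = Outbound-User
       NAS-IP-Address = 178.214.192.68
Login OK: [000600226b2a8d52#000400210117#0007.e90a.75b2] (from client bras1-gdr port 0)
Sending Access-Accept of id 202 to 178.214.192.68 port 1645
       Cisco-AVPair = "subscriber:keepalive=protocol ARP"
       Service-Type = Outbound-User
       Cisco-Account-Info = "Apms-1M"
Finished request 44.
rad_recv: Access-Request packet from host 178.214.192.68 port 1645, id=203, length=98
       User-Name = "0007.e90a.75b2"
       Service-Type = Outbound-User
       NAS-IP-Address = 178.214.192.68
Login OK: [0007.e90a.75b2] (from client bras1-gdr port 0)
Sending Access-Accept of id 203 to 178.214.192.68 port 1645
       Cisco-AVPair = "subscriber:keepalive=protocol ARP"
       Service-Type = Outbound-User
       Cisco-Account-Info = "Apms-1M"
Finished request 47.
"""

REQ_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
REPLY_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")  # indented "Attr = value" lines


def _new_exchange():
    return {"request_code": None, "nas": None, "request": {}, "reply_code": None, "reply": {}}


def parse_radius_debug(text):
    """Pair every Access-Request with the reply sent for the same packet id."""
    exchanges = {}
    target = None  # the attribute dict the next indented lines belong to
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            code, host, pid = m.groups()
            ex = exchanges.setdefault(pid, _new_exchange())
            ex["request_code"], ex["nas"] = code, host
            target = ex["request"]
            continue
        m = REPLY_RE.match(line)
        if m:
            code, pid, _ = m.groups()
            ex = exchanges.setdefault(pid, _new_exchange())
            ex["reply_code"] = code
            target = ex["reply"]
            continue
        m = ATTR_RE.match(line)
        if m and target is not None:
            target[m.group(1)] = m.group(2).strip().strip('"')
            continue
        target = None  # any other line ends the current attribute list
    return exchanges


def reply_has_framed_address(ex):
    """True only if RADIUS itself assigned the address (Framed-IP-Address plus
    Framed-IP-Netmask); absent here, which matches 'IP/MASK comes from DHCP'."""
    return "Framed-IP-Address" in ex["reply"] and "Framed-IP-Netmask" in ex["reply"]


def identifier_scheme(user_name):
    """'combo' for remote-id#circuit-id#mac (session-start), 'mac' for a bare
    MAC (session-restart); the labels are this example's own."""
    return "combo" if "#" in user_name else "mac"


def compare_authorizations(exchanges):
    """Per packet id: identifier style, reply code, address flag, reply attrs."""
    return {
        pid: {
            "scheme": identifier_scheme(ex["request"].get("User-Name", "")),
            "reply": ex["reply_code"],
            "framed_ip": reply_has_framed_address(ex),
            "reply_attrs": sorted(ex["reply"].items()),
        }
        for pid, ex in exchanges.items()
    }


if __name__ == "__main__":
    for pid, s in compare_authorizations(parse_radius_debug(SAMPLE_RADIUS)).items():
        print(f"id {pid}: {s['scheme']:5s} -> {s['reply']}, Framed-IP returned: {s['framed_ip']}")
        for name, value in s["reply_attrs"]:
            print(f"    {name} = {value}")
```

With the real `-X` log as input, an identical `reply_attrs` list for the combo and the mac request, and `framed_ip` False for both, is the evidence that the RADIUS side behaves the same in both events and that the difference has to be on the ISG.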

Then maybe this.

Instead of:

ip dhcp relay information trusted

try:

ip dhcp relay information trust-all


Then maybe this.

Instead of:

ip dhcp relay information trusted

try:

ip dhcp relay information trust-all

The command you wrote is already in my global config; it does the same thing as ip dhcp relay information trusted in the interface configuration, and it has no effect on the sessions.


I've sorted out this problem.

It looks very much like a bug. The situation described occurs when a DHCP pool is already defined on the ISG, even if it takes no part whatsoever in handing out addresses to subscribers.

There is a workaround, suggested by a colleague: do the DHCP relay not via ip helper-address but via a relay pool, for example like this:

 

ip dhcp pool pool-Test
  update arp
  relay source 178.214.200.0 255.255.255.0
  relay destination 178.214.192.2
!
interface GigabitEthernet0/2.33
encapsulation dot1Q 33
ip dhcp relay information trusted
ip dhcp relay information policy-action keep
ip address 178.214.200.1 255.255.255.0
arp timeout 60
service-policy type control DHCP-Subscriber
ip subscriber l2-connected
 initiator dhcp class-aware

 

This works, but with such a configuration there are difficulties with unnumbered on Gi0/2.33. That problem is described in a separate thread here.
