megahertz0 Posted August 23, 2012

There is a BRAS on a Cisco 7206. It is hooked up to the billing system to implement ISG features. Config:

Building configuration...

Current configuration : 7883 bytes
!
! Last configuration change at 12:30:56 MSK Tue Aug 21 2012 by megahertz
! NVRAM config last updated at 11:15:13 MSK Mon Aug 20 2012 by megahertz
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname bras1
!
boot-start-marker
boot system flash disk2:c7200-adventerprisek9-mz.122-33.SRE5.bin
boot-end-marker
!
!
aaa new-model
!
!
aaa group server tacacs+ tac-int
 server 10.201.0.4
!
aaa group server radius ISG-RADIUS
 server 10.254.241.1 auth-port 1812 acct-port 1813
!
aaa authentication login admin group tac-int local
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization console
aaa authorization exec admin group tac-int local
aaa authorization commands 15 admin group tac-int local
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting delay-start
aaa accounting update newinfo periodic 1
aaa accounting network ISG-AUTH-1
 action-type start-stop
 group ISG-RADIUS
!
aaa accounting network ISG-RADIUS
 action-type start-stop
 group ISG-RADIUS
!
!
!
!
!
aaa server radius dynamic-author
 client 10.254.241.1 server-key 7 08701E1D
 auth-type any
!
aaa session-id common
clock timezone MSK 4
no ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable DF 1000
ip cef
!
!
!
!
ip domain name tvintel.local
ip name-server xx.xx.xx.xx
no ipv6 cef
!
!
service-policy type control ISG-CUSTOMERS-POLICY
redirect server-group REDIRECT_NOPAY
 server ip 10.20.1.1 port 80
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
 path ftp://cisco:xxxxxx@10.201.0.3/config-backups/msk20-bras1
 write-memory
username varg privilege 15 secret 5 xxxxxxxx
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
ip ssh version 2
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
class-map type traffic match-any CLASS-TRUSTED
 match access-group output 198
 match access-group input 198
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service LOCAL_L4R
 1 class type traffic CLASS-TO-REDIRECT
  redirect to group REDIRECT_NOPAY
 !
 class type traffic default input
  drop
 !
!
policy-map type service SERVICE-TRUSTED
 1 class type traffic CLASS-TRUSTED
  police input 64000 8000 16000
  police output 64000 8000 16000
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE-TRUSTED
  40 service-policy type service name LOCAL_L4R
 !
 class type control always event access-reject
  1 service-policy type service name SERVICE-TRUSTED
  2 service-policy type service name LOCAL_L4R
 !
 class type control always event radius-timeout
  1 service-policy type service name SERVICE-TRUSTED
  2 service-policy type service name LOCAL_L4R
 !
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/2
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/2.10
 encapsulation dot1Q 10
 ip address 10.254.241.12 255.255.248.0
!
interface GigabitEthernet0/2.11
 encapsulation dot1Q 11
 ip address 10.252.0.2 255.255.240.0
!
interface GigabitEthernet0/2.17
 description Redirect_iface
 encapsulation dot1Q 17
 ip address 10.20.1.62 255.255.255.192
!
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip address 10.200.0.6 255.255.0.0
!
interface GigabitEthernet0/3
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3.8
 encapsulation dot1Q 8
 ip address 10.20.0.2 255.255.255.0
 ip access-group Ipoe-Subnets in
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
!
router eigrp 43544
 default-metric 1000 100 250 100 200
 network 10.20.0.0 0.0.0.255
 redistribute connected
 neighbor 10.20.0.1 GigabitEthernet0/3.8
 passive-interface default
 no passive-interface GigabitEthernet0/3.8
 eigrp router-id 10.20.0.2
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.252.0.1
ip route 10.0.100.0 255.255.255.0 10.200.0.1
ip route 10.21.0.0 255.255.0.0 10.20.0.1
ip route 10.201.0.0 255.255.255.0 10.200.0.1
!
ip access-list extended Subnets-isg
 permit ip 10.21.0.0 0.0.255.255 any
 deny   ip any any
ip access-list extended Tvintel-Subnets
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip xx.xx.xx.0 0.0.3.255 any
 deny   ip any any
ip access-list extended nb-drop
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq netbios-ss
 permit tcp any any
 permit udp any any
 permit ip any any
!
logging 10.201.0.5
access-list 11 permit 10.201.0.2
access-list 11 permit 10.200.0.0 0.0.255.255
access-list 11 permit 10.0.100.0 0.0.0.255
access-list 11 deny   any log
access-list 102 permit tcp any any
access-list 195 permit ip host 10.21.0.33 host 10.20.1.9
access-list 195 permit ip host 10.20.1.9 host 10.21.0.33
access-list 196 deny   ip host xx.xx.xx.200 any
access-list 196 deny   ip any host xx.xx.xx.200
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny   ip any any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit tcp any host xx.xx.xx.200 eq www
access-list 198 permit tcp any host xx.xx.xx.200 eq 443
access-list 198 permit icmp any any
access-list 198 deny   ip any any
!
snmp-server community nexus RO 11
snmp-server community puGAMtZCiw RW 11
snmp-server system-shutdown
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server host 10.201.0.2 nexus
!
tacacs-server host 10.201.0.4 key 7 xxxxxxxxxx
tacacs-server directed-request
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 10.254.241.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxx
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
line con 0
 session-timeout 15
 exec-timeout 0 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class 11 in
 exec-timeout 0 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input telnet ssh
line vty 5 15
 session-timeout 15
 access-class 11 in
 exec-timeout 5 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input telnet ssh
!
ntp clock-period 17179779
ntp server 10.200.0.1
end

Subscribers are terminated on L3 switches; from there the traffic is steered into the core and from the core to the BRAS. From the BRAS the policed traffic goes to a Linux box doing NAT. GigabitEthernet0/3.8 faces the core, GigabitEthernet0/2.11 faces the NAT. Everything works fine: traffic flows and is policed normally. But there is one unpleasant thing: there is no accounting of inbound (toward the subscriber) traffic, even though the subscriber does receive traffic. Outbound traffic is accounted correctly. The subscriber's service looks like this:

002047: Aug 23 22:33:55.179: RADIUS: Received from id 1646/235 10.254.241.1:1813, Accounting-response, len 20
002048: Aug 23 22:33:55.179: RADIUS: authenticator FF EF 35 67 E2 08 56 FE - D4 D2 00 CE DE 67 81 D9
002049: Aug 23 22:33:56.235: RADIUS/ENCODE(0000038B):Orig. component type = Iedge IP SIP
002050: Aug 23 22:33:56.235: RADIUS(0000038B): Config NAS IP: 0.0.0.0
002051: Aug 23 22:33:56.235: RADIUS(0000038B): Config NAS IP: 0.0.0.0
002052: Aug 23 22:33:56.235: RADIUS(0000038B): sending
002053: Aug 23 22:33:56.235: RADIUS/ENCODE: Best Local IP-Address 10.254.241.12 for Radius-Server 10.254.241.1
002054: Aug 23 22:33:56.235: RADIUS(0000038B): Send Accounting-Request to 10.254.241.1:1813 id 1646/236, len 270
002055: Aug 23 22:33:56.235: RADIUS: authenticator 4B CC 8D 1E 96 D7 7E B9 - 4C 99 D6 07 23 7D 71 3D
002056: Aug 23 22:33:56.235: RADIUS: Acct-Session-Id [44] 18 "0AFEF10C00000673"
002057: Aug 23 22:33:56.235: RADIUS: Framed-IP-Address [8] 6 10.21.0.195
002058: Aug 23 22:33:56.235: RADIUS: Framed-Protocol [7] 6 PPP [1]
002059: Aug 23 22:33:56.235: RADIUS: User-Name [1] 13 "10.21.0.195"
002060: Aug 23 22:33:56.235: RADIUS: Vendor, Cisco [26] 32
002061: Aug 23 22:33:56.235: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
002062: Aug 23 22:33:56.235: RADIUS: Vendor, Cisco [26] 20
002063: Aug 23 22:33:56.235: RADIUS: ssg-control-info [253] 14 "I0;347130822"
002064: Aug 23 22:33:56.235: RADIUS: Vendor, Cisco [26] 12
002065: Aug 23 22:33:56.235: RADIUS: ssg-control-info [253] 6 "O0;0"
002066: Aug 23 22:33:56.235: RADIUS: Acct-Session-Time [46] 6 1263
002067: Aug 23 22:33:56.235: RADIUS: Acct-Input-Octets [42] 6 347129356
002068: Aug 23 22:33:56.235: RADIUS: Acct-Output-Octets [43] 6 0
002069: Aug 23 22:33:56.235: RADIUS: Acct-Input-Packets [47] 6 239747
002070: Aug 23 22:33:56.235: RADIUS: Acct-Output-Packets [48] 6 0
002071: Aug 23 22:33:56.235: RADIUS: Acct-Authentic [45] 6 Local [2]
002072: Aug 23 22:33:56.235: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
002073: Aug 23 22:33:56.235: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
002074: Aug 23 22:33:56.235: RADIUS: Vendor, Cisco [26] 15
002075: Aug 23 22:33:56.235: RADIUS: cisco-nas-port [2] 9 "0/0/3/8"
002076: Aug 23 22:33:56.235: RADIUS: NAS-Port [5] 6 0
002077: Aug 23 22:33:56.235: RADIUS: NAS-Port-Id [87] 9 "0/0/3/8"
002078: Aug 23 22:33:56.235: RADIUS: Class [25] 10
002079: Aug 23 22:33:56.235: RADIUS: 30 30 30 31 31 37 32 33 [ 00011723]
002080: Aug 23 22:33:56.235: RADIUS: Service-Type [6] 6 Framed [2]
002081: Aug 23 22:33:56.235: RADIUS: NAS-IP-Address [4] 6 10.254.241.12
002082: Aug 23 22:33:56.235: RADIUS: Ascend-Session-Svr-K[151] 10
002083: Aug 23 22:33:56.235: RADIUS: 41 43 41 33 37 37 46 33 [ ACA377F3]
002084: Aug 23 22:33:56.235: RADIUS: Event-Timestamp [55] 6 1345746836
002085: Aug 23 22:33:56.235: RADIUS: Nas-Identifier [32] 21 "bras1.tvintel.local"
002086: Aug 23 22:33:56.235: RADIUS: Acct-Delay-Time [41] 6 0

Accordingly, the session looks like this:

bras1#sh sss session uid 1053 det
Unique Session ID: 1053
Identifier: 10.21.1.211
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:50:26, Last Changed: 00:50:26
Policy information:
  Context 2083A230: Handle 2600043C
  AAA_id 0000037F: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout 3600 (0xE10)
    service-type 5 [Outbound]
    ssg-account-info "QU;2048000;256000;768000;D;2048000;256000;768000"
    accounting-list "ISG-RADIUS"
  Downloaded User profile, including services:
    timeout 3600 (0xE10)
    service-type 5 [Outbound]
    ssg-account-info "QU;2048000;256000;768000;D;2048000;256000;768000"
    accounting-list "ISG-RADIUS"
  Config history for session (recent to oldest):
    Access-type: IP Client: SM
    Policy event: Service Selection Request
      Profile name: 10.21.1.211, 2 references
        timeout 3600 (0xE10)
        service-type 5 [Outbound]
        ssg-account-info "QU;2048000;256000;768000;D;2048000;256000;768000"
        accounting-list "ISG-RADIUS"
  Rules, actions and conditions executed:
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition always event session-start
        10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
Session inbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 39619, Bytes = 4100486
 Feature: Policing
   Upstream Params:
     Average rate = 2048000, Normal burst = 256000, Excess burst = 768000
     Config level = Per-user
Session outbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 0, Bytes = 0
 Feature: Policing
   Dnstream Params:
     Average rate = 2048000, Normal burst = 256000, Excess burst = 768000
     Config level = Per-user
Non-datapath features:
 Feature: Session Timeout
   Timeout value is 3600 seconds
   Time remaining is 00:09:33
Configuration sources associated with this session:
Interface: GigabitEthernet0/3.8, Active Time = 00:50:26

As you can see, accounting is attached to the session, but the counters there are zero. Any hints on where to dig?
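The symptom in the post is visible in the accounting record itself: Acct-Input-Octets carries hundreds of megabytes while Acct-Output-Octets is a hard zero, so one direction of subscriber traffic is flowing without being billed or audited. The following script is an added example, not the poster's code or anything from the billing system; it parses IOS `debug radius` output of the shape quoted above and flags Accounting-Requests whose byte counters are lopsided. The sample debug text inside it is constructed to mimic the post's format (one record reproducing the symptom, one healthy control record) and the `min_octets` threshold is an assumed tuning knob, not an IOS setting.

```python
"""Flag RADIUS accounting records that count only one traffic direction.

Added example (not from the forum post). Parses IOS 'debug radius' lines of
the shape shown in the thread and reports Accounting-Requests where bytes are
counted in one direction and zero in the other.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the post's debug format (not its own lines).
# Request 1646/236 reproduces the symptom; 1646/237 is a healthy control.
SAMPLE_DEBUG = """\
002054: Aug 23 22:33:56.235: RADIUS(0000038B): Send Accounting-Request to 10.254.241.1:1813 id 1646/236, len 270
002056: Aug 23 22:33:56.235: RADIUS: Acct-Session-Id [44] 18 "0AFEF10C00000673"
002057: Aug 23 22:33:56.235: RADIUS: Framed-IP-Address [8] 6 10.21.0.195
002067: Aug 23 22:33:56.235: RADIUS: Acct-Input-Octets [42] 6 347129356
002068: Aug 23 22:33:56.235: RADIUS: Acct-Output-Octets [43] 6 0
002072: Aug 23 22:33:56.235: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
002090: Aug 23 22:34:10.001: RADIUS(0000038C): Send Accounting-Request to 10.254.241.1:1813 id 1646/237, len 270
002091: Aug 23 22:34:10.001: RADIUS: Acct-Session-Id [44] 18 "0AFEF10C00000674"
002092: Aug 23 22:34:10.001: RADIUS: Framed-IP-Address [8] 6 10.21.0.196
002094: Aug 23 22:34:10.001: RADIUS: Acct-Input-Octets [42] 6 1200000
002095: Aug 23 22:34:10.001: RADIUS: Acct-Output-Octets [43] 6 9800000
002098: Aug 23 22:34:10.001: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
"""

# Start of one outgoing accounting packet in 'debug radius' output.
REQ_RE = re.compile(
    r"RADIUS\((?P<aaa_id>[0-9A-F]+)\): Send Accounting-Request to "
    r"(?P<server>\S+) id (?P<rid>\S+), len (?P<length>\d+)"
)
# One decoded attribute: name, [type], length, value ("Vendor, Cisco" included).
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[\w-]+(?:, \w+)?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$"
)


@dataclass
class AcctRequest:
    aaa_id: str
    server: str
    radius_id: str
    attrs: dict = field(default_factory=dict)


def _coerce(raw: str):
    """Turn a decoded attribute value into an int or an unquoted string."""
    raw = raw.strip()
    return int(raw) if raw.isdigit() else raw.strip('"')


def parse_accounting_requests(debug_text: str) -> list:
    """Group attribute lines under the Accounting-Request that precedes them."""
    requests, current = [], None
    for line in debug_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = AcctRequest(m["aaa_id"], m["server"], m["rid"])
            requests.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current.attrs[m["name"]] = _coerce(m["value"])
    return requests


def find_one_sided_accounting(requests, min_octets: int = 1_000_000) -> list:
    """Report records with real volume in one direction and zero in the other.

    RFC 2866 semantics: Acct-Input-Octets is traffic received from the
    subscriber (upstream), Acct-Output-Octets is traffic sent to the
    subscriber (downstream). min_octets (assumed threshold) keeps idle
    sessions out of the report.
    """
    findings = []
    for req in requests:
        up = req.attrs.get("Acct-Input-Octets", 0)
        down = req.attrs.get("Acct-Output-Octets", 0)
        if up >= min_octets and down == 0:
            missing = "downstream"
        elif down >= min_octets and up == 0:
            missing = "upstream"
        else:
            continue
        findings.append({
            "session_id": req.attrs.get("Acct-Session-Id"),
            "framed_ip": req.attrs.get("Framed-IP-Address"),
            "radius_id": req.radius_id,
            "input_octets": up,
            "output_octets": down,
            "missing": missing,
        })
    return findings


if __name__ == "__main__":
    for f in find_one_sided_accounting(parse_accounting_requests(SAMPLE_DEBUG)):
        print(f"{f['framed_ip']} session {f['session_id']}: {f['missing']} "
              f"traffic unaccounted (in={f['input_octets']}, out={f['output_octets']})")
```

Run against the sample it reports only 10.21.0.195 (downstream unaccounted), which is exactly the post's case; the same parser can be pointed at a captured debug file or at records exported from the RADIUS server, so the check can run periodically rather than only when someone notices the counters by eye.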
megahertz0 (Author) Posted August 24, 2012

And the most interesting part is that inbound traffic is not policed either....