master_kka Опубликовано 26 декабря, 2013 · Жалоба Возникли трудности с ISG на Cisco. Проблема в следующем, на prepaid-тарифах есть постоянный перерасход трафика. Может работал кто-нибудь плотно с данной тематикой? Конфиг на ISG вообщем-то стандартный. Платформа: System image file is "disk0:/c7200p-advipservicesk9-mz.122-33.SRE9.bin" Cisco 7201 (c7201) processor (revision B) with 917504K/65536K bytes of memory. На описанный BUG CSCei41904 не похоже. Во первых софт не тот, в которых обнаружен данный bug, во вторых - убирал полисинг, безрезультатно. Хотя проблему с софтом не исключаю - поэтому, если кто-нибудь поднимал ISG на 7201 с положительным результатом, прошу сообщить версию IOS. Спасибо. Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...
master_kka Опубликовано 26 декабря, 2013 · Жалоба Добавлю кусок конфига, касаемо ISG. Никаких изысков нет, сервисы падают с radius-сервера. aaa group server radius ISG-RADIUS server "IP RADIUS-сервера" auth-port 1645 acct-port 1646 ip radius source-interface "GigabitEthernetX.X" aaa authentication login ISG-AUTH-1 group ISG-RADIUS aaa authorization network ISG-AUTH-1 group ISG-RADIUS aaa authorization subscriber-service default local group ISG-RADIUS aaa accounting delay-start all aaa accounting jitter maximum 0 aaa accounting update periodic 15 aaa accounting network ISG-AUTH-1 action-type start-stop group ISG-RADIUS aaa server radius dynamic-author client "IP RADIUS-сервера" server-key cisco subscriber feature prepaid default threshold time 60 seconds threshold volume 1 Mbytes interim-interval 1 minutes method-list author ISG-AUTH-1 method-list accounting ISG-AUTH-1 password cisco subscriber service password cisco subscriber authorization enable service-policy type control ISG-CUSTOMERS-POLICY redirect server-group REDIRECT-CAB server ip "IP личного кабинета" port 80 class-map type traffic match-any CLASS-PASSTHROUGH match access-group input name ACL-PASSTHROUGH match access-group output name ACL-PASSTHROUGH class-map type traffic match-any CLASS-REDIRECT match access-group output name ACL-REDIRECT match access-group input name ACL-REDIRECT class-map type traffic match-any CLASS-TRUSTED match access-group output name ACL-TRUSTED match access-group input name ACL-TRUSTED class-map type control match-all ISG-IP-UNAUTH match authen-status unauthenticated match timer UNAUTH-TIMER policy-map type service LOCAL_L4R 10 class type traffic CLASS-REDIRECT redirect to group REDIRECT-CAB class type traffic default input drop policy-map type service SERVICE-TRUSTED 10 class type traffic CLASS-TRUSTED class type traffic default input drop policy-map type service SERVICE-PASSTHROUGH 10 class type traffic CLASS-PASSTHROUGH class type traffic default input drop policy-map type control ISG-CUSTOMERS-POLICY class type control ISG-IP-UNAUTH event timed-policy-expiry 1 service disconnect class type control always event session-start 10 authorize aaa list ISG-AUTH-1 identifier source-ip-address 20 set-timer UNAUTH-TIMER 5 25 service-policy type service name SERVICE-PASSTHROUGH 30 service-policy type service name SERVICE-TRUSTED 40 service-policy type service name LOCAL_L4R class type control always event service-start 1 service-policy type service unapply name LOCAL_L4R 20 service-policy type service identifier service-name class type control always event service-stop 1 service-policy type service unapply identifier service-name 20 service-policy type service name LOCAL_L4R class type control always event quota-depleted 1 set-param drop-traffic FALSE class type control always event credit-exhausted 1 service-policy type service name LOCAL_L4R class type control always event account-logon 10 authenticate aaa list ISG-AUTH-1 20 service-policy type service unapply name LOCAL_L4R interface GigabitEthernetY/Y service-policy type control ISG-CUSTOMERS-POLICY ip subscriber routed initiator unclassified ip-address ip access-list extended ACL-Internet remark --- Internet ACL for ISG --- permit ip any any ip access-list extended ACL-PASSTHROUGH remark --- Passthrough ACL for ISG --- permit ip any 10.0.0.0 0.255.255.255 permit ip 10.0.0.0 0.255.255.255 any deny ip any any log ip access-list extended ACL-REDIRECT remark --- Redirect to LC ACL for ISG --- permit tcp any any eq www deny ip any any ip access-list extended ACL-TRUSTED remark --- Trusted ACL for ISG --- permit ip any host "DNS1" permit ip any host "DNS2" permit ip any host "BILLING" permit ip host "DNS1" any permit ip host "DNS2" any permit ip host "BILLING" any deny ip any any radius-server attribute 44 include-in-access-req radius-server attribute 6 on-for-login-auth radius-server attribute 8 include-in-access-req radius-server attribute 55 include-in-acct-req radius-server attribute 55 access-request include radius-server attribute 25 access-request include radius-server attribute nas-port format c radius-server host "IP RADIUS-сервера" auth-port 1645 acct-port 1646 key cisco radius-server unique-ident 10 radius-server vsa send cisco-nas-port radius-server vsa send accounting radius-server vsa send authentication Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...
triam Опубликовано 27 декабря, 2013 · Жалоба А какие вы сервисы высылаете клиенту при аутентификации? Есть ли там для сервиса указанный Prepaid профиль? http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_suprt_ppaid_blng.html#wp1078903 Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...
master_kka Опубликовано 27 декабря, 2013 (изменено) · Жалоба А какие вы сервисы высылаете клиенту при аутентификации? Есть ли там для сервиса указанный Prepaid профиль? http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_suprt_ppaid_blng.html#wp1078903 Да, безусловно. Атрибуты, передаваемые радиусом для одного из рабочих сервисов: Cisco-AVPair prepaid-config=default Cisco-AVPair ip:traffic-class=in default drop Cisco-AVPair ip:traffic-class=out default drop Cisco-AVPair ip:traffic-class=in access-group name ACL-Internet priority 100 Cisco-AVPair ip:traffic-class=out access-group name ACL-Internet priority 100 Cisco-Service-Info Iinternet1024/16384 Cisco-Service-Info R0.0.0.0;0.0.0.0 Cisco-Service-Info QU;1024000;D;16384000 Service-Type Outbound-User По дефолту всем прописанным в биллинге пользователям вещается локальный сервис, который ограничивает скорость и дает доступ только к локальным ресурсам. SIP subscriber access type(s): IP Current SIP options: Req Fwding/Req Fwded Session Up-time: 16:22:55, Last Changed: 16:22:55 Policy information: Context 06DD132C: Handle C5000085 AAA_id 00000030: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: timeout 604800 (0x93A80) accounting-list "ISG-AUTH-1" ssg-account-info "Aisg_local" netmask 255.255.255.255 service-type 2 [Framed] Downloaded User profile, including services: timeout 604800 (0x93A80) accounting-list "ISG-AUTH-1" ssg-account-info "Aisg_local" netmask 255.255.255.255 service-type 2 [Framed] traffic-class "out access-group name ACL-TRUSTED priority 100" traffic-class "in access-group name ACL-TRUSTED priority 100" ssg-service-info "R0.0.0.0;0.0.0.0" ssg-service-info "QU;128000;D;128000" traffic-class "out default drop" ssg-service-info "Ilocal" traffic-class "in default drop" Config history for session (recent to oldest): Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Service) Profile name: isg_local, 4 references timeout 604800 (0x93A80) traffic-class "out access-group name ACL-TRUSTED priority 100" traffic-class "in access-group name ACL-TRUSTED priority 100" ssg-service-info "R0.0.0.0;0.0.0.0" ssg-service-info "QU;128000;D;128000" traffic-class "out default drop" service-type 5 [Outbound] ssg-service-info "Ilocal" traffic-class "in default drop" Access-type: IP Client: SM Policy event: Service Selection Request Profile name: x.x.x.x, 2 references timeout 604800 (0x93A80) accounting-list "ISG-AUTH-1" ssg-account-info "Aisg_local" netmask 255.255.255.255 service-type 2 [Framed] Active services associated with session: name "isg_local" Rules, actions and conditions executed: subscriber rule-map ISG-CUSTOMERS-POLICY condition always event session-start 10 authorize aaa list ISG-AUTH-1 identifier source-ip-address subscriber rule-map ISG-CUSTOMERS-POLICY condition always event service-start 1 service-policy type service unapply name LOCAL_L4R 20 service-policy type service identifier service-name Session inbound features: Traffic classes: Traffic class session ID: 209 ACL Name: ACL-TRUSTED, Packets = 413, Bytes = 25598 Default traffic is dropped Unmatched Packets = 683, Re-classified packets (redirected) = 0 Feature: Session accounting Method List: ISG-AUTH-1 Packets = 413, Bytes = 25598 Session outbound features: Traffic classes: Traffic class session ID: 209 ACL Name: ACL-TRUSTED, Packets = 408, Bytes = 32412 Default traffic is dropped Unmatched Packets = 349, Re-classified packets (redirected) = 0 Feature: Session accounting Method List: ISG-AUTH-1 Packets = 408, Bytes = 32412 Non-datapath features: Feature: Session Timeout Timeout value is 604800 seconds Time remaining is 6d07h Configuration sources associated with this session: Service: isg_local, Active Time = 16:22:55 AAA Service ID = 754974721 Interface: GigabitEthernet0/2, Active Time = 16:22:55 При активации услуги вешаются рабочие сервисы. В зависимости от услуг варьируется скорость, vrf и пр. SIP subscriber access type(s): IP Current SIP options: Req Fwding/Req Fwded Session Up-time: 00:01:09, Last Changed: 00:01:09 Policy information: Context 07577EC4: Handle 25000853 AAA_id 00055D73: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: timeout 390297 (0x5F499) accounting-list "ISG-AUTH-1" ssg-account-info "Ainet_1024_16384" netmask 255.255.255.255 service-type 2 [Framed] Downloaded User profile, including services: timeout 390297 (0x5F499) accounting-list "ISG-AUTH-1" ssg-account-info "Ainet_1024_16384" netmask 255.255.255.255 service-type 2 [Framed] ssg-service-info "QU;1024000;D;16384000" ssg-service-info "R0.0.0.0;0.0.0.0" ssg-service-info "Iinternet1024/16384" traffic-class "out access-group name ACL-Internet priority 100" traffic-class "in access-group name ACL-Internet priority 100" traffic-class "out default drop" traffic-class "in default drop" Config history for session (recent to oldest): Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Service) Profile name: inet_1024_16384, 4 references timeout 604800 (0x93A80) ssg-service-info "QU;1024000;D;16384000" service-type 5 [Outbound] ssg-service-info "R0.0.0.0;0.0.0.0" ssg-service-info "Iinternet1024/16384" traffic-class "out access-group name ACL-Internet priority 100" traffic-class "in access-group name ACL-Internet priority 100" traffic-class "out default drop" traffic-class "in default drop" Access-type: IP Client: SM Policy event: Service Selection Request Profile name: x.x.x.x, 2 references timeout 390297 (0x5F499) accounting-list "ISG-AUTH-1" ssg-account-info "Ainet_1024_16384" netmask 255.255.255.255 service-type 2 [Framed] Active services associated with session: name "inet_1024_16384" Rules, actions and conditions executed: subscriber rule-map ISG-CUSTOMERS-POLICY condition always event session-start 10 authorize aaa list ISG-AUTH-1 identifier source-ip-address subscriber rule-map ISG-CUSTOMERS-POLICY condition always event service-start 1 service-policy type service unapply name LOCAL_L4R 20 service-policy type service identifier service-name Session inbound features: Traffic classes: Traffic class session ID: 500 ACL Name: ACL-Internet, Packets = 167, Bytes = 11091 Default traffic is dropped Unmatched Packets = 0, Re-classified packets (redirected) = 0 Feature: Session accounting Method List: ISG-AUTH-1 Packets = 167, Bytes = 11091 Session outbound features: Traffic classes: Traffic class session ID: 500 ACL Name: ACL-Internet, Packets = 158, Bytes = 14256 Default traffic is dropped Unmatched Packets = 0, Re-classified packets (redirected) = 0 Feature: Session accounting Method List: ISG-AUTH-1 Packets = 158, Bytes = 14256 Non-datapath features: Feature: Session Timeout Timeout value is 390297 seconds Time remaining is 4d12h Configuration sources associated with this session: Service: inet_1024_16384, Active Time = 00:01:09 AAA Service ID = 2 Interface: GigabitEthernet0/2, Active Time = 00:01:09 Изменено 27 декабря, 2013 пользователем master_kka Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...
master_kka Опубликовано 27 декабря, 2013 (изменено) · Жалоба Хотя надо сказать, что в выводе отсутствует Prepaid context: default и это странно. Если у кого есть возможность, покажите вывод живой сессии с prepaid по команде: sh sss session detailed | begin ID: "номер сессии" или sh subscriber session uid "номер сессии" detailed Изменено 27 декабря, 2013 пользователем master_kka Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...
triam Опубликовано 27 декабря, 2013 · Жалоба Я бы рекомендовал 12.2SB =) Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...
