
ISG session does not come up - initiator dhcp and ip subscriber routed

Hello.

Please help.

 

The ISG session does not come up:

 

policy-map type control isg
class type control always event session-restart
 10 authorize aaa list ipoe password cisco identifier circuit-id plus remote-id
 20 set-timer UNAUTH-TIMER 1
!
class type control always event session-start
 10 authorize aaa list ipoe password cisco identifier circuit-id plus remote-id
 20 set-timer UNAUTH-TIMER 1
!
!

interface TenGigabitEthernet0/0/0.1
service-policy type control isg
  ip subscriber routed
    initiator dhcp

 

Meanwhile, "unclassified ip-address" with "authorize aaa list ipoe password cisco identifier source-ip-address" comes up successfully for any response from RADIUS (unsuccessful ones as unauthen).

 

The request goes to RADIUS with circuit-id:remote-id in the User-Name field... But I don't see a session on the Cisco.... What could it be?


Did you enable debug?

 

And have you tried

ip subscriber connected or l2-connected (I don't remember the exact wording) and initiator dhcp?


You authorized it, fine, but where is the service? For a start, add service local to the start/restart classes. If it comes up, debug the application of services from RADIUS, or leave it as is.


l2-connected works... But it doesn't suit us, because behind the interface there is an L3 network with many switches that send opt82 to the Cisco in DHCP relay requests.

 

I've removed the services for now, since it is exactly the session that does not come up; services are applied only afterwards...

 

It does not come up even during authorization, while the requests are being sent to RADIUS.

 

In the debug:

DHCPD: Reload workspace interface TenGigabitEthernet0/0/0.1 tableid 0.
DHCPD: tableid for 172.16.1.1 on TenGigabitEthernet0/0/0.1 is 0
DHCPD: client's VPN is .
DHCPD: using received relay info.
DHCPD: Sending notification of DISCOVER:
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 00063408043a3f10
 DHCPD: circuit id 0004012d0012
 DHCPD: giaddr = 172.16.101.15
 DHCPD: interface = TenGigabitEthernet0/0/0.1
 DHCPD: class id 756468637020302e392e38
DHCPD: DHCPDISCOVER received from client 012c.ab25.3b9b.53 through relay 172.16.101.15.
DHCPD: using received relay info.
DHCPD: Sending notification of DISCOVER:
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 00063408043a3f10
 DHCPD: circuit id 0004012d0012
 DHCPD: giaddr = 172.16.101.15
 DHCPD: interface = TenGigabitEthernet0/0/0.1
 DHCPD: class id 756468637020302e392e38
AAA/BIND(00BA4FBF): Bind i/f
AAA/BIND(00BA4FBF): Bind i/f TenGigabitEthernet0/0/0.1
Adding mac 2cab.253b.9b53 to SIP common DB
Added mac 2cab.253b.9b53 to SIP common DB
DHCPD: FSM state change WAIT-FOR-CONFIG
DHCPD: Workspace state changed from INIT to WAIT-FOR-CONFIG
DHCPD: Saving workspace (ID=0x910004FD)
DHCPD: New packet workspace 0x7F85E92E7940 (ID=0x5F0004FF)
SSS AAA AUTHOR [uid:5089]: using named author method list "ipoe"
SSS AAA AUTHOR [uid:5089]: using set aaa password "cisco"
SSS AAA AUTHOR [uid:5089]: Root SIP DHCP
SSS AAA AUTHOR [uid:5089]:  Enable IP parsing
SSS AAA AUTHOR [uid:5089]:  Enable DHCP parsing
SSS AAA AUTHOR [uid:5089]:  Enable IP-Interface parsing
SSS AAA AUTHOR [uid:5089]: Event <make request>, state changed from idle to authorizing
SSS AAA AUTHOR [uid:5089]: Active key set to combo_keys
SSS AAA AUTHOR [uid:5089]: Authorizing key 0004012d0012:00063408043a3f10
AAA/AUTHOR (0xBA4FBF): Pick method list 'ipoe'
SSS AAA AUTHOR [uid:5089]: Set authorization profile type default -  user
SSS AAA AUTHOR [uid:5089]: AAA request sent for key 0004012d0012:00063408043a3f10
RADIUS/ENCODE(00BA4FBF):Orig. component type = Iedge DHCP SIP
RADIUS: Format E value 0xE8E3A13 for character U with bitmask 0xFFFFFFFF
RADIUS: Format E port 0xE8E3A13 with bit 32 processed
RADIUS(00BA4FBF): Config NAS IPv6: ::
RADIUS/ENCODE(00BA4FBF): acct_session_id: 244202006
RADIUS/ENCODE(00BA4FBF): Acct-session-id pre-pended with Nas Port = 0/0/0/1
RADIUS(00BA4FBF): sending
RADIUS(00BA4FBF): Send Access-Request to 172.16.10.133:1812 id 1645/162, len 278
RADIUS:  authenticator F4 65 F5 C3 66 5F 13 05 - EB B4 FF 5E FD F5 89 B9
RADIUS:  User-Name           [1]   31  "0004012d0012:00063408043a3f10"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Calling-Station-Id  [31]  14  "2cab253b9b53"
RADIUS:  NAS-Port-Type       [61]  6
RADIUS:  Vendor, Cisco       [26]  17
RADIUS:   cisco-nas-port     [2]   11  "0/0/0/1"
RADIUS:  NAS-Port            [5]   6   244202003
RADIUS:  NAS-Port-Id         [87]  11  "0/0/0/1"
RADIUS:  Vendor, Cisco       [26]  35
RADIUS:   Cisco AVpair       [1]   29  "circuit-id-tag=0004012d0012"
RADIUS:  Vendor, Cisco       [26]  38
RADIUS:   Cisco AVpair       [1]   32  "remote-id-tag=00063408043a3f10"
RADIUS:  Vendor, Cisco       [26]  39
RADIUS:   Cisco AVpair       [1]   33  "vendor-class-id-tag=udhcp 0.9.8"
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   172.16.10.1
RADIUS:  Acct-Session-Id     [44]  20  "0/0/0/1_0E8E3A16"
RADIUS:  Nas-Identifier      [32]  5   "AS1"
RADIUS:  Event-Timestamp     [55]  6   1411207456
RADIUS(00BA4FBF): Sending a IPv4 Radius Packet
RADIUS(00BA4FBF): Started 15 sec timeout
....
IPSUB: Try to create a new session
IPSUB: Lite session not required
IPSUB: IP session context allocated 0x7F861DC31EA8
IPSub: Not a L2 initiated session, update failed
IPSub: Not a L2 initiated session, update failed
IPSub: Check IP session recovery: 172.17.182.39 Te0/0/0.1 mac 0000.0000.0000
IPSub ERROR: No binding application to serve the query.
IPSub: IPSUB: Create no IP session. Start timer to tear down DP session
IPSub: Added session 172.17.182.39 to L3 session table
IPSub: Added session to session table with access session keys
IPSub: session disconnect delay timer started
IPSUB_DP: [uid:0] Sent message to control plane for in-band session creation
IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.7332
IPSUB_DP: [uid:0] Processing new in-band session request
IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.7332
IPSUB_DP: [uid:0] Session already exist with given keys
IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.cb13
IPSUB_DP: [uid:0] Processing new in-band session request
IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.cb13
IPSUB_DP: [uid:0] Session already exist with given keys
IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.4418
IPSUB_DP: [uid:0] Processing new in-band session request
IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.4418
IPSUB_DP: [uid:0] Session already exist with given keys
IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.2017
IPSUB_DP: [uid:0] Processing new in-band session request
IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.2017
IPSUB_DP: [uid:0] Session already exist with given keys
RADIUS: Received from id 1645/162 172.16.10.133:1812, Access-Reject, len 20
RADIUS:  authenticator E1 97 6F 69 D0 41 B9 85 - BA 50 B6 A0 2D D4 AB F3
RADIUS(00BA4FBF): Received from id 1645/162
SSS AAA AUTHOR [uid:5089]: TAL authorisation keys added
SSS AAA AUTHOR [uid:5089]: Received an AAA failure
SSS AAA AUTHOR [uid:5089]: Radius server sent reject
SSS AAA AUTHOR [uid:5089]: Event <service not found>, state changed from authorizing to complete
SSS AAA AUTHOR [uid:5089]: No service authorization info found
SSS AAA AUTHOR [uid:5089]: Active Handle present - C6000311
SSS AAA AUTHOR [uid:5089]: Freeing Active Handle; SSS Policy Context Handle = 7E010EA1
SSS AAA AUTHOR [uid:5089]: Event <free request>, state changed from complete to terminal
SSS AAA AUTHOR [uid:5089]: Cancel request
DHCPD: Callback for workspace (ID=0x910004FD)
DHCPD: FSM state change CONFIGURED
DHCPD: Reprocessing saved workspace (ID=0x910004FD)
DHCPD: Reload workspace interface TenGigabitEthernet0/0/0.1 tableid 0.
DHCPD: tableid for 172.16.1.1 on TenGigabitEthernet0/0/0.1 is 0
DHCPD: client's VPN is .
DHCPD: using received relay info.
DHCPD: Sending notification of DISCOVER:
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 00063408043a3f10
 DHCPD: circuit id 0004012d0012
 DHCPD: giaddr = 172.16.101.15
 DHCPD: interface = TenGigabitEthernet0/0/0.1
 DHCPD: class id 756468637020302e392e38
DHCPD: DHCPDISCOVER received from client 012c.ab25.3b9b.53 through relay 172.16.101.15.
DHCPD: relaying this packet
DHCPD: BOOTREQUEST from 012c.ab25.3b9b.53 forwarded to 172.16.2.67.
DHCPD: Freeing saved workspace (ID=0x910004FD)
DHCPD: Sending notification of ASSIGNMENT FAILURE:
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 020a00000a490101080000c9
 DHCPD: giaddr = 172.16.101.15
 DHCPD: interface = TenGigabitEthernet0/0/0.1
 DHCPD: class id 756468637020302e392e38
DHCPD: Sending notification of ASSIGNMENT_FAILURE:
DHCPD: due to: NO REASON
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 020a00000a490101080000c9
 DHCPD: giaddr = 172.16.101.15
 DHCPD: interface = TenGigabitEthernet0/0/0.1
 DHCPD: class id 756468637020302e392e38
...

 

Accordingly, whether or not the policy-map type control contains service local with an existing service makes no difference... I don't see the session...

Edited by Marg
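
An added example (not part of the original posts): a Python script that runs over an excerpt of the debug lines above, checks that the AAA key equals circuit-id:remote-id from the DISCOVER notification, and decodes both option 82 values. The field layouts (type, length, VLAN, module, port and type, length, MAC) are an assumed common switch encoding, and the function names are hypothetical.

```python
import re

# Excerpt of the debug output posted above (copied from the thread, not constructed).
DEBUG = """\
DHCPD: Sending notification of DISCOVER:
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 00063408043a3f10
 DHCPD: circuit id 0004012d0012
SSS AAA AUTHOR [uid:5089]: Authorizing key 0004012d0012:00063408043a3f10
RADIUS: Received from id 1645/162 172.16.10.133:1812, Access-Reject, len 20
DHCPD: Sending notification of ASSIGNMENT FAILURE:
 DHCPD: htype 1 chaddr 2cab.253b.9b53
 DHCPD: remote id 020a00000a490101080000c9
"""

def decode_circuit_id(hexstr):
    """Assumed layout: type(1) len(1) vlan(2) module(1) port(1)."""
    b = bytes.fromhex(hexstr)
    if len(b) != 6 or b[0] != 0 or b[1] != 4:
        return None  # unknown format: keep the value opaque
    return {"vlan": int.from_bytes(b[2:4], "big"), "module": b[4], "port": b[5]}

def decode_remote_id(hexstr):
    """Assumed layout: type(1) len(1) mac(6)."""
    b = bytes.fromhex(hexstr)
    if len(b) != 8 or b[0] != 0 or b[1] != 6:
        return None  # unknown format: keep the value opaque
    return {"mac": ":".join(f"{x:02x}" for x in b[2:])}

def summarize(debug):
    """Collect DHCPD notifications, the AAA key and the RADIUS verdict."""
    events, current = [], None
    out = {"events": events, "key": None, "radius": None}
    for line in debug.splitlines():
        if m := re.search(r"Sending notification of ([A-Z_ ]+):", line):
            current = {"event": m.group(1).strip().replace("_", " ")}
            events.append(current)
        elif (m := re.search(r"DHCPD: (remote|circuit) id ([0-9a-f]+)", line)) and current:
            current[m.group(1)] = m.group(2)
        elif m := re.search(r"Authorizing key (\S+)", line):
            out["key"] = m.group(1)
        elif m := re.search(r"RADIUS: Received .*?(Access-\w+)", line):
            out["radius"] = m.group(1)
    remotes = {e["remote"] for e in events if "remote" in e}
    out["remote_id_changed"] = len(remotes) > 1  # relay info differs between events
    first = events[0] if events else {}
    out["key_matches_discover"] = out["key"] == f'{first.get("circuit")}:{first.get("remote")}'
    return out
```

On this excerpt the remote id in the ASSIGNMENT FAILURE notification differs from the one in DISCOVER and does not fit the assumed layout, so it is left undecoded.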


By the way, I see the addresses come up in "show ip subscriber"

But they all look like

...
routed      0              down     172.17.4.40/32
routed      0              down     172.17.4.85/32
...

 

And I think the DHCP addresses should still be in show ip dhcp database/binding?


Hmm, we haven't used that scheme. One of our schemes: clients L2 connected, initiator dhcp, AAA by circuit+remote. The second: L3 connected, identifier is source ip, addresses are handed out by a separate server whose traffic does not pass through the BRAS.

Can the Cisco definitely combine option 82 and routed?


+ It's not very clear, since ISG cannot work with a double L3 relay. It's written in the restrictions there.
