ASR9k BNG Radius issue

Hi folks.
I'm deploying BNG on an ASR9k with IOS XR 4.3.1 and have some problems with the RADIUS exchange. My current config is:
radius source-interface Loopback220 vrf default
radius-server host x.y.z.198 auth-port 1812 acct-port 1813
key test
aaa attribute format USERNAME
format-string length 253 "%s" outer-vlan-id
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
aaa radius attribute nas-port format e SSSSAAPPPPPVVVVVVVVVVVVVVVVVVVVV
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa group server radius BNG
server x.y.z.198 auth-port 1812 acct-port 1813
source-interface Loopback220
aaa accounting subscriber default group BNG
aaa authorization subscriber default group BNG
aaa authentication subscriber default group BNG
aaa authentication ppp default group BNG
dhcp ipv4
vrf INTERNET proxy profile IPV4_GROUP
profile IPV4_GROUP proxy
  class INTERNET
   match vrf INTERNET
   helper-address vrf INTERNET x1.y1.z1.77 giaddr x2.y2.z2.129
  limit lease per-remote-id 150
  relay information option vpn
  relay information option
  relay information policy keep
  relay information option allow-untrusted
interface TenGigE0/1/0/0.1 proxy profile IPV4_GROUP
Radius server is reachable from BNG with loopback220 source IP address.
interface TenGigE0/1/0/0.1
ipv4 point-to-point
ipv4 unnumbered Loopback200
service-policy type control subscriber IP_POLICY_BASIC
encapsulation dot1q 145 second-dot1q 1960
ipsubscriber ipv4 l2-connected
  initiator dhcp
dynamic-template
type ipsubscriber IP_BASIC
  ipv4 unnumbered Loopback200
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
policy-map type control subscriber IP_POLICY_BASIC
event session-start match-first
  class type control subscriber DHCP do-until-failure
   10 activate dynamic-template IP_BASIC
   20 authorize aaa list default format USERNAME password test
end-policy-map
Radius debug info:
LC/0/1/CPU0:Aug  1 00:19:41.493 FET: radiusd[322]: ENTERING 'handle_nas_req'
LC/0/1/CPU0:Aug  1 00:19:41.493 FET: radiusd[322]: ENTERING 'radiusd_get_nas_identifier'
LC/0/1/CPU0:Aug  1 00:19:41.493 FET: radiusd[322]: ENTERING 'build_radius_pkt'
LC/0/1/CPU0:Aug  1 00:19:41.493 FET: radiusd[322]: EXITTING 'radiusd_get_nas_identifier'
LC/0/1/CPU0:Aug  1 00:19:41.493 FET: radiusd[322]: ENTERING 'build_radius_pkt_from_list'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: ENTERING 'radiusd_get_prepend_nas_id_to_session_id'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: EXITTING 'radiusd_get_prepend_nas_id_to_session_id'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: EXITTING 'build_radius_pkt_from_list'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: EXITTING 'build_radius_pkt'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_send_request_message'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_get_next_server'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: Server x.y.z.198/1812/1813 is UP  & Quarantined: NO
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: radius_get_next_server: Setting the preferred server handle to NULL
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: Sending request to x.y.z.198:1812, with retry_limit: 3 and delay: 5
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: EXITTING 'radius_get_next_server'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_set_ident_sock'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: EXITTING 'radius_set_ident_sock'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_ctx_db_insert_rctx'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: EXITTING (value 1) 'radius_ctx_db_insert_rctx'
LC/0/1/CPU0:Aug  1 00:19:41.494 FET: radiusd[322]: Sending request with id : 14/1347259508
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: ENTERING 'send_radius_packet'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_add_mand_attrs'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_add_mand_attrs'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_get_nas_ip_address'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Calling best local address using daemon address=x.y.z.198
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: ENTERING 'get_ip_addr_from_fib'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Address x.y.z.198 does not have a source address
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Got IP address: 0.0.0.0
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: IP source address aaa util format: 0.0.0.0
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: EXITTING 'get_ip_addr_from_fib'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: NAS best local address = 0.0.0.0
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_get_nas_ip_address'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Reencoding NAS-IP prev 0.0.0.0 new 0.0.0.0
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_get_next_server'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Server x.y.z.198/1812/1813 is UP  & Quarantined: NO
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Failed aaa_sg_server_get_next_server with error 'qos-ea' detected the 'fatal' condition 'set exp imposition in egress is not permitted' rc = AFDF1600
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_get_next_server' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: NAS-IP-Address not found, Moving to next server in the server group
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Nas-IP-Address not found, dropping request
LC/0/1/CPU0:Aug  1 00:19:41.495 FET: radiusd[322]: Failed to send the request
Any workaround or recommendation to solve the issue?

I have the same problem on 5.1.1 software
aaa accounting system default start-stop group BNG
aaa group server radius BNG
server-private XX.XXX.XXX.8 auth-port 1812 acct-port 1813
  key 7 000500140D551F031D324D5A490D000406
source-interface Loopback1
aaa authentication ppp default group BNG
aaa authentication login default local
dynamic-template
type ppp PPP_TPL
  ppp authentication chap
  ppp ipcp dns 8.8.8.8
  ipv4 unnumbered Loopback2
interface Loopback1
ipv4 address 10.254.254.254 255.255.255.255
interface Loopback2
ipv4 address 10.254.254.253 255.255.255.255
interface MgmtEth0/RSP0/CPU0/0
ipv4 address 10.252.0.90 255.255.255.0
interface MgmtEth0/RSP0/CPU0/1
shutdown
interface TenGigE0/0/2/1.556
ipv4 address 10.56.0.1 255.255.255.0
service-policy type control subscriber PPP_PM
pppoe enable bba-group pppoe
encapsulation dot1q 556
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group BNG
aaa authorization subscriber default group BNG
aaa authentication subscriber default group BNG
pppoe bba-group pppoe
service selection disable
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
policy-map type control subscriber PPP_PM
event session-start match-first
  class type control subscriber PPP do-until-failure
   1 activate dynamic-template PPP_TPL
event session-activate match-first
  class type control subscriber PPP do-until-failure
   1 authenticate aaa list default
end-policy-map
The RADIUS server sends an Access-Accept, but it isn't visible on the router
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS: Send Access-Request to XX.XXX.XXX.8:1812 id 169, len 220
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  authenticator D3 8C BA E1 87 32 81 3C - E7 47 78 79 20 C1 AC 57
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  Vendor,Cisco        [26]    41     
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:   Cisco AVpair        [1]    35      client-mac-address=000e.0c75.b6d9
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  Acct-Session-Id     [44]    10      0400003b
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  NAS-Port            [5]     6       2701140681
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  NAS-Port-Id         [87]    3       .      
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  Vendor,Cisco        [26]    9      
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:   cisco-nas-port      [2]    3       .      
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  User-Name           [1]     11      user1
LC/0/0/CPU0:Mar  6 15:48:32.499 : radiusd[327]:  RADIUS:  Service-Type        [6]     6       Framed[0]
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  CHAP-Password       [3]     19      *      
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  CHAP-Challenge      [60]    18      r^K d ^BZ-^E^B^_^S^Xd^U)
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: Unsuppoted attribute.
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  Vendor,Cisco        [26]    33     
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:   Cisco AVpair        [1]    27      connect-progress=LCP Open
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  Framed-Protocol     [7]     6       PPP[0] 
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  NAS-Port-Type       [61]    6       PPPoEoVLAN[0]
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  Event-Timestamp     [55]    6       1394102897
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  Nas-Identifier      [32]    14      asr9k_pppoe
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]:  RADIUS:  NAS-IP-Address      [4]     6       XX.XXX.XXX.9
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: Updating last used server
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: EXITTING 'send_radius_packet'
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: Got global deadtime 0
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: Using global deadtime = 0 sec
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: ENTERING 'start_dead_detect_timer'
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: EXITTING 'start_dead_detect_timer'
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: ENTERING 'radius_timer_update'
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: EXITTING 'radius_timer_update'
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: Updated timer thread rad_ident 169 remote_port 1812 remote_addr 0x30fb908c, socket 1342480676 rctx 0x5015b530
LC/0/0/CPU0:Mar  6 15:48:32.500 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: Successfully sent packet and started timeout handler for rctx 0x5015b530
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: EXITTING 'radius_send_request_message'
LC/0/0/CPU0:Mar  6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timeout_handler'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timeout_handler'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: Timeout happened for req rad_ident 169 remote_port 1812 remote_addr 0x50 socket 1342480676 rctx 5015b530
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_ctx_db_get_and_remove_rctx'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: rctx found is 0x5015b530
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: EXITTING 'radius_ctx_db_get_and_remove_rctx'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_send_request_message'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: Reached retry count for the server 3,Trying to move to next server
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'radius_get_next_server'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: Server XX.XXX.XXX28/1812/1813 is UP  & Quarantined: NO
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: EXITTING 'radius_get_next_server' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: EXITTING 'radius_send_request_message' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: ENTERING 'rad_nas_reply_to_client'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: rad_nas_reply_to_client: Received response from id : 169,packet type 1
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: rad_nas_reply_to_client: Sending failover message to client
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: EXITTING 'rad_nas_reply_to_client'
LC/0/0/CPU0:Mar  6 15:48:37.508 : radiusd[327]: EXITTING 'radius_timeout_handler'
I tried with a RADIUS group and without it, and with different source-interface interfaces; it doesn't help.
Any thoughts on where to look?

Similar Messages

  • ASR9K BNG and user defined VSAs

    Hello All,
    I am currently deploying the Cisco ASR9K BNG solution and it needs to be integrated with Cisco ACS 3.3 equipment (yes, that old... going to migrate to a new product in the future). There are several specific attributes needed that are not in the base config of the ACS 3.3, but it seems that I can configure them manually:
    In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. Vendors you add must be IETF-compliant; therefore, all VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26.
    This is from the ACS 3.3 configuration manual.
    I have never done these user-defined VSAs. Does anyone have experience with this? Will this work?
    How can I identify the exact attributes necessary for my implementation to work?
    Thanks!
    David

    Hi David,
    yes that will work.
    Radius is very "simple", it defines attributes in the following format:
    attribute-number     string representation     encoding type.
    The encoding type is important, because the value you provide on the string representation of the attribute
    will get encoded in that manner.
    For instance, a string value of "105" is 3 bytes with chars "1", "0" and "5". The INT encoding of this will be a single byte with value "105", which is the ASCII letter "i".
    Now attribute number "26" has string representation "vendor-specific". These attributes are encoded slightly differently:
    attribute 26, vendor code, vendor length, vendor attribute, vendor value.
    For Cisco the vendor code is 9, always.
    For the vendor attribute we have some options, for instance:
    "1" is the cisco-avpair you may well know.
    "2" is cisco-nas-port
    250 is SSG command code for instance.
    In general, all VSAs follow a string encoding.
    So if you have the ability to define a new VENDOR specific attribute, they always start with 26, vendor code and vendor attribute.
    If you like you add a, what we call IETF attribute, that is the first digit (some vendors "stole" some values there like Ascend, who was the originator of radius pretty much), they had assigned for instance number 135 for ascend-primary-dns which is encoded as IP address (so 4 octets converted to a ulong value).
    Does that clarify your Q at all? In short, yes, VSAs are always usable in ANY radius that supports attribute 26.
    regards
    xander
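
The attribute 26 layout discussed in the reply above, as an added Python example (not part of the original posts and not Cisco code). It uses the RFC 2865 wire layout, where an integer is four octets in network byte order, and rebuilds two Cisco VSAs from the Access-Request debug earlier on this page so the lengths can be compared with the logged 41/35 and 9/3; all function names are this example's own.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26   # IETF attribute number that carries every VSA
CISCO = 9              # Cisco vendor code, as stated in the post


def enc_string(text):
    """String encoding: the characters themselves, one octet each."""
    return text.encode("ascii")


def enc_integer(number):
    """Integer encoding per RFC 2865: 32 bits, network byte order."""
    return struct.pack("!I", number)


def enc_ipaddr(dotted):
    """Address encoding: the four octets of the IPv4 address."""
    return ipaddress.IPv4Address(dotted).packed


def tlv(code, value):
    """One octet type, one octet length (header included), then the value."""
    if not 0 < code < 256:
        raise ValueError("attribute number must fit in one octet")
    if len(value) > 253:
        raise ValueError("value too long for a one-octet length")
    return bytes([code, len(value) + 2]) + value


def encode_vsa(vendor, vendor_type, value):
    # Wire order: 26 | length | vendor code (4 octets) |
    #             vendor attribute | vendor length | vendor value
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor) + tlv(vendor_type, value))


def split_tlvs(buf):
    """Walk a run of TLVs, rejecting lengths that under- or overrun the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        code, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        out.append((code, buf[pos + 2:pos + length]))
        pos += length
    return out


def decode_vsa(attribute):
    """Return (vendor code, [(vendor attribute, value), ...]) for one attribute 26."""
    attrs = split_tlvs(attribute)
    if len(attrs) != 1 or attrs[0][0] != VENDOR_SPECIFIC:
        raise ValueError("expected exactly one attribute 26")
    body = attrs[0][1]
    if len(body) < 4:
        raise ValueError("vendor code missing")
    vendor = struct.unpack("!I", body[:4])[0]
    return vendor, split_tlvs(body[4:])


# Attribute values copied from the Access-Request debug earlier on this page.
AVPAIR = encode_vsa(CISCO, 1, enc_string("client-mac-address=000e.0c75.b6d9"))
NAS_PORT = encode_vsa(CISCO, 2, enc_string("."))

if __name__ == "__main__":
    for raw in (AVPAIR, NAS_PORT):
        print(len(raw), raw.hex(), decode_vsa(raw))
    # The same "105" under two encoding types
    print(enc_string("105").hex(), enc_integer(105).hex())
```

The decoder refuses any length octet that is smaller than the two-octet header or that points past the end of the buffer, which is the check a RADIUS dictionary entry with the wrong encoding type tends to trip.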

  • WLC and Radius issue

    We keep getting the following error, and every time we get it, the clients are forced to re-authenticate.
    Any idea?
    Thanks,
    RADIUS server 10.108.32.33:1812 activated on WLAN 1
    RADIUS server 10.140.4.9:1812 deactivated on WLAN 1

    Go to clients. Look up the client by mac address and look at the PEM state. It will tell you why the client is failing ..
    DHCP_REQ means there is a DHCP issue
    8021x_REQ means it failed auth
    You could also turn off exclude as a test, perhaps these clients are a little slow to auth.

  • AAA RADIUS issue

    Hello everybody.
    I am having some trouble when lots of users try to connect via Anyconnect on my ASA (5545-X).
    At the peak some users complain they cannot authenticate and I see these messages flapping in the logs:
    %ASA-2-113022: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as FAILED
    %ASA-2-113023: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as ACTIVE
    After a while it gets back to working normally and there are no more messages like that.
    Is changing the "timeout" parameter (default is 10) to a higher number a good idea? Or could the problem be at the RADIUS server?
    aaa-server SRV-RADIUS1 protocol radius
    aaa-server SRV-RADIUS1 (inside) host 1.1.1.1
     time-out 20
    Thanks

    Hi Vitor and sorry for the delayed reply! Your English is just fine! :)
    I am glad that changing the "timeout" value has solved the problem.
    On your second question: I never had to filter any attributes out of the ASA and I am not sure if it is possible. With that being said, I don't think that the issue was/is with the ASA sending too much logging/Radius info. If you only had around 10 concurrent users during your peak hours then there is no way that they overwhelmed the Radius server :) The fact that the issue went away after changing the "timeout" value leads me to believe that the problem is related to something else. For instance, RTT (round trip delay) between the aaa server and your ASA or link saturation that causes bandwidth starvation which causes the server to time out in the ASA...just some ideas here :)
    I hope this helps!

  • WLC & RADIUS Issue

    Hi,
    I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related in that the re-authentication time is very long. I have implemented QOS for the RADIUS traffic but they are still reporting problems.
    Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.
    RADIUS server 10.x.x.x:1645 deactivated in global list
    RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
    What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this wlan and ACS is unable to authenticate it then the ACS server is "disabled" by the WLC?
    Is this the case?
    Thanks

    Thanks JG,
    Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?
    (In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user)
    Could this almost be a denial of service style issue?
    Thanks

  • Cisco ISE some Radius issues

    Dear guys,
    I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as RADIUS server for Client Access Control. But I got some problems such as:
    No Accounting Start. (I have configured accounting on the Switch 2960).
    Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
    I would greatly appreciate any help you can give me in working this problem.
    Have a nice day,
    Thanks and Regards,

    Sorry for late reply.
    Here is my switch config.
    Current configuration : 8630 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no logging console
    enable password ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client A.B.C.D server-key keystrings
    aaa session-id common
    system mtu routing 1500
    vtp mode transparent
    ip dhcp snooping
    ip device tracking
    crypto pki trustpoint TP-self-signed-447922560
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-447922560
     revocation-check none
     rsakeypair TP-self-signed-447922560
    crypto pki certificate chain TP-self-signed-447922560
     certificate self-signed 01
      xxxxx
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 139,153,401-402,999,1501-1502
    interface FastEthernet0/11
     switchport access vlan 139
     switchport mode access
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     authentication periodic
     authentication timer inactivity 180
     authentication violation restrict
     mab
    interface FastEthernet0/12
     switchport access vlan 139
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 139
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    interface GigabitEthernet0/1
     switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
     no ip address
    interface Vlan139
     ip address E.F.G.H 255.255.255.0
    ip default-gateway I.J.K.L
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     remark Allow DHCP
     permit udp any eq bootpc any eq bootps
     remark Allow DNS
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host A.B.C.D eq 8443
     permit tcp any host A.B.C.D eq 443
     permit tcp any host A.B.C.D eq www
     permit tcp any host A.B.C.D eq 8905
     permit tcp any host A.B.C.D eq 8909
     permit udp any host A.B.C.D eq 8905
     permit udp any host A.B.C.D eq 8909
     deny   ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any
    ip radius source-interface Vlan139
    snmp-server community keystrings RW
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host A.B.C.D version 2c keystrings  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    end
    My switch version is
    WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
    I would greatly appreciate any help you can give me in working this problem.

  • WLC and windows radius issue and another problem

    Hi everyone.
    We have a problem with a customer wireless infrastructure which has a WLC using a Windows 2003 RADIUS server for authentication.
    The users haven't been able to connect to the SSID since Monday. Nothing has been changed and the configuration is correct.
    I think it's a client problem because the clients who use Linux can connect.
    Any idea?
    I have attached a debug dot1x events output from when a Windows client tries to connect.
    We have another problem with another SSID using local wpa2/pkm/ascii authentication.
    This SSID is used for smartphones. The clients who use Android can connect, the clients who use iPhone can't.
    Is this a conspiracy? xD
    Thank you in advance.
    Best regards

    for the debug you attached, I see the client send an EAPOL start message, after it gets the Identity request.  It seems to move beyond that, and then
    Jul 30 15:36:47.396: 18:3d:a2:65:bd:54 Processing Access-Reject for mobile 18:3d:a2:65:bd:54
    I'd take a look at the IAS logs to see why this particular client was rejected.
    HTH,
    Steve

  • Pin radius vicinity issues

    Hi,
    This problem below got caught up on another thread with a different problem, thought best to start a new thread for it.
    My particular problem here comes from user manipulation via Manage Your Places of the radius of pins. It is slow, it is jerky and it is buggy and what it did some weeks back was jump on one particular pin and expand it to cover the entire world which basically overwrote every other location I had set. Why it would overwrite these without the user changing the settings for said pictures themselves is absolute stupidity, but I digress.
    Rebuilding libraries etc. is not going to retract the radius of that circle I am assuming and restore all of the original locations I had. Anyway, I took a deep breath and decided to approach places a little differently and have a lot less specific places. Before I might have had 15 photo locations for a town, now the pics will come under just the town name.
    So I have been going through renaming one of the fifteen pins (just from this one town as an example) as the town name, expanding it to cover the area the 15 covered then I delete off the other 14 as places. Time consuming and laborious but I see an eventual sensible outcome from it and in theory quicker to rename all my lost places.
    The problem is that the radius issue keeps happening, half a dozen times in the past 3 or 4 days alone and this meant that roughly 2500 pics I had relabelled were once again overwritten with the location of the pin with the expanded radius. And I'm back to square one.
    So is there any workaround for this particular Places problem?
    Thanks,
    C.

    @Craig,
    I am not sure to what extent less specific places "solves" the problem, which seems to be the radius that a pin receives when placed on the map for the first time.  It seems to be a value determined by Google, is not displayed in the teeny-weeny Assign a Place... dialog, and cannot be modified until it has or has not overlapped other custom places.  So, while the probability of overlap might be somewhat reduced by less specific places, the inconvenience it causes is increased.  I have noticed that Google defines a region named "Aletschgletscher" or "Jungfrau Aletsch" (working from memory here), which has a rather large radius due to the very irregular shape of the glacier, and that pins defined for towns in the Obergoms region, e.g., Blitzingen, Niederwald, Oberwald, Ulrichen, etc., often assumed the very large radius of the Aletsch Glacier.  Besides, I'm wondering why on earth I should have to modify my use of this feature to accommodate Apple's stupid implementation of it.  Nobody in Apple should even consider making the argument that this is how it should work.  The legions of problems it causes is well documented in these forums, although, as we all know, Apple "isn't monitoring" them and hence, presumably, is quite unaware of them.  And iPhoto 09 implemented Places completely differently -- the interface didn't have the eye-candy and "just magical" appeal of the present one, but it didn't cause the problems we're experiencing with Places in iPhoto 11.
    My "solution" to the pin radius problem is:
    Enter a character string in "Assign a Place..." and see what iPhoto suggests.
    If you are tempted to select a suggestion that is a custom place of yours, do so only if you don't intend to modify its location or name.  Doing so will have the same effect as modifying it in Manage My Places!
    If you select a place suggested by Google, try to locate it sufficiently far away from other custom places (iPhoto no help here), and give it a name that you can easily recognize and distinguish from Google's suggestions in the future (cf. warning above).
    Go directly to Manage My Places, find the new place, judge which existing places it overlaps, and note them down somewhere for the next step.  Then reduce its radius and adjust its location.
    Go into the Places view and select the new place.  In all probability there will be photos at that place that don't belong there.  Assign them to the correct place from the list you made in the step above.
    Weep and gnash teeth as necessary.  Regularly chant:  "On a Mac it just works!"  Keep stiff upper lip and imagine how much clumsier this must be in Windows.
    Regards,
    Richard

  • Configure IP pool from radius server

    Hi, all
    My ADSL system's using a ERX-700 (juniper) as a BRAS and 7206 for backup.
    Everything is alright except assigning name of pool to BRAS.
    ERX-700 use frame-pool attr to provide pool name instead of addr-pool attr as 7206.
    IOS can unsupport this attr but I can't configure both attr on radius.
    Can you help to overcome this problem
    Thanks a lot.

    This is a radius issue. It depends on the AAA server you're using how to configure both NASes independently.
    For instance, if you would be using NavisRadius product as AAA server to configure which attributes to send back per NAS is really piece of cake:
    1) First, you have to define how to identify both NASes separately, either by IP, technology, by checking the calling-station-id, or whatever.
    Supposing you do use IP, which maybe is easier, you do have to define a clients file, for instance:
    10.0.0.1 secret_key ERX700
    10.0.0.2 secret_key2 Cisco7200
    10.0.0.3 secret_key3 AS5800
    2) Depending on who's sending the request define what to do next and what attributes send back. With NavisRadius you make this thru a Policy Flow, which is like a set of instructions to configure it, either manually or thru a GUI. Thru this set you could do for instance:
    checkClientClass Method-Type="Branch"
    Branch-Case = "Cisco7200\tsetIPAdressPoolA"
    Branch-Case = "ERX700\tsetIPforERX"
    Branch-Case = "AS5800\tsetIpsecService"
    Branch-Case = "*\tUnknownClient"
    Branch-SelectMode = "KEY"
    Branch-SearchKey = "${client.Client-Class}"
    3) And finally depending on the tag used go to another method which sends the needed attributes back to the NAS or do whatever you want to do depending on the case.
    This is a very brief example, since the product is really flexible and allows many other possibilities, like getting the IP pools from another server, etc.
    Good luck!
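The three steps from the answer above, sketched in Python as an added example (not part of the original post and not NavisRadius code). It assumes the ERX takes the pool name in Framed-Pool and IOS takes it as `ip:addr-pool=` inside Cisco-AVPair; the function names, the `POOL_A` pool name and the "discard" action are hypothetical, and the clients file is constructed.

```python
import ipaddress

# Constructed clients file in the "address secret class" layout from the answer.
CLIENTS_FILE = """\
10.0.0.1 secret_key ERX700
10.0.0.2 secret_key2 Cisco7200
10.0.0.3 secret_key3 AS5800
"""


def parse_clients(text):
    """Step 1: map each NAS source address to (shared secret, client class)."""
    clients = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'address secret class'")
        addr = ipaddress.ip_address(fields[0])
        if addr in clients:
            raise ValueError(f"line {lineno}: duplicate client {addr}")
        clients[addr] = (fields[1], fields[2])
    return clients


def pool_for_erx(pool):
    # Framed-Pool is standard RADIUS attribute 88 (RFC 2869).
    return [("Framed-Pool", pool)]


def pool_for_cisco(pool):
    # IOS reads the pool name from the Cisco-AVPair VSA (vendor 9, type 1).
    return [("Cisco-AVPair", f"ip:addr-pool={pool}")]


# Step 2: branch table keyed on client class, like the Branch-Case lines.
# Only the two pool branches are modelled; other classes get no pool attribute.
POOL_BRANCH = {"ERX700": pool_for_erx, "Cisco7200": pool_for_cisco}


def reply_attributes(src_ip, pool, clients):
    """Step 3: return (action, attributes) for an already authenticated user."""
    entry = clients.get(ipaddress.ip_address(src_ip))
    if entry is None:
        # No shared secret is configured for this source, so the request
        # cannot be validated: discard it instead of answering.
        return ("discard", [])
    _secret, client_class = entry
    branch = POOL_BRANCH.get(client_class)
    return ("Access-Accept", branch(pool) if branch else [])


CLIENTS = parse_clients(CLIENTS_FILE)

if __name__ == "__main__":
    for nas in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"):
        print(nas, reply_attributes(nas, "POOL_A", CLIENTS))
```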

  • 802.1X authentication and roaming issues

    Hi there,
    I installed one Cisco WCS 2504 and 11 APs about 2 days ago. Everything is doing well regarding WEP authentication. But I have a Radius Server that is also running, with some issues on wireless:
    - Unless I open network settings and click connect on that config I cannot obtain a valid IP Address;
    - Roaming is not working also;
    FYI the certificate (on radius) has expired
    TY

    Not all these are radius issues
    - WPA2 Wlan still ok (144Mbit), but don't know when roaming works (how can I know/change these settings?);
    Look at the client adapter as there is usually a roaming aggressiveness option on these devices. Play around with that.
    - Radius authenticated with 802.11 Data Encryption on 40 bits Key size connects always at 54Mbps (g) and auto authenticate but don't know when roaming works (how can I know/change these settings?);
    802.11n only supports open authentication or WPA2/AES. WEP is not supported, so that's why you get up to 54mbps.
    - Radius with 802.11 Data Encryption with none key size, doesn't authenticate connects 144Mbit but doesn't acquire IP Address
    You have a configuration issue either in the WLC or the switch.
    Sent from Cisco Technical Support iPhone App

  • IOS XR 5.1.1 PPPoE Multicast BUG

    When PPPoE users connect, everything works at first, but after a while errors begin
    and everything stops working
    RP/0/RSP0/CPU0:Apr 24 10:37:11.280 : pim[1160]: [11] Skipping set on Interface Bundle-Ether100.10.pppoe11180, vrf id/drop id 0x0/0x0 pim_vrf 0x60000000 group_joined 0 0, handle 0x1c8e0
    RP/0/RSP0/CPU0:Apr 24 10:37:11.280 : pim[1160]: [11] Skipping reset on Interface Bundle-Ether100.10.pppoe11180, vid 0/0 group_joined 0 0, handle 0x1c8e0
    RP/0/RSP0/CPU0:Apr 24 10:37:25.630 : pim[1160]: [11] Skipping set on Interface Bundle-Ether100.10.pppoe11181, vrf id/drop id 0x0/0x0 pim_vrf 0x60000000 group_joined 0 0, handle 0x1c960
    RP/0/RSP0/CPU0:Apr 24 10:37:25.630 : pim[1160]: [11] Skipping reset on Interface Bundle-Ether100.10.pppoe11181, vid 0/0 group_joined 0 0, handle 0x1c960
    Config
    interface Bundle-Ether100.10
     service-policy type control subscriber PPP_PM
     pppoe enable bba-group intersat
     encapsulation ambiguous dot1q any
    interface Bundle-Ether100.445
     description IPTV-in
     ipv4 address 10.45.45.2 255.255.255.0
     encapsulation dot1q 445
    interface Loopback1
     ipv4 address 10.254.254.254 255.255.255.255
    ipv4 access-list IPTV
     10 permit ipv4 239.10.0.0 0.0.255.255 any
     20 permit ipv4 239.12.0.0 0.0.255.255 any
     30 permit ipv4 239.195.0.0 0.0.255.255 any
     50 permit ipv4 224.0.0.0 0.0.0.255 any
     70 permit ipv4 229.0.0.0 0.0.255.255 any
    ipv4 access-list IPTV2
     10 permit ipv4 238.0.0.0 0.255.255.255 any
    dynamic-template
     type ppp PPP_TPL
      ppp authentication chap pap
      keepalive 120
      ppp timeout absolute 60000
      ppp ipcp peer-address pool POOL
      timeout idle 60
      accounting aaa list default type session periodic-interval 600
      ipv4 unnumbered Loopback1
      multicast ipv4 passive
      igmp query-interval 60
      igmp query-max-response-time 4
    multicast-routing
     address-family ipv4
      interface Bundle-Ether100.10
       enable
      interface Bundle-Ether100.445
       enable
    pppoe bba-group intersat
     service selection disable
    class-map type control subscriber match-any PPP
     match protocol ppp 
     end-class-map
    policy-map type control subscriber PPP_V
     event session-start match-first
      class type control subscriber PPP do-until-failure
       1 activate dynamic-template PPP_HW
     event session-activate match-first
      class type control subscriber PPP do-until-failure
       1 authenticate aaa list default
     end-policy-map
    policy-map type control subscriber PPP_PM
     event session-start match-first
      class type control subscriber PPP do-until-failure
       1 activate dynamic-template PPP_TPL
     event session-activate match-first
      class type control subscriber PPP do-until-failure
       1 authenticate aaa list default
     end-policy-map
    router pim
     address-family ipv4
      rp-address 10.42.42.2 IPTV2
      rp-address 10.66.202.2 IPTV
      neighbor-filter 1
      interface Loopback1
       disable
      interface Bundle-Ether100.10
       disable
    Resetting the pim process doesn't help. If all users are disconnected and everything reconnects, it starts working;
    it works while several users connect, but then stops again
    RP/0/RSP0/CPU0:ASR9K-BNG#sh igmp groups 
    Thu Apr 24 10:42:13.125 YEKT
    IGMP Connected Group Membership
    Group Address   Interface                     Uptime    Expires   Last Reporter
    224.0.0.2       Bundle-Ether100.445           23:44:55  never     10.45.45.2
    224.0.0.13      Bundle-Ether100.445           23:44:55  never     10.45.45.2
    224.0.0.22      Bundle-Ether100.445           23:44:55  never     10.45.45.2
    224.0.1.40      Bundle-Ether100.445           23:36:47  never     10.45.45.2
    239.10.11.3     Bundle-Ether100.10.pppoe11174 00:05:26  00:01:53  10.2.3.177
    239.10.11.6     Bundle-Ether100.10.pppoe11174 00:06:36  00:01:55 10.2.3.177
    239.10.19.5     Bundle-Ether100.10.pppoe11174 00:06:36  00:01:55  10.2.3.177
    239.255.255.250 Bundle-Ether100.10.pppoe11178 00:06:05  00:01:08 10.2.3.50
    224.0.0.252     Bundle-Ether100.10.pppoe11179 00:06:02  00:01:14  10.2.3.138
    238.1.2.1       Bundle-Ether100.10.pppoe11198 00:03:39  00:01:11  10.2.3.51
    239.195.0.1     Bundle-Ether100.10.pppoe11199 00:03:40  00:01:32  10.2.3.47
    RP/0/RSP0/CPU0:ASR9K-BNG#sh pim neighbor 
    Thu Apr 24 10:42:38.598 YEKT
    PIM neighbors in VRF default
    Flag: B - Bidir capable, P - Proxy capable, DR - Designated Router,
          E - ECMP Redirect capable
          * indicates the neighbor created for this router
    Neighbor Address             Interface              Uptime    Expires  DR pri   Flags
    10.45.45.1                   Bundle-Ether100.445    00:08:37  00:02:46 1     
    10.45.45.2*                  Bundle-Ether100.445    00:08:41  00:01:43 1 (DR) B P
    10.254.254.254*              Bundle-Ether100.10.pppoe11177 00:06:39  00:01:41 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11174 00:07:03  00:01:18 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11178 00:06:30  00:01:17 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11179 00:06:27  00:01:22 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11182 00:06:08  00:01:35 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11183 00:06:09  00:01:37 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11176 00:06:56  00:01:28 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11187 00:05:54  00:01:32 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11184 00:06:05  00:01:22 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11189 00:05:34  00:01:19 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11188 00:05:38  00:01:31 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11194 00:05:20  00:01:34 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11190 00:05:34  00:01:40 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11196 00:04:54  00:01:25 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11198 00:04:25  00:01:19 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11193 00:05:24  00:01:21 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11202 00:04:00  00:01:26 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11199 00:04:14  00:01:31 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11201 00:04:05  00:01:37 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11200 00:04:08  00:01:18 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11207 00:03:24  00:01:34 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11203 00:03:59  00:01:41 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11206 00:03:50  00:01:42 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11218 00:00:32  00:01:24 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11216 00:00:59  00:01:36 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11217 00:00:50  00:01:17 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11167 00:07:30  00:01:24 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11168 00:07:29  00:01:40 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11169 00:07:29  00:01:16 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11170 00:07:26  00:01:40 1 (DR) B P E
    10.254.254.254*              Bundle-Ether100.10.pppoe11171 00:07:24  00:01:16 1 (DR) B P E
    RP/0/RSP0/CPU0:ASR9K-BNG#sh pppoe sum per-access-interface 
    Thu Apr 24 10:43:10.141 YEKT
    0/RSP0/CPU0
        COMPLETE: Complete PPPoE Sessions
        INCOMPLETE: PPPoE sessions being brought up or torn down
    Interface                        BBA-Group  READY   TOTAL  COMPLETE  INCOMPLETE
    BE100.10                          intersat      Y      31        31           0
    TOTAL                                           1      31        31           0
    What can this be connected with?

    Hello Vladimir
    I also have the same problem with my asr 9001 in release 5.1.1
    My configuration is the same as yours.
    To understand the problem for troubleshooting (if someone has an idea for us), I've done some additional investigations and here are the results:
    Session pppoe up (show subs ses xxx):
    PPPoE:PTA    BE10.164.pppoe1459       AC        192.168.192.6 (default)             
    PPPoE:PTA    BE10.164.pppoe1469       AC        192.168.192.4 (default)            
    These 2 sessions are playing mcast stream 239.58.203.0:
    show igmp group
    239.58.203.0    Bundle-Ether10.164.pppoe1459  07:22:38  00:01:18  192.168.192.6
    239.58.203.0    Bundle-Ether10.164.pppoe1469  00:00:23  00:01:54  192.168.192.4
    Show mrib route
    (10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
      Up: 09:20:59
      Incoming Interface List
        GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:20:59
      Outgoing Interface List
        Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:25:40
        Bundle-Ether10.164.pppoe1469 (0/0/CPU0) Flags: F NS, Up: 00:02:04
    If pppoe1469 zaps to another channel (239.52.15.24), source 239.58.203.0 disappears on "Outgoing Interface List" (normal state), but the next stream chosen (239.52.15.24) doesn't work, and we have the following output:
    (10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
      Up: 09:20:59
      Incoming Interface List
        GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:20:59
      Outgoing Interface List
        Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:25:40
    (10.23.1.5,239.52.15.24) RPF nbr: 10.23.1.154 Flags:
      Up: 00:07:04
      Incoming Interface List
        GigabitEthernet0/0/1/2.224 Flags: A, Up: 00:07:04
      Outgoing Interface List
        Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:00:29
    If pppoe1469 zaps again to the previous stream (239.58.203.0), I have the following output:
    (10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
      Up: 09:23:01
      Incoming Interface List
        GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:23:01
      Outgoing Interface List
        Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:27:42
        Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:04:05
    At this state:
    * pppoe1459 is still streaming 239.58.203.0 (as I didn't touch it until...)
    * and pppoe1469 does not stream 239.58.203.0
    If I compare both sessions on the outgoing list, I can see a difference (0/0/CPU0, which is the ASR9001 Line Card, on pppoe1459 only).
    So my understanding is that once the stream is "removed" from a LC for a specific access, the system cannot play it anymore for this access. The only way is to disconnect/reconnect the pppoe session again.
    I've found an excellent Cisco Live presentation from Xander Thuijs about multicast on asr9k, but I didn't find an issue.
    So any idea is welcome...
    Jean-paul
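A check for the symptom Jean-paul describes, as an added example that is not part of the original posts: it parses `show mrib route` text and lists outgoing interfaces that carry no line-card location such as `(0/0/CPU0)`. The sample input is the output quoted in the post; treating a missing location as the failure marker is the poster's observation, not documented IOS XR behaviour, and the function names are hypothetical.

```python
import re

# Two route entries as quoted in the post above (state after pppoe1469
# switched channels and back).
MRIB_OUTPUT = """\
(10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
  Up: 09:23:01
  Incoming Interface List
    GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:23:01
  Outgoing Interface List
    Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:27:42
    Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:04:05
(10.23.1.5,239.52.15.24) RPF nbr: 10.23.1.154 Flags:
  Up: 00:07:04
  Incoming Interface List
    GigabitEthernet0/0/1/2.224 Flags: A, Up: 00:07:04
  Outgoing Interface List
    Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:00:29
"""

# "(source,group)" at column 0 starts a route entry.
ROUTE_RE = re.compile(r"^\((?P<src>[^,]+),(?P<grp>[^)]+)\)")
# Interface line: name, optional "(location)", then "Flags:".
IF_RE = re.compile(r"^\s+(?P<ifname>\S+)(?:\s+\((?P<loc>[^)]+)\))?\s+Flags:")


def parse_mrib(text):
    """Return one dict per (S,G) with its incoming and outgoing interfaces."""
    routes, current, section = [], None, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = {"source": m["src"], "group": m["grp"],
                       "incoming": [], "outgoing": []}
            routes.append(current)
            section = None
            continue
        if current is None:
            continue
        heading = line.strip()
        if heading == "Incoming Interface List":
            section = "incoming"
        elif heading == "Outgoing Interface List":
            section = "outgoing"
        elif section:
            m = IF_RE.match(line)
            if m:
                current[section].append((m["ifname"], m["loc"]))
    return routes


def oifs_without_location(routes):
    """List (source, group, interface) for outgoing entries with no location."""
    return [(r["source"], r["group"], ifname)
            for r in routes
            for ifname, loc in r["outgoing"]
            if loc is None]


if __name__ == "__main__":
    for src, grp, ifname in oifs_without_location(parse_mrib(MRIB_OUTPUT)):
        print(f"({src},{grp}) {ifname}: no line-card location in outgoing list")
```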

  • Dot1x Problem

    Hi,
    We are seeing our wired devices on our Packetfence controlled network being prompted for credentials each time they are plugged in/turned on/rebooted, and often the credentials are being rejected.
    Radius debug logs show that Access-Accept is being sent to the device, but the device is not ever getting onto the network.
    Enabling debug on my Cisco 2960 test switch I can see the error below:
    %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address
    The reason I don’t think that this is a packetfence/radius issue is that we’re not having any issues with wireless clients.
    I hope someone can help.
    Jamie.

    Thanks for the reply.
    I looked at the MAC address table but it isn't full. I think that error may be a "red herring" because I have debug running on another switch and a user just had the same problem but the "%DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address" didn't appear???
    cadet alain wrote:
    Hi,
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/system/message/msg_desc.html#wp532108
    Regards
    Alain
    Don't forget to rate helpful posts.

  • %MGBL-exec-3-ACCT_ERR

    Hi, does anybody know about "%MGBL-exec-3-ACCT_ERR"? My client came across this error a few days ago. The error was followed by "main: command accounting failed - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request' ". Going through the logs I found out that a few users tried to SSH to the ASR device but authentication failed.
    "%SECURITY-SSHD-4-INFO_FAILURE "
    "Failed authentication attempt by user 'lablablab' from '1.18.3.41' on 'vty0' "
    I just want to know about this error and the reasons that resulted in these logs being generated.
    Cheers 
    Bruce 

    It is a fresh installation and the device is not connected to any network yet.
    I am facing the problem below on one ASR 9010 router while configuring. I am unable to configure anything; after entering any command this error shows up
    RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
    RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
    RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:hostname(config-if)#commit
    Thu Jan 15 12:48:50.521 IST
    RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    it is not allowing even to commit any change
    and I am unable to find any online solutions for this.
    please help
    following packages are active right now
    disk0:asr9k-doc-px-4.3.4
        disk0:asr9k-fpd-px-4.3.4
        disk0:asr9k-k9sec-px-4.3.4
        disk0:asr9k-mcast-px-4.3.4
        disk0:asr9k-mgbl-px-4.3.4
        disk0:asr9k-bng-px-4.3.4
        disk0:asr9k-mini-px-4.3.4
        disk0:asr9k-mpls-px-4.3.4
    PS: please tell what more output are needed so that this problem can be solved.

  • CSCtg09895 - %MGBL-exec-3-ACCT_ERR main: command accounting failed

    Dear fellows,
    I am facing below problem in one of ASR 9010 router while configuring .  I am unable to config anything after entering any command this error shows up 
    RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
    RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
    RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:hostname(config-if)#commit
    Thu Jan 15 12:48:50.521 IST
    RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    it is not allowing even to commit any change
    and unable to find any online solutions for this.
    please help
    following packages are active right now
     disk0:asr9k-doc-px-4.3.4
        disk0:asr9k-fpd-px-4.3.4
        disk0:asr9k-k9sec-px-4.3.4
        disk0:asr9k-mcast-px-4.3.4
        disk0:asr9k-mgbl-px-4.3.4
        disk0:asr9k-bng-px-4.3.4
        disk0:asr9k-mini-px-4.3.4
        disk0:asr9k-mpls-px-4.3.4


  • Border radius & flash video player issue

    Border radius & flash issue - PFA screenshot
    http://72.29.76.194/~designs/firefox-flash-border-radius/border-radius-flash-firefox.png
    When I overlay a div with a border radius over a flash object, the corners are being cut as much as the size of border box.
    Firefox 23.0.1

    [https://support.mozilla.org/en-US/questions/971344 Screenshot of the issue]
