ISG IP subnet subscriber

Good day.
Subject feature seems to be a useful one, but with a couple of nasty restrictions. Correct me if I'm wrong, but we can't:
- give a subscriber an arbitrary number of IP addresses, only powers of 2, like 4, 8, 16, 32, etc.;
- place two different address spaces in one session, like 4 + 16 addresses from different parts of the address space. We'll have to give him a new block of 32 IPs, or create 2 different sessions with separate configuration (like policer or QoS).
This seems to be a lot of inconvenience to me.
Isn't there another way to place different IPs in one session? For example, giving a list of these IPs in a RADIUS attribute upon user authentication (I assume we have a routed or L2-connected subscriber, with well-known MACs/IPs)?

Hi Vladimir,
for IP subnet sessions, ISG will actually be configured in the same way as for IP sessions, meaning that it will create an IP session when a packet with an unknown source address is received.
When the subscriber is authorized, it may have a Framed-IP-Netmask attribute in the Radius profile.
If the attribute is present, ISG will convert the session to IP subnet session.
So the limitation is actually given by the Framed-IP-Netmask you configure in Radius.
The alternative would be to assign the whole interface (or subinterface) to a single session, matching whatever IP the users may have there.
Regards
Marco
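
The trade-off discussed in this thread, worked through as an added example (not part of the original posts): given the addresses a subscriber really owns, it computes the exact CIDR blocks, the single subnet one address-plus-netmask pair would have to use, and how many addresses the subscriber was never assigned end up inside that session. The addresses are constructed, and `covering_subnet` and `session_plan` are illustrative names.

```python
import ipaddress


def covering_subnet(addresses):
    """Smallest single subnet (one address + one netmask) containing every address."""
    ips = sorted(ipaddress.ip_address(a) for a in addresses)
    lo, hi = ips[0], ips[-1]
    # Every bit that differs between the lowest and highest address
    # has to be a host bit of the covering subnet.
    host_bits = (int(lo) ^ int(hi)).bit_length()
    return ipaddress.ip_network(f"{lo}/{lo.max_prefixlen - host_bits}", strict=False)


def session_plan(addresses):
    """Compare the exact blocks a subscriber owns with a single-subnet session."""
    owned = {ipaddress.ip_address(a) for a in addresses}
    cover = covering_subnet(owned)
    exact = ipaddress.collapse_addresses(
        ipaddress.ip_network(ip) for ip in sorted(owned)
    )
    return {
        "exact_blocks": [str(n) for n in exact],
        "covering_subnet": str(cover),
        "framed_ip_netmask": str(cover.netmask),
        # Addresses inside the session that were never given to this subscriber.
        "unowned_addresses_in_session": cover.num_addresses - len(owned),
    }


def expand(cidr):
    """All addresses of a block, as strings (constructed sample input helper)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr)]


# Constructed case 1: "4 + 16 addresses from different parts of address space".
SPLIT_SUBSCRIBER = expand("10.0.0.8/30") + expand("10.0.1.16/28")
# Constructed case 2: five contiguous addresses, which is not a power of two.
FIVE_ADDRESSES = [f"10.0.0.{n}" for n in range(8, 13)]

if __name__ == "__main__":
    for label, addrs in (("4 + 16", SPLIT_SUBSCRIBER), ("5 contiguous", FIVE_ADDRESSES)):
        print(label, session_plan(addrs))
```

A large `unowned_addresses_in_session` value means the session, with its policer and authorization state, would also match traffic sourced from addresses that belong to someone else.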

Similar Messages

  • ASR 1006 Aux port

    I can't use the Aux port on an ASR 1006, because I can't find it in the configuration.
    Version: asr1000rp2-advipservicesk9.03.07.05.S.152-4.S5.bin"
    router#sho line ?
      <0-16>       First Line range
      async-queue  Show async-queue
      console      Primary terminal line
      summary      Quick line status summary
      vty          Virtual terminal
      |            Output modifiers
     <cr>
    router#sho line 
       Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
         0 CTY              -    -      -    -    -      0       0     0/0       -
    *    1 VTY              -    -      -    -    1      4       0     0/0       -
    *    2 VTY              -    -      -    -    1     16       0     0/0       -
    *    3 VTY              -    -      -    -    1      2       0     0/0       -
         4 VTY              -    -      -    -    1      3       0     0/0       -
    Can you help me with my problem?

    Hi,
    I see you are using initiator unclassified ip-address. How exactly are you trying to trigger the session here? What type of traffic are you sending from your CPE? Please make sure you send a packet which 'crosses' the ISG box. A packet with destination the ISG will not trigger a session. Only a packet that needs to be forwarded by the ISG will. If you are not seeing anything with those debugs, it seems like no FSOL is seen to spawn the session.
    Also, if your subscriber is connected via an L2 network, why do you configure "ip subscriber routed"? This is conceptually wrong, since you are telling ISG that the subscriber is connecting via an L3 routed network, which is not correct according to what you say.
    Regards

  • How to allow a subnet for a number of hosts to surf internet and ping from inside and outside in ASA in GNS3?

    After trying to set up an access list, it returns a drop in packet tracer and I cannot ping the outside router either.
    Is there a configuration example that shows how to allow a class C subnet to surf the internet through a Cisco ASA?
    assume all works in GNS3, expect initial network setup too
                                                inside                                                                 outside
    router A 192.168.1.2 <--->switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
    ASA version: 8.42 
    when i try the following command,
    ASA
    conf t
    interface GigabitEthernet 0
    description INSIDE
    nameif inside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    no shut
    end
    conf t
    interface GigabitEthernet 1
    description OUTSIDE
    no shutdown
    nameif outside
    security-level 100
    ip address 192.168.1.4 255.255.255.0
    no shut
    end
    conf t
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    end
    conf t
    access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
    access-group USERSLIST in interface inside
    end
    Router A
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.2 255.255.255.0
    no shut
    end
    Router B
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.3 255.255.255.0
    no shut
    end
    ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop

    The current config cannot ping; one packet tracer allows everything, another packet tracer drops.
    I cannot ping between Router A and Router B.
    ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   outside
    Phase: 2
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
    Phase: 4
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 14, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ASA-1# 
    ASA-1# sh run |
    : Saved
    ASA Version 8.4(2) 
    hostname ASA-1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     description INSIDE
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    interface GigabitEthernet1
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 192.168.3.4 255.255.255.0 
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    object network DYNAMIC-PAT
     subnet 192.168.1.0 255.255.255.0
    access-list 101 extended permit icmp any any echo-reply 
    access-list 101 extended permit icmp any any source-quench 
    access-list 101 extended permit icmp any any unreachable 
    access-list 101 extended permit icmp any any time-exceeded 
    access-list ACL-OUTSIDE extended permit icmp any any 
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    access-group ACL-OUTSIDE in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
    : end
    ASA-1# 

  • Unable to access secondary subnet from VPN client

    Please can someone help with the following: I have an ASA 5510 running v8.4(3)9 and have set up a remote user VPN using the Cisco VPN client v5.0.07.0410, which is working apart from the fact that I cannot access resources on a secondary subnet.
    The setup is as follows:
    ASA inside interface on 192.168.10.240
    VPN clients on 192.168.254.x
    I can access resources on the 192.168.10 subnet but not any other subnets internally. I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this. Please advise; the config is below:
    Result of the command: "show startup-config"
    ASA Version 8.4(3)9
    hostname blank
    domain-name
    enable password encrypted
    passwd encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 255.255.255.224
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.10.240 255.255.255.0
    interface Ethernet0/2
    nameif DMZ
    security-level 50
    ip address 10.10.10.253 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-9-k8.bin
    boot system disk0:/asa823-k8.bin
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 194.168.4.123
    name-server 194.168.8.123
    domain-name nifcoeu.com
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.10.0
    subnet 192.168.10.0 255.255.255.0
    object network obj-192.168.100.0
    subnet 192.168.100.0 255.255.255.0
    object network obj-192.168.254.0
    subnet 192.168.254.0 255.255.255.0
    object network obj-192.168.20.1
    host 192.168.20.1
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-01
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network obj_any-02
    subnet 0.0.0.0 0.0.0.0
    object network obj-10.10.10.1
    host 10.10.10.1
    object network obj_any-03
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-04
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-05
    subnet 0.0.0.0 0.0.0.0
    object network NS1000_EXT
    host 80.4.146.133
    object network NS1000_INT
    host 192.168.20.1
    object network SIP_REGISTRAR
    host 83.245.6.81
    object service SIP_INIT_TCP
    service tcp destination eq sip
    object service SIP_INIT_UDP
    service udp destination eq sip
    object network NS1000_DSP
    host 192.168.20.2
    object network SIP_VOICE_CHANNEL
    host 83.245.6.82
    object service DSP_UDP
    service udp destination range 6000 40000
    object service DSP_TCP
    service tcp destination range 6000 40000
    object network 20_range_subnet
    subnet 192.168.20.0 255.255.255.0
    description Voice subnet
    object network 25_range_Subnet
    subnet 192.168.25.0 255.255.255.0
    description VLAN 25 client PC devices
    object-group network ISP_NAT
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service SIP_INIT tcp-udp
    port-object eq sip
    object-group service DSP_TCP_UDP tcp-udp
    port-object range 6000 40000
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
    access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
    access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
    access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
    access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
    access-list 100 extended permit icmp any any echo-reply inactive
    access-list 100 extended permit icmp any any time-exceeded inactive
    access-list 100 extended permit icmp any any unreachable inactive
    access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
    access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
    nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
    nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
    object network obj_any
    nat (inside,outside) dynamic interface
    object network obj_any-01
    nat (inside,outside) dynamic obj-0.0.0.0
    object network obj_any-02
    nat (inside,DMZ) dynamic obj-0.0.0.0
    object network obj-10.10.10.1
    nat (DMZ,outside) static 80.4.146.134
    object network obj_any-03
    nat (DMZ,outside) dynamic obj-0.0.0.0
    object network obj_any-04
    nat (management,outside) dynamic obj-0.0.0.0
    object network obj_any-05
    nat (management,DMZ) dynamic obj-0.0.0.0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
    route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
    route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.25.0 255.255.255.0 inside
    http 62.255.171.0 255.255.255.224 outside
    http 192.168.254.0 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=
    crl configure
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 2f0e024d
      quit
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 62.255.171.0 255.255.255.224 outside
    ssh 192.168.254.0 255.255.255.0 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.25.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    vpn-sessiondb max-other-vpn-limit 250
    vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.10.6 source inside prefer
    webvpn
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
    wins-server value 192.168.10.21 192.168.10.22
    dns-server value 192.168.10.21 192.168.10.22
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote-VPN_splitTunnelAcl
    default-domain value
    username blank password blank encrypted privilege 0
    username blank attributes
    vpn-group-policy Remote-VPN
    username blank password encrypted privilege 0
    username blank attributes
      vpn-group-policy Remote-VPN
    tunnel-group Remote-VPN type remote-access
    tunnel-group Remote-VPN general-attributes
    address-pool VPN-Pool
    default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236

    Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
    So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
    So all you have to do is create a no-nat for your second subnet, like I showed you before. The solution was already there in your config, but I guess you overlooked it.
    I hope that helps.
    Thanks
    Rizwan Rafeek
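
The check behind this answer, written as an added example (not code from the thread): it reads an ASA 8.4-style config, takes every network in the split-tunnel ACL, and reports those with no identity NAT rule towards the VPN pool. The sample config is a constructed excerpt of lines from the posted startup-config, `CANDIDATE_FIX` is a constructed rule modelled on the existing 192.168.10.0 one, and the function names and the single-pool assumption are illustrative.

```python
import ipaddress
import re

# Constructed excerpt: lines taken from the startup-config posted above.
SAMPLE_CONFIG = """\
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.254.0
subnet 192.168.254.0 255.255.255.0
object network 20_range_subnet
subnet 192.168.20.0 255.255.255.0
description Voice subnet
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
"""

# Constructed rule with the same form as the existing exemption, for the second subnet.
CANDIDATE_FIX = (
    "nat (inside,any) source static 20_range_subnet 20_range_subnet "
    "destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup\n"
)

NAT_RE = re.compile(
    r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)")


def parse_objects(lines):
    """Map each 'object network' name to the subnet or host it defines."""
    objects, current = {}, None
    for line in lines:
        words = line.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = words[2]
        elif current and words[:1] == ["subnet"] and len(words) == 3:
            objects[current] = ipaddress.ip_network(
                f"{words[1]}/{words[2]}", strict=False)
        elif current and words[:1] == ["host"] and len(words) == 2:
            objects[current] = ipaddress.ip_network(words[1])
        elif words[:1] not in (["description"], ["nat"]):
            current = None  # any other command ends the object block
    return objects


def missing_nat_exemptions(config, split_acl):
    """Split-tunnel networks that have no identity NAT towards the VPN pool."""
    lines = [raw.strip() for raw in config.splitlines()]
    objects = parse_objects(lines)
    pool, protected, exempt = None, [], []
    for line in lines:
        words = line.split()
        if words[:4] == ["access-list", split_acl, "standard", "permit"] and len(words) == 6:
            if words[4] == "host":
                protected.append(ipaddress.ip_network(words[5]))
            else:
                protected.append(ipaddress.ip_network(f"{words[4]}/{words[5]}"))
        match = POOL_RE.match(line)
        if match:  # assumption: one client address pool
            pool = ipaddress.ip_network(
                f"{match.group(1)}/{match.group(2)}", strict=False)
        match = NAT_RE.match(line)
        if match:
            src, src_mapped, dst, dst_mapped = match.groups()
            # Identity (no-nat) rule: real and mapped objects are the same on both sides.
            if src == src_mapped and dst == dst_mapped and src in objects and dst in objects:
                exempt.append((objects[src], objects[dst]))
    if pool is None:
        raise ValueError("no 'ip local pool' line found")
    return [net for net in protected
            if not any(net.subnet_of(s) and pool.subnet_of(d) for s, d in exempt)]


if __name__ == "__main__":
    acl = "Remote-VPN_splitTunnelAcl"
    print("before:", missing_nat_exemptions(SAMPLE_CONFIG, acl))
    print("after: ", missing_nat_exemptions(SAMPLE_CONFIG + CANDIDATE_FIX, acl))
```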

  • Has anyone used (or is knowledgeable on) ISG feature? (Intelligent Services Gateway)

    Hi,
    I am trying to obtain more information about the ISG feature on 7200 and 7600 platforms and finding it very difficult to obtain answers from distributors or even Cisco representatives.
    The main questions are:
    - How many subscribers include the 7200 license?, provided that my subscribers would be of IP-type (not tunnelled).
    FR-ISG72
    ISG Feature License for 7200
    FR-ISG72=
    ISG Feature License for 7200
    - What other licenses are needed in a 7200 platform?
    I believe, maybe:
    FR-BUS72
    Cisco IOS 7200/7300/7400 Series Broadband 8000 User License
    FR-BUS72=
    Cisco IOS 7200 Series Broadband User Services License
    - On Cisco 7600, ISG is licensed in steps of 8000 subscribers. If I have a redundant system (two routing engines), do I need to buy the license twice?
    76-ES+ISG-LIC
    ES+ Intelligent Services Gateway SW License, 8K subs, 8 VRF
    76-ES+ISG-LIC=
    ES+ Internet Services Gateway (ISG) Software License
    Thanks

    Thanks indeed for your response.
    In fact I could not obtain any support at all from Cisco (Spain) even if I explained we were a small software company that required ISG to complement an existing solution for a BIG mobile operator. The question was supposed to be escalated to the US more than 1 month ago.
    Myself, I was actually able to better understand the configuration and licenses required for the feature, with a final question about the capacity (maximum number of sessions). My conclusions and questions are at the end of this email, in case you or anyone else is interested.
    Anyway, our main requirement is not traffic shaping, but providing a captive portal (redirect unauthorized traffic to some node, and be able to let the box know when an IP is "authorized"/"unauthorized"). Cisco used to have a smaller feature to do this called SSG (service selection gateway) which is end-of-lifed, I believe.
    If you know a box that does this, please advise! And it would be nice if you could recommend an "inline packet swatter".
    For demo, I have done it myself with linux and iptables, but the time to make it business-class may be more costly than buying some product.
    The issues I have had trying to find out information from Juniper ("subscriber management" feature) are similar!!
    Final Question about ISG capacity
    We wish to use the Intelligent Services Gateway (ISG) functionality, which seems supported only on Cisco 10000, 7600, 7300 and 7200 routers.
    Our traffic requirements are not too high (500Mbps), but due to the following number of sessions limitation in 7200/7300, the right platform for us seems the 7600:
    "The Cisco 7200 Series and Cisco 7301 scale from 4000 to 8000 sessions"
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6549/ps6588/prod_bulletin0900aecd804a2c70.html
    We would actually need 50000-100000 concurrent sessions.
    On Cisco 7600, the feature seems supported by default on Cisco IOS 12.2SR without the need for an extra license, even with the plain "IP Services" flavour of IOS.
    However, we have the following fundamental questions that we could not completely resolve with the documentation or software configurator tool.
    Maximum number of concurrent sessions supported
    Our sessions would be of the "IP session" kind, meaning:
    "An IP session includes all the traffic that is associated with a single subscriber IP address".
    On the documentation, this is the applicable information that we find regarding the number of sessions:
    http://www9.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_acess_sub_sessns_ps6922_TSD_Products_Configuration_Guide_Chapter.html
    Beginning in Cisco IOS Release 12.2(33)SRE, the Cisco 7600 router supports IP subscriber sessions only on the SIP400 and ES+ line cards
    The Cisco 7600 router enforces limits on the number of IP subscriber sessions per line card and router chassis. If the number of active sessions exceeds the following limits, an error message displays:
    - Cisco 7600 chassis—32,000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRE1 and later releases)
    - ES+ line card—4000 subscriber sessions per port group; 16,000 sessions per line card (supported in Cisco IOS Release 12.2(33)SRE and later releases)
    - SIP400 line card—8000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRD4 and later releases)
    Let us suppose that we use the SIP400 line card, since ES+ is far from our networking requirements.
    Please confirm/answer the following:
    No special license is required to use ISG with SIP400.
    Is the 8000 session limitation per SIP400 module or per SPA attached to it?
    I read in the documentation, that the SAMI card enhances the maximum number of ISG sessions:
    http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_sup_sami_blade.html
    The ISG Support for SAMI Blade feature combines the subscriber management features and functions of the Cisco Intelligent Services Gateway (ISG) with the processing power of the Cisco Service Application Module for IP (SAMI). The Cisco SAMI blade has six PowerPC (PPC) processors and occupies just one slot in the Cisco 7600 series router. This means that you can support many ISG features for up to 600,000 subscribers on a single router. 
    We then assume that the SAMI blade overcomes the limitations noted above: 32,000 session/chassis and 8,000 sessions/SIP400. Correct?
    No extra license is required to use ISG with SAMI.
    Based on these assumptions, an example configuration for a single node could be:
    Product Description Quantity
    CISCO7604                     Cisco 7604 Chassis                                          1        
    FAN-MOD-4HS                   High-Speed Fan Module for 7604/6504-E                       1        
    7604-RSP720C-P                Cisco 7604 Chassis,4-slot,RSP720-3C,PS                      1        
    2700W-AC                      Dummy PID 2700 W AC Power Supply for 7604                   1        
    CAB-C19-CBN                   Cabinet Jumper Power Cord, 250 VAC 16A, C20-C19 Connectors  1        
    S764ISK9-12233SRE             Cisco 7600-RSP720 IOS IP SERVICES SSH                       1        
    7600-SIP-400                  Cisco 7600 Series SPA Interface Processor-400               1        
    SPA-2X1GE                     Cisco 2-port Gigabit Ethernet Shared Port Adapter           2        
    WS-SVC-SAMI-BB-K9             Service Application Module for IP ( 6 x PPC w/ 1GB) (Cryto) 1     

  • Example of ISG PBHK configuration

    Could anyone share an example of ISG's PBHK configuration, pretty please?
    I'm facing an issue when applying PBHK within the subscriber policy. Here is what I do:
    policy-map type service PBHK
     ip portbundle
    policy-map type control ISG
     class type control always event session-start
      1 service-policy type service name PBHK
      10 service-policy type service name S_L4R
     class type control always event session-restart
      1 service-policy type service name PBHK
      10 service-policy type service name S_L4R
     class type control always event account-logon
      10 authenticate aaa list RAD_SRV
    access-list 100 permit ip any host 192.168.8.227
    ip portbundle
     length 5
     match access-list 100
     source GigabitEthernet2
    interface GigabitEthernet1
     description endhosts
     ip address 192.168.0.254 255.255.255.0
     ip helper-address vrf SRV 192.168.8.228
     service-policy type control ISG
     ip subscriber l2-connected
      initiator unclassified mac-address
    interface GigabitEthernet2
     description server-dhcp-int_gw
     vrf forwarding SRV
     ip address dhcp
     ip portbundle outside
    When I enable the network interface on the end host I see a whole bunch of debug messages saying:
    Portbundle Hostkey: Apply inbound direction from Service Profile configuration
    Portbundle Hostkey[uid:33]: No free port-bundles - feature failed
    Portbundle Hostkey[uid:33]: Key update: remove port-bundle 0.0.0.0:0
    Portbundle Hostkey[uid:33]: Sent a PBHK session key remove
    How can it be out of ports, if none of them are used?
    ISG#show ip portb sta
    Bundle-length = 5
    Bundle-groups: -
    IP Address               Free Bundles       In-use Bundles
    192.168.8.230            2016               0

    Hi Arseniy,
    I think the issue here may be that the PBHK source interface is in a VRF (SRV) different than the VRF of the interface where subscriber arrives (global).
    I would suggest changing the PBHK source to use an interface not in a VRF. Perhaps use a loopback interface for that. You should still be able to configure 'ip portbundle outside' on the desired interface in VRF SRV.
    Hope this helps.
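
The check suggested in the reply above can be run mechanically. The sketch below is an added example, not code from the thread or from Cisco: it parses an IOS-style configuration, compares the VRF of the PBHK source interface with the VRF of each `ip subscriber` interface, and reproduces the 2016-bundle figure from the `show` output. `Loopback0`, its 192.0.2.1 address, and the assumption that ports 0-1023 are excluded from bundling are illustrative and not taken from the post.

```python
import re

GLOBAL = "global"  # label used here for interfaces with no VRF configured

# Constructed sample: the configuration posted in the question, trimmed to the
# lines this check reads.
SAMPLE_CONFIG = """\
policy-map type service PBHK
 ip portbundle
ip portbundle
 length 5
 match access-list 100
 source GigabitEthernet2
interface GigabitEthernet1
 description endhosts
 ip address 192.168.0.254 255.255.255.0
 service-policy type control ISG
 ip subscriber l2-connected
  initiator unclassified mac-address
interface GigabitEthernet2
 description server-dhcp-int_gw
 vrf forwarding SRV
 ip address dhcp
 ip portbundle outside
"""

# Hypothetical variant following the reply: PBHK sourced from a loopback that
# sits in the global table (interface name and address are assumptions).
FIXED_CONFIG = SAMPLE_CONFIG.replace("source GigabitEthernet2", "source Loopback0") + (
    "interface Loopback0\n ip address 192.0.2.1 255.255.255.255\n")


def parse_sections(config):
    """Split an IOS-style config into (header, [child lines]) by indentation."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections


def interface_vrfs(sections):
    """Map each interface name to its VRF (GLOBAL when none is configured)."""
    vrfs = {}
    for header, body in sections:
        m = re.match(r"interface\s+(\S+)$", header)
        if not m:
            continue
        vrf = GLOBAL
        for child in body:
            v = re.match(r"(?:ip\s+)?vrf forwarding\s+(\S+)$", child)
            if v:
                vrf = v.group(1)
        vrfs[m.group(1)] = vrf
    return vrfs


def pbhk_settings(sections):
    """Return source interface and bundle length from the global 'ip portbundle' block."""
    for header, body in sections:
        if header != "ip portbundle":
            continue
        settings = {"source": None, "length": None}
        for child in body:
            src = re.match(r"source\s+(\S+)$", child)
            length = re.match(r"length\s+(\d+)$", child)
            if src:
                settings["source"] = src.group(1)
            if length:
                settings["length"] = int(length.group(1))
        return settings
    return None


def bundles_per_source_ip(length, reserved_ports=1024):
    """Bundles available on one source IP. Assumption: ports below 1024 are
    not bundled; with length 5 this matches the 2016 shown in the post."""
    return (65536 - reserved_ports) // (2 ** length)


def check_pbhk_vrf(config):
    """List (subscriber_if, its_vrf, pbhk_source_if, source_vrf) mismatches."""
    sections = parse_sections(config)
    vrfs = interface_vrfs(sections)
    pbhk = pbhk_settings(sections)
    if not pbhk or pbhk["source"] not in vrfs:
        raise ValueError("no usable 'ip portbundle' source interface in config")
    source = pbhk["source"]
    findings = []
    for header, body in sections:
        m = re.match(r"interface\s+(\S+)$", header)
        if m and any(c.startswith("ip subscriber") for c in body):
            name = m.group(1)
            if vrfs[name] != vrfs[source]:
                findings.append((name, vrfs[name], source, vrfs[source]))
    return findings


if __name__ == "__main__":
    print("posted config:", check_pbhk_vrf(SAMPLE_CONFIG))
    print("loopback variant:", check_pbhk_vrf(FIXED_CONFIG))
    print("bundles per source IP at length 5:", bundles_per_source_ip(5))
```

An empty list means the subscriber interfaces and the PBHK source share a routing table; whether that clears the "No free port-bundles" message on a given release still has to be confirmed on the device.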

  • Subnets and DHCP Scopes One More Time

    If my subnets are all subnets off of the same network such as 192.168.43.0/19 and the subnets are 192.168.43.0, 192.168.43.32 and so on, can a single router handle all the subnets as relay agents? I'm assuming I don't need separate routers for each subnet or separate NICs for each subnet. Thanks for all your help.
    Michael T. Glenn

    Hi,
    If you have multiple subnets in your network, and do not have a DHCP server on every subnet, you can configure a DHCP relay agent or use a multihoming DHCP server. In general, the router acts as a DHCP relay agent in a routed network.
    For more detailed information, please refer to the link below:
    Enabling DHCP Support for Multiple Subnets
    Best regards,
    Susie

  • ISG PPPoE prepaid

    Hello. Just starting with ISG.
    My final goal is to force the ISG device to periodically check whether the user still has access to the service without interrupting the PPPoE session. If user access should be prohibited for some reason, he should be redirected to the billing web page.
    The first step is to make the periodic check part.
    Here is user profile:
    user1   Cleartext-Password := "user1"
            Cisco-Account-Info += "AANY",
            Cisco-Control-Info += "QV1000000",
            Cisco-Account-Info += "QU;10240000;D;10240000",
    ANY     Cleartext-Password := "cisco", Service-Type == Outbound-User
            Cisco-AVPair += "ip:traffic-class=in access-group name CM_T_ANY",
            Cisco-AVPair += "ip:traffic-class=in default drop",
            Cisco-AVPair += "ip:traffic-class=out access-group name CM_T_ANY",
            Cisco-AVPair += "ip:traffic-class=out default drop",
            Cisco-AVPair += "prepaid-config=PREPAID",
    Here is ASR 1002X , 03.10.03.S software:
    aaa authentication ppp FREERADIUS group freeradius
    aaa authorization network FREERADIUS group freeradius
    aaa authorization subscriber-service FREERADIUS local group freeradius
    aaa accounting network FREERADIUS start-stop group freeradius
    aaa group server radius freeradius
     server-private 10.0.6.10 auth-port 1812 acct-port 1813 key 7 142417081E013E
    subscriber feature prepaid PREPAID
     threshold time 0 seconds
     threshold volume 1 Kbytes
     interim-interval 1 minutes
     method-list author FREERADIUS
     method-list accounting FREERADIUS
     password cisco
    The user is authenticated and the service is downloaded, but no periodic checks reach RADIUS and no quota gets depleted.
    What am I doing wrong?
    asr-1002x-01#show subscriber session  username user1 detailed
    Type: PPPoE, UID: 200, State: authen, Identity: user1
    IPv4 Address: 192.168.128.127
    IPv6 Address: 2A01:8960:4::
    Session Up-time: 00:22:11, Last Changed: 00:22:11
    Interface: Virtual-Access2.1
    Switch-ID: 4677
    Policy information:
      Context 7FBB6473CB60: Handle A80009BE
      AAA_id 00001B1F: Flow_handle 0
      Authentication status: authen
      Downloaded User profile, excluding services:
        Framed-Protocol      0   1 [PPP]
        service-type         0   2 [Framed]
        ssg-account-info     0   "AANY"
        ssg-control-info     0   "QV1000000"
        ssg-account-info     0   "QU;10240000;D;10240000"
        prefix               0   00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
        Interface-Id         0   00 00 00 00 00 00 00 01
        route                0   "2a01:8960:5::/56"
        delegated-prefix     0   00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
      Downloaded User profile, including services:
        Framed-Protocol      0   1 [PPP]
        service-type         0   2 [Framed]
        ssg-account-info     0   "AANY"
        ssg-control-info     0   "QV1000000"
        ssg-account-info     0   "QU;10240000;D;10240000"
        prefix               0   00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
        Interface-Id         0   00 00 00 00 00 00 00 01
        route                0   "2a01:8960:5::/56"
        delegated-prefix     0   00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
      Config history for session (recent to oldest):
        Access-type: Web-service-logon Client: SM
         Policy event: Apply Config Success (Unapplied) (Service)
          Profile name: ANY, 3 references
            traffic-class        0   "in access-group name CM_T_ANY"
            traffic-class        0   "in default drop"
            traffic-class        0   "out access-group name CM_T_ANY"
            traffic-class        0   "out default drop"
        Access-type: Web-service-logon Client: SM
         Policy event: Process Config Connecting (Service)
          Profile name: ANY, 3 references
            traffic-class        0   "in access-group name CM_T_ANY"
            traffic-class        0   "in default drop"
            traffic-class        0   "out access-group name CM_T_ANY"
            traffic-class        0   "out default drop"
        Access-type: PPP Client: SM
         Policy event: Process Config Connecting
          Profile name: apply-config-only, 2 references
            Framed-Protocol      0   1 [PPP]
            service-type         0   2 [Framed]
            ssg-account-info     0   "AANY"
            ssg-control-info     0   "QV1000000"
            ssg-account-info     0   "QU;10240000;D;10240000"
            prefix               0   00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
            Interface-Id         0   00 00 00 00 00 00 00 01
            route                0   "2a01:8960:5::/56"
            delegated-prefix     0   00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
      Rules, actions and conditions executed:
        subscriber rule-map default-internal-rule
          condition always event service-start
            1 service-policy type service identifier service-name
        subscriber rule-map default-internal-rule
          condition always event service-stop
            1 service-policy type service unapply identifier service-name
    Classifiers:
    Class-id    Dir   Packets    Bytes                  Pri.  Definition
    0           In    229275     13175066               0    Match Any
    1           Out   714381     1038574772             0    Match Any
    Features:
    Static Routes:
    Class-id  Configuration Status           Source
    0          This feature is enabled       Peruser
    Policing:
    Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
    0          In   10240000    1920000       3840000      Peruser
    1          Out  10240000    1920000       3840000      Peruser
    DHCPv6 PD from AAA:
    Class-id  Configuration Status           Source
    0          This feature is enabled       Peruser
    Configuration Sources:
    Type  Active Time  AAA Service ID  Name
    USR   00:22:11     -               Peruser
    INT   00:22:11     -               Virtual-Template2

    I tried not specifying quota, but the NAS never asks RADIUS for it.
    For all my experiments I'm using a second bba group with a second virtual template and the FREERADIUS aaa list.
    Here are the debugs:
    Nov 26 08:55:57: SSS PM: ANCP not enabled on 'TenGigabitEthernet0/1/0.299' - not retrieving default shaper value
    Nov 26 08:55:59: RADIUS/ENCODE(00001B97):Orig. component type = PPPoE
    Nov 26 08:55:59: RADIUS: DSL line rate attributes successfully added
    Nov 26 08:55:59: RADIUS(00001B97): Config NAS IP: 10.0.6.21
    Nov 26 08:55:59: RADIUS(00001B97): Config NAS IPv6: ::
    Nov 26 08:55:59: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
    Nov 26 08:55:59: RADIUS/ENCODE(00001B97): acct_session_id: 7072
    Nov 26 08:55:59: RADIUS(00001B97): sending
    Nov 26 08:55:59: RADIUS(00001B97): Send Access-Request to 10.0.6.10:1812 id 1645/156, len 138
    Nov 26 08:55:59: RADIUS:  authenticator DD A0 1E 36 65 E4 E6 38 - B0 10 9F 51 6A 11 24 09
    Nov 26 08:55:59: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Nov 26 08:55:59: RADIUS:  User-Name           [1]   7   "user1"
    Nov 26 08:55:59: RADIUS:  CHAP-Password       [3]   19  *
    Nov 26 08:55:59: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Nov 26 08:55:59: RADIUS:  NAS-Port            [5]   6   0
    Nov 26 08:55:59: RADIUS:  NAS-Port-Id         [87]  11  "0/1/0/299"
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  41
    Nov 26 08:55:59: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=000c.2964.a91e"
    Nov 26 08:55:59: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Nov 26 08:55:59: RADIUS:  NAS-IP-Address      [4]   6   10.0.6.21
    Nov 26 08:55:59: RADIUS:  Acct-Session-Id     [44]  10  "00001BA0"
    Nov 26 08:55:59: RADIUS(00001B97): Sending a IPv4 Radius Packet
    Nov 26 08:55:59: RADIUS(00001B97): Started 5 sec timeout
    Nov 26 08:55:59: RADIUS: Received from id 1645/156 10.0.6.10:1812, Access-Accept, len 44
    Nov 26 08:55:59: RADIUS:  authenticator 3C 62 99 46 6E BA 39 24 - AB CF A6 D4 12 83 2D B8
    Nov 26 08:55:59: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Nov 26 08:55:59: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  12
    Nov 26 08:55:59: RADIUS:   ssg-account-info   [250] 6   "AANY"
    Nov 26 08:55:59: RADIUS(00001B97): Received from id 1645/156
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Authen status update; is now "authen"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: assert authen status "authen"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR:  send event Session Update
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR:  with username "user1"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session activation: ok
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Username key not found in set domain key API
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Username key does not have a delimiter in set domain key API
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Updated key list:
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   AAA-Attr-List = 3A001B08
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:     Framed-Protocol      0   1 [PPP]
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:     service-type         0   2 [Framed]
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:     ssg-account-info     0   "AANY"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Access-Type = 0 (PPP)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Session-Handle = 3472884087 (CF000177)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   SHDB-Handle = 3388997707 (CA00004B)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Input Interface = "TenGigabitEthernet0/1/0.299"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Converted-Session = 0 (NO)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Media-Type = 1 (Ethernet)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Authen-Status = 0 (Authenticated)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Nasport = PPPoEoVLAN: slot 0 adapter 1 port 0 sub-interface 299 IP 0.0.0.0 VPI 0 VCI 0 VLAN 299
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Protocol-Type = 0 (PPP Access Protocol)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Final = 1 (YES)
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]:   Auth-User = "user1"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SM Policy invoke - Process Config Connecting
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Access type PPP
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Access type PPP: final key
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Config Request from Client
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Event <got process config req>, State: wait-for-events to wait-process-config-complete
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Process Config
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Apply config request set to AAA list
    Config:   Framed-Protocol      0   1 [PPP]
    Config:   service-type         0   2 [Framed]
    Config:   ssg-account-info     0   "AANY"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Sending apply-config-only request to AAA
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SSS PM: Allocating per-user profile info
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SSS PM: Add per-user profile info to policy context
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Root SIP PPPoE
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]:  Enable PPPoE parsing
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]:  Enable PPP parsing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[0]: Snapshot captured in Active context
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[0]: Active context created
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <make request>, state changed from idle to authorizing
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active key set to Auth-User
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Authorizing key apply-config-only
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Spoofed AAA reply sent for key apply-config-only
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Received an AAA pass
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: [7FBB6473CB60]:Reply message not exist
     Initial attr  Framed-Protocol      0   1 [PPP]
     Initial attr  service-type         0   2 [Framed]
     Initial attr  ssg-account-info     0   "AANY"
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Could not parse AAA interim interval
    Nov 26 08:55:59: COA_HA: [ERR] Unable to get coa_ctx from shdb 0xCA00004B
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: RULE: Service Name = ANY Ok
    Nov 26 08:55:59: SSS PM: PARAMETERIZED-QoS: QOS parameters
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: RULE: VRF Parsing routine:
      Framed-Protocol      0   1 [PPP]
      service-type         0   2 [Framed]
      ssg-account-info     0   "AANY"
    Nov 26 08:55:59: SSS PM: VPDN is not enabled
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Feature
    Nov 26 08:55:59: Portbundle Hostkey: portbundle not configured on the router
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[34E0B60] parsed as Success
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[40FD520] parsed as Ignore
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPPoE[357ECE0] parsed as Success
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP Root parser not installed
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <service not found>, state changed from authorizing to complete
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: No service authorization info found
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active Handle present - 94000170
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Apply config handle [2D001B9D] now set to [B3001B00]
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Freeing Active Handle; SSS Policy Context Handle = 260009C1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[2113]: Released active handle
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE: store profile "apply-config-only"
    Nov 26 08:55:59: SSS PM: PROFILE-DB: is profile "apply-config-only" in DB
    Nov 26 08:55:59: SSS PM: PROFILE-DB:  Computed hash value = 669264914
    Nov 26 08:55:59: SSS PM: PROFILE-DB:  Yes, but is a new version
    Nov 26 08:55:59: SSS PM: PROFILE-DB:    create "apply-config-only"/7FBB636AB768 hdl 65001B90 ref 1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE:  create 7FBB636AF8A8, ref 1
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <free request>, state changed from complete to terminal
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Cancel request
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Author Not Found Event
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Create context 7FBB6473CF00
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: key lists to append are empty
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Authen status update; is now "unauthen"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: IDMGR: assert authen status "unauthen"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: SERVICE [ANY]: Parent 7FBB6473CB60
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: SERVICE [ANY]: Started yet? No
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: IDMGR: service not started yet; can't update
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Did not update authen status to IDMGR
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Username key not found in set domain key API
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Username key not found in set domain key API
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Updated NAS port for AAA ID 7063
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: IDMGR:  send event Session Update
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Client block is NULL in get client block with handle 150009C2
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Updated key list:
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]:   Logon-Service = "ANY"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]:   Nasport = PPPoEoVLAN: slot 0 adapter 1 port 0 sub-interface 299 IP 0.0.0.0 VPI 0 VCI 0 VLAN 299
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]:   Access-Type = 11 (Web-service-logon)
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]:   Authen-Status = 1 (Unauthenticated)
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]:   Session-Handle = 3472884087 (CF000177)
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Service Command-Handler Policy invoke - Service-Start
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Access type Web-service-logon
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Looking for a rule for event service-start
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:  Intf CloneSrc Vt2: service-rule any: None
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:  Intf InputI/f Te0/1/0.299: service-rule any: None
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:  Glob: service-rule any: default-internal-rule
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:   Evaluate "default-internal-rule" for service-start
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Wrong type "default-internal-rule/always event account-logon"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Wrong type "default-internal-rule/always event idle-timeout"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Wrong type "default-internal-rule/always event session-timeout"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Wrong type "default-internal-rule/always event keepalive-timeout"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Wrong type "default-internal-rule/always event flow-timeout"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Matched "default-internal-rule/always event service-start"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE:    Matched "default-internal-rule/always event service-start/1 service-policy type service identifier service-name"
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: Start
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
    Nov 26 08:55:59: SSS PM CCM:  Found SHDB handle 0xCA00004B for policy context 0x7FBB6473CB60
    Nov 26 08:55:59: SSS PM CCM:  [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7FBB6473CB60, action: APPLY-SERVICE)
    Nov 26 08:55:59: SSS PM HA:  Dynsess not required shdb = 0xCA00004B spol_ctx = 0x7FBB6473CB60
    Nov 26 08:55:59: SSS PM CCM:  Set PM HA as not ready (session 0xCA00004B) successfully
    Nov 26 08:55:59: SSS PM HA:  Adding an action (type APPLY-SERVICE) into the PM HA queue
    Nov 26 08:55:59: SSS PM HA:  NE: In policy_ha_add_session_info, shdb=0xCA00004B, last=APPLY-SERVICE (6)
    Nov 26 08:55:59: SSS PM HA:  In policy_ha_nett_effect_process: ctx=0x7FBB5EBC8FC0, action-type=APPLY-SERVICE, event=SERVICE-START, state=INIT-STATE
    Nov 26 08:55:59: SSS PM HA: NE: Didn't find any duplicate service-apply action
    Nov 26 08:55:59: SSS PM HA:  Setting current elem, from 0x0 to 0x7FBB5EBC4BF8
    Nov 26 08:55:59: SSS PM CCM:  New bulk session (shdb 0xCA00004B), ctx 0x7FBB6473CB60, dsess_hdl 0x0, APPLY-SERVICE OK
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: Have key Logon-Service
    Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: This service ANY is marked as not cancelled
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: State: initial-req to check-auth-needed
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Event <send auth>, State: check-auth-needed to authorizing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Handling AAA service Authorization
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Sending AAA request for 'ANY'
    Nov 26 08:55:59: SVM [ANY]: needs downloading
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: service "ANY" not in cache; needs download
    Nov 26 08:55:59: SVM [430000BB/ANY]: allocated version 1
    Nov 26 08:55:59: SVM [430000BB/ANY]: [150009C2]: client queued
    Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Download:150009C2] locked 0->1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: download required
    Nov 26 08:55:59: SVM [430000BB/ANY]: [AAA-Download:7FBB6280D928] locked 0->1
    Nov 26 08:55:59: SSS AAA AUTHOR: Authorization:Fetching method list from SIP:Web-service-logon
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: using named author method list "FREERADIUS"
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Root SIP PPPoE
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]:  Enable PPPoE parsing
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]:  Enable PPP parsing
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]:  Enable Web-service-logon parsing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[0]: Snapshot captured in Active context
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[0]: Active context created
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <make request>, state changed from idle to authorizing
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active key set to Apply-Service
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Authorizing key ANY
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Set authorization profile type to service
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: AAA request sent for key ANY
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: Downloading service "ANY"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: Start
    Nov 26 08:55:59: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Nov 26 08:55:59: RADIUS(00000000): Config NAS IP: 10.0.6.21
    Nov 26 08:55:59: RADIUS(00000000): Config NAS IPv6: ::
    Nov 26 08:55:59: RADIUS(00000000): sending
    Nov 26 08:55:59: RADIUS: nas-port-id(87) is not found in the request
    Nov 26 08:55:59: RADIUS(00000000): Send Access-Request to 10.0.6.10:1812 id 1645/157, len 55
    Nov 26 08:55:59: RADIUS:  authenticator B3 F6 A3 5E 7D D8 01 9E - 72 A5 4E D0 79 32 0C 11
    Nov 26 08:55:59: RADIUS:  User-Password       [2]   18  *
    Nov 26 08:55:59: RADIUS:  User-Name           [1]   5   "ANY"
    Nov 26 08:55:59: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Nov 26 08:55:59: RADIUS:  NAS-IP-Address      [4]   6   10.0.6.21
    Nov 26 08:55:59: RADIUS(00000000): Sending a IPv4 Radius Packet
    Nov 26 08:55:59: RADIUS(00000000): Started 5 sec timeout
    Nov 26 08:55:59: RADIUS: Received from id 1645/157 10.0.6.10:1812, Access-Accept, len 240
    Nov 26 08:55:59: RADIUS:  authenticator F2 BB 14 5D 90 BC 76 91 - 8C B3 9B 55 75 69 4A 6B
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  54
    Nov 26 08:55:59: RADIUS:   Cisco AVpair       [1]   48  "ip:traffic-class=in access-group name CM_T_ANY"
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  40
    Nov 26 08:55:59: RADIUS:   Cisco AVpair       [1]   34  "ip:traffic-class=in default drop"
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  55
    Nov 26 08:55:59: RADIUS:   Cisco AVpair       [1]   49  "ip:traffic-class=out access-group name CM_T_ANY"
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  41
    Nov 26 08:55:59: RADIUS:   Cisco AVpair       [1]   35  "ip:traffic-class=out default drop"
    Nov 26 08:55:59: RADIUS:  Vendor, Cisco       [26]  30
    Nov 26 08:55:59: RADIUS:   Cisco AVpair       [1]   24  "prepaid-config=PREPAID"
    Nov 26 08:55:59: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
    Nov 26 08:55:59: RADIUS(00000000): Received from id 1645/157
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Received an AAA pass
     Initial attr  traffic-class        0   "in access-group name CM_T_ANY"
     Initial attr  traffic-class        0   "in default drop"
     Initial attr  traffic-class        0   "out access-group name CM_T_ANY"
     Initial attr  traffic-class        0   "out default drop"
     Initial attr  prepaid-config       0   "PREPAID"
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Could not parse AAA interim interval
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Prepaid config= PREPAID
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:No prepaid context in policy context; allocing
    Nov 26 08:55:59: SSS PM: PARAMETERIZED-QoS: QOS parameters
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE: VRF Parsing routine:
      traffic-class        0   "in access-group name CM_T_ANY"
      traffic-class        0   "in default drop"
      traffic-class        0   "out access-group name CM_T_ANY"
      traffic-class        0   "out default drop"
    Nov 26 08:55:59: SSS PM: VPDN is not enabled
    Nov 26 08:55:59: SVM [430000BB/ANY]: Set class ids: 228.229
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Feature
    Nov 26 08:55:59: SSF[ANY/QoS Policy Map]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/TC]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Service Config]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/IP Config]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Interface Config]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Compression]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Modem-on-hold]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Static Routes]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/IPX Static SAPs]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Per-User ACL]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Per-User Filter]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Portbundle Hostkey]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/DHCPv6 PD from AAA]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Keepalive]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Tariff Switching]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Forced Flow Routing]: TC flow does not support this feature
    Nov 26 08:55:59: SSF[ANY/Templating End of Transaction]: TC flow does not support this feature
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[34E0B60] parsed as Success
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[40FD520] parsed as Ignore
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPPoE[357ECE0] parsed as Success
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP Root parser not installed
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP Web-service-logon parser not installed
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <service not found>, state changed from authorizing to complete
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: No service authorization info found
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active Handle present - B5000171
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Attr list is NULL, apply config handle [0] not reset
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Freeing Active Handle; SSS Policy Context Handle = 150009C2
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[2113]: Released active handle
    Nov 26 08:55:59: SSS PM [7FBB6473C080]: Create context 7FBB6473C080
    Nov 26 08:55:59: SSS PM: PROFILE-DB: is profile "ANY" in DB
    Nov 26 08:55:59: SSS PM: PROFILE-DB:  Computed hash value = 1769891265
    Nov 26 08:55:59: SSS PM: PROFILE-DB:  No, add new list
    Nov 26 08:55:59: SSS PM: PROFILE-DB:   create "ANY"
    Nov 26 08:55:59: SSS PM: PROFILE-DB:    create "ANY"/7FBB636AB6A8 hdl CF001B0C ref 1
    Nov 26 08:55:59: SVM [430000BB/ANY]: downloaded first version
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SVM download for "ANY" ok
    Nov 26 08:55:59: SVM [430000BB/ANY]: [150009C2]: client download ok
    Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-to-client-msg:150009C2] locked 0->1
    Nov 26 08:55:59: SVM [430000BB/ANY]: [AAA-Download:7FBB6280D928] unlocked 1->0
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <free request>, state changed from complete to terminal
    Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Cancel request
    Nov 26 08:55:59: SSS PM [7FBB6473C080]: Destroy context 7FBB6473C080
    Nov 26 08:55:59: SSS PM: [PARAMETERIZED-QoS]: In removed_from_rbpl_ctx_temp_hold for policy handle[ED0009C3
    Nov 26 08:55:59: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [ED0009C3], nothing to return
    Nov 26 08:55:59: COA_CCM: [SESSION FREE] Policy ctx: 0x7FBB6473C080
    Nov 26 08:55:59: COA_CCM: Free session - Ignoring policy context 0x7FBB6473C080 (not our session)
    Nov 26 08:55:59: SSS PM CCM:  [SESSION FREE] policy ctx: 0x7FBB6473C080
    Nov 26 08:55:59: SSS PM CCM:  [ERR] Free session - Ignoring policy context 0x7FBB6473C080 (not our HA session)
    Nov 26 08:55:59: CH-UTILS: Invalid command handle
    Nov 26 08:55:59: SSS PM [7FBB6473C080]: PROFILE: destroy all config
    Nov 26 08:55:59: SSS PM [7FBB6473C080]: SSS PM: destroy all user profile info from policy context
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: SVM service download success
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: download completed for "ANY" version 1
    Nov 26 08:55:59: SVM [430000BB/ANY]: alloc feature info
    Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-Feature-Info:7FBB636DD648] locked 0->1
    Nov 26 08:55:59: SVM [430000BB/ANY]: has Policy info
    Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Info:7FBB6484BDC0] locked 0->1
    Nov 26 08:55:59: SVM [430000BB/ANY]: has Policy info
    Nov 26 08:55:59: SSS PM CCM: Poisoning session for SHDB 0xCA00004B.
    Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Info:7FBB6484BD60] unlocked 1->0
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE: store profile "ANY"
    Nov 26 08:55:59: SSS PM: PROFILE-DB:   incremented ref "ANY"/7FBB636AB6A8 hdl CF001B0C ref 2
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE:  create 7FBB636AF880, ref 1
    Nov 26 08:55:59: SVM [430000BB/ANY]: populated client
    Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Download:150009C2] unlocked 1->0
    Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-to-client-msg:150009C2] unlocked 1->0
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Handling Author Not Found Event
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Feature info: 7FBB636DD648 Type: Service Config
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]:             : Config level: Service Profile
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]:             : IDB type: Sub-if or not required
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]:             : 16 bytes:
    SSS PM [uid:201][7FBB6473CF00]:             : Data: 000000 00 00 43 00 00 BB EA 00  ..c.....
    SSS PM [uid:201][7FBB6473CF00]:             : Data: 000008 00 15 15 00 09 C2 00 00  ........
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Service starting
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: SERVICE [ANY]: Parent 7FBB6473CB60
    Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Service:7FBB53EE6050] locked 0->1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: SERVICE [ANY]: Start-pending request: Ok
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Event <srvf not found>, State: authorizing to check-auth-needed
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Handling Next Authorization Check
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: Continue
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: No more actions to run
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: Continue
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
    Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: Give default directive
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[2]: Continue
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[2]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Event <srvf found>, State: check-auth-needed to wait-for-events
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: All auto services downloaded and cached,proceed with rule execution
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Service Command-Handler Policy invoke - Auto Services Downloaded
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session contans a prepaid svc
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Config Apply to SM
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SSS PM: config_applied is set for Per-User handle [8D0000CB]
    Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
    Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
    Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
    Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
    Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
    Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
    Nov 26 08:55:59: SSS PM: SSS PM: Added peruser feature infos when config_applied already set
    Nov 26 08:55:59: SSF[uid:201:0.1]: L2HW Segment init returned: Success
    Nov 26 08:55:59: SSF[uid:201:0.1]: Sending Apply Config Request to FM
    Nov 26 08:55:59: SSF Owner[]: rcv owner avail msg: owner type 4, owner hdl 0x7FBB57E18088, old seg hdl 0, msg seg hdl 872415490, fsb 0x0
    Nov 26 08:55:59: SSF Owner [Vi2.1/uid:0]: Created fsb, owner type 4, owner hdl 0x7FBB57E18088, fsb 0x7FBB64D54F88
    Nov 26 08:55:59: SSF Owner [Vi2.1/uid:0]: FSM Ev: Owner info avail
    Nov 26 08:55:59: FSM Old St: SSF Owner InActive
    Nov 26 08:55:59: FSM New St: SSF Owner Owner-Ready
    Nov 26 08:55:59: FSM: Act owner avail
    Nov 26 08:55:59: SSF[uid:201:0.1]: Received a config apply request from Swidb for segment 7FBB648AEFB0
    Nov 26 08:55:59: SSF[Vt2/uid:201:0.1]: Apply Interface configured features from source(7FBB6366B1D8)
    Nov 26 08:55:59: SSF[Vt2]: Bind notify.  Incremented ref count: 1
    Nov 26 08:55:59: SSF[Vt2/uid:201:0.1]: Segment bound to a Interface configuration source Success
    Nov 26 08:55:59: SSF[ANY/uid:201:0.1]: Apply Service Profile configured features from source(430000BB)
    Nov 26 08:55:59: SSF[uid:201:0.1]: Request flow segment context to be created
    Nov 26 08:55:59: SSF[uid:201:0.1]: L2HW Segment init returned: Success
    Nov 26 08:55:59: SSF[ANY/uid:201:228.229]: Apply Service Profile configured features from source(430000BB)
    Nov 26 08:55:59: SVM [430000BB/ANY]: [FM-Bind:CF000177] locked 0->1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SERVICE [ANY]: Bind notify: Ok
    Nov 26 08:55:59: SSF[ANY/uid:201:228.229]: Segment bound to a Service Profile configuration source Success
    Nov 26 08:55:59: SSF[Peruser/uid:201:0.1]: Apply Per-user configured features from source(8D0000CB)
    Nov 26 08:55:59: SSF[Peruser/uid:201:0.1]: Segment bound to a Per-user configuration source Success
    Nov 26 08:55:59: SSF[uid:201:0.1]: L2HW Activate features returned: Success
    Nov 26 08:55:59: SSF[uid:201:0.1]: Sent feature apply success msg
    Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-Feature-Info:7FBB636DD648] unlocked 1->0
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SM Policy invoke - Apply Config Success
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session contans a prepaid svc
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Sending first author request
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Event DO_FIRST_AUTHOR, State: INIT to PROCESSING_FIRST_AUTHOR
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Performing action: PROCESS_FIRST_AUTHOR
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Suspending first author till IPCP_PASS
    Nov 26 08:55:59: SSF[Peruser]: Did not locate push peruser bind mapping
    Nov 26 08:55:59: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [260009C1], returning compatible
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Event <got apply config success>, State: wait-process-config-complete to wait-for-events
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Apply Config; SUCCESS
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: session start done
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Removed attribute list just processed
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SERVICE [ANY]: Complete-Pending
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: service start
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR:  send event Service Assert
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR:  with service name "ANY"
    Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: assert authen status "authen"
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR:  send event Service Update
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR:  with service name "ANY"
    Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: IDMGR: update service
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: IDMGR:  send event Service Update
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: IDMGR:  with service name "ANY"
    Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SERVICE [ANY]: Started
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: no callback for callback north
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
    Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Null client block; Can't update RP
    asr-1002x-01#
    Nov 26 08:55:59: RADIUS:  Acct-Delay-Time     [41]  6   0
    Nov 26 08:55:59: RADIUS(00001B97): Sending a IPv4 Radius Packet
    Nov 26 08:55:59: RADIUS(00001B97): Started 5 sec timeout
    Nov 26 08:55:59: RADIUS: Received from id 1646/205 10.0.6.10:1813, Accounting-response, len 20
    Nov 26 08:55:59: RADIUS:  authenticator 18 6B 22 E6 3F 56 1A 4A - 73 83 5C 79 BD 38 24 8A
    asr-1002x-01#
    SSS Switch: Pak 7FBB4D5B6D28 sz 14 encap 2
    Nov 26 08:56:01: 000000 C0 21 09 7E 00 0C 0C 11  D!N~....
    Nov 26 08:56:01: 000008 3B ED FA D5 8D F4        ;.....
    Nov 26 08:56:01: SSF: Classified on Layer 2
    Config:
    ! Last configuration change at 16:45:50 TMN Tue Nov 25 2014 by lion
    ! NVRAM config last updated at 16:45:51 TMN Tue Nov 25 2014 by lion
    version 15.3
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    service unsupported-transceiver
    no platform punt-keepalive disable-kernel-core
    hostname asr-1002x-01
    boot-start-marker
    boot system flash bootflash:asr1002x-universalk9.03.10.03.S.153-3.S3-ext.SPA.bin
    boot-end-marker
    aqm-register-fnf
    vrf definition Mgmt-intf
    address-family ipv4
    exit-address-family
    address-family ipv6
    exit-address-family
    vrf definition Voice
    address-family ipv4
    exit-address-family
    address-family ipv6
    exit-address-family
    logging buffered 1024000 informational
    aaa new-model
    aaa group server radius freeradius
    server-private 10.0.6.10 auth-port 1812 acct-port 1813 key 7 142417081E013E
    ip vrf forwarding Mgmt-intf
    ip radius source-interface GigabitEthernet0
    aaa group server radius billing
    server-private 10.0.6.102 auth-port 1812 acct-port 1813 key 7 06150A225E4B1D
    ip vrf forwarding Mgmt-intf
    ip radius source-interface GigabitEthernet0
    aaa authentication login default local
    aaa authentication ppp LOCAL_AUTH local
    aaa authentication ppp FREERADIUS group freeradius
    aaa authentication ppp BILLING group billing
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network LOCAL_AUTH none
    aaa authorization network FREERADIUS group freeradius
    aaa authorization network BILLING group billing
    aaa authorization subscriber-service FREERADIUS local group freeradius
    aaa authorization subscriber-service BILLING local
    aaa accounting delay-start all
    aaa accounting delay-start extended-delay 2
    aaa accounting update periodic 5
    aaa accounting include auth-profile framed-ip-address
    aaa accounting include auth-profile framed-ipv6-prefix
    aaa accounting include auth-profile delegated-ipv6-prefix
    aaa accounting network FREERADIUS start-stop group freeradius
    aaa accounting network BILLING start-stop group billing
    aaa server radius dynamic-author
    client 10.0.6.102 vrf Mgmt-intf server-key 7 120A0014000E18
    client 10.0.6.10 server-key 7 094F471A1A0A
    port 1645
    auth-type any
    ignore session-key
    aaa session-id common
    aaa policy interface-config allow-subinterface
    clock timezone TMN 5 0
    no ip source-route
    no ip domain lookup
    ip domain name local
    ip host service 10.0.6.101
    ip dhcp excluded-address vrf Voice 10.3.0.0 10.3.127.255
    ip dhcp pool Voice
    vrf Voice
    network 10.3.0.0 255.255.0.0
    ipv6 unicast-routing
    ipv6 dhcp iana-route-add
    ipv6 dhcp binding track ppp
    ipv6 dhcp pool dhcpv6_pool_60
    prefix-delegation pool ppp_delegate_60_v6_pool
    accounting BILLING
    ipv6 dhcp pool dhcpv6_pool_56
    prefix-delegation pool ppp_delegate_56_v6_pool
    accounting BILLING
    ipv6 dhcp pool AAA_dhcpv6_pool
    prefix-delegation aaa method-list BILLING
    subscriber feature prepaid PREPAID
    threshold time 0 seconds
    threshold volume 1 Kbytes
    interim-interval 1 minutes
    method-list author FREERADIUS
    method-list accounting FREERADIUS
    password cisco
    flow monitor MON1
    record netflow ipv4 original-output
    multilink bundle-name authenticated
    no virtual-template snmp
    license accept end user agreement
    archive
    log config
    logging enable
    logging size 300
    hidekeys
    path tftp://service/config/all/$h-$t
    write-memory
    spanning-tree extend system-id
    redundancy
    mode none
    redirect server-group NoMoney
    server ip A.B.198.3 port 80
    redirect server-group NoMoneyDNS
    server ip A.B.198.10 port 53
    cdp run
    ip tftp source-interface GigabitEthernet0
    ip ssh version 2
    lldp run
    class-map type traffic match-any CM_ANY6
    match access-group input name CM_T_ANY6
    match access-group output name CM_T_ANY6
    class-map type traffic match-any CM_ANY
    match access-group input name CM_T_ANY
    match access-group output name CM_T_ANY
    class-map type traffic match-any CM_T_NoMoney_REDIRECT_DNS
    match access-group input name CM_T_NoMoney_REDIRECT_DNS
    class-map type traffic match-any CM_T_NoMoney_REDIRECT_WWW
    match access-group input name CM_T_NoMoney_REDIRECT_WWW
    class-map type traffic match-any CM_T_NoMoney_PASS
    match access-group input name CM_T_NoMoney_PASS
    match access-group output name CM_T_NoMoney_PASS
    policy-map type service NoMoney10
    10 class type traffic CM_T_NoMoney_PASS
    class type traffic default in-out
    drop
    policy-map type service NoMoney500
    500 class type traffic CM_T_NoMoney_REDIRECT_WWW
    redirect to group NoMoney
    class type traffic default in-out
    drop
    policy-map type service NoMoney510
    510 class type traffic CM_T_NoMoney_REDIRECT_DNS
    redirect to group NoMoneyDNS
    class type traffic default in-out
    drop
    policy-map type service Any
    1 class type traffic CM_ANY
    prepaid config PREPAID
    class type traffic default in-out
    drop
    policy-map type service Any6
    1 class type traffic CM_ANY6
    prepaid config PREPAID
    class type traffic default in-out
    drop
    policy-map pol2
    policy-map pol1
    policy-map PM_SPEED_NONE
    class class-default
    policy-map rate_10m
    class class-default
    police 10000000 1000000
    policy-map PM_TEST
    class class-default
    police 1000000
    policy-map rate_1m
    class class-default
    police 1000000 100000
    policy-map PM_SPEED_8M
    class class-default
    police 9000000
    policy-map rate_out_10m
    class class-default
    police 10000000 1000000
    policy-map rate_in_10m
    class class-default
    police 10000000 1000000
    no crypto isakmp default policy
    no crypto ipsec transform-set default
    bba-group pppoe 1
    virtual-template 1
    vendor-tag circuit-id service
    vendor-tag remote-id service
    sessions per-mac limit 2
    bba-group pppoe 2
    virtual-template 2
    vendor-tag circuit-id service
    vendor-tag remote-id service
    sessions per-mac limit 2
    interface Null0
    no ip unreachables
    no ipv6 unreachables
    interface Loopback0
    ip address A.B.196.6 255.255.255.255
    ipv6 address 2001:7f8::20/128
    ipv6 enable
    interface Loopback2
    ip address A.B.198.1 255.255.255.0
    interface GigabitEthernet0/0/0
    no ip address
    negotiation auto
    cdp enable
    interface GigabitEthernet0/0/1
    no ip address
    negotiation auto
    cdp enable
    interface GigabitEthernet0/0/2
    no ip address
    negotiation auto
    cdp enable
    interface GigabitEthernet0/0/3
    no ip address
    negotiation auto
    cdp enable
    interface GigabitEthernet0/0/4
    no ip address
    negotiation auto
    cdp enable
    interface GigabitEthernet0/0/5
    no ip address
    negotiation auto
    cdp enable
    interface TenGigabitEthernet0/1/0
    mtu 9000
    no ip address
    load-interval 30
    cdp enable
    hold-queue 4096 in
    interface TenGigabitEthernet0/1/0.9
    encapsulation dot1Q 9
    ip address A.B.196.5 255.255.255.254
    ip nat outside
    ip flow monitor MON1 input
    ip flow monitor MON1 output
    ipv6 address 2001:7f8:0:1::2:1/127
    ipv6 nd ra suppress
    interface TenGigabitEthernet0/1/0.34
    description DM_Inet
    encapsulation dot1Q 34
    ip unnumbered Loopback2
    ip nat outside
    service-policy input PM_SPEED_NONE
    service-policy output PM_SPEED_NONE
    interface TenGigabitEthernet0/1/0.96
    description DM_Datacenter
    encapsulation dot1Q 96
    ip unnumbered Loopback2
    ip nat outside
    service-policy input PM_SPEED_NONE
    service-policy output PM_SPEED_NONE
    interface TenGigabitEthernet0/1/0.298
    description IPoE test
    encapsulation dot1Q 298
    ip unnumbered Loopback2
    ip nat outside
    interface TenGigabitEthernet0/1/0.299
    description PPPoE Test
    encapsulation dot1Q 299
    pppoe enable group 2
    interface TenGigabitEthernet0/1/0.300
    encapsulation dot1Q 300
    vrf forwarding Voice
    ip address 10.3.0.1 255.255.0.0
    interface TenGigabitEthernet0/1/0.21000
    description PPPoE
    encapsulation dot1Q 2 second-dot1q 1000-1999
    pppoe enable group 1
    pppoe max-sessions 10000
    interface TenGigabitEthernet0/1/0.2002000
    description client 2000
    encapsulation dot1Q 200 second-dot1q 2000
    ip unnumbered Loopback2
    ip nat outside
    service-policy input PM_SPEED_8M
    service-policy output PM_SPEED_8M
    interface GigabitEthernet0
    vrf forwarding Mgmt-intf
    ip address 10.0.6.21 255.255.255.0
    negotiation auto
    interface Virtual-Template1
    mtu 1492
    ip unnumbered Loopback0
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip verify unicast reverse-path
    ip tcp adjust-mss 1452
    no logging event link-status
    ipv6 unnumbered Loopback0
    ipv6 enable
    no ipv6 nd ra suppress
    ipv6 dhcp server AAA_dhcpv6_pool
    peer default ip address pool pool192_168
    keepalive 60
    ppp authentication chap ms-chap-v2 BILLING
    ppp authorization BILLING
    ppp accounting BILLING
    ppp ipcp dns A.B.198.10
    interface Virtual-Template2
    description Testing PPPoE
    mtu 1492
    ip unnumbered Loopback0
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip verify unicast reverse-path
    ip tcp adjust-mss 1452
    no logging event link-status
    ipv6 unnumbered Loopback0
    ipv6 enable
    no ipv6 nd ra suppress
    ipv6 dhcp server AAA_dhcpv6_pool
    peer default ip address pool pool192_168
    keepalive 60
    ppp authentication chap ms-chap-v2 FREERADIUS
    ppp authorization FREERADIUS
    ppp accounting FREERADIUS
    ppp ipcp dns A.B.198.10
    ip local pool pool172_17 172.17.0.1 172.17.255.254
    ip local pool pool192_168 192.168.128.0 192.168.255.254
    ip nat settings mode cgn
    no ip nat settings support mapping outside
    ip nat pool nat_pool A.B.196.65 A.B.196.127 netmask 255.255.255.0
    ip nat inside source list nat pool nat_pool overload
    no ip forward-protocol nd
    no ip forward-protocol udp tftp
    no ip forward-protocol udp domain
    no ip forward-protocol udp time
    no ip forward-protocol udp netbios-ns
    no ip forward-protocol udp netbios-dgm
    no ip forward-protocol udp tacacs
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 A.B.196.4
    ip route A.B.196.128 255.255.255.128 Null0 100
    ip route A.B.197.0 255.255.255.0 Null0 100
    ip route A.B.198.0 255.255.255.0 Null0 100
    ip route A.B.198.2 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.2 name net-console-01
    ip route A.B.198.3 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.3 name net-mon-01
    ip route A.B.198.4 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.4 name billing-01
    ip route A.B.198.5 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.5 name svyazisty
    ip route A.B.198.6 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.6 name Linux_test
    ip route A.B.198.7 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.7 name SCE_Console
    ip route A.B.198.8 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.8 name backup-01
    ip route A.B.198.9 255.255.255.255 TenGigabitEthernet0/1/0.298 A.B.198.9 name Linux_test2
    ip route A.B.198.10 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.10 name dns-server
    ip route A.B.198.16 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.16 name DM
    ip route A.B.198.17 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.17 name DM
    ip route A.B.198.18 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.18 name DM
    ip route A.B.198.19 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.19 name DM
    ip route A.B.198.20 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.20 name DM
    ip route A.B.198.21 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.21 name DM
    ip route A.B.198.22 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.22 name DM
    ip route A.B.198.23 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.23 name DM
    ip route A.B.198.24 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.24 name DM
    ip route A.B.198.25 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.25 name DM
    ip route A.B.198.26 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.26 name DM
    ip route A.B.198.27 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.27 name DM
    ip route A.B.198.28 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.28 name DM
    ip route A.B.198.29 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.29 name DM
    ip route A.B.198.30 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.30 name DM
    ip route A.B.198.31 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.31 name DM
    ip route A.B.198.100 255.255.255.255 TenGigabitEthernet0/1/0.2002000 A.B.198.100 name "client 100"
    ip access-list extended CM_T_ANY
    permit ip any any
    ip access-list extended CM_T_NoMoney_PASS
    permit ip any host A.B.198.3
    permit ip host A.B.198.3 any
    permit udp any host A.B.198.10 eq domain
    permit udp host A.B.198.10 eq domain any
    ip access-list extended CM_T_NoMoney_REDIRECT_DNS
    permit udp any any eq domain
    ip access-list extended CM_T_NoMoney_REDIRECT_WWW
    permit tcp any any eq www
    ip access-list extended POLICE_EXCLUDE
    deny ip any host A.B.198.3
    deny ip host A.B.198.3 any
    permit ip any any
    ip access-list extended POLICE_EXCLUDE_INV
    permit ip any host A.B.198.3
    permit ip host A.B.198.3 any
    ip access-list extended nat
    deny ip any 10.0.0.0 0.255.255.255
    deny ip any 172.16.0.0 0.15.255.255
    deny ip any 192.168.0.0 0.0.255.255
    deny ip any 169.254.0.0 0.0.255.255
    permit ip 192.168.128.0 0.0.127.255 any
    permit ip 172.17.0.0 0.0.255.255 any
    ip access-list extended vty
    permit ip 10.0.6.0 0.0.0.255 any
    kron occurrence daily-backup at 3:24 recurring
    policy-list backup_rc
    kron policy-list backup_rc
    cli enable
    cli archive config
    ipv6 route 2001:7f8:1::/48 Null0
    ipv6 route 2001:7f8:2::/48 Null0
    ipv6 route 2001:7f8:3::/48 Null0
    ipv6 route ::/0 2001:7f8:0:1::2:0
    ipv6 local pool ppp_delegate_60_v6_pool 2001:7f8:2::/48 60
    ipv6 local pool ppp_delegate_56_v6_pool 2001:7f8:3::/48 56
    ipv6 local pool ppp_link_v6_pool 2001:7f8:1::/49 64
    radius-server attribute 44 include-in-access-req default-vrf
    radius-server attribute 8 include-in-access-req
    radius-server attribute 55 include-in-acct-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf
    ipv6 access-list CM_T_ANY6
    permit ipv6 any any
    control-plane
    line con 0
    exec-timeout 30 0
    logging synchronous
    history size 256
    stopbits 1
    line aux 0
    transport input ssh
    transport output all
    stopbits 1
    line vty 0 4
    access-class vty in vrf-also
    exec-timeout 120 0
    logging synchronous
    history size 256
    transport input ssh
    transport output all
    line vty 5 15
    access-class vty in vrf-also
    exec-timeout 120 0
    logging synchronous
    history size 256
    transport input ssh
    transport output all
    line vty 16 97
    history size 256
    ntp server vrf Mgmt-intf 10.0.6.10
    end

  • Changing Hyper-V host and cluster virtual IP addresses to new subnet/VLAN

    I have a 2 node Hyper-V 2012 R2 failover cluster, managed by System Center Virtual Machine Manager 2012 R2, and I would like to change the IP addresses of the hosts and the cluster, in order to move them to a new subnet and VLAN. The existing and new subnets are able to route to each other so all hosts will still be able to communicate throughout the parts of the process where they may be on separate subnets. There is also a dedicated cluster heartbeat network on its own subnet and VLAN that I am not altering in any way.
    The 2 hosts are configured with 4 nics in a team, with dedicated virtual interfaces for each of the following:
    -Live Migration
    -Cluster Heartbeating
    -Host management/general traffic (the cluster virtual IP address is also on the same subnet as these interfaces).
    It is the host management/general traffic addresses that I want to change. The interfaces were created and configured with the Add-VMNetworkAdapter, New-NetIPAddress and Set-VMNetworkAdapterVlan commands.
    Please advise if the following process is correct:
    1) Evacuate all the VMs from the first host to be changed and put it in maintenance mode.
    2) Use Set-VMNetworkAdapter to change the name of the interface (the current name refers to the VLAN it's on)
    3) Use Set-NetIPAddress to change the IP address and gateway of the interface as appropriate
    4) Use Set-VMNetworkAdapterVlan to set the VLAN ID
    5) Take the host out of maintenance mode and move all VMs off the other host
    6) Repeat above steps on the other host
    I know that I will then need to change the cluster virtual IP address, but I have no idea how to do this or where to look for that setting. Please advise!
    Cheers.

    Hi new_guise,
    For changing cluster node's IP address please refer to the link below :
    https://support.microsoft.com/kb/230356?wa=wsignin1.0
    For changing VIP please refer to this article :
    http://blogs.technet.com/b/chrad/archive/2011/09/16/changing-hyper-v-cluster-virtual-ip-address-vip-after-layer-3-changes.aspx
    Best Regards,
    Elton Ji
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

  • ISG Debug - IP configuration missing for radius proxy session initiation

    Folks,
    We are trying to configure the ISG as a Radius-Proxy for EAP Authentication. I have configured aaa server radius proxy, clients and aaa auth radius-proxy group as per the guide. I have my interface config as follows:
    interface TenGigabitEthernet0/2/0.205
     encapsulation dot1Q 205
     ip vrf forwarding CS
     ip address 10.20.0.1 255.255.224.0
     ip helper-address global 172.X.X.X
     no ip redirects
     no ip proxy-arp
     ip tcp adjust-mss 1420
     service-policy type control DEFAULT_RULES
     ip subscriber l2-connected
      initiator dhcp
      initiator radius-proxy
      arp ignore local
    When I try to connect a wifi client to an AP, I can see that the AP is forwarding the Access-Request to the ISG but the ISG does not forward it to the AAA. In the ISG debug I see the following message:
    RADIUS: IP configuration missing for radius proxy session initiation
    Can anyone help to identify what is missing here pls?
    Thank You in advance!

    Kiran,
    Did you follow this guide? It looks like the interface configuration is there, but you didn't include the actual radius configuration. Does it follow the guide here -
    http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_radius_proxy.html#wp1055053
    Thanks,
    Tarik Admani

  • Seed mailbox database copy through replication network (DAG members on different subnets in different sites)

    Good afternoon
    I currently operate a two node DAG in our primary site supporting one mailbox database. I plan to introduce a third DAG node in our datacenter which is in a different Active Directory site. Both current DAG members replicate over a dedicated replication network to keep the traffic separate from the MAPI traffic. The third DAG member will also have a dedicated replication network adapter (of course, on a different subnet). Ideally I would like to seed the database at a time of my choosing, rather than at the moment I add the mailbox database copy (I know how to achieve this), but I would like to specify which network the data replicates over.
    According to the following (see below link) under the 'Seeding and Networks' section as my two DAG members will be on different subnets in different sites Exchange will make the decision to use the MAPI network adapters of the target and source server.
    'If the source server and target server are on different subnets, even if a replication network that contains those subnets has been configured, the client (MAPI) network will be used for seeding.'
    http://technet.microsoft.com/en-us/library/dd335158%28v=exchg.150%29.aspx
    Am I able to force Exchange to use the replication network adapters of both source and target server when I initiate the seeding process? I have a 200+ GB mailbox database that will need to replicate over a 100Mbps internet connection to our secondary site and I would like to keep that traffic to the replication network I have configured.
    Any insight would be helpful.

    Hi,
    If you want to specify the networks for seeding, you can use the Network parameter when running the Update-MailboxDatabaseCopy cmdlet and specify the DAG networks that you want to use.
    If you don't use the Network parameter, then the system uses the following default behavior for selecting a network to use for the seeding operation:
    - If the source server and target server are on the same subnet and a replication network has been configured that includes the subnet, the replication network will be used.
    - If the source server and target server are on different subnets, even if a replication network that contains those subnets has been configured, the client (MAPI) network will be used for seeding.
    - If the source server and target server are in different datacenters, the client (MAPI) network will be used for seeding.
    So please use the Update-MailboxDatabaseCopy cmdlet with the Network parameter to specify which DAG network should be used for seeding.
    Best regards,
    Belinda Ma
    TechNet Community Support

  • ISG with DHCP Option 82 sessions

    Greetings, I'm looking to roll out a GPON deployment using the ISG as our BRAS with DHCP-based sessions but we are experiencing some problems with session restart. We're using an external DHCP server and RADIUS. Sessions come up fine the first time, but if there is an existing session and the CPE node is rebooted the session gets "stuck". To clear the session we turn off the CPE device, clear the state in the GPON shelf and wait for more than 5 minutes. Doing some debug shows the SG-DPM process thinking there is an existing DHCP lease that seems to clear out after five minutes of "silence". I'd like to get this five minutes down to something in the less than 60 seconds range. Anybody know of any knobs to tweak this?
    Dec  2 12:49:19.642 EST: SG-DPM: getting the context for mac_address = 0024.c823.7322
    Dec  2 12:49:19.642 EST: SG-DPM: input override for mac_address = 0024.c823.7322
    Dec  2 12:49:19.642 EST: SG-DPM: null input interface from dhcp,returning access interface GigabitEthernet0/3.300
    Dec  2 12:49:19.642 EST: SG-DPM: DHCP Offer notification from client, mac_address = 0024.c823.7322
    Dec  2 12:49:19.642 EST: SG-DPM: getting the context for mac_address = 0024.c823.7322
    Dec  2 12:49:19.642 EST: SG-DPM: Aborting update. IP address: 10.2.2.162 hasn't changed
    Running 12.2 (31) SB19 with the following code snippet:
    aaa authorization subscriber-service USER_LOGON group radius
    policy-map type control USER
     class type control always event session-start
      20 authorize aaa list USER_LOGON password blablabla identifier circuit-id
      30 service disconnect
    interface GigabitEthernet0/3.300
     encapsulation dot1Q 300
     ip dhcp relay information trusted
     ip address 10.1.1.1 255.255.255.224
     ip helper-address 10.10.10.10
     no cdp enable
     service-policy type control USER
     ip subscriber l2-connected
      initiator dhcp

    Try...
    If the session is still in an unauthenticated state, setting the unauth timer will help:
     class type control always event session-start
      25 set-timer IP_UNAUTH_TIMER 6
    But if the session is authenticated then it is suggested to set an idle timeout value like this:
    policy-map type service IDLE_TIME_SERVICE
     class type traffic IDLE_TIME
      timeout idle 600
     class type control always event session-start
      24 service-policy type service name IDLE_TIME_SERVICE
    Shelley.
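
A way to spot the stuck-session pattern from the debug output quoted in the question, as an added example that is not part of the original thread or of any Cisco tooling. It assumes, based on the poster's description, that a DHCP Offer notification followed by "Aborting update ... hasn't changed" for the same MAC marks a session still held by the old lease; the function name and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# First six lines are the debug output quoted in the post; the last two are
# constructed for this example (a second MAC whose offer is not aborted).
SAMPLE_LOG = """\
Dec  2 12:49:19.642 EST: SG-DPM: getting the context for mac_address = 0024.c823.7322
Dec  2 12:49:19.642 EST: SG-DPM: input override for mac_address = 0024.c823.7322
Dec  2 12:49:19.642 EST: SG-DPM: null input interface from dhcp,returning access interface GigabitEthernet0/3.300
Dec  2 12:49:19.642 EST: SG-DPM: DHCP Offer notification from client, mac_address = 0024.c823.7322
Dec  2 12:49:19.642 EST: SG-DPM: getting the context for mac_address = 0024.c823.7322
Dec  2 12:49:19.642 EST: SG-DPM: Aborting update. IP address: 10.2.2.162 hasn't changed
Dec  2 12:50:01.100 EST: SG-DPM: getting the context for mac_address = 0000.5e00.5301
Dec  2 12:50:01.100 EST: SG-DPM: DHCP Offer notification from client, mac_address = 0000.5e00.5301
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+\s+\w+): SG-DPM: (?P<msg>.*)$")
MAC_RE = re.compile(r"mac_address = (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
ABORT_RE = re.compile(r"Aborting update\. IP address: (?P<ip>\d+\.\d+\.\d+\.\d+) hasn't changed")

def find_stale_sessions(log_text):
    """Return {mac: [(timestamp, ip), ...]} for offers that SG-DPM ignored."""
    stale = defaultdict(list)
    offered = set()      # MACs with a DHCP Offer notification seen so far
    current_mac = None   # the abort line carries no MAC, so track the last context
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        mac = MAC_RE.search(msg)
        if mac:
            current_mac = mac.group("mac").lower()
            if "DHCP Offer notification" in msg:
                offered.add(current_mac)
            continue
        abort = ABORT_RE.search(msg)
        if abort and current_mac in offered:
            stale[current_mac].append((m.group("ts"), abort.group("ip")))
            offered.discard(current_mac)
    return dict(stale)

if __name__ == "__main__":
    for mac, hits in find_stale_sessions(SAMPLE_LOG).items():
        print(mac, hits)
```

Run against a saved debug capture, the per-MAC hit list shows which subscribers are waiting out the stale lease, which helps confirm whether a timer change actually shortens the window.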

  • SCE/ISG License Query

    Hi,
    I do have SCE & ISG with some device licenses. But I am unable to view the license in both the devices.
    Please help..

    Hi,
    I can't speak for the SCE, but there will be no ISG license on your 7200 to view with any show command, just like you cannot do the same with the Broadband per subscriber licenses.
    Instead look through your previous BoM or contact your sales contact for clarification on how many licenses you have purchased.

  • Can you cluster two nodes from subnet A with the cluster itself residing in subnet B?

    We have a situation in a cloud deployment where the servers are automatically provisioned through a cloud portal with IP addresses from subnet A. Because we require static IP for clustering, the static IP can only be provisioned from subnet B for use by the cluster.  Is it possible to create a cluster from the two nodes in subnet A from a cluster IP in subnet B?  I cannot find any mention of this particular network configuration for a Windows cluster.  We are using the cluster to support SQL Server 2012 AlwaysOn Availability Groups.

    Hi Sir,
    >>the servers are automatically provisioned through a cloud portal with IP addressed from subnet A.
    Did you try to create a new VM, then give it a static IP from subnet B, then check if the VM can be accessed from outside?
    Best Regards,
    Elton Ji

  • VMW Fusion 4.1 breaks 1 host LAN subnet

    Testing VMware Fusion 4.1 on '09 MacBook Pro Lion 10.7.2 to run a Lion 10.7.2 guest for testing. When Fusion is running, regardless of VM on, suspended or stopped, it sometimes has (not yet consistently reproducible) killed Exchange mail in the host (mail.app or MS 02k11) and kills any new access to one particular local subnet (yet all other LAN and WAN subnets are fine) from host wired ethernet LAN (guest VM running bridged, wifi, totally separate / firewalled from host wired LAN). Quit Fusion and, bam, all works again. Repeatable back & forth, and after reboot with nothing else running. Can't even ping subnet on router. Even stranger: if shared server volumes from affected subnet are mounted in host before starting Fusion they stay mounted and fully accessible for read/write yet their whole subnet can no longer be pinged, no new connection to server from host can be established.
    Tried changing lots of network settings in host, Fusion and guest VM, seems to make no difference: The simple act of starting Fusion.app breaks host access to just the 1 local subnet. Quitting Fusion.app restores it.
    Anyone got any ideas what causes this, maybe something simple I've overlooked? TIA.

    Sorry to hear that.
    But Apple have probably broken it when they added the MobileMe and modified the Wide-Area Bonjour code.
    However, I can report that Back-to-My-Mac does work on the AEBS. If you are already an MM subscriber, you can use that to get back to the AirDisk.
