PPP over L2TP with RADIUS Failed
Hi, I'm getting a CodeRej when I try do a PPP over L2TP dynamic using a Radius in a debian OS.
Regards
Ok, Ok i admit it was my fault to not use that common and sometimes strangely new feature probably older than me called "SEARCH"
I checked another discussion regarding the same subject and it turned out by their knowledge that ACS 5.x manage
TACACS+ only for Device Administration
RADIUS for Network Access
Any other way doesn't work...any other opinion? ( i just can't help the fact that Cisco doesn't let use TACACS+ for PPP Authentication...does anybody knows why?)
Similar Messages
-
IEEE 802.1x Authentication with RADIUS failed
Hello guys,
I've a little strange Situation.
If user start his Computer (Windows 7 enterprise) and computer is connected via LAN it works fine.
If user start his Computer (Windows 7 enterprise) and computer is connected via WLAN it works also fine.
But if user start his Computer (Windows 7 enterprise) that is connected via LAN it is not more possible to connect to WLAN (parallel). I've implemented an IEEE 802.1 RADIUS authenticiation.
It does not work with this special user account. I've tested it already successful with couple other accounts.
Does someone has experience with such Situation?
Regards
RodikIt does not work with this special user account. I've tested it already successful with couple other accounts.
Hi,
Did you mean that this problem just occures to the single User Account but others works fine at same computer, isn't it?
When it connect Wlan failed, is there any error message? Have you tried to reinstall the WLan device driver for test?
it would be better to provide more details about the Wlan connect failed.
Roger Lu
TechNet Community Support -
Hi there, I am trying to connect to my server at work from home using a vpn connection. It connects fine and the time ticks along, but when i click go - connect to server, it comes up with connection failed. Please help!
... when i click go - connect to server, it comes up with connection failed.
If you're trying to connect to a Bonjour server on the remote network, that won't work over a layer 3 VPN. Use something like Hamachi or one of the SSH-tunnelling Bonjour proxy apps for that. -
ISDN Authorization with RADIUS using ISE 1.1.2
Hi,
I am trying to move my ISDN dialup branches authentication/authorization from old ACS 4.1 to ISE appliance. Before it was through ACS 4.2 with TACACS protocol but now since we are moving to ISE we are moving them to ISE with radius.
Problem is that isdn client gets authenticated and authorized but calls get dropped and they dont able to communicate with HO. IP address is assigned by Head End router to all remote isdn dialing branches..
I have used default "PermitAccess" in authorization policy and authentication policy is also default. I dont understand where I am going wrong as authentication and authorization is sucessful.
aaa authentication ppp default group radius local
aaa authentication network default group radius
aaa accounting network default start-stop group radius
radius-server host 12.18.22.41
radius-server key *****
below is the router configuration for AAA
can any one help in thisCoA is not needed, nor supported for ISDN aaa, i used ACS 3.3 for this a long time ago. I think you should do some debugging if ise does not give you any errors.
try doing some debug aaa / debug radius & deb ppp nego if your calls are authenticated and ip is assigned to the calling router, you should see some disconnect reason in the debug. -
Problem with L2TP with Cisco 3845
Dear all
I have the following scenario for my dailup network.
MaxTNT(LAC) ---Ethernet--- Cisco3845 (LNS)
I have configuered MaxTNT Dailup server to act as LAC and launch a L2TP Tunnel after authenticating with Radius Server. Cisco 3845 acting as LNS estblishes L2TP tunnel with LAC and Dailup Users get connected on it as VPDNpppOE users.
However problem i am facing is that i don't receieve any authentication request on Cisco LNS. As soon as user gets connect it sents Accouting Request only.
I need authorization request in order to Push various different AVP from radius. But its not happening.
Anyone have any idea what could be wrong here?? is thre any specific parameter i need to set up Cisoc.. or on MaxTNT????
Waiting for replyTo enable the Layer 2 Tunnel Protocol (L2TP) tunnel server or network access server (NAS) to perform remote authentication, authorization, and accounting (AAA) tunnel authentication and authorization, use the vpdn tunnel authorization network command in global configuration mode. To disable remote tunnel authentication and authorization and return to the default of local tunnel authentication and authorization, use the no form of this command.
vpdn tunnel authorization network {list-name | default}
no vpdn tunnel authorization network {list-name | default} -
We just implemented ISE 802.1x in couple of our Cisco 4507 switches and we are seeing the following error in the log.
%HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
I paste it in the Cisco error message decoder and came back with not found.
Thanks...Jimmy,
Srory for the late reply but it turned out to be we needed to add the missing auth data vlan command on the switch. After that the error went away.
Thanks for you input I do appreciate it.
Jack. -
Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008
Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my caseHi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD => It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet -
Hey Everyone,
I am configuring AAA with RADIUS on our remote ASA firewalls. This is pretty straight forward, but I have some firewalls that this is not working on. I have upgraded the IOS image on the ASA 5510 to ASA804-K8.BIN on all of them. The strange part is some of them are working and some of them are not working.
Just wondering if anyone else has come across this before and what info do you need to give me an assist.
Thanks in advance,
KimberlyHi Kimberly,
just curious: why 8.0.4 and not 8.0.5 ?
What are you using radius for ? What is the radius server? Did you configure all the ASAs on the radius server(s) ? Did you use the correct shared secret?
Is there anything different between the working ASAs and the failing ones? Configuration, location in the network, etc?
If the above doesn't help please post the config of a failing ASA (or at least the relevant parts, and make sure to remove any sensitive data) and the output of:
debug radius
debug aaa authen
debug aaa common 254
You can test just the radius part with the cli command "test aaa-server authentication ..."
hth
Herbert -
Voice over Wireless with Cisco phones 7921 and 7925
Hello experts,
I made an wireless audit for a company.
They have 2 WLCs 5508 in HA mode, with APs 2602 for indoor and 1552. Version of the WLC : 7.6.120.0
At the end of the day we noticed that the roaming between indoor and outdoor access points is sometimes failing and results to a complete disconnection of the wireless phone (7921 or 7925) from the network. When people go from the indoor to the outdoor area, there is no problem. The problem comes when people are coming from the outdoor to the indoor.
Also, on the WLC, the power lvl of the outdoor APs are set to 1 ... Is it good or not ?
My question is, is there any known issue about Voice over wireless with WLC 5508-7.6.120.0 with APs 2602 and 1552 ?
Maybe it should be better to upgrade to 7.6.130.0 ?
Thanks in advance,
AlexisNormally yes.
Is there a way to troubleshoot what's going on with the phones ? Maybe a "show client detail MAC address* on the WLC ?
Here are some logs when the phones are losing the network :
*Dot1x_NW_MsgTask_4: Apr 09 12:44:21.320: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client 00:24:d7:83:56:dc
*apfMsConnTask_6: Apr 09 12:28:32.668: #APF-3-VALIDATE_CCKM_REASS_REQ_ELEMENT: apf_utils.c:2506 Could not validate the CCKM Reassociation request element.Received Timestamp deviation > 1sec in CCKM Info Element from mobile. Mobile:4c:00:82:85:6e:e1, AP:1
*Dot1x_NW_MsgTask_1: Apr 09 12:26:53.964: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 74:26:ac:63:8c:a9 - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_1: Apr 09 12:26:53.929: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 74:26:ac:63:8c:a9 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*apfMsConnTask_4: Apr 09 12:24:34.959: #APF-3-VALIDATE_CCKM_REASS_REQ_ELEMENT: apf_utils.c:2506 Could not validate the CCKM Reassociation request element.Received Timestamp deviation > 1sec in CCKM Info Element from mobile. Mobile:78:da:6e:f6:5f:89, AP:5
*Dot1x_NW_MsgTask_0: Apr 09 12:22:30.217: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 4c:00:82:85:1d:68 - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_4: Apr 09 12:22:30.206: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 4c:00:82:85:b3:ac - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_4: Apr 09 12:22:30.186: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 4c:00:82:85:b3:ac - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Apr 09 12:22:30.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 4c:00:82:85:1d:68 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_6: Apr 09 12:22:29.672: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 78:da:6e:f6:14:2e - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_6: Apr 09 12:22:29.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client 78:da:6e:f6:14:2e - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*apfMsConnTask_3: Apr 09 12:19:22.098: #APF-3-VALIDATE_CCKM_REASS_REQ_ELEMENT: apf_utils.c:2506 Could not validate the CCKM Reassociation request element.Received Timestamp deviation > 1sec in CCKM Info Element from mobile. Mobile:4c:00:82:85:6e:e1, AP:5
*osapiBsnTimer: Apr 09 12:13:36.031: #LOG-3-Q_IND: spam_lrad.c:53542 The system is unable to find WLAN 2 to be deleted -
789 error.The L2TP connection attempt fail.
Hi
I configure the L2TP vpn an ASA-5520.I configured by the CLI mode.But I cant not connected to my laptop by vpn.A error is coming to my windows 7 laptop. The name of the error
789 error. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
In this regards what I do?????make sure IKE and AuthIP IPsec Keying Modules" service and the "IPsec Policy Agent" service is up and try to upgrade your network adapter driver
Sent from Cisco Technical Support iPad App -
How to configure ACS to authenticate Modem with radius
Hi,
How do I configure ACS to authenticate and authorize modem users with radius. My problem is with authorization(authentication is ok in the debug). Do I need to configure specific Av pairs (006 and 007 in IETF)Hi Dominic,
Are we have Microsoft radius server or ACS?
Yes, these attributes should be configured.
006-service-type: login
007-framed-protocol: PPP
HTH
JK -
Mac registration with L2FM failed
My Logfile on Nexus 6K is fiilled with Logs like below:
Nexus Version is: 7.0(3)N1(1)
2014 Sep 12 14:49:11 Nexus-6K %ADJMGR-3-MAC_REG_FAILED: adjmgr [3727] Mac registration with L2FM failed for mac xxxx.xxxx.xxxx, iod Vlan191, phy iod: port-channel169
2014 Sep 12 14:49:24 Nexus-6K %ADJMGR-3-MAC_REG_FAILED: adjmgr [3727] Mac registration with L2FM failed for mac xxxx.xxxx.xxxx, iod Vlan108, phy iod: port-channel91
2014 Sep 12 14:49:36 Nexus-6K %ADJMGR-3-MAC_REG_FAILED: adjmgr [3727] Mac registration with L2FM failed for mac xxxx.xxxx.xxxx, iod Vlan108, phy iod: port-channel91
2014 Sep 12 14:49:58 Nexus-6K %ADJMGR-3-MAC_REG_FAILED: adjmgr [3727] Mac registration with L2FM failed for mac xxxx.xxxx.xxxx, iod Vlan191, phy iod: port-channel169
Cisco's document does not explain what is causing this:
Error Message: AM-3-MAC_REG_FAILED Format: Mac registration with L2FM failed for mac %s, iod %s, phy iod: %s
Explanation MAC registration with L2FM failed.
Recommended Action No action is required.
Here is my Logging Configuration:
logging level aaa 5
logging level cdp 6
logging level copp 6
logging level flogi 5
logging level hsrp 6
logging level interface-vlan 5
logging level lldp 5
logging level monitor 6
logging level radius 5
logging level session-mgr 6
logging level spanning-tree 6
logging level track 6
logging level virtual-service 2
logging level igmp 3
logging event link-status default
logging logfile messages 6
logging server x.x.x.x use-vrf x facility syslog
logging monitor 6
Can anyone tell me what are these and how to stop them from occurring. Also would appreciate suggestions on how can I improve logging configuration.Hi Saurabh,
The L2FM is Layer2 Feature Manager which manages the mac-address table and mac-address
registrations and deletions from the hardware table. The L2FM component exists on Nexus
7K. In case of Nexus 5500 and Nexus 6K, there is an equivalent component called FWM. Since
most of the code is re-used in Nexus 6K platform, the references to L2FM need to be
removed/resolved on Nexus 6K code. There is a software bug to fix these L2FM references in
the code. Still the bug is in assigned state, hence the fix for this bug is not yet
available. You can safely ignore these messages, they have no impact. The mac-addresses
are registered with FWM and since there is no L2FM these messages have no impact.
========================================
CSCum82485 Nexus 5500/6000: L2FM messages seen
Symptom:
In a Nexus 6000 switch running NX-OS 7.0(0)N1(1), messages such as following can be seen
%ADJMGR-3-MAC_REG_FAILED: adjmgr [3745] Mac registration with L2FM failed for mac
002a.6a35.b341, iod Vlan250, phy iod: Gateway Port-Channel1:186
%ADJMGR-3-MAC_REG_FAILED: adjmgr [3745] Mac registration with L2FM failed for mac
00d0.03eb.2000, iod Vlan60, phy iod: Ethernet131/1/15
Conditions:
Usually seen when a host comes online.
Workaround:
L2FM is not a valid component on Nexus 6000. These are cosmetic messages and can be
ignored.
HTH
Inayath
***Plz rate the post and mark the thread as closed****** -
Hi,
Does cisco support mpls over atm-ppp-llc
per RFC 2354(PPP over AAL5).
Something like a scenario if Cisco acts as a PE and it gets frames with mpls over atm-ppp-llc from a connected CE ,is it supported in cisco , or it will drop the frames ?
Running mpls over ce-pe link is mandatory for the specific scenario.
Thanks
Thanks in advanceHello,
The MPLS should be supported also on PPP over AAL5. Simply use the "mpls ip" command on the Virtual-Template or the Dialer interface you are using on top of the ATM VC to set up the PPP interface.
The 3640 with proper IOS can support the PE functions. The Enterprise feature sets should be equipped with all features necessary to provide a PE router functionality - basically, the VRF, MPLS, LDP, MPLS VPN support, BGP, BGP VPNv4 support, IGP protocols with VRF support and that should be sufficient.
Best regards,
Peter -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
AlexHi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John -
I get error message: "An error occurred with the publication of album...Authentication with server failed. Please check your login and password information" whenever I open a facebook file in my iPhoto. In each file, most of my photos have disappeared. I am hoping I can retrieve these "lost" files. What do I need to do?
Message was edited by: leroydouglas
better yet, try this solution:
https://discussions.apple.com/message/12351186#12351186
Maybe you are looking for
-
Not able to see GC on web.
GC 10.2.0.1 DB : 10.2.0.4 OS : AIX 5.3 Hello Folks, I have installed GC on exisiting db, without any issue. After installation EM page is not visible on internet explorer. In emoms.log file I have got below error 2009-01-08 17:02:51,849 [XMLLoader0 7
-
Can't upgrade from pdf converter to pro
I can't upgrade from the pdf converter to the pro...It gives me an error message and sends me here to support. How do I upgrade? "Unable to complete request To complete your upgrade, please contact customer support."
-
Plugging camera in G5 via firewire showing up in Motion or FCP
I have a camera that I would like to plug into Motion or Final Cut Pro via the Firewire plug in my G5. Is it possible to have this live feed show up in Motion or FCP? I would also like to know if I could put a Green background in back of a subject as
-
I want to watch ESPN 360 on my tv. Is there a way to hook my Mac Book Pro to my tv to do this?
-
I HOW I FILL PDF FORM WITH HEBROW ON CHROME ?
I HOW I FILL PDF FORM WITH HEBROW ON CHROME ?