VRF and DHCP issue

VRF and DHCP issue
We have a 6500 ( 12.2 (33) SXH5 ) that has a VRF running for our guest network. On this 6500 resides the DHCP pool with a range defined for our guest network. We have a stack of 3750's (12.2 (46) SE) connected to the 6500 with a L3 connection. The 3750's have a local guest VLAN with its gateway defined in a VLAN interface. This VLAN on the 3750 has an IP helper address pointing to an IP within the VRF on the 6500. When debugging DHCP on the 6500, a request is received and sent back out. The client never receives this request.
If a static IP is applied, the client is able to communicate anywhere within the VRF successfully (including pinging the IP within the helper-address. As many posts have pointed out - there is no VRF <name> under the ip dhcp pool <name> within the 6500. I am just wondering if anyone else has run into this and what their solution was.
Thanks.

Hi,
I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

Similar Messages

  • Windows Server 2012 R2 NIC Teaming and DHCP Issue

    Came across a weird issue today during a server deployment. I was doing a physical server deployment and got Windows installed and was getting ready to connect it to our network. Before connecting the Ethernet cables to the network adapters, I created a
    NIC Team using Windows Server 2012 R2 built-in software with a static IP address (we'll say its 192.168.1.56). Once I plugged in the Ethernet cables, I got network access but was unable to join our domain. At this time, I deleted the NIC team and the two network
    adapters got their own IP addresses issued from DHCP (192.168.1.57 and 192.168.1.58) and at this point I was able to join our domain. I recreated the NIC team and set a new static IP (192.168.1.57) and everything was working great as intended.
    My issue is when I went into DHCP I noticed a random entry that was using the IP address I used for the first NIC teaming attempt (192.168.1.56), before I joined it to the domain. I call this a random entry because it is using the last 8 characters of the
    MAC address as the hostname instead of the servers hostname.
    It seems when I deleted the first NIC team I created (192.168.1.56), a random MAC address Server 2012 R2 generated for the team has remained embedded in the system. The IP address is still pingable even though an ipconfig /all shows the current NIC team
    with the IP 192.168.1.57. There is no IP address of 192.168.1.56 configured on the current server and I have static IPs set yet it is still pingable and registering with DHCP.
    I know this is slightly confusing but I am hoping someone else has encountered this issue and may be able to tell me how to fix this. Simply deleting the DHCP entry does not do the trick, it comes back.

    Hi,
    Please confirm you have choose the right NIC team type, If you’ve previously configured NIC teaming, you’re aware NIC teams usually require the assistance of network-side
    protocols. Prior to Windows 2012, using a NIC team on a server also meant enabling protocols like EtherChannel or LACP (also known as 802.1ax or 802.3ad) on network ports.
    More information:
    NIC teaming configure in Server 2012
    http://technet.microsoft.com/en-us/magazine/jj149029.aspx
    Hope this helps.
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • WDS and DHCP issues

    Hi
    I have a series of 1200 series access points, set-up for WDS infrastructure mode to ACS and client authentication to Microsoft IAS.
    When set up in WDS mode, clients authenticate to the IAS server (and event viewer confirms this), but clients do not receive an ip address - even though they do DHCP requests.
    anyone offer advice on any similar issues?

    Can you provide more information on the deisgn?
    Are you using VLANs in your wireless config? If so, does your router or switch have the ip helper address specified for DHCP requests?
    If not, can you obtain an address when the client is plugged into the same port as the access point?

  • Netboot and DHCP Issue - Setting up AST Diagnostic Gateway

    Hi everyone,
    I recently set up a new Mac Mini as a stand-alone server for the Apple Service Toolkit Diagnostic Gateway. Here are the specs of the Mini, if needed by anyone:
    Mac OS X 10.6 Server (patched to 10.6.8)
    2.66GHz Core 2 Duo
    8 GB DDR3 RAM
    I have followed Apple's instructions on how to install/configure AST Diagnostic Gateway from the Service Source page to the T. Installation was no problem and everything went smoothly.
    In Server Admin, I turned on only NFS and NetBoot services (as per the instructions) and configured NetBoot to work via Ethernet with the AST image as the default. Both services are running. I DO NOT have DHCP turned on on this machine, namely because:
    a.) We have a district DHCP server supplying IPs to all our machines, and
    b.) The instructions from Apple actually say to avoid running any services on the AST Gateway machine besides NFS and NetBoot.
    I gave the server a static IP and reserved it in our DHCP server. I also registered my Gateway Manager with my Apple ID and ASP location, etc. so it can connect to the repositories.
    However, when I plug in a remote host on the same network segment (same subnet), it will not netboot. I get the flashing globe for about 20 - 30 seconds and then the system boots normally into the OS. When going into System Preferences > Startup Disk, it does not see the AST server.
    If I turn AFP on, I can connect to it that way and view the image files, etc. The permissions are set so that everyone can read the image files.
    What am I missing? The only thing I have been able to find so far are these entires in the NetBoot log within Server Admin:
    Jul  6 13:06:48 localhost servermgrd[58]: servermgr_dhcp:bootp config:Error:Failed to create default subnet records
    Jul  6 11:47:43 localhost configd[32]: bootp_session_transmit: bpf_write(en1) failed: Network is down (50)
    It appears that the remote host is not getting a proper DHCP address and therefore cannot see the netboot server..?
    Any suggestions or help would be greatly appreciated!

    The NetBoot service does not need to run on a server also running DHCP so you are ok on that front, you will only need AFP if you are going to use diskless NetBoot. Can you however provide more details as to your NetBoot configuration, e.g. what Interfaces have you enabled it to serve on, what archictectures are supported, have you configured any restrictions as to models that can connect, have you configured a filter for MAC addresses, etc.?
    The first thing to do is to get things so the NetBoot image does show up in Startup Disks, then worry later about actually trying to NetBoot.
    The error you listed of "Jul  6 11:47:43 localhost configd[32]: bootp_session_transmit: bpf_write(en1) failed: Network is down (50)" might be suggesting you have enabled the NetBoot service on a network interface which is not in use. Some models of Mac such as the Mac Pro and XServe have two Ethernet interfaces. Even on the Mac mini you are using the built-in Ethernet and built-in AirPort (WiFi) still count as two interfaces. On the Mac mini normally en0 is the built-in Ethernet and en1 is the AirPort.

  • 4500X L3 MEC + VRF + DHCP issue

    Good morning -
    I have a pair of 6513 in a VS40 (VSS quad sup) connected via L3 MEC to a VSS pair of 4500X. Active to Active and Standby to Standby connected in a L3 MEC port-channel that is also a vnet trunk:
    (Core)
    interface Port-channel5
    description Distribution Uplink
    no switchport
    vnet trunk
    ip dhcp snooping limit rate 100
    ip address 172.20.68.1 255.255.255.252
    ip ospf message-digest-key 1 md5 XXX
    spanning-tree guard root
    (4500 Distribution)
    interface Port-channel1
    description Core Uplink
    vnet trunk
    ip arp inspection trust
    ip address 172.20.68.2 255.255.255.252
    ip ospf message-digest-key 1 md5 XXX
    The interfaces are all using LACP mode Active inside the channels
    On the 4500 we have a global routing table and a vrf. Both have helper addresses pointing to the DHCP server which is extranet service behind the 6513 Core.
    interface Vlan2301
    description Global Routing Table
    ip address 172.19.68.1 255.255.255.0
    ip helper-address 10.4.16.222
    interface Vlan2512
    description VRF
    vrf forwarding RED
    ip address 10.217.5.1 255.255.255.0
    ip helper-address 10.4.16.222
    DHCP for the Global Routing Table subnet works. DHCP for the VRF does not.
    What is interesting is if we shut down the link that is connected to the standby 4500 (Te2/1/1) DHCP starts to work for the VRF.
    Using <debug ip dhcp server packet detail> at the 4500 here is what I am seeing.
    When both links are up and DHCP is failing for the VRF:
    Mar 10 20:02:02.419: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
    Mar 10 20:02:10.473: DHCPD: Reload workspace interface Vlan2512 tableid 3.
    Mar 10 20:02:10.473: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
    Mar 10 20:02:10.474: DHCPD: client's VPN is RED.
    Mar 10 20:02:10.474: DHCPD: using received relay info.
    When I shut the Te2/1/1 link down in the L3 MEC at the 4500 DHCP starts to work for the VRF RED:
    Mar 10 20:04:41.354: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
    Mar 10 20:04:41.369: DHCPD: Reload workspace interface Port-channel1.2002 tableid 3.
    Mar 10 20:04:41.369: DHCPD: tableid for 172.20.68.2 on Port-channel1.2002 is 3
    Mar 10 20:04:41.369: DHCPD: client's VPN is .
    Mar 10 20:04:41.369: DHCPD: forwarding BOOTREPLY to client 001a.6b3a.5613.
    Mar 10 20:04:41.369: DHCPD: no option 125
    Mar 10 20:04:41.369: DHCPD: broadcasting BOOTREPLY to client 001a.6b3a.5613.
    Mar 10 20:04:41.369: DHCPD: no option 125
    Mar 10 20:04:44.808: DHCPD: Reload workspace interface Vlan2512 tableid 3.
    Mar 10 20:04:44.808: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
    Mar 10 20:04:44.808: DHCPD: client's VPN is RED.
    It is like there is a bug that is treating the L3 MEC as a L2 MEC when both links are present; or the VNET trunk is not being processed correctly.
    Has anyone else used a L3 MEC with a VRF and a DHCP helper with success? Is this a bug?
    03.05.01.E is the code we are running on the 4500X-32(SPF+)
    This is also with TAC but I thought I would share with the community in case anyone else has a similar environment or if Cisco experts want to comment.

    Hi,
    I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

  • XML Parser for PL/SQL and related issues

    I need to have further information about some of the following
    issues and XML features and make a determination useful for
    evaluation and recommendation:
    ISSUES
    1) Is there a maximum size for an XML document to provide data
    for PL/SQL(or SQL) across tables, provided that no CLOB are used?
    2) How about from Oracle to an XML document ?
    3) Is there a ratio between XML document size and main memory and
    SGA size. What are Oracle's recommendations /
    4) Can the Oracle Application Server run on a DHCP NT server when
    using XML parsing ? Is it NT Service Pack 3 and 4 compatible ?
    5) How parsers can interact with one another or related tools ?
    For example, how the XML parser for c/c++ could be useful when
    using Pro*C/C++ (programmer 2000) or OCI interfaces ? In other
    words, what is the business logic in using these tools ?
    null

    Anthony D. Noriega (guest) wrote:
    : I need to have further information about some of the following
    : issues and XML features and make a determination useful for
    : evaluation and recommendation:
    : ISSUES
    : 1) Is there a maximum size for an XML document to provide data
    : for PL/SQL(or SQL) across tables, provided that no CLOB are
    used?
    The limit should be what can be inserted into an object view.
    : 2) How about from Oracle to an XML document ?
    The limit should be what can be retrieved from an object view.
    : 3) Is there a ratio between XML document size and main memory
    :and SGA size. What are Oracle's recommendations /
    Not directly due to the relationship between XML metadata and
    data not being constrained.
    : 4) Can the Oracle Application Server run on a DHCP NT server
    : when using XML parsing ?
    If it can run a JavaVM with the correct permissions there are no
    other special requirements.
    :Is it NT Service Pack 3 and 4 compatible ?
    No special requirements here.
    : 5) How parsers can interact with one another or related tools ?
    : For example, how the XML parser for c/c++ could be useful when
    : using Pro*C/C++ (programmer 2000) or OCI interfaces ? In
    other
    : words, what is the business logic in using these tools ?
    Not really sure of your question. The XML components are useful
    in any application where I am processing documents or data with
    an XML structure. The choice to use XML can be based on quite a
    range of requirements due to its declarative syntax and open
    standards. If you give me a specific application, I can perhaps
    be more helpful.
    Oracle XML Team
    http://technet.oracle.com
    Oracle Technology Network
    null

  • WLC and Radius issue

    We keep get the following error. And everytime we got this, the clients have been force to re-authentication.
    Any idea?
    Thanks,
    RADIUS server 10.108.32.33:1812 activated on WLAN 1
    RADIUS server 10.140.4.9:1812 deactivated on WLAN 1

    Go to clients. Look up the client by mac address and look at the PEM state. It will tell you why the client is failing ..
    DHCP_REQ is meaning there is a DHCP issue
    8021x_REQ means it failed auth
    You could also turn off exclude as a test, perhaps these clients are a little slow to auth.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Wierd DHCP Issue

    Hello All,
    I facing a very wierd  DHCP issue and would like to know your thoughts on it.
    I have my wired clients on vlan 1 and wireless cleints(eap-peap) on VLAN 2.
    We are facing an issue where multiple wired clients who were on access port vlan 1 are receiving IP address from wireless subnet(vlan2) -their DHCP server was the WLC virtual gateway IP address(1.1.1.1). This is causing an outage to few wired clients.
    The WLC trunk does not have vlan 1 allowed on its ports and all APs are in local mode and all on access vlan.
    I'm not entirely sure whats causing this, but only way I think this is possible is  that 'A Client' laptop has his network connections  bridged - his wired nic on VLAN 1 and wireless NIC on vlan 2, acting like a WGB, which is causing new wired clients(vlan1) DHCP broadcast request forwared through the bidge mode laptop to AP--> WLC. Do you think this is possible??
    Havent been able to identify which client is causing this issue yet.
    Has anyone faced a similar issue and anyway to block this through WLC/ACS policy?
    Thanks
    Jino

    Hi,
    Might we consider to make use of network monitor to take a look at the traffics for the 1.1.1.1 address?
    How to use Network Monitor to capture network traffic
    Download link here:
    Microsoft Network Monitor 3.4
    Best regards
    Michael Shao
    TechNet Community Support

  • Guest Wireless Tunnelling - DHCP Issue

    Hi,
    I'm attempting to implement Guest Anchor tunnelling between two WLC's but I've run into an odd issue I cannot find a clear answer to.
    We have two 5508 WLC's, both Running 7.4.100.0.
    The Guest Anchor Controller obviously resides in a DMZ, it's functionality has been proven by connecting an AP directly to it, and connecting the the guest WLAN.
    The two controllers have been configured as Mobility Peers, the Mobility Tunnel between them is up (mping and eping both successful, status is up).
    The Guest WLAN has been replicated on both controllers, I have set the Mobility Anchor on the WLAN. The Guest Anchor has itself as the mobility anchor and the Internal Controller has the Guest Anchor set.
    DHCP is provided by the Guest Anchor's internal DHCP Server. DHCP Proxy is enabled on both Controllers, with the Option 82 format set to AP-MAC. Both Controllers WLAN settings are set to DHCP Server Override, pointed to the Management IP of the Guest Anchor and DHCP Addr. Assignment required.
    The problem I'm experiencing is with connecting clients through the Internal WLC. The Client Associates to the Internal WLC and obtains a lease from the Guest Anchor and connects to the network. A few seconds later the client is dessociated from the internal controller. On every subsequent connection attempt, the client does not recieve a response to it's DHCP Requests, and hence ends up with an apipa address.
    The Message logs on two controllers return the following errors:
    INTERNAL CONTROLLER:
    *apfReceiveTask: Jun 27 14:03:25.839: #APF-4-HANDOFF_END_RCVD: apf_mm.c:1626 Handoff end received in wrong role (peer Ip: 0.0.0.0, sender:GUEST_ANCHOR_IP, Role:0) for mobile Client_MAC
    GUEST ANCHOR CONTROLLER:
    *DHCP Server: Jun 27 14:03:14.466: #DHCP-4-REQIP_NOT_PRESENT: dhcpd.c:559 Received a packet without a requested ip!.
    Has anyone else seen similar behaviour? Does anyone have an ideas what might be causing this?
    Many Thanks,
    Paul

    Hi George,
    Thanks for the reply.
    The Guest WLAN on the Internal Controller is Anchored to the WLC in the DMZ. The Guest Anchor is anchored to itself.
    There are only two controllers in the configuration, so breaking off one of the Anchors isn't really an option.
    I have tested the Guest Anchor as a Standalone WLC by connecting an AP directly to it, in that configuration DHCP works as expected.

  • Unable to connect to my network (DHCP issue)

    Hello,
    Here is a description of my issue:
    My thinkpad T43 (running on XP/SP2) has lost its connectivity to my router (Netgear WGR614) after being connected without an issue for several months. Both wireless and ethernet adapters are unable to reconnect. I also have a T60 and a HP desktop that are connected to the same router, via wireless and ethernet cable respectively.
    The IPCONFIG command shows the adapters as 'media disconnected' and a "ipconfig  /renew" command comes back with an error "unable to contact your dhcp server".
    Following are what i have attempted with no success so far::
    1. Upgraded the Thinkpad access connection utility
    2. Upgraded the router firmware
    3. Repaired/reinstalled the wireless adapter
    4. Restarted the WirelessZero service
    4. Downloaded and ran the LSPFix and WinsockFix utilities
    5. Manually executed the following:
    Reset TCP/IP stack to installation defaults, type: netsh int ip reset reset.log
    Reset WINSOCK entries to installation defaults, type: netsh winsock reset catalog
    6. Rebooted the thinkpad,router and cable modem several times in several sequence
    After i reset the TCP/IP stack, the ip config has defaulted to a 169.x.x.x address. I understand that it is caused when DHCP server is not available to assign an address, but how do i get this to work?
    I have even tried to force an ip address through the TCP/IP properties and manually assigned the router's ip as the default gateway and DHCP server address in the setting, to no effect. In this case, the thinkpad connects to the wireless network but does not connect to the internet.
    I have looked at other threads discussing similar issue and have mostly followed their suggestions to no avail. Can someone please help me fix this issue? I will be left with only this thinkpad in a few days, so i have to get this fixed.
    Your help and patience (in reading this email) is much appreciated.
    Thanks.
    Solved!
    Go to Solution.

    I tried to connect to the only unsecure network available in my vicinity, but i could not. The same issue followed.
    What i notice in the result of running ipconfig is this: (In addition to the LAN and wireless adapters, i see another  interface)
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    Connection-specific DNS Suffix .:
    IP Address...................................:?
    Default Gateway..........................:
    I do not remember when this started showing up, but im sure this was not listed in the begining of this problem. Does anyone know the use of it or if this is causing the problem?

  • WRT55AG - Denial Of Service / security hole, and other issues

    Im using a V2 of the WRT55AG using 1.79 firmware.
    I suffered many perplexing issues when connected directly to my cable modem.
    1 It would lock up and no data transversed it
    2 Its web interface would no longer exist
    3 Some types of data would be blocked
    4 It would stop doing DHCP
    5 Ping times to it from the LAN side would increase in 1 minute intervals for hours or until power cycled
    6 Data rates would slow randomly.
    These problems would occur separately and in combinations. They would occur randomly but some issues would occur daily.
    Left alone the router would 100% lock up in a matter of days. This occurred 100% of the time.
    Rebooting was a daily and sometimes hourly ritual.
    After reading in many forums of the known issues with this router I purchased a BEFSR41 as replacement.
    ALL of my problem were gone. This of course isolated the issues I was having to the WRT55AG.
    I then hooked up the WRT55AG _after_ the BEFSR41.
    The problems with the WRT55AG disappeared. Completely. It suddenly worked for weeks perfectly.
    I then tried setting the BEFSR41's DMZ to the IP of the WRT55AG exposing the WRT55AG to the net directly.
    The issues returned.
    So the WRT55AG is crashing and suffering from various problems because of some hostile internet packets. Effectively it suffers major security issues and a denial of service from something that is present from the internet. I did not isolate what ports+packets were causing the DOS condition.
    Im sure the WRT55AG has some code that is vulnerable to attack because it crashes when exposed to the net. This is a serious issue.
    This is a sad state of affairs. I paid good money for the router. Its too late to get my money back. I would settle for a 802.11A WAP.
    I want a *FIX* for the obvious security hole that could expose anyone on the LAN side of the wrt55AG router to attack if the router/firewall is compromised. I want my WRT55AG to work as intended or at least as well as the BEFSR41 I own.
    I also feel if the source code was still open, then these problems would not exist. At the very least, some other 3rd party version of firmware would be available that would work in the router and any issue would get prompt attention and a quick solution from a open source team. The decision by Linksys to move away from open source firmware will erode the quality of the brand by making products less reliable.
    WHEN will a new version of the firmware be available for the WRT55AG ?
    If not how do I go about returning a well documented defectively engineered product for a product that works ?

    I would like to see a update to fix the various issues with this router. When will this be available ?
    -OR-
    If this product is considered End Of Life, I would like to get confirmation that no future firmware update will occur.
    As this product was defective out of the box and has never been fixed, I would like a replacement product please. My serial number is # MDJ106802225
    Message Edited by Xymox on 08-13-2008 11:28 AM

  • IPoE BNG and DHCP on the ASR9K

    Hi,
    can some one tell me if this is possible.
    I have a bundle Interface -using ambiguous VLANS:
    interface Bundle-Ether100.1
    vrf customers_1
    ipv4 unnumbered lo2
    ipv4 point-to-point
    arp learning disable
    service-policy type control subscriber UFB_DHCP
    ipsubscriber ipv4 l2-connected
      initiator dhcp
    encapsulation ambiguous dot1q any second-dot1q any
    I have two loopback interfaces:
    interface lo2
    vrf customers_1
    ipv4 address 100.64.0.1 255.255.128.0
    interface lo3
    vrf customers_1
    ipv4 address 200.200.200.1 255.255.254.0
    I am authenticating users using option82 remote-id, and DHCP for address allocation.  I want to use RADIUS to send back attributes, to set the users template, and, somehow set the dhcp giaddr so that the user gets an address from the correct pool.
    ie. put the user into this template:
    dynamic-template
    type ipsubscriber CUSTOMER
      vrf customers_1
      ipv4 unnumbered Loopback3
    and have them then given an address in the lo3 (200.200.200.0) range.  No matter what i do the dhcp giadd remains the address of the Bundle Interface.
    I have tried all sorts of radius attributes:
    Cisco-AVPair = 'subscriber:service-name=CUSTOMER'
    Cisco-AVPair = 'subscriber:command=activate-service'
    I have tried:
    Cisco-AVPair= 'ipv4:ip-unnumbers=Loopback3'
    Cisco-AVPair= 'subscriber:classname=lo192'  - and creating a dhcp class to set giaddr
    I get a "aaa_type invalid attribute, flags 0x21"
    I am at a bit of loss, and am not sure if what I am wanting to do is even possible.
    though if set the template statically via an onboard policy things seem to work, and my user gets an address from the correct loopback.
    any help would be appreciated.
    ta.

    Alexander,
    thanks for your reply,
    If I use
    Cisco-AVPair = 'subscriber:sa=UFB_CUSTOMER'  -> sets dynamic template
    Cisco-AVPair += 'ipv4:ipv4-unnumbered=Loopback3' -> sets ipv4 loopback
    I get the following form the RADIUS debug (showing template, and loopback understood by RADIUS)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Radius packet decryption complete with rc = 0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS: Received from id 195 202.74.33.109:1812, Access-Accept, len 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:   Vendor-Specific    [26]    34             
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:  authenticator F2 4D D3 E7 B1 E8 90 D3 - F8 77 F1 1C 28 36 E9 6C
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:   Vendor-Specific    [26]    41             
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:  Reply-Message       [18]    26      User authenticated - UBA
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: pack_length = 121 radius_len = 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: rad_nas_reply_to_client: Received response from id : 195,packet type 2
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Total len = 121, Radius len = 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: filter not found
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: This is sub-string of the Loopback interface name
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Loopback attribute value: Loopback3
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Reply-Message, aaa_type reply-message, flags 0x100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Reply-Message fragments, 24
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: , total 24 bytes
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: RADIUS: parsing sevice 'UFB_CUSTOMER' (len 12)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully stored the preferred server info
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Freeing server group transaction_id (B1000047)
    output from show subscriber running:
    Subscriber Label: 0xff
    % No such configuration item(s)
    dynamic-template
    type ipsubscriber UFB_CUSTOMER
      vrf customers_1
    The subscriber shows up as a session:
    RP/0/RSP0/CPU0:tpisp-cr02-h#show subscriber session all
    Thu Nov 28 13:38:05.389 UTC
    Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
           ID - Idle, DN - Disconnecting, ED - End
    Type         Interface                State     Subscriber IP Addr / Prefix                             
                                                    LNS Address (Vrf)                             
    IP:DHCP      BE100.1.ip71             AC        100.64.0.98 (customers_1) 
    However..
    the ip address range is from the loopback 2 address, (this is the loopback bound to the unbundled BNG interface)
    My understanding is that the giaddr address should have been changed to the ip address of lo3, which is the loopback specified in the RADIUS attribute.
    dhcp debug: (this is the dhcp debug that follows directly after the RADIUS debug)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PACKET: TP1225: Process packet event, client mode: PROXY
    RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PROXY: TP1955: FSM called for chaddr 000c.4270.6e7c with event DPM_SUCCESS state INIT_DPM_WAIT
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PROXY: TP1917: Process client request called for chaddr 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP1883: Giaddr not present, Set giaddr 100.64.0.1, chaddr 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP571: L3 packet TX unicast to dest 202.74.33.108, port 67, source 100.64.0.1, vrf 0x60000003 (1610612739), tbl 0xe0000012 (3758096402)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ---------- IPv4 DHCPD --- dhcpd_iox_l3_unicast_packet -------
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: VRF name (id): customers_1 (0x60000003)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 src: 100.64.0.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst: 202.74.33.108
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst port: 67
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: L3 input Intf: Bundle-Ether100.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Output Intf: Null
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: FROM: L3
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: NETWORK_ORDER
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Info
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 1: 0x8100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 1: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 1: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 1: 101 (0x65)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 2: 0x8100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 2: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 2: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 2: 23 (0x17)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666:
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: op:     BOOTREQUEST
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: chaddr: 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: xid:    0x303751ed
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: flags:  0x8000 (broadcast)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ciaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: yiaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: siaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: giaddr: 100.64.0.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: cookie: 0x63825363
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: MESSAGE_TYPE: DISCOVER
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: PARAMETER_REQUEST data: "0x01-79-03-21-06-2a"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: CLIENT_IDENTIFIER data: "0x01-00-0c-42-70-6e-7c"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: HOST_NAME data: "MikroTik"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION: CIRCUIT_ID: 0x01-0f-43-48-4f-52-55-53-31-30-30-30-30-30-34-35-33
    I tried changing the dynamic template to service rather than ipsubscriber, this did not make a difference.  You make a reference to DHCP classname.  I have defined a DHCP class, however do not know how to match or force the use of a particular class by using a RADIUS attribute.
    Thanks,
    Mike

  • Very weird dhcp issue

    We've started 're-vlanning' our main location here, breaking up depts
    into their own vlans.
    All seems ok so far, aside from a real doozy.
    For the IT vlan, we have one address that will not talk to our web
    content mgmt appliance. It's the 2nd address in our assignable pool,
    and it doesn't matter if it's dhcp or statically assigned, that address
    will not talk to that device.
    That is the *only* device that cannot be reached from this particular
    address in our dept vlan, every other one works fine.
    Any ideas on this?
    Stevo

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    > and it doesn't matter if it's dhcp or statically assigned, that
    > address
    So.... the title of this thread should actually be 'Very weird non-DHCP
    issue', since your own testing confirms this has nothing to do with DHCP?
    If you do a LAN trace on this machine as well as your web content
    management appliance do you see packets on either side? Both sides? If
    not on both sides but you do on the source (workstation) side see
    packets going out, then get LAN traces after each network device
    (switch, router, firewall, etc.) to see when the packets disappear.
    Feel free to post the LAN traces somewhere with descriptions of IPs,
    ports, and what you should be seeing, if you want to post them somewhere
    for review.
    Good luck.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
    iQIcBAEBAgAGBQJP4jFPAAoJEF+XTK08PnB55aMP/3Rg9u6LX6jFCXGYuex/oXdS
    NZ/liqfCgjyIcykWWeKGgdtm2I7JZOcFiG8YW2le55mcltvCL1VJW +1VGng4kZER
    0f4hjfyQ3CcQ6HIU3RM6VL5U2Pblb80MsEQe0qo0xgtPXipmjs i7Q0xIv9p0wT7A
    7JMkfgM9tfuI5Yro+BDLfSIkFWicKuKs1sKpNugKalPuyyRrzW IiznoalIKFshon
    a40ETLJVZmngBYfqfeZL9nPNsFlveFNXrDkdbl2WbaprsHtNnA NwZfVUIlc5kOCT
    MknY0GXof4/tk149OVCCLgjEzoRtTIZH0BJTHQwW7ANkWUUNYwi49+Mk46V0o awl
    oe1aA+NK9gl2bWXWLCtTro4ERSVMvkcI0OffytrfcBsqdCKg/g3QPMjV3kiVEULI
    xnSTsqFgOl2qO8qGaL6FJtk39ZBnCwqDPtmoNt93OK4hAhWBuA Xihc+kiQHrwkpO
    O04quZu8qQG6A6qwFDr+r+QqarFR3kielfvi7H6o5iLfZn/sDhvijGOAknJVctH8
    j8fezki9PMznkcT+of2Oe4T99K9fChN2WFSgUKdlpkYSjbkmjP fdbWloou+WBjCm
    7hHwnAbKPPgoN8aPPfw9rG9E+K/0YW2kt4wRu79BEDvF6eMv0UdDPE1qPuw1ttmm
    jg2zzMZDkgIG39A0P3u7
    =+fCy
    -----END PGP SIGNATURE-----

  • Radius, and DHCP DNS info

    I have recently turned on the Radius server, and it seems to work fine, and has taken control of my Airport base station which is great. I only have one problem which is that the DHCP info provided by the server to the clients only seems to give one of the 2 DNS addresses that I have listed in the DHCP server info section. This is rather frustrating as it worked fine with WPA!
    Any thoughts?

    I just upgraded from a 2008 domain to 2012. I followed all the best practices, set up new 2012 DC and transferred all roles to it then removed the 2008 server. I just have the one DC at the moment and it's running both DNS and DHCP. Ever since we've had some odd DNS issues which usually require a reboot of the server to fix. Now at this point I'm digging through DNS and DHCP and seeing that a lot of client IP addresses are not matching up. DNS does not have the correct IP's for several clients. How can I fix dns?
    This topic first appeared in the Spiceworks Community

  • 6500 DHCP ISSUE

    Hello All,
    I am having an issue do DHCP from the 6500, and was hoping someone cant help. So, I tried to setup DHCP from the FWSM to the clients and this worked fine with giving out the IP, however the gateway for devices on the inside is supposed to be the 6500, not the FWSM, which is why the clinets wouldn't get out to the internet. Do I need to set up DHCP relay on the FWSM or does anyone know the way I can setup DHCP on the 6500 to give out IP's to the clients. Again just to reiterate, when I setup DHCP on the FWSM the clinets get the IP's but do not get out to the internet and when I setup DHCP on the 6500 the clients do not get an IP. Also I know tghis is a dhcp issue becasue when I assign a static address on the network the clients get out fine. Thanks in advance for the help!
    6500 Config
    ip dhcp pool TEST
       network 1.1.1.0 255.255.255.0
       default-router 1.1.1.1
       dns-server x.x.x.x y.y.y.y
    FWSM Config
    FWSM/TEST# show run
    interface Vlan3
    nameif outside9
    bridge-group 1
    security-level 0
    interface Vlan203
    nameif inside9
    bridge-group 1
    security-level 100
    interface BVI1
    ip address 1.1.1.4 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    access-list INSIDE1_IN extended permit ip any any
    global (outside1) 1 x.x.x.x
    nat (inside1) 1 1.1.1.0 255.255.255.0
    access-group INSIDE1_IN in interface inside1
    route outside1 0.0.0.0 0.0.0.0 1.1.1.1 1
    FWSM/TEST#

    Hello Alain,
    Thanks for your quick response. I attached a Diagram of the layout. Just to let you know this is an FWSM with many virtual contexts and most including this one that are Transparent. I understand that I need an access-list on both ends to specifiy so the FWSM opens it, I am just having issue because the FWSM sees this as unsual traffic and the access-list needs to be on-point to work. Thank you for the response and I'll look forward to hearing back from you.

Maybe you are looking for