[cisco-bba] LNS Error on Cisco ASR 1004

Dominic dominic at broadconnect.ca
Thu Jan 3 12:32:00 EST 2013 

Thanks for your suggestions, Chris:

≫ ? If yes, try removing the following attribute from your tunnel
configuration:
≫ | 123 | telco1-pppoe-static | Cisco-Avpair           | += |
interface-config=ppp ipcp dns xx.xx.xx.234 xx.xx.xx.235 |

Yep, tried that, same result.  I have whittled down the supplied radius
attributes to the barest minimum, but the result is the same. Also applied "
aaa policy interface-config allow-subinterface", both on the ASR and via
radius, and the result is same.

>> Is radius authentication performed and does the
>>  error appear _after_ the authentication during setup of the channel?

After_authentication.  As far as I can tell, the radius negotiation
completes successfully, the vtemplate is cloned successfully, and IP even
assigned, before interface goes down. See quick snapshot form the vtemplate
debug:


Jan  3 12:22:42 aggr.rt1 468674: 8w5d: VT[Vi3]:Added new vtemplate cloneblk,
now cloning from vtemplate
Jan  3 12:22:42 aggr.rt1 468675: 8w5d: VT[Vi3]:Clone Vaccess from
Virtual-Template1 (79 bytes)
Jan  3 12:22:42 aggr.rt1 468676: 8w5d: VT[Vi3]:mtu 1492
Jan  3 12:22:42 aggr.rt1 468677: 8w5d: VT[Vi3]:no ip redirects
Jan  3 12:22:42 aggr.rt1 468678: 8w5d: VT[Vi3]:ip tcp adjust-mss 1420
Jan  3 12:22:42 aggr.rt1 468679: 8w5d: VT[Vi3]:logging event link-status
Jan  3 12:22:42 aggr.rt1 468680: 8w5d: VT[Vi3]:end
Jan  3 12:22:42 aggr.rt1 468681: 8w5d: VT[Vi3]:Applying config commands on
process "VTEMPLATE Background Mgr" (528)
Jan  3 12:22:42 aggr.rt1 468682: 8w5d: VT[Vi3]:mtu 1492
Jan  3 12:22:42 aggr.rt1 468683: 8w5d: VT[Vi3]:no ip redirects
Jan  3 12:22:42 aggr.rt1 468684: 8w5d: VT[Vi3]:ip tcp adjust-mss 1420
Jan  3 12:22:42 aggr.rt1 468685: 8w5d: VT[Vi3]:logging event link-status
Jan  3 12:22:42 aggr.rt1 468686: 8w5d: VT[Vi3]:end
Jan  3 12:22:42 aggr.rt1 468687: 8w5d: VT[Vi3]:Request took 2 msec, 2 msec
processing time
Jan  3 12:22:42 aggr.rt1 468688: 8w5d: VT[Vi3]:MTUs ip 1492, sub 1492, max
1492, default 1500
Jan  3 12:22:42 aggr.rt1 468689: 8w5d: VT[Vi3]:Processing vaccess response,
id 0x6D000D09, result success (1)
Jan  3 12:22:42 aggr.rt1 468690: Jan  3 12:22:42: %LINEPROTO-5-UPDOWN: Line
protocol on Interface Virtual-Access3, changed state to up
Jan  3 12:22:42 aggr.rt1 468691: Jan  3 12:22:42: %LINK-3-UPDOWN: Interface
Virtual-Access3, changed state to up
Jan  3 12:22:42 aggr.rt1 468692: Jan  3 12:22:42: %FMANRP_ESS-4-FULLVAI:
Session creation failed due to Full Virtual-Access Interfaces not being
supported. Check that all applied Virtual-Template and RADIUS features
support Virtual-Access sub-interfaces. swidb= 0x7FEDB5942B98, ifnum= 37


Dominic

-----Original Message-----
From: Christoph Loibl [mailto:cl at sil.at] 
Sent: Thursday, January 03, 2013 2:40 AM
To: Dominic
Cc: cisco-bba at puck.nether.net
Subject: Re: [cisco-bba] LNS Error on Cisco ASR 1004

Hi Dominic,

On Jan 3, 2013, at 1:21 AM, "Dominic" <dominic at broadconnect.ca> wrote:

> "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access
Interfaces not being supported. Check that all applied Virtual-Template and
RADIUS features support Virtual-Access sub-interfaces. swidb=
> 
> 0x7FEDB5942B98, ifnum= 37"
> 
> 
> The funny thing is, if the CPE is a Cisco 1841, the pppoe negotiation is
successfully negotiated, and everything works great. If some other CPE
however, we end up with the above error. 
> 
> Any idea what we are doing wrong?      

Some features you use may require a Full Virtual-Access to be created on the
ASR which is, as far as I know, not supported on the ASR1k. Additionally
some attributes sent by the radius may force the ASR to create a full Va.
(Cisco-AVPair Interface-config is my first guess)

Is radius authentication performed and does the error appear _after_ the
authentication during setup of the channel? If yes, try removing the
following attribute from your tunnel configuration:

| 123 | telco1-pppoe-static | Cisco-Avpair           | += |
interface-config=ppp ipcp dns xx.xx.xx.234 xx.xx.xx.235 |

^^^^ (By the way: Does this attribute really make sense/matter at all? When
you forward the session to a remote LAC IPCP is performed by the remote LAC
not the LNS itself)

You may also try to add the following configuration line on the LNS:

aaa policy interface-config allow-subinterface

And/or add the following to the response attributes of that particular user
on the radius:

Cisco-Avpair += lcp:interface-config=allow-subinterface=yes

Best regards

Christoph

-- 
SILVER SERVER \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\ \\ \
Ing Christoph Loibl, MSc <cl at sil.at>           Senior Network Engineer
CL8-RIPE                                             http://www.sil.at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-bba/attachments/20130103/953b623b/attachment.html>

More information about the cisco-bba mailing list