[cisco-nas] RE: cisco-nas Digest, Vol 16, Issue 3
Crooks, Samuel
scrooks at aristocrat-inc.com
Wed Jun 9 20:21:22 EDT 2004
In regards to the NAS and MS IAS issue..
I recently had an issue with IAS under Windows Server 2003 where the HAD
to have MS-CHAP-V2 as the authentication method set on the AS5350 (ppp
authen ms-chap-v2 default callin), despite other authentication methods
being selected on the IAS server (all of them)... turned out to be a
bug/feature of IAS for async connections... increased security.
I would say check that you have Framed-Protocol=PPP and
Service-Type=Framed in the policy
Sam Crooks
Systems Engineer
Aristocrat Technologies
www.aristocratgaming.com
-----Original Message-----
From: cisco-nas-request at puck.nether.net
[mailto:cisco-nas-request at puck.nether.net]
Sent: Wednesday, June 09, 2004 9:00 AM
To: cisco-nas at puck.nether.net
Subject: cisco-nas Digest, Vol 16, Issue 3
Today's Topics:
1. NAS and Microsoft IAS (Scott Farrand)
2. AS5350 Connection Problems (Melvin C. Etheridge)
3. 5300 Stable IOS (Melvin C. Etheridge)
4. Re: AS5350 Connection Problems (John McKinney)
----------------------------------------------------------------------
Message: 1
Date: Tue, 08 Jun 2004 11:20:06 -0700
From: "Scott Farrand" <scottfarrand at msn.com>
Subject: [cisco-nas] NAS and Microsoft IAS
To: cisco-nas at puck.nether.net
Message-ID: <BAY4-F283oHT3RsOu210001c33f at hotmail.com>
Content-Type: text/plain; format=flowed
Can anyone give me some ideas about how I can successfully get IAS to
work with an AS5200?
I've had it working properly with Tacacs on Cisco ACS, but I need to
move to an IAS server for a short time.
The errors I keep getting on the IAS server are in this form:
Access request for user username was discarded.
Fully-Qualified-User-Name = domain\username
NAS-IP-Address = 1.2.3.4
NAS-Identifier = <not present>
Called-Station-Identifier = 2030
Calling-Station-Identifier = 4256401500
Client-Friendly-Name = as5248
Client-IP-Address = 1.2.3.4
NAS-Port-Type = Async
NAS-Port = 1310785555
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 3
Reason = The Remote Authentication Dial-In User Service (RADIUS) request was not properly formatted.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
sections of the config on the NAS:
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login ADMIN radius local
aaa authentication login USERS radius local
aaa authentication enable default enable
aaa authentication ppp USERS&TUNNELS if-needed tacacs+ local
aaa authorization network default radius if-authenticated
aaa accounting exec default start-stop radius
aaa accounting network default start-stop radius
aaa accounting connection default start-stop radius
ip radius source-interface Ethernet0
interface Serial0:23
 description "PRI D channel"
 ip unnumbered Loopback1
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache
 dialer-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 peer default ip address pool default
 no fair-queue
 no cdp enable
interface Group-Async1
 description ASYNC Dial-up line
 ip unnumbered Loopback1
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip tcp header-compression passive
 encapsulation ppp
 async dynamic address
 async mode dedicated
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp authentication ms-chap callin USERS&TUNNELS
 group-range 1 48
radius-server host 10.0.1.2 auth-port 1645 acct-port 1646
radius-server key mysecretkey
Any ideas?
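Added example (not part of the original post or of the digest): a small Python check that cross-references each interface's "ppp authentication" line with the "aaa authentication ppp" method list it names, run on a trimmed, re-indented copy of the config lines posted above. The function names are illustrative.

```python
import re

# Trimmed, re-indented copy of the AS5200 config lines posted above.
CONFIG = """\
aaa new-model
aaa authentication login USERS radius local
aaa authentication ppp USERS&TUNNELS if-needed tacacs+ local
aaa authorization network default radius if-authenticated
interface Serial0:23
 encapsulation ppp
interface Group-Async1
 encapsulation ppp
 ppp authentication ms-chap callin USERS&TUNNELS
radius-server host 10.0.1.2 auth-port 1645 acct-port 1646
"""

PPP_PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
PPP_OPTIONS = {"callin", "callout", "callback", "one-time", "optional"}


def ppp_method_lists(config):
    """Map each 'aaa authentication ppp <list>' name to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication ppp (\S+)\s+(.+)", line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def audit_ppp_auth(config):
    """Report, per interface, which AAA methods its PPP authentication uses."""
    lists = ppp_method_lists(config)
    has_radius = re.search(r"^radius-server host ", config, re.M) is not None
    findings, iface = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1]
        elif raw and not raw[0].isspace():
            iface = None  # back at global configuration level
        elif iface and raw.strip().startswith("ppp authentication "):
            words = raw.split()[2:]
            named = [w for w in words if w not in PPP_PROTOCOLS | PPP_OPTIONS]
            name = named[0] if named else "default"
            methods = lists.get(name)
            issues = []
            if methods is None:
                issues.append("method list is not defined")
            elif has_radius and "radius" not in methods:
                issues.append("radius-server is configured but this list never uses radius")
            findings.append({"interface": iface, "list": name,
                             "protocols": [w for w in words if w in PPP_PROTOCOLS],
                             "methods": methods, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ppp_auth(CONFIG):
        print(finding)
```

On the posted lines it reports that Group-Async1 authenticates PPP through USERS&TUNNELS, whose methods are if-needed, tacacs+ and local, so that list never consults RADIUS even though a radius-server host is defined.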
------------------------------
Message: 2
Date: Tue, 8 Jun 2004 16:19:53 -0400
From: "Melvin C. Etheridge" <mele at enia.net>
Subject: [cisco-nas] AS5350 Connection Problems
To: <cisco-nas at puck.nether.net>
Cc: johnm at wnconline.net
Message-ID: <000301c44d95$f5c2d9b0$19541f0c at enia.net>
Content-Type: text/plain; charset="iso-8859-1"
John,
What did you do to resolve this issue?
Thanks,
Mel
[cisco-nas] AS5350 Connection Problems
John McKinney johnm at wnconline.net
Tue Sep 9 02:34:20 EDT 2003
On Fri, 5 Sep 2003, Aaron Leonard wrote:
Everyone,
I experienced the same problem again tonight, from my login.
Everyone else is assigned an IP from the pool, but I use an assigned IP.
I dialed into box A, data was being exchanged, but very very slow,
25B/s. I disconnected and dialed in as another user. Again, I dialed
into box A. Everything appeared normal with this other user.
I did a traceroute to my ip address and the first hop was box B -
what? Yes the first hop was to box B, then back to box A, then nothing.
Well the nothing I can understand since I was not logged in as myself my
IP would not have been used. But why would it first go to box B? I may
have been logged through it earlier, I'm not sure, but just 5 minutes
before I was dialed in through Box A. So, I telneted to Box B, then did
a 'clear arp-cache'. Telneted into Box A, did a 'clear arp-cache'. I
disconnected and dialed back in as myself and again I hit Box A. Now
everything is working fine.
This sounds like a routing problem to me, not a v.92 problem. Since
all of these boxes are in the same class C network, I am not running any
higher level routing protocols. Simply a default route entry. Any
suggestions or comments? Am I going in the right direction? It seems to
me the arp entries are not getting updated on one or both boxes?
Let me know if I didn't explain this very well and I'll try to clarify.
Thank You,
John McKinney
> > > > On Fri, 5 Sep 2003, Internet Coordinator wrote:
> > > > Greg,
> > > > Another user called in this morning with this problem. Luckily
> > > > they had 2 lines, so I was able to do a little troubleshooting.
> > > > The call looked normal. It showed V.34 and V.92. Connection speeds
> > > > were 26000/24000. I had the user disconnect and enter
> > > > 'AT+MS=v90,0'. They reconnected and this time it was a V.34 call
> > > > and everything worked fine. So, does this mean that the problem is
> > > > a V.92 problem? Any suggestions on how to maintain the V.92 calls
> > > > and resolve the problem?
> > >
> > > > Thank You,
> > > > John McKinney
> > > > WNC ONLINE
> > >
> > > > > We experienced this issue in March when we upgraded all 15 of
> > > > > our 5350s. We didn't have time to worry about it at the time so
> > > > > we downgraded back to 12.1-5.xm8 which also downgraded the
> > > > > firmware for the nextport modems. Now that we have time, we
> > > > > re-upgraded all boxes to 12.3(1a) and added a modemcap
> > > > >
> > > > > modemcap entry next:MSC=&FS0=0S29=6S21=3
> > > > >
> > > > > This has corrected things BUT we needed to put in an INIT String
> > > > > for GWT v92, BCM v92 and PCTel v92 modems. Normally correcting it
> > > > > with +ms=v90 or +ms=v90,0
> > > > >
> > > > > Not sure if this will clear it up for you but this was what we
> > > > > did to get updated past the IPv4 bug.
> > > > >
> > > > > thanks
> > > > >
> > > > > Greg
> > > > >
> > > > >
> > > > > "Francisco (fxdomin2)" wrote:
> > > > >
> > > > > > We're running into something similar, however, it's on
> > > > > > AS5300's with 12.2-2.XB11
> > > > > > Our network provider who "manages" these units says that
> > > > > > it's due to the existence of several viruses (mblast and
> > > > > > nachi) on the internet causing ICMP related issues.
> > > > > > Apparently, the Cisco Advanced Network Services Engineers
> > > > > > (ANS) is working on the issue for the last three weeks, but,
> > > > > > they haven't found a workaround.
> > > > > >
> > > > > > If anyone has seen this or is experiencing this, have a fix,
> > > > > > etc. please let us know (Dennis, have you seen this?).
> > > > > >
> > > > > > Currently we need to have our as5300's reloaded every 2
> > > > > > hours to bring the unit back to a useable state (all 25 of
> > > > > > them). If left too long before rebooting, no traffic will
> > > > > > pass (so no telnet etc.), users get stuck, and we regularly
> > > > > > get fast busy signals. From a financial standpoint, this is
> > > > > > killing our business.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: cisco-nas-bounces at puck.nether.net
> > > > > > > [mailto:cisco-nas-bounces at puck.nether.net] On Behalf Of John McKinney
> > > > > > Sent: Friday, September 5, 2003 12:53 AM
> > > > > > To: cisco-nas at puck.nether.net
> > > > > > Subject: [cisco-nas] AS5350 Connection Problems
> > > > > >
> > > > > > > We seem to have a sporadic problem with users connecting,
> > > > > > > but then not being able to send/receive any data. The call
> > > > > > > will start like normal, then after about 8K of data, the
> > > > > > > session just stops sending or receiving anything. I
> > > > > > > experienced it myself Sunday afternoon from my dial-up
> > > > > > > connection. Since this is a production environment I am
> > > > > > > having trouble tracking the problem. Even pings from my
> > > > > > > dialup computer to our local servers will stop. I could ping
> > > > > > > the AS5300, but nothing on the ethernet side. I switched to
> > > > > > > my laptop and it did the same thing. I drove to the office
> > > > > > > and everything was fine. I drove home, the problem was gone.
> > > > > > > I have in the past told users to reboot, that windows was
> > > > > > > causing the problem but this is not the case. I think
> > > > > > > rebooting is just buying time until the problem goes away.
> > > > > > > This seems to come and go, but lately I am hearing more and
> > > > > > > more complaints. Where do we go from here? Phone conditions
> > > > > > > seem normal, no excessive retrains or noise.
> > > > > >
> > > > > > 2 AS5350's, not sure if one or both are doing it. Both are
> > > > > > less than 1
> > > > > > year old.
> > > > > >
> > > > > > IOS 12.2-2.XB11
> > > > > >
> > > > > > > One has been running XB11 for several weeks, the other 2
> > > > > > > days. Before that we were using XB8. The problem was present
> > > > > > > before the upgrade.
> > > > > >
> > > > > > Any suggestions would be greatly appreciated.
> > > > > >
> > > > > > Thank You,
> > > > > > John McKinney
> > > > > >
> > > > > > _______________________________________________
> > > > > > cisco-nas mailing list
> > > > > > cisco-nas at puck.nether.net
> > > > > > https://puck.nether.net/mailman/listinfo/cisco-nas
> > > > > >
> > > > > > _______________________________________________
> > > > > > cisco-nas mailing list
> > > > > > cisco-nas at puck.nether.net
> > > > > > https://puck.nether.net/mailman/listinfo/cisco-nas
>
------------------------------------------------------------------------
----
----
a.. Previous message: [cisco-nas] AS5350 Connection Problems
b.. Next message: [cisco-nas] tcp header compression guidance
c.. Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
------------------------------------------------------------------------
----
----
More information about the cisco-nas mailing list
------------------------------
Message: 3
Date: Tue, 8 Jun 2004 18:06:53 -0400
From: "Melvin C. Etheridge" <mele at enia.net>
Subject: [cisco-nas] 5300 Stable IOS
To: <cisco-nas at puck.nether.net>
Message-ID: <000e01c44da4$e824d600$de541f0c at D85D2H41>
Content-Type: text/plain; charset="iso-8859-1"
OK, question?
What is the most stable IOS for a AS5300 w/192 12port Mica Modems with
PW 2.9.4.0???
Thanks,
Mel
------------------------------
Message: 4
Date: Wed, 9 Jun 2004 00:04:27 -0400 (EDT)
From: John McKinney <johnm at wnconline.net>
Subject: Re: [cisco-nas] AS5350 Connection Problems
To: "Melvin C. Etheridge" <mele at enia.net>
Cc: cisco-nas at puck.nether.net
Message-ID:
<Pine.LNX.4.44.0406082307110.28557-100000 at neptune.wnconline.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 8 Jun 2004, Melvin C. Etheridge wrote:
Mel,
This was a long time ago. I'm not sure I remember all the details.
>
> John,
>
> What did you do to resolve this issue?
>
> Thanks,
>
> Mel
> [cisco-nas] AS5350 Connection Problems
> John McKinney johnm at wnconline.net
> Tue Sep 9 02:34:20 EDT 2003
>
>
> I experienced the same problem again tonight, from my login.
> Everyone else is assigned an IP from the pool, but I use an assigned IP.
I have not resolved this issue. If I assign a static IP through radius,
the cisco will assign the IP, but the session dies. But I suspect this
is a config issue and not related to the problems mentioned on the list.
> > > > > Another user called in this morning with this problem. Luckily
> > > > > they had 2 lines, so I was able to do a little troubleshooting.
> > > > > The call looked normal. It showed V.34 and V.92. Connection
> > > > > speeds were 26000/24000. I had the user disconnect and enter
> > > > > 'AT+MS=v90,0'. They reconnected and this time it was a V.34 call
> > > > > and everything worked fine. So, does this mean that the problem
> > > > > is a V.92 problem? Any suggestions on how to maintain the V.92
> > > > > calls and resolve the problem?
> > > >
This was the main issue. Certain V.92 modems either would not connect or
would connect but not pass any data. I disabled V.92 on our end and the
problem went away. This was only a temp. fix. I believe we tried 3
different IOS versions around this time and it didn't seem to help. I
contacted CCO and they provided an SPE update. After updating it, the
problem went away. The customers quit complaining. I know Dell and
Gateway both have issued driver updates and this also seems to help. I
have no idea what (if anything) was different with the modem code, but
after updating the SPE code the customers quit complaining. We still get
a few complaints, but it's very few (less than we had with our PM3
boxes). We will still have to turn off V.92 on the customer end, but not
very often. Mostly on a V.92 connection, but the call slows to 28800. We
can turn off the V.92 and customer seems to get better performance.
Maybe the customer modem is a little too aggressive and can't maintain
the call?
From memory, we have experienced problems with:
bcm
gtw
motorola (can't recall the model)
From memory, we have very good success with:
Zoom (3025 series)
HP LT win modems
I still think we have too many missed connections (customer redials),
but we get very few complaints. Here are some numbers.
## start numbers
as-1 uptime is 21 weeks, 2 days, 17 hours, 57 minutes
SPE   Avg Hold Time  Inc Succ  Inc Fail  Out Succ  Out Fail  Failed Dial  No Answer  Succ Pct
1/00  00:42:36          16256      1121         0         0            0          0       94%
1/01  00:42:40          16232      1102         0         0            0          0       94%
1/02  00:41:41          16507      1130         0         0            0          0       94%
1/03  00:41:39          16487      1130         0         0            0          0       94%
1/04  00:42:26          16253      1081         0         0            0          0       94%
1/05  00:42:14          16348      1066         0         0            0          0       94%
1/06  00:43:06          16001      1112         0         0            0          0       94%
1/07  00:42:39          16212      1120         0         0            0          0       94%
1/08  00:41:56          16374      1138         0         0            0          0       94%
1/09  00:41:09          16637      1155         0         0            0          0       94%
## end numbers
Here is some of my config if it helps. I don't recall all the features
for the modemcap, but maybe Aaron (or anyone else) can explain it.
## start config
boot system flash c5350-is-mz.122-2.XB15.bin
spe 1/00 1/09
firmware location flash:128.0.1.92.spe
modemcap entry cisco:MSC=&FS62=8S63=3S29=12S21=15
## end config
Here's a list of current calls. Pay attention to the Compression. When
the sessions would die, they were using V.44 compression. (Turn off in
your modemcap and I bet your problem goes away)
## Current Calls - w/o Retrain
SPE 1/00
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
2    V.34     LAP-M  V.42bis      7546  26400/26400- 12/-24     38  In
4    V.34+    LAP-M  V.44         1288  31200/21600- 13/-21     38  In
5    V.90     LAP-M  V.42bis      6850  42667/24000- 12/-15     40  In
SPE 1/01
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
6    V.90     LAP-M  V.42bis      4032  46667/24000- 12/-16     33  In
7    V.90     LAP-M  V.42bis      3609  44000/26400- 12/-17     38  In
8    V.90/92  LAP-M  V.44         3326  36000/26400- 12/-16     38  In
9    V.90     LAP-M  V.42bis        63  45333/28800- 12/-12     38  In
10   V.34/92  LAP-M  V.44         8451  26400/24000- 13/-13     33  In
11   V.34     LAP-M  V.42bis      4650  26400/24000- 13/-20     38  In
SPE 1/02
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
14   V.34     LAP-M  V.42bis      1449  26400/24000- 13/-20     33  In
15   V.90     LAP-M  V.42bis      4448  45333/31200- 12/-14     40  In
17   V.34     LAP-M  V.44         3520  28800/26400- 13/-19     38  In
SPE 1/03
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
19   V.90/92  LAP-M  V.44        16236  46667/26400- 12/-19     40  In
20   V.90     LAP-M  V.42bis      1352  50667/26400- 12/-12     42  In
23   V.34/92  LAP-M  V.44         6761  21600/21600- 13/-21     33  In
SPE 1/04
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
25   V.34     LAP-M  V.42bis      1650  28800/24000- 13/-19     38  In
29   V.90     LAP-M  V.42bis      3304  52000/28800- 12/-10     40  In
SPE 1/05
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
30   V.90     LAP-M  V.42bis      3248  38667/26400- 12/-16     38  In
31   V.90     LAP-M  V.42bis      4976  41333/24000- 12/-18     37  In
32   V.90/92  LAP-M  V.44          799  36000/26400- 12/-16      0  In
SPE 1/06
Port Type     Prot   Comp     Duration  Tx/Rx(bps) Tx/Rx(Lvl)  SNR  Cfg
37   V.90/92  LAP-M  V.44         2086  46667/26400- 12/-15      0  In
38   V.34     LAP-M  V.42bis     11552  26400/24000- 13/-19     33  In
40   V.90     LAP-M  None         4757  46667/28800- 12/-11     40  In
41   V.34     LAP-M  V.42bis       296  21600/26400- 13/-19     38  In
## end current calls
Did you notice port 29? Wish everyone could connect that fast!
Feel free to reply. All feedback is welcome.
--
Thank You,
John McKinney
WNC ONLINE
------------------------------
End of cisco-nas Digest, Vol 16, Issue 3
****************************************