<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
<META content="MSHTML 6.00.2734.1600" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi all!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>We have a strange problem. We use AS5350s for
dial-in (async, ISDN). When the users dial in, we send them a per-user ACL
from RADIUS...</FONT></DIV>
<DIV><FONT face=Arial size=2>If the user dials in with async or single-link ISDN
(no virtual-access created) everything is OK, but when he dials in with ISDN
multilink and a virtual-access interface is created, the ACL is not freed.
And there are hundreds of per-user ACLs in the NAS referring to
virtual-access interfaces. Here is the debug:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>debug aaa per-user:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>User dials in with async:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Jan 28 12:27:52.914 MET: AAA/PER-USER: mode =
config; command = [ip access-list extended Async1/48#358241<BR>permit tcp any
host xxx.xxx.xx.xx eq smtp<BR>deny tcp any any eq smtp<BR>deny tcp any host
xx.xxx.xxx.xx eq 3128<BR>permit ip any any<BR>]<BR>Jan 28 12:27:52.914 MET:
AAA/PER-USER: line = [ip access-list extended Async1/48#358241]<BR>Jan 28
12:27:52.914 MET: AAA/PER-USER: line = [permit tcp any host xxx.xxx.xxx.xxx eq
smtp]<BR>Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [deny tcp any any eq
smtp]<BR>Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [deny tcp any host
xxx.xxx.xxx.xxx eq 3128]<BR>Jan 28 12:27:52.918 MET: AAA/PER-USER: line =
[permit ip any any]<BR>Jan 28 12:27:52.918 MET: AAA/PER-USER: mode = interface;
command = [IP access-group Async1/48#358241 in<BR>]<BR>Jan 28 12:27:52.918 MET:
AAA/PER-USER: line = [IP access-group Async1/48#358241 in]</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The ACL is applied normally!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV><FONT face=Arial size=2>
<DIV><BR>User Disconnects:</DIV>
<DIV> </DIV>
<DIV>Jan 28 12:28:00.390 MET: AAA/PER-USER: mode = interface; command = [no IP
access-group Async1/48#358241 in<BR>]<BR>Jan 28 12:28:00.390 MET: AAA/PER-USER:
line = [no IP access-group Async1/48#358241 in]<BR>Jan 28 12:28:00.390 MET:
AAA/PER-USER: mode = config; command = [no ip access-list extended
Async1/48#358241<BR>]<BR>Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no ip
access-list extended Async1/48#358241]</DIV>
<DIV> </DIV>
<DIV>The ACL is removed normally!</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>When the user dials in with multilink ISDN:</DIV>
<DIV> </DIV>
<DIV>Jan 28 14:06:47.105 MET: AAA/PER-USER: mode = config; command = [ip
access-list extended Virtual-Access143#358961<BR>permit tcp any host
xxx.xxx.xxx.xxx eq smtp<BR>deny tcp any any eq smtp<BR>deny tcp any host
xxx.xxx.xxx.xxx eq 3128<BR>permit ip any any<BR>]<BR>Jan 28 14:06:47.105 MET:
AAA/PER-USER: line = [ip access-list extended Virtual-Access143#358961]<BR>Jan
28 14:06:47.105 MET: AAA/PER-USER: line = [permit tcp any host xxx.xxx.xxx.xxx
eq smtp]<BR>Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [deny tcp any any eq
smtp]<BR>Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [deny tcp any host
xxx.xxx.xxx.xxx eq 3128]<BR>Jan 28 14:06:47.109 MET: AAA/PER-USER: line =
[permit ip any any]</DIV>
<DIV> </DIV>
<DIV>
<DIV><FONT face=Arial size=2>The ACL is applied normally!</FONT></DIV></DIV>
<DIV> </DIV>
<DIV><BR>And when the user disconnects:</DIV>
<DIV> </DIV>
<DIV><BR>Jan 28 14:07:01.793 MET: AAA/PER-USER: mode = config; command = [no ip
access-list extended Virtual-Access143#358961<BR>]<BR>Jan 28 14:07:01.793 MET:
AAA/PER-USER: line = [no ip access-list extended
Virtual-Access143#358961]<BR></DIV>
<DIV>I don't know why the NAS doesn't take the ACL off the interface... it
only wants to remove the (global) ACL when virtual-access is
used... I guess that the NAS can't remove the ACL because it is
applied to an interface... Is it a bug?</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>I tried it with 122-2.XB12.bin, 122-15.T10.bin and 122-2.XB14.bin
and I get the same result...</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Here is my config:</DIV>
<DIV><BR>Cisco Internetwork Operating System Software <BR>IOS (tm) 5350 Software
(C5350-IS-M), Version 12.2(15)T10, RELEASE SOFTWARE (fc2)<BR>TAC Support:
<A href="http://www.cisco.com/tac">http://www.cisco.com/tac</A><BR>Copyright (c)
1986-2003 by cisco Systems, Inc.<BR>Compiled Thu 11-Dec-03 09:53 by
pwade<BR>Image text-base: 0x6000895C, data-base: 0x61600000</DIV>
<DIV> </DIV>
<DIV>ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE
(fc1)<BR>BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XA5, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc2)</DIV>
<DIV> </DIV>
<DIV>nas-26 uptime is 4 weeks, 23 hours, 22 minutes<BR>System returned to ROM by
reload at 15:12:32 MET Tue Dec 30 2003<BR>System restarted at 15:13:09 MET Tue
Dec 30 2003<BR>System image file is "flash:c5350-is-mz.122-15.T10.bin"</DIV>
<DIV> </DIV>
<DIV>cisco AS5350 (R7K) processor (revision T) with 131072K/65536K bytes of
memory.<BR>Processor board ID JAE0531002D<BR>R7000 CPU at 250Mhz, Implementation
39, Rev 1.0, 256KB L2, 2048KB L3 Cache<BR>Last reset from IOS
reload<BR>Channelized E1, Version 1.0.<BR>Bridging software.<BR>X.25 software,
Version 3.0.0.<BR>SuperLAT software (copyright 1990 by Meridian Technology
Corp).<BR>Primary Rate ISDN software, Version 1.1.<BR>Manufacture Cookie
Info:<BR> EEPROM Type 0x0001, EEPROM Version 0x01, Board ID
0x32,<BR> Board Hardware Version 3.27, Item Number
800-5171-02,<BR> Board Revision A0, Serial Number
JAE0531002D,<BR> PLD/ISP Version 2.2, Manufacture Date
30-Jul-2001.<BR>Processor 0x14, MAC Address 0x044DC54B48<BR>Backplane HW
Revision 1.0, Flash Type 5V<BR>2 FastEthernet/IEEE 802.3 interface(s)<BR>134
Serial network interface(s)<BR>60 terminal line(s)<BR>4 Channelized E1/PRI
port(s)<BR>512K bytes of non-volatile configuration memory.<BR>32768K bytes of
processor board System flash (Read/Write)<BR>8192K bytes of processor board Boot
flash (Read/Write)</DIV>
<DIV> </DIV>
<DIV>Configuration register is 0x2102</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>version 12.2<BR>service timestamps debug datetime msec localtime
show-timezone<BR>service timestamps log datetime msec localtime
show-timezone<BR>service password-encryption<BR>!<BR>hostname
xxxxxxxxxxxxxxxxxxxxxxxxxxx<BR>!<BR>boot system flash
flash:c5350-is-mz.122-15.T10.bin<BR>boot system flash
flash:c5350-is-mz.122-2.XB12.bin<BR>no boot startup-test<BR>logging queue-limit
100<BR>no logging console<BR>enable secret 5
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx<BR>!<BR>username xxxxxxxx privilege 15 password 7
xxxxxxxxxxxxxxxxxxx<BR>!<BR>!<BR>resource-pool enable<BR>resource-pool call
treatment resource busy<BR>resource-pool call treatment profile
busy<BR>resource-pool call treatment discriminator busy<BR>!<BR>resource-pool
group resource nextport<BR> range port 1/0 1/59<BR> pool-alloc
round-robin<BR>!<BR>resource-pool group resource isdn<BR> range limit
60<BR>! <BR>resource-pool
profile customer CUST1<BR> limit base-size 25<BR> limit overflow-size
30<BR> resource isdn digital <BR> resource nextport speech
<BR> resource nextport V110 <BR> resource isdn piafs
<BR> resource nextport V120 <BR> dnis group
CUST1<BR>!<BR>resource-pool profile customer CUST2<BR> limit base-size
5<BR> limit overflow-size 12<BR> resource isdn digital
<BR> resource nextport speech <BR> resource nextport V110
<BR> resource isdn piafs <BR> resource nextport V120
<BR> dnis group CUST2<BR> vpdn group CUST2<BR>!<BR>resource-pool
profile customer CUST3<BR> limit base-size 0<BR> limit overflow-size
18<BR> resource isdn digital <BR> resource nextport speech
<BR> resource nextport V110 <BR> resource isdn piafs
<BR> resource nextport V120 <BR> dnis group
CUST3<BR>!<BR>resource-pool profile customer CUST4<BR> limit base-size
0<BR> limit overflow-size 0<BR> resource isdn digital
<BR> resource nextport speech <BR> resource nextport V110
<BR> resource isdn piafs <BR> resource nextport V120
<BR> dnis group CUST4<BR> vpdn group CUST4<BR>!<BR>resource-pool
profile customer CUST5<BR> limit base-size 0<BR> limit overflow-size
0<BR> resource isdn digital <BR> resource nextport speech
<BR> resource nextport V110 <BR> resource isdn piafs
<BR> resource nextport V120 <BR> dnis group CUST5<BR> vpdn
group CUST5<BR>resource-pool aaa protocol local<BR>clock timezone MET 1<BR>clock
summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00<BR>spe
call-record modem quiet<BR>!<BR>spe default-firmware spe-firmware-1<BR>spe 1/00
1/09<BR> firmware location flash:np.8.3.spe<BR>!<BR>aaa new-model<BR>aaa
session-mib disconnect<BR>!<BR>!<BR>aaa authentication login telnet group
tacacs+ local<BR>aaa authentication enable default enable<BR>aaa authentication
ppp dialin local group radius<BR>aaa authorization network dialin local group
radius <BR>aaa accounting delay-start <BR>aaa accounting suppress
null-username<BR>aaa accounting exec default start-stop group tacacs+<BR>aaa
accounting commands 15 default start-stop group tacacs+<BR>aaa accounting
network dialin start-stop group radius<BR>aaa accounting system default
start-stop group radius<BR>aaa session-id common<BR>ip subnet-zero<BR>ip
cef<BR>ip tftp source-interface Loopback0<BR>no ip domain
lookup<BR>!<BR>virtual-profile if-needed<BR>vpdn enable<BR>vpdn logging<BR>vpdn
logging local<BR>vpdn logging remote<BR>vpdn logging user<BR>vpdn logging
tunnel-drop<BR>vpdn history failure table-size 50<BR>vpdn search-order
dnis <BR>!<BR>vpdn-group PPPoE<BR> description *** PPPoE
***<BR> accept-dialin<BR> protocol pppoe<BR> virtual-template
1<BR> pppoe limit per-mac 1<BR>!<BR>vpdn-group CUST4<BR> description
*** CUST4 L2TP ***<BR> request-dialin<BR> protocol l2tp<BR>
dnis CUST4<BR> initiate-to ip xxxxxxxxxxxxx<BR> source-ip
xxxxxxxxxxxxxx<BR> multilink bundle 2<BR> multilink link
2<BR> l2tp hidden<BR> l2tp tunnel password 7
xxxxxxxxxxxxxxx<BR>!<BR>vpdn-group CUST2<BR> description *** CUST2 L2TP
***<BR> request-dialin<BR> protocol l2tp<BR> dnis
CUST2<BR> initiate-to ip xxxxxxxxxxxx<BR> source-ip
xxxxxxxxxxxxxxxxx<BR> multilink bundle 2<BR> multilink link
2<BR> l2tp hidden<BR> l2tp tunnel password 7
xxxxxxxxxxxxxxxxxxxxxxxxxx<BR>!<BR>vpdn-group CUST5<BR> description ***
CUST5 L2TP ***<BR> request-dialin<BR> protocol
l2tp<BR> initiate-to xxxxxxxxxxxxxxxxxxx<BR> source-ip
xxxxxxxxxxxxxxxxxx<BR> multilink bundle 2<BR> multilink link
2<BR> l2tp hidden<BR> l2tp tunnel password 7
xxxxxxxxxxxxxxxxxxxxxxx<BR>!<BR>isdn switch-type
primary-net5<BR>!<BR>!
<BR>!<BR>!<BR>!<BR>!<BR>!<BR>!<BR>no voice hpi capture buffer<BR>no voice hpi
capture destination <BR>!<BR>!<BR>!<BR>fax interface-type fax-mail<BR>mta
receive maximum-recipients 0<BR>!<BR>!<BR>!<BR>controller E1
2/0<BR> pri-group timeslots 1-31<BR> <BR>!<BR>controller E1
2/1<BR> pri-group timeslots 1-31<BR> <BR>!<BR>controller E1
3/0<BR> pri-group timeslots 1-31<BR>!<BR>controller E1
3/1<BR> pri-group timeslots 1-31<BR>!<BR>!<BR>interface
Loopback0<BR> ip address
xxxxxxxxxxxxxxxxxx<BR>!
<BR>interface FastEthernet0/0<BR> no ip address<BR> no ip
redirects<BR> no ip proxy-arp<BR> shutdown<BR> duplex
auto<BR> speed auto<BR>!<BR>interface FastEthernet0/1<BR> ip address
xxxxxxxxxxxxxxxx secondary<BR> ip address xxxxxxxxxxxxxxxx
secondary<BR> ip address xxxxxxxxxxxxxxxxxxxxx<BR> ip access-group
xxxxxxxxxxxx out<BR> duplex auto<BR> speed auto<BR> pppoe
enable<BR>!<BR>interface Serial0/0<BR> ip address
xxxxxxxxxxxxxxxx<BR> ip route-cache flow<BR> ip summary-address rip
xxxxxxxxxxxxxxxxxxxxx<BR> load-interval 30<BR>!<BR>interface
Serial0/1<BR> no ip address<BR> shutdown<BR> clockrate
2000000<BR>!<BR>interface Serial2/0:15<BR> no ip address<BR> no ip
redirects<BR> no ip proxy-arp<BR> encapsulation ppp<BR> ip
route-cache flow<BR> dialer rotary-group 1<BR> isdn switch-type
primary-net5<BR> isdn incoming-voice modem<BR> isdn
piafs_enabled<BR> no keepalive<BR> no fair-queue<BR> no cdp
enable<BR>!<BR>interface Serial2/1:15<BR> no ip address<BR> no ip
redirects<BR> no ip proxy-arp<BR> encapsulation ppp<BR> ip
route-cache flow<BR> dialer rotary-group 1<BR> isdn switch-type
primary-net5<BR> isdn incoming-voice modem<BR> isdn
piafs_enabled<BR> no keepalive<BR> no fair-queue<BR> no cdp
enable<BR>!<BR>interface Serial3/0:15<BR> no ip address<BR> no ip
redirects<BR> no ip proxy-arp<BR> encapsulation ppp<BR> ip
route-cache flow<BR> dialer rotary-group 1<BR> isdn switch-type
primary-net5<BR> isdn incoming-voice modem<BR> isdn
piafs_enabled<BR> no keepalive<BR> no fair-queue<BR> no cdp
enable<BR>!<BR>interface Serial3/1:15<BR> no ip address<BR> no ip
redirects<BR> no ip proxy-arp<BR> encapsulation ppp<BR> ip
route-cache flow<BR> dialer rotary-group 1<BR> isdn switch-type
primary-net5<BR> isdn incoming-voice modem<BR> isdn
piafs_enabled<BR> no keepalive<BR> no fair-queue<BR> no cdp
enable<BR>!<BR>interface Virtual-Template1<BR> mtu 1492<BR> ip
unnumbered Loopback0<BR> ip route-cache flow<BR> load-interval
30<BR> peer default ip address pool dialin<BR> ppp authentication pap
dialin<BR> ppp authorization dialin<BR> ppp accounting
dialin<BR>!<BR>interface Group-Async0<BR> no ip address<BR> no ip
redirects<BR> no ip proxy-arp<BR> ip route-cache flow<BR> dialer
in-band<BR> dialer rotary-group 1<BR> async mode
interactive<BR> no keepalive<BR> no fair-queue<BR> group-range
1/00 1/59<BR>!<BR>interface Dialer1<BR> ip unnumbered Loopback0<BR> ip
verify unicast reverse-path 101<BR> no ip redirects<BR> no ip
proxy-arp<BR> encapsulation ppp<BR> ip route-cache
flow<BR> load-interval 30<BR> dialer in-band<BR> dialer
idle-timeout 0<BR> peer default ip address pool dialin<BR> no
fair-queue<BR> no cdp enable<BR> ppp authentication pap
dialin<BR> ppp authorization dialin<BR> ppp accounting
dialin<BR> ppp multilink<BR>!<BR>router rip<BR> version
2<BR> redistribute connected<BR> redistribute static route-map
nodefault<BR> passive-interface default<BR> no passive-interface
Serial0/0<BR> network xxxxxxxxxxxxxxxxx<BR> default-metric
2<BR> no auto-summary<BR>!<BR>ip local pool dialin
xxxxxxxxxxxxxxxxxxxxxx<BR>ip flow-aggregation cache
source-prefix-tos<BR> mask source minimum 32<BR> enabled<BR>!<BR>ip
flow-aggregation cache destination-prefix-tos<BR> mask destination minimum
32<BR> enabled<BR>!<BR>ip classless<BR>ip route 0.0.0.0 0.0.0.0
xxxxxxxxxx<BR>ip route xxxxxxxxxxxxxxxxxxxxxx Null0<BR>ip tacacs
source-interface Loopback0<BR>no ip http server<BR>!<BR>!<BR>!<BR>ip radius
source-interface Loopback0 <BR>!<BR>logging facility local2<BR>logging
source-interface Loopback0<BR>logging xxxxxxxxxxxx<BR>logging
xxxxxxxxxxxxxxxxxxxxxxxx<BR>!<BR>dialer dnis group CUST1<BR> number
001<BR> number 000<BR>!<BR>dialer dnis group CUST2<BR> number
007<BR> number 005<BR>!<BR>dialer dnis group CUST3<BR> number
002<BR>!<BR>dialer dnis group CUST4<BR> number 008<BR> number
006<BR>!<BR>dialer dnis group CUST5<BR> number 004<BR>!<BR>route-map
nodefault permit 10<BR> match ip address 5<BR>!<BR>tacacs-server
hostxxxxxxxxxxxxx port xxxx key xxxxxxxxxxxxxx<BR>tacacs-server
directed-request<BR>snmp-server community xxxxxxxxxxxxx RO 1<BR>no snmp-server
enable traps tty<BR>!<BR>radius-server attribute 32 include-in-access-req
<BR>radius-server host xxxxxxxxxxxxxx auth-port xxxx acct-port
xxxxx<BR>radius-server retransmit 4<BR>radius-server key 7
xxxxxxxxxxxxxxxxxxxxxxx<BR>radius-server authorization permit missing
Service-Type<BR>call rsvp-sync<BR>!<BR>voice-port 2/0:D<BR>!<BR>voice-port
2/1:D<BR>!<BR>voice-port 3/0:D<BR>!<BR>voice-port 3/1:D<BR>!<BR>!<BR>mgcp
profile default<BR>!<BR>dial-peer cor custom<BR>!<BR>!<BR>!<BR>!<BR>alias exec
sp show processes cpu | exc 0.00% 0.00% 0.00%<BR>alias exec sv show
version | inc image<BR>!<BR>line con 0<BR> logging
synchronous<BR> transport output none<BR>line aux 0<BR>line vty 0
4<BR> session-timeout 30 <BR> timeout login response
20<BR> logging synchronous<BR> login authentication
telnet<BR> transport input telnet<BR>line vty 5 15<BR> session-timeout
30 <BR> timeout login response 20<BR> logging
synchronous<BR> login authentication telnet<BR> transport input
telnet<BR>line 1/00 1/59<BR> no flush-at-activation<BR> no modem
callout<BR> modem Dialin<BR> modem autoconfigure type
nextport<BR> transport input all<BR> autoselect
during-login<BR> autoselect ppp<BR>!<BR>scheduler allocate 10000 400<BR>ntp
clock-period 17179978<BR>ntp source Loopback0<BR>ntp access-group peer 10<BR>ntp
update-calendar<BR>ntp server xxxxxxxxxxxxxxxx<BR>end</DIV>
<DIV> </DIV>
<DIV>Thanks in advance for everybody's response.</DIV>
<DIV> </DIV>
<DIV>Regards,</DIV>
<DIV> </DIV>
<DIV>Szicsu</DIV>
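<DIV> </DIV>
<DIV>As an added example (not part of the original mail and not Cisco's code), the following Python script audits a running-config dump for the leak described above: it collects the AAA per-user ACLs, which are named in the '&lt;interface&gt;#&lt;session-id&gt;' style seen in the debug, reports those that are defined but no longer applied with any 'ip access-group' line, and prints the cleanup commands for review. The config fragment and the 192.0.2.x addresses are constructed; the real NAS config would come from 'show running-config'.</DIV>

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of 'show running-config' (not from the mail).
# Async1/48#358241 and Virtual-Access144#358977 are still applied on their
# interfaces; Virtual-Access143#358961 has no access-group line left, i.e. the
# per-user ACL was never freed. ADMIN-IN is a static ACL and must be ignored.
SAMPLE_CONFIG = """\
ip access-list extended Async1/48#358241
 permit tcp any host 192.0.2.10 eq smtp
 deny tcp any any eq smtp
 permit ip any any
ip access-list extended Virtual-Access143#358961
 permit tcp any host 192.0.2.10 eq smtp
 deny tcp any any eq smtp
 permit ip any any
ip access-list extended Virtual-Access144#358977
 permit ip any any
ip access-list extended ADMIN-IN
 permit ip any any
!
interface Async1/48
 ip access-group Async1/48#358241 in
!
interface Virtual-Access144
 ip access-group Virtual-Access144#358977 in
"""

# AAA-generated per-user ACLs carry a '#<session-id>' suffix; static ACLs do not.
PER_USER_ACL = re.compile(r"^ip access-list (extended|standard) (\S+#\d+)\s*$")
# Interface sub-commands are indented; the debug shows 'IP access-group', so ignore case.
ACCESS_GROUP = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$", re.IGNORECASE)


def _parse(config: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (per-user ACL name -> type, set of ACL names applied on interfaces)."""
    defined: Dict[str, str] = {}
    applied: Set[str] = set()
    for line in config.splitlines():
        m = PER_USER_ACL.match(line)
        if m:
            defined[m.group(2)] = m.group(1)
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            applied.add(m.group(1))
    return defined, applied


def find_orphaned_per_user_acls(config: str) -> List[str]:
    """Per-user ACLs that exist in the config but are applied on no interface."""
    defined, applied = _parse(config)
    return sorted(name for name in defined if name not in applied)


def cleanup_commands(config: str) -> List[str]:
    """Config lines that would release the orphaned ACLs (review before pushing)."""
    defined, _ = _parse(config)
    return [f"no ip access-list {defined[n]} {n}" for n in find_orphaned_per_user_acls(config)]


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_CONFIG):
        print(cmd)
```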
<DIV></FONT> </DIV></BODY></HTML>