[c-nsp] WebVPN Issue

Antonio Soares amsoares at netcabo.pt
Wed Feb 10 20:14:11 EST 2010


Tyson,

TAC SR in progress. I will let you know what they will call this :) 


Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com] 
Sent: Thursday, 11 February 2010 0:11
To: 'Antonio Soares'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Antonio,

It would be plausible to open a case with Cisco and call it a bug, or a
feature enhancement, that if there is an IP conflict it disconnects both
sessions, or refuses/ignores the RADIUS attribute if it conflicts with an
existing session, or gives an error message; but I wouldn't necessarily call
that a bug.  Typically I would classify a bug as a feature that does not
operate as it should within normal conditions or expected error states.  But
that may be just me.

More it sounds like a basic rule is being broken (assigning duplicate IPs)
and adverse effects are happening from it.  Currently there may not be an
error check to handle the error state as you would hope.

Please don't take offense, I can see myself making the same mistake, but a
networking rule 101 is being broken and sometimes you will have strange
results from such.  Much like spanning-tree loops or duplicate IPs on the
network.  Sometimes it takes intervention to fix the basic problems.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP 
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130



-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt] 
Sent: Wednesday, February 10, 2010 6:06 PM
To: 'Tyson Scott'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

The session of the 1st user remains up and the VPN routes are there. But in
the router the route back to the user is removed. So from
the user's perspective, connectivity is broken and he doesn't have an idea
why. Clearly a bug, don't you think?

Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com] 
Sent: Wednesday, 10 February 2010 22:33
To: 'Roman Rodichev'; 'Antonio Soares'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Actually it makes sense.  You have duplicate IPs and the router needs to
decide which one is valid, which often will cause a network interrupt.
Although it doesn't allow the second connection, it is terminating the first
in order to make a decision about the conflict.  At least that is how I
interpret what you are seeing.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130



-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of
Roman Rodichev
Sent: Wednesday, February 10, 2010 12:28 PM
To: Antonio Soares
Cc: Farrukh Haroon; <cisco-nsp at puck.nether.net>; Cisco certification
Subject: Re: WebVPN Issue

Probably just a "feature" :)

Sent from my iPhone

On Feb 10, 2010, at 11:24 AM, "Antonio Soares" <amsoares at netcabo.pt>  
wrote:

> Yes, it works fine with local pool. In this case, the AC client gets  
> a message saying "no address assigned".
>
> I was able to reproduce the problem in the meantime. It makes sense  
> that the 2nd user is not able to establish the session but it
> doesn't make sense that the 1st loses his connection.
>
> This seems a bug to me.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Roman Rodichev [mailto:romangs at iementor.com]
> Sent: Wednesday, 10 February 2010 17:03
> To: Antonio Soares
> Cc: Farrukh Haroon; <cisco-nsp at puck.nether.net>; Cisco certification
> Subject: Re: WebVPN Issue
>
> So that might be the problem. How can you assign a different IP from
> RADIUS for concurrent logins?
>
> It should work with local pool
>
> Sent from my iPhone
>
> On Feb 10, 2010, at 10:14 AM, "Antonio Soares" <amsoares at netcabo.pt>
> wrote:
>
>> Thank you both for your inputs. I still cannot share the config
>> since I saw this in a production network and I'm still trying to
>> reproduce it in the lab.
>>
>> But the "debug ip routing" says it all:
>>
>> 1) When user X connects, he gets ip=10.10.10.166
>>
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>>
>> 2) When another user tries the connection with the same user X:
>>
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>>
>> So the router deletes the route, adds it and removes it again. This
>> explains the loss of connectivity.
>>
>> We have RADIUS authentication and the RADIUS server assigns a
>> pre-defined IP to each user. So when the RADIUS server sends the same
>> IP, it seems the router gets confused.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> -----Original Message-----
>> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf
>> Of Farrukh Haroon
>> Sent: Wednesday, 10 February 2010 6:27
>> To: Antonio Soares
>> Cc: cisco-nsp at puck.nether.net; Cisco certification
>> Subject: Re: WebVPN Issue
>>
>> No, it works fine for multiple users, we have it running. If you can
>> post the
>> sanitized config, I can have a look.
>>
>> Also check your 'show tcp brief' output to see if you have any stale
>> connections there. We faced a similar issue, and putting 'service
>> tcp-keepalives-in' fixed the issue (you may put 'out' as well)..
>>
>> We are running 12.4(15)Tx though.
>>
>> Regards
>>
>> Farrukh
>>
>>
>>
>> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares
>> <amsoares at netcabo.pt> wrote:
>>
>>> Hello group,
>>>
>>> I'm facing a strange issue with IOS Based WebVPN: when user X is
>>> connected
>>> and then another user uses the same user X, the second
>>> user is not able to connect but the first user loses connectivity.
>>> I have
>>> this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
>>> This is not expected behavior, right?
>>>
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> amsoares at netcabo.pt
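
The "debug ip routing" lines Antonio quoted are enough to spot this condition mechanically, which is useful when the symptom is only "the first user went dark" and nobody was watching the console. The following is an added example, not code from this thread or from Cisco. The log text is constructed after the lines quoted above (VRF name and 10.10.10.166 are taken from the thread; a second host, 10.10.10.167, is added here purely for contrast); the function names are this example's own. Two conditions are reported: a host route that is re-installed after having been withdrawn (the del/add/del sequence seen when a second login for the same user is handed the same per-user address), and a host route whose final event is a withdrawal while the session may still be considered up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "debug ip routing" output quoted in the
# thread. The first four add/del lines for 10.10.10.166 are the sequence seen
# when a second login with the same username receives the same address from
# RADIUS; 10.10.10.167 is an assumed, healthy session added for contrast.
SAMPLE_DEBUG = """\
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.167/32 (0x1) via 0.0.0.0 SS2
RT(VRF_X): add 10.10.10.167/32 via 0.0.0.0, static metric [0/0]
"""

# Matches only the "add" and "del" events for a static host route via 0.0.0.0
# (the way IOS installs the per-client route of a WebVPN session). The "del"
# form carries no /32, so the prefix length is optional. The "updating static"
# and "delete subnet route" lines are echoes of the same events and are ignored.
EVENT_RE = re.compile(
    r"^RT\((?P<vrf>[^)]+)\):\s+(?P<op>add|del)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:/32)?\s+via\s+0\.0\.0\.0"
)


def parse_events(text):
    """Yield (vrf, op, ip) tuples for each add/del host-route event, in order."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.group("vrf"), m.group("op"), m.group("ip")


def op_sequences(text):
    """Map (vrf, ip) -> ordered list of 'add'/'del' operations seen for it."""
    seqs = defaultdict(list)
    for vrf, op, ip in parse_events(text):
        seqs[(vrf, ip)].append(op)
    return dict(seqs)


def flapping_hosts(text):
    """Host routes that were re-added after a withdrawal (add ... del ... add).

    A clean disconnect produces a single trailing 'del'; an 'add' that follows a
    'del' means the same /32 was handed out again while the first session's route
    was being torn down, i.e. the duplicate-address case from the thread.
    """
    flapping = []
    for key, ops in op_sequences(text).items():
        seen_del = False
        readded = False
        for op in ops:
            if op == "del":
                seen_del = True
            elif seen_del:  # an 'add' after at least one 'del'
                readded = True
        if readded:
            flapping.append(key)
    return sorted(flapping)


def withdrawn_hosts(text):
    """Host routes whose last event is a withdrawal.

    If the corresponding session is still listed as up, the client has lost
    its return path even though it was never disconnected.
    """
    return sorted(k for k, ops in op_sequences(text).items() if ops[-1] == "del")


if __name__ == "__main__":
    for key, ops in op_sequences(SAMPLE_DEBUG).items():
        print(key, " -> ".join(ops))
    print("flapping:", flapping_hosts(SAMPLE_DEBUG))
    print("withdrawn:", withdrawn_hosts(SAMPLE_DEBUG))
```

Feed it the captured debug output instead of SAMPLE_DEBUG; any address listed under "flapping" is worth cross-checking against the RADIUS user database for a second entry, or a second concurrent login, carrying the same fixed address. The "withdrawn" list is the one to compare against the router's active session list: an address that is withdrawn but still has a session is exactly the silent failure the first poster describes.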
