[c-nsp] ASR 9k1 SRG troubles
Sergey Kanovskiy
vveber.tsk at gmail.com
Wed Jan 24 21:35:19 EST 2018
Dear colleagues, I'm trying to configure 2 Cisco ASR 9001 as an SRGroup and
there are some problems. Can you give me your advice about that?
Cisco IOS XR Software, Version 6.2.25[Default]
RP/0/RSP0/CPU0:asr9k1_Master#sh inventory
NAME: "module 0/RSP0/CPU0", DESCR: "ASR 9001, Route Switch Processor with
8GB memory"
PID: ASR9001-RP, VID: V01,
NAME: "module 0/0/CPU0", DESCR: "ASR 9001, Modular Line Card"
PID: ASR9001-LC, VID: V01,
NAME: "module 0/0/2", DESCR: "ASR 9000 Virtual Module"
PID: A9K-MODULEv, VID: N/A, SN: N/A
BNG-Pie was installed. We have 1k test-IPoE sessions, SRG warm (hot-standby
was tested too) redundancy, DHCP-relay and AAA-authorization.
Access-interface is Bundled-Ethernet, Uplink is bundled-ethernet
consisting of two 10G physicals. I configured one SRGroup, the 1st router
is the master, the 2nd is the slave.
1st trouble: the Account-Session-Id changes every time the session
migrates from Master to Slave and comes back to Master. For example:
"clear" session on Master:
*RP/0/RSP0/CPU0:asr9k1_master#sh subscriber session filter ipv4-address
10.243.108.16 det int *
*Tue Jan 23 07:18:48.730 *
*Interface: Bundle-Ether91.403.ip273*
*Circuit ID: Unknown*
*Remote ID: Unknown*
*Type: IP: Packet-trigger*
*IPv4 State: Up, Tue Jan 23 07:17:37 2018*
*IPv4 Address: 10.243.108.16, VRF: default*
*IPv4 Up helpers: 0x00000040 {IPSUB}*
*IPv4 Up requestors: 0x00000040 {IPSUB}*
*Mac Address: 0021.913b.6861*
*Account-Session Id: 00043971*
*Nas-Port: 1526829937*
*User name: 0403.0021913b6861.10.243.108.16*
*Formatted User name: 0403.0021913b6861.10.243.108.16*
*Client User name: unknown*
*Outer VLAN ID: 403*
*Subscriber Label: 0x00000043*
*Created: Tue Jan 23 07:17:37 2018*
*State: Activated*
*Authentication: unauthenticated*
*Authorization: authorized*
*Ifhandle: 0x0001fba0*
*Session History ID: 8*
*Access-interface: Bundle-Ether91.403*
*SRG Flags: 0x00004000*
*Policy Executed: *
* event Session-Start match-first [at Tue Jan 23 07:17:37 2018]*
* class type control subscriber class-default do-until-failure
[Succeeded]*
* 10 set-timer TIMER_UNAUTH 1 [cerr: No error][aaa: Success]*
* 20 activate dynamic-template DYNTPL_IP_SUB_26 [cerr: No error][aaa:
Success]*
* 30 authorize aaa list default [cerr: No error][aaa: Success]*
* event Timer-Expiry match-first [at Tue Jan 23 07:18:37 2018]*
* class type control subscriber UNAUTH_TIMER_CLASS do-all [Succeeded]*
* 10 set-timer TIMER_UNAUTH 3 [cerr: No error][aaa: Success]*
* 20 authorize aaa list default [cerr: No error][aaa: Success]*
*Session Accounting: disabled*
*Last COA request received: unavailable*
*User Profile received from AAA:*
* Attribute List: 0x4a0129c8*
*1: session-timeout len= 4 value= 3600(e10)*
*2: primary-dns len= 4 value= 10.117.162.226*
*3: inacl len= 17 value= ACL_PERMIT_ANY_IN*
*4: outacl len= 18 value= ACL_PERMIT_ANY_OUT*
*5: sub-qos-policy-in len= 14 value= QOS_100000K_IN*
*6: sub-qos-policy-out len= 15 value= QOS_100000K_OUT*
*7: sub-pbr-policy-in len= 14 value= PBR_PERMIT_ANY*
*Services:*
* Name : DYNTPL_IP_SUB_26*
* Service-ID : 0x4000002*
* Type : Multi Template*
* Status : Applied*
*-------------------------*
*[Event History]*
* Jan 23 07:17:37.280 IPv4 Start*
* Jan 23 07:17:37.664 IPv4 Up*
* Jan 23 07:18:37.312 SUBDB produce done [many]*
Session migrated from Master to Slave once:
*RP/0/RSP0/CPU0:asr9k1_slave#sh subscriber session filter ipv4-address
10.243.108.16 det int*
*Tue Jan 23 07:22:00.224 *
*Interface: Bundle-Ether91.403.ip190*
*Circuit ID: Unknown*
*Remote ID: Unknown*
*Type: IP: Packet-trigger*
*IPv4 State: Up, Tue Jan 23 07:21:27 2018*
*IPv4 Address: 10.243.108.16, VRF: default*
*IPv4 Up helpers: 0x00000040 {IPSUB}*
*IPv4 Up requestors: 0x00000040 {IPSUB}*
*Mac Address: 0021.913b.6861*
*Account-Session Id: 000005ad*
*Nas-Port: 1526829937*
*User name: 0403.0021913b6861.10.243.108.16*
*Formatted User name: 0403.0021913b6861.10.243.108.16*
*Client User name: unknown*
*Outer VLAN ID: 403*
*Subscriber Label: 0x000005d8*
*Created: Tue Jan 23 07:21:25 2018*
*State: Activated*
*Authentication: unauthenticated*
*Authorization: authorized*
*Ifhandle: 0x00016060*
*Session History ID: 10*
*Access-interface: Bundle-Ether91.403*
*SRG Flags: 0x00024000*
*Policy Executed: *
*Session Accounting: disabled*
*Last COA request received: unavailable*
*User Profile received from AAA:*
* Attribute List: 0x4a012c50*
*1: session-timeout len= 4 value= 3600(e10)*
*2: primary-dns len= 4 value= 10.117.162.226*
*3: inacl len= 17 value= ACL_PERMIT_ANY_IN*
*4: outacl len= 18 value= ACL_PERMIT_ANY_OUT*
*5: sub-qos-policy-in len= 14 value= QOS_100000K_IN*
*6: sub-qos-policy-out len= 15 value= QOS_100000K_OUT*
*7: sub-pbr-policy-in len= 14 value= PBR_PERMIT_ANY*
*Services:*
* Name : DYNTPL_IP_SUB_26*
* Service-ID : 0x4000002*
* Type : Multi Template*
* Status : Applied*
*-------------------------*
*[Event History]*
* Jan 23 07:21:26.912 IPv4 Up*
* Jan 23 07:21:26.912 SUBDB produce done*
Session came back from Slave to Master:
*RP/0/RSP0/CPU0:asr9k1_Master#sh subscriber session filter ipv4-address
10.243.108.16 det int*
*Tue Jan 23 07:21:38.603*
*Interface: None*
*Circuit ID: Unknown*
*Remote ID: Unknown*
*Type: IP: Packet-trigger*
*IPv4 State: Up Pending, Tue Jan 23 07:21:37 2018*
*IPv4 Address: 10.243.108.16, VRF: default*
*Mac Address: 0021.913b.6861*
*Account-Session Id: 00000aee*
*Nas-Port: 1526829937*
*User name: 0403.0021913b6861.10.243.108.16*
*Formatted User name: 0403.0021913b6861.10.243.108.16*
*Client User name: unknown*
*Outer VLAN ID: 403*
*Subscriber Label: 0x000005da*
*Created: Tue Jan 23 07:21:37 2018*
*State: Connected*
*Authentication: unauthenticated*
*Authorization: authorized*
*Ifhandle: 0x00000000*
*Session History ID: 0*
*Access-interface: Bundle-Ether91.403*
*SRG Flags: 0x00064004*
*Policy Executed: *
*Session Accounting: disabled*
*Last COA request received: unavailable*
*User Profile received from AAA:*
* Attribute List: 0x4a012ba0*
*1: session-timeout len= 4 value= 3600(e10)*
*2: primary-dns len= 4 value= 10.117.162.226*
*3: inacl len= 17 value= ACL_PERMIT_ANY_IN*
*4: outacl len= 18 value= ACL_PERMIT_ANY_OUT*
*5: sub-qos-policy-in len= 14 value= QOS_100000K_IN*
*6: sub-qos-policy-out len= 15 value= QOS_100000K_OUT*
*7: sub-pbr-policy-in len= 14 value= PBR_PERMIT_ANY*
*Services:*
* Name : DYNTPL_IP_SUB_26*
* Service-ID : 0x4000002*
* Type : Multi Template*
* Status : Request PD Association*
As a result, RADIUS can't send CoA to the ASR because the Session ID became
different from the initial ID. I saw this trouble in warm-standby and
hot-standby modes of SRG.
I received error messages in hot-standby mode:
*[Event History]*
* Jan 23 08:03:44.768 SUBDB produce done(fail) [many]*
* event Timer-Expiry match-first [at Tue Jan 23 07:46:47 2018]*
* class type control subscriber UNAUTH_TIMER_CLASS do-all [Succeeded] {repeated 1}*
* 10 set-timer TIMER_UNAUTH 3 [cerr: No error][aaa: Success]*
* 20 authorize aaa list default [cerr: 'iEdge' detected the 'warning' condition 'iEdge SVM, Unable to complete this request'][aaa: Success]*
*Session Accounting: disabled*
*Last COA request received: unavailable*
*User Profile received from AAA: None*
*No Services*
*[Event History]*
* Jan 23 07:48:45.568 IPv4 Up*
* Jan 23 08:03:46.816 SUBDB produce done(fail) [many]*
2nd trouble is related to SRG too:
State-control-routes don't work. If the node becomes master, the
summarized routes don't appear in the BGP advertised routes and "show route
subscriber" shows only /32 hosts and virtual interfaces of subscribers. I
tried this feature in warm and hot modes. Does anyone have a working
state-control-routes option?
This is a fragment of the configuration:
router bgp 64701
 bgp router-id 10.117.165.193
 address-family ipv4 unicast
  redistribute connected <---- I added this because state-control-routes doesn't work
  redistribute subscriber route-policy SUBSCRIBERS_ROUTES
 !
 neighbor 10.117.165.194
  remote-as 65533
  address-family ipv4 unicast
   send-community-ebgp
   route-policy RP_IN in
   route-policy RP_EXT_OUT out
   soft-reconfiguration inbound always
  !
 !
 neighbor 10.117.165.198
  remote-as 65533
  address-family ipv4 unicast
   send-community-ebgp
   route-policy RP_IN in
   route-policy RP_INT_OUT out
   soft-reconfiguration inbound always
subscriber
 redundancy
  source-interface Bundle-Ether92.77
  group 1
   preferred-role master
   virtual-mac 42ce.2400.0026
   slave-mode hot
   hold-timer 5
   peer 10.117.165.205
   peer route-disable
   access-tracking srg_1st_cluster
   state-control-route ipv4 10.252.8.0/24 vrf default tag 1
   state-control-route ipv4 10.252.9.0/24 vrf default tag 1
   state-control-route ipv4 10.252.10.0/24 vrf default tag 1
   .......
   revertive-timer 2 maximum 3
   interface-list
    interface Bundle-Ether91.403 id 403
    interface Bundle-Ether91.404 id 404
    interface Bundle-Ether91.412 id 412
    interface Bundle-Ether91.413 id 413
    interface Bundle-Ether91.414 id 414
    interface Bundle-Ether91.433 id 433
    interface Bundle-Ether91.564 id 564
!
route-policy RP_IN
  pass
end-policy
!
route-policy RP_OUT
  if destination in PS_SRG_MASTER then
    set community (65533:20001)
  endif
  if destination in PS_SRG_SLAVE then
    set community (65533:20000)
  endif
end-policy
!
route-policy RP_EXT_OUT
  apply RP_OUT
end-policy
!
route-policy RP_INT_OUT
  apply RP_OUT
end-policy
!
route-policy SUBSCRIBERS_ROUTES
  if tag is 1 then
    pass
  endif
end-policy
If someone has experience with SRG on XR, please give me your advice.
With best regards
Sergey
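
Added example, not part of the original post: a small Python check that parses the three session snapshots quoted above (abridged here to the identifying fields) and reports which of them stay the same across the SRG switchovers and which change. The choice of fields to compare and the function names are assumptions of this example.

```python
import re

# Abridged from the three "sh subscriber session ... det int" snapshots in the
# post: the same subscriber before and after each SRG switchover.
SNAPSHOTS = {
    "master, initial": """
*IPv4 Address: 10.243.108.16, VRF: default*
*Account-Session Id: 00043971*
*Nas-Port: 1526829937*
*User name: 0403.0021913b6861.10.243.108.16*
""",
    "slave, after switchover": """
*IPv4 Address: 10.243.108.16, VRF: default*
*Account-Session Id: 000005ad*
*Nas-Port: 1526829937*
*User name: 0403.0021913b6861.10.243.108.16*
""",
    "master, after switch back": """
*IPv4 Address: 10.243.108.16, VRF: default*
*Account-Session Id: 00000aee*
*Nas-Port: 1526829937*
*User name: 0403.0021913b6861.10.243.108.16*
""",
}

# Fields compared; treating them as session identifiers is this example's assumption.
KEYS = ("Account-Session Id", "Nas-Port", "User name", "IPv4 Address")
FIELD_RE = re.compile(r"^\*?\s*([A-Za-z0-9 -]+?):\s*(.*?)\s*\*?$")

def parse_session(text):
    """Return {field: value} for KEYS; for 'addr, VRF: x' keep only the address."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(1) in KEYS:
            fields.setdefault(m.group(1), m.group(2).split(",")[0])
    return fields

def compare(snapshots):
    """Split KEYS into fields identical in every snapshot and fields that differ."""
    parsed = [parse_session(text) for text in snapshots.values()]
    values = {k: [p.get(k) for p in parsed] for k in KEYS}
    stable = [k for k, v in values.items() if len(set(v)) == 1]
    changed = {k: v for k, v in values.items() if len(set(v)) > 1}
    return stable, changed

if __name__ == "__main__":
    print(compare(SNAPSHOTS))
```

On the data from the post, only the Account-Session Id differs between the snapshots; Nas-Port, User name and IPv4 Address are identical on both routers.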