Intelligent Services Gateway Configuration Guide Cisco IOS XE Release 3S
Configuring ISG Policies for Session Maintenance
Last Updated: July 15, 2011
Intelligent Services Gateway (ISG) is a Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure a session timer and connection timer through a service policy map. Additionally, the Internet Engineering Task Force (IETF) RADIUS attributes Session-Timeout (attribute 27) and Idle-Timeout (attribute 28) can be used in service profiles on an authentication, authorization, and accounting (AAA) server to configure the same session maintenance control. IP subscriber session keepalive support is configured for monitoring session data traffic in the upstream direction for idleness. Address Resolution Protocol (ARP) is used for Layer 2 connected subscribers. For routed host (Layer 3 connected) subscribers, the protocol defaults to Internet Control Message Protocol (ICMP). ICMP is also used in configurations where the access interface does not support ARP.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for ISG Policies for Session Maintenance
A traffic class is required only if an idle timer or session timer is being installed on a service that has a traffic class definition in it. If the timer is installed on a session or service that has no traffic class, a traffic class is not required. See the "Configuring ISG Subscriber Services" module for information about how to configure a traffic class.
Information About ISG Policies for Session Maintenance
Session Maintenance Timers
ISG provides two commands (each of which can be set independently) to maintain control over a session and its connection. The timeout absolute command controls how long a session can be connected before it is terminated. The timeout idle command controls how long a connection can be idle before it is terminated. Both commands detect both PPP and IP sessions and can be applied in a non-traffic-class-based service, on a per-session basis, or in a flow (traffic-class-based service). All subscriber traffic will reset the timers; however, non-network traffic such as PPP control packets will not reset the timers. The scope of the session timers and connection timers is determined by the type of service within which the timer is specified. If specified in a service profile for which no traffic class is defined, the timer action will be to terminate the session or connection. If a traffic class specifier resides in the service profile, the timer action will be to deactivate the service.
Benefits of Session Maintenance Timers
The PPP idle timeout functionality has been replaced by the ISG idle timeout feature. The idle timer is a generic feature that can be set to detect idle traffic in both PPP and IP sessions. You set the idle timer in a service profile that is installed on a session to control how long that service stays installed before it is removed from the session because no traffic is flowing through that service. If the service has traffic class parameters associated with it, that traffic class is terminated when this timer expires, or when the session itself is terminated. The same is true for the session timer, except that this timer determines how long the session or service stays up, regardless of traffic flowing through it.
Monitoring Sessions
The IP subscriber session's data traffic in the upstream direction can be monitored for idleness using a keepalive feature configured for the subscriber.
If a session is idle for a configured period of time, keepalive requests are sent to the subscriber. This action verifies that the connection is still active. The protocol to use for the keepalive request and response can be configured based on the IP subscriber session type. If it is a directly connected host (Layer 2 connection), ARP is used. For routed host (Layer 3 connected) subscribers, ICMP is used. If the access interface does not support ARP, the keepalive protocol defaults to ICMP.
ARP for Keepalive Messages
When a session is established and the keepalive feature is configured to use ARP, the keepalive feature saves the ARP entry as a valid original entry for verifying future ARP responses.
When ARP is configured, the ARP unicast request is sent to the subscriber. After a configured interval of time, the ARP response (if received) is verified. If the response is correct and matches the original entry that was saved when the subscriber was initially established, the keepalive feature continues monitoring the data plane for the configured interval of time. If the response is not correct, the keepalive feature resends the ARP request until a correct response is received or the configured maximum number of attempts is exceeded.
ICMP for Keepalive Messages
If ICMP is configured, the ICMP "hello" request is sent to the subscriber and checked for a response, until the configured maximum number of attempts is exceeded. For IP subnet sessions, the peer (destination) IP address to be used for ICMP "hello" requests will be all the IP addresses within the subnet. This means "hello" requests will be sent sequentially (not simultaneously) to all the possible hosts within that subnet. If there is no response from any host in that subnet, the session will be disconnected. Another option is to configure ICMP directed broadcast for keepalive requests. If the subscriber hosts recognize the IP subnet broadcast address, the ISG can send the ICMP "hello" request to the subnet broadcast address. The subscribers need not be on the same subnet as the ISG for this configuration to work. A directed broadcast keepalive request can work multiple hops away as long as these conditions are satisfied:
When these two conditions are satisfied, you can optimize the ICMP keepalive configuration to minimize the number of ICMP packets.
How to Configure ISG Policies for Session Maintenance
Configuring the session maintenance timers requires two separate tasks, one to set the idle timer and one to set the session timer. Either one or both of these tasks can be performed in order to set session maintenance control. The following tasks show how to set these timers in a service policy map and in a RADIUS AAA server profile:
Configuring the Session Timer in a Service Policy Map
SUMMARY STEPS
DETAILED STEPS
Configuring the Session Timer on a AAA Server
SUMMARY STEPS
DETAILED STEPS
Configuring the Connection Timer in a Service Policy Map
SUMMARY STEPS
DETAILED STEPS
Configuring the Connection Timer on a AAA Server
SUMMARY STEPS
DETAILED STEPS
Verifying the Session and Connection Timer Settings
SUMMARY STEPS
DETAILED STEPS
Troubleshooting the Session and Connection Timer Settings
The following sections list the debug commands that can be used to troubleshoot the session maintenance timers and describe the tasks you perform to enable them:
Prerequisites for Troubleshooting the Session Maintenance Timers
Before performing the task in this section, it is recommended that you be familiar with the use of Cisco IOS debug commands described in the introductory chapters of the Cisco IOS Debug Command Reference. Also see the module "Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging".
Restrictions for Troubleshooting the Session Maintenance Timers
Debug Commands Available for the Session Maintenance Timers
The table below lists the debug commands that can be used to diagnose problems with the session maintenance timers.
Enabling the Session Maintenance Timer Debug Commands
SUMMARY STEPS
DETAILED STEPS
Configuring a Session Keepalive on the Router
This task describes how to configure the keepalive feature on the router, using either ARP or ICMP. Because the session keepalive feature is checking for the subscriber's health and presence, this feature is applied only to the session as a whole and not per-flow.
DETAILED STEPS
Configuring a Session Keepalive on a RADIUS Server
SUMMARY STEPS
DETAILED STEPS
Configuring the ISG to Interact with the RADIUS Server
The ISG device interacts with the RADIUS server to listen for the Packet of Disconnect (POD) message from the RADIUS server. On receipt, the POD and associated attributes are handed to the appropriate client to disconnect the session. Perform this task to configure the ISG to interact with the RADIUS server to listen for the POD message.
DETAILED STEPS
Configuration Examples for ISG Policies for Session Maintenance
Example Session Timer Configuration in a Service Policy Map
The following example limits session time in a service policy map to 4800 seconds (80 minutes):
class-map type traffic match-any traffic-class
 match access-group input 101
 match access-group output 102
policy-map type service video-service
 class traffic-class
  police input 20000 30000 60000
  police output 21000 31500 63000
  timeout absolute 4800
 class type traffic default
  drop
Example Connection Idle Timer Configuration in a Service Policy Map
The following example limits idle connection time in a service policy map to 30 seconds:
class-map type traffic match-any traffic-class
 match access-group input 101
 match access-group output 102
policy-map type service video-service
 class type traffic traffic-class
  police input 20000 30000 60000
  police output 21000 31500 63000
  timeout idle 30
 class type traffic default
  drop
Example Session Timer Show Command Output
The following example shows the settings for the session timer displayed by the show subscriber session all privileged EXEC command.
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 3
Identifier: user01
SIP subscriber access type(s): PPPoE/PPP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:02:50, Last Changed: 00:02:53
AAA unique ID: 4
Interface: Virtual-Access2.1
Policy information:
  Context 02DE7380: Handle 1B000009
  Authentication status: authen
  User profile, excluding services:
    Framed-Protocol 1 [PPP]
    username "user01"
    Framed-Protocol 1 [PPP]
    username "user01"
  Prepaid context: not present
Non-datapath features:
 Feature: Session Timeout
  Timeout value is 180000 seconds
  Time remaining is 2d01h
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 00:02:52
Example Connection Idle Timer Show Command Output
The following example shows the settings for the idle timer as displayed by the show subscriber session all privileged EXEC command.
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 4
Identifier: user01
SIP subscriber access type(s): PPPoE/PPP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:01:44, Last Changed: 00:01:46
AAA unique ID: 5
Interface: Virtual-Access2.1
Policy information:
  Context 02DE7380: Handle AD00000C
  Authentication status: authen
  User profile, excluding services:
    Framed-Protocol 1 [PPP]
    username "user01"
    Framed-Protocol 1 [PPP]
    username "user01"
  Prepaid context: not present
Session outbound features:
 Feature: PPP Idle Timeout
  Timeout value is 2000
  Idle time is 00:01:44
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 00:01:47
Example Session Timer Debug Output
The following example shows output when the session timer debug commands (debug subscriber feature error, debug subscriber feature event, debug subscriber feature name session-timer error, and debug subscriber feature name session-timer event) are enabled.
*Jan 12 18:38:51.947: SSF[Vi2.1/Abs Timeout]: Vaccess interface config update; not per-user, ignore
*Jan 12 18:38:53.195: SSF[Vt1/uid:3]: Install interface configured features
*Jan 12 18:38:53.195: SSF[Vt1/uid:3]: Associate segment element handle 0x95000002 for session 1191182344, 1 entries
*Jan 12 18:38:53.195: SSF[Vt1/uid:3/Abs Timeout]: Group feature install
*Jan 12 18:38:53.195: SSF[uid:3/Abs Timeout]: Adding feature to none segment(s)
Example Connection Idle Timer Debug Output
The following example shows output when the idle timer debug commands (debug subscriber feature error, debug subscriber feature event, debug subscriber feature name idle-timer error, and debug subscriber feature name idle-timer event) are enabled.
*Jan 12 18:43:15.167: SSF[Vt1/uid:4]: Install interface configured features
*Jan 12 18:43:15.167: SSF[Vt1/uid:4]: Associate segment element handle 0xF4000003 for session 67108875, 1 entries
*Jan 12 18:43:15.167: SSF[Vt1/uid:4/Idle Timeout]: Group feature install
*Jan 12 18:43:15.167: SSF[uid:4/Idle Timeout]: Adding feature to outbound segment(s)
*Jan 12 18:43:15.167: Idle Timeout[uid:4]: Idle timer start, duration 2000 seconds, direction: outbound
*Jan 12 18:43:16.327: SSM FH: [SSS:PPPoE:8198:Idle Timeout:4097] created 02DFFDD8
*Jan 12 18:43:16.327: SSM FH: [SSS:PPPoE:8198:Idle Timeout:4097] added 02DFFDD8 [outbound]
*Jan 12 18:43:16.327: SSM FH: [SSS:PPPoE:8198:Idle Timeout:4097] installed: ok
*Jan 12 18:43:16.327: SSM FH: [SSS:PPPoE:8198:Idle Timeout:4097] installed: ok
*Jan 12 18:43:19.147: SSM FH: [SSS:PPPoE:8198:Idle Timeout:4097] bound
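Added example (not part of the Cisco guide): one way to audit captured show subscriber session all output, in the layout of the two show command examples above, for sessions that have no session or idle timer or whose timer exceeds a site limit. The two-session sample text, the 86400-second and 1800-second limits, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: two sessions in the layout of the show output above.
SAMPLE = """\
Current Subscriber Information: Total sessions 2
--------------------------------------------------
Unique Session ID: 3
Identifier: user01
Non-datapath features:
 Feature: Session Timeout
  Timeout value is 180000 seconds
--------------------------------------------------
Unique Session ID: 4
Identifier: user02
Session outbound features:
 Feature: PPP Idle Timeout
  Timeout value is 2000
"""

def parse_sessions(text):
    """Return {session_id: {"identifier": str, "timers": {feature: seconds}}}."""
    # 'current' starts as a throwaway holder for lines before the first session.
    sessions, current, feature = {}, {"timers": {}}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Unique Session ID:\s*(\d+)", line):
            current, feature = {"identifier": None, "timers": {}}, None
            sessions[int(m.group(1))] = current
        elif m := re.match(r"Identifier:\s*(\S+)", line):
            current["identifier"] = m.group(1)
        elif m := re.match(r"Feature:\s*(.+)", line):
            feature = m.group(1)
        elif feature and (m := re.match(r"Timeout value is (\d+)", line)):
            current["timers"][feature] = int(m.group(1))
    return sessions

def audit(sessions, max_absolute=86400, max_idle=1800):  # limits are assumed site policy
    """Return (session_id, identifier, finding) for missing or over-limit timers."""
    findings = []
    for sid, s in sorted(sessions.items()):
        absolute = s["timers"].get("Session Timeout")
        idle = next((v for k, v in s["timers"].items() if "Idle Timeout" in k), None)
        for name, value, limit in (("absolute", absolute, max_absolute), ("idle", idle, max_idle)):
            if value is None:
                findings.append((sid, s["identifier"], f"no {name} timer"))
            elif value > limit:
                findings.append((sid, s["identifier"], f"{name} timer {value}s > {limit}s"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_sessions(SAMPLE)), sep="\n")
```

The idle timer is matched on the substring "Idle Timeout" because the page shows it as "PPP Idle Timeout" for a PPPoE session; feature names for other session types are not shown on the page.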
Feature Information for ISG Policies for Session Maintenance
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.