How Multi Action CoA Packets are Processed on ASR9K for BNG Subscribers
Available Languages
Contents
Introduction
This document explain how Change of Authorization (CoA) is processed on ASR9K platform for Broadband Network Gateway(BNG) and how you can troubleshoot it on ASR9K.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- BNG features on ASR9K
- Radius attributes
Components Used
The information in this document is based on these software and hardware versions:
- ASR9001 running 533 release.
- Free-radius server.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Change of Authorization (CoA) is an extension to the RADIUS standard that allows for asynchronous messages to be sent from RADIUS Servers to a RADIUS Client. The prime reason for CoA is to allow a RADIUS Server to change an authorization behavior for a subscriber that has already been authorized. The CoA extension to RADIUS is defined in IETF RFC 3576.
The Multi-Action CoA (MA-CoA) feature extends the current BNG CoA functionality to support multiple service activate and service deactivate commands within a single CoA request:
The idea behind multi-action CoA (MA-CoA) is that it will allow internet service providers a way to activate/deactivate multiple services in a way that is atomic from their perspective.
Use case of MA-COA
This is an example use case for MA-CoA, from a very high feature level.
- PTA session comes up with web traffic redirected to a service portal (HTTP Redirect).
- Through the service portal, customer activates first level of service. This causes a multi-action CoA request with:
- Deactivate redirection
- Activate Turbo Button 1
- Activate VoIP with 2 channels for example
- Through the service portal, customer activates second level of service. This causes a multi-action CoA request with:
- Deactivate Turbo Button 1
- Activate Turbo Button 2
- Deactivate VoIP with 2 channels
- Activate VoIP with 4 channels
In MA-CoA is that if any service in the CoA request fails to be activated/deactivated, then any services which had been activated/deactivated as part of that CoA request must be rolled back. Essentially, the session must be restored to its pre-MA-CoA state upon failure to activate/deactivate. However, there may be some rare instances where complete rollback will not be possible. For example, consider a case where resources (e.g. memory, TCAM entries, IP addresses etc..) get relinquished as part of multi-action CoA processing. If a subsequent CoA failure occurs, those resources may no longer be available, so the complete rollback may not be possible. If a rollback failure does occur, the following actions will be taken:
- If coa-rollback-failure exception is configured in the control policy, then the action specified for the rollback-failure class will be taken. For example you can disconnect the session. However, the default action for a MA-CoA rollback failure will be to preserve the session.
policy-map type control subscriber WDAAR_NOVA_POLICY event exception match-first class type control subscriber coa-rollback-failure do-all 10 disconnect ! ! end-policy-map
- If coa-rollback-failure exception is not configure in the control policy, then a syslog error will be generated on the console.
The CoA processing is distributed in that the requests can be processed either on the RP (for bundle-based sessions) or on the LC (for LC-based sessions).
Image 1. Shows CoA message flow at a high level.
Image 1 : CoA Architecture on BNG Router
MA-CoA call flow
An example of the call flow involved in processing a MA-CoA request, at a very high level, is explained here:
- CoA Client sends MA-CoA request with the following commands:
- Deactivate Service Service-Internet
- Activate Service-Audio
- Activate Service-Video
- Radiusd converts newly-defined Cisco generic VSAs to standard AAA_AT attributes, and passes to policy plane.
- The Policy Plane command handler initiates an un-associate request for service Service-Internet and an associate request for services Service-Audio & Service-Video to SubDB, and then initiates a Produce-Done request to SubDB.
- SubDB performs the necessary unassociation/associations, and coordinates with its BPI clients to apply the necessary configuration to hardware. SubDB then sends Produce Done (config applied) message to Policy Plane.
- Policy Plane command handler sends CoA ACK via radiusd to the CoA Client.
- If service-level accounting had been enabled for service Service-Internet, the Policy Plane Accounting Coordinator sends out an Accounting Stop request to the RADIUS server. Similarly, if service-level accounting is enabled for service Service-Audio orService-Video, then the Policy Plane Accounting Coordinator sends out an Accounting Start request to the RADIUS server for those services.
Configure
Use the information that is described in this section in order to configure the features that are described in this document.
Network Diagram
The following topology is used for testing MA-CoA.
Configurations
ASR9K
interface Bundle-Ether1.200 ipv4 point-to-point ipv4 unnumbered Loopback200 service-policy type control subscriber WDAAR_NOVA_POLICY encapsulation dot1q 200 ipsubscriber ipv4 l2-connected initiator dhcp initiator unclassified-source
The following control policy is applied to bring up the IPoE session.
policy-map type control subscriber WDAAR_NOVA_POLICY event session-start match-first class type control subscriber DHCP do-until-failure 10 activate dynamic-template DT_NOVA_DHCP 20 authorize aaa list WDAAR format WDAAR_USERNAME_NOVA password cisco ! class type control subscriber WDAAR_STATIC do-until-failure 10 activate dynamic-template DT_NOVA_STATIC 20 authorize aaa list WDAAR format WDAAR_IP_STATIC password cisco ! ! event authentication-no-response match-first class type control subscriber class-default do-all 10 activate dynamic-template WDAAR_NOVA_ACCT_START 20 activate dynamic-template WDAAR_NOVA_NET50 ! ! end-policy-map !
dynamic-template type ipsubscriber DT_NOVA_DHCP ipv4 unnumbered Loopback201 ! ! interface Loopback201 ipv4 address 199.195.148.1 255.255.255.0 ! dynamic-template type ipsubscriber WDAAR_NOVA_ACCT_START accounting aaa list WDAAR type session periodic-interval 5 ! ! dynamic-template type service WDAAR_NOVA_NET50 service-policy input WDAAR_10Mbps service-policy output WDAAR_Upload ! !
In order to simulate the MA-CoA behavior the two QoS policy is configured which limit the traffic both on inbound and outbound direction.
- WDAAR_DAY_PACKAGE
- WDAAR_NIGHT_PACKAGE
dynamic-template type service WDAAR_DAY_PACKAGE service-policy input WDAAR_Internet_Service_10Mbps_IN service-policy output WDAAR_Internet_Service_10Mbps_OUT accounting aaa list WDAAR type service periodic-interval 10 ! ! dynamic-template type service WDAAR_NIGHT_PACKAGE service-policy input WDAAR_Internet_Service_5Mbps_IN service-policy output WDAAR_Internet_Service_5Mbps_OUT accounting aaa list WDAAR type service periodic-interval 10 ! !
The policy is configured to police the traffic to 10Mpbs both in inbound and output direction for DAY package and for NIGHT package it is limit to 5Mpbs.
policy-map WDAAR_Internet_Service_5Mbps_IN class class-default police rate 5486 kbps ! ! policy-map WDAAR_Internet_Service_5Mbps_OUT class class-default police rate 5486 kbps ! ! policy-map WDAAR_Internet_Service_10Mbps_IN class class-default police rate 10486 kbps ! ! policy-map WDAAR_Internet_Service_10Mbps_OUT class class-default police rate 10486 kbps ! !
Verification
This section provides information that you can use in order to verify that MA-CoA works properly.
IPoE subscriber session on ASR9K.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber session all detail
Mon Jul 27 11:24:46.467 UTC
Interface: Bundle-Ether1.200.ip18010
Circuit ID: Unknown
Remote ID: Unknown
Type: IP: DHCP-trigger
IPv4 State: Up, Mon Jul 27 11:23:10 2015
IPv4 Address: 172.188.243.147, VRF: default
Mac Address: 0000.6602.0102
Account-Session Id: 00004729
Nas-Port: Unknown
User name: 0000.6602.0102
Formatted User name: 0000.6602.0102
Client User name: unknown
Outer VLAN ID: 200
Subscriber Label: 0x00000048
Created: Mon Jul 27 11:23:08 2015
State: Activated
Authentication: unauthenticated
Authorization: authorized
Access-interface: Bundle-Ether1.200
Policy Executed:
policy-map type control subscriber WDAAR_NOVA_POLICY
event Session-Start match-first [at Mon Jul 27 11:23:08 2015]
class type control subscriber DHCP do-until-failure [Succeeded]
10 activate dynamic-template DT_NOVA_DHCP [Succeeded]
20 authorize aaa list WDAAR [Succeeded]
Session Accounting:
Acct-Session-Id: 00004729
Method-list: WDAAR
Accounting started: Mon Jul 27 11:23:10 2015
Interim accounting: On, interval 2 mins
Last successful update: Never
Next update in: 00:00:24 (dhms)
Service Accounting: WDAAR_DAY_PACKAGE
Acct-Session-Id: 0000472a
Method-list: WDAAR
Accounting started: Mon Jul 27 11:23:10 2015
Interim accounting: On, interval 10 mins
Last successful update: Never
Next update in: 00:08:24 (dhms)
Last COA request received: unavailable
Now, if you check the details of the session with hidden key word internal, you can see that what AVP's you recieved from the radius. If you enable the debugs on ASR9K, while bringing up the session you can see that also. From the session output, you can see that when the subscriber comes online, you applied the WDAAR_DAY_PACKAGE, and you also enable the session accounting and also service accounting.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber session all detail internal
Mon Jul 27 11:27:10.554 UTC
Interface: Bundle-Ether1.200.ip18010
Circuit ID: Unknown
Remote ID: Unknown
Type: IP: DHCP-trigger
IPv4 State: Up, Mon Jul 27 11:23:10 2015
IPv4 Address: 172.188.243.147, VRF: default
IPv4 Up helpers: 0x00000040 {IPSUB}
IPv4 Up requestors: 0x00000040 {IPSUB}
Mac Address: 0000.6602.0102
Account-Session Id: 00004729 Nas-Port: Unknown
User name: 0000.6602.0102
Formatted User name: 0000.6602.0102
Client User name: unknown
Outer VLAN ID: 200
Subscriber Label: 0x00000048
Created: Mon Jul 27 11:23:08 2015
State: Activated
Authentication: unauthenticated
Authorization: authorized
Ifhandle: 0x000abc20 Session History ID: 1
Access-interface: Bundle-Ether1.200
SRG Flags: 0x00000000
Policy Executed:
event Session-Start match-first [at Mon Jul 27 11:23:08 2015]
class type control subscriber DHCP do-until-failure [Succeeded]
10 activate dynamic-template DT_NOVA_DHCP [cerr: No error][aaa: Success]
20 authorize aaa list WDAAR [cerr: No error][aaa: Success]
Session Accounting:
Acct-Session-Id: 00004729
Method-list: WDAAR
Accounting started: Mon Jul 27 11:23:10 2015
Interim accounting: On, interval 2 mins
Last successful update: Mon Jul 27 11:25:10 2015
Next update in: 00:02:00 (dhms)
Last update sent: Mon Jul 27 11:25:10 2015
Updates sent: 1
Updates accepted: 1
Updates rejected: 0
Update send failures: 0
Service Accounting: WDAAR_DAY_PACKAGE
Acct-Session-Id: 0000472a
Method-list: WDAAR
Accounting started: Mon Jul 27 11:23:10 2015
Interim accounting: On, interval 10 mins
Last successful update: Never
Next update in: 00:06:00 (dhms)
Last update sent: Never
Updates sent: 0
Updates accepted: 0
Updates rejected: 0
Update send failures: 0
Accouting stop state: Final stats available
Last COA request received: unavailable
User Profile received from AAA:
Attribute List: 0x50105e7c
1: acct-interval len= 4 value= 120(78) 2: accounting-list len= 5 value= WDAAR Pending Callbacks: InterimAcct>StatsD,
Services:
Name : DT_NOVA_DHCP
Service-ID : 0x4000016
Type : Template
Status : Applied
-------------------------
Name : WDAAR_DAY_PACKAGE
Service-ID : 0x400001a
Type : Multi Template
Status : Applied
-------------------------
[Event History]
Jul 27 11:23:08.672 IPv4 Start
Jul 27 11:23:10.080 SUBDB produce done
Jul 27 11:23:10.080 IPv4 Up
You can enable these debugs if you want to see the CoA and radius packets for a subscriber session.
- debug radius
- debug radius dynamic-author
RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Send Access-Request to 10.48.88.121:56777 id 229, len 218 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: authenticator D0 EF B5 50 DD 9A 1A 84 - FB 36 5C FB 5C DB 96 FE RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 41 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Cisco AVpair [1] 35 client-mac-address=0000.6602.0102 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Acct-Session-Id [44] 10 00004729 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: NAS-Port-Id [87] 11 0/0/1/200 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 17 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: cisco-nas-port [2] 11 0/0/1/200 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: User-Name [1] 16 0000.6602.0102 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Service-Type [6] 6 Outbound[0] RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: User-Password [2] 18 * RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: NAS-Port-Type [61] 6 VIRTUAL_IPOEOVLAN[0] RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Event-Timestamp [55] 6 1437996188 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 23 RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Cisco AVpair [1] 17 dhcp-client-id= RP/0/RSP0/CPU0:Jul 27 11:23:08.706 : radiusd[1133]: RADIUS: Nas-Identifier [32] 16 acdc-asr9000-4 RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: RADIUS: NAS-IP-Address [4] 6 10.48.88.54 RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: RADIUS: NAS-IPv6-Address [95] 22 1a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: RADIUS: 00 00 00 00 RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: Got global deadtime 0 RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: Using global deadtime = 0 sec RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: Start timer thread rad_ident 229 remote_port 56777 remote_addr 10.48.88.121, socket 1342510940 rctx 0x50258020 RP/0/RSP0/CPU0:Jul 27 11:23:08.707 : radiusd[1133]: Successfully sent packet and started timeout handler for rctx 0x50258020 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: Radius packet decryption complete with rc = 0 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: Received from id 229 10.48.88.121:56777, Access-Accept, len 105 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: authenticator 9D 27 8C A5 28 C8 AE 2B - 58 56 08 DF C2 BA 06 28 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: Acct-Interim-Interval[85] 6 120 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 40 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: Cisco AVpair [1] 34 subscriber:accounting-list=WDAAR RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 39 RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: RADIUS: Cisco AVpair [1] 33 subscriber:sa=WDAAR_DAY_PACKAGE RP/0/RSP0/CPU0:Jul 27 11:23:08.710 : radiusd[1133]: Freeing server group transaction_id (3D000000)
Subscriber Identity and credential AAA attributes from different components are stored in SADB (Subscriber Attribute Database). SADB does not save the subscriber configuration. You can employ the following show command to see all the attributes for that session.
- show subscriber manager sadb
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber manager sadb Mon Jul 27 12:13:36.273 UTC Sublabel: 0x00000048 Node_ID: 00000001 Signature: 0xabcdef12 Version: 1 Rev: 21 Length: 297 Attribute list: 1343184692 1: protocol-type len= 4 dhcp 2: dhcp-client-id len= 15 3: port-type len= 4 Virtual IP over VLAN 4: outer-vlan-id len= 4 200(c8) 5: client-mac-address len= 14 0000.6602.0102 6: parent-if-handle len= 4 1568(620) 7: string-session-id len= 8 00004729 8: interface len= 9 0/0/1/200 9: formatted-username len= 14 0000.6602.0102 10: username len= 14 0000.6602.0102 11: author_status len= 1 true 12: addr len= 4 172.188.243.147 13: if-handle len= 4 703520(abc20) 14: vrf-id len= 4 1610612736(60000000) 15: ipv4-session-state len= 1 true 16: accounting-list len= 5 WDAAR 17: start_time len= 4 Mon Jul 27 11:23:10 2015
There is another database called Subscriber Database(SubDB) to store the config and the association of config to session. SubDB (Subscriber Database) is designed to manage dynamic configuration for subscribers of BNG. A subscriber configuration is a set of pre-defined features and their specific values.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber database association Mon Jul 27 12:26:38.186 UTC Location 0/RSP0/CPU0 Bundle-Ether1.200.ip18010, subscriber label 0x48 Name Template Type -------- ------------- U00000048 User profile WDAAR_DAY_PACKAGE Service DT_NOVA_DHCP IP subscriber
You can also employ the filter subscriber-label to see the information for one subscriber.
- show subscriber database association subscriber-label <SUBSCRIBER-LABEL>
MA-CoA Testing
As you already applied the service WDAAR_DAY_PACKAGEon a session, so as a test first you just remove the WDAAR_DAY_PACKAGE service from the session. Now you can see that there is no service WDAAR_DAY_PACKAGE active on the session.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber session all detail internal
Mon Jul 27 13:47:55.881 UTC
Interface: Bundle-Ether1.200.ip18012
Circuit ID: Unknown
Remote ID: Unknown
Type: IP: DHCP-trigger
IPv4 State: Up, Mon Jul 27 13:33:22 2015
IPv4 Address: 172.188.243.147, VRF: default
IPv4 Up helpers: 0x00000040 {IPSUB}
IPv4 Up requestors: 0x00000040 {IPSUB}
Mac Address: 0000.6602.0102
Account-Session Id: 0000472d
Nas-Port: Unknown
User name: 0000.6602.0102
Formatted User name: 0000.6602.0102
Client User name: unknown
Outer VLAN ID: 200
Subscriber Label: 0x0000004a
Created: Mon Jul 27 13:33:21 2015
State: Activated
Authentication: unauthenticated
Authorization: authorized
Ifhandle: 0x000abca0
Session History ID: 1
Access-interface: Bundle-Ether1.200
SRG Flags: 0x00000000
Policy Executed:
event Session-Start match-first [at Mon Jul 27 13:33:21 2015]
class type control subscriber DHCP do-until-failure [Succeeded]
10 activate dynamic-template DT_NOVA_DHCP [cerr: No error][aaa: Success]
20 authorize aaa list WDAAR [cerr: No error][aaa: Success]
Session Accounting:
Acct-Session-Id: 0000472d
Method-list: WDAAR
Accounting started: Mon Jul 27 13:33:22 2015
Interim accounting: On, interval 2 mins
Last successful update: Mon Jul 27 13:47:24 2015
Next update in: 00:01:27 (dhms)
Last update sent: Mon Jul 27 13:47:24 2015
Updates sent: 7
Updates accepted: 7
Updates rejected: 0
Update send failures: 0
Accouting stop state: Final stats available
Last COA request: Mon Jul 27 13:47:50 2015
COA Request Attribute List: 0x50105f70
1: sd len= 17 value= WDAAR_DAY_PACKAGE 2: command len= 18 value= deactivate-service 3: service-info len= 17 value= WDAAR_DAY_PACKAGE 4: service-name len= 17 value= WDAAR_DAY_PACKAGE Last COA response: Result ACK
COA Response Attribute List: 0x50106180
1: sd len= 17 value= WDAAR_DAY_PACKAGE
User Profile received from AAA:
Attribute List: 0x50106390
1: acct-interval len= 4 value= 120(78)
2: accounting-list len= 5 value= WDAAR
Services:
Name : DT_NOVA_DHCP
Service-ID : 0x4000016
Type : Template
Status : Applied
-------------------------
[Event History]
Jul 27 13:33:21.152 IPv4 Start
Jul 27 13:33:22.560 IPv4 Up
Jul 27 13:47:50.528 CoA request
Jul 27 13:47:50.784 SUBDB produce done [many]
As explained, when the service is unassociated, then radiusd process on ASR9K send the accounting stop to radius server. And in the debugs this behavior is also confirmed.
RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Send Accounting-Request to 10.48.88.121:56778 id 48, len 391 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: authenticator 6C E1 D2 2B 49 1A EE E4 - 6D 36 FD FA 7A 84 26 50 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Acct-Interim-Interval[85] 6 10 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Acct-Session-Time [46] 6 868 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset[0] RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Acct-Status-Type [40] 6 Stop[0] RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Event-Timestamp [55] 6 1438004870 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 23 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Cisco AVpair [1] 17 dhcp-client-id= RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: NAS-Port-Type [61] 6 VIRTUAL_IPOEOVLAN[0] RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 41 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Cisco AVpair [1] 35 client-mac-address=0000.6602.0102 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: NAS-Port-Id [87] 11 0/0/1/200 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 17 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: cisco-nas-port [2] 11 0/0/1/200 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: User-Name [1] 16 0000.6602.0102 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Framed-IP-Address [8] 6 172.188.243.147 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 22 RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Cisco AVpair [1] 16 vrf-id=default RP/0/RSP0/CPU0:Jul 27 13:47:50.687 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 29 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Cisco AVpair [1] 23 accounting-list=WDAAR RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: AAA Unsupported Attr: user-maxlinks [196] 6 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 32 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Cisco AVpair [1] 26 connect-progress=Call Up RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 34 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Cisco AVpair [1] 28 parent-session-id=0000472d RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 38 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Cisco AVpair [1] 32 service-name=WDAAR_DAY_PACKAGE RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Acct-Session-Id [44] 10 0000472e RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Nas-Identifier [32] 16 acdc-asr9000-4 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: NAS-IP-Address [4] 6 10.48.88.54 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: NAS-IPv6-Address [95] 22 1a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: 00 00 00 00 RP/0/RSP0/CPU0:Jul 27 13:47:50.688 : radiusd[1133]: RADIUS: Acct-Delay-Time [41] 6 0
This show command also exhibit the statistics for the successful CoA.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber manager statistics AAA COA
Mon Jul 27 13:53:49.627 UTC
[ CHANGE OF AUTHORIZATION STATISTICS ]
Location: 0/RSP0/CPU0
CoA Requests:
Type Received Acked NAKed
==== ======== ===== =====
Account Logon 0 0 0
Account Logoff 0 0 0
Account Update 0 0 0
Account-Query 0 0 0
Disconnect 0 0 0
Single Service Logon 0 0 0
Single Service Logoff 1 1 0 Single Service Modify 0 0 0
Multiple Service 0 0 0
Errors:
Responses to COA with unknown session identifier = 3
[ CHANGE OF AUTHORIZATION STATISTICS ]
Location: 0/0/CPU0
CoA Requests:
Type Received Acked NAKed
==== ======== ===== =====
Account Logon 0 0 0
Account Logoff 0 0 0
Account Update 0 0 0
Account-Query 0 0 0
Disconnect 0 0 0
Single Service Logon 0 0 0
Single Service Logoff 0 0 0
Single Service Modify 0 0 0
Multiple Service 0 0 0
Errors:
None
Now, you applied the service WDAAR_NIGHT_PACKAGE on a subscriber session and see the statistics again.
Last COA request: Mon Jul 27 13:57:48 2015 COA Request Attribute List: 0x501060c8 1: sa len= 19 value= WDAAR_NIGHT_PACKAGE 2: command len= 16 value= activate-service 3: service-info len= 19 value= WDAAR_NIGHT_PACKAGE 4: service-name len= 19 value= WDAAR_NIGHT_PACKAGE Last COA response: Result ACK COA Response Attribute List: 0x501062d8 1: sa len= 19 value= WDAAR_NIGHT_PACKAGE User Profile received from AAA: Attribute List: 0x501064e8 1: acct-interval len= 4 value= 120(78) 2: accounting-list len= 5 value= WDAAR Services: Name : DT_NOVA_DHCP Service-ID : 0x4000016 Type : Template Status : Applied ------------------------- Name : WDAAR_NIGHT_PACKAGE Service-ID : 0x4000019 Type : Multi Template Status : Applied ------------------------- [Event History] Jul 27 13:33:21.152 IPv4 Start Jul 27 13:33:22.560 IPv4 Up Jul 27 13:57:48.800 CoA request [many] Jul 27 13:57:48.928 SUBDB produce done [many]
Apply the serivce, so you can see that the Serivce Logon counter is incremented and on above subscriber output you can also see that it has been applied.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber manager statistics AAA COA
Mon Jul 27 13:58:00.410 UTC
[ CHANGE OF AUTHORIZATION STATISTICS ]
Location: 0/RSP0/CPU0
CoA Requests:
Type Received Acked NAKed
==== ======== ===== =====
Account Logon 0 0 0
Account Logoff 0 0 0
Account Update 0 0 0
Account-Query 0 0 0
Disconnect 0 0 0
Single Service Logon 1 1 0
Single Service Logoff 1 1 0
Single Service Modify 0 0 0
Multiple Service 0 0 0
Errors:
Responses to COA with unknown session identifier = 3
[ CHANGE OF AUTHORIZATION STATISTICS ]
Location: 0/0/CPU0
CoA Requests:
Type Received Acked NAKed
==== ======== ===== =====
Account Logon 0 0 0
Account Logoff 0 0 0
Account Update 0 0 0
Account-Query 0 0 0
Disconnect 0 0 0
Single Service Logon 0 0 0
Single Service Logoff 0 0 0
Single Service Modify 0 0 0
Multiple Service 0 0 0
Errors:
None
Till now you are only just applying one serivce at a time with single CoA packet and remove one service with single CoA packet, now you will send a CoA packet which removes the the service and apply the service in single CoA packet.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber session all detail internal
Mon Jul 27 14:03:40.255 UTC
Interface: Bundle-Ether1.200.ip18012
Circuit ID: Unknown
Remote ID: Unknown
Type: IP: DHCP-trigger
IPv4 State: Up, Mon Jul 27 13:33:22 2015
IPv4 Address: 172.188.243.147, VRF: default
IPv4 Up helpers: 0x00000040 {IPSUB}
IPv4 Up requestors: 0x00000040 {IPSUB}
Mac Address: 0000.6602.0102
Account-Session Id: 0000472d
Nas-Port: Unknown
User name: 0000.6602.0102
Formatted User name: 0000.6602.0102
Client User name: unknown
Outer VLAN ID: 200
Subscriber Label: 0x0000004a
Created: Mon Jul 27 13:33:21 2015
State: Activated
Authentication: unauthenticated
Authorization: authorized
Ifhandle: 0x000abca0
Session History ID: 1
Access-interface: Bundle-Ether1.200
SRG Flags: 0x00000000
Policy Executed:
event Session-Start match-first [at Mon Jul 27 13:33:21 2015]
class type control subscriber DHCP do-until-failure [Succeeded]
10 activate dynamic-template DT_NOVA_DHCP [cerr: No error][aaa: Success]
20 authorize aaa list WDAAR [cerr: No error][aaa: Success]
Session Accounting:
Acct-Session-Id: 0000472d
Method-list: WDAAR
Accounting started: Mon Jul 27 13:33:22 2015
Interim accounting: On, interval 2 mins
Last successful update: Mon Jul 27 14:03:24 2015
Next update in: 00:01:43 (dhms)
Last update sent: Mon Jul 27 14:03:24 2015
Updates sent: 15
Updates accepted: 15
Updates rejected: 0
Update send failures: 0
Accouting stop state: Final stats available
Service Accounting: WDAAR_DAY_PACKAGE
Acct-Session-Id: 00004730
Method-list: WDAAR
Accounting started: Mon Jul 27 14:03:35 2015
Interim accounting: On, interval 10 mins
Last successful update: Never
Next update in: 00:09:56 (dhms)
Last update sent: Never
Updates sent: 0
Updates accepted: 0
Updates rejected: 0
Update send failures: 0
Accouting stop state: Final stats available
Last COA request: Mon Jul 27 14:03:35 2015
COA Request Attribute List: 0x50106248
1: sd len= 19 value= WDAAR_NIGHT_PACKAGE 2: command len= 18 value= deactivate-service 3: service-info len= 19 value= WDAAR_NIGHT_PACKAGE 4: service-name len= 19 value= WDAAR_NIGHT_PACKAGE 5: sa len= 17 value= WDAAR_DAY_PACKAGE 6: command len= 16 value= activate-service 7: service-info len= 17 value= WDAAR_DAY_PACKAGE 8: service-name len= 17 value= WDAAR_DAY_PACKAGE Last COA response: Result ACK
COA Response Attribute List: 0x50106458
1: sd len= 19 value= WDAAR_NIGHT_PACKAGE
2: sa len= 17 value= WDAAR_DAY_PACKAGE
User Profile received from AAA:
Attribute List: 0x50106668
1: acct-interval len= 4 value= 120(78)
2: accounting-list len= 5 value= WDAAR
Services:
Name : DT_NOVA_DHCP
Service-ID : 0x4000016
Type : Template
Status : Applied
-------------------------
Name : WDAAR_DAY_PACKAGE
Service-ID : 0x400001a
Type : Multi Template
Status : Applied
-------------------------
[Event History]
Jul 27 13:33:21.152 IPv4 Start
Jul 27 13:33:22.560 IPv4 Up
Jul 27 14:03:35.296 CoA request [many]
Jul 27 14:03:35.680 SUBDB produce done [many]
With the MA-CoA you can see that the Multi-Service counter is also increased.
RP/0/RSP0/CPU0:acdc-asr9000-4#show subscriber manager statistics AAA COA
Mon Jul 27 14:05:04.724 UTC
[ CHANGE OF AUTHORIZATION STATISTICS ]
Location: 0/RSP0/CPU0
CoA Requests:
Type Received Acked NAKed
==== ======== ===== =====
Account Logon 0 0 0
Account Logoff 0 0 0
Account Update 0 0 0
Account-Query 0 0 0
Disconnect 0 0 0
Single Service Logon 1 1 0
Single Service Logoff 1 1 0
Single Service Modify 0 0 0
Multiple Service 1 1 0
Errors:
Responses to COA with unknown session identifier = 3
[ CHANGE OF AUTHORIZATION STATISTICS ]
Location: 0/0/CPU0
CoA Requests:
Type Received Acked NAKed
==== ======== ===== =====
Account Logon 0 0 0
Account Logoff 0 0 0
Account Update 0 0 0
Account-Query 0 0 0
Disconnect 0 0 0
Single Service Logon 0 0 0
Single Service Logoff 0 0 0
Single Service Modify 0 0 0
Multiple Service 0 0 0
Errors:
None
If ASR9K recieves a CoA packet to perform any action on a subscriber session but the identifier which ASR9K recieve in CoA packet does not belong to any active subscriber session then the following message will be displaed in the logs if you enable the debugs which is suggested above..
RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: RADIUS: Received from id 159 , CoA Request, len 69 RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: RADIUS: authenticator 0D 52 11 54 B0 B7 37 07 - E1 9A 1D AF FA 1A 1A 09 RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: RADIUS: Acct-Session-Id [44] 10 00004723 RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: RADIUS: Vendor,Cisco [26] 39 RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: RADIUS: Cisco AVpair [1] 33 subscriber:sd=WDAAR_DAY_PACKAGE RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: Processing Dynamic authorization request RP/0/RSP0/CPU0:Jul 27 13:41:39.133 : radiusd[1133]: COA: Service-Name attribute is present in service profile push RP/0/RSP0/CPU0:Jul 27 13:41:39.134 : radiusd[1133]: COA/POD:request processing underway. RP/0/RSP0/CPU0:Jul 27 13:41:39.135 : iedged[245]: [IEDGE:TP83:COMMAND-HANDLER:ERROR:0x0] 0 matching session found for CoA request, rc 0 LC/0/0/CPU0:Jul 27 13:41:39.137 : iedged[209]: [IEDGE:TP83:COMMAND-HANDLER:ERROR:0x0] 0 matching session found for CoA request, rc 0
Troubleshoot
You can employ these command on ASR9K to verify the CoA packets processing. If CoA packet was successfully processed or it was being NACKed by ASR9K.
-
show radius dynamic-author
The above output exhibit the brief overview how many CoA are ACK'd and NACK'd by ASR9K.
- show subscriber manager statistics AAA COA
The output includes a statistic for the total number of singleton service activates (Service Logon) and singleton service deactivates (Service Logoff) which have been received, ACK’d, and NACK’d and also include the Multi Service counter for tracking.
- show subscriber manager statistics PRE event
The output exhibits statistics for multiple-service events which have been processed by the Policy Plane Policy Rule Engine (PRE).
- show subscriber manager statistics SVM events
If you configured the exception for coa rollback, then the above command show statistics for successful rollbacks following failed MA-CoA requests, and failed rollbacks following failed MA-CoA requests.
- show subscriber manager statistics perf non-zero
The above command give you a brief overview about the processing times of CoA on ASR9K and include transaction times (average, standard deviation, minimum, maximum, and count) for CoA transactions.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
20-Oct-2017 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)