排除MSE和融合接入(5760/3850/3650/4500s8e)上的NMSP问题
简介
网络移动服务协议(NMSP)管理移动服务引擎(MSE)和无线局域网控制器(WLC)之间的通信。
NMSP是一种双向协议,可通过面向连接或无连接传输运行。情景感知交换机可以使用NMSP与一个或多个MSE通信。NMSP基于MSE和访问控制器之间的请求和响应的双向系统。现在,让我们看看如何启用MSE和WLC之间的此通信。
此处,我们已使用3850(基于IOS的WLC)和MSE进行此帖子。
问题:
在3850和MSE之间建立NMSP隧道时遇到的问题。
使用的设备:
MSE:虚拟MSE 8.0.110(MR1)
WLC:3850 3.3.5SE
Prime基础设施(PI):2.2.1
由于NMSP在SSL(安全套接字层)上工作,因此您必须在WLC上配置MSE凭证。MSE使用其MAC地址和密钥哈希,因此WLC应了解这两个参数。您可以通过MSE CLI获取此详细信息,如下所示
[root@robin ~]# cmdshell
cmd> show server-auth-info
调用命令:com.aes.server.cli.CmdGetServerAuthInfo
AesLog队列高标记:50000
AesLog队列低标记:500
—
服务器身份验证信息
—
MAC 地址:00:50:56:9c:34:89
SHA1密钥哈希:e0ffbe2e2abeed5a2f975f059da6a1bf2bfa0
SHA2密钥哈希:6ab919e20afc103d025aaf210c2a9dda151af9403ef52e80a35ae1ecb6d3c177
证书类型:SSC
现在在融合接入(5760/3850/3650)平台上配置NMSP设置。
本例中我们使用了3850。我们必须将MSE MAC地址配置为用户名,将密钥哈希配置为密码。注意:在我的3850上运行的版本是3.3.5 SE,SHA2加密在IOS-XE中使用。
使用的命令:
3850c(config)#username 0050569c3489 aaa属性列表NMSP
3850c(config)#aaa attribute list NMSP
3850c(config)#属性类型密码6ab919e20afc103d025aaf210c2a9dda151af9403ef52e80a35ae1ecb6d3c177
3850c(config)#aaa authorization credential-download wcm_loc_serv_cert local
在您的Prime基础设施中,点击:服务>移动服务>同步服务
选择3850并点击“更改MSE分配”按钮。
然后,您需要选择要在WLC(3850)和MSE之间同步的适当MSE和服务。
验证:
完成同步服务后,您可以从WLC、MSE或PI GUI验证它。
通过3850 CLI:
通过MSE GUI
对于MSE v8.0或更高版本,请转至:(https://<MSE_IP>/mseui/)
故障排除:
如果NMSP仍处于非活动状态:
1)检查密钥哈希,如果不匹配,请手动输入哈希,如上所示
2)MSE和WLC之间应存在NTP时间同步
调试:
故障场景:
哈希密钥验证失败:
3850c#set trace nmsp connection level debug
3850c#show trace messages nmsp
[06/03/15 22:28:10.762 UTC a27 10241]已分配新的NMSP连接0
[06/03/15 22:28:10.762 UTC a28 10241] sslConnectionInit:SSL_new()conn ssl b3f8a8d0
[06/03/15 22:28:10.762 UTC a29 10241] sslConnectionInit:conn ssl b3f8a8d0的SSL_do_handshake, conn state:INIT,SSL状态:握手
[06/03/15 22:28:10.762 UTC a2a 10241] SSL状态= 0x6000;其中= 0x10;ret = 0x1
[06/03/15 22:28:10.762 UTC a2b 10241] ret_type_string=unknown
[06/03/15 22:28:10.762 UTC a2c 10241] ret_desc_string=unknown
[06/03/15 22:28:10.762 UTC a2d 10241] SSL_state_string=before/accept初始化
[06/03/15 22:28:10.762 UTC a2e 10241] SSL状态= 0x6000;其中= 0x2001;ret = 0x1
[06/03/15 22:28:10.762 UTC a2f 10241] ret_type_string=unknown
[06/03/15 22:28:10.762 UTC a30 10241] ret_desc_string=unknown
[06/03/15 22:28:10.762 UTC a31 10241] SSL_state_string=before/accept初始化
[06/03/15 22:28:10.762 UTC a32 10241] SSL状态= 0x2111;其中= 0x2002;ret = 0xffffffff
[06/03/15 22:28:10.762 UTC a33 10241] ret_type_string=unknown
[06/03/15 22:28:10.762 UTC a34 10241] ret_desc_string=unknown
[06/03/15 22:28:10.762 UTC a35 10241] SSL_state_string=SSLv3读取客户端hello B
— 更多 — ?????????????????????[06/03/15 22:28:10.762 UTC a36 10241] — 返回连接ssl b3f8a8d0的WANT_READ
[06/03/15 22:28:10.762 UTC a37 10241] sslConnectionInit()成功,连接状态为:INIT,SSL状态:握手
[06/03/15 22:28:10.768 UTC a38 10241] doSSLRecvLoop:连接0的握手尚未完成
[06/03/15 22:28:10.768 UTC a39 10241] sslConnectionInit:conn ssl b3f8a8d0的SSL_do_handshake, conn state:INIT,SSL状态:握手
[06/03/15 22:28:10.768 UTC a3a 10241] SSL状态= 0x2111;其中= 0x2001;ret = 0x1
[06/03/15 22:28:10.768 UTC a3b 10241] ret_type_string=unknown
[06/03/15 22:28:10.768 UTC a3c 10241] ret_desc_string=unknown
[06/03/15 22:28:10.768 UTC a3d 10241] SSL_state_string=SSLv3读取客户端Hello B
[06/03/15 22:28:10.768 UTC a3e 10241] SSL状态= 0x2130;其中= 0x2001;ret = 0x1
[06/03/15 22:28:10.768 UTC a3f 10241] ret_type_string=unknown
[06/03/15 22:28:10.768 UTC a40 10241] ret_desc_string=unknown
[06/03/15 22:28:10.768 UTC a41 10241] SSL_state_string=SSLv3写服务器hello A
[06/03/15 22:28:10.768 UTC a42 10241] SSL状态= 0x2140;其中= 0x2001;ret = 0x1
[06/03/15 22:28:10.768 UTC a43 10241] ret_type_string=unknown
[06/03/15 22:28:10.768 UTC a44 10241] ret_desc_string=unknown
[06/03/15 22:28:10.768 UTC a45 10241] SSL_state_string=SSLv3写证书A
— 更多 — ?????????????????????[06/03/15 22:28:10.768 UTC a46 10241] SSL状态= 0x2160;其中= 0x2001;ret = 0x1
[06/03/15 22:28:10.768 UTC a47 10241] ret_type_string=unknown
[06/03/15 22:28:10.768 UTC a48 10241] ret_desc_string=unknown
[06/03/15 22:28:10.768 UTC a49 10241] SSL_state_string=SSLv3写证书请求A
[06/03/15 22:28:10.768 UTC a4a 10241] SSL状态= 0x2100;其中= 0x2001;ret = 0x1
[06/03/15 22:28:10.768 UTC a4b 10241] ret_type_string=unknown
[06/03/15 22:28:10.768 UTC a4c 10241] ret_desc_string=unknown
[06/03/15 22:28:10.768 UTC a4d 10241] SSL_state_string=SSLv3刷新数据
[06/03/15 22:28:10.768 UTC a4e 10241] SSL状态= 0x2180;其中= 0x2002;ret = 0xffffffff
[06/03/15 22:28:10.768 UTC a4f 10241] ret_type_string=unknown
[06/03/15 22:28:10.768 UTC a50 10241] ret_desc_string=unknown
[06/03/15 22:28:10.768 UTC a51 10241] SSL_state_string=SSLv3读取客户端证书A
[06/03/15 22:28:10.768 UTC a52 10241] — 返回conn ssl b3f8a8d0的WANT_READ
[06/03/15 22:28:11.068 UTC a53 10241] doSSLRecvLoop:连接0的握手尚未完成
[06/03/15 22:28:11.068 UTC a54 10241] sslConnectionInit:conn ssl b3f8a8d0的SSL_do_handshake, conn state:INIT,SSL状态:握手
[06/03/15 22:28:11.069 UTC a55 10241]对等证书验证已完成,用于conn ssl b3f8a8d0, calling authlist。
— 更多 — ????????????????????[06/03/15 22:28:11.070 UTC a56 10241]连接ssl b3f8a8d0的Authlist身份验证失败
[06/03/15 22:28:12.070 UTC a57 10241]对等体未根据授权列表进行验证
[06/03/15 22:28:12.070 UTC a58 10241] SSL状态= 0x2182;其中= 0x4008;ret = 0x22e
[06/03/15 22:28:12.070 UTC a59 10241] ret_type_string=fatal
[06/03/15 22:28:12.070 UTC a5a 10241] ret_desc_string=certificate unknown
[06/03/15 22:28:12.070 UTC a5b 10241] SSL_state_string=SSLv3读取客户端证书C
[06/03/15 22:28:12.070 UTC a5c 10241] SSL状态= 0x2182;其中= 0x2002;ret = 0xffffffff
[06/03/15 22:28:12.070 UTC a5d 10241] ret_type_string=unknown
[06/03/15 22:28:12.070 UTC a5e 10241] ret_desc_string=unknown
[06/03/15 22:28:12.070 UTC a5f 10241] SSL_state_string=SSLv3读取客户端证书C
[06/03/15 22:28:12.070 UTC a60 10241] — conn ssl b3f8a8d0的握手失败,ssl_err 1错误=错误:140890B2:SSL例程:SSL3_GET_CLIENT_CERTIFICATE:未返回证书
[06/03/15 22:28:12.070 UTC a61 10241]释放Nmsp conn ssl b3f8a8d0, conn id 0
成功场景:
[06/06/15 17:47:53.600 UTC 4f2 10205]将NMSP_APP_MEAS_NOTIFY_MSG发送到LocServer 0
[06/06/15 17:56:34.305 UTC 4f3 10205]已分配新的NMSP连接0
— 更多 — ????????????????????[06/06/15 17:56:34.306 UTC 4f4 10205] sslConnectionInit:SSL_new()conn ssl 590a6048
[06/06/15 17:56:34.306 UTC 4f5 10205] sslConnectionInit:conn ssl 590a6048的SSL_do_handshake, conn state:INIT,SSL状态:握手
[06/06/15 17:56:34.306 UTC 4f6 10205] SSL状态= 0x6000;其中= 0x10;ret = 0x1
[06/06/15 17:56:34.306 UTC 4f7 10205] ret_type_string=unknown
[06/06/15 17:56:34.306 UTC 4f8 10205] ret_desc_string=unknown
[06/06/15 17:56:34.307 UTC 4f9 10205] SSL_state_string=before/accept初始化
[06/06/15 17:56:34.307 UTC 4fa 10205] SSL状态= 0x6000;其中= 0x2001;ret = 0x1
[06/06/15 17:56:34.307 UTC 4fb 10205] ret_type_string=unknown
[06/06/15 17:56:34.307 UTC 4fc 10205] ret_desc_string=unknown
[06/06/15 17:56:34.307 UTC 4fd 10205] SSL_state_string=before/accept初始化
[06/06/15 17:56:34.307 UTC 4fe 10205] SSL状态= 0x2111;其中= 0x2002;ret = 0xffffffff
[06/06/15 17:56:34.307 UTC 4ff 10205] ret_type_string=unknown
[06/06/15 17:56:34.307 UTC 500 10205] ret_desc_string=unknown
[06/06/15 17:56:34.307 UTC 501 10205] SSL_state_string=SSLv3读取客户端Hello B
[06/06/15 17:56:34.307 UTC 502 10205] — 返回连接ssl 590a6048的WANT_READ
[06/06/15 17:56:34.307 UTC 503 10205] sslConnectionInit()成功,连接状态为:INIT,SSL状态:握手
— 更多 — ?????????????????????[06/06/15 17:56:34.309 UTC 504 10205] doSSLRecvLoop:连接0的握手尚未完成
[06/06/15 17:56:34.309 UTC 505 10205] sslConnectionInit:conn ssl 590a6048的SSL_do_handshake, conn state:INIT,SSL状态:握手
[06/06/15 17:56:34.309 UTC 506 10205] SSL状态= 0x2111;其中= 0x2001;ret = 0x1
[06/06/15 17:56:34.309 UTC 507 10205] ret_type_string=unknown
[06/06/15 17:56:34.309 UTC 508 10205] ret_desc_string=unknown
[06/06/15 17:56:34.309 UTC 509 10205] SSL_state_string=SSLv3读取客户端Hello B
[06/06/15 17:56:34.309 UTC 50a 10205] SSL状态= 0x2130;其中= 0x2001;ret = 0x1
[06/06/15 17:56:34.309 UTC 50b 10205] ret_type_string=unknown
[06/06/15 17:56:34.309 UTC 50c 10205] ret_desc_string=unknown
[06/06/15 17:56:34.309 UTC 50d 10205] SSL_state_string=SSLv3写服务器hello A
[06/06/15 17:56:34.310 UTC 50e 10205] SSL状态= 0x2140;其中= 0x2001;ret = 0x1
[06/06/15 17:56:34.310 UTC 50f 10205] ret_type_string=unknown
[06/06/15 17:56:34.310 UTC 510 10205] ret_desc_string=unknown
[06/06/15 17:56:34.310 UTC 511 10205] SSL_state_string=SSLv3写证书A
[06/06/15 17:56:34.310 UTC 512 10205] SSL状态= 0x2160;其中= 0x2001;ret = 0x1
[06/06/15 17:56:34.310 UTC 513 10205] ret_type_string=unknown
— 更多 — ?????????????????????[06/06/15 17:56:34.310 UTC 514 10205] ret_desc_string=unknown
[06/06/15 17:56:34.310 UTC 515 10205] SSL_state_string=SSLv3写证书请求A
[06/06/15 17:56:34.310 UTC 516 10205] SSL状态= 0x2100;其中= 0x2001;ret = 0x1
[06/06/15 17:56:34.310 UTC 517 10205] ret_type_string=unknown
[06/06/15 17:56:34.310 UTC 518 10205] ret_desc_string=unknown
[06/06/15 17:56:34.310 UTC 519 10205] SSL_state_string=SSLv3刷新数据
[06/06/15 17:56:34.310 UTC 51a 10205] SSL状态= 0x2180;其中= 0x2002;ret = 0xffffffff
[06/06/15 17:56:34.310 UTC 51b 10205] ret_type_string=unknown
[06/06/15 17:56:34.310 UTC 51c 10205] ret_desc_string=unknown
[06/06/15 17:56:34.310 UTC 51d 10205] SSL_state_string=SSLv3读取客户端证书A
[06/06/15 17:56:34.310 UTC 51e 10205] — 返回连接ssl 590a6048的WANT_READ
[06/06/15 17:56:34.610 UTC 51f 10205] doSSLRecvLoop:连接0的握手尚未完成
[06/06/15 17:56:34.610 UTC 520 10205] sslConnectionInit:conn ssl 590a6048的SSL_do_handshake, conn state:INIT,SSL状态:握手
[06/06/15 17:56:34.616 UTC 521 10205]对等证书验证已完成,用于conn ssl 590a6048,主叫authlist..
[06/06/15 17:56:34.622 UTC 522 10205]连接ssl 590a6048的身份验证成功
??????????????????[06/06/15 17:56:35.616 UTC 523 10205]对等体已根据授权列表进行验证
[06/06/15 17:56:35.616 UTC 524 10205] SSL状态= 0x2180;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.616 UTC 525 10205] ret_type_string=unknown
[06/06/15 17:56:35.616 UTC 526 10205] ret_desc_string=unknown
[06/06/15 17:56:35.616 UTC 527 10205] SSL_state_string=SSLv3读取客户端证书A
[06/06/15 17:56:35.633 UTC 528 10205] SSL状态= 0x2190;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.633 UTC 529 10205] ret_type_string=unknown
[06/06/15 17:56:35.633 UTC 52a 10205] ret_desc_string=unknown
[06/06/15 17:56:35.633 UTC 52b 10205] SSL_state_string=SSLv3读取客户端密钥交换A
[06/06/15 17:56:35.635 UTC 52c 10205] SSL状态= 0x21a0;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.636 UTC 52d 10205] ret_type_string=unknown
[06/06/15 17:56:35.636 UTC 52e 10205] ret_desc_string=unknown
[06/06/15 17:56:35.636 UTC 52f 10205] SSL_state_string=SSLv3读取证书验证A
[06/06/15 17:56:35.636 UTC 530 10205] SSL状态= 0x21c0;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.636 UTC 531 10205] ret_type_string=unknown
[06/06/15 17:56:35.636 UTC 532 10205] ret_desc_string=unknown
— 更多 — ????????????????????[06/06/15 17:56:35.636 UTC 533 10205] SSL_state_string=SSLv3读取完成A
[06/06/15 17:56:35.636 UTC 534 10205] SSL状态= 0x21d0;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.636 UTC 535 10205] ret_type_string=unknown
[06/06/15 17:56:35.636 UTC 536 10205] ret_desc_string=unknown
[06/06/15 17:56:35.636 UTC 537 10205] SSL_state_string=SSLv3写更改密码规范A
[06/06/15 17:56:35.636 UTC 538 10205] SSL状态= 0x21e0;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.636 UTC 539 10205] ret_type_string=unknown
[06/06/15 17:56:35.636 UTC 53a 10205] ret_desc_string=unknown
[06/06/15 17:56:35.636 UTC 53b 10205] SSL_state_string=SSLv3写入完成A
[06/06/15 17:56:35.637 UTC 53c 10205] SSL状态= 0x2100;其中= 0x2001;ret = 0x1
[06/06/15 17:56:35.637 UTC 53d 10205] ret_type_string=unknown
[06/06/15 17:56:35.637 UTC 53e 10205] ret_desc_string=unknown
[06/06/15 17:56:35.637 UTC 53f 10205] SSL_state_string=SSLv3刷新数据
[06/06/15 17:56:35.637 UTC 540 10205] SSL状态= 0x3;其中= 0x20;ret = 0x1
[06/06/15 17:56:35.637 UTC 541 10205] ret_type_string=unknown
[06/06/15 17:56:35.637 UTC 542 10205] ret_desc_string=unknown
[06/06/15 17:56:35.637 UTC 543 10205] SSL_state_string=SSL协商成功完成
[06/06/15 17:56:35.637 UTC 544 10205] SSL状态= 0x3;其中= 0x2002;ret = 0x1
— 更多 — ????????????????????[06/06/15 17:56:35.637 UTC 545 10205] ret_type_string=unknown
[06/06/15 17:56:35.637 UTC 546 10205] ret_desc_string=unknown
[06/06/15 17:56:35.637 UTC 547 10205] SSL_state_string=SSL协商成功完成
[06/06/15 17:56:35.637 UTC 548 10205] SSL_do_handshake()成功用于conn ssl 590a6048
[06/06/15 17:56:35.637 UTC 549 10205] NMSP连接成功!用于conn 0
反馈