Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
983
Views
0
Helpful
2
Replies

PPPoE RADIUS STOP Messages and PADT

mikerpow1991
Level 1
Level 1

‎03-14-2018 12:05 PM - edited ‎03-01-2019 03:22 PM

We have a situation with our ASR9001 and BNG setup. Since our solution uses RADIUS to authenitcatePPPoE sessions, each username is limited to 2 concurrent sessions. We have found out that if we clear a subscriber session manually, the RADIUS STOP message does not reach the RADIUS server. The same is the case if a PADT comes in, and starts clearing the session automatically. This is an issue for us because the concurrent logins have locked up the username at this point and they cannot login.

STOP messages are seen in the debug radius command, but never reach the server. We have placed 3 different laptops and performed port mirroring and monitoring on the RADIUS server and the incoming RADIUS link from the ASR9001 router to the router where the RADIUS server is connected. All have been consistent, as we capture no STOP packets. We capture START packets when the username authenticates again, but no STOP.  Since the username keeps locking up, we are convinced the ASR9001 STOP packets are not making it out of the RADIUS server.

 

But, we see STOP records for other users. If the device does not send a PADT, and the session goes stale, a STOP record is sent and the STOP record is captured on the packet capture and the user concurrent session number drops. This is very strange.

 

So, we need to know if there could be another "plane" in the ASR that could be dropping the STOP packet even though the debug indicates it is sending it? Is there a proper policy for handling disconnected sessions? We are on code 6.1.4 code.

Labels:
0 Helpful
2 Replies 2

Aleksandar Vidakovic
Cisco Employee
Cisco Employee

‎03-15-2018 09:42 AM

Can you please expand on "each username is limited to 2 concurrent sessions". How exactly have you implemented this?

0 Helpful

mikerpow1991
Level 1
Level 1
In response to Aleksandar Vidakovic

‎03-15-2018 10:21 AM - edited ‎03-15-2018 10:22 AM

The RADIUS server has settings in it to allow a configurable number of times it can go online. Our default is 2 times. If the user logs on 2 times, the count is 2. If they try again, and if a STOP has not reached the RADIUS server, the user cannot logon. The STOP message clears the simultaneous user count for that user. 

0 Helpful
Customers Also Viewed These Support Documents