Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASR1002x PPPoE Subinterface network authorization problem

I have been able to bring up PPPoE services both on the router itself and sending authentication to a free-radius server. Unfortunately when I initiate Network Authorization. PPPoE sessions fail and i receive this error in the debug radius brief logs " %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50

I found one article on this but was unable to replicate the success of it. Below is the config and some debug logs.

 

!
aaa new-model
!
!
aaa group server radius RADIUS_SERVER
 server xx.xx.xx.66 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp default group RADIUS_SERVER
aaa authorization network default group RADIUS_SERVER
aaa authorization auth-proxy default group RADIUS_SERVER
aaa accounting send stop-record authentication failure
aaa accounting send stop-record always
aaa accounting delay-start
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting exec default start-stop group RADIUS_SERVER
aaa accounting network default start-stop group RADIUS_SERVER
aaa accounting connection default start-stop group RADIUS_SERVER
aaa accounting system default
 action-type start-stop
 group RADIUS_SERVER
!
aaa accounting resource default stop-failure group RADIUS_SERVER
!
aaa nas port extended
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
!

bba-group pppoe 880
 virtual-template 880
 vendor-tag circuit-id service
 sessions per-vc limit 65000
 sessions per-mac limit 2
 sessions per-vlan limit 65000
 sessions auto cleanup
!

interface GigabitEthernet0/0/1.880
 encapsulation dot1Q 880 second-dot1q any
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pppoe enable group 880

!

interface Virtual-Template880
 ip unnumbered Loopback1
 no ip redirects
 no peer default ip address
 ppp authentication chap

!

radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format d
radius-server host xx.xx.xx.66 auth-port 1812 acct-port 1813
radius-server timeout 60
radius-server unique-ident 2
radius-server key 7 xxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

!

 

*Aug  7 07:17:31.004: RADIUS: acct-timeout  for 7F7C777020BC now 240, acct-jitter 0, acct-delay-time (at 7F7C77702276) now 240
*Aug  7 07:17:31.004: RADIUS: No response from (208.123.195.66:1812,1813) for id 1646/69
*Aug  7 07:17:31.004: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Aug  7 07:17:31.004: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Aug  7 07:17:34.901: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.901: RADIUS: DSL line rate attributes successfully added
*Aug  7 07:17:34.901: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.902: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.902: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
*Aug  7 07:17:34.902: RADIUS/ENCODE(000042EF): acct_session_id: 30787
*Aug  7 07:17:34.902: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.902: RADIUS(000042EF): sending
*Aug  7 07:17:34.902: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.902: RADIUS(000042EF): Send Access-Request to 208.123.195.66:1812 id 1645/35,len 167
*Aug  7 07:17:34.902: RADIUS:  authenticator 64 0E 60 7E A9 03 01 4F - 9E 0F DD 36 31 47 FF 51
*Aug  7 07:17:34.902: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.902: RADIUS:  User-Name           [1]   10  "drichter"
*Aug  7 07:17:34.902: RADIUS:  CHAP-Password       [3]   19  *
*Aug  7 07:17:34.902: RADIUS:  NAS-Port-Type       [61]  6   PPPoEoQinQ                [34]
*Aug  7 07:17:34.902: RADIUS:  NAS-Port            [5]   6   37160851                  
*Aug  7 07:17:34.902: RADIUS:  NAS-Port-Id         [87]  16  "0/0/2/880.1939"
*Aug  7 07:17:34.902: RADIUS:  Vendor, Cisco       [26]  41  
*Aug  7 07:17:34.902: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8c0.9123.30cc"
*Aug  7 07:17:34.902: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Aug  7 07:17:34.902: RADIUS:  NAS-IP-Address      [4]   6   66.135.67.4               
*Aug  7 07:17:34.902: RADIUS:  Nas-Identifier      [32]  31  "ro.03.core.hoc.montanasat.net"
*Aug  7 07:17:34.902: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.904: RADIUS: Received from id 1645/35 208.123.195.66:1812, Access-Accept, len 115
*Aug  7 07:17:34.904: RADIUS:  authenticator 65 9D 3A 60 1B 92 66 6E - 42 18 5F CD C9 4B 32 99
*Aug  7 07:17:34.904: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Aug  7 07:17:34.904: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
*Aug  7 07:17:34.904: RADIUS:  Framed-IP-Address   [8]   6   66.135.70.50              
*Aug  7 07:17:34.904: RADIUS:  NAS-IP-Address      [4]   6   66.135.67.4               
*Aug  7 07:17:34.904: RADIUS:  Vendor, Cisco       [26]  65  
*Aug  7 07:17:34.904: RADIUS:   Cisco AVpair       [1]   59  "interface-config=ppp ipcp dns 216.211.190.3 216.211.191.3"
*Aug  7 07:17:34.904: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255           
*Aug  7 07:17:34.904: RADIUS(000042EF): Received from id 1645/35
*Aug  7 07:17:34.909: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Aug  7 07:17:34.910: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Aug  7 07:17:34.928: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50
*Aug  7 07:17:34.930: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.930: RADIUS/ENCODE(000042EF): Acct-session-id pre-pended with Nas Port = 0/0/2/880.1939
*Aug  7 07:17:34.930: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.930: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.930: RADIUS: Attribute 55 not sent, as system clock is not set
*Aug  7 07:17:34.931: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.933: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.933: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.933: RADIUS/ENCODE(000042EF):Orig. component type = PPPoE
*Aug  7 07:17:34.933: RADIUS/ENCODE(000042EF): Acct-session-id pre-pended with Nas Port = 0/0/2/880.1939
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IPv6: ::
*Aug  7 07:17:34.933: RADIUS: Attribute 55 not sent, as system clock is not set
*Aug  7 07:17:34.933: RADIUS(000042EF): Config NAS IP: 66.135.67.4
*Aug  7 07:17:34.935: RADIUS(000042EF): Sending a IPv4 Radius Packet
*Aug  7 07:17:34.935: RADIUS(000042EF): Started 60 sec timeout
*Aug  7 07:17:34.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug  7 07:17:34.936: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Aug  7 07:17:36.285: RADIUS(000042E6): Request timed out!

1 REPLY
Cisco Employee

Hi,The "%FMANRP_ESS-4-FULLVAI

Hi,

The "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50" meesage means that the session came up using a full Virtual-Access Interface (VAI). VAI interfaces are not supported on ASR1k platform dur to scalability. Only sub-interfaces are supported. Most likely here, some configuration is forcing the full VAI.

Looking at the radius profile sent for the user I see you are sending "Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]". Most likely this is forcing the full VAI. Please remove that attribute from the radius profile and try again. Also make sure you have configured "aaa policy interface-config allow-subinterface" in global config.

 

Regards

 

212
Views
0
Helpful
1
Replies