Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CoA Session Context Not Found

Hello Guys,

I am using a Cisco 2951 with 15.3(3)M1, and when doing some tests with CoA i got the following error:      

*Nov  7 10:34:24.780: COA: 1.1.1.1 request queued
*Nov  7 10:34:24.780: RADIUS:  authenticator 52 CF BB 58 BB D5 69 4E - 59 3B 09 75 E9 83 54 4C
*Nov  7 10:34:24.780: RADIUS:  User-Name           [1]   2   ""
*Nov  7 10:34:24.780: RADIUS:  Acct-Session-Id     [44]  10  "0000002B"
*Nov  7 10:34:24.780: RADIUS:  Vendor, Cisco       [26]  42
*Nov  7 10:34:24.780: RADIUS:   Cisco AVpair       [1]   36  "subscriber:command=reauthenticate "
*Nov  7 10:34:24.780: RADIUS:  Message-Authenticato[80]  18
*Nov  7 10:34:24.780: RADIUS:   B6 78 8B EA DE 3B 73 26 57 53 C0 E7 47 89 2C 6D         [ x;s&WSG,m]
*Nov  7 10:34:24.780: COA: Message Authenticator decode passed

*Nov  7 10:34:24.780:  ++++++ CoA Attribute List ++++++
*Nov  7 10:34:24.780: 01EEAF6C 0 00000081 username(450) 0
*Nov  7 10:34:24.780: 01EEB7EC 0 00000001 session-id(408) 4 43(2B)
*Nov  7 10:34:24.780: 01EEB820 0 00000081 ssg-command-code(490) 1 32
*Nov  7 10:34:24.780:
*Nov  7 10:34:24.780:  ++++++ Received CoA response Attribute List ++++++
*Nov  7 10:34:24.780: 01EEB7EC 0 00000082 reply-message(273) 16 No valid Session
*Nov  7 10:34:24.780: 01EEB820 0 00000002 error-cause(272) 4 Session Context Not Found

This is very strange, because the session-id is correct.

Can anyone advice me on this? Thanks!

David

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

CoA Session Context Not Found

Hi David,

One thing that calls my attention is that in the logs the username in the CoA shows like "testguy1@xx.xx".

Also the domain shows like "xxx.xx" in the session status:

Identifier: Auth-Domain = "xxx.xx"

However, the username seems to be "testguy1@link.bm".

Is this displaying like that or are you changing it by any chance?

On the other hand, I was checking on the support for CoA on this platform and SW version. In the Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/) I could not find CoA being supported here. The only reference for CoA on this SW release is for 802.1x but I'm afraid that is not what is needed here. Not sure if thisis supposed to work here. Was it working before?

I've used CoA with a different key also. Something like:

Cisco-Account-Info = "S1.1.1.2" ===> where 1.1.1.2 is the subscriber IP.

Perhaps you can try a CoA like that to see if it makes any difference. If not, try a reload just to see if it helps. If no avail, I would suggest to open a TAC case. As I mentioned, seems like CoA is not really supported for this product and release but, if you want to have an official confirmation, is better to do it via a TAC case.

Best regards.

11 REPLIES
Cisco Employee

CoA Session Context Not Found

Hi David,

Was the CoA working before or are you just trying it?

Did you tried adding also the username? I see it's empty in the log you included.

Can you also take 'show subscriber session uid X detail internal' for the session (I hope this is available in 2951 as I never tried it on that platform). It should allow us to see the session keys.

Regards.

New Member

CoA Session Context Not Found

Hello Manuel,

Thanks for all your help. Here is the show output

LNS#show subscriber session uid 47 detailed internal
Subscriber session handle: EC00005E, state: connected, service: Local Term
Unique Session ID: 47
Identifier: testguy1@xxx.xx
SIP subscriber access type(s): VPDN/PPP
Root SIP Handle: 5300005D, PID: 313
Child SIP Handle: 7900002F, PID: 318
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 19:52:55, Last Changed: 19:52:55
Switch handle: 211E
Interface: Virtual-Access2.2

Policy information:
  Context 10EC39C0: Handle 7B00002F
  AAA_id 0000003B: Flow_handle 0
  Authentication status: authen

Policy internals:
  Policy state                        : wait-for-events
  Authorization type                  : AAA service
  Active key                          : apply-config-only
  Authorization active key            : Auth-User
  Last top level rule type            : session-service-found
  Client                              : SM
  Last message from client            : Apply Config Success
  Last message to client              : Apply Config Success
  Current key list from client        :
    Identifier: Auth-Domain = "xxx.xx"
    Identifier: Protocol-Type = 0 (PPP Access Protocol)
    Identifier: Session-Handle = 3959423070 (EC00005E)
    Identifier: Tunnel-Name = "LNS"
    Identifier: Media-Type = 2 (IP)
    Identifier: Input Interface = "GigabitEthernet0/1.2000"
    Identifier: AAA-Acct-Enbl = 1 (YES)
    Identifier: Authen-Status = 0 (Authenticated)
    Identifier: Nasport = Vty Terminal: port 47 IP 69.17.193.90
    Identifier: Auth-User = "testguy1@link.bm"
  Network plumbing done yet           : Yes
  Network plumbing directive proposed : None
  AIE handle                          : 2B00002F
  AIE user ID                         : 47
  AAA user ID                         : 0000003B/59
  Authorization index                 : 0
  Authorization priority              : 1
  Context                             : 7B00002F
  North handle                        : 00000000
  North callback                      : 00000000
  South handle                        : EC00005E
  South callback                      : 06B898A8
  Current access-type                 : PPP
  All access-types                    : [0] VPDN
                                      : [1] PPP
  No more keys available from         : PPP
  Session activated                   : Yes

Session inbound features:
Feature: QoS Policy Map
  Input Policy Map: INTERNET-15Mb-IN

Session outbound features:
Feature: QoS Policy Map
  Output Policy Map: INTERNET-15Mb-OUT

Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 19:52:55

Pending status associated with this session:
Bind status: Success, Delay delete: No, Pending mask: 0

And the debug output for a reauthenticate command

*Nov  8 10:21:58.367: RADIUS: COA  received from id 1 x.x.x.x:60590, CoA Request, len 108
*Nov  8 10:21:58.367: COA: x.x.x.x request queued
*Nov  8 10:21:58.367: RADIUS:  authenticator 1D 92 FF 04 43 EA 0E 11 - DE 49 2F AE 81 46 42 78
*Nov  8 10:21:58.367: RADIUS:  User-Name           [1]   18  testguy1@xx.xx
*Nov  8 10:21:58.367: RADIUS:  Acct-Session-Id     [44]  10  "0000003B"
*Nov  8 10:21:58.367: RADIUS:  Vendor, Cisco       [26]  42
*Nov  8 10:21:58.367: RADIUS:   Cisco AVpair       [1]   36  "subscriber:command=reauthenticate "
*Nov  8 10:21:58.367: RADIUS:  Message-Authenticato[80]  18
*Nov  8 10:21:58.367: RADIUS:   7F CA 0A 96 A7 4C 5F 05 57 33 4D 36 D6 7A 37 7E         [ L_W3M6z7~]
*Nov  8 10:21:58.367: COA: Message Authenticator decode passed

*Nov  8 10:21:58.367:  ++++++ CoA Attribute List ++++++
*Nov  8 10:21:58.367: 01FCE77C 0 00000081 username(450) 16 testguy1@xx.xx
*Nov  8 10:21:58.367: 01FCFBAC 0 00000001 session-id(408) 4 59(3B)
*Nov  8 10:21:58.367: 01FCFBE0 0 00000081 ssg-command-code(490) 1 32
*Nov  8 10:21:58.367:
*Nov  8 10:21:58.367: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov  8 10:21:58.367: RADIUS(00000000): sending
*Nov  8 10:21:58.367: RADIUS(00000000): Send CoA Nack Response to 69.17.193.4:60590 id 1, len 62
*Nov  8 10:21:58.367: RADIUS:  authenticator A3 EC 85 01 C3 31 E2 B3 - 25 22 38 79 DA 8E 95 46
*Nov  8 10:21:58.367: RADIUS:  Reply-Message       [18]  18
*Nov  8 10:21:58.367: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
*Nov  8 10:21:58.367: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
*Nov  8 10:21:58.367: RADIUS:  Message-Authenticato[80]  18
*Nov  8 10:21:58.367: RADIUS:   AC 83 2A 7C DE 7D 78 8E B7 91 C9 F0 16 8B 86 D2              [ *|}x]

Even the PoA is not working

*Nov  8 10:24:04.022: RADIUS: POD  received from id 4 x.x.x.x:57061, POD Request, len 66

*Nov  8 10:24:04.022: POD: 69.17.193.4 request queued

*Nov  8 10:24:04.022:  ++++++ POD Attribute List ++++++

*Nov  8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16

testguy1@xxx.xx

*Nov  8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)

*Nov  8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7

*Nov  8 10:24:04.022:

*Nov  8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Nov  8 10:24:04.022: RADIUS(00000000): sending

*Nov  8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44

*Nov  8 10:24:04.022: RADIUS:  authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86

*Nov  8 10:24:04.022: RADIUS:  Reply-Message       [18]  18

*Nov  8 10:24:04.022: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]

*Nov  8 10:24:04.022: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503] *Nov  8 10:24:04.022: RADIUS: POD  received from id 4 x.x.x.x:57061, POD Request, len 66
*Nov  8 10:24:04.022: POD: x.x.x.x request queued
*Nov  8 10:24:04.022:  ++++++ POD Attribute List ++++++
*Nov  8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16 testguy1@xxx.xx
*Nov  8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)
*Nov  8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7
*Nov  8 10:24:04.022:
*Nov  8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov  8 10:24:04.022: RADIUS(00000000): sending
*Nov  8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44
*Nov  8 10:24:04.022: RADIUS:  authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86
*Nov  8 10:24:04.022: RADIUS:  Reply-Message       [18]  18
*Nov  8 10:24:04.022: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
*Nov  8 10:24:04.022: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]

Thanks!!

David

Cisco Employee

CoA Session Context Not Found

Hi David,

One thing that calls my attention is that in the logs the username in the CoA shows like "testguy1@xx.xx".

Also the domain shows like "xxx.xx" in the session status:

Identifier: Auth-Domain = "xxx.xx"

However, the username seems to be "testguy1@link.bm".

Is this displaying like that or are you changing it by any chance?

On the other hand, I was checking on the support for CoA on this platform and SW version. In the Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/) I could not find CoA being supported here. The only reference for CoA on this SW release is for 802.1x but I'm afraid that is not what is needed here. Not sure if thisis supposed to work here. Was it working before?

I've used CoA with a different key also. Something like:

Cisco-Account-Info = "S1.1.1.2" ===> where 1.1.1.2 is the subscriber IP.

Perhaps you can try a CoA like that to see if it makes any difference. If not, try a reload just to see if it helps. If no avail, I would suggest to open a TAC case. As I mentioned, seems like CoA is not really supported for this product and release but, if you want to have an official confirmation, is better to do it via a TAC case.

Best regards.

New Member

CoA Session Context Not Found

Thanks Manuel. Very appreciated.

Cisco Employee

CoA Session Context Not Found

Hi David,

No problem. Were you able to test the CoA using session ID like:

Cisco-Account-Info = "S1.1.1.2"? Any luck?

Also, one thing I noticed from your debugs is that you are using a reauthenticate command in the CoA. Any specific reason to do that for a VPDN session? Did you try to do the CoA with a different command like a sesion query or an accounto logoff? Did you ended up opening a TAC case?

Just want to verify if your issue was indeed solved

Best regards.

New Member

CoA Session Context Not Found

Hello Manuel,

It did not solve it i'm afraid. I did opened a Cisco SR.. the answer after one week of troubleshooting was that COA is an ISG feature and it is not compatible with the router acting has an LNS.. No words if the 2951 supports it or not..

Will an true ISG, like the ASR1001 support LNS and ISG features like CoA?

Thanks Manuel!

New Member

CoA Session Context Not Found

Will an true ISG, like the ASR1001 support LNS and ISG features like CoA, simultaneous?

Cisco Employee

CoA Session Context Not Found

Hi David,

On an ASR1k, ISG, CoA and LNS are certainly supported and working together. I've seen this plenty of times. I cannot speak for the 2951 I'm afraid as I'm not normally working with that platform. The comment I made before regarding the support there was based simply on what I could see in the cisco.com feature navigator.

I think you should still give it a try using the session identifier as I suggested and also trying a different CoA command (not sure if reauthenticate is something we are supposed to do fo PPP session as that is normally used for 802.1x)

Best regards.

New Member

CoA Session Context Not Found

Hello Manuel,

Even the Packet of Disconnect is not working, and it should. At least the Feature Navigator says it is supported on the 2951. Do you have any recommendation for an attribute to force the subscriber to re-authenticate again?

Cisco Employee

CoA Session Context Not Found

Hi David,

Indeed the PoD is a concern but I'm just thinking on give the CoA a try with the session ID as I mentioned to see if tehre is any luck.

Also, what is your requirement exactly? Why do you need to re-authenticate the session?

Cheers

New Member

CoA Session Context Not Found

Hello manuel,

What we want to do is to force the Subscriber to restart its session again to apply then settings to the session. Just this. Any thoughts on how we can do it?

Thanks!!!!

2805
Views
0
Helpful
11
Replies
CreatePlease to create content