Junos OS

Expand all | Collapse all

MX80 QinQ subscribers sessions doesn`t applying service profile

Jump to Best Answer
  • 1.  MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-09-2020 21:32

     

    Model: mx80
    Junos: 13.3R10.2
    
    set dynamic-profiles CLIENTS-IPoE interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-source inet
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" no-traps
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
    
    set dynamic-profiles svc-global-inet variables SPEED_IN default-value 100m
    set dynamic-profiles svc-global-inet variables SPEED_OUT default-value 100m
    set dynamic-profiles svc-global-inet variables POLICER_IN uid
    set dynamic-profiles svc-global-inet variables POLICER_OUT uid
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$SPEED_IN"
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input precedence 50
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output "$SPEED_OUT"
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output precedence 50
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" interface-specific
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then policer "$POLICER_IN"
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then service-accounting
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then accept
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" interface-specific
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then policer "$POLICER_OUT"
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then service-accounting
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then accept
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" filter-specific
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" logical-interface-policer
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" then discard
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" filter-specific
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" logical-interface-policer
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" then discard
    
    set system services dhcp-local-server group IPoE authentication password IPoE
    set system services dhcp-local-server group IPoE authentication username-include user-prefix OPT82NOIP
    set system services dhcp-local-server group IPoE authentication username-include mac-address
    set system services dhcp-local-server group IPoE dynamic-profile CLIENTS-IPoE
    set system services dhcp-local-server group IPoE interface demux0.0
    
    set access profile BILLING accounting-order radius
    set access profile BILLING authentication-order radius
    set access profile BILLING radius authentication-server 89.1.1.1
    set access profile BILLING radius accounting-server 89.1.1.1
    set access profile BILLING radius options accounting-session-id-format decimal
    set access profile BILLING radius-server 89.1.1.1 port 1812
    set access profile BILLING radius-server 89.1.1.1 accounting-port 1813
    set access profile BILLING radius-server 89.1.1.1 secret "$9$cy-rlM7Nb2oGLxb2aZkqTz3/tOrlMXNb"
    set access profile BILLING radius-server 89.1.1.1 timeout 30
    set access profile BILLING radius-server 89.1.1.1 retry 5
    set access profile BILLING radius-server 89.1.1.1 max-outstanding-requests 1000
    set access profile BILLING radius-server 89.1.1.1 source-address 89.1.1.2
    set access profile BILLING accounting order radius
    set access profile BILLING accounting accounting-stop-on-failure
    set access profile BILLING accounting accounting-stop-on-access-deny
    set access profile BILLING accounting immediate-update
    set access profile BILLING accounting coa-immediate-update
    set access profile BILLING accounting address-change-immediate-update
    set access profile BILLING accounting update-interval 10
    set access profile BILLING accounting statistics volume-time
    
    set interfaces xe-0/0/1 flexible-vlan-tagging
    set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges dynamic-profile VLAN-IPoE accept dhcp-v4
    set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges dynamic-profile VLAN-IPoE ranges 1002-1002,10-15
    set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges access-profile BILLING
    set interfaces xe-0/0/1 auto-configure remove-when-no-subscribers
    set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
    

    When session starts it doents apply svc-global-inet profile. it comes with values svc-global-inet($SPEED_IN,$SPEED_OUT), but it doesn`t aplly, whnat my misstake in the configuration.

    Type: VLAN
    Logical System: default
    Routing Instance: default
    Interface: demux0.1073830782
    Interface type: Dynamic
    Underlying Interface: xe-0/0/1
    Dynamic Profile Name: VLAN-IPoE
    Dynamic Profile Version: 1
    State: Active
    Session ID: 183647
    Stacked VLAN Id: 0x8100.1002
    VLAN Id: 0x8100.11
    Login Time: 2020-01-09 14:45:05 UTC
    
    Type: DHCP
    User Name: OPT82NOIP.68ff.7b98.0083
    IP Address: 89.1.3.12
    IP Netmask: 255.255.254.0
    Logical System: default
    Routing Instance: default
    Interface: demux0.1073830780
    Interface type: Static
    Underlying Interface: demux0.1073830780
    Dynamic Profile Name: CLIENTS-IPoE
    Dynamic Profile Version: 1
    MAC Address: 68:ff:7b:98:00:83
    State: Configured
    Radius Accounting ID: 183648
    Session ID: 183648
    Stacked VLAN Id: 1002
    VLAN Id: 15
    Login Time: 2020-01-09 14:45:05 UTC
    DHCP Options: len 40
    35 01 01 39 02 02 40 37 08 01 03 06 0c 0f 1c 2a 79 3c 0c 75
    64 68 63 70 20 31 2e 33 30 2e 31 0c 07 4f 70 65 6e 57 72 74
    IP Address Pool: Dynamic-POOL1
    

    Authentication State: AuthClntRespWait (why?)

    dmitry@Mine-Juniper-GW# run show network-access aaa subscribers session-id 183648 detail
    Type: dhcp
    Stripped username: OPT82NOIP.68ff.7b98.0083
    AAA Logical system/Routing instance: default:default
    Target Logical system/Routing instance: default:default
    Access-profile: BILLING
    Session ID: 183648
    Accounting Session ID: 183648
    Multi Accounting Session ID: 0
    IP Address: 89.1.3.12
    Authentication State: AuthClntRespWait
    Accounting State: Acc-Init
    Provisioning Type: None
    


    Maybe my firmware needs to be upgraded? 

     



  • 2.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

     
    Posted 01-10-2020 01:47

    Hello,

     

    Your subscriber is in state "Configured" instead of "Active", which means that it can't connect. AuthClntRepsWait most likely means that it's not able to authenticate the subscriber - it's waiting a response from the Radius server. "show network-access aaa statistics authentication" can be checked to confirm.

     

    13.3R10.2 is a really old release, but your configuration should work.

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 3.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-10-2020 06:04

    That`s all I have

    dmitry@Mine-Juniper-GW# run show network-access aaa statistics authentication detail
    Authentication module statistics
      Requests received: 95383
      Accepts: 18569
      Rejects: 76807
        RADIUS authentication failures: 76807
          Queue request deleted: 0
          Malformed reply: 0
          No server configured: 0
          Access Profile configuration not found: 0
          Unable to create client record: 0
          Unable to create client request: 0
          Unable to build authentication request: 0
          No available server: 0
          Unable to create handle: 0
          Unable to queue request: 0
          Invalid credentials: 76807
          Malformed request: 0
          License unavailable: 0
          Redirect requested: 0
          Internal failure: 0
        Local authentication failures: 0
        LDAP lookup failures: 0
      Challenges: 0
      Timed out requests: 7
    


  • 4.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

     
    Posted 01-10-2020 06:11

    Can you check which counter is incrementing?



  • 5.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-10-2020 07:28

    for a clean experiment, I rebooted the system, that's what we have

    dmitry@Mine-Juniper-GW# run show subscribers
    Interface           IP Address/VLAN ID                      User Name                      LS:RI
    demux0.1073741824   0x8100.1002 0x8100.11                                             default:default
    demux0.1073741825   0x8100.1002 0x8100.15                                             default:default
    demux0.1073741826   0x8100.1002 0x8100.14                                             default:default
    demux0.1073741827   0x8100.1002 0x8100.13                                             default:default
    demux0.1073741828   0x8100.1002 0x8100.10                                             default:default
    demux0.1073741829   0x8100.1002 0x8100.12                                             default:default
    demux0.1073741825   89.1.3.2                            OPT82NOIP.68ff.7b98.0083       default:default
    demux0.1073741824   10.38.96.3                              OPT82NOIP.64d1.5406.c59c       default:default
    demux0.1073741825   10.38.96.5                              OPT82NOIP.64d1.5406.c5a0       default:default
    demux0.1073741827   10.38.96.4                              OPT82NOIP.64d1.5406.c59e       default:default
    demux0.1073741826   10.38.96.6                              OPT82NOIP.64d1.5406.c59f       default:default
    demux0.1073741828   10.38.96.7                              OPT82NOIP.64d1.5406.c59b       default:default
    demux0.1073741829   10.38.96.8                              OPT82NOIP.64d1.5406.c59d       default:default
    
    dmitry@Mine-Juniper-GW# run show network-access aaa statistics authentication detail
    Authentication module statistics
      Requests received: 7
      Accepts: 7
      Rejects: 0
        RADIUS authentication failures: 0
          Queue request deleted: 0
          Malformed reply: 0
          No server configured: 0
          Access Profile configuration not found: 0
          Unable to create client record: 0
          Unable to create client request: 0
          Unable to build authentication request: 0
          No available server: 0
          Unable to create handle: 0
          Unable to queue request: 0
          Invalid credentials: 0
          Malformed request: 0
          License unavailable: 0
          Redirect requested: 0
          Internal failure: 0
        Local authentication failures: 0
        LDAP lookup failures: 0
      Challenges: 0
      Timed out requests: 0
    


  • 6.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-10-2020 07:30

    after 5 minutes no counter is incrementing



  • 7.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-10-2020 07:48

    after 15 minutes subscriber has still Authentication State: AuthClntRespWait

    dmitry@Mine-Juniper-GW# run show network-access aaa subscribers session-id 7 detail
    Type: dhcp
    Stripped username: OPT82NOIP.68ff.7b98.0083
    AAA Logical system/Routing instance: default:default
    Target Logical system/Routing instance: default:default
    Access-profile: BILLING
    Session ID: 7
    Accounting Session ID: 7
    Multi Accounting Session ID: 0
    IP Address: 89.1.3.2
    Authentication State: AuthClntRespWait
    Accounting State: Acc-Init
    Provisioning Type: None
    

     

    dmitry@Mine-Juniper-GW# run show network-access aaa statistics accounting detail
    Accounting module statistics
      Requests received: 1
        Account on requests: 1
        Accounting start requests: 2684271748
        Accounting interim requests: 2684271748
        Accounting stop requests: 2684271748
      Accounting response failures: 0
      Accounting response success: 0
        Account on responses: 0
        Accounting start responses: 2684271748
        Accounting interim responses: 2684271748
        Accounting stop responses: 2684271748
      Timed out requests: 0
      Accounting rollover requests: 2684271748
      Accounting unknown responses: 2684271748
      Accounting pending account requests: 2684271748
      Accounting malformed responses: 2684271748
      Accounting retransmissions: 2684271748
      Accounting bad authenticators: 2684271748
      Accounting packets dropped: 2684271748
    

     



  • 8.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-10-2020 23:49

    Same situation with version 15.1R7.9 

    dmitry@Mine-Juniper-GW# run show network-access aaa subscribers session-id 11 detail
    Type: dhcp
    Username: OPT82NOIP.68ff.7b98.0083
    Stripped username: OPT82NOIP.68ff.7b98.0083
    AAA Logical system/Routing instance: default:default
    Target Logical system/Routing instance: default:default
    Access-profile: BILLING
    Session ID: 11
    Accounting Session ID: 11
    Multi Accounting Session ID: 0
    IP Address: 89.1.3.2
    Authentication State: AuthClntRespWait
    Accounting State: Acc-Init
    Converted to time accounting: no
    Provisioning Type: None
    

     

    dmitry@Mine-Juniper-GW# run show network-access aaa statistics authentication detail
    Authentication module statistics
      Requests received: 7
      Accepts: 7
      Rejects: 0
        RADIUS authentication failures: 0
          Queue request deleted: 0
          Malformed reply: 0
          No server configured: 0
          Access Profile configuration not found: 0
          Unable to create client record: 0
          Unable to create client request: 0
          Unable to build authentication request: 0
          No available server: 0
          Unable to create handle: 0
          Unable to queue request: 0
          Invalid credentials: 0
          Malformed request: 0
          License unavailable: 0
          Redirect requested: 0
          Internal failure: 0
        Local authentication failures: 0
        LDAP lookup failures: 0
      Challenges: 0
      Timed out requests: 0
    


    Does anyone have any ideas?



  • 9.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

     
    Posted 01-14-2020 01:57

    Please keep 15.1R7.9, remove all subscribers and enable the following trace logs:

    set system processes general-authentication-service traceoptions file jtac-authd.log
    set system processes general-authentication-service traceoptions file size 100m
    set system processes general-authentication-service traceoptions file files 10
    set system processes general-authentication-service traceoptions flag all
    set system processes smg-service traceoptions file jtac-bbesmgd.log
    set system processes smg-service traceoptions file size 100m
    set system processes smg-service traceoptions file files 10
    set system processes smg-service traceoptions level all
    set system processes smg-service traceoptions flag all
    set system processes dhcp-service traceoptions file jtac-jdhcpd.log
    set system processes dhcp-service traceoptions file size 100m
    set system processes dhcp-service traceoptions file files 10
    set system processes dhcp-service traceoptions level all
    set system processes dhcp-service traceoptions flag all

    Then try to connect only one subscriber and check jtac-bbesmgd.log and jtac-authd.log for any clues (or provide its contents here).

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 10.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-14-2020 05:42
      |   view attached

    I attached log files with one subscriber

    Attachment(s)

    zip
    Logs.zip   60 K 1 version


  • 11.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

     
    Posted 01-14-2020 06:50

    Thank you for attaching the requested logs - I don't see a single DHCP request from CPE. For some reasons it seems to ignore offers sent by MX. Can you please check whether you have any DHCP bindings (collect at least 4 outputs):

    show dhcp server binding detail | refresh 20

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 12.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-14-2020 07:01
    dmitry@Mine-Juniper-GW# run show dhcp server binding | refresh 20 ---(refreshed at 2020-01-14 14:58:30 UTC)---
    IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4654 SELECTING demux0.3221---(backing up)---
    ---(refreshed at 2020-01-14 14:58:30 UTC)---
    IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4654 SELECTING demux0.3221---(refreshed at 2020-01-14 14:58:50 UTC)---
    IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4674 SELECTING demux0.3221---(refreshed at 2020-01-14 14:59:10 UTC)---
    IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4694 SELECTING demux0.3221---(refreshed at 2020-01-14 14:59:30 UTC)---
    IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4714 SELECTING demux0.3221---(*more 100%)---[abort]
    [edit]
    dmitry@Mine-Juniper-GW#


  • 13.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

     
    Posted 01-14-2020 07:07

    It means that MX sends DHCP Offer, but doesn't receive DHCP Request. The issue is on CPE side - it doesn't send DHCP Request.

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 14.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-14-2020 07:25
    Is it means problem on user side?


  • 15.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile
    Best Answer

     
    Posted 01-14-2020 07:33

    Exactly. CPE (subscriber) and MX need to exchange four DHCP packets to get CPE connected to MX via DHCP (aka DORA process) - please check out this link for more detail.

    According to the logs, in your scenario only two packets are exchanged, and CPE doesn't send DHCP Request. You can also use the following command to check packets that are exchanged between RE (routing engine ) and CPE:

    monitor traffic interface xe-0/0/1 no-resolve

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 16.  RE: MX80 QinQ subscribers sessions doesn`t applying service profile

    Posted 01-14-2020 08:21
    Thank you so much for your help