Junos OS

 View Only
last person joined: 12 hours ago 

Ask questions and share experiences about Junos OS.

  • 1.  LNS MX480 Subscriber Managmnet (( accounting when reboot problem))

    Posted 02-15-2018 01:34

     

    We depolymnet MX as LNS with subscriber managnemt to prvide DSL users with internet . the radius is freeradius

    and the authentication and accounting is well work . but the problem when reboot the NAS the router didn't send any diconnect-request to Radius so the session will still active . so when router full rebooting and trying to connect they failed .

     

    this is  configuration under access profile

    Spoiler
     accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
            immediate-update;
            update-interval 10;
            statistics volume-time;
            send-acct-status-on-config-change;
            duplication;
        }


  • 2.  RE: LNS MX480 Subscriber Managmnet (( accounting when reboot problem))

     
    Posted 02-15-2018 01:39

     

    asousa,

     

    Reboot of NAS(BRAS), all the subscriber session get cleared.

    There wont be any disconnect request on wire if the node rebooted.

     

    The radius should have timeout and send acct-stop.

     

     

     



  • 3.  RE: LNS MX480 Subscriber Managmnet (( accounting when reboot problem))

     
    Posted 02-15-2018 01:44

    MX send accounting-off. Radius should clear the session from it's database.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-service-framework-acct-on-acct-off.html

     

     



  • 4.  RE: LNS MX480 Subscriber Managmnet (( accounting when reboot problem))

     
    Posted 02-15-2018 01:45

     

    Also, when the NAS/BRAS is up/online post reboot, if the radius still have existing session entry, check if you have simultaneous session or concurrent session setting on FreeRadius? if its 1, it wont allow the access grant since the existing session already exist.

     

    In that case, you either have session set 2 counts or timeout the existing sessions from Radius/AAA.

     

     

     



  • 5.  RE: LNS MX480 Subscriber Managmnet (( accounting when reboot problem))

    Posted 02-15-2018 02:01

    here is the problem

    Spoiler

    RADIUS Acct-Off messages indicate that accounting in not supported. Subscriber management issues Acct-Off messages in the following situations:

    • The Authd process is terminated and there are no active subscribers.
    • The router is shut down and accounting servers are currently configured (this action also logs out all current subscribers).
    • The router is rebooted and redundancy is disabled.

    the router sould notify Radius about termination of active subscriber by disconnect-requestion .

    but this feature is not available on junos is that right ?? if not what is pragraph above mean ????



  • 6.  RE: LNS MX480 Subscriber Managmnet (( accounting when reboot problem))

     
    Posted 02-15-2018 02:21

    Hi,

     

    In your case, say you have 1k active subscriber and say due to power outage, your MX rebooted, in that case, there is no acct-off to radius becuase the box is just rebooted. With Radius database with existing session, the acct message in would get acct-off from MX(when its up) since those subscriber aren't on MX.

     

    Now, in some use case, for new login(i mean subscriber which disconnected due to MX reboot), they try to connect and they may get access-deny if existing session exists on radius for which i suggested to have conncurrent session to be 2 or get an access.

     

     

     

     



  • 7.  RE: LNS MX480 Subscriber Managmnet (( accounting when reboot problem))
    Best Answer

    Posted 03-29-2018 04:49

    i opened jTAC  and after long time we discover that juniper is send accounting on message when its reboot but not recevied to freeradius , so after we acctivate wait-for-acct-on-ack the juniper trying to send Acct-on msg again and recevied successfully

    so every time when we reboot juniper the first msg didn't send correctly but the second one send .

     

    before the problem solved

    Spoiler
    Mar 9 06:24:09.732451 authd_access_profile_apply_acctg_config configured RADIUS send acctg ON for profile:(ADSL-radius-profile)
Mar 9 06:24:09.732460 Access profile <ADSL-radius-profile> not configured to a specific routing context
Mar 9 06:24:09.732467 CAUTION! could not turn accounting on successfully
Mar 9 06:24:09.732474 sendAcctOffRequests: Dont send ACCT-OFF as Gres recovery is not complete.

    after we activate  ( wait-for-acct-on-ack ) the problem solved

     

     

    run show log authd | match ACCT-ON
Mar 19 10:27:41.042070 authd_radius_start_auth: Sending ACCT-ON for profile: ADSL-radius-profile, LS: default, RI: default
Mar 19 10:27:41.045828 authd_send_ssh_radius_acctg_state: ACCT-ON/OFF req SENT for profile <ADSL-radius-profile>
Mar 19 10:27:41.045851 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:27:45.803262 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:27:50.303190 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:27:54.603220 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:27:55.903174 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:27:58.903044 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:03.302747 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:03.803252 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:07.702857 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:11.803231 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:12.003246 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:16.403339 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:19.803242 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:20.703260 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:25.103260 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:27.803260 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:29.503140 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:33.803270 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:35.803243 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:38.102721 REQUEST: AUTHEN - module_index 0 module(radius) return: NOT READY, ACCT-ON NOT ACK'D
Mar 19 10:28:41.047627 authd_radius_acctg_on_callback ACCT-ON failed, for profile <ADSL-radius-profile>; LR <default>; RI<default>: re-trying
Mar 19 10:28:41.047855 authd_send_ssh_radius_acctg_state: ACCT-ON/OFF req SENT for profile <ADSL-radius-profile>