vMX


vMX are not updating filters on dynamic interface with values from RADIUS

  • 1.  vMX are not updating filters on dynamic interface with values from RADIUS

    Posted 13 days ago

    Hello.

    I'm testing IPoE dynamic subscriber management on vMX and have encountered one problem.
    I'm trying to set "$junos-input-filter" and "$junos-output-filter" on a dynamic interface with values received from RADIUS.


    Here is the dynamic profile:

    user# show dynamic-profiles 
    DYNINTF-2VLANS-DHCP-INET {
        predefined-variable-defaults {
            output-filter limit5mbit;
            input-filter limit5mbit;
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    proxy-arp restricted;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    family inet {
                        filter {
                            input "$junos-input-filter";
                            output "$junos-output-filter";
                        }
                        unnumbered-address lo0.0 preferred-source-address xx.xx.xx.1;
                    }
                }
            }
        }
    }
    [edit]

    Here are the filters and policers:

    user# show firewall 
    family inet {
        filter limit10mbit {
            interface-specific;
            term 1 {
                then policer police10mbit;
            }
        }
        filter limit5mbit {
            interface-specific;
            term 1 {
                then policer police5mbit;
            }
        }
    }
    policer police10mbit {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }                                   
        then discard;
    }
    policer police5mbit {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 100k;
        }
        then discard;
    }

    Here is the test connection:

    user# run show dhcp server binding  
    IP address        Session Id  Hardware address   Expires     State      Interface
    xx.xx.xx.12      40          bc:24:11:90:55:ca  2809        BOUND      ge-0/0/1.3221225510 


    user# run show interfaces ge-0/0/1.3221225510 extensive 
      Logical interface ge-0/0/1.3221225510 (Index 536870990) (SNMP ifIndex 200000078) (Generation 57)
        Flags: Up VLAN-Tag [ 0x8100.123 0x8100.10 ]  Encapsulation: ENET2
        Demux:
          Underlying interface: ge-0/0/1 (Index 150)
        Bandwidth: 0
        Traffic statistics:
         Input  bytes  :                 4660
         Output bytes  :                73307
         Input  packets:                   26
         Output packets:                 1438
        Local statistics:
         Input  bytes  :                 4436
         Output bytes  :                 4056
         Input  packets:                   22
         Output packets:                   22
        Transit statistics:
         Input  bytes  :                  224                    0 bps
         Output bytes  :                69251                    0 bps
         Input  packets:                    4                    0 pps
         Output packets:                 1416                    0 pps
        Protocol inet, MTU: 1500
        Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
        Generation: 0, Route table: 0
          Flags: Unnumbered
          Donor interface: lo0.0 (Index 320)
          Preferred source address: xx.xx.xx.1
          Input Filters: limit5mbit-ge-0/0/1.3221225510-in   <--- look at this !
          Output Filters: limit5mbit-ge-0/0/1.3221225510-out   <--- look at this !
          Addresses, Flags: Is-Primary
            Destination: Unspecified, Local: xx.xx.xx.1, Broadcast: Unspecified, Generation: 0

            
    As you can see, the default variable values ("limit5mbit") are attached to the dynamic interface, though different values are received from RADIUS:

    Excerpt from log:
    Nov 20 12:26:07.355747 Parsing RADIUS message for session-id:40
    Nov 20 12:26:07.355776 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit   <--- look at this !
    Nov 20 12:26:07.355787 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit   <--- look at this !
    Nov 20 12:26:07.355795 Framework - module(radius) return: SUCCESS


    Full log:
    Nov 20 12:26:07.334202 findSession AST-Table couldn't find the session-id:40
    Nov 20 12:26:07.334224 Process/Dispatch Client Message
    Nov 20 12:26:07.334231 New Process/Dispatch Client Message
    Nov 20 12:26:07.334244 authd_tlv_build_list_from_struct username l =1 offset =56
    Nov 20 12:26:07.334252 authd_tlv_build_list_from_struct profile l =1 offset =57
    Nov 20 12:26:07.334259 authd_tlv_build_list_from_struct password l =1 offset =58
    Nov 20 12:26:07.334267 authd_auth_aaa_msg_create: num_of_tlvs:0 tot_num_of_tlv:0
    Nov 20 12:26:07.334273 authd_auth_aaa_msg_create username:() profile:()
    Nov 20 12:26:07.334280 Process Request
    Nov 20 12:26:07.334289 SEQ RecvClientMsg:jdhcpd-client session-id:40 Opcode:65, Subcode:0 (ACCESS_REQUEST)
    Nov 20 12:26:07.334320 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.334333 getSubscriberAaaOptionsName
    Nov 20 12:26:07.334346 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
    Nov 20 12:26:07.334366 createSubscriberSession session-id:40
    Nov 20 12:26:07.334373 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.334388 createSubscriberSession UserName (bc24.1190.55ca) for session-id:40 from SDB
    Nov 20 12:26:07.334396 createSubscriberSession SDB_CLIENT_SESSION_TYPE is 1
    Nov 20 12:26:07.334425 AaaService::RoutingContext::ctor/default, ls default, ri default, tn null
    Nov 20 12:26:07.334433 AaaService::RoutingContext::ctor/default, ls default, ri default, tn null
    Nov 20 12:26:07.334444 Creating SubscriberASTEntry for session-id:40, session name:bc24.1190.55ca
    Nov 20 12:26:07.334459 fillSessionDBAttributes: attr type 10003
    Nov 20 12:26:07.334466 fillSessionDBAttributes: attr type 10005
    Nov 20 12:26:07.334472 fillSessionDBAttributes: attr type 10015
    Nov 20 12:26:07.334477 fillSessionDBAttributes: attr type 10185
    Nov 20 12:26:07.334488 fillSessionDBAttributes: session-id:40, ifdName: ge-0/0/1
    Nov 20 12:26:07.334505 initialize: No access-profile found in the SDB for session-id:40
    Nov 20 12:26:07.334513 initialize: Bbe Domain Id found in the SDB for session-id:40
    Nov 20 12:26:07.334520 initialize: PhyIfdName found in the SDB for session-id:40
    Nov 20 12:26:07.334528 initialize: InterfaceName found in the SDB for session-id:40
    Nov 20 12:26:07.334541 initialize: aaa ls:default aaa ri:default; target ls:default target ri: default
    Nov 20 12:26:07.334553 AaaService::RoutingContext::assign, ls default, ri default, tn null
    Nov 20 12:26:07.334564 setTargetRoutingContextdefault:default
    Nov 20 12:26:07.334573 AaaService::RoutingContext::assign, ls default, ri default, tn null
    Nov 20 12:26:07.334580 setRoutingContext: Querying the access-profile for user:bc24.1190.55ca on LR/RI:default:default
    Nov 20 12:26:07.334590 setRoutingContext: Access Profile Name from context is <RADIUS>)
    Nov 20 12:26:07.334607 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
    Nov 20 12:26:07.334621 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
    Nov 20 12:26:07.334628 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.334634 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
    Nov 20 12:26:07.334643 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
    Nov 20 12:26:07.334649 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
    Nov 20 12:26:07.334654 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
    Nov 20 12:26:07.334659 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
    Nov 20 12:26:07.334674 NASPortID ins and outs: phy = [ge-0/0/1] ifn = [ge] uifn = [ge-0/0/1.3221225510], ae:0 s:0 a:0 p:1 c:0 su:3221225510 sv:123 v:10
    Nov 20 12:26:07.334700 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-0/0/1 not found
    Nov 20 12:26:07.334717 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.334752 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.334760 authd_build_radius_nas_port_and_id: NASPortID = ge-0/0/1.3221225510:123-10, NASPort = 40000a, CallingStationID =
    Nov 20 12:26:07.334780 Finding a client snapshot session-id:40
    Nov 20 12:26:07.334819 setRoutingContext: Setting multi-acct-session-id to 0
    Nov 20 12:26:07.334825 setAccountingInfo: RADIUS
    Nov 20 12:26:07.334830 authd_access_profile_get: profile RADIUS found
    Nov 20 12:26:07.334837 setAccountingInfo: service accounting order 0
    Nov 20 12:26:07.334844 updateCoaDynamicVariableValidation coaValidation: 0
    Nov 20 12:26:07.334852 updateDynamicProfile: session-id:40, old dynamic profile empty, new dynamic profile empty
    Nov 20 12:26:07.334859 ../../../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:5137 Did not find dynamic-profile in the SDB for session-id:40
    Nov 20 12:26:07.334866 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
    Nov 20 12:26:07.334872 Bundle session id not found, setting to NULL
    Nov 20 12:26:07.334878 multi-acct-session-id set to 0
    Nov 20 12:26:07.334888 authd_access_profile_get: profile RADIUS found
    Nov 20 12:26:07.334894 access profile: RADIUS
    Nov 20 12:26:07.334901 On-demand IP address set to 0
    Nov 20 12:26:07.334923 SLimit: getEligibleProfile: session-limit is OFF access-profile:RADIUS session-id:40
    Nov 20 12:26:07.334932 UserAccess:bc24.1190.55ca session-id:40 Access-profile:RADIUS Multi-Acct-Session-Id:0 ACCESS_REQUEST
    Nov 20 12:26:07.334938 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(), username=()
    Nov 20 12:26:07.334952 AuthFsm::current state=AuthInit(0) event=1 astEntry=0x4f0506c aaa msg=0x4cede4c session-id:40
    Nov 20 12:26:07.334966 authd_access_profile_get: profile RADIUS found
    Nov 20 12:26:07.334973 ###################################################################
    Nov 20 12:26:07.334978 ########################### AUTH REQ RCVD #########################
    Nov 20 12:26:07.334983 ###################################################################
    Nov 20 12:26:07.334988 Auth-FSM: Process Auth-Request for session-id:40 username <bc24.1190.55ca> profile <RADIUS>
    Nov 20 12:26:07.334994 Auth-FSM: Process Auth-Request V4 for session-id:40
    Nov 20 12:26:07.334999 Framework: Starting authentication
    Nov 20 12:26:07.335005 authd_access_profile_get: profile RADIUS found
    Nov 20 12:26:07.335010 authd_advance_module_for_aaa_request_msg: result:0
    Nov 20 12:26:07.335016 Authd module start session-id:40
    Nov 20 12:26:07.335025 authd_radius_start_auth: Starting RADIUS authentication session-id:40
    Nov 20 12:26:07.335030 authd_radius_get_config: profile RADIUS
    Nov 20 12:26:07.335035 authd_radius_get_config: profile RADIUS in arm_profile_radius_tree
    Nov 20 12:26:07.335040 authd_radius_get_config:Using radius option config from access profile stanza
    Nov 20 12:26:07.335045 authd_access_profile_get: profile RADIUS found
    Nov 20 12:26:07.335060 authd_radius_build_basic_auth_request: session-id:40 profile=RADIUS, username=bc24.1190.55ca
    Nov 20 12:26:07.335069 radius-access-request: User-Name added: bc24.1190.55ca
    Nov 20 12:26:07.335078 radius-access-request: User-Password added: ""
    Nov 20 12:26:07.335096 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.335107 radius-access-request: Service-Type added: 2
    Nov 20 12:26:07.335118 radius-access-request: Chargeable-User-Identity added:
    Nov 20 12:26:07.335126 radius-access-request: Acct-Session-Id added: 40
    Nov 20 12:26:07.335143 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 32 04 55 84 56 0c 0c 0f 6e 65 74 77 6f 72 6b 2d 74 65 73 74 69 6e 67 37 0d 01 1c 02 03 0f 06 77 0c 2c 2f 1a 79 2a
    Nov 20 12:26:07.335153 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: bc24.1190.55ca
    Nov 20 12:26:07.335164 radius-access-request: Framed-IP-Address added: xx.xx.xx.12
    Nov 20 12:26:07.335172 radius-access-request: NAS-Identifier added: Juniper-vMX
    Nov 20 12:26:07.335199 radius-access-request: NAS-Port added: 00 40 00 0a
    Nov 20 12:26:07.335205 radius-access-request: NAS-Port-Id added: ge-0/0/1.3221225510:123-10
    Nov 20 12:26:07.335212 radius-access-request: NAS-Port-Type added: 15
    Nov 20 12:26:07.335222 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe bc:24:11:90:55:ca
    Nov 20 12:26:07.335232 radius-access-request: DHCP-First-Relay-IPv4-Address (Juniper-ERX-VSA) added: xx.xx.xx.1
    Nov 20 12:26:07.335260 radius-access-request: DHCP-Header (Juniper-ERX-VSA) added: 01 01 06 00 c2 49 f1 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc 24 11 90 55 ca 00 00 00 00 00 00 00 00 00 00
    Nov 20 12:26:07.335276 authd_create_application_specific_radius_server: Evaluating RADIUS server 192.168.77.175 to add to the server list
    Nov 20 12:26:07.335281 Evaluating RADIUS server 192.168.77.175 to add to the server list
    Nov 20 12:26:07.335287 Verify source address c0a84da5 in routing instance index=0
    Nov 20 12:26:07.335316 authd_radius_server_add: server 192.168.77.175 retry 5, timeout 20 acct_request 0
    Nov 20 12:26:07.335325 processSessionAttributeNasAddress 40
    Nov 20 12:26:07.335330 processSessionAttributeNasAddress return false
    Nov 20 12:26:07.335368 Request queued successfully
    Nov 20 12:26:07.335375 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
    Nov 20 12:26:07.335391 UserAccess:bc24.1190.55ca session-id:40 state:start ge-0/0/1.3221225510:123-10
    Nov 20 12:26:07.335399 Auth-FSM: GRES-Mirror for session-id:40 state:AuthStart(1)
    Nov 20 12:26:07.355668 authd_radius_get_config: profile RADIUS
    Nov 20 12:26:07.355682 authd_radius_get_config: profile RADIUS in arm_profile_radius_tree
    Nov 20 12:26:07.355695 authd_radius_get_config:Using radius option config from access profile stanza
    Nov 20 12:26:07.355700 RadiusServer: authd_radius_mark_servers_dead : 1 servers radius config, probably config changed
    Nov 20 12:26:07.355706 RadiusServer: server[0] used for last request - 192.168.77.175
    Nov 20 12:26:07.355720 loadDefaultService:: default service for the subscriber is empty
    Nov 20 12:26:07.355725 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Nov 20 12:26:07.355740 authd_get_var_list: No dynamic-profile in the AST entry with session-id:40
    Nov 20 12:26:07.355747 Parsing RADIUS message for session-id:40
    Nov 20 12:26:07.355776 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit   <--- look at this !
    Nov 20 12:26:07.355787 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit   <--- look at this !
    Nov 20 12:26:07.355795 Framework - module(radius) return: SUCCESS
    Nov 20 12:26:07.355801 authd_advance_module_for_aaa_response_msg: result:2
    Nov 20 12:26:07.355821 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.355834 Taking a client snapshot, session-id:40
    Nov 20 12:26:07.355886 accurate-acc update for subscriber Session-id:40 accurate-acc:1
    Nov 20 12:26:07.355898 Finding a client snapshot session-id:40
    Nov 20 12:26:07.356009 authd_access_profile_get: profile RADIUS found
    Nov 20 12:26:07.356016  authd_auth_update_local_server_address ::Searching access profile RADIUS for local DNS Server
    Nov 20 12:26:07.356024 Decoding incoming attributes
    Nov 20 12:26:07.356032 Subscriber attribute 10003, length 4
    Nov 20 12:26:07.356039 Subscriber attribute 10005, length 4
    Nov 20 12:26:07.356046 Subscriber attribute 10015, length 8


    Where did I make a mistake, so that vMX is not updating the filters?

    Thanks to everyone in advance for help.



    ------------------------------
    RASHAD RUSTAMOFF
    ------------------------------
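
Added example, not part of the original post and not Juniper code: a small check that compares the policy names authd logged from the Access-Accept with the filters actually attached to the subscriber interface, so the mismatch described above can be detected across many sessions instead of by eye. The function names are hypothetical, and the sample input is constructed from lines shown in the post.

```python
import re

# Constructed sample input, trimmed from the trace and CLI output in the post above.
AUTHD_TRACE = """\
Nov 20 12:26:07.355747 Parsing RADIUS message for session-id:40
Nov 20 12:26:07.355776 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit
Nov 20 12:26:07.355787 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit
"""
SHOW_INTERFACE = """\
  Logical interface ge-0/0/1.3221225510 (Index 536870990) (SNMP ifIndex 200000078) (Generation 57)
      Input Filters: limit5mbit-ge-0/0/1.3221225510-in
      Output Filters: limit5mbit-ge-0/0/1.3221225510-out
"""

SESSION_RE = re.compile(r"Parsing RADIUS message for session-id:(\d+)")
POLICY_RE = re.compile(r"(Ingress|Egress)-Policy-Name \(Juniper-ERX-VSA\) received: (\S+)")
IFL_RE = re.compile(r"Logical interface (\S+)")
FILTER_RE = re.compile(r"(Input|Output) Filters: (\S+)")
DIRECTION = {"Ingress": "in", "Egress": "out", "Input": "in", "Output": "out"}

def radius_policies(trace):
    """Map session-id -> {"in": name, "out": name} as received in the Access-Accept."""
    sessions, current = {}, None
    for line in trace.splitlines():
        if m := SESSION_RE.search(line):
            current = sessions.setdefault(m.group(1), {})
        elif (m := POLICY_RE.search(line)) and current is not None:
            current[DIRECTION[m.group(1)]] = m.group(2)
    return sessions

def attached_filters(show_output):
    """Map logical interface -> {"in": filter, "out": filter} actually attached."""
    result, ifl = {}, None
    for line in show_output.splitlines():
        if m := IFL_RE.search(line):
            ifl = m.group(1)
            result[ifl] = {}
        elif (m := FILTER_RE.search(line)) and ifl:
            d = DIRECTION[m.group(1)]
            # The output above shows instances named <filter>-<ifl>-<in|out>; strip the suffix.
            result[ifl][d] = m.group(2).removesuffix(f"-{ifl}-{d}")
    return result

def mismatches(expected, attached):
    """Return (direction, radius_value, attached_value) for each direction that differs."""
    return [(d, expected.get(d), attached.get(d)) for d in ("in", "out") if expected.get(d) != attached.get(d)]

if __name__ == "__main__":
    print(mismatches(radius_policies(AUTHD_TRACE)["40"], attached_filters(SHOW_INTERFACE)["ge-0/0/1.3221225510"]))
```

The session-to-interface pairing is passed in by hand here; in practice it can be taken from the `show dhcp server binding` output, which lists both the session ID and the interface.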