Junos
Highlighted
Junos

MX80 QinQ subscribers sessions doesn`t applying service profile

[ Edited ]
‎01-09-2020 09:32 PM

 

Model: mx80
Junos: 13.3R10.2
set dynamic-profiles CLIENTS-IPoE interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-source inet
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles svc-global-inet variables SPEED_IN default-value 100m
set dynamic-profiles svc-global-inet variables SPEED_OUT default-value 100m
set dynamic-profiles svc-global-inet variables POLICER_IN uid
set dynamic-profiles svc-global-inet variables POLICER_OUT uid
set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$SPEED_IN"
set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input precedence 50
set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output "$SPEED_OUT"
set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output precedence 50
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" interface-specific
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then policer "$POLICER_IN"
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then service-accounting
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then accept
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" interface-specific
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then policer "$POLICER_OUT"
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then service-accounting
set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then accept
set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" filter-specific
set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" logical-interface-policer
set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" then discard
set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" filter-specific
set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" logical-interface-policer
set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" then discard
set system services dhcp-local-server group IPoE authentication password IPoE
set system services dhcp-local-server group IPoE authentication username-include user-prefix OPT82NOIP
set system services dhcp-local-server group IPoE authentication username-include mac-address
set system services dhcp-local-server group IPoE dynamic-profile CLIENTS-IPoE
set system services dhcp-local-server group IPoE interface demux0.0
set access profile BILLING accounting-order radius
set access profile BILLING authentication-order radius
set access profile BILLING radius authentication-server 89.1.1.1
set access profile BILLING radius accounting-server 89.1.1.1
set access profile BILLING radius options accounting-session-id-format decimal
set access profile BILLING radius-server 89.1.1.1 port 1812
set access profile BILLING radius-server 89.1.1.1 accounting-port 1813
set access profile BILLING radius-server 89.1.1.1 secret "$9$cy-rlM7Nb2oGLxb2aZkqTz3/tOrlMXNb"
set access profile BILLING radius-server 89.1.1.1 timeout 30
set access profile BILLING radius-server 89.1.1.1 retry 5
set access profile BILLING radius-server 89.1.1.1 max-outstanding-requests 1000
set access profile BILLING radius-server 89.1.1.1 source-address 89.1.1.2
set access profile BILLING accounting order radius
set access profile BILLING accounting accounting-stop-on-failure
set access profile BILLING accounting accounting-stop-on-access-deny
set access profile BILLING accounting immediate-update
set access profile BILLING accounting coa-immediate-update
set access profile BILLING accounting address-change-immediate-update
set access profile BILLING accounting update-interval 10
set access profile BILLING accounting statistics volume-time
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges dynamic-profile VLAN-IPoE accept dhcp-v4
set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges dynamic-profile VLAN-IPoE ranges 1002-1002,10-15
set interfaces xe-0/0/1 auto-configure stacked-vlan-ranges access-profile BILLING
set interfaces xe-0/0/1 auto-configure remove-when-no-subscribers
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services

When session starts it doents apply svc-global-inet profile. it comes with values svc-global-inet($SPEED_IN,$SPEED_OUT), but it doesn`t aplly, whnat my misstake in the configuration.

Type: VLAN
Logical System: default
Routing Instance: default
Interface: demux0.1073830782
Interface type: Dynamic
Underlying Interface: xe-0/0/1
Dynamic Profile Name: VLAN-IPoE
Dynamic Profile Version: 1
State: Active
Session ID: 183647
Stacked VLAN Id: 0x8100.1002
VLAN Id: 0x8100.11
Login Time: 2020-01-09 14:45:05 UTC

Type: DHCP
User Name: OPT82NOIP.68ff.7b98.0083
IP Address: 89.1.3.12
IP Netmask: 255.255.254.0
Logical System: default
Routing Instance: default
Interface: demux0.1073830780
Interface type: Static
Underlying Interface: demux0.1073830780
Dynamic Profile Name: CLIENTS-IPoE
Dynamic Profile Version: 1
MAC Address: 68:ff:7b:98:00:83
State: Configured
Radius Accounting ID: 183648
Session ID: 183648
Stacked VLAN Id: 1002
VLAN Id: 15
Login Time: 2020-01-09 14:45:05 UTC
DHCP Options: len 40
35 01 01 39 02 02 40 37 08 01 03 06 0c 0f 1c 2a 79 3c 0c 75
64 68 63 70 20 31 2e 33 30 2e 31 0c 07 4f 70 65 6e 57 72 74
IP Address Pool: Dynamic-POOL1

Authentication State: AuthClntRespWait (why?)

dmitry@Mine-Juniper-GW# run show network-access aaa subscribers session-id 183648 detail
Type: dhcp
Stripped username: OPT82NOIP.68ff.7b98.0083
AAA Logical system/Routing instance: default:default
Target Logical system/Routing instance: default:default
Access-profile: BILLING
Session ID: 183648
Accounting Session ID: 183648
Multi Accounting Session ID: 0
IP Address: 89.1.3.12
Authentication State: AuthClntRespWait
Accounting State: Acc-Init
Provisioning Type: None


Maybe my firmware needs to be upgraded? 

 

15 REPLIES 15
Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-10-2020 01:47 AM

Hello,

 

Your subscriber is in state "Configured" instead of "Active", which means that it can't connect. AuthClntRepsWait most likely means that it's not able to authenticate the subscriber - it's waiting a response from the Radius server. "show network-access aaa statistics authentication" can be checked to confirm.

 

13.3R10.2 is a really old release, but your configuration should work.

 

Best regards,

Sergii

-------------------------------------------------------------------

Please accept the solution if your problem is resolved Smiley Happy

-------------------------------------------------------------------

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-10-2020 06:03 AM

That`s all I have

dmitry@Mine-Juniper-GW# run show network-access aaa statistics authentication detail
Authentication module statistics
  Requests received: 95383
  Accepts: 18569
  Rejects: 76807
    RADIUS authentication failures: 76807
      Queue request deleted: 0
      Malformed reply: 0
      No server configured: 0
      Access Profile configuration not found: 0
      Unable to create client record: 0
      Unable to create client request: 0
      Unable to build authentication request: 0
      No available server: 0
      Unable to create handle: 0
      Unable to queue request: 0
      Invalid credentials: 76807
      Malformed request: 0
      License unavailable: 0
      Redirect requested: 0
      Internal failure: 0
    Local authentication failures: 0
    LDAP lookup failures: 0
  Challenges: 0
  Timed out requests: 7
Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-10-2020 06:11 AM

Can you check which counter is incrementing?

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-10-2020 07:27 AM

for a clean experiment, I rebooted the system, that's what we have

dmitry@Mine-Juniper-GW# run show subscribers
Interface           IP Address/VLAN ID                      User Name                      LS:RI
demux0.1073741824   0x8100.1002 0x8100.11                                             default:default
demux0.1073741825   0x8100.1002 0x8100.15                                             default:default
demux0.1073741826   0x8100.1002 0x8100.14                                             default:default
demux0.1073741827   0x8100.1002 0x8100.13                                             default:default
demux0.1073741828   0x8100.1002 0x8100.10                                             default:default
demux0.1073741829   0x8100.1002 0x8100.12                                             default:default
demux0.1073741825   89.1.3.2                            OPT82NOIP.68ff.7b98.0083       default:default
demux0.1073741824   10.38.96.3                              OPT82NOIP.64d1.5406.c59c       default:default
demux0.1073741825   10.38.96.5                              OPT82NOIP.64d1.5406.c5a0       default:default
demux0.1073741827   10.38.96.4                              OPT82NOIP.64d1.5406.c59e       default:default
demux0.1073741826   10.38.96.6                              OPT82NOIP.64d1.5406.c59f       default:default
demux0.1073741828   10.38.96.7                              OPT82NOIP.64d1.5406.c59b       default:default
demux0.1073741829   10.38.96.8                              OPT82NOIP.64d1.5406.c59d       default:default
dmitry@Mine-Juniper-GW# run show network-access aaa statistics authentication detail
Authentication module statistics
  Requests received: 7
  Accepts: 7
  Rejects: 0
    RADIUS authentication failures: 0
      Queue request deleted: 0
      Malformed reply: 0
      No server configured: 0
      Access Profile configuration not found: 0
      Unable to create client record: 0
      Unable to create client request: 0
      Unable to build authentication request: 0
      No available server: 0
      Unable to create handle: 0
      Unable to queue request: 0
      Invalid credentials: 0
      Malformed request: 0
      License unavailable: 0
      Redirect requested: 0
      Internal failure: 0
    Local authentication failures: 0
    LDAP lookup failures: 0
  Challenges: 0
  Timed out requests: 0
Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-10-2020 07:29 AM

after 5 minutes no counter is incrementing

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

[ Edited ]
‎01-10-2020 07:47 AM

after 15 minutes subscriber has still Authentication State: AuthClntRespWait

dmitry@Mine-Juniper-GW# run show network-access aaa subscribers session-id 7 detail
Type: dhcp
Stripped username: OPT82NOIP.68ff.7b98.0083
AAA Logical system/Routing instance: default:default
Target Logical system/Routing instance: default:default
Access-profile: BILLING
Session ID: 7
Accounting Session ID: 7
Multi Accounting Session ID: 0
IP Address: 89.1.3.2
Authentication State: AuthClntRespWait
Accounting State: Acc-Init
Provisioning Type: None

 

dmitry@Mine-Juniper-GW# run show network-access aaa statistics accounting detail
Accounting module statistics
  Requests received: 1
    Account on requests: 1
    Accounting start requests: 2684271748
    Accounting interim requests: 2684271748
    Accounting stop requests: 2684271748
  Accounting response failures: 0
  Accounting response success: 0
    Account on responses: 0
    Accounting start responses: 2684271748
    Accounting interim responses: 2684271748
    Accounting stop responses: 2684271748
  Timed out requests: 0
  Accounting rollover requests: 2684271748
  Accounting unknown responses: 2684271748
  Accounting pending account requests: 2684271748
  Accounting malformed responses: 2684271748
  Accounting retransmissions: 2684271748
  Accounting bad authenticators: 2684271748
  Accounting packets dropped: 2684271748

 

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-10-2020 11:48 PM

Same situation with version 15.1R7.9 

dmitry@Mine-Juniper-GW# run show network-access aaa subscribers session-id 11 detail
Type: dhcp
Username: OPT82NOIP.68ff.7b98.0083
Stripped username: OPT82NOIP.68ff.7b98.0083
AAA Logical system/Routing instance: default:default
Target Logical system/Routing instance: default:default
Access-profile: BILLING
Session ID: 11
Accounting Session ID: 11
Multi Accounting Session ID: 0
IP Address: 89.1.3.2
Authentication State: AuthClntRespWait
Accounting State: Acc-Init
Converted to time accounting: no
Provisioning Type: None

 

dmitry@Mine-Juniper-GW# run show network-access aaa statistics authentication detail
Authentication module statistics
  Requests received: 7
  Accepts: 7
  Rejects: 0
    RADIUS authentication failures: 0
      Queue request deleted: 0
      Malformed reply: 0
      No server configured: 0
      Access Profile configuration not found: 0
      Unable to create client record: 0
      Unable to create client request: 0
      Unable to build authentication request: 0
      No available server: 0
      Unable to create handle: 0
      Unable to queue request: 0
      Invalid credentials: 0
      Malformed request: 0
      License unavailable: 0
      Redirect requested: 0
      Internal failure: 0
    Local authentication failures: 0
    LDAP lookup failures: 0
  Challenges: 0
  Timed out requests: 0


Does anyone have any ideas?

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 01:56 AM

Please keep 15.1R7.9, remove all subscribers and enable the following trace logs:

set system processes general-authentication-service traceoptions file jtac-authd.log
set system processes general-authentication-service traceoptions file size 100m
set system processes general-authentication-service traceoptions file files 10
set system processes general-authentication-service traceoptions flag all
set system processes smg-service traceoptions file jtac-bbesmgd.log
set system processes smg-service traceoptions file size 100m
set system processes smg-service traceoptions file files 10
set system processes smg-service traceoptions level all
set system processes smg-service traceoptions flag all
set system processes dhcp-service traceoptions file jtac-jdhcpd.log
set system processes dhcp-service traceoptions file size 100m
set system processes dhcp-service traceoptions file files 10
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all

Then try to connect only one subscriber and check jtac-bbesmgd.log and jtac-authd.log for any clues (or provide its contents here).

 

Best regards,

Sergii

-------------------------------------------------------------------

Please accept the solution if your problem is resolved Smiley Happy

-------------------------------------------------------------------

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 05:42 AM

I attached log files with one subscriber

Attachments

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 06:49 AM

Thank you for attaching the requested logs - I don't see a single DHCP request from CPE. For some reasons it seems to ignore offers sent by MX. Can you please check whether you have any DHCP bindings (collect at least 4 outputs):

show dhcp server binding detail | refresh 20

Best regards,

Sergii

-------------------------------------------------------------------

Please accept the solution if your problem is resolved Smiley Happy

-------------------------------------------------------------------

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 07:00 AM
dmitry@Mine-Juniper-GW# run show dhcp server binding | refresh 20 ---(refreshed at 2020-01-14 14:58:30 UTC)---
IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4654 SELECTING demux0.3221---(backing up)---
---(refreshed at 2020-01-14 14:58:30 UTC)---
IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4654 SELECTING demux0.3221---(refreshed at 2020-01-14 14:58:50 UTC)---
IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4674 SELECTING demux0.3221---(refreshed at 2020-01-14 14:59:10 UTC)---
IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4694 SELECTING demux0.3221---(refreshed at 2020-01-14 14:59:30 UTC)---
IP address Session Id Hardware address Expires State Interface 89.190.112.15 233 64:d1:54:06:c5:9d -4714 SELECTING demux0.3221---(*more 100%)---[abort]
[edit]
dmitry@Mine-Juniper-GW#
Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 07:07 AM

It means that MX sends DHCP Offer, but doesn't receive DHCP Request. The issue is on CPE side - it doesn't send DHCP Request.

 

Best regards,

Sergii

-------------------------------------------------------------------

Please accept the solution if your problem is resolved Smiley Happy

-------------------------------------------------------------------

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 07:24 AM
Is it means problem on user side?
Highlighted
Junos
Solution
Accepted by topic author Wildarp
‎01-14-2020 08:21 AM

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 07:32 AM

Exactly. CPE (subscriber) and MX need to exchange four DHCP packets to get CPE connected to MX via DHCP (aka DORA process) - please check out this link for more detail.

According to the logs, in your scenario only two packets are exchanged, and CPE doesn't send DHCP Request. You can also use the following command to check packets that are exchanged between RE (routing engine ) and CPE:

monitor traffic interface xe-0/0/1 no-resolve

Best regards,

Sergii

-------------------------------------------------------------------

Please accept the solution if your problem is resolved Smiley Happy

-------------------------------------------------------------------

Highlighted
Junos

Re: MX80 QinQ subscribers sessions doesn`t applying service profile

‎01-14-2020 08:20 AM
Thank you so much for your help
Feedback