FAQ-Explanations for offline of MA5200F

Publication Date:  2012-07-27 Views:  118 Downloads:  0
Issue Description
QMA5200F uses display aaa offline-record command to check why some users get offline. The following is explanations for why they get offline.

Alarm Information
No

Handling Process
A

1. user request to offline
   The users request to get offline and it is normal.
2. PPP echo fail/ARP detect fail/802.1x handshake fail
The three types of reasons belong to failure of handshaking, and they correspond to PPPOE user, VLAN user and 802.1 X users respectively. The root cause lies in that MA5200F sends handshaking packets (including ARP, ECHO, EAP packets)to users, but no response from them is received, so MA5200F thinks the user has gotten offline abnormally, and disconnects the user. The common reasons include drop-off of network cables, abnormal off of terminal, down of link, crash of terminal, congestion of link, CAR of host caused by user virus, etc. For the first four reasons, they are out of control and should be avoided as possible as much. If terminal and link are in normal state, and users drop offline frequently yet, please make sure if traffic at layer 2 network is normal, and if broadcast storm causes layer-2 network to congest. At this point, lots of packets will drop when the terminal PINGs MA5200F (pings users from MA5200).



Solution: If packets are dropped due to CAR from user to host caused by layer2 network congestion or virus from user, the fundamental solution is to optimize the layer 2 network (including virus scanning for client). At the same time, adjusting the handshaking time interval and times of MA5200F could ease the problem temporarily. Noticeably, revision of handshaking time interval and times could not root the problem out; when a user drops offline because of abnormal off, crash or drop-off of cables, the accounting will generate a large gap. The relevant commands include:
VLAN user: [MA5200F]user detect
PPPOE user: [MA5200F-Virtual-Template1]ppp keepalive
DOT1X user: [MA5200F-dot1x-template-1] keepalive retransmit
Others: If the above methods cannot address the problem, you could capture packets to locate the problem; that is, add a HUB between port of MA5200F and the switch, or configure port mirror for the switch to check the interaction process of handshaking packets between MA5200 and client side as to locate the problem.
3. message to client timeout
Once passing dail-up authentication, the user is online continuously; if it sends another request packet for coming online, it will be in negotiation state again, resulting in abnormality. Generally, it should not send a second request, so it can make sure that the client is problematic. The user has been online, but the client sends another PPP negotiation packet, and MA5200F responds it, which point, the problem belongs to this type if the user does not reply a packet.
4. CM IP address alloc fail
Address allocation fails. It is possible that there is no address in address pool, or the domain the user locates at is not assigned with address pool.
Solution: Check the configurations related to address pool.
5. CM Ifnet down
That the port of MA5200F which is accessed by the user is down causes dropping-offline; 
Solution: Check why the port is UP/DOWN, including network cable, working mode of port, etc.
6. WEB user request
WEB user gets offline normally.
If a user feedbacks dropping-offline unexpectedly, and the relevant reason is that heartbeat of WEB authentication user times out. Once the WEB authentication user passes authentication, it will regularly send detection packets (heartbeat) to WEB authentication client to prevent the WEB authentication client from shut-down by the user; if WEB authentication client is shut down unexpectedly, heartbeat packet will not receive reply; at this point, if no response is received for many times, WEB will inform MA5200 user that he is cut for timeout of heartbeat.
Solution: Make sure if the communication between client and WEB server is normal or not, and if layer 2 network discards packets, etc (refer to the way to check failure of handshaking). Check if the client enables VPN service; in some cases, VPN service could make the packets from client be forwarded VPN completely, resulting in failure of heartbeat. If the user is not sensitive to accounting time, you could shut down heartbeat packet at server.
7. LNS clear session
LNS clears SESSION, and LNS disconnects link.
8. AM lease timeout
DHCP lease times out and the packet to continue the lease is not received, and the user is cut.
9. DHCP server nak
DHCP server rejects. Generally, an address has been allocated, but IP/ARP triggering online needs it still.
10. DHCP time out
DHCP server response times out.
11. DHCP declinet
t
he client side refuses;
12. CM time out
MA5200F is configured with layer 3 WEB authentication, and the user needs IP packet only, so it will cause the user to be authenticated in pre-authentication domain, but it is required for the user to pass WEB authentication if it wants to come online actually. If the user has passed the authentication in pre-authentication domain but has not undergone WEB authentication, it will be cut in five minutes, and the offline reason is cm time out. For other cases, if such kind of offline reason occurs, it is usually caused by that the user terminates the process to access network surprisingly, and further timeout of packet message. This kind of case is not worth to care.
13. Srvcfg cut command
The command line is cut;
14. CM AAA connect check fail
Entries are found inconsistent in checkup; if there is a large deal of such reasons, contact 800 engineers of Huawei, please.
15. Idle cut
The user is cut because of idle. If the traffic of a user within a certain time is less than the value set on MA5200F, MA5200F will cut the user.
Solution: If idle cut is not required, use the undo idle-cut command in the domain to shut down the functionality of idle cut; if it is RADIUS that advertises the configuration data, you could disable RADIUS to send this attribute, or use RADIUS attribute conversion tool at MA5200F to disable idle cut functionality.
16. session time out
Session times out. RADIUS advertises No. 27 attribute which cuts the user offline when the value of session-timeout is 0. The attribute is the time left for a user to access network set by RADIUS.
Solution: make sure why RADIUS advertises session-timeout=0, and if the pre-paid account contains no balance, etc;
17. ppp authentication fail
PPPOE user fails in authentication. It generally results from false user name or password, or false port VLAN, etc.
18. AAA_RTACCTFAIL
A user’s failure in real-time accounting causes it being cut-offline. When the user is online, to reduce errors in accounting, MA5200F will send accounting packets to AAA server every a certain time (12 minutes by default); if the accounting packet receives no response within the times configured, MA5200F will regard real-time accounting as failure and will cut the user.
Solution: If the user is authenticated at the local, please make sure if the local bill pool and local FLASH have available room. If TFTP standby server for bill is configured, please make sure if TFTP server works normal, and if billings could back up to TFTP server; if the user is authenticated by RADIUS, please make sure if RADIUS works normal, and if the link to RADIUS is normal, and if RADIUS supports real-time accounting packets. If RADIUS does not support real-time accounting, shut down real-time accounting at MA5200.


Root Cause
No

END