Web Authentication Fails Due to Inconsistent Listening Ports on the ME60 and Web Server

Publication Date: 2013-12-31
Issue Description
In web authentication mode, a user can open the authentication page, but authentication fails. The trace shows that no packet is exchanged between the ME60 and the web server.
Alarm Information
None
Handling Process
1. Trace the authentication process. The TCP connection setup between the ME60 and web server as well as the authentication page push process are displayed, but no packet is exchanged between the ME60 and web server.
Aug 19 2013 10:57:31.780.1 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)SYN to server received(sp:49602).]

Aug 19 2013 10:57:31.780.2 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)SYN-ACK sent to client.]

Aug 19 2013 10:57:31.780.3 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)ACK to server received(sp:49602).]

Aug 19 2013 10:57:31.780.4 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)HTTP-GET to server received(sp:49602).]

Aug 19 2013 10:57:31.780.5 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)HTTP REDIRECTION(with FIN) sent to client.]

Aug 19 2013 10:57:31.780.6 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)ACK for FIN to server received(sp:49602).]

Aug 19 2013 10:57:31.780.7 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)FIN to server received(sp:49602).]

Aug 19 2013 10:57:31.780.8 XIANDIANZIKEJIDAXUEBEI_ME60 BTRC/7/BTRC_TraceInfo:[objectID=2][slotID=1][PORTAL][user info:
  MAC Address    : 60EB-6902-45E2
  IP Address     : 10.170.72.233
  Interface      : GigabitEthernet1/0/0.1
  PE VLAN ID     : 1001
  CE VLAN ID     : 3101
  Access Mode    : IPoE ]
[trace info:(CID:35)ACK for FIN sent to client.]
2. Check the web server status. The web server is in Down state. Therefore, the ME60 and web server fail to communicate.
<ME60>display web-auth-server configuration
  Source interface      : LoopBack100
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled
  ------------------------------------------------------------------------------
  Server           State  Shared-key         Port  PortFlag   NAS-IP  DetectTime
  Vpn-instance
  ------------------------------------------------------------------------------
  211.137.185.106  DOWN   -                 50100  NO         NO        0  
  -                            
  ------------------------------------------------------------------------------
  1 Web authentication server(s) in total
3. Check whether parameter settings on the ME60 and web server are consistent. The listening port number on the ME60 is 50100, but the listening port number on the web server is 2000.
4. Set the listening port numbers on the ME60 and web server to the same value. The fault is rectified.
web-auth-server 10.255.44.1 port 2000 key simple *****
Root Cause
The authentication page can be displayed, indicating proper connectivity. Other services are working properly, indicating no loop. The possible causes are as follows:
1. The web server does not send Authentication Request packets.
2. The ME60 does not receive Authentication Request packets because the packets are discarded by an intermediate device.
3. The ME60 does not process the received Authentication Request packets due to a fault on the ME60.
4. Parameter settings on the ME60 and web server are inconsistent, leading to a communication failure.
Suggestions
If the authentication page is displayed and the web server is in Down state, communication between the ME60 and web server fails. The display of the authentication page indicates that the route is reachable. Check whether parameter settings on the two ends are consistent, especially the source address and listening port number.
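The consistency check suggested above, as an added example (not part of the original case and not Huawei tooling): a Python script that parses the display web-auth-server configuration output shown in step 2 and compares each server entry with the port the web server listens on. The expected-port mapping is an operator-supplied assumption; the value 2000 is the web server port stated in step 3.

```python
import re

# Output of "display web-auth-server configuration" as shown in step 2.
SAMPLE = """\
  Source interface      : LoopBack100
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled
  ------------------------------------------------------------------------------
  Server           State  Shared-key         Port  PortFlag   NAS-IP  DetectTime
  Vpn-instance
  ------------------------------------------------------------------------------
  211.137.185.106  DOWN   -                 50100  NO         NO        0
  -
  ------------------------------------------------------------------------------
  1 Web authentication server(s) in total
"""

# A server row starts with an IPv4 address: Server, State, Shared-key, Port.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\d+)\s")
FIELD = re.compile(r"^\s*(Source interface|Listening port)\s*:\s*(\S+)")

def parse(text):
    """Return the global fields and one dict per configured web server."""
    cfg = {"servers": []}
    for line in text.splitlines():
        if m := FIELD.match(line):
            cfg[m.group(1).lower().replace(" ", "_")] = m.group(2)
        elif m := ROW.match(line):
            ip, state, _key, port = m.groups()
            cfg["servers"].append({"ip": ip, "state": state, "port": int(port)})
    return cfg

def audit(cfg, expected):
    """expected maps server IP -> port the web server listens on (assumption:
    collected by the operator from the web server side)."""
    findings = []
    for s in cfg["servers"]:
        if s["state"] != "UP":
            findings.append(f"{s['ip']}: state {s['state']}")
        want = expected.get(s["ip"])
        if want is None:
            findings.append(f"{s['ip']}: no reference port recorded")
        elif want != s["port"]:
            findings.append(f"{s['ip']}: ME60 configured with port {s['port']}, "
                            f"web server listens on {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE), {"211.137.185.106": 2000})))
```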
