ME60 Troubleshooting Guide V1.0 (VRPv8)

This document provides the maintenance guide of the device, including daily maintenance, emergency maintenance, and typical troubleshooting.

RADIUS Troubleshooting

The Dynamic ACL Delivered by the RADIUS Server Does Not Take Effect

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that the dynamic ACL delivered by the RADIUS server does not take effect.

Common Causes

This fault is commonly caused by one of the following:
  • The HW-Data-Filter attribute is not configured on the RADIUS server.
  • The RADIUS server is not configured to dynamically deliver ACLs on the device.
  • The resource for dynamic traffic classifier-behavior pairs is insufficient.
  • The resource for rules is insufficient on the device.
  • Rules are incorrectly delivered.

Troubleshooting Flowchart

The troubleshooting roadmap is as follows:
  • Check whether the RADIUS server configuration on the ME60 is correct.
  • Check whether the HW-Data-Filter attribute is configured on the RADIUS server.
  • Check whether the RADIUS server is configured to dynamically deliver ACLs on the ME60.
  • Check whether the number of traffic classifier-behavior pairs dynamically delivered by the RADIUS server exceeds the specification supported by the ME60.
  • Check whether the number of rules exceeds the specification supported by the ME60.
  • Check whether rules are correctly delivered.

Figure 4-125 shows the troubleshooting flowchart.

Figure 4-125 Troubleshooting flowchart for the fault that the ACL delivered by the RADIUS server does not take effect

Troubleshooting Procedure

Context

NOTE:

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.

Procedure

  1. Check that the RADIUS server configuration on the ME60 is correct.

    Run the test-aaa user-name password radius-group group-name command to check whether the RADIUS server works properly.

    • If the RADIUS server does not work properly, reconfigure the RADIUS server based on the guide. For configuration details.
    • If the RADIUS server works properly, go to step 2.

  2. Check that the HW-Data-Filter attribute is configured on the RADIUS server.

    The RADIUS server can dynamically deliver ACLs only after the HW-Data-Filter attribute is configured on the RADIUS server.

    • If the HW-Data-Filter attribute is not configured on the RADIUS server, configure the HW-Data-Filter attribute on the RADIUS server.
    • If the HW-Data-Filter attribute is configured on the RADIUS server, go to step 3.

  3. Check that the RADIUS server is configured to dynamically deliver ACLs on the ME60.

    Run the display this command in the system view to check whether the remote-download acl enable command is configured.

    NOTE:

    If the traffic classifier carried in the HW-Data-Filter attribute contains the name of a user group that does not exist on the ME60, enable the RADIUS server to dynamically create user groups.

    • If the RADIUS server is not configured to dynamically deliver ACLs on the ME60, run the remote-download acl enable command in the AAA view to enable the RADIUS server to dynamically deliver ACLs. To enable the RADIUS server to dynamically create user groups, run the remote-download user-group enable command in the AAA view.
    • If the RADIUS server is configured to dynamically deliver ACLs on the ME60, go to step 4.

  4. Check that the number of traffic classifier-behavior pairs dynamically delivered by the RADIUS server does not exceed the specification supported by the ME60.

    Run the display aaa remote-download acl item command to check whether the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds the specification supported by the ME60, or run the display alarm active command to check whether a hwRemoteDownloadAclThresholdAlarm alarm is generated.

    NOTE:

    The ME60 supports a maximum number of 1024 traffic classifier-behavior pairs. If the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds 1024, subsequent pairs fail to be delivered.

    • If the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds 1024, run the recycle remote-download acl classifier command to reclaim the idle classifier-behavior pairs.
    • If the number of traffic classifier-behavior pairs delivered by the RADIUS server does not exceed 1024, go to step 5.

  5. Check that the number of rules does not exceed the specification supported by the ME60.

    Check whether a hwXQoSRuleFaileAlarm alarm is generated on the NMS.

    NOTE:

    A traffic classifier-behavior pair can contain multiple rules. If the number of rules, including those carried in the dynamically delivered traffic classifier-behavior pairs and those configured using commands, exceeds the specification supported by the ME60, subsequent rules cannot take effect.

    • If a hwXQoSRuleFaileAlarm alarm is generated, reclaim some rules.
    • If a hwXQoSRuleFaileAlarm alarm is not generated, go to step 6.

  6. Check that rules are correctly delivered in the traffic classifier-behavior pairs.

    Run the display aaa remote-download acl item verbose command to check detailed information about traffic classifier-behavior pairs and determine whether rules are correctly delivered.

    • If no rules are delivered or rules are incorrectly delivered, configure the RADIUS server to deliver correct rules in the HW-Data-Filter attribute of the RADIUS Access-Accept packets or CoA packets.
    • If rules are correct, go to step 7.

  7. Collect the following information and contact Huawei technical support personnel.

    • Results of the troubleshooting procedure
    • Configuration files, log files, and alarm files from the devices
    • Debugging information about the devices

Relevant Alarms and Logs

Relevant Alarms

None

Relevant Logs

None

Interconnection Fails Between the Device and the RADIUS Server

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that the interconnection fails between the device and the RADIUS server.

Common Causes

This fault is commonly caused by one of the following:

  • The share-key configured on the device is inconsistent with the share-key configured on the RADIUS server.
  • The physical network between the device and the RADIUS server fails.
  • The RADIUS server becomes faulty.
  • The user information sent by the device to the RADIUS server is incorrect, causing an authentication failure.
  • Network access server (NAS) records on the RADIUS server do not contain any information about the device.
  • The python script fails to process or incorrectly processes the packets. This applies only to V800R011C00 and later.

Troubleshooting Flowchart

If the user cannot get online after the RADIUS authentication policy and the RADIUS server group are configured in the domain view, run the display aaa offline-record command to check the item User offline reason.

The interconnection between the RADIUS server and the device fails if User offline reason is displayed as one of the following:

  • radius authentication reject
  • radius authentication request send fail

The troubleshooting roadmap is as follows:
  • If the failure cause is displayed as radius authentication request send fail, run the ping command to check the connectivity of the physical network between the device and the RADIUS server.
  • If the failure cause is displayed as radius authentication reject, check the reply message returned by the RADIUS server to determine the fault cause. Alternatively, run the test-aaa user-name password radius-group group-name [ chap | pap ] [ test-group test-group-name ] command with user access attributes to locate the server reject cause.

NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.

The troubleshooting flowchart is as follows:

Figure 4-126 Troubleshooting flowchart for the interconnection failure between the RADIUS server and the device (This applies only to V800R010C10 and earlier)

Figure 4-127 Troubleshooting flowchart for the interconnection failure between the RADIUS server and the device (This applies only to V800R011C00 and later)

Troubleshooting Procedure

Before performing the following steps, you can refer to Common Causes for Failing to Get Online and correct the fault according to prompts displayed by the device.

NOTE:
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

  1. If the user cannot get online, run the display aaa online-fail-record command to check the failure record about the user.

    • If the failure cause is displayed as radius authentication request send fail, go to step 2.
    • If the failure cause is displayed as radius authentication reject:
      • Go to step 2. (This applies only to V800R011C00 and later.)
      • Go to step 6. (This applies only to V800R010C10 and earlier.)
    • If the failure cause is neither of the two, refer to other sections in this manual to find the solution.

  2. Run the ping command to check the connectivity of the physical network between the device and the RADIUS server.

    • If the ping operation fails, check the physical network between the device and the RADIUS server. For details, refer to the HUAWEI ME60 Multiservice Control Gateway Troubleshooting - IP Forwarding and Routing.
    • If the ping operation succeeds, go to step 3.

  3. Check that the RADIUS server information configured on the device is correct.

    Run the display radius-server configuration [ group groupname ] command in the system view. Check whether the port number of the RADIUS authentication and accounting server configured in the RADIUS server group view on the device is the same as the port on which the RADIUS server actually listens, and whether the RADIUS server is Up.

    • If the RADIUS server is Up but the port number of the RADIUS server is incorrectly configured, run the radius-server group groupname command to enter the RADIUS group view, and then run the radius-server accounting ip-address port or radius-server authentication ip-address port command to modify the port number of the RADIUS server.
    • If the RADIUS server is Down, wait for a moment for the RADIUS server to automatically become Up before performing the preceding operations.

    If the user can get online, the fault is corrected; otherwise, go to step 4.

  4. Check that the RADIUS server is working properly.

    • If the RADIUS server is not working properly, contact engineers of the RADIUS server provider for a solution.
    • If the RADIUS server is working properly, go to step 5.

  5. Check the settings of the RADIUS server.

    Run the display this command on the device interface connecting the RADIUS server to check the NAS IP address of the device. Run the display radius-server configuration [ group groupname ] command in the system view to check the share-key of the device. Configure a share-key on the RADIUS server, and ensure that the share-key is consistent with the share-key configured on the device.

    If the user can get online, the fault is corrected; otherwise, go to step 6.

  6. Check that the python script successfully processes login request packets to be sent to the RADIUS server. This applies only to V800R011C00 and later.

    Run the access python-policy policy name command to enter the python policy template view. Then, run the display this command to check the python policy template configuration.

    • If the protocol radius packet process-fail passthrough command configuration is displayed, the python script will roll back packets to the state before they are processed upon packet processing failures. Go to Step 7.
    • If the protocol radius packet process-fail passthrough command configuration is not displayed, check whether the RADIUS server receives login request packets. If the RADIUS server receives login request packets, go to Step 7. Otherwise, contact Huawei technical support personnel.

  7. Run the display aaa online-fail-record command to check the reply message in the failure record.

    Determine the reason that the user's authentication request is denied by the RADIUS server according to the reply message returned by the RADIUS server.

    NOTE:
    A common user name error is that the user name configured on the RADIUS server is inconsistent with the user name sent by the device. For example, the user name configured on the device does not carry any domain name, but the user name sent by the device may carry a domain name. In that case, run the radius-server group groupname command to enter the RADIUS group view and then run the radius-server user-name { domain-included | original } command to set whether to carry a domain name in the user name. If you run the undo radius-server user-name domain-included command, the user name in a RADIUS packet will not include any domain name. If you run the radius-server user-name domain-included command, the user name will include a domain name. If you run the radius-server user-name original command, the original user name will be carried.

  8. Check that the user access information is correct.

    Run the trace command to view the access attributes in the user's RADIUS authentication packets, configure access attributes in RADIUS-test-group mode, and change the values of these access attributes. Then run the test-aaa user-name password RADIUS-group group-name [ chap | pap ] [ test-group test-group-name ] command to check whether the RADIUS authentication packets are authenticated by the RADIUS server to locate the fault cause.

    If the user can get online, the fault is corrected; otherwise:

    • Go to step 9. (This applies only to V800R011C00 and later.)
    • Go to step 8. (This applies only to V800R010C10 and earlier.)

  9. Check that the python script properly processes packets. This applies only to V800R011C00 and later.

    If the Python script fails to be executed, go to Step 10. Otherwise, go to Step 9.

    Run the access python-policy policy name command to enter the python policy template view. Then, run the protocol protocol-type packet process-fail passthrough command to configure the python script to roll back packets to the state before they are processed upon packet processing failures.

    Configure the RADIUS server that interworks with the BRAS to use only the attributes supported by the BRAS during interworking. Then, check whether user login succeeds.

    • If user login succeeds, obtain the specified script package from http://support.huawei.com.
    • If user login fails, go to Step 10.

  10. Collect the following information and contact Huawei technical support personnel.

    • Results of the preceding troubleshooting procedure
    • Configuration files, log files, and alarm files of the devices
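
How a share-key mismatch (the first common cause above, checked in step 5) shows up on the wire, as an added example that is not part of the Huawei guide: it implements the RFC 2865 PAP password hiding and Response Authenticator in Python for both the NAS and the server. The user name, password, keys and the fixed Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _xor_blocks(data, secret, req_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        out += result
        prev = result if hiding else block  # always chain on the ciphertext block
    return out


def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, req_auth, hiding=True)


def reveal_password(hidden, secret, req_auth):
    return _xor_blocks(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def build_request(ident, user, password, secret, req_auth):
    """NAS side: Access-Request carrying User-Name and a hidden User-Password."""
    attrs = b""
    hidden = hide_password(password, secret, req_auth)
    for attr_type, value in ((USER_NAME, user), (USER_PASSWORD, hidden)):
        attrs += bytes([attr_type, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break  # malformed attribute, stop parsing
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def server_reply(request, server_secret, user_db):
    """Server side: recover the password with the server's key, then sign the reply."""
    ident, req_auth = request[1], request[4:20]
    attrs = parse_attrs(request)
    clear = reveal_password(attrs[USER_PASSWORD], server_secret, req_auth)
    expected = user_db.get(attrs[USER_NAME])
    ok = expected is not None and hmac.compare_digest(expected, clear)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + server_secret).digest()


def response_is_authentic(response, req_auth, nas_secret):
    """NAS side: recompute the Response Authenticator with the NAS's own key."""
    digest = hashlib.md5(response[:4] + req_auth + response[20:] + nas_secret).digest()
    return hmac.compare_digest(response[4:20], digest)


def simulate(nas_secret, server_secret):
    req_auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    user_db = {b"user1@isp": b"Passw0rd-demo"}  # constructed account
    request = build_request(7, b"user1@isp", b"Passw0rd-demo", nas_secret, req_auth)
    response = server_reply(request, server_secret, user_db)
    return response[0], response_is_authentic(response, req_auth, nas_secret)


if __name__ == "__main__":
    print("matching keys:  ", simulate(b"same-key", b"same-key"))
    print("mismatched keys:", simulate(b"device-key", b"server-key"))
```

With different keys the server recovers a garbled password and rejects a correct credential, and its reply also fails the authenticator check on the NAS side, so compare the share-key on both ends before suspecting the user account.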

Relevant Alarms and Logs

Relevant Alarms

None.

Relevant Logs

None.

Flexible Interoperation of RADIUS Attributes Fails to Be Enabled

This section describes how to troubleshoot RADIUS attribute flexible interoperation faults. This applies only to V800R011C00 and later.

Common Causes

Common causes are as follows:
  • The script package file is not available.
  • The suffix of the script package file is not .zip.
  • The name of the script package is invalid.
  • The script package file is larger than the allowed maximum size (8 MB).
  • The CF card space on the slave MPU is insufficient.
  • Digital signature verification of the script package fails.
  • Hash value verification of the script package fails.
  • The script package version does not match the system software version.
  • In a scenario where a script package has been loaded on a device, the script files in the loaded script package are not included in the to-be-loaded script package.
  • The script package fails to be initialized.

Troubleshooting Flowchart

The troubleshooting roadmap is as follows:
  • Check that the script package to be loaded is available on the CF card of the master main control board.
  • Check that the suffix of the script package name is .zip.
  • Check that the script package name does not contain characters except letters, digits, and underscores (_), and that the length of the script package name does not exceed 64 characters (including .zip).
  • Check that the script package file is smaller than or equal to the allowed maximum size (8 MB).
  • Check that the CF card space on the slave main control board is sufficient. (The available space on the CF card must be greater than 60 MB.)
  • Check that files in the script package have not been modified.
  • Check that the script package version matches the system software version.
  • Check that the script files in the script package that has been loaded on the device are included in the to-be-loaded script package.

Figure 4-128 shows the troubleshooting flowchart.

Figure 4-128 Troubleshooting flowchart for the fault that flexible interoperation of RADIUS attributes fails to be enabled

Troubleshooting Procedure

Context

NOTE:

Save the results of each troubleshooting step. If the fault persists after following this procedure, Huawei will need these results for further troubleshooting.

Procedure

  1. Check that the script package to be loaded is available on the CF card of the master main control board on the ME60.

    Run the dir *.zip command to check whether the script package to be loaded is available on the CF card of the master main control board.

    • If the to-be-loaded script package is not available, upload it to the CF card of the master main control board.
    • If the to-be-loaded script package is available, go to Step 2.

  2. Check that the suffix of the script package name is .zip.

    Run the dir [ /all ] [ filename ] command to check whether the suffix of the script package name is .zip.

    • If the suffix is not .zip, obtain the specified script package from http://support.huawei.com or check whether the script package to be loaded is in the compressed format and change its suffix to .zip.
    • If the suffix is .zip, go to Step 3.

  3. Check that the script package name does not contain characters except letters, digits, and underscores (_), and that its length does not exceed 64 characters (including .zip).

    Run the dir *.zip command to check whether the script package name contains characters except letters, digits, and underscores (_), or whether its length exceeds 64 characters (including .zip).

    • If the script package name contains characters except letters, digits, and underscores (_) or its length exceeds 64 characters (including .zip), obtain the specified script package from http://support.huawei.com or change the name of the script package to be loaded to meet the requirement.
    • If the script package name does not contain characters except letters, digits, and underscores (_) and its length is less than or equal to 64 characters (including .zip), go to Step 4.

  4. Check that the script package file is smaller than or equal to the allowed maximum size (8 MB).

    Run the dir *.zip command to check whether the script package file is larger than the allowed maximum size (8 MB).

    • If the file is larger than the allowed maximum size, obtain the specified script package from http://support.huawei.com.
    • If the file is not larger than the allowed maximum size, go to Step 5.

  5. Check that the CF card space on the slave main control board is sufficient.

    Run the cd slave#cfcard command in the user view to enter the CF card of the slave main control board. Then, run the dir [ /all ] [ filename ] command to check whether the available space on the CF card of the slave main control board meets the requirement.

    • If the available space does not meet the requirement, delete unnecessary files from the CF card of the slave main control board to ensure that the remaining space is greater than 60 MB.
    • If the available space meets the requirement, go to Step 6.

  6. Check that digital signature verification succeeds when the script package is loaded.

    Run the access enable python extend script-package command to check whether the following message is displayed: "Error: The digital signature check of the python script package fails."

    • If the message is displayed, obtain the specified script package from http://support.huawei.com.
    • If the message is not displayed, go to Step 7.

  7. Check that the hash value check succeeds when the script package is loaded.

    Run the access enable python extend script-package command to check whether the following message is displayed: "Error: The hash value check of the python script package fails."

    • If the message is displayed, obtain the specified script package from http://support.huawei.com.
    • If the message is not displayed, go to Step 8.

  8. Check that the script package version matches the system software version.

    Run the access enable python extend script-package command to check whether the following message is displayed: "Error: The python script package version does not match the system software version."

    • If the message is displayed, obtain the specified script package from http://support.huawei.com.
    • If the message is not displayed, go to Step 9.

  9. Check that a script package has been loaded.

    Run the access enable python extend script-package command to check whether the following message is displayed: "Error:The script package does not contain referenced script files. Only the top 10 scripts are listed as follows."

    • If the message is displayed, run the display access python-script information command to check the name of the loaded script package. Compare the number and names of python script files in the loaded and to-be-loaded script packages. Check whether the package to be loaded includes all the python script files in the loaded script package. If not, obtain the specified script package from http://support.huawei.com.
    • If the message is not displayed, go to Step 10.

  10. Collect the following information and contact Huawei technical support:

    • Results of this troubleshooting procedure
    • Configuration, log, and alarm files
    • Device debugging information
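
The checks in steps 2 to 5 and step 9 do not need the device and can be run before the package is uploaded; the following Python pre-check is an added example, not Huawei tooling. It assumes that 8 MB and 60 MB are binary megabytes, that the script files are the .py members of the archive, and that the slave CF card free space is read from the dir output and passed in; the package and script names are constructed.

```python
import os
import re
import tempfile
import zipfile

MAX_NAME_LEN = 64                         # includes the ".zip" suffix
MAX_PACKAGE_BYTES = 8 * 1024 * 1024       # "8 MB", read as 8 MiB (assumption)
MIN_SLAVE_FREE_BYTES = 60 * 1024 * 1024   # free space must be greater than this
NAME_RE = re.compile(r"[A-Za-z0-9_]+\.zip")


def script_names(zip_path):
    """Base names of the .py members (the package layout is an assumption)."""
    with zipfile.ZipFile(zip_path) as zf:
        return {os.path.basename(n) for n in zf.namelist() if n.endswith(".py")}


def precheck(zip_path, loaded_scripts=(), slave_free_bytes=None):
    """Return (code, detail) findings; an empty list means all off-device checks pass."""
    name = os.path.basename(zip_path)
    if not os.path.isfile(zip_path):
        return [("NOT_FOUND", name)]
    findings = []
    if not name.endswith(".zip"):
        findings.append(("BAD_SUFFIX", name))
    elif not NAME_RE.fullmatch(name):
        findings.append(("BAD_NAME", "only letters, digits and underscores allowed"))
    if len(name) > MAX_NAME_LEN:
        findings.append(("NAME_TOO_LONG", f"{len(name)} > {MAX_NAME_LEN}"))
    size = os.path.getsize(zip_path)
    if size > MAX_PACKAGE_BYTES:
        findings.append(("TOO_LARGE", f"{size} bytes"))
    if slave_free_bytes is not None and slave_free_bytes <= MIN_SLAVE_FREE_BYTES:
        findings.append(("SLAVE_SPACE", f"{slave_free_bytes} bytes free"))
    if not zipfile.is_zipfile(zip_path):
        findings.append(("NOT_ZIP", "not a readable zip archive"))
        return findings
    # Step 9: every script of the already loaded package must be in the new one.
    missing = sorted(set(loaded_scripts) - script_names(zip_path))
    if missing:
        findings.append(("MISSING_SCRIPTS", ", ".join(missing)))
    return findings


def demo():
    """Run the pre-check on two constructed packages built in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        def make(name, members):
            path = os.path.join(tmp, name)
            with zipfile.ZipFile(path, "w") as zf:
                for member in members:
                    zf.writestr(member, "# constructed sample\n")
            return path

        good = make("radius_ext_v2.zip", ["attr_map.py", "coa_fix.py"])
        results["good"] = precheck(good, ["attr_map.py"], 200 * 2**20)
        # Hyphen and space in the name, one loaded script missing, slave card too full.
        bad = make("radius-ext v3.zip", ["coa_fix.py"])
        results["bad"] = precheck(bad, ["attr_map.py", "coa_fix.py"], 50 * 2**20)
        results["absent"] = precheck(os.path.join(tmp, "nothing.zip"))
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

Signature, hash and version verification (steps 6 to 8) are performed by the device when the access enable python extend script-package command runs and are not reproduced here.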

Relevant Alarms and Logs

Relevant Alarms

None

Relevant Logs

None

Updated: 2019-06-11

Document ID: EDOC1000175918
