No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

ME60 Troubleshooting Guide V1.0 (VRPv8)

This document provides the maintenance guide of the device, including daily maintenance, emergence maintenance, and typical troubleshooting.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
User Fails to Get Online Troubleshooting

User Fails to Get Online Troubleshooting

Method of Troubleshooting User Logout

Troubleshooting User Login and Logout Faults

Method of troubleshooting the fault that a user fails to get online

Run the display aaa online-fail-record command to check why a user fails to get online.

For example, assume that the user HUAWEI-100-07002000000100 fails to get online.

<HUAWEI> display aaa online-fail-record username HUAWEI-100-07002000000100@isp1 user-type bind
  -------------------------------------------------------------------
  User name              : HUAWEI-100-07002000000100@isp1
  Domain name            : isp1
  User MAC               : 00e0-fc12-3456
  User access type       : IPoE
  User access interface  : GigabitEthernet7/0/2.1
  Qinq Vlan/User Vlan    : 0/100
  User IP address        : 255.255.255.255
  User ID                : 14
  User authen state      : Authened
  User acct state        : AcctIdle
  User author state      : AuthorIdle
  User login time        : 2007/12/04 16:49:07
  User online fail reason: PPP with authentication fail
  -------------------------------------------------------------------
 Info: Are you sure to show some information?(y/n)[y]:n

Check the User Login and Logout Cause to find the reason of the login failure.

If the cause of the login failure cannot be found by using the preceding method, the link between the user and the access device may be faulty. In this case, troubleshoot the link on the network.

Method of Troubleshooting the Fault that a User Is Logged out Unexpectedly

Run the display aaa abnormal-offline-record and display aaa offline-record commands to check the logout reason.

User Login and Logout Cause

AAA access limit
Display

AAA access limit

Common Causes

The number of access users using the same account exceeds the upper limit.

Solution
  1. Run the display domain domain-name command and check the User-access-limit field in the output. Run the display access-user domain domain-name command to check the number of access users using the same account. If the number of access users using the same account exceeds the upper limit, run the access-limit max-number command in the AAA view to increase the maximum number of users allowed to access the network using the same account.

  2. Run the display local-user domain domain-name command and check the Access-limit field in the output. Run the display access-user domain domain-name command to check the number of local access users using the same account. If the number of local access users using the same account exceeds the upper limit, run the local-user user-name access-limit max-number command in the AAA view to increase the maximum number of local users allowed to access the network using the same account.
AAA cut command
Display

AAA cut command

Common Causes

The cut access-user command is run manually on the access device to log users out.

AAA send authen request fail

Message

AAA send authen request fail

Common Causes

No reachable routes exist between the user and RADIUS server.

Troubleshooting Procedure

Run the ping command or check the routing table to check whether there are reachable routes between the user and RADIUS server.

AAA with Authentication no response

Display

AAA with Authentication no response

Common Causes

When being authenticated by a remote or local server, a user does not receive any responses from the authentication server before the authentication timeout period expires.

Solution

Run the display this command in the AAA view and check the name of the RADIUS server group that is bound to the user domain. Run the display RADIUS-server configuration group group-name command and check the Authentication-server field in the output to obtain the IP address of the authentication server. Run the ping ip-address command to check whether the authentication server is reachable. If the ping fails, see The Ping Operation Fails for details on how to resolve the problem.

AAA with authorization data error
Display

AAA with authorization data error

Common Causes

The Remote Authentication Dial In User Service (RADIUS) server has delivered an incorrect attribute value or the access device has no corresponding RADIUS attributes. Therefore, adding user authorization information fails.

AAA with flow limit

Display

AAA with flow limit

Common Causes

The service traffic of a user reaches the upper limit.

Solution

Check whether the remaining traffic of the user on the accounting server is 0. If there is no remaining traffic, the user is logged out normally and no further action is required.

AAA with pool filled fail
Display

AAA with pool filled fail

Common Causes

Obtaining the address pool list fails.

Solution

Contact Huawei technical support personnel.

AAA with RADIUS decode fail
Display

AAA with RADIUS decode fail

Common Causes

The RADIUS server has delivered attributes in an incorrect format. As a result, parsing a RADIUS authentication response packet fails.

AAA with RADIUS server cut command
Display

AAA with RADIUS server cut command

Common Causes

The RADIUS server forces a user to log out.

AAA with realtime accounting fail
Display

AAA with realtime accounting fail

Common Causes

The IP address of the accounting server is unreachable, and therefore real-time accounting for a user fails.

Relevant Alarms and Logs

This log displays as "Failed to process the normal realtime accounting. (User=[STRING], AcctSessionID=[STRING])".

AAA with start accounting fail
Display

AAA with start accounting fail

Common Causes

The IP address of the accounting server is unreachable, and therefore starting accounting for a user fails.

Relevant Alarms and Logs

This log displays as "Failed to start the normal accounting. (User=[STRING], AcctSessionID=[STRING])".

AAA with stop accounting fail
Display

AAA with stop accounting fail

Common Causes

The IP address of the accounting server is unreachable, and therefore stopping accounting for a user fails.

Relevant Alarms and Logs

This log displays as "Failed to stop the normal accounting. (User=[STRING], AcctSessionID=[STRING])".

ACK packet contains an IP address not on user segment
Message

ACK packet contains an IP address not on user segment

Common Causes

The IP address carried in a response packet from the remote DHCP server was not on the same network segment with the gateway IP address of the BRAS. The IP address was not included in any address pool bound to the domain.

Troubleshooting Method
  1. Run the display this command in the domain view to check the name of the address pool bound to the domain in the ip-pool field.

  2. Run the ip pool pool-name command in the system view and the address pool view is displayed.
    NOTE:
    The name of the address pool specified by pool-name is that displayed in Step 1.
  3. Run the display this command in the address pool view to check whether the gateway IP address (gateway) of the address pool bound to the domain is on the same network segment with the IP address carried in the response packet from the remote DHCP server.

    • If the two IP addresses are on the same network segment, contact Huawei technical support engineers.
    • If the two IP addresses are not on the same network segment, go to Step 4.
  4. Run the gateway ip-address { mask | mask-length } command in the address pool view to configure a gateway IP address for the address pool.

    NOTE:
    The configured gateway IP address of the address pool and the IP address carried in the response packet from the DHCP server must be on the same network segment.
Alloc Tunnel ID Fail
Display

Alloc Tunnel ID Fail

Common Causes

The tunnel ID fails to be applied for.

Solution

Check that the number of tunnels on the board or device has exceeded the upper limit. Increase the number of boards or deploy users on another device.

AM with lease timeout
Display

AM with lease timeout

Common Causes

A user does not extend the IP address lease, or the link at the user side is faulty so that the packets for requesting extension of the IP address lease are lost. As a result, the IP address lease of the user expires.

AM with Renew lease timeout
Display

AM with Renew lease timeout

Common Causes

The access device cannot communicate with the DHCP server, and therefore a PPPoE user fails to apply for extension of the IP address lease to the DHCP server.

ARP with detect fail
Display

ARP with detect fail

Common Causes
  • The intermediate transmission device discards or modifies ARP probe packets.
  • Fibers or optical modules are not properly installed or a link fault occurs.
  • There are too many probe response packets, and therefore some are dropped.
Authenticate fail
Display

Authenticate fail

Common Causes

The user name or password used for authentication is incorrect.

Authentication method error
Display

Authentication method error

Common Causes

The requested authentication type is different from the authentication type configured on the interface from which the user gets online.

Author of IP address and ip-include conflict
Display

Author of IP address and ip-include conflict

Common Causes

The address pool in the dual-stack user domain is configured incorrectly.

Bas interface access limit
Display

Bas interface access limit

Common Causes
  • The number of online users on a BAS interface reaches the upper limit.
  • The number of online users on the physical interface for the BAS interface reaches the upper limit.
Procedure
  1. Check whether the number of online users on a BAS interface reaches the upper limit.

    Run the display bas-interface command to check Access limit configured for the BAS interface. Run the display access-user interface command to check the number of online users on the BAS interface.

    • If the number of online users reaches Access limit, run the access-limit command in the AAA domain view to set a larger access limit value.
    • If the number of online users does not reach Access limit, perform Step 2.
  2. Check whether the number of online users on the physical interface for the BAS interface reaches the upper limit.

    Run the display this command to check port-access-limit configured for the physical interface for the BAS interface. Run the display access-user interface command to check the number of online users on the physical interface for the BAS interface.

    • If the number of online users on the physical interface for the BAS interface reaches port-access-limit, run the port-access-limit command to set a larger port access limit value.
    • If the number of online users on the physical interface for the BAS interface does not reach port access limit, contact Huawei technical personnel.
Block domain force user to offline
Display

Block domain force user to offline

Common Causes

The timer for blocking a domain expires, and therefore the domain users are forced offline.

Cannot get all of authorized IP address
Display

Cannot get all of authorized IP address

Common Causes

When a PPPoE or L2TP user went online, two or all of the IPv4, DHCPv6, and PD addresses were assigned to the user in the domain or authorized to the user by a server. However, the client initiated the negotiation of only one or two of these addresses. After the timer expired, the user was logged out.

CHAP authentication of the Web user is denied
Display

CHAP authentication of the Web user is denied

Common Causes

A user who is not a web user is switched between the pre-authentication domain and the authentication domain.

Solution
  1. Run the display this command to check whether the BAS interface is bound to the pre-authentication and authentication domains. If no pre-authentication is configured, configure a pre-authentication domain and bind the pre-authentication and authentication domains to the BAS interface.
  2. Check that the user uses web authentication for login.
Chap response from lns doesn't pass authentication
Message

Chap response from lns doesn't pass authentication.

Common Causes

A tunnel password is not set for an L2TP group on a LAC. As a result, the AVP_CHALLENGE_RESPONSE attribute fails the check.

CM with AAA auth ack time out
Display

CM with AAA auth ack time out

Common Causes

No AAA authentication response is received before the due time.

Solution

Contact Huawei technical support personnel.

CM with AAA connect check fail
Display

CM with AAA connect check fail

Common Causes

Mappings between the UCM entries and AAA entries are incorrect.

Solution

Contact Huawei technical support personnel.

CM with AAA ipv6 update ack time out
Display

CM with AAA ipv6 update ack time out

Common Causes

Waiting for an IPv6 entry update response from the AAA module times out.

Solution

Contact Huawei technical support personnel.

CM with AAA logout ack time out
Display

CM with AAA logout ack time out

Common Causes

Waiting for an AAA logout response times out.

Solution

Contact Huawei technical support personnel.

CM with access limit

Message

CM with access limit

Common Causes

The number of online users exceeds the allowable maximum number.

Troubleshooting Procedure
  1. Run the display domain domain-name command to check whether the number of online users exceeds the maximum number configured in the domain or delivered by the RADIUS server.
  2. If the number of online users exceeds the maximum number, run the access-limit max-number command to reconfigure the allowable maximum number.
CM with Framed IP address invalid
Display

CM with Framed IP address invalid

Common Causes

The IP address assigned by the RADIUS server has already been assigned to another device, and therefore the IP address is invalid.

CM with Ifnet down
Message

CM with Ifnet down

Common Causes

The board or subcard for user login is reset or removed.

Troubleshooting Procedure
  1. Run the display interface interface-type interface-number command to check the interface's physical status (the GigabitEthernetX/X/X current state field) and link layer protocol status (the Line protocol current state field).

    • If both the physical status and link layer protocol status are Up, contact Huawei technical support personnel.
    • If only one or no status is Up, go to Step 2.
  2. If the reset command is run, wait for the board or subcard to restart. If the board or subcard is removed, reinstall it.

CM with Ifnet ipv6 protocol down
Display

CM with Ifnet ipv6 protocol down

Common Causes

IPv6 has been disabled on the access device or an access interface. As a result, IPv6 on the access interface goes Down, causing an IPv6 user to be logged out or fail to log in.

CM with IP address alloc fail
Display

CM with IP address alloc fail

Common Causes

The UCM module fails to obtain an IP address.

Solution

Contact Huawei technical support personnel.

CM with PPP ipv6 conn up time out

Message

CM with PPP ipv6 conn up time out

Common Causes

IPv6 access is configured in a domain, but users do not use IPv6 to go online.

Troubleshooting Procedure
  • If users do not use IPv6 to go online, delete the IPv6 access configuration from the domain.
CM with user blocked
Display

CM with user blocked

Common Causes

A BAS interface is blocked using the following command: block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]

Solution

Check whether the BAS interface is blocked.

  • Run the display bas-interface command in the user view and check whether Manager state is Block and whether Block PE VLAN/CE VLAN has a value in the command output.
    • If Manager state is Block, the BAS interface is blocked. Check whether you need to block the BAS interface. If you do not want to block it, run the undo block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ] command in the BAS interface view.
    • If Manager state is not Block, check whether Block PE VLAN/CE VLAN has a value.
      • If Block PE VLAN/CE VLAN has a value, a specified VLAN is blocked on the BAS interface. Check whether you need to block the VLAN on the BAS interface. If you do not want to block it, run the undo block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ] command in the BAS interface view.
      • If Block PE VLAN/CE VLAN does not have a value, contact Huawei technical support personnel.
Dhcp decline
Display

Dhcp decline

Common Causes

The DHCP client sends a DHCPDECLINE message to the DHCP server because it detects that the IP address it is assigned has already been assigned to another client.

Feature Type

IPoE (IP over Ethernet)

Relevant Alarms and Logs

IPCONFLICT

DHCP lease timeout
Message

DHCP lease timeout

Common Causes

A DHCP user does not extend the IP address lease, or the user-side link fails. As a result, renewal messages are lost.

Troubleshooting Procedure
  1. Check whether renewal messages are correctly sent by the client.

  2. Troubleshoot the user-side link failure.

  3. Run the lease days [ hours [ minutes ] ] command in the IP address pool view to modify the DHCP user IP address lease.

Dhcp release
Display

Dhcp release

Common Causes

The UCM module instructs the AM module to reclaim an IP address that has been assigned by the remote DHCP server.

Feature Type

IPoE

Solution

Contact Huawei technical support personnel.

DHCP receive discover from a working user
Message

DHCP receive discover from a working user

Common Causes

A device has received Discover messages from online IPv4 users but does not have DHCPv4 message transparent transmission enabled.

Troubleshooting Procedure
  1. Run the display this command in the system view to check whether DHCPv4 message transparent transmission is enabled (whether undo dhcp through-packet is displayed in the command output).

    • If the undo dhcp through-packet command is not displayed, contact Huawei technical support personnel.
    • If the undo dhcp through-packet command is displayed, go to Step 2.
  2. Run the dhcp through-packet command in the system view to enable DHCPv4 message transparent transmission.

Dhcp repeat packet
Display

Dhcp repeat packet

Common Causes

An online user sends DHCPDISCOVER packets again. As a result, the DHCP server considers the user offline and logs out the user.

Feature Type

IPoE

DHCP server allocated a delayed state address in the RUI-slave address pool

Prompt Message

DHCP server allocated a delayed state address in the RUI-slave address pool

This applies only to V800R011C00 and later.

Common Causes

Delayed IP address release is enabled for an address pool. When a user goes offline, the RBS link is faulty. As a result, the IP address on the backup device fails to be released in time.

Troubleshooting Method

No action is required. Enable the user to go online again after IP address is released upon expiry of the delay.

Dhcp server speed limit
Message

Dhcp server speed limit

Common Causes

The rate at which a DHCPv4 server sends messages exceeds the configured speed limit.

Troubleshooting Procedure
  1. Run the display dhcp-server item ip-address command to check the speed limit (Speed Limit field) of a DHCPv4 server.

    • If the speed limit does not need to be adjusted, contact Huawei technical support personnel.
    • If the speed limit needs to be adjusted, go to Step 2.
  2. Run the dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packet-number time command in the system view to reconfigure a speed limit at which a DHCPv4 server sends messages.

DHCP wait client packet timeout

Display

DHCP wait client packet timeout

Common Causes

The fault that Dynamic Host Configuration Protocol(DHCP) packets from a user are lost is commonly caused by one of the following:

  • Incorrect link bandwidth is configured.
  • A link is interrupted or the link delay is too long.
  • Some fields in packets cannot be identified by a transit device, causing packet loss.
Feature Type

IPoE

Solution

Troubleshoot the fault based on the actual networking and service requirements.

NOTE:
If DHCP snooping or broadcast suppression is configured on a transit device, DHCP packets may be dropped mistakenly by the transit device.
DHCP with IP address conflict
Display

DHCP with IP address conflict

Common Causes

An IP address conflict was detected.

Feature Type

IPoE

Solution

Contact Huawei technical support personnel.

Dhcp with MTU limit

Display

Dhcp with MTU limit

Common Causes

The MTU value configured on an interface is too small, and therefore the interface cannot send DHCP packets.

Feature Type

IPoE

DHCP with server nak
Display

DHCP with server nak

Common Causes

Multiple DHCP servers are deployed on the network. The IP address that a client obtains is assigned by a DHCP server but not the access device, and therefore the IP address is not within the assignable IP address segment of the access device.

Feature Type

IPoE

DHCP with server no response
Display

DHCP with server no response

Common Causes

When applying for an IP address to the remote server, the access device receives no response from the server. The fault is commonly caused by one of the following:

  • The remote server has no route to the access device.
  • The remote server has no assignable IP address.
  • The remote server fails to receive DHCPREQUEST packets from the access device due to a link fault.
Feature Type

IPoE

Relevant Alarms and Logs

None

DHCPV6 client decline
Message

DHCPV6 client decline

Common Causes

The DHCPv6 client sends a Decline message to the DHCPv6 server because the client detects that the IP address it is assigned has already been assigned to another client.

NOTE:
To check whether the IPv6 prefix pool contains a conflicting prefix address, run the display ipv6 prefix prefix-name used command. If Status is displayed as conflict, a conflict occurs.
Troubleshooting Procedure
  1. Allow the user to go online again.

  2. If the user still cannot log in, no available addresses exist in the IPv6 address pool. Run the display ipv6 pool pool-name command to check the name of the IPv6 prefix pool bound to the IPv6 address pool and run the prefix prefix-address/prefix-length command in the IPv6 prefix pool view to

    reconfigure an IPv6 address prefix.
DHCPV6 client release
Display

DHCPV6 client release

Common Causes

A Dynamic Host Configuration Protocol for IPv6 (DHCPv6) client sends a DHCP Release packet to release its IP address.

This message is displayed when users go offline in the following scenarios:

  • A PPPoE/LNS dual-stack user is configured to get offline when either of the user's IP addresses is released. The client sends a DHCP Release packet to release its IPv6 address.
  • A DHCPv6 client is an IPv6 user, and the DHCPv6 client sends a DHCP Release packet to release its IP address.
  • An IPv4/IPv6 dual-stack user uses DHCPv6 to apply for its IPv6 address. When the user goes offline, its IPv4 address is released first, and the client sends a DHCP Release packet to release its IPv6 address.
DHCPV6 ip alloc fail
Display

DHCPV6 ip alloc fail

Common Causes
  • No IPv6 address pool is configured in the AAA domain.

  • The IPv6 address pool is locked.

Procedure
  1. Run the display this command in the AAA view to check domain configurations. If no IPv6 address pool is configured, configure one. If an IPv6 address pool exists, go to Step 2.
  2. Run the display this command in the IPv6 address pool view to check whether the IPv6 address pool has the lock command configuration. If this command configuration exists, run the undo lock command to delete the configuration.
DHCPV6 lease expired
Message

DHCPV6 lease expired

Common Causes

A DHCPv6 user does not extend the IP address lease, or the user-side link fails. As a result, renewal messages are lost.

Troubleshooting Procedure
  1. Check whether renewal messages are correctly sent by the client.

  2. Troubleshoot the user-side link failure.

  3. Run the lifetime preferred-lifetime { days days-value [ hours hours-value [ minutes minutes-value ] ] | infinite } valid-lifetime { days days-value [ hours hours-value [ minutes minutes-value ] ] | infinite } command in the IPv6 prefix pool view to modify the IPv6 prefix lease.

DHCPV6 packet speed limit
Message

DHCPV6 packet speed limit

Common Causes

The rate at which a DHCPv6 server sends messages exceeds the configured speed limit.

Troubleshooting Procedure
  1. Run the displaydhcpv6-server item ipv6-address command to check the speed limit (Speed Limit field) of a DHCPv6 server.

    • If the speed limit does not need to be adjusted, contact Huawei technical support personnel.
    • If the speed limit needs to be adjusted, go to Step 2.
  2. Run the dhcpv6-server ipv6-address [ vpn-instance vpn-instance ] send-solicit-speed packet-number time command in the system view to reconfigure a speed limit at which a DHCPv6 server sends messages.

DHCPV6 repeat solicit
Message

DHCPV6 repeat solicit

Common Causes

A device has received Solicit messages from online IPv6 users but does not have DHCPv6 message transparent transmission enabled.

Troubleshooting Procedure
  1. Run the display this command in the system view to check whether DHCPv4 message transparent transmission is enabled (whether undo dhcpv6 through-packet is displayed in the command output).

    • If the undo dhcpv6 through-packet command is not displayed, contact Huawei technical support personnel.
    • If the undo dhcpv6 through-packet command is displayed, go to Step 2.
  2. Run the dhcpv6 through-packet command in the system view to enable DHCPv6 message transparent transmission.

DHCPV6 wait client timeout
Message

DHCPV6 wait client timeout

Common Causes

Common causes are as follows:

  • A DHCPv6 client does not receive the Advertise message from a DHCPv6 server.
  • A DHCPv6 client fails to process the Advertise message from a DHCPv6 server.
  • The link between a DHCPv6 client and server fails. As a result, the Request message from the DHCPv6 client is lost.
Troubleshooting Procedure

Contact Huawei technical support personnel.

DHCPV6 wait server timeout
Message

DHCPV6 wait server timeout

Common Causes

The link between a device and DHCPv6 server fails, or the DHCPv6 server goes Down.

Troubleshooting Procedure
  1. Check whether the DHCPv6 server can be pinged.

    • If the ping fails, check whether the link fails. If the link fails, troubleshoot the link failure.
    • If the ping succeeds, the physical link is working properly. Then go to Step 2.
  2. Run the display dhcpv6-server item ipv6-address command to check whether the DHCPv6 server is Up.

    • If the DHCPv6 server is not Up, troubleshoot the DHCPv6 server Down failure.
    • If the DHCPv6 server is Up, contact Huawei technical support personnel.
Failed to acquire a valid user name template

Prompt Message

Failed to acquire a valid user name template

This applies only to V800R011C00 and later.

Common Causes

The device fails to obtain a user name template from the authentication information during user login.

Troubleshooting Method

Check whether a user name template is bound to the user access interface. If no user name template is bzu, bind a user name template to the user access interface.

Fill HQOS to ucm fail

Message

Fill HQOS to ucm fail

Common Causes

The RADIUS-delivered QoS profile is not configured on the local device.

Troubleshooting Procedure
  1. Run the display qos-profile configuration command to check whether a RADIUS-delivered QoS profile is configured on the local device. By default, the device automatically convert all QoS profile names to lowercase.
  2. Perform either of the following operations:
    1. If the RADIUS-delivered QoS profile is not configured on the local device, run the radius-attribute qos-profile no-exist-policy online command in the RADIUS server group view to allow users to keep online.
    2. If the RADIUS-delivered QoS profile is configured on the local device but is automatically changed to lowercase, the device fails to fill the HQoS parameter with the originally delivered uppercase profile name. When this problem occurs, run the radius-attribute case-sensitive qos-profile-name command in the RADIUS server group view to allow the device to support case-sensitive QoS profiles.
Framing capability is invalid from LNS SCCRP
Message

Framing capability is invalid from LNS SCCRP

Common Causes

The AVP_FRAMING_CAP attribute in a packet delivered by a tunnel peer fails the check during tunnel or session setup.

Gateway different from former
Display

Gateway different from former

Common Causes

A user obtains an incorrect IP address, or the address pool configured on the access device has been modified. As a result, when the user sends ARP packets for getting online, the IP address that the user uses is not within the address pool.

Get L2TP group fail from host name when processing SCCRQ
Display

Get L2TP group fail from host name when processing SCCRQ

Common Causes

The L2TP group fails to be obtained based on the host name carried in an SCCRQ packet.

Solution

Check LNS configurations so that the host name carried in an SCCRQ packet can correctly match the L2TP group.

Idle cut

Display

Idle cut

Common Causes

The traffic volume of a user in the specific period of time is smaller than the set minimum traffic volume of the BRAS, and therefore the user is forced offline.

Solution

Run the idle-cut idle-time idle-data command in the AAA domain view to change the idle time of cutting a connection.

NOTE:
  • For Layer 2 DHCPv4 and DHCPv6 users whose IP addresses are not assigned by the BRAS (for example, they are assigned by a remote DHCP server), configuring idle-cut is not recommended. If idle-cut is configured and the users are logged out, the DHCP server will reclaim the IP addresses so that the users can no longer be triggered to go online.

  • For Layer 2 DHCPv4 and DHCPv6 users whose IP addresses are assigned by the BRAS, idle-cut can be configured.
    • If Layer 2 DHCPv4 users are logged out and need to be triggered to go online again, they must send ARP or IP packets to go online. Some STBs cannot send ARP packets to go online. You can run the arp-trigger command in the BAS interface view to enable users to send ARP packets to go online or run the ip-trigger command in the BAS interface view to enable users to send IP packets to go online. By default, the device does not allow users to send ARP or IP packets to go online. In addition, IP address reservation based on leases or MAC addresses must be configured using the reserved ip-address { lease | mac } command in the IP address pool view of the BRAS. If this function is not configured, the IP addresses used by users to go online may be allocated to other users, so that the users will fail to go online again.

    • If Layer 2 DHCPv6 users are logged out and need to be triggered to go online again, they must send NS/NA or IPv6 packets to go online. You can run the nd-trigger command in the BAS interface view to enable users to send NS/NA packets to go online or run the ipv6-trigger command in the BAS interface view to enable users to send IPv6 packets to go online. By default, the device does not allow users to send NS/NA or IPv6 packets to go online. In addition, IPv6 address reservation based on DUIDs or MAC addresses must be configured using the reserved ipv6-address { duid | mac } [ lease ] command in the IPv6 prefix pool view of the BRAS. If PD prefixes must be allocated, you must also run the reserved prefix { duid | mac } [ lease ] command in the IP prefix pool view to configure prefix reservation. If these functions are not configured, the IPv6 addresses and prefixes used by users to go online may be allocated to other users, so that the users will fail to go online again.

  • Do not configure idle-cut for Layer 3 DHCPv4 and DHCPv6 users because they cannot be triggered to go online.

  • Idle-cut cannot be configured or leased lines or leased line users.

  • Idle-cut takes effect only for users who go online after idle-cut is configured.

Idle timeout
Message

Idle timeout

Common Causes

The idle-cut function is configured, and the user traffic idle time exceeds the configured value.

Troubleshooting Procedure
  1. Run the display domain domain-name command to check the configured idle-cut time (Idle-data-attribute(time,flow) field).

  2. If the configured idle-cut time needs to be modified, run the idle-cut idle-time { idle-data | zero-rate } [ inbound | outbound ] command in the AAA domain view.

Invalid tunnel id from LNS SCCRP
Message

Invalid tunnel id from LNS SCCRP

Common Causes

The AVP_ASSIGNED_TUNNEL_ID attribute carried in a packet delivered by a tunnel peer fails the check during tunnel or session setup.

Interface delete
Display

Interface delete

Common Causes

The interface from which a user gets online is deleted.

Interface down
Display

Interface down

Common Causes

The shutdown command is run on the interface from which a user gets online, or the physical link of the interface is faulty. As a result, the user is offline.

Interface on Master down
Display

Interface on Master down

Common Causes

The shutdown command is run on the interface from which a user gets online, or the physical link of the interface is faulty. In addition, a master/slave MPU switchover is performed when the user is logged out.

IP alloc fail for trigger user
Display

IP alloc fail for trigger user

Common Causes

The IP address that a user applies for has been assigned to another user, and therefore the IP address fails to be assigned to the user.

IP address conflict
Display

IP address conflict

Common Causes

The IP address assigned by the RADIUS server to a user has already been used.

Procedure

Re-plan an IP address for this user on the RADIUS server.

IPv6 address conflicts too much times
Display

IPv6 address conflicts too much times

Common Causes

There are attack devices on the network, causing more than three address conflicts.

LAM access type is no match

Message

LAM access type is no match

Common Causes

The login user type and locally configured user type do not match.

Troubleshooting Procedure
  1. Run the display local-user username user-name command to check whether the configured user type (the Service-type value) is the same as the login user type.
  2. If the user types are not the same, run the local-user user-name service-type { ftp | ppp | ssh | telnet | terminal | mml | qx } * command to set the local user type to be the same as the login user type.
LAM authentication fail

Message

LAM authentication fail

Common Causes

The local authentication password is incorrect.

Troubleshooting Procedure
NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
  1. Run the display local-user username user-name command to check whether the local user's password (the Password value) is the same as the login password.
  2. If the local user's password is not same as the login password, run the undo local-useruser-name command to delete the local user and run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to recreate a local user and password.
LAM user does not exist

Message

LAM user does not exist

Common Causes

The local user does not exist.

Troubleshooting Procedure
NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
  1. Run the display local-user command to check whether the local user exists.
  2. If no such local user exists, run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to create such a local user.
LAM user state is block

Message

LAM user state is block

Common Causes

The number of times that incorrect passwords are entered exceeds the threshold.

Troubleshooting Procedure
  1. Run the display local-user username user-name command to check whether the local user is blocked.
  2. If the local user is blocked, the user will automatically be unblocked after the interval specified by the local-user user-name state block fail-times interval interval command expires. Alternatively, run the local-user user-name state active command to manually unblock the user.
layer3-subscriber does not support pd user
Display

layer3-subscriber does not support pd user

Common Causes

DHCPv6 Prefix Delegation is used by Layer 3 users for login.

Solution

Connect Layer 3 users to the network using NA or ND.

L2TP alloc tunnelid fail
Message

L2TP alloc tunnelid fail

Common Causes

The number of used tunnels exceeds the specification, and no idle tunnel IDs are available for allocation. As a result, an L2TP tunnel fails to be set up.

LNS tunnel name doesn't match LAC remote-name
Message

LNS tunnel name doesn't match LAC remote-name.

Common Causes

Strict tunnel check is configured for an L2TP group on a LAC, and the tunnel name in the packets delivered by an LNS is different from the remote name configured on the LAC. As a result, a tunnel fails to be set up.

L2TP NOT Enable or No L2TP License when processing SCCRQ
Display

L2TP NOT Enable or No L2TP License when processing SCCRQ

Common Causes

The L2TP license file is absent or not activated when SCCRQ packets are received.

Solution
  • Enable the L2TP function.
  • Purchase and activate the L2TP license file.
L2TP NOT Enable or No L2TP License when processing ICRQ
Display

L2TP NOT Enable or No L2TP License when processing ICRQ

Common Causes

The L2TP license file is absent or not activated when SCCRQ packets are received.

Solution
  • Enable the L2TP function.
  • Purchase and activate the L2TP license file.
L2TP Tunnel password error
Message

L2TP Tunnel password error

Common Causes

The tunnel password configured for an L2TP group is different from that carried in a packet delivered by an LNS. As a result, the AVP_CHALLENGE_RESPONSE attribute fails the check.

Local authen reject

Message

Local authen reject

Common Causes

The login password is incorrect.

Troubleshooting Procedure
NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
  1. Run the display local-user username user-name command to check the user password.
    • If the password is a simple password, re-log in with the password.
    • If the password is in ciphertext, run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to reconfigure a password.
local no this user

Message

local no this user

Common Causes

The local user is not configured on the device.

Troubleshooting Procedure
NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
  1. Run the display local-user command to check all local users.
  2. If no such local user exists, run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to create such a local user.
Mac-user ppp-preferred
Display

Mac-user ppp-preferred

Common Causes

PPP take precedence over DHCP when users attempt to get online from the access device. Therefore, when a user uses PPP to get online after getting online using DHCP, it is logged out as a DHCP user.

ND Detect Fail
Message

ND Detect Fail

Common Causes

Common causes are as follows:

  • A client does not reply to ND packets.
  • The link between a client and server fails. As a result, the reply packets from the client are lost.
Troubleshooting Procedure

Contact Huawei technical support personnel.

ND Repeat Request
Message

ND Repeat Request

Common Causes

A device receives an online user's ND login request.

Troubleshooting Procedure
  1. Check whether the user has roamed.

    • If the user has not roamed, the ND login request may be an attack. Contact Huawei technical support personnel to resolve this problem.
    • If the user has roamed, go to Step 2.
  2. Run the display access-user mac-address mac-address command to check whether there is information about the online ND user.

    • If there is information, the roaming user has re-logged in, and no action is required.
    • If there is no information, go to Step 3.
  3. Run the dhcp session-mismatch action offline command in the BAS interface view to enable the interface to log out the online user when the user resends DHCP or ND login requests.

Netmask assigned by RDS error (Value invalid)
Display

Netmask assigned by RDS error (Value invalid)

Common Causes

The RADIUS server mistakenly delivers the IP address of the access device to a PPPoE user.

No available prefix for conflicts of the interface id specified by RADIUS
Display

No available prefix for conflicts of the interface id specified by RADIUS

Common Causes

The IPv6 address (consisting of an interface ID delivered by the RADIUS server and an IP address prefix) has been assigned to another user.

Solution

Contact Huawei technical support personnel.

No IPv6 address available
Display

No IPv6 address available

Common Causes

No IP address can be assigned.

Solution

Contact Huawei technical support personnel.

No prefix available
Display

No prefix available

Common Causes

No IP address prefix can be assigned.

Solution

Contact Huawei technical support personnel.

No response of control packet from peer
Display

No response of control packet from peer

Common Causes

The remote end fails to respond to all protocol packets along the L2TP tunnel. And then the tunnel goes Down. The problem may be caused by a link failure, performance fault of the remote end, or packet loss due to the CAR on the ME60.

Feature Type

L2TP

Not bind IPv6 pool or ip alloc fail

Message

Not bind IPv6 pool or ip alloc fail

Common Causes

No IPv6 address pools are configured in the domain, or the DHCPv6 server fails to assign IPv6 addresses.

Troubleshooting Procedure
  1. Run the display domain domain-name command to check whether IPv6 address pools (the IPv6-Pool-name value) are configured in the domain.
  2. If no IPv6 address pools are configured, run the ipv6-pool pool-name command in the domain view to configure an IPv6 address pool.
  3. If the DHCPv6 server fails to assign IPv6 addresses, reapply for addresses.
Online user number exceed GTL license limit
Display

Online user number exceed GTL license limit

Common Causes

The number of online users exceeds the limit allowed by the GTL license.

Relevant Alarms and Logs

This log displays as "The number of users exceeded the limit allowed by the GTL license."

Over limit of users and NOT EAP USER
Display

Over limit of users and NOT EAP USER

Common Causes

DHCPv6 users who request to go online using IPoE and not using EAP authentication are denied from accessing the network when the number of online DHCPv6 users on the board exceeds the upper limit.

Solution
  1. Implement 802.1X authentication for EAP users.
  2. Deny access of DHCPv6 users if the number of online DHCPv6 users on the board exceeds the upper limit.
Packet Authenticator Error
Display

Packet Authenticator Error

Fault Symptom

In Web authentication mode, a user fails to be authenticated.

Common Causes
  • The key in an authentication packet sent by the portal server is different from the key calculated by the HUAWEI ME60.
Procedure

Check whether the key configured on the HUAWEI ME60 is the same as that configured on the portal server.

  • If the keys are different, run the web-auth-server server-ip [ vpn-instance instance-name ] [ port portnum [ all ] ] [ key key ] [ NAS-ip-address ] command to change the key to the same as that on the portal server.
  • If the keys are the same, check whether the user can be authenticated successfully. If the authentication is successful, no action is required.

If the authentication failure persists, contact Huawei technical support personnel.

Portswitch preprocess fail for reach interface ip-stack access limit

Prompt Message

Portswitch preprocess fail for reach interface ip-stack access limit

This applies only to V800R011C00 and later.

Common Causes

The number of users on the roaming destination interface exceeds the upper limit.

Troubleshooting Method

Properly plan the number of users on each interface.

PPP negotiate fail

Display

PPP negotiate fail

Common Causes

PPP negotiation is interrupted.

Solution

Mirror on the interface from which the user gets online. Check PPP packets, and locate the fault based on interaction packets.

NOTE:
  • If the user sends the same type of PPP negotiation packet many times, check whether the access device supports this type of PPP negotiation.
  • Check the type and content of the negotiation packet that the user sends before the LCP or PPPoE termination packet to confirm whether the access device supports this type of PPP negotiation.
PPP up recv lcp again
Display

PPP up recv lcp again

Common Causes

A user tears down and re-initiates a connection, and therefore the access device receives LCP negotiation packets.

Feature Type

PPP

PPP user request
Display

PPP user request

Common Causes

A PPP user sends a logout request.

Feature Type

PPP

PPP with authentication fail

Display

PPP with authentication fail

Common Causes
  • Too many users attempt to get online in a specified period of time.
  • The CPU usage is too high (remaining above than 95%).
Feature Type

PPP

Solution

Run the display this command in the AAA view to check whether the access speed command has been configured. If the access speed command has been configured, check whether the user access rate exceeds the upper limit.

Run the display cpu-usage command to check the CPU usage. If the CPU usage remains above than 95%, locate and resolve this problem.

PPP with echo fail

Display

PPP with echo fail

Common Causes
  • The intermediate transmission device discards or modifies probe packets.
  • Fibers or optical modules are improperly installed or a link fault occurs.
Solution

Run the display aaa offline-record command to check the user login time and logout time.

Run the display this command in the virtual template (VT) view to check the interval at which PPP Keepalive packets are sent.

  • If the difference between the user login time and logout time is equal to the interval, user packets are properly transmitted but no response to KeepAlive packets is received. Get packets head on the downstream device to check where the response packets are discarded and rectify the fault.

  • If the difference between the user login time and logout time is unequal to the interval, KeepAlive packets can be received and there are responses to KeepAlive packets. In this situation, check whether the user functions properly and rectify any detected fault.

Prefix conflict with same option
Prompt Message

Prefix conflict with same option

This applies only to V800R010C10 and later.

Common Causes

In a dual-device hot backup scenario, when information about the first user in a family is backed up to the backup device, the system detects that another user in the family is already online with a prefix different from that assigned to the first user in the family. As a result, the backup device notifies the host to go offline.

Troubleshooting Method

Check whether an RBS switchover is performed and whether another user in the family goes online from the new master device with a different prefix assigned earlier than the user whose information is backed up on the backup device when the switchover is being performed.

  • If so, no action is required.
  • If not, contact Huawei technical support personnel.
Prefix conflict with different option
Prompt Message

Prefix conflict with different option

This applies only to V800R010C10 and later.

Common Causes

In a dual-device hot backup scenario, when information about the first user in a family is backed up to the backup device, no information about other users in the family exists on the backup device. However, the same prefix has been assigned to an online user in a different family. As a result, the backup device notifies the host to go offline.

Troubleshooting Method

Check whether an RBS switchover is performed and whether the prefix assigned to the first user in a family has been assigned to a user in another family who goes online earlier than the first user when the switchover is being performed.

  • If so, no action is required.
  • If not, contact Huawei technical support personnel.
RADIUS alloc incorrect IP
Display

RADIUS alloc incorrect IP

Common Causes

The address pool containing the IP address that the RADIUS server assigns to an IPoE user cannot be found on the access device.

Radius authorize invalid vlan
Prompt Message

Radius authorize invalid vlan

This applies only to V800R010C10 and later.

Common Causes

The VLAN attribute delivered by the RADIUS server is incorrect.

Troubleshooting Method
The requirements for the RADIUS server to deliver the VLAN attribute are as follows:
  1. The Tunnel-Type (64), Tunnel-Medium-Type (65), and Tunnel-Private-Group-ID (81) attributes must be delivered at the same time.
  2. The values of the Tunnel-Type (64) and Tunnel-Private-Group-ID (81) attributes must be 13 and 6, respectively. The Tunnel-Private-Group-ID (81) attribute must carry a specific VLAN ID with a value ranging from 1 to 4094.

Therefore, you need to run the debugging radius packet command to enable debugging of RADIUS packets. After the user goes online again, find the error in the VLAN attribute of RADIUS packets and inform related personnel on the RADIUS server side to correct the error.

RADIUS authentication reject

Message

RADIUS authentication reject

Common Causes

The user name or password is different from that on the RADISU server.

Troubleshooting Procedure

Check whether the login user name or password and that on the RADIUS server are the same. If not the same, change them to be the same and reapply for login.

Radius client request
Message

Radius client request

Common Cause

The AC sends a request to the RADIUS server to log out the user.

RADIUS decode packet fail

Message

RADIUS decode packet fail

Common Causes

The device-delivered RADIUS attribute or format is different from that defined in the RADIUS attribute document.

Troubleshooting Procedure
  1. Run the debugging radius packet command to enable the debugging on RADIUS packets and check the device-delivered RADIUS attribute or format.
  2. Contact Huawei technical support personnel to check whether the device-delivered RADIUS attribute or format is the same as that defined in the RADIUS attribute document. If not the same, contact Huawei technical support personnel for modification.
Receive window size is invalid from LNS SCCRP
Message

Receive window size is invalid from LNS SCCRP

Common Causes

The AVP_RECEIVE_WINDOW_SIZE attribute in a packet delivered by a tunnel peer fails the check during tunnel or session setup.

Receive unsupport AVP from LNS
Message

Receive unsupport AVP from LNS

Common Causes

Unknown AVP attributes are received from an LNS during tunnel or session setup.

Relay Forward have no valid linkaddress
Display

Relay Forward have no valid link-address

Common Causes

No valid link address is carried in the relay head of a packet.

Solution

Check that a valid link address with all 0s is carried in the Layer 3 relay header.

Renew timeout in shortlease
Display

Renew timeout in shortlease

Common Causes

A user does not extend the short lease of an IP address, or the link at the user side is faulty so that the packets for requesting the extension of the short lease are lost. As a result, the short lease of the IP address expires.

Sending RADIUS packets failed due to speed-limit
Display

Sending RADIUS packets failed due to speed-limit

Common Causes

The user access rate exceeded the threshold.

Procedure
  1. Check the CPU usage of the ME device and neighboring NEs, such as the RADIUS server and DHCP server. If their CPU usage is high, the user access rate limit is proper. Adjusting the user access rate is not recommended.
  2. Check the performance of the ME device and neighboring NEs. If their performance is adequate for higher user access rate, run the access-speed command in the AAA view to set a higher user access rate.
Session time out
Display

Session time out

Common Causes

A user has no remaining online time.

Session timeout
Message

Session timeout

Common Causes

The duration quota that a RADIUS delivers to a user is exhausted.

Troubleshooting Procedure

After the user's duration quota is exhausted, if the user needs to re-log in, the user must renew the fee or apply for a new duration quota.

Srvcfg cut command
Display

Srvcfg cut command

Common Causes

A command is run to delete leased-line users.

SRVCFG failed to process
Display

SRVCFG failed to process

Common Causes

The access device fails to select a user authentication type.

Solution

Contact Huawei technical support personnel.

The domain does not bind IPv6 pool
Display

The domain does not bind IPv6 pool

Common Causes

No IPv6 address pool is bound to a user domain, and therefore IPv6 users in the domain cannot get online.

The domain has not binded ip-pool or ipv6-pool
Display

The domain has not binded ip-pool or ipv6-pool.

Common Causes

No address pool is bound to a user domain, and therefore users in the domain cannot get online.

The number of L2NAT users exceeds limit

Prompt Message

The number of L2NAT users exceeds limit

This applies only to V800R011C00 and later.

Common Causes

The number of L2 NAT users reaches the upper limit.

Troubleshooting Method

Expand device capacity and allow new users to go online from another device.

The RADIUS server does not reply with Authentication ACK messages
Display

The RADIUS server does not reply with Authentication ACK messages

Common Causes
  • The RADIUS server fails.
  • The RADIUS server is unreachable to the ME device at the IP layer, which may be caused by an intermediate device failure.
Procedure
  1. Run the ping command to check whether the RADIUS server is reachable to the ME device at the IP layer. If the RADIUS server is unreachable to the ME device, check whether an intermediate device fails. If so, rectify the fault. If the RADIUS server is reachable to the ME device, go to Step 2.
  2. Check whether the RADIUS server is working properly. If the RADIUS server is not working properly, rectify the server fault.
The vrf of domain is not accord with the pool
Message

The vrf of domain is not accord with the pool

Common Causes
  • The VPN instance configured in an AAA domain is different from that configured in any address pool bound to the AAA domain.
  • A device is configured to trust the VPN instance bound to a BAS interface in the AAA domain view, but the VPN instance on the BAS interface is different from that configured in any IP address pool bound to the AAA domain.
Troubleshooting Procedure
  1. Run the display this command in the AAA domain view to check whether a device is configured to trust the VPN instance bound to the BAS interface through which Layer 2 users go online (whether trust vpn-instance access-interface is displayed in the command output).

    • If the device is configured to trust the VPN instance bound to the BAS interface, go to Step 2.
    • If the device is not configured to trust the VPN instance bound to the BAS interface, go to Step 3.
  2. Run the display this command in the BAS interface view and IP address pool view and check whether the VPN instance on the BAS interface is the same as that configured in the IP address pool.

    • If the VPN instances are different, run the vpn-instance instance-name command in the BAS interface view or IP address pool view to ensure that the two VPN instances are the same.
    • If the VPN instances are the same, contact Huawei technical support personnel.
  3. Run the display this command in the AAA domain view and IP address pool view and check whether the VPN instance in the AAA domain is the same as that configured in the IP address pool.

    • If the VPN instances are different, run the vpn-instance instance-name command in the AAA domain view or IP address pool view to ensure that the two VPN instances are the same.
    • If the VPN instances are the same, contact Huawei technical support personnel.
The Web user is authenticated when processing CHAP authentication request
Display

The Web user is authenticated when processing CHAP authentication request

Common Causes

The challenge request of a user who has been switched to the authentication domain is reprocessed.

Solution

Check that the user has been switched to the authentication domain. If the user has been switched to the authentication domain, no further action is required.

The Web user is being authenticated when processing CHAP authentication request
Display

The Web user is being authenticated when processing CHAP authentication request

Common Causes

The challenge request packet of a user is processed when the user is being authenticated.

Solution

Suspend the current web authentication and wait for the previous web authentication to be completed.

The Web user is authenticated when processing authentication request
Display

The Web user is authenticated when processing authentication request

Common Causes

The authentication request of a user who has been switched to the authentication domain is reprocessed.

Solution

Check that the user has been switched to the authentication domain. If the user has been switched to the authentication domain, no further action is required.

The Web user is being authenticated when processing authentication request
Display

The Web user is being authenticated when processing authentication request

Common Causes

An authentication request is received from a user when the user is being authenticated.

Solution

Suspend the current web authentication and wait for the previous web authentication to be completed.

There is no host name in SCCRQ
Display

There is no host name in SCCRQ

Common Causes

No host name is carried in an SCCRQ packet.

Solution

Rectify the error in the SCCRQ packet on the LAC-side sender.

Tunnel down when processing ICRQ
Display

Tunnel down when processing ICRQ

Common Causes

The tunnel is Down when ICRQ packets are received.

Solution
  1. Delete the tunnel and re-configure a tunnel.
  2. Connect users to the network from another tunnel.
Up to user max session

Message

Up to user max session

Common Causes

The number of access sessions set up by users with the same user name exceeds the upper limit.

Troubleshooting Procedure
  1. Run the display domain domain-name command to check the upper limit of the access sessions set up by users with the same user name.
  2. If the number of access sessions set up by users with the same user name exceeds the upper limit, run the user-max-session max-session-number [ case-insensitive local-user-name ] command to increase the upper limit.
User access conflicts with key configuration modification

Prompt Message

User access conflicts with key configuration modification

This applies only to V800R011C00 and later.

Common Causes

A conflict arising from key configuration modification occurs during user login. For example, the sub-interface through which users go online is deleted during the user login process.

Troubleshooting Method

Enable the user to go online again after the configuration is complete.

User access speed too fast
Display

User access speed too fast

Common Causes

The user access speed is too fast.

Use config to create tunnel with no start lns ip-address
Message

Use config to create tunnel with no start lns ip-address

Common Causes

A LAC is configured to use locally configured IP addresses, not addresses delivered by a RADIUS server; however, the start l2tp ip command is not run on the LAC. As a result, a tunnel fails to be set up.

User's password expired
Message

User's password expired

Common Causes

A user's password expires.

Troubleshooting Procedure
NOTE:
  • The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
  1. Run the display local-user username user-name command to check whether the user's password expires.

    • If Password expired is displayed as no, the password has not expired. In this situation, contact Huawei technical support personnel.
    • If Password expired is displayed as yes, the password expires. In this situation, go to Step2.
  2. Run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password }command in the AAA view to re-create a password.

  3. To modify the password lifetime, run the user-password expire expire-time prompt prompt days command in the AAA view to set a password lifetime and enable a device to prompt users to change the password n days (specified by prompt days) before the password expires.

WEB authentication request is denied when processing authentication request
Display

WEB authentication request is denied when processing authentication request

Common Causes

A user who is not a web user is switched between the pre-authentication domain and the authentication domain.

Solution
  1. Check that the BAS interface is bound to the pre-authentication and authentication domains. If no pre-authentication is configured, configure a pre-authentication domain and bind the pre-authentication and authentication domains to the BAS interface.
  2. Check that the user uses web authentication for login.
Web user request
Display

Web user request

Common Causes

A Web user sends a logout request.

Feature Type

Web

Translation
Download
Updated: 2019-06-11

Document ID: EDOC1000175918

Views: 4618

Downloads: 208

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next