Troubleshooting Login Failures of Dual-Device Backup Users

Introduction

This document describes how to troubleshoot login failures of dual-device backup users.

Understanding Dual-Device Backup

Dual-device backup is a feature that ensures service continuity in scenarios where the Virtual Router Redundancy Protocol (VRRP) is deployed. Dual-device backup enables the master device to back up service control data to the backup device in real time. When the master device or the link directly connected to it fails, service traffic quickly switches to the backup device. When the master device or the link directly connected to it recovers, service traffic switches back to the master device. Dual-device backup improves service and network reliability.

Symptom

Dual-device backup is deployed on two devices working in master/backup mode. After NAS parameters are configured and address pools are bound to user domains on the two devices, users cannot access the network.

Troubleshooting Roadmap

To locate the fault, perform the following steps:

  1. Run the display aaa online-fail-record command in the system view to check user login failure records for fault diagnosis.
  2. If a hyphen (-) is displayed in the Online fail reason field, the cause of login failure cannot be located. In this case, run the display backup-user command to locate the fault based on the backup user information in the command output.

Troubleshooting Procedure

Check user login failure records and locate the fault based on login failure causes.

  1. Run the display aaa online-fail-record command in the system view to query user login failure records. Records can be queried by domain name, user access interface, MAC address, slot ID, user type, username, and time range. Locate the fault based on the failure cause displayed in the Online fail reason field. If a hyphen (-) is displayed in the Online fail reason field, the cause of login failure cannot be located. In this case, go to step 2.

    # Display login failure records of users connecting through GE 0/1/1.1.

    <HUAWEI> display aaa online-fail-record interface gigabitethernet 0/1/1.1 
      ------------------------------------------------------------------- 
      User name              : HUAWEI-100-07002000000100@isp1 
      Domain name            : isp1 
      User MAC               : 00e0-fc12-3451 
      Stack type flag        : IPv4 
      User access type       : telnet 
      User access interface  : GigabitEthernet0/1/1.1 
      Qinq Vlan/User Vlan : 0/100 
      User IP address        : 255.255.255.255 
      User ID                : 14 
      User authen state      : Authened 
      User acct state        : AcctIdle 
      User author state      : AuthorIdle 
      User login time        : 2009-12-04 16:49:07 
      Online fail reason     : Local authentication no user 
      ------------------------------------------------------------------- 
    Are you sure to display some information?[Y/N]:

    Common causes of login failures of dual-device backup users are as follows:

    • Command output:

      AAA access limit

      Common causes:

      The number of access users using the same account or the number of local users with the same username exceeds the limit.

      Handling Suggestion:

      • Run the display domain domain-name command and check the User-access-limit field in the output. Run the display local-user domain command to check the number of access users using the same account. If the number of access users using the same account exceeds the limit (displayed in the User-access-limit field), run the access-limit max-number command in the AAA domain view to set the limit to a larger value.
      • Run the display local-user domain domain-name command and check the Access-limit field in the output. Run the display local-user domain command to check the number of local users with the same username. If the number of local users with the same username exceeds the limit (displayed in the Access-limit field), run the local-user user-name access-limit max-number command in the AAA domain view to set the limit to a larger value.
    • Command output:

      Authenticate fail

      Common causes:

      Authentication has failed. This may be caused by an incorrect username or password.

      Handling Suggestion:

      Enter the correct username and password for re-authentication.

    • Command output:

      Idle timeout

      Common causes:

      Idle-cut parameters are configured using the idle-cut command, and users have been logged out because the user traffic rate has been lower than the specified traffic threshold for longer than the period specified by idle-time.

      Handling Suggestion:

      • Run the display domain domain-name command to check whether the values of the Idle-data-attribute(time,flow) field exceed those specified by idle-time and idle-rate in the idle-cut command.
      • If the values of the Idle-data-attribute(time,flow) field exceed the configured values, run the idle-cut idle-time { idle-data | zero-rate } [ inbound | outbound ] command in the AAA domain view to set the idle-cut parameters to larger values.
    • Command output:

      Interface delete

      Common causes:

      The interface through which users go online has been deleted.

      Handling Suggestion:

      Reconfigure a user access interface.

    • Command output:

      Interface down

      Common causes:

      The interface through which users go online was shut down using the shutdown command or the physical link directly connected to the interface has failed.

      Handling suggestion:

      Check whether the shutdown command was run on the user access interface and whether the physical link connected to the interface has failed.

    • Command output:

      IP address conflict

      Common causes:

      The IP address assigned by the RADIUS server to a user is already in use.

      Handling Suggestion:

      Enable the RADIUS server to re-assign an IP address to this user.

    • Command output:

      local no this user

      Common causes:

      The local user is not configured on the device.

      Handling Suggestion:

      • Run the display local-user command to check the information of all local users.
      • If the local user does not exist on the device, run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to create the local user.
      NOTE:
      • For security purposes, use an eight-character or longer password that contains at least two types of the following: uppercase letters, lowercase letters, digits, and special characters.
      • You are advised to configure your password in ciphertext mode and change it periodically.
    • Command output:

      Prefix conflict with same option

      The preceding output applies only to devices running V800R010C10 or later.

      Common causes:

      In a dual-device backup scenario, when the first user connects from the master device and the user's information is backed up to the backup device, an online user already exists on the backup device. The prefix used by the online user differs from that of the backup user. As a result, the backup device instructs the master device to log out the user whose information is backed up.

      Handling suggestion:

      Check whether an RBP switchover was performed, whether the user connected from the new master device earlier than the backup user during the switchover, and whether the prefixes of the online user and backup user are different. If these conditions are met, no action is required. Otherwise, contact Huawei technical support.

    • Command output:

      Session timeout

      Common causes:

      The duration quota delivered by a RADIUS server to a user has been exhausted.

      Handling suggestion:

      After the user's duration quota is exhausted, the user must pay for renewal or apply for a new duration quota to log in again.

    • Command output:

      The RADIUS server does not reply with Authentication ACK messages

      Common causes:

      The RADIUS server is unreachable by the router at the IP layer, which can be caused by a RADIUS server failure or an intermediate device failure.

      Handling suggestion:

      Run the ping command to check whether the RADIUS server is reachable by the router at the IP layer. If the RADIUS server is unreachable, check whether an intermediate device has failed. If an intermediate device has failed, rectify the fault. If the RADIUS server is reachable, check the working status of the RADIUS server and rectify the RADIUS server fault.

    • Command output:

      User's password expired

      Common causes:

      A user is logged out because the user's password has expired.

      Handling suggestion:

      • Run the display local-user username user-name command to check whether the user's password has expired. If no is displayed in the Password expired field, the password has not expired. In this case, contact Huawei technical support. If yes is displayed in the Password expired field, the password has expired. In this case, go to the next step.
      • Run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command in the AAA view to modify the password.
      • (Optional) Run the user-password expire expire-time prompt prompt-days command in the AAA view to set the number of days before password expiration for the system to prompt users to change their passwords.
      NOTE:
      • For security purposes, use an eight-character or longer password that contains at least two types of the following: uppercase letters, lowercase letters, digits, and special characters.
      • You are advised to configure your password in ciphertext mode and change it periodically.
  2. Check that the backup user information is correct.

    Run the display backup-user command in the system view to check the backup user information. If the value in the RBP or RBS field differs from the configured value or a hyphen (-) is displayed in the RBP or RBS field, the backup user information is incorrect. In this case, perform reconfiguration according to the following steps. If the backup user information is correct, go to step 3.

    # Display information about a backup user with the user ID 60.

    <HUAWEI> display backup-user user-id 60 
     ----------------------------------------------------------- 
                     RUI Backup User information 
     ----------------------------------------------------------- 
      UserIndex       : 60          Cid       : 60 
      SessionID       : 0           MAC       : 00e0-fc12-3456 
      PeVlan          : 700         CeVlan : 0 
      Vrid            : 0           IP        : 10.1.255.94 
      TriggerSendFlag : 1           Vpn       : -- 
      BackUpID        : 1           RBP       : zhhg 
      ProcessID       : 3           RBS       : tnl7-8 
      Interface       : GigabitEthernet0/1/1.7 
      UserName        : 0700@ll 
      Backup from     : Remote Server 
      User mode       : virtual 
     -----------------------------------------------------------
    NOTE:

    You can run the display backup-user command and perform reconfiguration according to the following steps on both the master and backup devices.

    • Check whether the value of the RBP field is correct. If the value differs from the configured value or a hyphen (-) is displayed in this field, the user backup information is incorrect. Perform reconfiguration according to the following steps.
      1. Run the system-view command to enter the system view.
      2. Run the remote-backup-profile profile-name command to create an RBP and enter its view.
      3. Run the peer-backup { hot | virtual } command to enable hot or virtual backup between devices.
      4. Run the vrrp-id vrid interface interface-type interface-number [ odd-mac | even-mac ] command to bind the RBP to a VRRP group.
      5. Run the backup-id backup-id remote-backup-service service-name command to configure a backup ID for the RBP and associate the RBP with a specified RBS.
      6. Run the service-type { arp | ipsec | l2tp | lacp | bras | multicast | igmp | igmp-snooping | no-host-multicast | dhcp-server | nd } command to enable remote backup for user services.
      7. Run the commit command to commit the configuration.
    • Check whether the value of the RBS field is correct. If the value differs from the configured value or a hyphen (-) is displayed in this field, the user backup information is incorrect. Perform reconfiguration according to the following steps.
      1. Run the system-view command to enter the system view.
      2. Run the remote-backup-service service-name command to create an RBS and enter its view.
      3. Run the peer peer-ip-address source source-ip-address port port-id command to configure TCP connection parameters for the RBS.
      4. Run the commit command to commit the configuration.
  3. Collect the results from the preceding steps and device configuration files, and contact Huawei technical support.
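
The procedure above can be applied to captured command output with a short script. This is an added example, not Huawei's code: it parses constructed sample output modelled on the two listings (including the two-column layout of display backup-user) and walks steps 1 to 3. The function names, the NEXT_CHECK table, and the configured RBP/RBS names passed in are assumptions for illustration.

```python
import re

# Constructed sample outputs, modelled on the two listings in this document.
FAIL_RECORD = """\
  User name              : HUAWEI-100-07002000000100@isp1
  User login time        : 2009-12-04 16:49:07
  Online fail reason     : -
"""
BACKUP_USER = """\
  UserIndex       : 60          Cid       : 60
  BackUpID        : 1           RBP       : zhhg
  ProcessID       : 3           RBS       : -
  Interface       : GigabitEthernet0/1/1.7
"""

# Fail reason -> first check, copied from the handling suggestions above.
NEXT_CHECK = {
    "AAA access limit": "display domain domain-name (User-access-limit)",
    "Idle timeout": "display domain domain-name (Idle-data-attribute(time,flow))",
    "local no this user": "display local-user",
    "User's password expired": "display local-user username user-name",
}

# Key, padded colon, then a value whose words are separated by single spaces.
PAIR = re.compile(r"(\w[\w /-]*?)\s+:\s+(\S+(?: \S+)*)")

def parse_fields(text):
    """Return {field: value}; a line may hold one or two 'key : value' pairs."""
    return {k: v for line in text.splitlines() for k, v in PAIR.findall(line)}

def triage(fail_text, backup_text, configured):
    """Apply steps 1-3 to one user; `configured` holds the intended RBP/RBS names."""
    reason = parse_fields(fail_text).get("Online fail reason", "-")
    if reason != "-":  # step 1 located the cause
        return [f"step 1: {reason}: {NEXT_CHECK.get(reason, 'see handling suggestion')}"]
    backup = parse_fields(backup_text)
    findings = []
    for field in ("RBP", "RBS"):  # step 2: hyphen or mismatch means reconfigure
        seen = backup.get(field, "-")
        if seen == "-" or seen != configured[field]:
            findings.append(f"step 2: {field}={seen}, expected {configured[field]}")
    return findings or ["step 3: backup info correct, escalate with outputs"]

if __name__ == "__main__":
    for finding in triage(FAIL_RECORD, BACKUP_USER, {"RBP": "zhhg", "RBS": "tnl7-8"}):
        print(finding)
```

Run the same check against output captured from both the master and the backup device, because the backup user information can be wrong on either one.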

Troubleshooting Summary

  • If a user fails to go online, the device automatically records the cause of login failure. You can locate the cause by checking the Online fail reason field in the display aaa online-fail-record command output.
  • In dual-device backup scenarios, run the display backup-user command to check whether the values of the RBP and RBS fields are consistent with the configured values. If they are different, perform reconfiguration.

Related Information

For more information about dual-device backup, see NE40E V800R011C00SPC200 Product Documentation 01.

Updated: 2019-07-03

Document ID: EDOC1100092119
