The network diagram is as follows:
The preceding network uses tunnel forwarding and 802.1x authentication. The TSM server functions as the RADIUS server. Only few STAs can go online.
Involved Products and Versions
AC6605 and AC6005 of V200R003C00SPC500 and earlier versions
Check the packet forwarding statistics on the AC. The statistics show that a large number of unnecessary UDP packets exist on the network. Run the display cpu-defend configuration wired command to check the CPU defense information. The command output shows that the CHAP packets from the TSM server are categorized as unknown packets, which are dropped for exceeding the CP CAR. As a result, STAs cannot finish the authentication process.
The CHAP packets exchanged between the TSM server and AC are categorized as unknown packets and discarded for exceeding the CP CAR.
Increase the default value of Rate-limit(PPS) in the unknown-packet field from 64 to 256. The customer needs to locate the sources of the unnecessary UDP packets.
The troubleshooting roadmap is as follows:
1, Obtain packets on the wireless NIC to determine the faulty procedure. It is found that the STA has not received an authentication packet from the AC.
2, Check whether the TSM server sends an authentication packet to the AC. Perform packet header obtainment on the TSM server. The analysis of the obtained packets shows that the TSM server has sent an authentication packet to the AC.
3, Check logs on the AC's control plane to determine whether the authentication information exists on the AC. It is found that the AC's control plane has not received the authentication information delivered by the TSM server.
4, Check whether the authentication packet is lost during forwarding. The packet forwarding statistics shows that a large number of unnecessary UDP packets are sent to the AC' s control plane, and the authentication packet from the TSM server is categorized as an unknown packet and discarded for exceeding the CP CAR.
5, Modify the CAR values to rectify the fault. Locate the sources of the unnecessary UDP packets.