Huawei - Troubleshooting - User Access

HUAWEI NetEngine80E/40E Router V600R003C00 Troubleshooting - User Access Issue 02 Date 2011-09-10 HUAWEI TECHNOLOGIES CO., LTD. Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied. Huawei Technologies Co., Ltd. Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website: http://www.huawei.com Email: support@huawei.com Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. i HUAWEI NetEngine80E/40E Router Troubleshooting - User Access About This Document About This Document Purpose NOTE l This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document. l On NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE40E-X1 and NE40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions of LPUs and SFUs to exchange and forward packets. This document describes how to troubleshoot the services of the HUAWEI NetEngine80E/ 40E in terms of common faults and causes, troubleshooting cases, and FAQs. This document describes the procedure and method for troubleshooting for the HUAWEI NetEngine80E/40E. Related Versions The following table lists the product versions related to this document. Product Name Version HUAWEI NetEngine80E/40E Router V600R003C00 Intended Audience This document is intended for: l System maintenance engineers l Commissioning engineers l Network monitoring engineers Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. ii HUAWEI NetEngine80E/40E Router Troubleshooting - User Access About This Document Symbol Conventions The symbols that may be found in this document are defined as follows. Symbol Description DANGER WARNING CAUTION Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury. Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury. Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results. TIP Indicates a tip that may help you solve a problem or save time. NOTE Provides additional information to emphasize or supplement important points of the main text. Command Conventions The command conventions that may be found in this document are defined as follows. Issue 02 (2011-09-10) Convention Description Boldface The keywords of a command line are in boldface. Italic Command arguments are in italics. [] Items (keywords or arguments) in brackets [ ] are optional. { x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected. [ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected. { x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected. [ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected. &<1-n> The parameter before the & sign can be repeated 1 to n times. # A line starting with the # sign is comments. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. iii HUAWEI NetEngine80E/40E Router Troubleshooting - User Access About This Document Change History Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues. Changes in Issue 02 (2011-08-12) The second commercial release. There is no update compared with the previous issue. Changes in Issue 01 (2011-05-30) Initial field trial release. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. iv HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents Contents About This Document.....................................................................................................................ii 1 User Fails to Get Online Troubleshooting...............................................................................1 1.1 Method of Troubleshooting User Logout...........................................................................................................2 1.1.1 Troubleshooting User Logout Faults.........................................................................................................2 1.2 User Logout Cause.............................................................................................................................................2 1.2.1 AAA access limit.......................................................................................................................................2 1.2.2 AAA cut command....................................................................................................................................3 1.2.3 AAA update ipv6 address fail...................................................................................................................3 1.2.4 AAA with Authentication no response......................................................................................................3 1.2.5 AAA with authorization data error............................................................................................................4 1.2.6 AAA with flow limit..................................................................................................................................4 1.2.7 AAA with HQOS filled fail.......................................................................................................................4 1.2.8 AAA with logout fail.................................................................................................................................5 1.2.9 AAA with message send fail.....................................................................................................................5 1.2.10 AAA with pool filled fail.........................................................................................................................5 1.2.11 AAA with radius decode fail...................................................................................................................5 1.2.12 AAA with radius server cut command....................................................................................................6 1.2.13 AAA with realtime accouting fail...........................................................................................................6 1.2.14 AAA with start accounting fail................................................................................................................6 1.2.15 AAA with stop accounting fail................................................................................................................6 1.2.16 AAA with timer create fail......................................................................................................................7 1.2.17 AAA with update.....................................................................................................................................7 1.2.18 AAA with user information err...............................................................................................................7 1.2.19 AAA_SERVICE_CHANGE...................................................................................................................7 1.2.20 AM with check fail..................................................................................................................................8 1.2.21 AM with lease timeout............................................................................................................................8 1.2.22 AM with Renew lease timeout................................................................................................................8 1.2.23 ARP with connect check fail...................................................................................................................8 1.2.24 ARP with detect fail................................................................................................................................9 1.2.25 ARP with start detect fail.........................................................................................................................9 1.2.26 Authenticate fail......................................................................................................................................9 1.2.27 Authentication method error....................................................................................................................9 1.2.28 Author of IP address and ip-include conflict.........................................................................................10 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. v HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 1.2.29 Block domain force user to offline........................................................................................................10 1.2.30 Board on Master removed.....................................................................................................................10 1.2.31 Board remove........................................................................................................................................10 1.2.32 Card on Master removed.......................................................................................................................10 1.2.33 Card remove..........................................................................................................................................11 1.2.34 CM with AAA auth ack time out...........................................................................................................11 1.2.35 CM with AAA connect check fail.........................................................................................................11 1.2.36 CM with AAA ipv6 update ack time out...............................................................................................11 1.2.37 CM with AAA logout ack time out.......................................................................................................12 1.2.38 CM with add to FC fail..........................................................................................................................12 1.2.39 CM with AM ip ack time out.................................................................................................................12 1.2.40 CM with AMV6 ipv6 ack time out........................................................................................................12 1.2.41 CM with ARP detect ack time out.........................................................................................................13 1.2.42 CM with DHCPACC conn up time out.................................................................................................13 1.2.43 CM with DHCPv6 conn up time out.....................................................................................................13 1.2.44 CM with Framed IP address invalid......................................................................................................14 1.2.45 CM with Ifnet ipv6 protocol down........................................................................................................14 1.2.46 CM with IP address alloc fail................................................................................................................14 1.2.47 CM with l2tp session fail.......................................................................................................................14 1.2.48 CM with login fail.................................................................................................................................15 1.2.49 CM with MSEADA cib ack time out....................................................................................................15 1.2.50 CM with MSEADA update workslot time out......................................................................................15 1.2.51 CM with Nas error.................................................................................................................................16 1.2.52 CM with PPP conn up time out.............................................................................................................16 1.2.53 CM with PPP ipv6 conn up time out.....................................................................................................16 1.2.54 CM with start arp detect fail..................................................................................................................17 1.2.55 CM with time out...................................................................................................................................17 1.2.56 CM with WEB logout resp time out......................................................................................................17 1.2.57 Connect check fail.................................................................................................................................18 1.2.58 Dhcp decline..........................................................................................................................................18 1.2.59 Dhcp release..........................................................................................................................................18 1.2.60 Dhcp repeat packet................................................................................................................................19 1.2.61 DHCP user state timeout.......................................................................................................................19 1.2.62 DHCP wait client packet timeout..........................................................................................................19 1.2.63 DHCP with IP address conflict..............................................................................................................20 1.2.64 Dhcp with MTU limit............................................................................................................................20 1.2.65 DHCP with server nak...........................................................................................................................20 1.2.66 DHCP with server no response..............................................................................................................21 1.2.67 DHCP with unknown error....................................................................................................................21 1.2.68 DHCPV6 client decline.........................................................................................................................21 1.2.69 DHCPV6 client release..........................................................................................................................22 1.2.70 DHCPV6 inner error..............................................................................................................................22 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. vi HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 1.2.71 DHCPV6 ip alloc fail............................................................................................................................22 1.2.72 DHCPV6 wait client timeout.................................................................................................................23 1.2.73 DHCPV6 wait UCM timeout................................................................................................................23 1.2.74 EAP connection down...........................................................................................................................23 1.2.75 EAPOL server session timeout .............................................................................................................24 1.2.76 EAPOL user request..............................................................................................................................24 1.2.77 EAPOL with authentication fail............................................................................................................24 1.2.78 EAPOL with connect check fail............................................................................................................25 1.2.79 EAPOL with echo fail...........................................................................................................................25 1.2.80 EAPOL with nas error...........................................................................................................................25 1.2.81 Fail to add 588 insegment......................................................................................................................26 1.2.82 Fail to add 588 outsegment....................................................................................................................26 1.2.83 Fail to add elabel map............................................................................................................................26 1.2.84 Fail to add internal pfb...........................................................................................................................26 1.2.85 Fail to add internal product main fwd entry..........................................................................................27 1.2.86 Fail to add l2tp lac fwd table.................................................................................................................27 1.2.87 Fail to add l2tp lns fwd table.................................................................................................................27 1.2.88 Fail to add l2tp lts fwd table..................................................................................................................28 1.2.89 Fail to add mac hash..............................................................................................................................28 1.2.90 Fail to add node fresh list......................................................................................................................28 1.2.91 Fail to add qos para................................................................................................................................29 1.2.92 Fail to add user mac...............................................................................................................................29 1.2.93 Fail to add x11 and 588 fwd table.........................................................................................................29 1.2.94 Fail to apply new user mac indexs.........................................................................................................29 1.2.95 Fail to apply qos resource......................................................................................................................30 1.2.96 Fail to check ucm oper...........................................................................................................................30 1.2.97 Fail to chek ucm oper msg.....................................................................................................................30 1.2.98 Fail to chek ucm oper msg when modify..............................................................................................31 1.2.99 Fail to del internal pfb...........................................................................................................................31 1.2.100 Fail to del ip hash.................................................................................................................................31 1.2.101 Fail to del mac hash.............................................................................................................................31 1.2.102 Fail to dowm load out bound SQ id.....................................................................................................32 1.2.103 Fail to fill qos profile for rui user........................................................................................................32 1.2.104 Fail to get cib item when modify.........................................................................................................32 1.2.105 Fail to get ppp info when modify........................................................................................................32 1.2.106 Fail to get rui user info........................................................................................................................33 1.2.107 Fail to Init Cib......................................................................................................................................33 1.2.108 Fail to Init cib list ................................................................................................................................33 1.2.109 Fail to normal down load qos resource................................................................................................34 1.2.110 Fail to portal add user info...................................................................................................................34 1.2.111 Fail to qinq user oper...........................................................................................................................34 1.2.112 Fail to resource Apply.........................................................................................................................34 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. vii HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 1.2.113 Fail to set local cid from golbal cid.....................................................................................................35 1.2.114 Fail to set qos data...............................................................................................................................35 1.2.115 Fail to transport access type.................................................................................................................35 1.2.116 Failed to add user to board for user is not up......................................................................................36 1.2.117 Failed to realtime backup....................................................................................................................36 1.2.118 Failed to switch workslot for user is not up.........................................................................................36 1.2.119 Failed to update ipv6 address, it's a ipv4 user.....................................................................................36 1.2.120 Failed to update user mac table...........................................................................................................37 1.2.121 Fail to trans access type.......................................................................................................................37 1.2.122 FTP with receive data fail....................................................................................................................37 1.2.123 FTP with server idle timeout...............................................................................................................37 1.2.124 FTP with service closing.....................................................................................................................38 1.2.125 FTP with sever closed..........................................................................................................................38 1.2.126 FTP with user login fail.......................................................................................................................38 1.2.127 FTP with user switch...........................................................................................................................38 1.2.128 Gateway different from former............................................................................................................38 1.2.129 GTL license needed.............................................................................................................................39 1.2.130 Idle cut.................................................................................................................................................39 1.2.131 Interface delete....................................................................................................................................39 1.2.132 Interface down.....................................................................................................................................39 1.2.133 Interface on Master down....................................................................................................................40 1.2.134 IP alloc fail for trigger user..................................................................................................................40 1.2.135 IPv6 address allocation failed because of inner cause.........................................................................40 1.2.136 IPv6 address conflicts too much times................................................................................................40 1.2.137 L2TP alloc sessionid fail.....................................................................................................................41 1.2.138 L2TP alloc tunnelid fail.......................................................................................................................41 1.2.139 L2TP checking ICRP error..................................................................................................................41 1.2.140 L2TP checking SCCRP error..............................................................................................................42 1.2.141 L2TP connect check fail......................................................................................................................42 1.2.142 L2TP cut command.............................................................................................................................42 1.2.143 L2TP download lac fib fail..................................................................................................................43 1.2.144 L2TP FSM error..................................................................................................................................43 1.2.145 L2TP get tunnel fail.............................................................................................................................43 1.2.146 L2TP init tunnel struct fail...................................................................................................................44 1.2.147 L2TP inner error..................................................................................................................................44 1.2.148 L2TP other error..................................................................................................................................44 1.2.149 L2TP peer cleared tunnel.....................................................................................................................45 1.2.150 L2TP rebuild tunnel fail......................................................................................................................45 1.2.151 L2TP remote slot.................................................................................................................................45 1.2.152 L2TP request offline............................................................................................................................46 1.2.153 L2TP send ICCN fail...........................................................................................................................46 1.2.154 L2TP send ICRQ fail...........................................................................................................................46 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. viii HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 1.2.155 L2TP send SCCRQ fail.......................................................................................................................47 1.2.156 L2TP service is unavailable.................................................................................................................47 1.2.157 L2TP sessionlimit ...............................................................................................................................47 1.2.158 L2TP with connect check fail..............................................................................................................48 1.2.159 LAC clear session................................................................................................................................48 1.2.160 LAC clear tunnel.................................................................................................................................49 1.2.161 Layer2-VPN down...............................................................................................................................49 1.2.162 LNS clear session................................................................................................................................49 1.2.163 LNS clear tunnel..................................................................................................................................50 1.2.164 LNS cleared session.............................................................................................................................50 1.2.165 Mac-user ppp-preferred.......................................................................................................................50 1.2.166 MSEADA failed to get pfb data..........................................................................................................50 1.2.167 MSEADA failed to add cid from vcd..................................................................................................51 1.2.168 MSEADA failed to download 2800 cib table......................................................................................51 1.2.169 MSEADA failed to download 2800 uaib table....................................................................................51 1.2.170 MSEADA failed to download 588 l2tp global table...........................................................................52 1.2.171 MSEADA failed to download 588 l2tp global table...........................................................................52 1.2.172 MSEADA failed to download dual user table.....................................................................................52 1.2.173 MSEADA failed to get lns info...........................................................................................................52 1.2.174 MSEADA portswitch notify access module fail.................................................................................53 1.2.175 MSEADA portswitch process fail.......................................................................................................53 1.2.176 MSEADA with cib checked fail..........................................................................................................53 1.2.177 MSEADA with user added fail............................................................................................................53 1.2.178 MSEQOS with SQ reserved fail..........................................................................................................54 1.2.179 Nas error..............................................................................................................................................54 1.2.180 Nas request to offline...........................................................................................................................54 1.2.181 ND Add Prefix Fail..............................................................................................................................55 1.2.182 ND Detect Fail.....................................................................................................................................55 1.2.183 ND Table Check Fail...........................................................................................................................55 1.2.184 Netmask assigned by RDS error(Value invalid).................................................................................55 1.2.185 No available prefix for conflicts of the interface id specified by radius.............................................56 1.2.186 No IPv6 address available...................................................................................................................56 1.2.187 No prefix available..............................................................................................................................56 1.2.188 No response of control packet from peer.............................................................................................57 1.2.189 Online user number exceed GTL license limit....................................................................................57 1.2.190 Ppp is already down when modify......................................................................................................57 1.2.191 PPP negotiate fail.................................................................................................................................57 1.2.192 PPP pvc interface down.......................................................................................................................58 1.2.193 PPP up recv lcp again..........................................................................................................................58 1.2.194 PPP user over LNS request..................................................................................................................59 1.2.195 PPP user request..................................................................................................................................59 1.2.196 PPP with authentication fail................................................................................................................59 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. ix HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 1.2.197 PPP with connect check fail................................................................................................................60 1.2.198 PPP with echo fail................................................................................................................................60 1.2.199 Radius alloc incorrect IP......................................................................................................................61 1.2.200 Renew timeout in shortlease................................................................................................................61 1.2.201 RUI request cold backup user offline for slave...................................................................................61 1.2.202 RUI request offline..............................................................................................................................61 1.2.203 RUI trigger to create pppoe cib failed.................................................................................................62 1.2.204 Service unavailable..............................................................................................................................62 1.2.205 Session time out...................................................................................................................................62 1.2.206 Srvcfg cut command............................................................................................................................62 1.2.207 SRVCFG failed to process..................................................................................................................63 1.2.208 The domain does not bind IPv6 pool...................................................................................................63 1.2.209 The domain has not binded ip-pool or ipv6-pool................................................................................63 1.2.210 Trunk is no member.............................................................................................................................63 1.2.211 Tunnel with session null......................................................................................................................64 1.2.212 UCM failed to apply resoure for trunk user........................................................................................64 1.2.213 UCM failed to send ipv6 update message to AAA.............................................................................64 1.2.214 UCM failed to send ipv6 update message to MSEADA.....................................................................64 1.2.215 UCM failed to update work-slot of trunk-interface user.....................................................................65 1.2.216 UCM portswitch preprocess fail..........................................................................................................65 1.2.217 UCM portswitch process fail...............................................................................................................65 1.2.218 UCM update ipv6 address fail.............................................................................................................66 1.2.219 Unmatched Vpn-Instance....................................................................................................................66 1.2.220 User access speed too fast...................................................................................................................66 1.2.221 User info is conflict with rui user........................................................................................................66 1.2.222 Wait cib ack time out...........................................................................................................................67 1.2.223 Wait DHCP connection request time out............................................................................................67 1.2.224 Wait EAPOL auth request time out.....................................................................................................67 1.2.225 Wait EAPOL down ack time out.........................................................................................................68 1.2.226 Wait L2TP connection up time out......................................................................................................68 1.2.227 Wait PPP auth request time out...........................................................................................................68 1.2.228 Wait PPP auth request time out...........................................................................................................69 1.2.229 Wait WEB down ack time out.............................................................................................................69 1.2.230 Wait WEB user ack time out...............................................................................................................69 1.2.231 Web user requst...................................................................................................................................70 1.2.232 Web with unknown error.....................................................................................................................70 1.2.233 WLAN AC wpa handshake fail...........................................................................................................70 1.2.234 WLAN user deassociate......................................................................................................................71 1.3 Troubleshooting IPoX......................................................................................................................................71 1.3.1 Typical Networking.................................................................................................................................71 1.3.2 Troubleshooting Flowchart......................................................................................................................73 1.3.3 Troubleshooting Procedure......................................................................................................................73 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. x HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 1.4 Related Troubleshooting Cases........................................................................................................................74 1.4.1 Local Authentication Fails beacause Authorization Mode and Accounting Mode Are Incorrectly Set ..........................................................................................................................................................................74 1.4.2 After an Accounting Failure, the Super Password Is Invalid After Being Entered.................................75 1.4.3 Unreachable RADIUS Server Causes Level-3 Users to Log In as Level-1 Users..................................77 1.4.4 A DHCP Client Fails to Obtain an IP Address from the DHCP Server Through the BRAS..................79 1.4.5 The Device Does not Respond to the Authentication Request Packet Sent by the Web Authentication Server................................................................................................................................................................80 1.4.6 Web Authentication Fails........................................................................................................................82 1.4.7 Error 619 Occurs After Users Attached to the NE80E/40E Dial Up......................................................84 1.4.8 Error Message, Indicating that Communication Between a User Access Device and a Portal Server Fails, Is Displayed During Web Authentication........................................................................................................85 1.4.9 router Fails to Communicate with a RADIUS Server Because an ACL Rule Is Configured on the router's Interface Connected to the RADIUS Server........................................................................................88 1.4.10 Users Are Repeatedly Logged Out of the MAN Due to Route Flapping..............................................89 1.4.11 Dial-up Fails Because the Format of the Packet Sent from the BRAS Is Inconsistent with That on the RADIUS Server................................................................................................................................................94 1.4.12 Uses Fail to Log In Because the GTL License File Is Not Loaded.......................................................96 1.4.13 Modems of a Certain Brand Fail to Access the Internet Because Multiple Interfaces Respond to the PADO Packet....................................................................................................................................................96 1.4.14 A User Cannot Obtain the Associated Authority Because the AAA Authorization Mode and AAA Authentication Mode Are Inconsistent.............................................................................................................97 1.4.15 Failure to Obtain an IP Address............................................................................................................99 1.4.16 Web Authentication Fails....................................................................................................................102 1.4.17 Mandatory Web Authentication Fails..................................................................................................105 2 Client Fails to Obtain an IP Address Troubleshooting..................................................... 108 2.1 An Ethernet Client Fails to Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Server)..................................................................................................................................................................109 2.1.1 Common Causes....................................................................................................................................109 2.1.2 Troubleshooting Flowchart....................................................................................................................109 2.1.3 Troubleshooting Procedure....................................................................................................................111 2.1.4 Relevant Alarms and Logs....................................................................................................................113 2.2 An Ethernet Client Cannot Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Relay)....................................................................................................................................................................113 2.2.1 Common Causes....................................................................................................................................113 2.2.2 Troubleshooting Flowchart....................................................................................................................113 2.2.3 Troubleshooting Procedure....................................................................................................................114 2.2.4 Relevant Alarms and Logs....................................................................................................................115 2.3 A PPPoX/IPoX Client Fails to Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Server)..................................................................................................................................................................116 2.3.1 Common Causes....................................................................................................................................116 2.3.2 Troubleshooting Flowchart....................................................................................................................116 2.3.3 Troubleshooting Procedure....................................................................................................................118 2.3.4 Relevant Alarms and Logs....................................................................................................................120 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. xi HUAWEI NetEngine80E/40E Router Troubleshooting - User Access Contents 2.4 A PPPoX/IPoX Client Cannot Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Relay)....................................................................................................................................................................120 2.4.1 Common Causes....................................................................................................................................120 2.4.2 Troubleshooting Flowchart....................................................................................................................120 2.4.3 Troubleshooting Procedure....................................................................................................................122 2.4.4 Relevant Alarms and Logs....................................................................................................................124 2.5 Related Troubleshooting Cases......................................................................................................................124 2.5.1 User Fails to Obtain an IP Address from a DHCP Relay Agent Connected to a DHCP Server over Active and Standby Links..........................................................................................................................................124 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. xii HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 1 User Fails to Get Online Troubleshooting User Fails to Get Online Troubleshooting About This Chapter 1.1 Method of Troubleshooting User Logout 1.2 User Logout Cause 1.3 Troubleshooting IPoX This section describes the configuration notes, flows, and procedures for IPoX troubleshooting based on the typical IPoX networking. 1.4 Related Troubleshooting Cases Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 1 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.1 Method of Troubleshooting User Logout 1.1.1 Troubleshooting User Logout Faults Method of troubleshooting the fault that a user fails to get online Run the display aaa online-fail-record command to check why a user fails to get online. For example, assume that the user HUAWEI-100-07 fails to get online. <HUAWEI> display aaa online-fail-record username HUAWEI-100-07 002000000100@isp1 user-type bind ------------------------------------------------------------------User name : HUAWEI-100-07002000000100@isp1 Domain name : isp1 User MAC : 0016-ecb7-a879 User access type : IPoE User access interface : GigabitEthernet7/0/2.1 Qinq Vlan/User Vlan : 0/100 User IP address : 255.255.255.255 User ID : 14 User authen state : Authened User acct state : AcctIdle User author state : AuthorIdle User login time : 2007/12/04 16:49:07 User online fail reason: PPP with authentication fail ------------------------------------------------------------------Info: Are you sure to show some information?(y/n)[y]:n Check the 1.2 User Logout Cause to find the reason of the login failure. If the cause of the login failure cannot be found by using the preceding method, the link between the user and the access device may be faulty. In this case, troubleshoot the link on the network. Method of Troubleshooting the Fault that a User Is Logged out Unexpectedly Run the display aaa abnormal-offline-record and display aaa offline-record commands to check the logout reason. 1.2 User Logout Cause 1.2.1 AAA access limit Display AAA access limit Common Causes The number of access users using the same account exceeds the upper limit. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 2 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution 1. Run the display domain domain-name command and check the User-access-limit field in the output. Run the display access-user domain domain-name command to check the number of access users using the same account. If the number of access users using the same account exceeds the upper limit, run the access-limit max-number command in the AAA view to increase the maximum number of users allowed to access the network using the same account. 2. Run the display local-user domain domain-name command and check the Access-limit field in the output. Run the display access-user domain domain-name command to check the number of local access users using the same account. If the number of local access users using the same account exceeds the upper limit, run the local-user user-name accesslimit max-number command in the AAA view to increase the maximum number of local users allowed to access the network using the same account. 1.2.2 AAA cut command Display AAA cut command Common Causes The cut access-user command is run manually on the access device to log users out. 1.2.3 AAA update ipv6 address fail Display AAA update ipv6 address fail Common Causes Instructing AAA to update an IPv6 address fails. Solution Contact Huawei technical support personnel. 1.2.4 AAA with Authentication no response Display AAA with Authentication no response Common Causes When being authenticated by a remote or local server, a user does not receive any responses from the authentication server before the authentication timeout period expires. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 3 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Run the display this command in the AAA view and check the name of the RADIUS server group that is bound to the user domain. Run the display radius-server configuration group group-name command and check the Authentication-server field in the output to obtain the IP address of the authentication server. Run the ping ip-address command to check whether the authentication server is reachable. If the ping fails, see The Ping Operation Fails for details on how to resolve the problem. 1.2.5 AAA with authorization data error Display AAA with authorization data error Common Causes The RADIUS server has delivered an incorrect attribute value or the access device has no corresponding RADIUS attributes. Therefore, adding user authorization information fails. 1.2.6 AAA with flow limit Display AAA with flow limit Common Causes The service traffic of a user reaches the upper limit. Solution Check whether the remaining traffic of the user on the accounting server is 0. If there is no remaining traffic, the user is logged out normally and no further action is required. 1.2.7 AAA with HQOS filled fail Display AAA with HQOS filled fail Common Causes A user fails to obtain authorized QoS information. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 4 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.8 AAA with logout fail Display AAA with logout fail Common Causes The access device cannot communicate with the accounting server configured in the preauthentication domain. As a result, a user logout fails. 1.2.9 AAA with message send fail Display AAA with message send fail Common Causes Sending authorization information fails. Solution Contact Huawei technical support personnel. 1.2.10 AAA with pool filled fail Display AAA with pool filled fail Common Causes Obtaining the address pool list fails. Solution Contact Huawei technical support personnel. 1.2.11 AAA with radius decode fail Display AAA with radius decode fail Common Causes The RADIUS server has delivered attributes in an incorrect format. As a result, parsing a RADIUS authentication response packet fails. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 5 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.12 AAA with radius server cut command Display AAA with radius server cut command Common Causes The RADIUS server forces a user to log out. 1.2.13 AAA with realtime accouting fail Display AAA with realtime accouting fail Common Causes The IP address of the accounting server is unreachable, and therefore real-time accounting for a user fails. Relevant Alarms and Logs This log displays as "Failed to process the normal realtime accounting. (User=[STRING], AcctSessionID=[STRING])". 1.2.14 AAA with start accounting fail Display AAA with start accounting fail Common Causes The IP address of the accounting server is unreachable, and therefore starting accounting for a user fails. Relevant Alarms and Logs This log displays as "Failed to start the normal accounting. (User=[STRING], AcctSessionID= [STRING])". 1.2.15 AAA with stop accounting fail Display AAA with stop accounting fail Common Causes The IP address of the accounting server is unreachable, and therefore stopping accounting for a user fails. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 6 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Relevant Alarms and Logs This log displays as "Failed to stop the normal accounting. (User=[STRING], AcctSessionID= [STRING])". 1.2.16 AAA with timer create fail Display AAA with timer create fail Common Causes Starting the timer for prompting remaining user time fails. Solution Contact Huawei technical support personnel. 1.2.17 AAA with update Display AAA with update Common Causes Requesting user information update fails. Solution Contact Huawei technical support personnel. 1.2.18 AAA with user information err Display AAA with user information err Common Causes The AAA module has saved incorrect user information. Solution Contact Huawei technical support personnel. 1.2.19 AAA_SERVICE_CHANGE Display AAA_SERVICE_CHANGE Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 7 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes Changing an AAA service fails. Procedure Contact Huawei technical support personnel. 1.2.20 AM with check fail Display AM with check fail Common Causes Mappings between AM entries and UCM entries are incorrect. Solution Contact Huawei technical support personnel. 1.2.21 AM with lease timeout Display AM with lease timeout Common Causes A user does not extend the IP address lease, or the link at the user side is faulty so that the packets for requesting extension of the IP address lease are lost. As a result, the IP address lease of the user expires. 1.2.22 AM with Renew lease timeout Display AM with Renew lease timeout Common Causes The access device cannot communicate with the DHCP server, and therefore a PPPoE user fails to apply for extension of the IP address lease to the DHCP server. 1.2.23 ARP with connect check fail Display ARP with connect check fail Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 8 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The ARP module detects that mappings between ARP entries and UCM entries are incorrect. Solution Contact Huawei technical support personnel. 1.2.24 ARP with detect fail Display ARP with detect fail Common Causes l The intermediate transmission device discards or modifies ARP probe packets. l Fibers or optical modules are not properly installed or a link fault occurs. l There are too many probe response packets, and therefore some are dropped. 1.2.25 ARP with start detect fail Display ARP with start detect fail Common Causes Starting an ARP probe fails. Solution Contact Huawei technical support personnel. 1.2.26 Authenticate fail Display Authenticate fail Common Causes The user name or password used for authentication is incorrect. 1.2.27 Authentication method error Display Authentication method error Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 9 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The requested authentication type is different from the authentication type configured on the interface from which the user gets online. 1.2.28 Author of IP address and ip-include conflict Display Author of IP address and ip-include conflict Common Causes The address pool in the dual-stack user domain is configured incorrectly. 1.2.29 Block domain force user to offline Display Block domain force user to offline Common Causes The timer for blocking a domain expires, and therefore the domain users are forced offline. 1.2.30 Board on Master removed Display Board on Master removed Common Causes A board for user access is faulty, causing users that get online from the board to be logged out. In addition, a master/slave MPU switchover occurs during the logout. 1.2.31 Board remove Display Board remove Common Causes A board for user access is faulty, causing users that get online from the board to be logged out. 1.2.32 Card on Master removed Display Card on Master removed Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 10 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes A sub-card for user access is faulty, causing users that get online from the sub-card to be logged out. In addition, a master/slave MPU switchover occurs during the logout. 1.2.33 Card remove Display Card remove Common Causes A sub-card for user access is faulty, causing users that get online from the sub-card to be logged out. 1.2.34 CM with AAA auth ack time out Display CM with AAA auth ack time out Common Causes No AAA authentication response is received before the due time. Solution Contact Huawei technical support personnel. 1.2.35 CM with AAA connect check fail Display CM with AAA connect check fail Common Causes Mappings between the UCM entries and AAA entries are incorrect. Solution Contact Huawei technical support personnel. 1.2.36 CM with AAA ipv6 update ack time out Display CM with AAA ipv6 update ack time out Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 11 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes Waiting for an IPv6 entry update response from the AAA module times out. Solution Contact Huawei technical support personnel. 1.2.37 CM with AAA logout ack time out Display CM with AAA logout ack time out Common Causes Waiting for an AAA logout response times out. Solution Contact Huawei technical support personnel. 1.2.38 CM with add to FC fail Display CM with add to FC fail Common Causes A user entry on the LPU fails to be created or modified. 1.2.39 CM with AM ip ack time out Display CM with AM ip ack time out Common Causes A PPPoE user fails to obtain an IP address because the AM module does not assign an IP address within the timeout period. Solution Contact Huawei technical support personnel. 1.2.40 CM with AMV6 ipv6 ack time out Display CM with AMV6 ipv6 ack time out Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 12 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes Assigning an IPv6 address times out. Solution Contact Huawei technical support personnel. 1.2.41 CM with ARP detect ack time out Display CM with ARP detect ack time out Common Causes Waiting for an ARP probe start or stop response times out. Solution Contact Huawei technical support personnel. 1.2.42 CM with DHCPACC conn up time out Display CM with DHCPACC conn up time out Common Causes Waiting for an Up event of the DHCP module times out. Feature Type IPoE Solution Contact Huawei technical support personnel. 1.2.43 CM with DHCPv6 conn up time out Display CM with DHCPv6 conn up time out Common Causes Waiting for an Up message of the DHCPv6 module times out. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 13 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type IPoEv6 Solution Contact Huawei technical support personnel. 1.2.44 CM with Framed IP address invalid Display CM with Framed IP address invalid Common Causes The IP address assigned by the RADIUS server has already been assigned to another device, and therefore the IP address is invalid. 1.2.45 CM with Ifnet ipv6 protocol down Display CM with Ifnet ipv6 protocol down Common Causes IPv6 has been disabled on the access device or an access interface. As a result, IPv6 on the access interface goes Down, causing an IPv6 user to be logged out or fail to log in. 1.2.46 CM with IP address alloc fail Display CM with IP address alloc fail Common Causes The UCM module fails to obtain an IP address. Solution Contact Huawei technical support personnel. 1.2.47 CM with l2tp session fail Display CM with l2tp session fail Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 14 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes An L2TP session fails to be set up. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.48 CM with login fail Display CM with login fail Common Causes A user fails to log in. Solution Contact Huawei technical support personnel. 1.2.49 CM with MSEADA cib ack time out Display CM with MSEADA cib ack time out Common Causes Creating a user forwarding entry times out. Solution Contact Huawei technical support personnel. 1.2.50 CM with MSEADA update workslot time out Display CM with MSEADA update workslot time out Common Causes Updating the LPU from which users gets online times out. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 15 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.51 CM with Nas error Display CM with Nas error Common Causes A system error, such as a memory application failure, occurs. Solution Contact Huawei technical support personnel. 1.2.52 CM with PPP conn up time out Display CM with PPP conn up time out Common Causes Waiting for a connection Up message from the PPP module times out. Feature Type PPP Solution Contact Huawei technical support personnel. 1.2.53 CM with PPP ipv6 conn up time out Display CM with PPP ipv6 conn up time out Common Causes Waiting for an IPv6 connection Up message from the PPP module times out. Feature Type PPP IPv6 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 16 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.54 CM with start arp detect fail Display CM with start arp detect fail Common Causes Starting an ARP probe fails. Solution Contact Huawei technical support personnel. 1.2.55 CM with time out Display CM with time out Common Causes The UCM timer expires. Solution Contact Huawei technical support personnel. 1.2.56 CM with WEB logout resp time out Display CM with WEB logout resp time out Common Causes Waiting for a Web module logout response times out. Feature Type Web Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 17 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.57 Connect check fail Display Connect check fail Common Causes The mappings of the ACM, EAP, and ARP entries of users are incorrect. Solution Contact Huawei technical support personnel. 1.2.58 Dhcp decline Display Dhcp decline Common Causes The DHCP client sends a DHCPDECLINE message to the DHCP server because it detects that the IP address it is assigned has already been assigned to another client. Feature Type IPoE Relevant Alarms and Logs IPCONFLICT 1.2.59 Dhcp release Display Dhcp release Common Causes The UCM module instructs the AM module to reclaim an IP address that has been assigned by the remote DHCP server. Feature Type IPoE Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 18 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.60 Dhcp repeat packet Display Dhcp repeat packet Common Causes An online user sends DHCPDISCOVER packets again. As a result, the DHCP server considers the user offline and logs out the user. Feature Type IPoE 1.2.61 DHCP user state timeout Display DHCP user state timeout Common Causes The timer of waiting for a UCM response expires. Feature Type IPoE Solution Contact Huawei technical support personnel. 1.2.62 DHCP wait client packet timeout Display DHCP wait client packet timeout Common Causes The fault that DHCP packets from a user are lost is commonly caused by one of the following: l Incorrect link bandwidth is configured. l A link is interrupted or the link delay is too long. l Some fields in packets cannot be identified by a transit device, causing packet loss. Feature Type IPoE Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 19 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Troubleshoot the fault based on the actual networking and service requirements. TIP If DHCP snooping or broadcast suppression is configured on a transit device, DHCP packets may be dropped mistakenly by the transit device. 1.2.63 DHCP with IP address conflict Display DHCP with IP address conflict Common Causes An IP address conflict occurs, and therefore the LPU UCM module fails to create the index of the IP address. Feature Type IPoE Solution Contact Huawei technical support personnel. 1.2.64 Dhcp with MTU limit Display Dhcp with MTU limit Common Causes The MTU value configured on an interface is too small, and therefore the interface cannot send DHCP packets. Feature Type IPoE 1.2.65 DHCP with server nak Display DHCP with server nak Common Causes Multiple DHCP servers are deployed on the network. The IP address that a client obtains is assign by a DHCP server but not the access device, and therefore the IP address is not within the assignable IP address segment of the access device. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 20 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type IPoE 1.2.66 DHCP with server no response Display DHCP with server no response Common Causes When applying for an IP address to the remote server, the access device receives no response from the server. The fault is commonly caused by one of the following: l The remote server has no route to the access device. l The remote server has no assignable IP address. l The remote server fails to receive DHCPREQUEST packets from the access device due to a link fault. Feature Type IPoE Relevant Alarms and Logs AM_1.3.6.1.4.1.2011.6.8.2.2.0.4_hwDhcpServerDown 1.2.67 DHCP with unknown error Display DHCP with unknown error Common Causes This is an unknown error. Feature Type IPoE Solution Contact Huawei technical support personnel. 1.2.68 DHCPV6 client decline Display DHCPV6 client decline Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 21 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes A DHCP client sends a DHCPDECLINE packet to the DHCP server because it detects that the IPv6 address it is assigned has already been assigned to another client. Feature Type IPoEv6 1.2.69 DHCPV6 client release Display DHCPV6 client release Common Causes Release packets from a DHCPv6 client are received by the access device. Feature Type IPoEv6 1.2.70 DHCPV6 inner error Display DHCPV6 inner error Common Causes A system error occurs, such as a failure in sending packets or in querying entries, or mappings of entries are incorrect. Feature Type IPoEv6 Solution Contact Huawei technical support personnel. 1.2.71 DHCPV6 ip alloc fail Display DHCPV6 ip alloc fail Common Causes The DHCPv6 server fails to assign an IPv6 address. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 22 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type IPoEv6 Solution Contact Huawei technical support personnel. 1.2.72 DHCPV6 wait client timeout Display DHCPV6 wait client timeout Common Causes DHCPv6 packets of a user are discarded. This fault is commonly caused by one of the following: l A link fault occurs or the link delay is too long. l The configured link bandwidth is not proper. l Some fields of these DHCPv6 packets cannot be identified by a transit device, causing packet loss. Feature Type IPoEv6 1.2.73 DHCPV6 wait UCM timeout Display DHCPV6 wait UCM timeout Common Causes The timer of waiting for a UCM response expires. Feature Type IPoEv6 Solution Contact Huawei technical support personnel. 1.2.74 EAP connection down Display EAP connection down Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 23 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The IP address of an EAPol user is assigned when the user is in the authentication domain, and therefore the user fails to enter the pre-authentication domain after logging out. Feature Type dot1x 1.2.75 EAPOL server session timeout Display EAPOL server session timeout Common Causes EAPol user authentication times out, and therefore the user cannot log in. Feature Type dot1x Solution Contact Huawei technical support personnel. 1.2.76 EAPOL user request Display EAPOL user request Common Causes An EAPoL user sends a logout request. Feature Type dot1x 1.2.77 EAPOL with authentication fail Display EAPOL with authentication fail Common Causes An EAPoL user inputs an incorrect username or password, and therefore the user cannot pass the authentication. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 24 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type dot1x 1.2.78 EAPOL with connect check fail Display EAPOL with connect check fail Common Causes Synchronizing EAPoL user entries fails. Feature Type dot1x Solution Contact Huawei technical support personnel. 1.2.79 EAPOL with echo fail Display EAPOL with echo fail Common Causes The link between the access device and an EAPoL user is faulty or the user disconnects the physical connection with the access device. As a result, no Echo reply is received by the access device and the user is logged out. Feature Type dot1x 1.2.80 EAPOL with nas error Display EAPOL with nas error Common Causes The EAPoL module has a bug in internal processing. Feature Type dot1x Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 25 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.81 Fail to add 588 insegment Display Fail to add 588 insegment Common Causes Adding a 588 InSegment forwarding entry fails. Solution Contact Huawei technical support personnel. 1.2.82 Fail to add 588 outsegment Display Fail to add 588 outsegment Common Causes Creating a user forwarding entry fails. Solution Contact Huawei technical support personnel. 1.2.83 Fail to add elabel map Display Fail to add elabel map Common Causes A user forwarding entry fails to be added. Solution Contact Huawei technical support personnel. 1.2.84 Fail to add internal pfb Display Fail to add internal pfb Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 26 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The LPU UCM module fails to create a user forwarding entry. Solution Contact Huawei technical support personnel. 1.2.85 Fail to add internal product main fwd entry Display Fail to add internal product main fwd entry Common Causes A user forwarding entry fails to be added. Solution Contact Huawei technical support personnel. 1.2.86 Fail to add l2tp lac fwd table Display Fail to add l2tp lac fwd table Common Causes The LAC forwarding entry of an L2TP user fails to be delivered. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.87 Fail to add l2tp lns fwd table Display Fail to add l2tp lns fwd table Common Causes Delivering an LNS forwarding entry for an L2TP user fails. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 27 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.88 Fail to add l2tp lts fwd table Display Fail to add l2tp lts fwd table Common Causes An L2TP LTS forwarding entry fails to be delivered. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.89 Fail to add mac hash Display Fail to add mac hash Common Causes The LPU UCM module fails to create a MAC address index. Solution Contact Huawei technical support personnel. 1.2.90 Fail to add node fresh list Display Fail to add node fresh list Common Causes The UCM module of an LPU fails to add a low-frequency refreshing queue. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 28 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.91 Fail to add qos para Display Fail to add qos para Common Causes Adding QoS parameters fails. Solution Contact Huawei technical support personnel. 1.2.92 Fail to add user mac Display Fail to add user mac Common Causes The UCM module of an LPU fails to deliver a user's MAC entry. Solution Contact Huawei technical support personnel. 1.2.93 Fail to add x11 and 588 fwd table Display Fail to add x11 and 588 fwd table Common Causes A user forwarding entry fails to be added. Solution Contact Huawei technical support personnel. 1.2.94 Fail to apply new user mac indexs Display Fail to apply new user mac indexs Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 29 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes Creating a MAC entry index fails. Solution Contact Huawei technical support personnel. 1.2.95 Fail to apply qos resource Display Fail to apply qos resource Common Causes Applying for QoS resources fails. Solution Contact Huawei technical support personnel. 1.2.96 Fail to check ucm oper Display Fail to check ucm oper Common Causes The UCM module of an LPU detects an incorrect entry addition message. Solution Contact Huawei technical support personnel. 1.2.97 Fail to chek ucm oper msg Display Fail to chek ucm oper msg Common Causes The LPU UCM module detects an incorrect entry deletion message. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 30 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.98 Fail to chek ucm oper msg when modify Display Fail to chek ucm oper msg when modify Common Causes The LPU UCM module detects an incorrect entry update message. Solution Contact Huawei technical support personnel. 1.2.99 Fail to del internal pfb Display Fail to del internal pfb Common Causes The LPU UCM module fails to delete a forwarding entry. Solution Contact Huawei technical support personnel. 1.2.100 Fail to del ip hash Display Fail to del ip hash Common Causes The LPU UCM module fails to delete an IP address index. Solution Contact Huawei technical support personnel. 1.2.101 Fail to del mac hash Display Fail to del mac hash Common Causes The LPU UCM module fails to delete a MAC entry. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 31 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.102 Fail to dowm load out bound SQ id Display Fail to dowm load out bound SQ id Common Causes The LPU UCM module fails to deliver downstream HQoS information. Solution Contact Huawei technical support personnel. 1.2.103 Fail to fill qos profile for rui user Display Fail to fill qos profile for rui user Common Causes RUI fails to trigger the addition of QoS information for a user. Solution Contact Huawei technical support personnel. 1.2.104 Fail to get cib item when modify Display Fail to get cib item when modify Common Causes A user entry cannot be found on the LPU UCM module when this entry is to be updated. Solution Contact Huawei technical support personnel. 1.2.105 Fail to get ppp info when modify Display Fail to get ppp info when modify Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 32 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes Obtaining a PPPoE user entry fails when updating user information. Feature Type PPP Solution Contact Huawei technical support personnel. 1.2.106 Fail to get rui user info Display Fail to get rui user info Common Causes In RUI, user authorization information fails to be delivered from the master device to the backup device. Solution Contact Huawei technical support personnel. 1.2.107 Fail to Init Cib Display Fail to Init Cib Common Causes A UCM entry of a user fails to be created on the LPU. Solution Contact Huawei technical support personnel. 1.2.108 Fail to Init cib list Display Fail to Init cib list Common Causes The LPU UCM module fails to create the user entry index list. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 33 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.109 Fail to normal down load qos resource Display Fail to normal down load qos resource Common Causes The LPU UCM module fails to deliver QoS resources. Solution Contact Huawei technical support personnel. 1.2.110 Fail to portal add user info Display Fail to portal add user info Common Causes Creating the portal information of a user fails. Solution Contact Huawei technical support personnel. 1.2.111 Fail to qinq user oper Display Fail to qinq user oper Common Causes Delivering the QinQ entry of a user fails. Solution Contact Huawei technical support personnel. 1.2.112 Fail to resource Apply Display Fail to resource Apply Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 34 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes Applying for forwarding resources for a user fails. Solution Contact Huawei technical support personnel. 1.2.113 Fail to set local cid from golbal cid Display Fail to set local cid from golbal cid Common Causes The LPU UCM module fails to obtain the LPU CID. Solution Contact Huawei technical support personnel. 1.2.114 Fail to set qos data Display Fail to set qos data Common Causes Delivering QoS data fails. Solution Contact Huawei technical support personnel. 1.2.115 Fail to transport access type Display Fail to transport access type Common Causes The access type of a user fails to be obtained when L2TP information about the user is to be added. Feature Type L2TP Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 35 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.116 Failed to add user to board for user is not up Display Failed to add user to board for user is not up Common Causes The LPU CID corresponding to a user is incorrect, and therefore the user entry cannot be created. Solution Contact Huawei technical support personnel. 1.2.117 Failed to realtime backup Display Failed to realtime backup Common Causes Real-time backup between the master MPU and slave MPU fails. Solution Contact Huawei technical support personnel. 1.2.118 Failed to switch workslot for user is not up Display Failed to switch workslot for user is not up Common Causes A member interface of an inter-board trunk interface becomes faulty. Therefore, a user fails to get online from the trunk interface during port switch. 1.2.119 Failed to update ipv6 address, it's a ipv4 user Display Failed to update ipv6 address, it's a ipv4 user Common Causes An IPv6 address is delivered to an IPv4 user incorrectly. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 36 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.120 Failed to update user mac table Display Failed to update user mac table Common Causes The LPU UCM module fails to update the MAC table. Solution Contact Huawei technical support personnel. 1.2.121 Fail to trans access type Display Fail to trans access type Common Causes The user access type is incorrect. Solution Contact Huawei technical support personnel. 1.2.122 FTP with receive data fail Display FTP with receive data fail Common Causes This fault occurs only in management user access. 1.2.123 FTP with server idle timeout Display FTP with server idle timeout Common Causes This fault occurs only in management user access. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 37 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.124 FTP with service closing Display FTP with service closing Common Causes This fault occurs only in management user access. 1.2.125 FTP with sever closed Display FTP with sever closed Common Causes This fault occurs only in management user access. 1.2.126 FTP with user login fail Display FTP with user login fail Common Causes This fault occurs only in management user access. 1.2.127 FTP with user switch Display FTP with user switch Common Causes This fault occurs only in management user access. 1.2.128 Gateway different from former Display Gateway different from former Common Causes A user obtains an incorrect IP address, or the address pool configured on the access device has been modified. As a result, when the user send ARP packets for getting online, the IP address that the user uses is not within the address pool. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 38 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.129 GTL license needed Display GTL license needed Common Causes The GTL license of the BRAS LPU from which a user gets online is not activated. Relevant Alarms and Logs This log displays as "This slot did not have any GTL license. (Slot=[ULONG])". 1.2.130 Idle cut Display Idle cut Common Causes The traffic volume of a user in the specific period of time is smaller than the set minimum traffic volume of the BRAS, and therefore the user is forced offline. Solution Run the idle-cut idle-time idle-data command in the AAA domain view to change the idle time of cutting a connection. 1.2.131 Interface delete Display Interface delete Common Causes The interface from which a user gets online is deleted. 1.2.132 Interface down Display Interface down Common Causes The shutdown command is run on the interface from which a user gets online, or the physical link of the interface is faulty. As a result, the user is offline. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 39 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.133 Interface on Master down Display Interface on Master down Common Causes The shutdown command is run on the interface from which a user gets online, or the physical link of the interface is faulty. In addition, a master/slave MPU switchover is performed when the user is logged out. 1.2.134 IP alloc fail for trigger user Display IP alloc fail for trigger user Common Causes The IP address that a user applies for has been assigned to another user, and therefore the IP address fails to be assigned to the user. 1.2.135 IPv6 address allocation failed because of inner cause Display IPv6 address allocation failed because of inner cause Common Causes The memory is incorrectly allocated, or incorrect messages are received. Solution Contact Huawei technical support personnel. 1.2.136 IPv6 address conflicts too much times Display IPv6 address conflicts too much times Common Causes There are attack devices on the network, causing more than three address conflicts. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 40 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.137 L2TP alloc sessionid fail Display L2TP alloc sessionid fail Common Causes Applying for an L2TP session ID fails. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.138 L2TP alloc tunnelid fail Display L2TP alloc tunnelid fail Common Causes Applying for an L2TP tunnel ID fails. Feature Type L2TP 1.2.139 L2TP checking ICRP error Display L2TP checking ICRP error Common Causes An L2TP tunnel fails to be set up. Feature Type L2TP Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 41 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.140 L2TP checking SCCRP error Display L2TP checking SCCRP error Common Causes An L2TP tunnel fails to be set up. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.141 L2TP connect check fail Display L2TP connect check fail Common Causes Mappings among L2TP user entries are incorrect. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.142 L2TP cut command Display L2TP cut command Common Causes The reset tunnel command is run on the access device. Feature Type L2TP Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 42 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.143 L2TP download lac fib fail Display L2TP download lac fib fail Common Causes L2TP users' forwarding entries fail to be delivered. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.144 L2TP FSM error Display L2TP FSM error Common Causes A state machine of the L2TP module is incorrect. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.145 L2TP get tunnel fail Display L2TP get tunnel fail Common Causes The LAC or LNS fails to select a tunnel between the two devices for an L2TP user. Feature Type L2TP Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 43 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.146 L2TP init tunnel struct fail Display L2TP init tunnel struct fail Common Causes Initializing the L2TP tunnel structure fails. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.147 L2TP inner error Display L2TP inner error Common Causes The L2TP module has an internal error. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.148 L2TP other error Display L2TP other error Common Causes The L2TP module has an internal error. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 44 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.149 L2TP peer cleared tunnel Display L2TP peer cleared tunnel Common Causes The LAC or LNS detects user logouts, and therefore tears down the tunnel (between the LAC and LNS) for the logout users. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.150 L2TP rebuild tunnel fail Display L2TP rebuild tunnel fail Common Causes An L2TP tunnel fails to be set up. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.151 L2TP remote slot Display L2TP remote slot Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 45 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes A board for L2TP user access is faulty, causing users that have gone online from the board to be logged out. Feature Type L2TP 1.2.152 L2TP request offline Display L2TP request offline Common Causes An L2TP user sends a logout request. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.153 L2TP send ICCN fail Display L2TP send ICCN fail Common Causes The access device fails to send ICCN packets using L2TP. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.154 L2TP send ICRQ fail Display L2TP send ICRQ fail Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 46 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The access device fails to send ICRQ packets using L2TP. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.155 L2TP send SCCRQ fail Display L2TP send SCCRQ fail Common Causes The access device fails to send SCCRQ packets by using L2TP. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.156 L2TP service is unavailable Display L2TP service is unavailable Common Causes L2TP is not enabled on the access device. Feature Type L2TP 1.2.157 L2TP sessionlimit Display L2TP sessionlimit Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 47 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The number of users whose services are transmitted using the same L2TP tunnel reaches the upper limit that is configured on the access device or delivered by the RADIUS server. Feature Type L2TP 1.2.158 L2TP with connect check fail Display L2TP with connect check fail Common Causes The mappings of user entries are incorrect. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.159 LAC clear session Display LAC clear session Common Causes When the LAC is faulty or detects that L2TP users are offline, the LAC sends requests to log out related users to the LNS. Feature Type L2TP Solution "LAC clear session" is displayed on the LNS that runs properly. Run the display aaa offlinerecord, display aaa online-fail-record, and display aaa abnormal-offline-record commands on the LAC to check the offline reason. Then, further locate the fault based on the offline reason and troubleshooting manuals. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 48 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.160 LAC clear tunnel Display LAC clear tunnel Common Causes The LAC detects a user logout, and therefore tears down the tunnel for the user. Feature Type L2TP 1.2.161 Layer2-VPN down Display Layer2-VPN down Common Causes A Layer 2 VPN goes Down, causing L2VPN leased line users to be logged out. Feature Type L2VPN 1.2.162 LNS clear session Display LNS clear session Common Causes The LNS is faulty or detects that an L2TP user logs out, and therefore sends a request to log out the user to the LAC. Feature Type L2TP Solution "LNS clear session" is displayed on the LAC that runs properly. Run the display aaa offlinerecord, display aaa online-fail-record, and display aaa abnormal-offline-record commands on the LNS to check the offline reason. Then, further locate the fault based on the offline reason and troubleshooting manuals. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 49 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.163 LNS clear tunnel Display LNS clear tunnel Common Causes The LNS detects local user logouts, and therefore tears down the corresponding tunnels. Feature Type L2TP 1.2.164 LNS cleared session Display LNS cleared session Common Causes A session fails to be set up. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.165 Mac-user ppp-preferred Display Mac-user ppp-preferred Common Causes PPP take precedence over DHCP when users attempt to get online from the access device. Therefore, when a user uses PPP to get online after getting online using DHCP, it is logged out as a DHCP user. 1.2.166 MSEADA failed to get pfb data Display MSEADA failed to get pfb data Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 50 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The LPU UCM module fails to obtain LPU information. Solution Contact Huawei technical support personnel. 1.2.167 MSEADA failed to add cid from vcd Display MSEADA failed to add cid from vcd Common Causes The LPU UCM module fails to deliver VCDs of PPPoA users. Solution Contact Huawei technical support personnel. 1.2.168 MSEADA failed to download 2800 cib table Display MSEADA failed to download 2800 cib table Common Causes The LPU UCM module fails to deliver a user forwarding entry. Solution Contact Huawei technical support personnel. 1.2.169 MSEADA failed to download 2800 uaib table Display MSEADA failed to download 2800 uaib table Common Causes The LPU UCM module fails to deliver a user forwarding entry. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 51 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.170 MSEADA failed to download 588 l2tp global table Display MSEADA failed to download 588 l2tp global table Common Causes L2TP forwarding entries fail to be delivered. Solution Contact Huawei technical support personnel. 1.2.171 MSEADA failed to download 588 l2tp global table Display MSEADA failed to download 588 l2tp global table Common Causes L2TP forwarding entries fail to be delivered. Solution Contact Huawei technical support personnel. 1.2.172 MSEADA failed to download dual user table Display MSEADA failed to download dual user table Common Causes The LPU UCM module fails to deliver forwarding entries. Solution Contact Huawei technical support personnel. 1.2.173 MSEADA failed to get lns info Display MSEADA failed to get lns info Common Causes An L2TP user fails to obtain L2TP information. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 52 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.174 MSEADA portswitch notify access module fail Display MSEADA portswitch notify access module fail Common Causes The LPU UCM module fails to be notified of the port switch failure of a user. Solution Contact Huawei technical support personnel. 1.2.175 MSEADA portswitch process fail Display MSEADA portswitch process fail Common Causes After a user gets online from a port, it switches to another port to get online but fails. Solution Contact Huawei technical support personnel. 1.2.176 MSEADA with cib checked fail Display MSEADA with cib checked fail Common Causes The LPU UCM module detects that mappings between LPU UCM entries and MPU UCM entries are incorrect. Solution Contact Huawei technical support personnel. 1.2.177 MSEADA with user added fail Display MSEADA with user added fail Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 53 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The LPU UCM module fails to create user entries. Solution Contact Huawei technical support personnel. 1.2.178 MSEQOS with SQ reserved fail Display MSEQOS with SQ reserved fail Common Causes Delivering QoS resources fails. Solution Contact Huawei technical support personnel. 1.2.179 Nas error Display Nas error Common Causes The system has an internal error. Solution Contact Huawei technical support personnel. 1.2.180 Nas request to offline Display Nas request to offline Common Causes The access device sends a request to log out a user. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 54 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.181 ND Add Prefix Fail Display ND Add Prefix Fail Common Causes Prefixes fail to be added for ND users. Solution Contact Huawei technical support personnel. 1.2.182 ND Detect Fail Display ND Detect Fail Common Causes l The intermediate transmission device discards or modifies ARP probe packets. l Fibers or optical modules are not properly installed or a link fault occurs. l There are too many probe response packets, and therefore some of them are dropped. Solution Contact Huawei technical support personnel. 1.2.183 ND Table Check Fail Display ND Table Check Fail Common Causes Mappings between ND entries and UCM entries are incorrect. Solution Contact Huawei technical support personnel. 1.2.184 Netmask assigned by RDS error(Value invalid) Display Netmask assigned by RDS error (Value invalid) Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 55 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The RADIUS server mistakenly delivers the IP address of the access device to a PPPoE user. 1.2.185 No available prefix for conflicts of the interface id specified by radius Display No available prefix for conflicts of the interface id specified by radius Common Causes The IPv6 address (consisting of an interface ID delivered by the RADIUS server and an IP address prefix) has been assigned to another user. Solution Contact Huawei technical support personnel. 1.2.186 No IPv6 address available Display No IPv6 address available Common Causes No IP address can be assigned. Solution Contact Huawei technical support personnel. 1.2.187 No prefix available Display No prefix available Common Causes No IP address prefix can be assigned. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 56 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.188 No response of control packet from peer Display No response of control packet from peer Common Causes The physical link to the peer LAC or LNS device is faulty and therefore response packets from the peer LAC or LNS device are not received. Feature Type L2TP 1.2.189 Online user number exceed GTL license limit Display Online user number exceed GTL license limit Common Causes The number of online users exceeds the limit allowed by the GTL license. Relevant Alarms and Logs This log displays as "The number of users exceeded the limit allowed by the GTL license." 1.2.190 Ppp is already down when modify Display Ppp is already down when modify Common Causes When modifying a PPP connection, the access device detects that the PPP connection has been torn down. Feature Type PPP Solution Contact Huawei technical support personnel. 1.2.191 PPP negotiate fail Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 57 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Display PPP negotiate fail Common Causes PPP negotiation is interrupted. Solution Capture packets on the mirrored interface of the interface from which the user gets online. Check PPP packets, and locate the fault based on interaction packets. TIP l If the user sends the same type of PPP negotiation packet many times, check whether the access device supports this type of PPP negotiation. l Check the type and content of the negotiation packet that the user sends before the LCP or PPPoE termination packet to confirm whether the access device supports this type of PPP negotiation. 1.2.192 PPP pvc interface down Display PPP pvc interface down Common Causes The link between the access device and a user is faulty, causing the PVC based on the link to be faulty. Feature Type PPP 1.2.193 PPP up recv lcp again Display PPP up recv lcp again Common Causes A user tears down and re-initiates a connection, and therefore the access device receives LCP negotiation packets. Feature Type PPP Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 58 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.194 PPP user over LNS request Display PPP user over LNS request Common Causes A user fails to set up a session, and therefore the user fails to get online. Feature Type PPP Solution Contact Huawei technical support personnel. 1.2.195 PPP user request Display PPP user request Common Causes A PPP user sends a logout request. Feature Type PPP 1.2.196 PPP with authentication fail Display PPP with authentication fail Common Causes l Too many users attempt to get online in a specified period of time. l The CPU usage is too high (remaining above than 95%). Feature Type PPP Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 59 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Run the display this command in the AAA view to check whether the access speed command has been configured. If the access speed command has been configured, check whether the user access rate exceeds the upper limit. Run the display cpu-usage command to check the CPU usage. If the CPU usage remains above than 95%, locate and resolve this problem. 1.2.197 PPP with connect check fail Display PPP with connect check fail Common Causes Mappings of PPP user entries are incorrect. Feature Type PPP Solution Contact Huawei technical support personnel. 1.2.198 PPP with echo fail Display PPP with echo fail Common Causes l The intermediate transmission device discards or modifies probe packets. l Fibers or optical modules are improperly installed or a link fault occurs. Solution Run the display aaa offline-record command to check the user login time and logout time. Run the display this command in the virtual template (VT) view to check the interval at which PPP Keepalive packets are sent. l If the difference between the user login time and logout time is equal to the interval, user packets are properly transmitted but no response to KeepAlive packets is received. Capture packets on the downstream device to check where the response packets are discarded and rectify the fault. l If the difference between the user login time and logout time is unequal to the interval, KeepAlive packets can be received and there are responses to KeepAlive packets. In this situation, check whether the user functions properly and rectify any detected fault. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 60 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.199 Radius alloc incorrect IP Display Radius alloc incorrect IP Common Causes The address pool containing the IP address that the RADIUS server assigns to an IPoE user cannot be found on the access device. 1.2.200 Renew timeout in shortlease Display Renew timeout in shortlease Common Causes A user does not extend the short lease of an IP address, or the link at the user side is faulty so that the packets for requesting the extension of the short lease are lost. As a result, the short lease of the IP address expires. 1.2.201 RUI request cold backup user offline for slave Display RUI request cold backup user offline for slave Common Causes In the dual-system hot backup scenario, when the remote backup template on the master access device becomes backup, the users that do not support dual-system host backup are logged out. The possible cause is that VRRP tracked by the remote backup profile on the local access device detects a fault on a network-side port, or a fault of peer VRRP that has a higher priority than VRRP on the local access device is rectified. 1.2.202 RUI request offline Display RUI request offline Common Causes RUI triggers a user logout. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 61 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.203 RUI trigger to create pppoe cib failed Display RUI trigger to create pppoe cib failed Common Causes RUI fails to trigger the addition of a PPPoE user entry. Feature Type PPPoE Solution Contact Huawei technical support personnel. 1.2.204 Service unavailable Display Service unavailable Common Causes An L2TP user attempts to log in to the access device where L2TP is disabled. 1.2.205 Session time out Display Session time out Common Causes A user has no remaining online time. 1.2.206 Srvcfg cut command Display Srvcfg cut command Common Causes A command is run to delete leased-line users. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 62 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.207 SRVCFG failed to process Display SRVCFG failed to process Common Causes The access device fails to select a user authentication type. Solution Contact Huawei technical support personnel. 1.2.208 The domain does not bind IPv6 pool Display The domain does not bind IPv6 pool Common Causes No IPv6 address pool is bound to a user domain, and therefore IPv6 users in the domain cannot get online. 1.2.209 The domain has not binded ip-pool or ipv6-pool Display The domain has not binded ip-pool or ipv6-pool Common Causes No address pool is bound to a user domain, and therefore users in the domain cannot get online. 1.2.210 Trunk is no member Display Trunk is no member Common Causes The LPU UCM module detects that a trunk interface of the LPU has no member interface, and therefore users cannot get online from the trunk interface. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 63 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.211 Tunnel with session null Display Tunnel with session null Common Causes The L2TP session based on which a tunnel is established does not exist. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.212 UCM failed to apply resoure for trunk user Display UCM failed to apply resoure for trunk user Common Causes The LPU UCM module fails to assign resources to users that get online from a trunk interface. Solution Contact Huawei technical support personnel. 1.2.213 UCM failed to send ipv6 update message to AAA Display UCM failed to send ipv6 update message to AAA Common Causes The AAA module does not receive an IPv6 update message. Solution Contact Huawei technical support personnel. 1.2.214 UCM failed to send ipv6 update message to MSEADA Display UCM failed to send ipv6 update message to MSEADA Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 64 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Common Causes The LPU UCM module fails to update IPv6 entries. Solution Contact Huawei technical support personnel. 1.2.215 UCM failed to update work-slot of trunk-interface user Display UCM failed to update work-slot of trunk-interface user Common Causes Updating the LPU of trunk interface users fails. Solution Contact Huawei technical support personnel. 1.2.216 UCM portswitch preprocess fail Display UCM portswitch preprocess fail Common Causes The LPU UCM module fails to prepare for the switch of a user access port. Solution Contact Huawei technical support personnel. 1.2.217 UCM portswitch process fail Display UCM portswitch process fail Common Causes The LPU UCM module fails to switch the interface from which users get online. Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 65 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Relevant Alarms and Logs This log displays as "The wlan user roam failed. (CID=[ULONG],Failed reason=[STRING])". 1.2.218 UCM update ipv6 address fail Display UCM update ipv6 address fail Common Causes The LPU UCM module fails to create an IPv6 address index. Solution Contact Huawei technical support personnel. 1.2.219 Unmatched Vpn-Instance Display Unmatched Vpn-Instance Common Causes This fault is commonly caused by one of the following: 1. The VPN configured in the PPPoE user domain (or delivered by the RADIUS server) is different from that configured on the virtual template. 2. The VPN configured in the domain of static users or Layer 3 users (or delivered by the RADIUS server) is different from that configured on an access interface. 1.2.220 User access speed too fast Display User access speed too fast Common Causes The user access speed is too fast. 1.2.221 User info is conflict with rui user Display User info is conflict with rui user Common Causes A fault occurs at the network side in the dual-system hot backup networking, causing the users of the master device to get offline. Online users, however, are not synchronized to the backup device. As a result, RUI forces these online users to go offline. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 66 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.222 Wait cib ack time out Display Wait cib ack time out Common Causes No message about successful user entry delivery is received by the access device in due time. Solution Contact Huawei technical support personnel. 1.2.223 Wait DHCP connection request time out Display Wait DHCP connection request time out Common Causes No DHCP connection request from a user is received in due time. Feature Type IPoE Solution Contact Huawei technical support personnel. 1.2.224 Wait EAPOL auth request time out Display Wait EAPOL auth request time out Common Causes No EAPoL authentication request from a user is received by the access device in due time. Feature Type dot1x Solution Contact Huawei technical support personnel. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 67 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.225 Wait EAPOL down ack time out Display Wait EAPOL down ack time out Common Causes No logout response message about an EAPoL user is received by the access device in due time. Feature Type dot1x Solution Contact Huawei technical support personnel. 1.2.226 Wait L2TP connection up time out Display Wait L2TP connection up time out Common Causes No message about the Up event of an L2TP connection is received by the access device in due time. Feature Type L2TP Solution Contact Huawei technical support personnel. 1.2.227 Wait PPP auth request time out Display Wait PPP auth request time out Common Causes No PPP authentication request rfrom a user is received by the access device in due time. Feature Type PPP Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 68 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Solution Contact Huawei technical support personnel. 1.2.228 Wait PPP auth request time out Display Wait PPP auth request time out Common Causes No Web authentication request from a user is received by the access device in due time. Feature Type Web Solution Contact Huawei technical support personnel. 1.2.229 Wait WEB down ack time out Display Wait WEB down ack time out Common Causes No logout response message about a Web user is received by the access device in due time. Feature Type Web Solution Contact Huawei technical support personnel. 1.2.230 Wait WEB user ack time out Display Wait WEB user ack time out Common Causes No message about the successful login of a Web user is received in due time. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 69 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Feature Type Web Solution Contact Huawei technical support personnel. 1.2.231 Web user requst Display Web user requst Common Causes A Web user sends a logout request. Feature Type Web 1.2.232 Web with unknown error Display Web with unknown error Common Causes This is an unknown error. Feature Type Web Solution Contact Huawei technical support personnel. 1.2.233 WLAN AC wpa handshake fail Display WLAN AC wpa handshake fail Common Causes The WPA encryption method is used for password interaction among the AC and AP devices, and a user on a wireless network. There is a high probability that the wireless link between the AP device and the user is faulty. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 70 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.2.234 WLAN user deassociate Display WLAN user deassociate Common Causes The AC device detects that a user gets offline or the user sends a logout request, and therefore the management module of the AC device deletes the user. 1.3 Troubleshooting IPoX This section describes the configuration notes, flows, and procedures for IPoX troubleshooting based on the typical IPoX networking. 1.3.1 Typical Networking Figure 1-1 IPoE networking Eth IP Data I n t e rn e t subscriber Router Figure 1-2 Networking for IPoEoV and static user Eth IP Data Eth Q IP Data I n t e r ne t LAN Switch subscriber Router Figure 1-3 Networking for IPoEoQ Eth IP Data Eth Q IP Data Eth Q Q IP Data I n t e rn et subscriber Issue 02 (2011-09-10) LAN Switch LAN Switch Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. Router 71 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Figure 1-4 Networking for IPoA and IPoEoA User RADIUS Server Internet DSLAM Issue 02 (2011-09-10) Router Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 72 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.3.2 Troubleshooting Flowchart Figure 1-5 IPoX troubleshooting flowchart IPoX user cannot go online Passed authentication? No Check authentication domain or preauthentication domain No Configure address pool or DHCP server properly Yes Obtained an IP address? Yes Enable service tracing or debugging Fault removed? No Technical support Yes End 1.3.3 Troubleshooting Procedure Procedure Step 1 Check whether the user passes authentication. l If the web authentication fails, solve the problem by referring to 1.4.16 Web Authentication Fails . Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 73 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting l If the mandatory web authentication fails, solve the problem by referring to 1.4.17 Mandatory Web Authentication Fails . Step 2 Check whether the user has obtained an IP address. The IP addresses of IPoX users can be assigned by the local router or the remote DHCP server: l If the IP address is assigned by the local device, check the configuration of the local address pool. l If the IP address is assigned by the remote DHCP server, check the communication between the local device and the DHCP server. For detailed procedure, see 1.4.15 Failure to Obtain an IP Address . Step 3 Enable service tracing to locate the fault through the login process. Step 4 Enable debugging. The output information of debugging is more specific than the service tracing information. It helps you locate the fault. If the fault persists, contact Huawei engineers. NOTE Debugging cannot be performed for a single user. Therefore, it is not recommended. ----End 1.4 Related Troubleshooting Cases 1.4.1 Local Authentication Fails beacause Authorization Mode and Accounting Mode Are Incorrectly Set The system is configured to perform local authentication when the HWTACACS server is Down (there is no response to HWTACACS authentication). However, the configuration does not take effect. Fault Symptom The system is configured to perform local authentication when the HWTACACS server is Down (there is no response to HWTACACS authentication). Despite the configuration, local authentication of Telnet users fails when the HWTACACS server is Down. Fault Analysis 1. When the HWTACACS server is Up, Telnet users are authenticated by the HWTACACS server. This indicates that the HWTACACS server is properly configured. When the HWTACACS server is Down, local authentication is not performed. Therefore, it can be concluded that local authentication is not correctly configured. 2. Check configurations of the device, and you can find the following configurations: authentication-scheme tacacs authentication-mode hwtacacs local Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 74 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting authentication-super hwtacacs super # authorization-scheme tacacs authorization-mode hwtacacs authorization-cmd 3 hwtacacs # accounting-scheme tacacs accounting-mode hwtacacs The preceding configurations show that the authentication mode is hwtacacs local, which indicates that HWTACACS authentication is performed before local authentication, and the authorization mode and accounting mode are both hwtacacs. The authentication mode is properly configured. When the HWTACACS server goes Down, the system performs the local authentication. HWTACACS authorization and accounting, however, cannot be performed because the HWTACACS server is now unavailable. As a result, local authentication fails. Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the aaa command to enter the AAA view. Step 3 Configure an authorization mode and an accounting mode. l Configuring the authorization mode as HWTACACS authorization before local authorization 1. Run the authorization-scheme tacacs command to enter the authorization scheme view. 2. Run the authorization-mode hwtacacs local command to configure the authorization mode as HWTACACS authorization before local authorization. l Configuring the accounting mode as HWTACACS accounting before non-accounting 1. Run the accounting-scheme tacacs command to enter the accounting scheme view. 2. Run the accounting-mode hwtacacs none command to configure the accounting mode as HWTACACS accounting before non-accounting. You do not have to configure the accounting mode. This is because accounting does not take effect with administrator users, whose accounting mode is non-accounting by default. After the preceding operations, local authentication is successfully performed on Telnet users when the HWTACACS server goes Down. The fault is cleared. ----End Summary User management includes authentication, authorization, and accounting. When configuring the authentication mode, ensure the consistency between the authorization and accounting modes to guarantee successful login for Telnet users. 1.4.2 After an Accounting Failure, the Super Password Is Invalid After Being Entered The super password is invalid. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 75 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Fault Symptom On the network shown in Figure 1-6, the RADIUS server is used to authenticate access users and implement accounting for access users. In addition, the authentication mode for upgrading the user level in an authentication scheme is set to super. After a user runs the super command and enters the super password, the message aaa cut user is displayed on the router. The user fails the authentication. Figure 1-6 After an accounting failure, the super password is invalid after being entered Access users Router RADIUS Server 10.1.1.1/24 Network Fault Analysis 1. The super password is statically configured on the router and is by no means invalid. The following information is displayed in the logs on the router: RDS/4/RDACCTDOWN: RADIUS accounting server (IP:10.1.1.1) is down! The preceding information indicates that the communication between the RADIUS accounting server and the router is interrupted, but the RADIUS authentication server communicates normally with the router. 2. After the display this command is run in the AAA view of the router, the AAA configurations are displayed as follows: accounting-scheme default accounting-mode radius The preceding information indicates that the RADIUS accounting mode is adopted. It is inferred that the communication between the RADIUS accounting server and the router is interrupted and thus an accounting failure occurs. As a result, the router is logged out. It is suspected that the RADIUS accounting server is disabled or faulty or the link is faulty. Procedure Step 1 Check whether the RADIUS accounting server is disabled or faulty. If so, restore the RADIUS server. Step 2 Check whether the link works properly. If so, restore the link. NOTE You can also run the accounting-mode none command in the accounting scheme view to change the accounting mode to non-accounting. Accounting is insignificant for administrator users. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 76 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting After the preceding operations, the user can pass the authentication after entering the super password. The fault is rectified. ----End Summary User management includes authentication, authorization, and accounting. You should consider authentication, authorization, and accounting in a comprehensive manner when configuring AAA. A user cannot pass the authentication if failing any one of the operations. 1.4.3 Unreachable RADIUS Server Causes Level-3 Users to Log In as Level-1 Users Fault Symptom On a network shown in Figure 1-7, users access the Internet through the router in RADIUS authentication mode. After the RADIUS server becomes unreachable, although users are configured as level-3 users, the login users can operate only as level-1 users. Figure 1-7 Unreachable RADIUS server causing level-3 users to log in as level-1 users Router RADIUS Server Internet User Fault Analysis 1. Users log in to the router as level-1 users, indicating that they have been authenticated and authorized successfully. Nevertheless, the users are authenticated and authorized not by RADIUS and therefore they are level-1 users but not level-3 users. 2. Check user names used by them to log in to the router. As the user names do not contain domain names, the system uses the default domain name to authenticate and authorize the users. 3. Run the display this command in the AAA view to check the configuration on the router. The command output is as follows: aaa authentication-scheme default0 authentication-mode radius Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 77 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting local authentication-scheme huawei authentication-mode radius # authorization-scheme default0 authorization-mode ifauthenticated authorization-scheme huawei authorization-mode if-authenticated # domain default0 radius-server group isp domain huawei authentication-scheme huawei radius-server group isp The command output shows that the default domain-based authentication scheme is RADIUS authentication followed by local re-authentication. In addition, the authorization scheme is if-authenticated authentication. If the RADIUS server is unreachable, RADIUS authentication is unavailable. In this case, local re-authentication is adopted. After passing local re-authentication, the users will be authorized in if-authenticated authorization mode. If-authenticated authorization is invalid for users that are authorized in local mode. Therefore, the authorization level provided by the system to the authenticated users is the VTY default level (level 1). If local authorization is adopted, the system provides a locally-set authorization level for users. Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the aaa command to enter the AAA view. Step 3 Run the authorization-scheme default command to enter the default authentication scheme view. Step 4 Run the authorization-mode if-authenticated local command to authenticate users in ifauthenticated mode and then in local mode. After the preceding operations, users log in to the router as level-3 users. The fault is then rectified. ----End Summary When users log in without domain names, the system uses the default domain name to perform authentication and authorization. If local authentication is adopted, the system provides locallyset level for users only after the local authorization mode is adopted; if the local authorization mode is not adopted, the system provides the default VTY level (level 1) for users. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 78 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 1.4.4 A DHCP Client Fails to Obtain an IP Address from the DHCP Server Through the BRAS Fault Symptom In the networking shown in Figure 1-8, the AP is connected to the BRAS in VLAN access mode; the BRAS functions as the gateway of the AP. The AP is configured to obtain an IP address from the DHCP server through the BRAS. After the configuration, the AP cannot obtain an IP address from the DHCP server. Figure 1-8 Networking for a DHCP client failing to obtain an IP address from the DHCP server through the BRAS DHCP Server AP Switch BRAS Fault Analysis 1. The ping from the BRAS to the AC is successful. 2. Run the trace mac enable command to globally enable MAC trace. 3. Run the trace mac mac-address vlan vlan-id command to check the connectivity between the BRAS and AP. -[2010/5/22 16:34:41-][DHCPR][0023-8902-5120]:Receive OFFER packet successfully (Ciadd:0.0.0.0 Yiadd:172.16.32.3 Siadd:0.0.0.0 Giadd:172.16.32.1 chaddr: 0023-8902-5120 RouteIP:172.16.32.1 SubMask:255.255.255.0 ServerId:1.1.1.1 lease:1800s The command output shows that the BRAS has received a DHCPOFFER message sent from the DHCP server. 4. Run the display aaa online-fail-record interface interface-type interface-number command to check the cause of user access failure. -------------------------------------------------------------------------User name : SD-WH-GQHWBS-2.M-02001000002... Domain name : fit-apnm User MAC : 0023-8902-5120 User access type : IPoE User access interface : GigabitEthernet1/0/1.1 Qinq Vlan/User Vlan: Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 79 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting 0/2512 User IP address : 255.255.255.255 User ID : 100734 User authen state : Authened User acct state : AcctIdle User author state : AuthorIdle User login time : 2010/05/22 17:12:48 User online fail reason: DHCP server no response ------------------------------------------------------------------Are you sure to show some information?(y/n)[y]: 5. Run the debugging ip packet command, and you can find that the source IP address of the DHCPOFFER message is 222.175.193.178. The IP address of the DHCP server in the DHCP server group configured on the BRAS, however, is 222.174.192.22. *2.2206331108 SD-WH-GQHW-BS-2.MAN IP/7/ debug_case:Slot=1; Receiving, interface = GigabitEthernet1/0/1.1, version = 4, headlen = 20, tos = 96, pktlen = 369, pktid = 2298, offset = 0, ttl = 255, protocol = 17, checksum = 17582, s = 2.2.2.2, d = 172.16.32.1 prompt: Receiving IP packet from GigabitEthernet1/0/1.1 After the BRAS receives the DHCPOFFER message, it finds that the source IP address of the message is not the IP address of the DHCP server. Therefore, the BRAS considers the message invalid and discards the message. In this manner, the AP cannot obtain an IP address. Procedure Step 1 Run the system-view view to enter the system view. Step 2 Run the dhcp-server group group-name command to enter the DHCP server group view. Step 3 Run the dhcp-server 2.2.2.2 command to configure the IP address of the DHCP server to be the source IP address of the DHCPOFFER message. After that, the AP can obtain an IP address from the DHCP server through the BRAS. Or, you can set the IP address of the actual DHCP server to 222.174.192.22. After that, the AP can obtain an IP address from the DHCP server through the BRAS. ----End Summary If a user cannot obtain an IP address from the DHCP server through the BRAS, you can check whether the IP address of the DHCP server is the same as that configured on the BRAS. If the IP addresses are different, configure them to be the same. 1.4.5 The Device Does not Respond to the Authentication Request Packet Sent by the Web Authentication Server The device receives the authentication request packet from the Web authentication server. The Web authentication server, however, fails to receive a reply from the device. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 80 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Fault Analysis 1. Run the debugging web packet command in the user view to view the debugging information about the Web module. *0.890027513 BAS02 WEB/7/DEBUG: packet received from socket( len = 52 Vrf = 0): ver : 2 type : auth req Method : pap SerialNo: 63489 ReqID : 0 UserIP : 10.1.1.1 ErrCode : 0 AttrNum : 2 *0.890027514 BAS02 WEB/7/ DEBUG: 02 03 01 00 f8 01 00 00 3d b2 ed 0a 00 00 00 02 a1 04 35 5c cc b4 62 f2 40 d0 bc 3c 07 d9 70 8a 01 0a 64 6f 6e 67 68 70 32 30 02 0a 64 6f 6e 67 68 70 32 30 *0.890027514 BAS02 WEB/7/ DEBUG: The command output shows that the device receives the authentication request packet from the Web authentication server of portal version 2.0. 2. Run the display web-auth-server configuration command on the device to view the configuration of the Web authentication server. Source interfce : Listening port : 2000 Portal : version 1, version 2 Display reply message : enabled -----------------------------------------------------------------------Server Share-Password Port NAS-IP Vpninstance -----------------------------------------------------------------------10.2.2.2 50100 NO -----------------------------------------------------------------------1 Web authentication server(s) in total The displayed Portal item shows that the Web authentication server configured on the device also supports portal version 2.0. In addition, the IP address and port number of the Web authentication server configured on the device are the same as that of the actual Web authentication server. The shared key, however, is not configured. If the protocol between Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 81 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting the device and the Web authentication server is portal version 2.0 or a later version, you must configure the shared key. Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the web-auth-server server-ip key key command to configure the shared key for the Web authentication server. After the configuration, the device can communicate with the Web authentication server. ----End Summary If the protocol between the device and the Web authentication server is portal version 2.0 or a later version, you must configure the shared key. 1.4.6 Web Authentication Fails Fault Symptom In the networking shown in Figure 1-9, a user needs to be authenticated by the Web authentication server through the device. After the configuration, the use can open the Web page and enter the user name and password. After that, the system prompts that the network access times out. User authentication thus fails. Figure 1-9 Networking for Web authentication failure Radius Server Backbone PC Router NAT Fault Analysis 1. Run the debugging web packet command in the user view to check information about Web authentication packets. *1.1043515286 BRAS WEB/7/DEBUG: packet received from socket( len = 65 Vrf = 0): ver : 2 type : auth req Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 82 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Method : pap SerialNo: 1280 ReqID : 0 UserIP : 10.1.1.1 ErrCode : 0 AttrNum : 2 *1.1043515286 BRAS WEB/7/DEBUG: 02 03 01 00 05 00 00 00 76 76 a6 f3 00 00 d2 9f db 59 67 f1 9d 1c 68 5f ec 78 69 5a 02 08 31 31 31 31 31 31 01 19 64 78 31 74 6c 61 6e 2e 73 63 2e 63 68 6e 74 65 6c 2e *1.1043515286 BRAS WEB/7/DEBUG: *1.1043515385 BRAS WEB/7/DEBUG: packet sent to socket( len = 32 Vrf = 0): ver : 2 type : auth ack Method : pap SerialNo: 1280 ReqID : 0 UserIP : 10.1.1.1 ErrCode : 0 AttrNum : 0 *1.1043515385 BRAS WEB/7/DEBUG: 02 04 01 00 05 00 00 00 76 76 a6 f3 00 00 64 16 d9 a8 91 f7 29 22 63 19 37 c5 c7 4d *1.1043545315 BRAS WEB/7/DEBUG: *1.1043545315 BRAS WEB/7/DEBUG: *1.1043545315 BRAS WEB/7/DEBUG: packet sent to socket( len = 32 Vrf = 0): ver : 2 type : logout ntf Method : pap SerialNo: 0 ReqID : 0 UserIP : 10.1.1.1 ErrCode : 0 AttrNum : 0 *1.1043545315 BRAS WEB/7/DEBUG: 02 08 01 00 00 00 00 00 76 76 a6 f3 00 00 7b ec ab c0 c7 5d a8 66 00 e0 51 6b fa 64 00 a6 40 63 02 22 77 6f 6d 00 00 f1 b1 00 00 66 ad The command output shows that the device has sent an ACK packet indicating successful authentication to the Web authentication server but receives no response (type : logout ntf). 2. Check information on the firewall, and you can find that the source IP address of the ACK packet is the IP address of the upstream interface on the device. The Web authentication server, however, is configured to receive only packets with the IP address of the loopback interface on the device. This indicates that user authentication fails because the source IP address of packets sent by the device is incorrectly configured. Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the web-auth-server source interface interface-type interface-number command configure the source interface on the device for sending packets to the Web authentication server to be the loopback interface on the device. After the configuration, user authentication is successful. ----End Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 83 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Summary If a user fails Web authentication through the device, you can check whether the IP address of the actual Web authentication server is the same IP address of the Web authentication server configured on the device. If the IP addresses are different, configure them to be the same. 1.4.7 Error 619 Occurs After Users Attached to the NE80E/40E Dial Up Fault Symptom Error 619 occurs on PCs after users access the BRAS (the NE80E/40E) and dial up. The following figure shows the networking diagram. Figure 1-10 Networking diagram of user accessing the NE80E/40E PC S-switch Router Internet Fault Analysis After PADS packets arrive at PCs, LCP packets cannot be exchanged between PCs NE80E/ 40E during PPP negotiation, causing error 619. 1. Run the display license resource usage command to check entry-specific resource usage defined in the license file. Resource usage of access user traffic is 16125/32768, indicating that the number of login users is lower than the upper limit defined in the license file. 2. Run the display ip pool command to check information about address pools. The free item is 1258, indicating that certain addresses are available. 3. Run the display domain command to check the domain configurations. The Online item displays the number of online users in each domain. 4. Run the display access-user slot command to check the online user list. All online users are attached to one LPU of the NE80E/40E, and the number of online users reached to the maximum number of allowed PPPoX and DHCP users. Procedure Step 1 Switch services on certain interfaces of the LPU to another LPU. Error 619 is not displayed. The fault is then rectified. ----End Summary Error 619 occurs usually because of the BRAS specifications such as maximum number of allowed access users defined in a license file, maximum number of addresses in an address pool, Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 84 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting or maximum number of allowed access users on a specific LPU. Check the BRAS specifications before performing configurations. 1.4.8 Error Message, Indicating that Communication Between a User Access Device and a Portal Server Fails, Is Displayed During Web Authentication Fault Symptom On the network shown in Figure 1-11, a device is configured with RADIUS authentication and provides access services for WLAN users. WLAN users need to pass Web authentication. After accessing the device, a user obtains an IP address and is directed to a correct Web page. The user then enters the user name, password, and verification code for authentication. The system then prompts an error message indicating that the device fails to communicate with the portal server. Figure 1-11 Networking diagram of a Web authentication failure Portal Server BRAS Radius Server Switch AP PC Issue 02 (2011-09-10) PHONE Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 85 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Fault Analysis 1. Run the display domain domain-name command to check the configuration of the authentication domain. The configuration is correct. 2. Run the display radius-server configuration command to check RADIUS attributes. RADIUS attributes are correct. 3. Run the debugging radius packet command to check packets exchanged between the device and the RADIUS server. May 29 2010 10:49:41.230.1 1.1.111.4 RDS/7/ DEBUG: Radius Sent a Packet Server Template: 6 Server IP : 190.93.254.251 Vpn-Instance: NAS Port : 1812 Protocol: Standard Code : Authentication request Len : 279 ID : 36 [User-Name(1) ] [9 ] [test@ld] [User-Password(2) ] [18] [8b17c44b1201d848959fd18c50690f9e] [NAS-Port(5) ] [6 ] [68173824] [NAS-IP-Address(4) ] [6 ] [190.93.16.4] [Service-Type(6) ] [6 ] [2] [Framed-Protocol(7) ] [6 ] [1] [Filter-ID(11) ] [6 ] [0] [Vendor-Specific(26) ] [6 ] [ ] [NAS-Identifier(32) ] [11] [1.1.111.4] [NAS-Port-Type(61) ] [6 ] [15] [NAS-Port-Id(87) ] [33] [eth 4/1/4:4096.4096 0/0/0/0/0/0] [Acct-Session-Id(44) ] [35] [1.1.11104104000000000a7a7cf000020] [Connect-Info(77) ] [12] [1000000000] The command output shows that the vendor-specific attribute numbered 26 delivered by the RADIUS server cannot be identified. 4. Run the radius-attribute disable vendor-specific send command to disable the RADIUS server from sending the vendor-specific attribute. The fault persists. 5. Run the debugging radius packet command again to check packets exchanged between the device and the RADIUS server. May 29 2010 11:10:41.230.1 1.1.111.4 RDS/7/ DEBUG: Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 86 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Radius Sent a Packet Server Template: 6 Server IP : 190.93.254.251 Vpn-Instance: NAS Port : 1812 Protocol: Standard Code : Authentication request Len : 279 ID : 36 [User-Name(1) [test@ld] [User-Password(2) [8b17c44b1201d848959fd18c50690f9e] [NAS-Port(5) [68173824] [NAS-IP-Address(4) [190.93.16.4] [Service-Type(6) [2] [Framed-Protocol(7) [1] [Filter-ID(11) [0] [Vendor-Specific(26) [ ] [NAS-Identifier(32) [1.1.111.4] [NAS-Port-Type(61) [15] [NAS-Port-Id(87) 0/0/0/0/0/0] [Acct-Session-Id(44) [1.1.11104104000000000a7a7cf000020] [Connect-Info(77) [1000000000] ] [9 ] ] [18] ] [6 ] ] [6 ] ] [6 ] ] [6 ] ] [6 ] ] [6 ] ] [11] ] [6 ] ] [33] [eth 4/1/4:4096.4096 ] [35] ] [12] The command output shows that the user group that the RADIUS server delivers to the device is policy 0. 6. Run the display this command in the domain view to check the configurations of the domain. service-type hsi web-server 219.150.59.241 web-server url https://wlan.ct10000.com/ nm/ web-server mode post user-group wlan ip-pool wlan The command output shows that the user group configured in the domain is wlan. The user group configured in the domain is different from that delivered by the RADIUS server, causing the Web authentication failure. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 87 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the aaa command to enter the AAA view. Step 3 Run the domain domain-name command to enter the domain view. Step 4 Run the user-group 0 command to configure a user group the same as that delivered by the RADIUS server. The user can be authenticated. The fault is then rectified. ----End Summary When a user accessing a device needs to be authenticated by a Web server, ensure that the user group attribute configured on the RADIUS server is the same as that configured on the device; otherwise, the device fails to communicate with the portal server during Web authentication. 1.4.9 router Fails to Communicate with a RADIUS Server Because an ACL Rule Is Configured on the router's Interface Connected to the RADIUS Server Users access the router fail to pass authentication. Fault Symptom On the network shown in Figure 1-12, Router B is newly deployed and configured with RADIUS authentication and accounting. All users at the site access the Internet through Router B. Router A is a non-Huawei device. After the configuration, all dial-up users at this site fail to pass authentication. Figure 1-12 Networking diagram of a connection between the router and the RADIUS server Radius Server Network Router A Router B Access Network Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 88 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Fault Analysis 1. Run the debugging radius packet command to enable the debugging. The command output shows that the router has sent a request carrying the Code field being 1 for authentication, but does not receive a response from the RADIUS server. 2. Check debugging information on the RADIUS server. It has received the request and replied with a packet carrying the Code field being 2. As the reply packet is not received, the reply packet may be discarded during forwarding or the route for the reply packet is incorrect. 3. Ping the RADIUS server from the router. The ping is successful, indicating that the route for the returned packet is correct. The replied packet must have been discarded during forwarding. 4. Change the source IP address to another IP address in a different network segment for the packet sent from the router to the RADIUS server. The reply packet can be received, and then users can go online. Considering that IP packets are sent successfully and UDP packets are returned by the RADIUS server, an intermediate device may apply an ACL rule to UDP packets with source IP addresses in a specified network segment. 5. On the basis of a check, Router A is configured with an ACL rule, thus discarding UDP packets replied by the RADIUS server. Procedure Step 1 Delete the ACL rule on Router A. The RouterB can communicate with the RADIUS server. The fault is then rectified. ----End Summary When users cannot go online, first check whether the Router sends requests for authentication and receives replies. In this troubleshooting case, the RADIUS server has received a request for authentication and sent a reply. The Router cannot receive the reply, which is caused by incorrect ACL rule set on an device between the Router and the RADIUS server. 1.4.10 Users Are Repeatedly Logged Out of the MAN Due to Route Flapping Users are repeatedly logged out of the MAN. A check of the LSDB shows that conflicting IP addresses and router IDs exist in the network, which cause the OSPF route flapping. Fault Symptom On the network shown in Figure 1-13, users attached to Router E are repeatedly logged out of the MAN. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 89 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Figure 1-13 Networking diagram for the case in which users are repeatedly logged out of the MAN due to route flapping RouterA RouterID 1.1.1.1 GE1/0/1 10.0.0.1/30 GE1/0/1 10.0.0.2/30 RouterB RouterID 2.2.2.2 RouterC RouterID 3.3.3.3 GE1/0/1 40.0.0.1/30 Metro Ethernet Network GE1/0/1 40.0.0.2/30 RouterD RouterID 4.4.4.4 RouterE RouterID 5.5.5.5 User Fault Analysis 1. Since the users all access the MAN through Router E, maybe there is a problem with the forwarding on Router E. Run the display ospf lsdb command on Router E several times to check the OSPF LSDB. The command output shows that the value of the LS age field in the Network LSA with the Link State ID being 10.0.0.2 is always smaller than 20 and the LSA is aged out frequently (the age value changes to 3600). In normal situations, however, the age value is not always smaller than 20 or aged out frequently. <RouterE> display ospf lsdb OSPF Process 1 with Router ID 5.5.5.5 Link State Database Area: 0.0.0.0 Type LinkState ID AdvRouter 10.0.0.2 2.2.2.2 Age Len Sequence 32 800029BE Metric …… Network 6 0 …… 2. Run the display ospf lsdb network 10.0.0.2 command repeatedly on Router E to view detailed information about this LSA. The command output shows that the ID of the router advertising this LSA is 2.2.2.2, but the attached router frequently changes between 1.1.1.1 and 3.3.3.3. It is possible that an IP address conflict occurs on the network. <RouterE> display ospf lsdb network 10.0.0.2 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 90 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting OSPF Process 1 with Router ID 5.5.5.5 Area: 0.0.0.0 Link State Database Type : Network Ls id : 10.0.0.2 Adv rtr : 2.2.2.2 Ls age : 7 Len : 32 Options : E seq# : 80002ca3 chksum : 0x8995 Net mask : 255.255.255.252 Attached Router 1.1.1.1 Attached Router 2.2.2.2 <RouterE> display ospf lsdb network 10.0.0.2 OSPF Process 1 with Router ID 5.5.5.5 Area: 0.0.0.0 Link State Database Type : Ls id : Adv rtr : Ls age : Len : Options : seq# : chksum : Net mask : Attached Attached 3. Network 10.0.0.2 2.2.2.2 7 32 E 80002ca3 0x8995 255.255.255.252 Router 3.3.3.3 Router 2.2.2.2 The initial network planning scheme is as follows: l The IP address of GE 1/0/1 on Router A is 10.0.0.1/30, and that on Router B is 10.0.0.2/30. l The IP address of GE 1/0/1 on Router C is 40.0.0.1/30, and that on Router D is 40.0.0.2/30. l The router IDs of Router A, Router B, Router C, and Router D are 1.1.1.1, 2.2.2.2, 3.3.3.3, and 4.4.4.4 respectively. Based on the preceding network planning scheme, Router B should be the router advertising the Network LSA with the Link State ID being 10.0.0.2 and the attached routers should be 1.1.1.1 and 2.2.2.2. 4. In this case, it is possible that an IP address conflict occurs on the network segment where both Router C and Router D reside. Run the display ip interface brief and display ospf brief commands on RouterA, RouterB, RouterC, and Router D. The actual configurations on the devices are as follows (as shown in Figure 1-14): l All the configurations on Router A and Router B are the same as that in the network planning scheme. l The IP addresses of GE 1/0/1 on Router C and Router D are 10.0.0.1/30 and 10.0.0.2/30, which differ from that in the network planning scheme and conflict with the IP addresses of Router A and Router B. l The router ID of Router D is 2.2.2.2, which differs from that in the network planning scheme and conflicts with the router ID of Router B. l Both Router B and Router D are DRs. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 91 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Figure 1-14 Networking diagram where conflicting IP addresses and router IDs are configured RouterA RouterID 1.1.1.1 GE1/0/1 10.0.0.1/30 GE1/0/1 10.0.0.2/30 RouterB RouterID 2.2.2.2 RouterC RouterID 3.3.3.3 GE1/0/1 10.0.0.1/30 Metro Ethernet Network GE1/0/1 10.0.0.2/30 RouterD RouterID 2.2.2.2 RouterE RouterID 5.5.5.5 User 5. As the DRs on the network segment 10.0.0.0/30, both Router B and Router D send the Network LSA with the following information: l Link State ID: 10.0.0.2 l Advertising Router: 2.2.2.2 l In the LSA sent from Router B, the attached routers are 1.1.1.1 and 2.2.2.2; in the LSA sent from Router D, the attached routers are 3.3.3.3 and 2.2.2.2. According to OSPF, a device determines whether a received LSA was generated by itself based on the standard and procedure shown in Figure 1-15. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 92 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Figure 1-15 Standard and procedure used to determine whether the LSA was generated by the system itself An LSA is received. Yes Is the Advertising Router the same as the local Router ID? No Is the Link State ID the same as the IP address of a local interface? No Yes Is the device able to genarate the LSA? No The LSA is aged and advertised. A new LSA is generated and advertised. When Router B receives a Network LSA with the Link State ID being 10.0.0.2 from Router D, it determines that the LSA was generated by itself because: l The value of the Advertising Router field in the LSA is 2.2.2.2, which is the router ID of Router B, and the Link State ID in the LSA is the same as the IP address of GE 1/0/1 on Router B. l Router B is a DR; so, it is able to generate the Network LSA. Then, Router B advertises an updated Network LSA. When Router D receives the LSA from Router B, it also advertises the updated LSA. As a result, Router B and Router D repeatedly update the LSA, which leads to the frequent change in the LSDB on each device and causes route flapping. Procedure Step 1 Run the system-view to enter the system view. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 93 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting NOTE The configuration is performed on Router B. The configuration steps of Router A are similar to that of Router B except the router ID, and are not mentioned here. Step 2 Run the interface interface-type interface-number command to enter the interface view. Step 3 Run the ip address ip-address command to assign a correct IP address. Step 4 Run the quit command to return to the system view. Step 5 Run the router id router-id command to set a correct router ID. Step 6 Run the return command to return to the user view. CAUTION Restarting an OSPF process leads to the re-establishment of all neighbor relationships in the process and transient interruption of services. Step 7 Run the reset ospf process-id process command to restart the OSPF process. After the configuration is complete, run the display ospf lsdb command repeatedly to ensure that the LSDB has stabilized. At that time, the users can normally access the MAN, and the fault is rectified. ----End Summary In normal situations, the value of the LS age field in an LSA increases from 0. When a corresponding Link State Update packet is received, the age value of the LSA is updated based on the Age field in that Link State Update packet. If the age value of an LSA is small for a long time and then suddenly changes to 3600, it indicates that the network topology is unstable, which is possibly due to loops or IP address conflicts. In this case, you can repeatedly run the display ospf lsdb command to check the LSDB and find the unstable LSA. If the networking is complicated, you can also run the tracert command to isolate the problem to a device. 1.4.11 Dial-up Fails Because the Format of the Packet Sent from the BRAS Is Inconsistent with That on the RADIUS Server Fault Symptom On the network shown in Figure 1-16, a user accesses the interface GE 1/0/1 on the router through the switch in QinQ mode. VLAN tags are terminated on the router. The user account is bound to a specific interface in a VLAN on the RADIUS server. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 94 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Figure 1-16 Networking diagram of the unsuccessful dial-up because the format of the packet sent from the device is inconsistent with that on the RADIUS server User GE 1/0/1 Network Switch Router A "691" error is prompted when the user dials up. Fault Analysis 1. Check that the information about the interface and VLAN bound to the user account on the RADIUS server is the same as the actual interface and VLAN for the user traffic. 2. Run the display this command in the view of GE 1/0/1 on the router to check the configurations on the interface. The command output shows the outer VLAN and inner VLAN configured on the interface are correct. 3. Enable the debugging of the RADIUS server. The following information is displayed: [Reply-Message(18) [175] [29;User(ntest0001)'s Authen Attrib ai-vlan-id: NAS is 601.1001, Radius is ge--1,0,1:601.1001--0,0,0,0,0,0, Not match) Attrib(Authen NAS is 601.1001 is the user information sent from the BRAS to the RADIUS server; Radius is ge--1,0,1:601.1001 is the user information stored on the RADIUS server. The router only sends the user VLAN information (601.1001) to the RADIUS server. The RADIUS server, however, stores information about both the VLAN (601.1001) and interface (ge--1,0,1) bound to the user account. The information sent for authentication does not completely match the information stored on the RADIUS server. Therefore, the user fails the authentication. On the router, the attribute carrying the user information is Nas-Port-Id, which has four formats. By default, the attribute is in the version 2.0 format. In this case, the format should be changed to standard so that it can be consistent with the packet format (VLAN+interface) on the RADIUS server. Procedure Step 1 Run the system-view to enter the system view. Step 2 Run the aaa command to enter the AAA view. Step 3 Run the vlanpvc-to-username standard command to set the format of Nas-Port-Id to be sent by the router to the RADIUS server to standard. After the format has been changed, the user successfully dials up. ----End Summary The possible causes of a "691" error in user dial-up are as follows: Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 95 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting l The interface and VLAN bound to the user account are different from the planned interface and VLAN l The VLANs configured on the interface of the BRAS are incorrect. l The format of user information sent from the BRAS is different from that on the RADIUS server. l A certain policy is created to control communication between the router and the RADIUS server, which causes the router unable to communicate with the RADIUS server. 1.4.12 Uses Fail to Log In Because the GTL License File Is Not Loaded Fault Symptom One router is newly deployed at a site. After PPPoE services are configured on the router, dialup users fail to access the device and "619" errors are prompted. Fault Analysis 1. Run the display aaa online-fail-record command to find the cause of the user login failure. The command output does not contain a cause. 2. Run the debugging ucm all command. The command output shows an error message "This slot did not have any GTL license. (Slot=3)." The cause is that the GTL license file is not loaded to the router. Procedure Step 1 Contact Huawei technical support personnel to obtain the correct GTL license file, and then upload the file to the cfcard:/ path on the router. Step 2 Run the license active filename command in the user view to activate the GTL license file and obtain the authority of corresponding functions. ----End Summary A correct GTL license file must be obtained before the deployment of a device at a new site; otherwise, users cannot access the device. The GTL license provides a control on the BAS function of boards and a control over the number of users on an entire device. By default, the BAS function of boards is disabled; so, you need to buy a GTL license. In addition, you need to run the bas enable command in the slot view to enable the BAS function on the board. By default, a device supports the access of 4K users. It means that the device supports the access of 4K users when there are board licenses. If more than 4K users access the device, you need to buy a GTL license. 1.4.13 Modems of a Certain Brand Fail to Access the Internet Because Multiple Interfaces Respond to the PADO Packet Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 96 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Fault Symptom On a network, three routers process user Internet services. Each router has two LPUs on which sub-interfaces terminate all user VLAN tags, and all users can normally access the network. Later, one more router is added for expansion, and each router now has four LPUs. Since then, a lot of users make complaints that they fail to access the Internet. The analysis of the MAC addresses of the modems of those users shows that their modems are of the same brand. Fault Analysis 1. Run the trace access-user object object-id command on any one of the routers to trace the users failing to log in. The command output shows that the router has received the PPP negotiation request but the negotiation process stopped at the LCP negotiation phase. 2. Capture the packets on one of the modems. It is found that the modem sends a PADR packet after receiving the first PADO packet. After the router replies with a PADS packet, the modem does not complete PPP negotiation but directly sends a PADT packet to terminate the negotiation. The session ID of the captured PADT packet is 0. It indicates that the modem processes only the PADO packets sent from the routers. 3. Users can access the Internet before the network expansion. The only change on the network after expansion is that the number of BAS interfaces increases. After the modem sends the PADI packet, the number of received PADO packets increases from 6 to 16. This may cause the failure of PPP negotiation. Then, adjust the number of BAS interfaces that respond to the modem. A test shows that the modem counts the received PADO packets right after sending the PADI packet. If more than 10 PADO packets are received, the modem stops PPP negotiation. Procedure Step 1 Reduce the number of BAS interfaces that respond to a user's authentication request through certain network optimization. ----End Summary The protocol processing flow may vary with the brands or models of modems. In network planning, try to reduce the number of BAS interfaces that respond to a user's authentication request. 1.4.14 A User Cannot Obtain the Associated Authority Because the AAA Authorization Mode and AAA Authentication Mode Are Inconsistent Fault Symptom On the router, AAA local authentication is configured for a Telnet user and the level-15 authority is assigned to the user. After a VTY user logs in, run the display user-interface command to view the authority of the VTY user. You can find that the VTY user can obtain only the level-0 authority, not the level-15 authority. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 97 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting <HUAWEI> display userinterface Idx Type Tx/Rx 0 CON 0 9600 33 AUX 0 9600 + 34 VTY 0 Modem Privi ActualPrivi Auth Int 3 N - 0 0 N 0 A - The VTY user can obtain the level-15 authority only after the super command is run. Fault Analysis 1. Run the display current-configuration command to check the authentication mode configured on the VTY user interface. <HUAWEI> display current-configuration user-interface vty 0 4 authentication-mode aaa protocol inbound all The command output shows that the VTY user interface is correctly configured with the AAA authentication mode. 2. Run the display current-configuration command to check the AAA configuration. <HUAWEI> display current-configuration # aaa local-user ipops password cipher .J]K3BK;Q!! local-user ipops service-type telnet ssh local-user ipops level 15 authentication-scheme default authentication-mode local authentication-super super # authorization-scheme default authorization-mode if-authenticated # accounting-scheme default accounting start-fail online # domain default # The command output shows that the authorization mode used in the authentication scheme is if-authenticated. In if-authenticated mode, a user can obtain the related authority only after the user passes the authentication that is not in none mode. When a VTY user logs in, the router authorizes the VTY user in if-authenticated mode. Although the local user is configured with the level-15 authority, the VTY user cannot obtain the level-15 authority, because the authorization mode is not local authorization. Instead, the default authority is assigned to the VTY user. The default authority of a VTY user is the level-0 authority, and therefore the VTY user is assigned the level-0 authority. Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the aaa command to enter the AAA view. Step 3 Run the authorization-scheme default command to enter the default authentication scheme view. Step 4 Run the authentication-mode local command to configure the local authentication mode. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 98 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting After the configuration, when the VTY user logs in, run the display user-interface command to view the authority of the VTY user. <HUAWEI> display userinterface Idx Type Tx/Rx 0 CON 0 9600 33 AUX 0 9600 + 34 VTY 0 Modem Privi ActualPrivi Auth Int 3 N - 0 0 N 15 A - The command output shows that the VTY user can obtain the level 15 authority. Thus, the fault is rectified. ----End Summary When configuring the AAA authentication mode, ensure that the authentication mode and the authorization mode are consistent. 1.4.15 Failure to Obtain an IP Address Scenario Figure 1-17 IPoX networking RADIUS Server I n t e r ne t subscriber Router Fault Analysis The possible causes are as follows: l If the IP address is assigned by the local router, the failure may be caused by the improper configuration of the local address pool. l If the IP address is assigned by the remote DHCP server, the failure may be caused by the improper configuration of address pool or communication error. l The authentication mode of the domain is incorrect. Procedure Step 1 Check whether the IP address is assigned by the router or the remote DHCP server. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 99 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Step 2 Check the configuration of local IP address assignment. If the IP address is assigned by the local router, run the display domain command to check the address pool referenced by the domain. l For a web authentication user, check the configuration of pre-authentication domain. l For a binding authentication user, check the configuration of authentication domain. l Run the display ip pool command to check that there is idle IP address in the address pool. Step 3 Check the DHCP server. If the IP address is assigned by the remote DHCP server, do as follows: l Run the ping command to check the communication between the remote DHCP server and the NE80E/40E . l Run the display domain command to check whether the address pool referenced by the domain is correct. l Run the display ip pool command to check whether the address pool type is remote and the address pool has referenced the DHCP server group. Step 4 Check the authentication. To obtain an IP address, the user must pass the authentication of the domain. l The web authentication user is authenticated in the pre-authentication domain and adopts the account format of the binding authentication. l The binding authentication user is authenticated in the authentication domain. l For the local authentication or RADIUS user, the user name and password must be configured on the AAA server. Step 5 Enable service tracing. The key messages in service tracing are as follows: l DHCP DISCOVER packet Dec 4 2009 16:39:38.940.2 HUAWEI DHCPACC/7/ DHCPACC_DBG: PKT INFO: Hardware Type = 1, Hardware Address Length = 6 Hops = 0, Transaction ID = 0 Seconds = 0, Broadcast Flag = 1 Client IP Address = 0.0.0.0, Your IP Address = 0.0.0.0 Server IP Address = 0.0.0.0, Gateway IP Address = 0.0.0.0 Client Hardware Address = 0001-9901-0101 Server Host Name = [N/A], Boot File Name = [N/ A] Dhcp message type = DHCP_DISCOVER This is the first DHCP message. If the message is not included in the output, check if the layer-2 network operates well. The access type configured on BAS interface is layer2subscriber. The web authentication and fast authentication are configured on the BAS interface. The BAS interface is up. NOTE If the user gets online more than once, the DHCP Request packet is sent, while this message is not sent. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 100 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting l Authentication message [UCM DBG]MSG Recv From:DHCP Code:DHCPACC_UCM_CONN_REQ(200) Event:CONN_REQ Src: 635 Dst:4294967295 [UCM DBG]MSG Send To:AAA Code:UCM_AAA_AUTH_REQ(83) Src:628 Dst:628 Dec 4 2009 16:39:38.940.30 HUAWEI UCM/7/DebugInfo: [UCM DBG]UserName:HUAWEI@kouki Dec 4 2009 16:39:38.940.31 HUAWEI UCM/7/DebugInfo: [UCM DBG]UCM -> AAA : Send Msg Success The preceding message shows that the CM sends the authentication request after it receives the connection request of the user. l Dec 4 2009 16:39:38.940.46 HUAWEI AAA/7/AAADBG: [AAA debug] Code: AAA->UCM authen ack UserID: 628 Dec 4 2009 16:39:38.940.47 HUAWEI AAA/7/AAADBG: AAA EVENT:CID = 628,UserName = HUAWEI@kouki Authen State is OK Dec 4 2009 16:39:38.940.48 HUAWEI UCM/7/DebugInfo: [UCM DBG]Translate Msg(84) to Event(3) Dec 4 2009 16:39:38.940.49 HUAWEI UCM/7/DebugInfo: [UCM DBG]MSG Recv From:AAA Code:AAA_UCM_AUTH_ACK(84) Event:AUTH_PASS Src:628 Dst:628 l Connection response message Dec 4 [UCM Dec 4 [UCM Dec 4 [UCM Dec 4 [UCM 2009 16:39:38.940.56 HUAWEI UCM/7/DebugInfo: DBG]Send Connect Ack to DHCPACC. Lease Time = 0 NeedReAuthen = 0 2009 16:39:38.940.57 HUAWEI UCM/7/DebugInfo: DBG]MSG Send To:DHCP Code:UCM_DHCPACC_CONN_ACK(201) Src:628 Dst:635 2009 16:39:38.940.58 HUAWEI UCM/7/DebugInfo: DBG]Result:0 Server:0 Gate:ffffffff 2009 16:39:38.940.59 HUAWEI UCM/7/DebugInfo: DBG]UCM -> DACC : Send Msg Success After the authentication succeeds, the CM sends the connection response message to the DHCPACC. l IP address assignment request Dec 4 2009 16:39:38.940.71 HUAWEI DHCPS/7/DHCPS_DBG: Event: Enter AM_DHCPS_ReqIp to apply ip [ffffffff] Dec 4 2009 16:39:38.940.72 HUAWEI DHCPS/7/DHCPS_DBG: Event: The applied free ip is a000061 Dec 4 2009 16:39:38.940.73 HUAWEI DHCPS/7/DHCPS_DBG:AM_DHCPS_ReqIp return VOS_OK Dec 4 2009 16:39:38.940.74 HUAWEI DHCPS/7/DHCPS_DBG: Event: DHCPS:AM_DHCPS_ReqIp return VOS_OK.Apply OK and send Offer. After the DHCPACC receives the connection response message, it forwards the DHCP Discovery message to the DHCPS. Then, the DHCPS applies for IP address to the address manager (AM). Sep 5 2009 11:31:54.230.5 HUAWEI DHCPACC/7/DHCPACC_DBG: Event: DHCPACC_UcmAcp tForDiscover: Send discovery packet to server successfully and useris state is c hanged to DHCPACC_DIS_WAIT_SERVER_OFFER If successfully is not included in the preceding message, check the configuration of the local address pool. l DHCP protocol packet Dec [ [ [ [ [ [ [ [ [ [ Issue 02 (2011-09-10) 4 2009 16:39:38.940.77 HUAWEI DHCPS/7/DHCPS_DBG: DHCPS send ] : ===== Xid ]:0 cmd ]:2 Htype ]:1 Hlen ]:6 Hops ]:0 Secs ]:0 Flag ]:32768 Ciadd ]:0.0.0.0 Yiadd ]:10.0.0.97 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 101 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting [ Siadd ]:0.0.0.0 [ Giadd ]:10.0.0.1 [ Sname ]: [ File ]: [ Option]:----Message type:OFFER Server id:10.0.0.1 leasetime:259200s Renewtime:129600s Rebindtime:226800s Option82 :RID:HUAWEI-0100-0000-GE,CID:0100-0000-GE From the preceding three messages, you can learn whether the DHCP Offer, DHCP Request, or DHCP Ack packets fail. Analyze the returned packet to find the cause of the fault. If the IP address is assigned by a remote DHCP server, the output of the service tracing also shows you how the device interoperates with the DHCP server. Step 6 Analyze the debugging information. The output information of debugging is more specific than the service tracing information. It helps you locate the fault. ----End Summary To use the DHCP server to assign IP addresses, make sure that the DHCP server can communicate with the NE80E/40E . 1.4.16 Web Authentication Fails Scenario The networking is as shown in 1.4.15 Failure to Obtain an IP Address . Fault Analysis The possible causes are as follows: l The web authentication is configured improperly. l An error occurs to the RADIUS server. Procedure Step 1 Display the online failure records. <HUAWEI> display aaa online-fail-record ------------------------------------------------------------------User name : 0001-0101-0101@local User MAC : 0001-0101-0101 User access type : IPoE User interface : Atm4/0/2 User Pe Vlan : 0 User Ce Vlan : 0 User IP address : User ID : 14 User authen state : Authened User acct state : AcctIdle User author state : AuthorIdle User login time : 2009-09-05 12:58:05 Online fail reason : LAM user does not exist Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 102 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting ------------------------------------------------------------------------------------------------------------------------------------- Table 1-1shows the reasons why the user fails to go online. Table 1-1 Reasons for online failure User Online Fail Reason Meaning Web user request Indicates that the user sends an offline request. DHCP decline Indicates the DHCP decline. IP address alloc fail Indicates the failure to assign IP addresses. IP address conflict Indicates that the IP addresses conflict. MAC address conflict Indicates that the MAC addresses conflict. Start accounting fail Indicates the failure to start accounting. Domain or user access limit Indicates the limit on domain or user access. Port access limit Indicates the access limit on the port. Send authentication request fail Indicates the failure to send the authentication request. RADIUS authentication reject Indicates that the RADUIS server rejects the authentication request. RADIUS authentication send fail Indicates the failure to send the RADIUS authentication request. Local authentication reject Indicates that the local authentication is rejected. Local authentication no user Indicates that the user name cannot be found in the local authentication domain. Local Authentication user type not match Indicates that the user type does not match with the local domain. Local Authentication user block Indicates that the account is not activated in the local authentication. Step 2 Troubleshoot the Web authentication. If there is no corresponding online failure record or the failure record is "web user request", it indicates the Web authentication is not complete or an error occurs in the authentication. In this case, debug the Web authentication and analyze the output of the debugging command. Dec 4 2009 10:54:58.190.7 HUAWEI WEB/8/DEBUG: Received packet from socket (length = 32 Vrf = 0): Version : 2 Type : challenge request Method : chap SerialNo : 112 RequestID : 0 UserIP : 4.2.127.242 ErrorCode : 0 AttributeNumber : 1 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 103 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Dec 4 2009 10:54:58.190.8 HUAWEI WEB/8/DEBUG: 02 01 00 00 00 4d 00 00 03 03 c8 c3 00 00 00 00 56 74 98 e8 7e b7 a4 5d 7c 6a 74 11 2c f9 66 94 Dec 4 2009 10:54:58.190.9HUAWEI WEB/8/DEBUG: Sent packet to socket (length = 50 Vrf = 0): Version : 2 Type : challenge ack Method : chap SerialNo : 77 RequestID : 14 UserIP : 4.2.127.242 ErrorCode : 0 AttributeNumber : 1 Dec 4 2009 10:54:58.190.10 HUAWEI WEB/8/DEBUG: 02 02 00 00 00 4d 00 0e 03 03 c8 c3 00 00 00 01 fb 08 7e 70 27 36 37 c5 9b cb 9b 14 cf ac 40 38 03 12 49 eb 51 11 bd 15 63 ff 8b c7 59 ad 61 59 30 30 30 30 30 40 76 6c 61 6e If the web server is of V1, the preceding information is not included in the output. If the web server is of version 2, the info req packet is received before the info ack request. If the NE80E/ 40E cannot receive the info rep packet, check the configuration of the web server. Dec 4 2009 10:54:58.190.1 HUAWEI WEB/8/DEBUG: Received packet from socket (length = 57 Vrf = 0): Version : 2 Type : authentication request Method : chap SerialNo : 77 RequestID : 14 UserIP : 3.3.200.195 ErrorCode : 0 AttributeNumber : 2 Dec 4 2009 10:54:58.190.2 HUAWEI WEB/8/DEBUG: 02 01 00 00 00 62 00 00 0c 2f 7f ff 00 00 00 00 c3 12 23 44 44 ae 92 67 4e e5 c3 99 7d 8b 43 2a In case of CHAP authentication, the web server sends the challenge req request. If the NE80E/ 40E cannot receive this message, check the configuration of the Web server. Dec 4 2009 10:54:58.220.1 HUAWEI WEB/8/DEBUG: Sent packet to socket (length = 32 Vrf = 0): Version : 2 Type : authentication ack Method : chap SerialNo : 77 RequestID : 14 UserIP : 3.3.200.195 ErrorCode : 0 AttributeNumber : 0 Dec 4 2009 10:54:58.220.2 HUAWEI WEB/8/DEBUG: 02 04 00 00 00 4d 00 0e 03 03 c8 c3 00 00 00 00 a9 ae 06 5f 62 94 f7 9a b2 a5 35 f8 12 95 dc 6f 89 03 Dec 4 2009 10:54:58.220.3 HUAWEI WEB/8/DEBUG: Received packet from socket (length = 32 Vrf = 0): Version : 2 Type : ack of authentication ack Method : chap SerialNo : 77 RequestID : 14 UserIP : 3.3.200.195 ErrorCode : 0 AttributeNumber : 0 Dec 4 2009 10:54:58.220.4 HUAWEI WEB/8/DEBUG: 02 07 00 00 00 4d 00 0e 03 03 c8 c3 00 00 00 00 1e 66 fb e1 e5 2a 4f e3 c7 c3 35 45 f3 79 c3 cd Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 104 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting In the authentication request, if the PAP authentication is used, the method field in the packet is PAP. If the user does not receive this packet in authentication, check the web server. Dec 4 2009 10:54:58.220.5 HUAWEI WEB/8/DEBUG: Sent packet to socket (length = 32 Vrf = 0): Version : 2 Type : authentication ack Method : chap SerialNo : 77 RequestID : 14 UserIP : 3.3.200.195 ErrorCode : 0 AttributeNumber : 0 Dec 4 2009 10:54:58.220.6 HUAWEI WEB/8/DEBUG: 02 04 00 00 00 4d 00 0e 03 03 c8 c3 00 00 00 00 a9 ae 06 5f 62 94 f7 9a b2 a5 35 f8 12 95 dc 6f The preceding information is the authentication response that informs the web server of the authentication result. If the NE80E/40E receives the logout req packet immediately after or before the auth ack packet, check whether the interval between the auth ack packet and the auth req packet exceeds the time-out time of the web server. Dec 4 2009 10:54:58.220.7 HUAWEI WEB/8/DEBUG: Received packet from socket (length = 32 Vrf = 0): Version : 2 Type : ack of authentication ack Method : chap SerialNo : 77 RequestID : 14 UserIP : 3.3.200.195 ErrorCode : 0 AttributeNumber : 0 Dec 4 2009 10:54:58.220.8 HUAWEI WEB/8/DEBUG: 02 07 00 00 00 4d 00 0e 03 03 c8 c3 00 00 00 00 1e 66 fb e1 e5 2a 4f e3 c7 c3 35 45 f3 79 c3 cd After receiving the authentication success response, the web server needs to display the authentication success page for the user. If the success page is not displayed, the user cannot go online. The NE80E/40Eallows the user to access the Internet and conducts the accounting for the user only after receiving the result from the web server. You can analyze the output of service tracing in the same way you analyze the debugging information and get the same result. Step 3 Check the configuration. For details, see 1.3 Troubleshooting IPoX . Step 4 Troubleshoot the RADIUS server. For the RADIUS authentication failure, refer to 5 "RADIUS Troubleshooting." If the fault persists, contact Huawei technical personnel. ----End 1.4.17 Mandatory Web Authentication Fails Scenario The networking is as shown in 1.4.15 Failure to Obtain an IP Address . Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 105 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Fault Analysis The possible causes are as follows: l The user does not obtain an IP address. l The route of the web server is wrong. l The ACL is applied. l The server works abnormally. l The user group is configured improperly. l The DNS server is configured improperly. Procedure Step 1 Check whether the user has obtained an IP address. An IP address is the prerequisite to any online activity. If the user cannot obtain an IP address, solve the problem by referring to 1.4.15 Failure to Obtain an IP Address . Step 2 Access the web server with the IP address. After obtaining the IP address, enter the IP address of the web server in the browser. If the web page is displayed, it indicates that the traffic policy, the route, and the server work properly. If you fail to open the web page, do as follows: l Check the route to the web server by using the ping and tracert commands. l Check the traffic policy, the classifier, and the behavior. Make sure the traffic policy is applied to the correct interface. l Check whether the web server works normally. Step 3 Access a website that you are not authorized to. If you can get access to the web server, try to access an IP address that you are not authorized to. If you cannot be redirected to the web page, it indicates that the configuration of the mandatory web authentication is improper. In this case, do as follows: l Check the user group by using the display access-user command. l Check the traffic policy. Only the web server and DNS can be accessed. Do not forbid the authorized addresses. l Check the interface that the traffic policy is applied to. For some users, the traffic policy is applied to the sub-interface, not the main interface. Step 4 Enter the domain name in the browser. If you can be redirected to the web page after entering an IP address, try to enter a domain name in the browser. If you are not redirected to the web server, check the following: l Whether the DNS is configured with an ACL permitting the user access. l Whether the route to the DNS is reachable. l Whether the DNS operates well. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 106 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting Besides, you can also replace the DNS with another one to see if the mandatory web authentication failure is caused by the DNS. Step 5 Capture packets at the client. If the preceding methods do not work, capture packets at the client and analyze the packets. ----End Summary If mandatory web authentication does not work, check the configurations of the user group number and the traffic policy. If you are redirected to the mandatory web server by entering any IP address, rather than domain name, the failure may be caused by the DNS server. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 107 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 2 Client Fails to Obtain an IP Address Troubleshooting Client Fails to Obtain an IP Address Troubleshooting About This Chapter 2.1 An Ethernet Client Fails to Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Server) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that an Ethernet client fails to obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP server. 2.2 An Ethernet Client Cannot Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Relay) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that an Ethernet client fails to obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP relay. 2.3 A PPPoX/IPoX Client Fails to Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Server) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that a PPPoX/IPoX client fails to obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP server. 2.4 A PPPoX/IPoX Client Cannot Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Relay) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that a PPPoX/IPoX client cannot obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP relay. 2.5 Related Troubleshooting Cases Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 108 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting 2.1 An Ethernet Client Fails to Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Server) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that an Ethernet client fails to obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP server. 2.1.1 Common Causes This fault is commonly caused by one of the following: l DHCP is not enabled. l The IP address of the interface connecting to the client is incorrect, or the IP address pool whose gateway is the same as the IP address of the interface connecting to the client does not exist. l The IP address pool is incorrectly configured. For example, the IP address pool is configured to be the Server or Remote type, or the IP address pool is locked. l The IP address pool has no assignable IP address. l The link between the DHCP server and the client is faulty. l Another device along the link is incorrectly configured. 2.1.2 Troubleshooting Flowchart When the HUAWEI NetEngine80E/40E functions as the DHCP server, a PPPoX/IPoX client cannot obtain an IP address. The troubleshooting roadmap is as follows: l Check that the IP address pool of the DHCP server is correctly configured and IP addresses can be assigned. l Check the link between the DHCP server and the client is normal. l Check that other devices along the link are correctly configured. Figure 2-1 shows the troubleshooting flowchart. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 109 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Figure 2-1 Troubleshooting flowchart for the fault that an Ethernet client fails to obtain an IP address (the HUAWEI NetEngine80E/40E functions as the DHCP server) A client fails to obtain an IP address Is DHCP enabled? No Enable DHCP Is fault rectified? Yes No Yes Is the interface at the user side assigned a correct IP address? No Configure a correct IP address Yes No Yes Does an IP address pool exist? No Create an IP address pool Is fault rectified? Yes No Yes Is the IP address pool correctly configured? No Rectify the fault according to the specific troubleshooting procedure Is fault rectified? Yes No Yes Does the IP address pool have assignable IP addresses? No Increase the number of IP addresses in the IP address pool or solve the IP address conflict problem Is fault rectified? Yes No Yes Is the link between the DHCP server and the client normal? No Rectify the link fault Is fault rectified? Yes No Yes Are other devices correctly configured? No Rectify the fault according to user manual for these devices Is fault rectified? Yes No Yes Seek technical support Issue 02 (2011-09-10) Is fault rectified? Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. End 110 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting 2.1.3 Troubleshooting Procedure Before performing the following procedure, you can also refer to common causes for users fail to get online to solve this fault. NOTE Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel. Procedure Step 1 Check that the DHCP function is enabled. Run the display current-configuration | include undo dhcp enable command to check whether the DHCP function is enabled. By default, the DHCP function is enabled. l If the command output shows undo dhcp enable, it indicates that the DHCP function is disabled, and you need to run the dhcp enable command to enable the DHCP function. l If there is no command output, it indicates that the DHCP function is enabled. Then, go to Step 2. Step 2 Check that the interface connecting to the client is configured with a correct IP address. Run the display this command in the view of the interface connecting to the client to check whether an IP address is configured for the interface. l If the IP address is incorrect or no IP address is configured, run the ip address ipaddress command to correctly configure an IP address. l If the IP address is correct, go to Step 3. Step 3 Check that the IP address pool is correctly configured. Run the display current-configuration filter gateway ip-address mask command to check whether there is a local IP address pool whose IP addresses belong to the same network segment with the gateway (relay access) or with the IP address of an interface (non-relay access). l If there is no command output, it indicates that the IP address pool does not exist. In this case, run the following commands. – Run the ip pool pool-name server command to create an IP address pool. – Run the gateway ip-address { mask | mask-length } command to create the gateway of the IP address pool. – Run the section section-num start-ip-address [ end-ip-address ] to configure the range of assignable IP addresses. For detailed configurations of the IP address pool, refer to the HUAWEI NetEngine80E/ 40E Configuration Guide - User Access. l If the correct IP address pool exists, go to Step 4. Step 4 Check that the IP address pool is correctly configured and IP addresses can be assigned. Run the display ip pool name pool-name command to check whether the corresponding fields have the correct values based on the following check steps. If any field has an incorrect value, rectify the fault based on the following rectification procedure. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 111 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Item Field Correct Value Restoration Procedure Check whether the type of the IP address pool is Server. Position Server If the field is displayed as Local or Remote, run the ip pool pool-name bas remote command again to set the IP address pool to the Server type. Check whether the IP address pool is locked. Status Unlocked If the field is displayed as Locked, run the undo lock command to unlock the IP address pool. Check whether the IP address pool has assignable IP addresses. idle If the idle field is displayed as a value larger than 0, it indicates that assignable IP addresses exist in the IP address pool. l If there are conflicting IP addresses, run the reset conflict-ipaddress command to mark the conflicting IP addresses as idle. conflicted If the conflicted field is displayed as 0, it indicates that there are no conflicting IP addresses. l Re-plan the network and increase the number of IP addresses in the IP address pool. After the preceding steps, if the client still cannot acquire an IP address, go to Step 5. Step 5 Check that the link between the DHCP server and the client is normal. On the client, configure an IP address to make the client and the IP address pool of the DHCP server on the same network segment (note that the IP address of the client cannot conflict with an assigned IP address). Then, ping the IP address on the DHCP server to check whether the link between the DHCP server and the client is normal. l If the ping operation fails, it indicates that a routing fault occurs between the DHCP server and the client, and you need to rectify the fault immediately. l If the ping operation succeeds, go to Step 6. Step 6 Check that the configurations of other devices along the link are correct, including the DHCP relay, DSLAM, LAN switch, and the client. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 112 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Check whether the configurations of these devices are correct based on the device manuals. If not, modify the configurations. After the preceding steps, if the client still cannot acquire an IP address, go to Step 7. Step 7 Collect the following information and contact Huawei technical support personnel. l Results of the preceding troubleshooting procedure l Configuration files, log files, and alarm files of the devices ----End 2.1.4 Relevant Alarms and Logs Relevant Alarms None. Relevant Logs None. 2.2 An Ethernet Client Cannot Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Relay) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that an Ethernet client fails to obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP relay. 2.2.1 Common Causes This fault is commonly caused by one of the following: l DHCP relay is not enabled. l Incorrect DHCP option number, relay agent address, or DHCP server address is configured. l The link between the DHCP relay and the DHCP server or between the DHCP relay and the client is faulty. l Another device along the link is incorrectly configured. 2.2.2 Troubleshooting Flowchart When the HUAWEI NetEngine80E/40E functions as the DHCP relay, an Ethernet client enabled with DHCPv4 cannot obtain an IP address. The troubleshooting roadmap is as follows: l Check that the DHCP relay is correctly configured. l Check the link connectivity between the DHCP relay and the DHCP server or between the DHCP relay and the client. l Check that other devices along the link are correctly configured. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 113 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Figure 2-2 shows the troubleshooting flowchart. Figure 2-2 Troubleshooting flowchart for the fault that an Ethernet client fails to obtain an IP address (the HUAWEI NetEngine80E/40E functions as the DHCP relay) A c lie n t fa ils to o b ta in a n IP a d d re s s Is D H C P e n a b le d? No E n a b le D H C P Is fa u lt re c tifie d ? Yes No Yes Is D H C P re la y e n a b le d? No E n a b le D H C P re la y Is fa u lt re c tifie d ? Yes No Yes A re D H C P re la y a ttrib u te s c o rre c t? No C o rre c tly c o n fig u re D H C P re la y a ttrib u te s Is fa u lt re c tifie d ? Yes No Yes Is th e lin k b e tw e e n th e D H C P re la y a n d D H C P s e rv e r/c lie n t n o rm a l? No R e c tify th e lin k fa u lt Is fa u lt re c tifie d ? Yes No Yes A re o th e r d e v ic e s c o rre c tly c o n fig u re d ? No R e c tify th e fa u lt a c c o rd in g to u s e r m a n u a l fo r th e s e d e v ic e s Is fa u lt re c tifie d ? Yes No Yes S e e k te c h n ic a l s u p p o rt End 2.2.3 Troubleshooting Procedure Before performing the following procedure, you can also refer to common causes for users fail to get online to solve this fault. NOTE Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel. Procedure Step 1 Check that the DHCP function is enabled. Run the display current-configuration | include undo dhcp enable command to check whether the DHCP function is enabled. By default, the DHCP function is enabled. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 114 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting l If the command output shows undo dhcp enable, it indicates that the DHCP function is disabled, and you need to run the dhcp enable command to enable the DHCP function. l If there is no command output, it indicates that the DHCP function is enabled. Then, go to Step 2. Step 2 Check that the DHCP relay function is enabled and correct attributes are configured. Run the display dhcp relay address interface interface-type interface-number command. l If there is no command output, it indicates that the DHCP relay function is disabled or the IP address of the DHCP server is not configured. Therefore, run the dhcp select relay command to enable the DHCP relay function, and then run the ip relay address command to configure the IP address of the DHCP server. l If the field, Dhcp Option (DHCP option number), Relay Agent IP (IP address of the relay agent), or Server IP (IP address of the DHCP server), is incorrectly displayed, run the ip relay address command to modify the relevant attribute. l If all these fields are correctly displayed, go to Step 2. Step 3 Check that the link between the DHCP relay and the DHCP server is normal. Run the ping -a source-ip-address destination-ip-address command on the DHCP relay. sourceip-address indicates the IP address of the interface on the DHCP relay connecting to a client, and destination-ip-address indicates the IP address of the DHCP server. l If the ping operation fails, it indicates that a routing fault occurs between the DHCP relay and the DHCP server, and you need to rectify the fault immediately. l If the ping operation succeeds, go to Step 3. Step 4 Check that the link between the DHCP relay and the client is normal. On the client end, configure an IP address to make the client and the DHCP relay on the same network segment (note that the IP address of the client cannot conflict with an assigned IP address). Then, ping the IP address on the DHCP relay to check whether the link between the DHCP relay and the client is normal. l If the ping operation fails, it indicates that a routing fault occurs between the DHCP relay and the client, and you need to rectify the fault immediately. l If the ping operation succeeds, go to Step 4. Step 5 Check that configurations of other devices along the link are correct, including the DHCP server, DSLAM, LAN switch, and the client. Check whether the configurations of these devices are correct based on the device manuals. If not, modify the configurations. After the preceding steps, if the client still cannot acquire an IP address, go to Step 5. Step 6 Collect the following information and contact Huawei technical support personnel. l Results of the preceding troubleshooting procedure l Configuration files, log files, and alarm files of the devices ----End 2.2.4 Relevant Alarms and Logs Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 115 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Relevant Alarms None. Relevant Logs None. 2.3 A PPPoX/IPoX Client Fails to Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Server) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that a PPPoX/IPoX client fails to obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP server. 2.3.1 Common Causes This fault is commonly caused by one of the following: l The client is bound to an incorrect domain. l The IP address pool is incorrectly configured. For example, the IP address pool is configured to be the Server or Remote type, or the IP address pool is locked. l The IP address pool has no assignable IP address. l The BAS interface is incorrectly configured. l The link between the DHCP server and the client is faulty. l Another device along the link is incorrectly configured. 2.3.2 Troubleshooting Flowchart When the HUAWEI NetEngine80E/40E functions as the DHCP server, a PPPoX/IPoX client enabled with DHCPv4 cannot obtain an IP address. The troubleshooting roadmap is as follows: l Check that the IP address pool and BAS interface of the DHCP server are correctly configured and IP addresses can be assigned. l Check the link connectivity between the DHCP server and the client. l Check that other devices along the link are correctly configured. Figure 2-3 shows the troubleshooting flowchart. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 116 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Figure 2-3 Troubleshooting flowchart for the fault that a PPPoX/IPoX client cannot obtain an IP address (the HUAWEI NetEngine80E/40E functions as the DHCP server) A client fails to obtain an IP address Is the interface bound to a correct domain? No Bind the correct domain to the interface Yes Is fault rectified? Yes No Is the domain bound to a correct IP address? No Bind a correct IP address to the domain Is fault rectified? Yes No Yes Is the IP address pool correctly configured. No Rectify the fault according to the specific troubleshooting procedure Yes Is fault rectified? Yes No Does the IP address pool have assignable IP addresses? No Increase the number of IP addresses in the IP address pool or solve the IP address conflict problem Yes Is fault rectified? Yes No Is the BAS interface correctly configured? No Rectify the fault according to the specific troubleshooting procedure Yes Is fault rectified? Yes No Is the link between the DHCP server and the client normal? No Rectify the link fault Is fault rectified? Yes Yes No Are other devices correctly configured? No Rectify the fault according to the user manual for the specific device Yes No Yes Seek technical support Issue 02 (2011-09-10) Is fault rectified? Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. End 117 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting 2.3.3 Troubleshooting Procedure Before performing the following procedure, you can also refer to common causes for users fail to get online to solve this fault. NOTE Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel. Procedure Step 1 Check that the interface connecting to the client is bound to the correct domain. Run the display this command on the interface to check whether the interface is bound to the correct domain. l If the incorrect domain is bound, run the default-domain authentication domain-name command to bind the interface to the correct domain. l If the correct domain is bound, go to Step 2. Step 2 Check that the domain is bound to a correct IP address pool. Run the display domain domain-name command to check the IP-address-pool-name field to see whether the correct IP address pool is bound. l If the incorrect IP address pool is bound, run the ip-pool pool-name command to bind the domain to the correct IP address pool. NOTE The IP address pool specified by pool-name must be created in advance. Details are as follows: l Run the ip pool pool-name local command to create an IP address pool. l Run the gateway ip-address { mask | mask-length } command to create the gateway of the IP address pool. l Run the section section-num start-ip-address [ end-ip-address ] to configure the range of assignable IP addresses. For detailed configurations of the IP address pool, refer to the HUAWEI NetEngine80E/40E Configuration Guide - User Access. l If the correct IP address pool is bound, go to Step 3. Step 3 Check that the IP address pool is correctly configured and IP addresses can be assigned. Run the display ip pool name pool-name command to check whether the corresponding fields have the correct values based on the following check steps. If any field has the incorrect value, rectify the fault based on the following procedure. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 118 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Item Field Correct Value Restoration Procedure Check whether the type of the IP address pool is Local. Position Local If the field is displayed as Remote or Server, run the ip pool poolname bas local command again to configure the IP address pool to the Local type. Check whether the IP address pool is locked. Status Unlocked If the field is displayed as Locked, run the undo lock command to unlock the IP address pool. Check whether the IP address pool has assignable IP addresses. idle If the idle field is displayed as a value larger than 0, it indicates that assignable IP addresses exist in the IP address pool. l If there are conflicting IP addresses, run the reset conflict-ipaddress command to mark the conflicting IP addresses as idle. conflicted If the conflicted field is displayed as 0, it indicates that there are no conflicting IP addresses. l Re-plan the network and increase the number of IP addresses in the IP address pool. After the preceding steps, if the client still cannot acquire an IP address, go to Step 4. Step 4 Check that the interface at the client side and BAS are correctly configured. For detailed configurations of BAS, refer to the HUAWEI NetEngine80E/40E Configuration Guide - User Access. After the preceding steps, if the client still cannot acquire an IP address, go to Step 5. Step 5 Check that the link between the DHCP server and the client is normal. On the client, configure an IP address to make the client and the IP address pool of the DHCP server on the same network segment (note that the IP address of the client cannot conflict with an assigned IP address). Then, ping the IP address on the DHCP server to check whether the link between the DHCP server and the client is normal. l Issue 02 (2011-09-10) If the ping operation fails, it indicates that a routing fault occurs between the DHCP server and the client, and you need to rectify the fault immediately. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 119 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access l 2 Client Fails to Obtain an IP Address Troubleshooting If the ping operation succeeds, go to Step 6. Step 6 Check that the configurations of other devices along the link are correct, including the DHCP relay, DSLAM, LAN switch, and the client. Check whether the configurations of these devices are correct. If not, modify the configurations. After the preceding steps, if the client still cannot acquire an IP address, go to Step 7. Step 7 Collect the following information and contact Huawei technical support personnel. l Results of the preceding troubleshooting procedure l Configuration files, log files, and alarm files of the devices ----End 2.3.4 Relevant Alarms and Logs Relevant Alarms None. Relevant Logs None. 2.4 A PPPoX/IPoX Client Cannot Obtain an IP Address (the HUAWEI NetEngine80E/40E Functions as the DHCP Relay) This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that a PPPoX/IPoX client cannot obtain an IP address when the HUAWEI NetEngine80E/40E functions as the DHCP relay. 2.4.1 Common Causes This fault is commonly caused by one of the following: l The client is bound to an incorrect domain. l The IP address pool is incorrectly configured. For example, the IP address pool is configured to be the Server or Remote type, the IP address pool is locked, or the IP address of the DHCP server is incorrect. l The IP address pool has no assignable IP address. l The BAS interface is incorrectly configured. l The link between the DHCP relay and the DHCP server or between the DHCP relay and the client is faulty. l Another device along the link is incorrectly configured. 2.4.2 Troubleshooting Flowchart When the HUAWEI NetEngine80E/40E functions as the DHCP relay, a PPPoX/IPoX client enabled with DHCPv4 cannot obtain an IP address. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 120 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting The troubleshooting roadmap is as follows: l Check that the IP address pool and BAS interface of the DHCP relay are correctly configured. l Check the link connectivity between the DHCP relay and the DHCP server or between the DHCP relay and the client. l Check that other devices along the link are correctly configured. Figure 2-4 shows the troubleshooting flowchart. Figure 2-4 Troubleshooting flowchart for the fault that a PPPoX/IPoX client cannot obtain an IP address (the HUAWEI NetEngine80E/40E functions as the DHCP relay) A client fails to obtain an IP address Is the interface bound to a correct domain? No Bind the correct domain to the interface Yes No Yes Is the domain bound to a correct IP address pool? No Bind a correct IP address pool to the domain Yes Is fault rectified? Yes No Is the IP address pool correctly configured. No Rectify the fault according to the specific troubleshooting procedure Is fault rectified? Yes No Yes Is the BAS interface correctly configured? No Rectify the fault according to the specific troubleshooting procedure Is fault rectified? Yes No Yes Is the link between the DHCP relay and DHCP server/client normal? No Rectify the link fault Is fault rectified? Yes No Yes No Are other devices correctly configured? Rectify the fault according to the user manual for the specific device Is fault rectified? Yes No Yes Seek technical support Issue 02 (2011-09-10) Is fault rectified? Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. End 121 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting 2.4.3 Troubleshooting Procedure Before performing the following procedure, you can also refer to common causes for users fail to get online to solve this fault. NOTE Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel. Procedure Step 1 Check that the interface on the user end is bound to the correct domain. Run the display this command on the interface to check whether the interface is bound to the correct domain. l If the incorrect domain is bound, run the default-domain authentication domain-name command to bind the interface to the correct domain. l If the correct domain is bound, go to Step 2. Step 2 Check that the domain is bound to a correct IP address pool. Run the display domain domain-name command to check the IP-address-pool-name field to see whether the bound IP address pool is correct. l If the incorrect IP address pool is bound, run the ip-pool pool-name command to bind the domain to the correct IP address pool. NOTE The IP address pool specified by pool-name must be created in advance. Details are as follows: l Run the ip pool pool-name remote command to create an IP address pool. l Run the gateway ip-address { mask | mask-length } command to create the gateway of the IP address pool. l Run the dhcp-server group group-name command to configure the DHCP server group. For detailed configurations of the IP address pool, refer to the HUAWEI NetEngine80E/40E Configuration Guide - User Access. l If the correct IP address pool is bound, go to Step 3. Step 3 Check that the IP address pool and the IP address of the DHCP server are correctly configured. Run the display ip pool name pool-name command to check whether values of the corresponding fields are correct. If any field is displayed with an incorrect value, rectify the fault based on the following rectification procedure. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 122 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Item Field Correct Value Restoration Procedure Check whether the IP address pool is a remote IP address pool. Position Remote If the field is displayed as Local or Server, run the ip pool pool-name bas remote command again to configure the IP address pool to the Remote type. Check whether the IP address pool is locked. Status Unlocked If the field is displayed as Locked, run the undo lock command to unlock the IP address pool. Check whether the IP address pool is configured with an correct DHCP server address. 1. Run the display ip pool name pool-name command to view the DHCP-Group field. Correct DHCP server name and address l If the DHCP server group is incorrectly configured for the IP address pool, configure it correctly by running the dhcp-server group groupname command. 2. Then, run the display dhcpserver group group-name command to view the PrimaryServer and SecondaryServer fields. l If the DHCP server address is incorrectly configured for the IP address pool, configure it correctly by running the dhcp-server ipaddress command. After the preceding steps, if the client still cannot acquire an IP address, go to Step 4. Step 4 Check that the interface at the client side and BAS are correctly configured. For detailed configurations of BAS, refer to the HUAWEI NetEngine80E/40E Configuration Guide - User Access. After the preceding steps, if the client still cannot acquire an IP address, go to Step 5. Step 5 Check that the links between the DHCP relay and the DHCP server and between the DHCP relay and the client are normal. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 123 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Run the ping command on the DHCP relay to check whether the route between the DHCP server and the client is normal. NOTE Since the client cannot acquire an IP address automatically, you need to first assign IP addresses of the same network segment to the interfaces between the client and the DHCP relay (note that the configured IP addresses cannot conflict with existing IP addresses). l If the ping operation fails, it indicates that a routing fault occurs, and you need to rectify the fault immediately. l If the ping operation succeeds, go to Step 6. Step 6 Check that the configurations of other devices along the link are correct, including the DHCP relay, DSLAM, LAN switch, and the client. Check whether the configurations of these devices are correct. If not, modify the configurations. After the preceding steps, if the client still cannot acquire an IP address, go to Step 7. Step 7 Collect the following information and contact Huawei technical support personnel. l Results of the preceding troubleshooting procedure l Configuration files, log files, and alarm files of the devices ----End 2.4.4 Relevant Alarms and Logs Relevant Alarms None. Relevant Logs None. 2.5 Related Troubleshooting Cases 2.5.1 User Fails to Obtain an IP Address from a DHCP Relay Agent Connected to a DHCP Server over Active and Standby Links Fault Symptom A user needs to obtain an address from a remote DHCP server before going online. A router functions as a DHCP relay agent and is connected to a remote DHCP server over active and standby links. The user accessing the DHCP relay agent fails to obtain the address from the DHCP server. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 124 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting Figure 2-5 Networking diagram of DHCP Relay agent connected to a DHCP server over active and standby links DHCP Relay DHCP Server Access Network 10.1.1.2 Access Users Fault Analysis 1. On the router, ping the remote DHCP server. The ping is successful, indicating that the router properly communicates with the remote DHCP server. 2. Run the display current-configuration command to check the router configurations. The router configurations are correct and unchanged. 3. Check the DHCP process on the remote DHCP server. The DHCP process has been started normally. 4. On the remote DHCP server, check whether certain addresses in the DHCP address pool are idle. A number of IP addresses in the DHCP address pool are idle. 5. On the remote DHCP server, check the received DHCPREQUEST messages. DHCPREQUEST messages have been received. The source IP address in the received DHCPREQUEST messages, which is different from the router's source IP address configured on the remote DHCP server, is the interface address of the standby link of the router. 6. On the remote DCHP server, ping the IP address of the connected router interface of the active link. The ping fails, indicating that the active link fails. When the router's active link connected to the remote DHCP server fails, the router sends DHCPREQUEST messages to the remote DHCP server by using the interface of the standby link. The DHCPREQUEST messages carry the interface address of the standby link as DHCP client's source IP address, but the remote DHCP server is configured with the interface address of the active link. The remote DHCP server sends DHCPREPLY messages along the active link. As a result, the router fails to receive the DHCPREPLY messages, and thus the user fails to obtain an address. Procedure Step 1 Perform the following procedures to rectify the fault: 1. Issue 02 (2011-09-10) Create the interface named Loopback 10. Assign an IP address to this loopback interface. Configure a routing protocol on Loopback 10. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 125 HUAWEI NetEngine80E/40E Router Troubleshooting - User Access 2 Client Fails to Obtain an IP Address Troubleshooting After the configuration, the DHCP server can successfully ping Loopback 10 on the router. 2. Run the system-view command to enter the system view. 3. Run the dhcp select relay interface loopback 10 command to enable DHCP relay on Loopback 10. 4. Run the ip relay address 10.1.1.2 interface loopback 10 command to allow Loopback 10 to function as the DHCP server agent. Step 2 On the remote DHCP server, change the DHCP client's source IP address to the address of Loopback 10. The user can obtain an address. The fault is then rectified. Step 3 Repair the active link and configure it as the standby link. ----End Summary l When a DHCP relay agent is connected to a remote DHCP server along active and standby links, configure the remote DHCP server with client's source IP address to a logical interface (for example, a loopback interface) of the DHCP relay agent, preventing packet loss after a physical link fails. l It is recommended that you restore the services before rectifying the link fault in the case of service interruption caused by the active link failure and active/standby switchover. Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 126

Huawei - Troubleshooting - User Access

Related documents

Products

Support

Huawei - Troubleshooting - User Access

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib