Manuals / NEC / Computer Equipment / Network Hardware

NEC IP8800/S3600, IP8800/S6600, IP8800/S2400 manual Layer 2 Authentication Communication Failure

Models: IP8800/S6700 IP8800/S3600 IP8800/S6600 IP8800/S6300 IP8800/S2400

1 250

Download 250 pages 34.34 Kb

Page 151

3. Troubleshooting Functional Failures in Operation

3.12 Layer 2 Authentication Communication Failure

3.12.1Communication Failure on Using IEEE 802.1X

If authentication is disabled when using IEEE 802.1X, isolate the problem by following failure analysis methods shown in the table below.

Table 3-48: IEEE 802.1X Failure Analysis Method

No.	Troubleshooting Steps and Command		Action

1	Execute the show dot1x command and	If "Dot1x doesn't seem to be running" is displayed, IEEE802.1X has stopped.
	check the operation status of the	Check to see if the dot1x system-auth-controlcommand is set in the
	IEEE802.1X.	configuration.
		Go to No. 2 if "System 802.1X: Enable" is displayed.

2	Execute the show dot1x statistics	If RxTotal of [EAPOL frames] is 0, the terminal does not send EAPOL. If
	command and confirm that EAPOL is	RxInvalid or RxLenErr is not 0, illegal EAPOL has been received from the
	exchanged.	terminal. When illegal EAPOL is received, log is recorded. The log can be
		browsed using show dotlx logging command. The log shows the "Invalid
		EAPOL frame received" message and the contents of illegal EAPOL. Check the
		Supplicant setting on the terminal.
		Otherwise, go to No. 3.

3	Execute the show dot1x statistics	If "TxTotal" of [EAP overRADIUS frames] is set to 0, it indicates that no data is
	command and confirm that data is sent to the	sent to the RADIUS server. Confirm the following:
	RADIUS server.	•	Check to see if aaa authentication dot1x default group
			radius is set by the configuration command.
		•	Check to see if the configuration command radius-server host is set
			correctly.
		• If the authentication mode is port authentication or VLAN authentication
			(static), confirm that the authentication terminal is not registered by the
			configuration command mac-address-table static. If the
			authentication mode is VLAN authentication (dynamic), confirm that the
			authentication terminal is not registered by the configuration command
			mac-address.
		• If the authentication mode is VLAN authentication (dynamic), check to see if
			aaa authorization network default group radius is set by
			the configuration command.
		Otherwise, go to No. 4.

4	Execute the show dot1x statistics	If "RxTotal" of [EAP overRADIUS frames] is set to 0, packets are not received
	command and confirm that data is received	from the RADIUS server. Confirm the following:
	from the RADIUS server.	• If the RADIUS server is accommodated in the remote network, confirm that the
			route to the remote network exists.
		• Confirm that the port of the RADIUS server is excluded from authentication.
		Otherwise, go to No. 5.

5	Execute the show dot1x logging	• If "Invalid EAP over RADIUS frames received" is output, illegal packets are
	command and check exchange with the		received from the RADIUS server. Check to see if the RADIUS server is
	RADIUS server.		normally operating.
		• If "Failed to connect to RADIUS server" is output, connection to the RADIUS
			server failed. Check to see if the RADIUS server is normally operating.
		Otherwise, go to No. 6.

89

Image 151

NEC IP8800/S3600, IP8800/S6600 manual Layer 2 Authentication Communication Failure, Communication Failure on Using Ieee

Contents

IP88S36-T001-000 Troubleshooting GuideCopyright c 2009, NEC Corporation, All rights reserved November, 2009 1st Edition IP88S36-T001-000Intended users IntroductionApplicable product Correction of this manualIP8800/S6700, IP8800/S6600, IP8800/S6300 Troubleshooting Guide IP88S36-T001Operation Commands, Vol.1 IP88S63-S006 IP8800/S3600, IP8800/S2400Introduction IIIBGP4+ Conventions abbreviationsCIR MIP Conventions kB, MB, GB, and TB Page Contents IPv4 Network Communication Failure Layer 2 Authentication Communication FailureNetwork Interface Communication Failure Layer 2 Network Communication FailureSnmp Communication Failure 110 Problems on Power Saving Feature 123When Resource Shortage Occurs in Shared Memory 135 Communication Failure on High-reliability Function 103Restarting the System 160 Transferring Files for Maintenance Information 144Testing Line 154 Writing to MC 152Be careful in operation Safety guide for the IP8800/S6700 seriesSymbols Operations and actionsDo not put foreign matters in the device Do not use power not specifiedDo not place the device in an unstable location Do not remove the device coverDo not touch the potential tap Grounding is requiredDo not plug too many leads into a single outlet Handle the power cable with cautionKeep air dusters away from fire Before carrying the device, remove the cables Do not install the device in a humid or dusty environmentDo not stack the devices Do not block the intake and/or exhaust portDo not drop an optional component Do not roughly handle the power cableDo not touch the inside of the device An SFP-T has the following label attached Lithium batteryCleaning Be careful of laser beamsDo not attach a label or the like to the transceivers Handle a memory card with careAttach an option component with care Use air dusters with care Handle the optical connector with careMaintenance and cleaning Do not bring a TV or radio close to the devicePage Safety guide for the IP8800/S6600 series Safety Guide IP8800/S6600Do not place the device in an unstable location Safety Guide IP8800/S6600Model Mass Number of people XixIP8800/S6604 45 kg/100 lb Or more IP8800/S6608 64 kg/142 lb Label below is attached to the device Handle the power cable with cautionKeep air dusters away from fire IP8800/S6604 Use support brackets only for IP8800/S6604Use support brackets with care Model ItemsDo not block the intake and/or exhaust port Do not roughly handle the power cable Lithium battery Handle a memory card with care Attach an option component with care Do not bring a TV or radio close to the device Safety guide for the IP8800/S6300 series Safety Guide IP8800/S6300Do not place the device in an unstable location Safety Guide IP8800/S6300Grounding is required IP8800/S6304 45kg/100 lb Or more IP8800/S6308 64kg/142 lb Model Mass Number of peopleKeep air dusters away from fire IP8800/S6304 Use support brackets only for IP8800/S6304Do not block the intake and/or exhaust port Do not roughly handle the power cable Lithium battery Handle a memory card with care Damaged by the static electricity Attach an option component with careDo not bring a TV or radio close to the device Operations and Handling Safety guide for the IP8800/S3600 and IP8800/S2400 seriesDo not put foreign materials in the device Safety Guide IP8800/S3600 IP8800/S2400Device in Trouble Action to Be Taken Do not use power not specified Do not use too many plugs at a single outlet Do not use the cable with the protection cap detachedDo not block the intake/exhaust port Do not place the device in an unstable locationXlvi Precaution on carrying the deviceBe careful of the laser beams Do not touch the device directly if you have metal allergiesDo not ride, recline, or place a heavy loading on the device Do not bring a TV or radio close to the device Handle a memory card and a dummy memory card with care Before installing or UninstallingDiscarding the device Use air dusters with carePage Overview Overview Failure Analysis OverviewSystem and Partial Failure Analysis Overview LED Indications, Switches, and ConnectorsName Type Status Description Failure Analysis for IP8800/S3600 and IP8800/S2400 Connecting operation terminalOverview Name Type Status Description LED Green Lit in green Power on OFF Power OFF or power failureConnector Memory card slot Name Type Function DescriptionBlocked Overview Name Type Function DescriptionOrange 100/1000BASE-T Ethernet port Sent/receivedFunctional Failure Status and Reference Functional Failure Analysis OverviewSubitem Reference Overview Subitem Reference Schedule Is Disabled IP8800/S6700 Time Synchronization by NTP Is DisabledActive System Switchover Is Disabled Active BSU Switchover Is DisabledPage Troubleshooting System Failures Failure Action Troubleshooting Procedure on System FailuresTroubleshooting System Failures Troubleshooting System FailuresTroubleshooting System Failures Action Power Failure Check ItemsReplacement Method of Optional Components Follow the steps in -4 Isolating Power Supply Failure Troubleshooting for IP8800/S3600 and IP8800/ S2400Power failure according to -4 Isolating Power Supply Isolating Power Supply FailureFailures on External Power Unit to isolate the failure Isolating Failures on Power Module Isolating Failures on External Power UnitIsolating Failures on External Power Unit Isolating Failures on External Power Unit Main BodyReplacement Method of System and Optional Components Troubleshooting Functional Failures in Operation Troubleshooting Functional Failures in Operation Forgot the Login User Password Problems on Login PasswordForgot the System Administrator Password Instruction in -1 Problems and Actions When MC Problems on MCMC not found is displayed when MC is accessed Problems and Actions When MC not found is displayedSystem and Partial Failure Analysis Overview Problems on Operation TerminalProblems and Actions When Connecting to Console Unable to Input/Display from the Console CorrectlyProblems and Actions When Connecting to Modem Login from the Remote Operation Terminal Is FailedSymptom Action to Be Taken or Reference Some users remain in the login Login Authentication Using RADIUS/TACACS+ Is DisabledCommand Authorization Using RADIUS/TACACS+ Is Disabled Disabled, check No or laterTroubleshooting Functional Failures in Operation Checking port status NIF Status Problem ActionNetwork Interface Communication Failure Ethernet Port Cannot Be ConnectedChecking statistical information Port Status Problem ActionCheck and Action for Port Status Check and Action for BSU/PSP Operation Status Communication Failure in Basic Switching Unit BSU/PSPBSU Operation Problem Action Status Checking BSU/PSP operation statusConfiguration of Basic Switching Unit BSU Status, see 3.20 Problems on RedundantActions against Troubles on 10BASE-T/100BASE-TX/ 1000BASE-T Troubleshooting Steps Problem Action Troubleshooting for Failed 10BASE-T/100BASE-TX/1000BASE-T10 Failure Analysis Method for Troubles on 1000BASE-X Actions against Troubles on 1000BASE-XActions against Troubles on 10GBASE-R 11 Failure Analysis Method for Troubles on 10GBASE-R Troubleshooting Functional Failures in OperationTroubleshooting Steps and Command Action Communication Failure on Using PoEAllocations Communication Failure on Using Link AggregationFunction of the port by the power inline command Check the setting of failed link aggregationTion, set the Duplex mode to Full Check the setting of failed port status usingCH Disabled Link aggregation group is Disabled and DownLayer 2 Network Communication Failure Layer 2 Communication by Vlan Is DisabledChecking Vlan status Take the action below according to the Type displayed Checking MAC address tableChecking filtering/QoS Failures on Using Spanning TreeFlooding is executed if the MAC address is not displayed 14 Spanning Tree Failure Analysis Method Failures on Using Ring ProtocolSee 3.4 Network Interface Communication Failure Analysis Flow Replace the faulty PartsTroubleshooting Steps Action Command 15 Ring Protocol Failure Analysis MethodSpanning tree or Gsrp is used at Configurations Same time Command to check timer values forTransmission delay is not considered See the manual Configuration GuideMulticast Relay by Igmp snooping Is Disabled Multicast in the VLAN. IP8800/S3600 16 Troubleshooting on Multicast RelayHas been set up appropriately for system operation Show system commandGroup address If a multicast router is connected, check mrouter-portIs it a relay within the same VLAN? Multicast Relay by MLD snooping Is DisabledCheck the following You want to use IPv6 multicast at 17 Troubleshooting on Multicast RelayUsing the show mld-snooping IPv4 Network Communication Failure Communication Is Disabled or Is DisconnectedRoute Checking logChecking interface status Checking ARP resolution information with neighboring systemChecking option license OP-NPAR OP-NPAR Checking DHCP/BOOTP setting informationChecking filtering/QoS setting information Checking unicast routing informationDHCP/BOOTP relay communication failure IP Addresses Cannot Be Assigned Using Dhcp FunctionChecking the log and interface Checking ARP resolution information with neighboring systemChecking route information Checking DHCP/BOOTP setting information Checking filtering/QoS setting informationDhcp server communication trouble Checking the log message and interface Checking configurationAssociated with each log message Checking layer 2 network DynamicDNS Cooperation in Dhcp Function Is DisabledSystem DNS update disabled Check the configurationChecking route information 18 RIP Failure Analysis Method IPv4 Unicast Routing Communication FailureNo RIP Routing Information Exists No Ospf Routing Information Exists21 VRF Failure Analysis Method No BGP4 Routing Information ExistsNo Routing Information Exist OP-NPAR 20 BGP4 Failure Analysis Method22 Common Check Items Communication on IPv4 PIM-SM Network Is DisabledIPv4 Multicast Routing Communication Failure Common check itemsBSR check items 24 Rendezvous Point Router Check Items Rendezvous point router check itemsLast-hop-router check items 23 BSR Check ItemsFirst-hop-router check items Multicast Data Is Double-relayed on IPv4 PIM-SM Network26 first-hop-router Check Items Multicast Sender First-hop-router Last-hop-router Data Communication on IPv4 PIM-SSM Network Is Disabled27 Check Items When Double-relay Continues 28 Common Check Items29 last-hop-router Check Items 30 first-hop-router Check Items Multicast Data Is Double-relayed on IPv4 PIM-SSM NetworkIs Double-relayed on IPv4 PIM-SSM Network 31 Check Items When Double-relay Continues5 IPv4 Multicast Communication Failure In VRF OP-NPAR 32 Check Items for VRFIPv6 Network Communication Failure Checking the log and interface Checking NDP resolution information with neighboring systemChecking unicast interface information Checking RA setting information 2 IPv6 Dhcp TroubleshootingConfiguration is not distributed See the manuals Message Log Reference Checking the status of the IPv6 Dhcp server in this systemCheck the status of IPv6DHCP server Duplicate acquisition by the client Procedure to check configurationProcedure for restoring from duplicate distribution Checking client settingCondition Cause Binding Information Route Information Reproducing the Duid Reconfiguring route informationIf Duid of this system conflicts with other system Deleting the file containing Duid informationChecking the Duid 35 Failure Analysis of RIPng 10 IPv6 Unicast Routing Communication FailureNo RIPng Routing Information Exists No OSPFv3 Routing Information ExistsGo to No.5 if no route exist Hop address resolution in BGP4+ exist ExistsNo BGP4+ Routing Information Exists 37 BGP4+ Failure Analysis Method11 IPv6 Multicast Routing Communication Failure Communication on IPv6 PIM-SM Network Is Disabled38 Common Check Items If the unicast route does not exist, see 3.10 IPv6 Unicast Neighboring router using the show ipv6 pimCommand with interface parameter specified Relay target group address Rendezvous point setting41 last-hop-router Check Items Multicast receiver Configuration to run MLD39 BSR Check Items 40 Rendezvous Point Router Check ItemsMulticast Data Is Double-relayed on IPv6 PIM-SM Network 43 Check Items When Double-relay Continues42 first-hop-router Check Items 44 Common Check Items Communication on IPv6 PIM-SSM Network Is DisabledTo the ports to which neighboring routers connect 45 last-hop-router Check Items For MLD snooping Multicast Data Is Double-relayed on IPv6 PIM-SSM Network46 first-hop-router Check Items Group join function is runningTroubleshooting Functional Failures in Operation 47 Check Items When Double-relay ContinuesCommunication Failure on Using Ieee Layer 2 Authentication Communication Failure48 Ieee 802.1X Failure Analysis Method To see if authentication failed Following cause. Check to see if there is any problemTable setting failed Authentication dynamic mode, go to NoTunnel-Type for the Radius server to VLAN13 Command and check to see if dynamicAssignment of Vlan authentication Authentication dynamic. Match the Vlan ID set for50 Failure Analysis Method for Web Authentication Communication Failure on Using Web AuthenticationPort for authentication Check to see authentication Ipv4 access listConfirm that authentication IPv4 access list is applied IPv4 access list are set in the access list as wellRestarted. The Web server starts to perform authentication AuthenticatedCommand Soon After Suspended When Web Server Is restarted UsingCheck Point Troubleshooting Steps 51 Checking Web Authentication ConfigurationSetting Information Failure Analysis Method for Web Authentication 52 Web Authentication Failure Analysis Method53 Failure Analysis Method for MAC Authentication Communication Failure on Using MAC AuthenticationConfiguration command mac-authentication port IPv4 access list is appliedNot applied to the port for authentication Authentication is displayed by the show To No.7Failure Analysis Method for MAC Authentication Communication Failure on Using Authentication Vlan OP-VAA54 Checking MAC Authentication Configuration 55 MAC Authentication Failure Analysis Method100 56 Authentication Vlan Failure Analysis MethodWhen Vlan Identification Table Resource Shortage Occurs 57 Checking Authentication Vlan Configuration101 102 Gsrp Communication Failures Communication Failure on High-reliability Function104 60 Analysis Method for Gsrp Unknown Adjacency105 61 Vrrp Failure Analysis Method106 107 62 Vrrp Failure Analysis Method108 109 Set up, and the virtual router may operate. IP8800/S3600MIBs Cannot Be Obtained from Snmp Manager Snmp Communication FailureTraps Cannot Be Received by Snmp Manager 111 Checking route to the collector Checking operation status by operation commandChecking configuration Checking failures etc SFlow Packets Do Not Reach CollectorCollector information must be set correctly Checking configurationChecking NIF/port status Checking settings of collector114 Checking transmission interval of counter sample Flow Sample Does Not Reach CollectorCounter Sample Does Not Reach Collector Checking presence/absence of the relay packet64 Failure Analysis When Using Oadp Function 63 Failure Analysis Method When Using Lldp FunctionsNetwork Interface Communication Failure Otherwise, see 3.5 Layer 2 Network Communication Failure Checking Filtering/QoS Setting Information to check for it117 Otherwise, see 3.4 Network Interface Communication FailureNTP Communication Failure Time Synchronization by NTP Is Disabled65 NTP Failure Analysis Method Port Becomes Inactive Due to IEEE802.3ah/UDLD Function Communication Failure on IEEE802.3ah/UDLD Function67 Problems and Actions When Switching Active System Active System Switchover Is DisabledCause for Switchover Disabled Troubleshooting Steps 68 Failure Analysis Method When BSU Switchover Disabled Active BSU Switchover Is DisabledBoards 122Display of Result Confirmation Cause Action Problems on Power Saving FeatureSet to disabled, delete the entry that is Schedule error caused byNeighboring system in 3.9.1 Communication Is Disabled or Is Neighboring system in 3.6.1 Communication Is Disabled or IsDisconnected 125 Checking Filtering/QoS Setting Information Communication Failure Caused by Settings of Filtering/QoSChecking packet discarding by filtering 127 IP8800/S3600 and IP8800/S2400Page 129 IP8800/S6700 IP8800/S6600 IP8800/S6300Operation Log Message for Checking Resource Use Status MAC Address Table Resource ShortageChecking Resource Usage of MAC Address Table Operation Log Message for Checking Resource UsageFile Name Specified for get Log Message 131132 Checking Vlan Identification Table Resource Usage Tag translation function Vlan setting.*1Vlan Identification Table Entry Clear Method Entry to Be Cleared StepChecking Resource Usage of Shared Memory When Resource Shortage Occurs in Shared MemoryPage 137 Collecting Failure InformationFile Name Specified for get Acquiring Basic Information Collecting Failure InformationAvailable Information via ftp Collecting Failure Information139 Collecting basic informationCollecting memory dump when communication failure occurs Collecting Failure Information Using dump Command IP8800140 141 After above log is displayed, execute next the dump command142 143 Maintenance Information Transferring Files for Maintenance InformationStorage Location and File Name File Transfer Transferring dump files to the remote operation terminal Transferring Files Using ftp Command145 146 147 ETA148 Transferring failure backup information files to a consoleTransferring dump files to a console Transferring log information to a console149 IP8800/S6700 IP8800/S6600 IP8800/S6300150 Files That Can Be Acquired Using ftp CommandFile Name Specified for Acquired Files 151 10 Collecting Dump Files from the Remote TerminalWriting to MC Writing File to MC Using Operation Terminal153 Line TestLine Test Type for Each Frame Loopback Point Testing LineEthernet Port Checking frame loopback within system155 Command IP8800/S6700 IP8800/S6600 IP8800/S6300156 Checking frame loopback at a loop connector157 Page 159 Restarting the SystemRestarting the System Restarting the SystemParameter to input Active Standby None 161Set the system to restart Or stop Specifying when162 163 Selecting CPU Memory Dump TypeCollecting memory Dump Back to command input mode164 Collect Memory dump? Memorydump is Restart?165 AppendixAppendix a Contents of show tech-support Command Display 167 168 169 170 171 172 173 IP8800/S3600 Table A-2 Details of Display Contents IP8800/S3600174 175 Information 2 for Ver.10.7 Earlier Update for Ver.11.1 and later176 Log information during software177 178 179 180 IP8800/S2400 Table A-3 Details of Display Contents IP8800/S2400181 182 Information on L2 loop detection For Ver.10.7 and later 183MLD snooping group information Built-in WEB authentication DB For Ver.10.3 and laterAuthenticated user account 184185 Page 187 IndexIndex 188