|
|
This chapter provides information to help you identify and resolve potential problems with your CiscoSecure Global Roaming Server (GRS) software.
If you are having problems with your CiscoSecure GRS system, check these items first:
The following examples are situations you might encounter when using CiscoSecure GRS. Symptoms are listed in alphabetical order:
Symptom Authentication, authorization, or accounting (AAA) information not being received correctly.
Possible Cause Make sure the ports are configured correctly for the AAA vendor protocol you are using; for example, Livingston supports only port 1645. If you are using an older NAS, you might be able to use only port 1645, while CiscoSecure GRS must listen to both ports 1645 and 1646. If the ACS is using RADIUS, you cannot use ports 1645 and 1646.
Recommended Action Reconfigure your NAS or ACS to use different ports; for example, 1745 and 1746. See your NAS or ACS documentation.
Symptom Backup ACS not being used.
Possible Cause CiscoSecure GRS will cycle to the next ACS in the list only if no response at all is received from the previous ACS. The shared secret might be incorrect or the first ACS might be generating an error message.
Recommended Action Make sure the shared secret in CiscoSecure GRS matches the shared secret of the ACS. Correct the condition on the ACS that is causing the error message to be generated, or remove the first ACS from the list.
Symptom Cannot authenticate to the home gateway (HG) when using Virtual Private Dial-Up Network (VPDN).
Possible Cause CiscoSecure GRS will not strip to the HG.
Recommended Action Create fully qualified domain names for the HG identifier, tunnel ID, and user on the HG.
Symptom Changes made in the graphical user interface (GUI) are not taking effect.
Possible Cause Changes were not committed.
Recommended Action Click Add or Update, then Commit.
Symptom Changes made to data stores are not displayed.
Possible Cause Data store information has not been refreshed.
Recommended Action Either wait 10 minutes for the data stores to reload, or restart CiscoSecure GRS.
Symptom Changes made to Properties are not taking effect.
Possible Cause Properties information has not been refreshed.
Recommended Action Restart CiscoSecure GRS.
Symptom Data stores are incorrect.
Possible Cause Environment variables not set or set incorrectly.
Recommended Action See the "Setting Environment Variables" section for instructions.
Symptom CiscoSecure GRS cannot connect to the NAS or ACS.
Possible Cause Shared secrets or authentication/accounting ports do not match.
Recommended Action Make sure the shared secrets match. The shared secret of the NAS must match the CiscoSecure GRS shared secret for the NAS, and the shared secret for the ACS must match the CiscoSecure GRS domain shared secret. Make sure the authentication/accounting ports match and are configured correctly.
Symptom CiscoSecure GRS cannot communicate with the RADIUS NAS.
Possible Cause RADIUS vendor types do not match.
Recommended Action Make sure you are using the same vendor type (for example, Cisco RADIUS) on both the CiscoSecure GRS and the NAS.
Symptom Local accounting records are not being received.
Possible Cause No valid user profile in CiscoSecure ACS.
Recommended Action Create a valid user profile in CiscoSecure ACS. See your CiscoSecure ACS 2.3 for UNIX User Guide.
Symptom MaxSessions is not operating properly.
Possible Cause Accounting is not enabled.
Recommended Action Make sure accounting is enabled.
Symptom MaxSessions information displayed in web browser is incorrect.
Possible Cause MaxSessions information was not updated after it was changed.
Recommended Action Click Reload or Refresh in your web browser to update MaxSessions information.
Symptom Multiple packets are being resent.
Possible Cause Multiple timeouts are taking place.
Recommended Action Increase the timeout parameter of the NAS to 20 seconds or more, turn off debugging on the NAS, or turn off debugging on the HG if you are using VPDN.
Symptom No username in VPDN.
Possible Cause The CiscoSecure GRS is the same as the VPDN domain, and full stripping is enabled on the NAS, so the user is blank.
Recommended Action Turn off full stripping on the NAS.
Symptom NSM_Error in CiscoSecure GRS log file.
Possible Cause The entries in the /etc/services file override the settings in the grs.ini file.
Recommended Action Use the GUI to change port settings. See "Configuring CiscoSecure GRS" for instructions.
Symptom Unable to communicate after stopping VPDN.
Possible Cause The NAS was not reloaded after CiscoSecure GRS stopped using VPDN.
Recommended Action Reload the NAS. See your NAS documentation for more information.
Symptom GUI does not respond.
Possible Cause The active CiscoSecure GRS window or dialog box is hidden by another window or dialog box.
Recommended Action Relocate windows and dialog boxes to reveal the CiscoSecure GRS window or dialog that requires attention. Click, select, or type in information that is required to close the window or dialog.
The flatfile data store produces .bak files in the working directory. If CiscoSecure GRS shuts down unexpectedly for any reason, there is a slight chance that the .db files might get corrupted. If this happens, just copy the .bak file for the corrupted file(s) to .db, restart CiscoSecure GRS, and continue working. The .bak files are located in the $GRSHOME/etc/.working directory.
The .bak files will always lag the .db files by one transaction, so only the last transaction before the unexpected system shutdown will be lost.
Use the following commands to troubleshoot your Cisco Systems NAS:
There are additional debug commands for VPDN:
See the documentation for your Cisco Systems NAS for more information on these commands.
Posted: Wed Feb 24 12:12:47 PST 1999
Copyright 1989-1999©Cisco Systems Inc.