11-29-2012 05:48 AM
I am trying to troubleshoot RFC3576 disconnects. When I delete a user account on the Amigopod, I get " Deleted guest account bmctest3. Connection is not connected to a NAS supporting disconnects."
I am on Amigopod 3.7, with AOS 22.214.171.124 code. I have an RFC3576 object configured and also added to the AAA profile. Actually, I have two RFC-3576 objects defined in both places, because I wasn't sure if the 3576 request comes from the Virtual HA Cluster IP or the interface IP of the Amigopod. I have 1812, 1813 open on the firewall from Controller --> Amigopod (this has been in place and working fine for authenticating users). For testing, I have opened 1812, 1813 and 3799 in both directions with still no luck. We need 1812, 1813 from Controller --> Amigopod for normal auth of users, but what FW rules do we need for 3799 -- from Amigopod --> Controller only?
I started a packet capture on the Amigopod for RADIUS traffic, and I only see normal RADIUS auth traffic from the Controller to the Amigopod -- I don't see the Amigopod trying to send a deauth packet to the controller. Also, I don't see any activity on the FW rules I have in place for testing for port 3799.
It seems like the Amigopod isn't even trying to send disconnects to the controller -- any ideas?
11-29-2012 12:47 PM
The _only_ way to get the error you are stating is when the nastype does not contain '3576'. Is the NAS address in the sessions list exactly the same as you have in the NAS List? Something must be making that lookup fail.
11-30-2012 10:35 AM
That was it, we had our two Aruba controllers defined in the Amigopod NAS list, but I didn't have the HA VRRP IP defined. I added the VRRP IP as a 3rd NAS and it is working now! Thank you.
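For the packet-capture step discussed above, an added example (not part of any post in this thread, and not Amigopod or Aruba code) that decodes a UDP/3799 payload and checks its Request Authenticator as defined in RFC 5176, the successor to RFC 3576. The sample packet, the shared secret and the NAS address 192.0.2.10 are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
USER_NAME, NAS_IP_ADDRESS = 1, 4  # RADIUS attribute types

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def parse_packet(data, secret):
    """Decode one UDP/3799 payload and verify the authenticator on requests."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("Length field does not match the payload")
    attrs, pos, found = data[20:length], 0, {}
    while pos < len(attrs):  # walk the type-length-value attributes
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[pos]] = attrs[pos + 2:pos + alen]
        pos += alen
    result = {"code": CODES.get(code, f"code {code}"), "id": ident}
    if code in (40, 43):  # only requests carry a Request Authenticator
        expected = request_authenticator(code, ident, attrs, secret)
        result["authenticator_ok"] = hmac.compare_digest(expected, data[4:20])
    if USER_NAME in found:
        result["user"] = found[USER_NAME].decode(errors="replace")
    if len(found.get(NAS_IP_ADDRESS, b"")) == 4:
        result["nas_ip"] = str(ipaddress.IPv4Address(found[NAS_IP_ADDRESS]))
    return result

def build_sample(secret):
    """Constructed Disconnect-Request used as demo input (not captured traffic)."""
    user = b"bmctest3"
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address("192.0.2.10").packed
    auth = request_authenticator(40, 7, attrs, secret)
    return struct.pack("!BBH", 40, 7, 20 + len(attrs)) + auth + attrs

if __name__ == "__main__":
    secret = b"example-secret"  # constructed shared secret
    print(parse_packet(build_sample(secret), secret))
    print(parse_packet(build_sample(secret), b"wrong-secret"))
```

An `authenticator_ok` value of `False` on a captured request points to a shared-secret mismatch between the sender and the NAS, which a receiver treats as grounds to silently discard the packet.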
06-06-2014 08:47 AM
Just wanted to add my findings to this as it may help someone down the road. When doing a client-debug I came across the RFC messages "User entry deleted: reason=RFC 3576 disconnect". I had made 2 adjustments in the end. I don't recall which one was the one that resolved this issue.
In my case we were using the ClearPass server; the CP server was hosting the Web Portal for Captive Portal. I had gone into the AAA Profiles, and selected the server that was used for authentication. I had removed the RFC 3576 Server from this config. I also went into the L3 Authentication for the Captive Portal Auth, where I had added the option "Add switch IP address in the redirection URL".
After both of these were complete, I no longer received the RFC 3576 disconnects.
Hope this helps someone down the road.