Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor I

Dynamic Segmentation: User Data Retrieval of type 1 for user failed

I've configured a 2930F with local user roles, and the client gets assigned that role fine from ClearPass. With 'show port-access clients' I can see the user is connected to the network with the correct user role. However, when I try to enable user-based tunneling, I'm getting these error messages.

 

2930F(eth-5)# enable
2930F(eth-5)#
I 10/08/19 18:32:12 00435 ports: port 5 is Blocked by AAA
0012:18:51:21.95 TNT mtnodeUserCtrl:aqLookupSpecify failed: result= -13
0012:18:51:21.95 TNT mtnodeUserCtrl:User Data Retrieval of type 1 for user b827eb-cb3eea failed
0012:18:51:21.95 TNT mtnodeUserCtrl:userTNodeProcAddUserReq: UAC FSM failed for USER_TNODE_UAC_START_EVT
I 10/08/19 18:32:12 00076 ports: port 5 is now on-line
I 10/08/19 18:32:12 00001 vlan: TUNNELED_NODE_SERVER_RESERVED virtual LAN enabled (11 times in 60 seconds)
I 10/08/19 18:32:12 00002 vlan: TUNNELED_NODE_SERVER_RESERVED virtual LAN disabled (11 times in 60 seconds)

And then the result=-13 error just repeats.

I have configured the secondary user role:

 

aaa authorization user-role name "UBT-LUR-Camera"
   policy "camera"
   vlan-id 3308
   tunneled-node-server-redirect secondary-role "UBT-Camera"

And on the mobility controller I have role UBT-Camera with VLAN 3308 enabled and with allowall ACL.

 

Connection to the controllers also seems fine:

# show tunneled-node-server state

 Local Master Server (LMS) State

 LMS Type     IP Address       State        Capability Role
 Primary   :  10.133.5.61      Complete     Per User   Operational Primary
 Secondary :  10.133.5.62      Complete     Per User   Operational Secondary

Any tips for troubleshooting this?

 

Thanks!
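The event-log lines quoted in the post are regular enough to be checked mechanically, which helps when the `result= -13` line "just repeats" across many port bounces. The script below is an added example (my own code, not from the post or from Aruba): it parses the lines above, ties each `aqLookupSpecify` result code to the MAC on the following `User Data Retrieval ... failed` line, and flags the reserved tunnel VLAN being enabled and disabled in a loop. The regular expressions, the function names and the flap threshold are my assumptions about the log format, not a documented schema; the sample log is constructed from the lines in the post.

```python
import re

# Constructed sample input: the switch event-log lines quoted in the post above.
SAMPLE_LOG = """\
I 10/08/19 18:32:12 00435 ports: port 5 is Blocked by AAA
0012:18:51:21.95 TNT mtnodeUserCtrl:aqLookupSpecify failed: result= -13
0012:18:51:21.95 TNT mtnodeUserCtrl:User Data Retrieval of type 1 for user b827eb-cb3eea failed
0012:18:51:21.95 TNT mtnodeUserCtrl:userTNodeProcAddUserReq: UAC FSM failed for USER_TNODE_UAC_START_EVT
I 10/08/19 18:32:12 00076 ports: port 5 is now on-line
I 10/08/19 18:32:12 00001 vlan: TUNNELED_NODE_SERVER_RESERVED virtual LAN enabled (11 times in 60 seconds)
I 10/08/19 18:32:12 00002 vlan: TUNNELED_NODE_SERVER_RESERVED virtual LAN disabled (11 times in 60 seconds)
"""

# Patterns written from the lines above (an assumption about the format, not a documented schema).
RESULT_RE = re.compile(r"mtnodeUserCtrl:aqLookupSpecify failed: result=\s*(-?\d+)")
RETRIEVAL_RE = re.compile(r"User Data Retrieval of type (\d+) for user ([0-9a-fA-F]{6}-[0-9a-fA-F]{6}) failed")
FSM_RE = re.compile(r"UAC FSM failed for (\w+)")
FLAP_RE = re.compile(r"vlan: (\S+) virtual LAN (enabled|disabled) \((\d+) times in (\d+) seconds\)")
PORT_RE = re.compile(r"ports: port (\d+) is (Blocked by AAA|now on-line)")


def analyze_ubt_log(text):
    """Walk the log once and collect the tunneled-node (TNT) failure evidence."""
    report = {"result_codes": [], "failed_users": {}, "fsm_failures": [],
              "vlan_flaps": {}, "port_events": []}
    pending_code = None  # aqLookupSpecify result, attributed to the next failed-user line
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            pending_code = int(m.group(1))
            report["result_codes"].append(pending_code)
            continue
        m = RETRIEVAL_RE.search(line)
        if m:
            mac = m.group(2).lower()
            entry = report["failed_users"].setdefault(mac, {"types": [], "codes": []})
            entry["types"].append(int(m.group(1)))
            if pending_code is not None:
                entry["codes"].append(pending_code)
                pending_code = None
            continue
        m = FSM_RE.search(line)
        if m:
            report["fsm_failures"].append(m.group(1))
            continue
        m = FLAP_RE.search(line)
        if m:
            vlan, state, count, secs = m.groups()
            report["vlan_flaps"].setdefault(vlan, {})[state] = (int(count), int(secs))
            continue
        m = PORT_RE.search(line)
        if m:
            report["port_events"].append((int(m.group(1)), m.group(2)))
    return report


def findings(report, flap_threshold=5):
    """Turn the report into one line per condition worth escalating."""
    out = []
    for mac, entry in report["failed_users"].items():
        codes = ", ".join(str(c) for c in entry["codes"]) or "n/a"
        out.append(f"UBT add failed for {mac}: data retrieval type(s) {entry['types']}, "
                   f"lookup result code(s) {codes}")
    for vlan, states in report["vlan_flaps"].items():
        count, secs = max(states.values())
        if count >= flap_threshold:
            out.append(f"{vlan} was enabled/disabled {count} times in {secs}s: "
                       f"the switch keeps bringing the tunnel VLAN up and tearing it down")
    if report["fsm_failures"]:
        out.append("UAC FSM events that failed: " + ", ".join(sorted(set(report["fsm_failures"]))))
    return out


if __name__ == "__main__":
    for line in findings(analyze_ubt_log(SAMPLE_LOG)):
        print(line)
```

Feed it the output of the switch's event log (for example `show logging -r`) to get a per-MAC summary instead of reading the repeating lines by hand; the flap threshold only controls when the VLAN churn is reported, the counts themselves come straight from the log.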

Regular Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

The tunnel is in a completed state with the switch from your output.

 

Is VLAN 3308 enabled on the switch?

 

Did you enable user roles on the switch?

 

aaa authorization user-role enable

 

Did you check your RADIUS configuration on the switch? Specifically, whether the RADIUS key is correct.

 

Lastly, did you disable and re-enable the port?

 

int 5 

disable

enable

 

After this, what do you see in the output of "show port-access clients"?

 

What is the output of "show tunneled-node-users down"?

 

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.


Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Frequent Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

I have enabled user roles. (I was following the dynamic segmentation video series on YouTube.) If I remove the secondary role:

 

aaa authorization user-role name "UBT-LUR-Camera"
 no tunneled-node-server-redirect

Then, after enabling the port, I can see:

Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
----- ------------- ----------------- --------------- ----------------- ----- ----
5     b827ebcb3eea  b827eb-cb3eea     n/a             UBT-LUR-Camera    MAC   3308

RADIUS is working too and I get the roles etc. But after enabling the redirect I get those error messages (after disabling the port and then enabling it again).

 

"show port-access clients" and "show tunneled-node-users" are empty.

 

When I followed the videos port-based tunneling worked, so I guess the controller is in somewhat working condition :)

 

 

 

Regular Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

On the switch is the port configured as an access port or a trunk port?

 

What is the image version of the controller?

 

On the controller, what is the output of "show tunneled-node config", "show tunneled-node-mgr trace-buf" and "show tunneled-node-mgr stats"?

 

Just to verify: is VLAN 3308 in the up state on the controller (the MD that you are redirecting the user traffic to when you use the tunneled-node-server-redirect command)?

 

 

Frequent Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

It's an access port. Controllers are managed by Mobility Master, running the commands from the MC:

(i1-mc1) #show tunneled-node state

Tunneled Node State
-------------------
IP  MAC  port  state  vlan  tunnel  inactive-time
--  ---  ----  -----  ----  ------  -------------

(i1-mc1) #show tunneled-node config

Tunneled node Server:Enabled
Tunnel Loop Prevention:Disabled
(i1-mc1) #show vlan  3308

VLAN CONFIGURATION
------------------
VLAN   Description  Ports         AAA Profile  Option-82
----   -----------  -----         -----------  ---------
3308   VLAN3308     GE0/0/0-0/1   N/A          Disabled


(i1-mc1) #show interface gigabitethernet 0/0/1 trusted-vlan

Name:  GE0/0/1
Trusted Vlan(s)
3308

(i1-mc1) #show interface gigabitethernet 0/0/1

GE 0/0/1 is up, line protocol is up

gi0/0/1 is the uplink trunk port towards the rest of the network. Controllers are on 8.4.0.4 and the switch on 16.09.

Regular Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

Each tunneled-node client uses one AP license.

 

What is the output of show license-usage ap

 

Please refer to this document for the configuration.

 

https://www.arubanetworks.com/techdocs/ArubaOS_81_Web_Help/Content/ArubaFrameStyles/Mux_config/Configuring_a_Wired_Tunn.htm

 

Frequent Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

(i1-mc1) #show license-usage ap

AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               16
PEF Licenses              16
MM Licenses               16
Controller License        True
Overall AP License Limit  16

AP Usage
--------
Type             Count
----             -----
Active CAPs      0
Active RAPs      0
Remote-node APs  0
Active MUX       0
Active PUTN      1
Total APs        1

Remaining AP Capacity
---------------------
Type  Number
----  ------
CAPs  15
RAPs  15

 

I believe I have everything configured that's in the link?
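The two preconditions this thread keeps returning to, the LMS tunnel state on the switch and the AP license headroom on the controller, can be checked from the CLI output rather than by eye. The script below is an added example (my own code, not from the thread or from Aruba): it parses the `show tunneled-node-server state` and `show license-usage ap` outputs quoted in this thread and lists anything that would stop a per-user tunneled-node client from coming up. The function names, the "Per Port" capability string assumed for port-based tunneling, and the rule that each tunneled-node client consumes one AP license (as the reply above states) are my assumptions; the sample outputs are constructed from the thread.

```python
import re

# Constructed sample input: the 'show tunneled-node-server state' output from the
# switch and the 'show license-usage ap' output from the controller, as quoted in the thread.
LMS_OUTPUT = """\
 Local Master Server (LMS) State

 LMS Type     IP Address       State        Capability Role
 Primary   :  10.133.5.61      Complete     Per User   Operational Primary
 Secondary :  10.133.5.62      Complete     Per User   Operational Secondary
"""

LICENSE_OUTPUT = """\
AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               16
PEF Licenses              16
MM Licenses               16
Controller License        True
Overall AP License Limit  16

AP Usage
--------
Type             Count
----             -----
Active CAPs      0
Active RAPs      0
Remote-node APs  0
Active MUX       0
Active PUTN      1
Total APs        1

Remaining AP Capacity
---------------------
Type  Number
----  ------
CAPs  15
RAPs  15
"""

# One LMS row: "<Primary|Secondary> : <ip> <state> <capability> <role>". "Per Port" is
# assumed to be the value shown for port-based tunneling; only "Per User" appears above.
LMS_RE = re.compile(
    r"^\s*(Primary|Secondary)\s*:\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(Per User|Per Port)\s+(.*?)\s*$")
# Any "<label>  <value>" row in the license tables (label and value separated by 2+ spaces).
KV_RE = re.compile(r"^(\S.*?\S)\s{2,}(\S+)\s*$")


def parse_lms_state(text):
    """Return {'primary': {...}, 'secondary': {...}} from 'show tunneled-node-server state'."""
    servers = {}
    for line in text.splitlines():
        m = LMS_RE.match(line)
        if m:
            kind, ip, state, capability, role = m.groups()
            servers[kind.lower()] = {"ip": ip, "state": state,
                                     "capability": capability, "role": role}
    return servers


def parse_license_usage(text):
    """Flatten the three label/value tables of 'show license-usage ap' into one dict."""
    data = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Type" or set(label) <= {"-"}:  # column headers and rules
            continue
        data[label] = int(value) if value.isdigit() else value
    return data


def ubt_preconditions(lms, lic, per_user=True):
    """List what would block a tunneled-node client; an empty list means both sides look ready."""
    problems = []
    want = "Per User" if per_user else "Per Port"
    if "primary" not in lms:
        problems.append("switch has no primary LMS")
    for kind, s in lms.items():
        if s["state"] != "Complete":
            problems.append(f"{kind} LMS {s['ip']} is in state {s['state']}, not Complete")
        if s["capability"] != want:
            problems.append(f"{kind} LMS {s['ip']} negotiated '{s['capability']}', expected '{want}'")
    # Each tunneled-node client consumes one AP license (per the reply above), so
    # headroom is the overall limit minus everything already counted as an AP.
    headroom = lic.get("Overall AP License Limit", 0) - lic.get("Total APs", 0)
    if headroom <= 0:
        problems.append("no AP license headroom left for a new tunneled-node client")
    if lic.get("Controller License") != "True":
        problems.append("controller license missing")
    return problems


if __name__ == "__main__":
    lms = parse_lms_state(LMS_OUTPUT)
    lic = parse_license_usage(LICENSE_OUTPUT)
    print(f"tunneled-node clients (PUTN) active: {lic['Active PUTN']}, headroom: "
          f"{lic['Overall AP License Limit'] - lic['Total APs']}")
    print(ubt_preconditions(lms, lic) or "no blocking precondition found")
```

On the outputs in this thread the check comes back clean, which matches the replies: the tunnel is Complete with Per User capability on both LMS entries and one of sixteen AP licenses is consumed by the single PUTN, so the fault has to be somewhere other than tunnel state or licensing.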

Regular Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

The PUTN is using one license, so you are good on the license front.

 

What do you see in the logs for this user?

 

show log security 50

show log user 50

 

I believe the user is wired; what's the scenario when you use a wireless user with the tunneled-node redirect command enabled?

 

 

 

Frequent Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

Logs have only a row about my admin login, but nothing related to the tunneled node (I tried disabling and then enabling the port).

 

Not really sure about the second part though... tunneled node is for wired users, not wireless, and the redirect is configured on the 2930F switch.

Regular Contributor I

Re: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

Ah yes, my bad. Was asking my routine wired users TShoot questions :D

 

The configuration looks legit. The only thing that comes to my mind is the GRE tunnel.

 

Is GRE traffic allowed?

 

The switch establishes a user GRE tunnel when you add the redirect command.

 

When the attribute "UBT-LUR-Camera" is matched in ClearPass, then ClearPass redirects this user over the GRE tunnel to the MD.

 

The UBT-Camera (secondary role) should be mentioned in this redirect message.

 

What are you seeing with respect to the ClearPass redirect message?

 

 
