From: Donny MATEO (donny.mateo@sg.ca-indosuez.com)
Date: Tue Nov 04 2003 - 03:32:59 GMT-3
Hi All,
Thanks for the valuable input. Currently working with TAC on the bug and a way to solve it...
Cheers.
Donny
"Frank Jimenez" <franjime@cisco.com>
11/04/2003 01:25 PM
To: "'Donny MATEO'" <donny.mateo@sg.ca-indosuez.com>
cc:
Subject: RE: unable to tunnel to a module
This is a 4232-L3 module, right?
I think you're running into a bug - CSCdx30617
It's fixed in the next revs of CatOS - might want to contact TAC and see if they can assist.
Workarounds listed:
1. One can telnet to g3 or g4 (or its subinterface's IP address), as session is nothing but a "telnet session".
2. A reset of the L3 module could recover from the problem temporarily.
3. Moving sc0 into a different vlan can avoid this problem too.
Good luck!
Frank Jimenez, CCIE #5738
franjime@cisco.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Donny MATEO
Sent: Monday, November 03, 2003 10:17 PM
To: ccielab@groupstudy.com
Subject: unable to tunnel to a module
Hi All,
Have any of you experienced the following error message when trying to tunnel to the L3 module on a Catalyst switch?
cat4k> (enable) sess 2
Trying IntlgLineCard-2...
session: Unable to tunnel to IntlgLineCard-2 (57)
cat4k> (enable)
Donny
"Bob Sinclair" <bsin@cox.net>
Sent by: nobody@groupstudy.com
11/04/2003 09:23 AM
Please respond to "Bob Sinclair"
To: "Volkov Dmitry" <dmitry.volkov@rogers.com>
cc: <security@groupstudy.com>, <ccielab@groupstudy.com>, (bcc: Donny MATEO/ADPC/ASIA/BANQUE_INDOSUEZ/FR)
Subject: Re: aaa authorization (last method)
Dmitry,
I labbed up the scenarios described earlier, and the results I got were as you suggest:
If you authenticate through any permitted AAA authentication method, then the "if-authenticated" method will authorize, whether the AAA server is reachable or not.
The only scenario I could find where this did not work was when I had NO AAA authentication commands, but did have AAA authorization commands. Here the "if-authenticated" will fail. When the AAA server is down, it still fails, and adding the "none" method to the end does not help.
So, I have to agree that I see no case in which having both "if-authenticated" and "none" in the same list makes sense. One does see it in legacy configs; maybe it is just superstition!
-Bob Sinclair
CCIE #10427, CISSP, MCSE
----- Original Message -----
From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
To: "'Bob Sinclair'" <bsin@cox.net>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Monday, November 03, 2003 6:56 PM
Subject: RE: aaa authorization (last method)
> Bob, see inline
>
> > -----Original Message-----
> > From: Bob Sinclair [mailto:bsin@cox.net]
> > Sent: Monday, November 03, 2003 6:32 PM
> > To: dmitry.volkov@rogers.com; security@groupstudy.com
> > Cc: ccielab@groupstudy.com
> > Subject: Re: aaa authorization (last method)
> >
> >
> > Dmitry,
> >
> > It seems to me that in order to pass the "if-authenticated" method,
> > the AAA server needs to be reachable.
>
> Why?? You have ALREADY authenticated, and "if-authenticated" will allow
> you to authorize.
>
> > What if you successfully
> > authenticate and
> > then shut down the interface you would use to get to the AAA server?
> > Would you be able to no-shut it without the "none" fallback?
>
> Why not, since you have already been authenticated.
>
> >
> > What if the AAA server is unreachable and you authenticate with a
> > "none" or "local" fallback. You would be "authenticated" but if the
> > AAA server is unreachable, will you be able to be authorized without
> > the "none" fallback? I
>
> Sure, as soon as the condition "to be authenticated" is valid/completed
> you will get exec, network services or commands
>
>
> > don't think so, but we can lab it up.
> >
> > HTH,
> >
> > -Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> >
> > ----- Original Message -----
> > From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> > To: "'Bob Sinclair'" <bsin@cox.net>; <security@groupstudy.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Monday, November 03, 2003 6:10 PM
> > Subject: RE: aaa authorization (last method)
> >
> >
> > > Bob,
> > >
> > > I read it before but didn't get clarity...
> > > It appears to me both last resort methods "none" and "if-authenticated"
> > > are the same when they are used as the last one in the authorization
> > > process.
> > >
> > > I don't get the difference.
> > > Can you be not authenticated and still proceed with authorization?
> > >
> > >
> > > Thanks,
> > > Dmitry
> > >
> > > > -----Original Message-----
> > > > From: Bob Sinclair [mailto:bsin@cox.net]
> > > > Sent: Monday, November 03, 2003 5:54 PM
> > > > To: Volkov Dmitry; security@groupstudy.com
> > > > Cc: ccielab@groupstudy.com
> > > > Subject: Re: aaa authorization (last method)
> > > >
> > > >
> > > > Dmitry,
> > > >
> > > > Most of the docs do indicate that "if-authenticated" should
> > > > normally be the last method: either you are authenticated and
> > > > therefore permitted, or you are not authenticated and the method
> > > > fails - failing a method does not allow you to try other methods.
> > > > Adding the "none" option appears to be a fail-safe in the case of
> > > > a down or unreachable server. See the link below:
> > > >
> > > > http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18/networking_solutions_design_guide_chapter09186a00800f48eb.html#1009459
> > > >
> > > >
> > > > -Bob Sinclair
> > > > CCIE #10427, CISSP, MCSE
> > > >
> > > > ----- Original Message -----
> > > > From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> > > > To: <security@groupstudy.com>
> > > > Cc: <ccielab@groupstudy.com>
> > > > Sent: Monday, November 03, 2003 10:36 AM
> > > > Subject: aaa authorization (last method)
> > > >
> > > >
> > > > > Does it make any sense to use both methods "if-authenticated" and
> > > > > "none" within the same aaa authorization list?
> > > > > for ex : aaa authorization exec TEST group tacacs+ if-authenticated none
> > > > >
> > > > > from com ref:
> > > > > If-Authenticated: The user is allowed to access the requested
> > > > > function provided the user has been authenticated successfully.
> > > > > None: The network access server does not request authorization
> > > > > information; authorization is not performed over this line/interface.
> > > > >
> > > > > Is it possible to be not authenticated (for any reason) and still
> > > > > request authorization?
> > > > > AFAIK authorization happens after authentication (logically).
> > > > > What is the difference in using "if-authenticated" compared with
> > > > > "none" in this context?
> > > > >
> > > > > Thanks,
> > > > > Dmitry
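Bob's lab result (that a trailing "none" after "if-authenticated" never helps) follows from how IOS walks a method list: only an error from a method, such as an unreachable server, moves on to the next method, while a failure ends the list. The Python model below is an added example, not code from this thread; its PASS/FAIL/ERROR semantics are my model of that documented behaviour, and the session fields are constructed.

```python
"""Model of how a Cisco IOS AAA authorization method list is evaluated.

Assumption (documented IOS behaviour, modelled here, not code from the thread):
a method returns PASS, FAIL or ERROR, and the next method in the list is
consulted only on ERROR (e.g. server unreachable), never on FAIL.
"""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


@dataclass
class Session:
    authenticated: bool          # did an AAA authentication list run and succeed?
    server_reachable: bool       # can the TACACS+ group be reached right now?
    server_permits: bool = True  # what the server would answer if reachable


def run_method(method: str, s: Session) -> Result:
    """Outcome of one method for this session (constructed semantics)."""
    if method == "group tacacs+":
        if not s.server_reachable:
            return Result.ERROR        # no answer: fall through to next method
        return Result.PASS if s.server_permits else Result.FAIL
    if method == "if-authenticated":
        # Never ERRORs: PASS when authenticated, otherwise a hard FAIL,
        # so anything listed after it is unreachable.
        return Result.PASS if s.authenticated else Result.FAIL
    if method == "none":
        return Result.PASS             # no authorization performed: fail-open
    raise ValueError(f"unknown method {method!r}")


def authorize(method_list: list[str], s: Session) -> tuple[bool, list[str]]:
    """Return (authorized?, methods actually consulted in order)."""
    consulted = []
    for m in method_list:
        consulted.append(m)
        r = run_method(m, s)
        if r is Result.ERROR:
            continue                   # only an error moves to the next method
        return r is Result.PASS, consulted
    return False, consulted            # every method errored: deny


TEST = ["group tacacs+", "if-authenticated", "none"]
FAIL_OPEN = ["group tacacs+", "none"]
```

Running `authorize(TEST, Session(authenticated=False, server_reachable=False))` shows "none" is never consulted, whereas `FAIL_OPEN` grants access to that same session, which is the security difference between the two lists.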
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:08 GMT-3