This chapter provides information to help you identify and resolve potential problems with your CiscoSecure GRS software.
For information about obtaining technical assistance with your CiscoSecure GRS, see the section "Service and Support" in the publication Cisco Information Packet that shipped with your product.
If you are having problems with your CiscoSecure GRS system, check these items first:
The following examples are situations you might encounter when using CiscoSecure GRS. Symptoms are listed in alphabetical order:
Symptom: Authentication, Authorization, or Accounting information not being received correctly.
Possible Cause: Make sure the ports are configured correctly for the AAA vendor protocol you are using; for example, Livingston supports only port 1645. If you are using an older NAS, you might be able to use only port 1645, while CiscoSecure GRS must listen to both ports 1645 and 1646. If the ACS is using RADIUS, you cannot use ports 1645 and 1646.
Recommended Action: Reconfigure your NAS or ACS to use different ports; for example, 1745 and 1746. See your NAS or ACS documentation.
Symptom: Backup ACS not being used.
Possible Cause: CiscoSecure GRS will cycle to the next ACS in the list only if no response at all is received from the previous ACS. The shared secret may be incorrect or the first ACS may be generating an error message.
Recommended Action: Make sure the shared secret in CiscoSecure GRS matches the shared secret of the ACS. Correct the condition on the ACS that is causing the error message to be generated, or remove the first ACS from the list.
Symptom: Cannot authenticate to the HG when using VPDN.
Possible Cause: CiscoSecure GRS will not strip to the HG.
Recommended Action: Create fully qualified domain names for the HG identifier, tunnel ID, and user on the HG.
Symptom: Changes made in GUI are not taking effect.
Possible Cause: Changes were not committed.
Recommended Action: Click Add or Update, then Commit.
Symptom: Changes made to data stores are not displayed.
Possible Cause: Data store information has not been refreshed.
Recommended Action: Either wait 10 minutes for the data stores to reload, or restart CiscoSecure GRS.
Symptom: Changes made to Properties are not taking effect.
Possible Cause: Properties information has not been refreshed.
Recommended Action: Restart CiscoSecure GRS.
Symptom: Data stores are incorrect.
Possible Cause: Environment variables not set or set incorrectly.
Recommended Action: See the section "Setting Environment Variables" in the appendix "Changing CiscoSecure GRS Data Stores" for instructions.
Symptom: CiscoSecure GRS cannot connect to the NAS or ACS.
Possible Cause: Shared secrets or authentication/accounting ports do not match.
Recommended Action: Make sure the shared secrets match. The shared secret of the NAS must match the CiscoSecure GRS shared secret for the NAS, and the shared secret for the ACS must match the CiscoSecure GRS Domain shared secret. Make sure the authentication/accounting ports match and are configured correctly.
Symptom: CiscoSecure GRS cannot communicate with the RADIUS NAS.
Possible Cause: RADIUS vendor types do not match.
Recommended Action: Make sure you are using the same vendor type (for example, Cisco RADIUS) on both the CiscoSecure GRS and the NAS.
Symptom: Local accounting records are not being received.
Possible Cause: No valid user profile in CiscoSecure ACS.
Recommended Action: Create a valid user profile in CiscoSecure ACS. See your CiscoSecure Access Control Server for UNIX User Guide.
Symptom: MaxSessions is not operating properly.
Possible Cause: Accounting is not enabled.
Recommended Action: Make sure Accounting is enabled.
Symptom: MaxSessions and IP Range Checking are not operating correctly.
Possible Cause: If you are using MaxSessions and IP Range Checking, you must have debug level set to at least Minimal.
Recommended Action: See the section "Properties General Tab" in the chapter "Configuring CiscoSecure GRS" for instructions on setting the debug level.
Symptom: MaxSessions information displayed in web browser is incorrect.
Possible Cause: MaxSessions information was not updated after it was changed.
Recommended Action: Click Reload or Refresh in your web browser to update MaxSessions information.
Symptom: Multiple packets are being resent.
Possible Cause: Multiple timeouts are taking place.
Recommended Action: Increase the timeout parameter of the NAS to 20 seconds or greater, turn off debugging on the NAS, or turn off debugging on the HG if you are using VPDN.
Symptom: No username in VPDN.
Possible Cause: The CiscoSecure GRS is the same as the VPDN domain, and full stripping is enabled on the NAS, so the user is blank.
Recommended Action: Turn off full stripping on the NAS.
Symptom: NSM_Error in CiscoSecure GRS log file.
Possible Cause: The entries in the /etc/services file override the settings in the grs.ini file.
Recommended Action: Use the GUI to change port settings. See the chapter "Configuring CiscoSecure GRS" for instructions.
Symptom: Unable to communicate after stopping VPDN.
Possible Cause: The NAS was not reloaded after CiscoSecure GRS stopped using VPDN.
Recommended Action: Reload the NAS. See your NAS documentation.
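Several of the symptoms above (backup ACS not being used, CiscoSecure GRS unable to connect to the NAS or ACS) come down to a shared secret that differs between two RADIUS peers. The following added example is not part of the Cisco documentation or of CiscoSecure GRS; it shows the standard RFC 2865 Response Authenticator check, using constructed packet contents and constructed secrets, so you can see why a reply computed with one secret is rejected by a peer holding another.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + Identifier + Length + Request Authenticator
    #               + Attributes + Shared Secret). MD5 is fixed by the protocol.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    # What the answering server puts on the wire.
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, request_ident, request_auth, secret):
    # Diagnose a reply the way the requesting side validates it.
    if len(packet) < 20:
        return "malformed: shorter than the 20-byte RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed: bad Length field"
    if ident != request_ident:
        return "identifier mismatch: reply belongs to another request"
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "authenticator mismatch: shared secrets differ or reply was altered"
    return "ok"

# Constructed sample data (not captured traffic).
REQUEST_ID = 7
REQUEST_AUTH = bytes(range(16))
MSG = b"hello"
ATTRS = bytes([18, 2 + len(MSG)]) + MSG     # Reply-Message attribute (type 18)
SERVER_SECRET = b"constructed-secret-A"
STALE_SECRET = b"constructed-secret-B"      # what a misconfigured peer holds
ACCESS_ACCEPT = 2

REPLY = build_reply(ACCESS_ACCEPT, REQUEST_ID, REQUEST_AUTH, ATTRS, SERVER_SECRET)

if __name__ == "__main__":
    print(check_reply(REPLY, REQUEST_ID, REQUEST_AUTH, SERVER_SECRET))
    print(check_reply(REPLY, REQUEST_ID, REQUEST_AUTH, STALE_SECRET))
    print(check_reply(REPLY, REQUEST_ID + 1, REQUEST_AUTH, SERVER_SECRET))
    print(check_reply(REPLY[:10], REQUEST_ID, REQUEST_AUTH, SERVER_SECRET))
```

RFC 2865 directs the receiver to silently discard a reply that fails this check, so from the requesting side a secret mismatch can look the same as a timeout.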
The flatfile data store produces .bak files in the working directory. If CiscoSecure GRS shuts down unexpectedly for any reason, there is a slight chance that the .db files might get corrupted. If this happens, just copy the .bak file for the corrupted file(s) to .db, restart CiscoSecure GRS, and continue working. The .bak files are located in the $GRSHOME/etc/.working directory.
The .bak files will always lag the .db files by one transaction, so only the last transaction before the unexpected system shutdown will be lost.
Use the following commands to troubleshoot your Cisco Systems NAS:
There are additional debug commands for VPDN:
See the documentation for your Cisco Systems NAS for more information on these commands.