
Wednesday, June 11, 2014

Switch NVRAM no space



Today I encountered a very strange error while trying to save a switch configuration:

Switch#wr
Building configuration...

% Warning: Saving this config to nvram may corrupt any network management or security files stored at the end of nvram.
Continue? [no]:
% Configuration buffer full, can't add command: ntp clock-period 36028830
%Aborting Save. Compress the config.[OK]


This error indicates that there is not enough free space in NVRAM to save the running configuration as the startup configuration. As you may recall, nonvolatile random-access memory (NVRAM) is an EEPROM chip that holds the startup configuration file and retains its contents when the router is powered down or restarted.

To view the contents of NVRAM, just type:

Switch#dir nvram:
Directory of nvram:/

   36  -rw-       20748                    <no date>  startup-config
   37  ----        6592                    <no date>  private-config
    1  -rw-         657                    <no date>  IL-SW-UC-2H-#3801.cer

65536 bytes total (37120 bytes free)



As you can see, there are only 37KB free in NVRAM, and my configuration weighs a little more than that:

Switch#sh running-config
Building configuration...

Current configuration : 38563 bytes
!
! Last configuration change at 14:27:26 gmt Sun Jun 8 2014 by xxx
! NVRAM config last updated at 14:28:46 gmt Sun Jun 8 2014 by xxx
!
version 12.2
service nagle
no service pad
service tcp-keepalives-in
<OUTPUT OMITTED>

There is an option, service compress-config, which compresses the startup configuration, but it is supported only on higher-end switches (such as the 45xx and 65xx series).
On my 2960 switch it gives the following output:

Switch(config)#service compress-config
Boot ROMs do not support NVRAM compression.
Disabling service compress-config.

Switch(config)#


So to solve this issue I had to remove some lines from the running configuration; after that I was able to save the running-config to the startup-config:

Switch#wr
Building configuration...
[OK]
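The check done by hand above (free NVRAM bytes from `dir nvram:` versus the "Current configuration" size from `show running-config`) can be automated before a config push. This is an added example, not code from the post; the two output samples are constructed from the output shown above, and the comparison is the same one the post makes.

```python
import re

# Constructed sample output, modelled on the `dir nvram:` listing in the post.
DIR_NVRAM = """Directory of nvram:/

   36  -rw-       20748                    <no date>  startup-config
   37  ----        6592                    <no date>  private-config
    1  -rw-         657                    <no date>  IL-SW-UC-2H-#3801.cer

65536 bytes total (37120 bytes free)
"""

# Constructed header of `show running-config`, as in the post.
SHOW_RUN_HEADER = """Building configuration...

Current configuration : 38563 bytes
!
version 12.2
"""

# index, permissions, size, <date>, name
FILE_RE = re.compile(r"^\s*\d+\s+(\S{4})\s+(\d+)\s+.*?\s(\S+)\s*$", re.M)
TOTAL_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")
SIZE_RE = re.compile(r"Current configuration : (\d+) bytes")


def parse_dir_nvram(text):
    """Return ([(name, size, perms), ...], total_bytes, free_bytes)."""
    files = [(name, int(size), perm) for perm, size, name in FILE_RE.findall(text)]
    m = TOTAL_RE.search(text)
    if not m:
        raise ValueError("no 'bytes total' summary line in dir output")
    return files, int(m.group(1)), int(m.group(2))


def running_config_size(text):
    """Size the switch reports for the running configuration."""
    m = SIZE_RE.search(text)
    if not m:
        raise ValueError("no 'Current configuration' line in show run output")
    return int(m.group(1))


def save_fits(dir_text, show_run_text):
    """Compare running-config size with free NVRAM; report the shortfall to trim."""
    files, total, free = parse_dir_nvram(dir_text)
    needed = running_config_size(show_run_text)
    return {"fits": needed <= free, "needed": needed, "free": free, "total": total,
            "shortfall": max(0, needed - free),
            "largest_file": max(files, key=lambda f: f[1])[0] if files else None}
```

On the sample above the result is not "fits", with a shortfall of 1443 bytes, which is the amount that had to be trimmed from the running configuration.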

Sunday, June 1, 2014

Cisco 802.1x Radius fast fail-over




802.1x switch configuration for wired authentication:

aaa new-model
!
aaa authentication login default group radius enable local
aaa authentication dot1x default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
!
dot1x system-auth-control
!
radius-server host 10.10.0.17 auth-port 1812 acct-port 1813 key <PASSWORD>
radius-server host 10.20.0.29 auth-port 1812 acct-port 1813 key <PASSWORD>
radius-server vsa send accounting
radius-server vsa send authentication

And the port configuration:

interface GigabitEthernetXXX
 switchport mode access
 switchport nonegotiate
 authentication port-control auto
 dot1x pae authenticator

Every time a client connects to the switch port, it must authenticate before it can send traffic through that port. Authentication goes to the first configured server, 10.10.0.17, and only if that server fails does the switch fall back to the second.
The NAS (switch) IP is 10.30.0.128.
We ran into a problem where the switchover took too long and some clients were not able to authenticate in a reasonable time.

The solution is to change the timeout and retries:

radius-server retransmit 2
radius-server timeout 2

This tells the switch to make 2 retries with a 2-second timeout against the primary server and then switch to the secondary.

Here is the resulting debug output:

001242: Jun  1 13:59:34.570: %AUTHMGR-5-START: Starting 'dot1x' for client (00b5.6d01.89b9) on Interface Gi0/33 AuditSessionID 0A1402C60000001500E52C27
SW-TEST(config-if)#
001243: Jun  1 13:59:34.587: RADIUS/ENCODE(00000018):Orig. component type = DOT1X
001244: Jun  1 13:59:34.587: RADIUS(00000018): Config NAS IP: 10.30.0.128
001245: Jun  1 13:59:34.587: RADIUS(00000018): Started 2 sec timeout
SW-TEST(config-if)#
001246: Jun  1 13:59:36.566: RADIUS(00000018): Request timed out
001247: Jun  1 13:59:36.566: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
001248: Jun  1 13:59:36.566: RADIUS(00000018): Started 2 sec timeout
SW-TEST(config-if)#
001249: Jun  1 13:59:38.596: RADIUS(00000018): Request timed out
001250: Jun  1 13:59:38.596: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
001253: Jun  1 13:59:40.694: RADIUS: Fail-over to (10.20.0.29:1812,1813) for id 1645/74
001254: Jun  1 13:59:40.694: RADIUS:  authenticator 2A 97 84 16 90 7C C0 5B - 47 FD BA E2 90 43 14 8B
001255: Jun  1 13:59:40.694: RADIUS:  User-Name           [1]   15  "host/XXX"
001256: Jun  1 13:59:40.694: RADIUS:  Service-Type        [6]   6   Framed                    [2]
001257: Jun  1 13:59:40.694: RADIUS:  Framed-MTU          [12]  6
SW-TEST(config-if)#   1500                     
001258: Jun  1 13:59:40.694: RADIUS:  Called-Station-Id   [30]  19  "00-1E-F6-11-B4-21"
001259: Jun  1 13:59:40.694: RADIUS:  Calling-Station-Id  [31]  19  "00-B5-6D-01-89-B9"
001260: Jun  1 13:59:40.694: RADIUS:  EAP-Message         [79]  20 
001261: Jun  1 13:59:40.694: RADIUS:   02 01 00 12 01 68 6F 73 74 2F 55 2D 53 79 73 74 65 6D     [ host/U-System]
001262: Jun  1 13:59:40.694: RADIUS:  Message-Authenticato[80]  18 
001263: Jun  1 13:59:40.694: RADIUS:   59 E7 07
SW-TEST(config-if)# 04 B1 7F 01 4C 18 F1 0D B5 9F D4 D0 9E                [ YL]

We can see that after two retries the switch fails over to the secondary server with a total time of 4 seconds instead of 15 seconds (default settings: 3 retries with a 5-second timeout).
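Reading the fail-over timing off the debug lines by eye is error-prone, so here is a small parser that does it. This is an added example, not code from the post: it takes a constructed excerpt modelled on the debug output above (prompt echoes included), counts the retransmits to the primary, finds the fail-over target, and measures the interval from the first "Started ... timeout" to the "Fail-over" line. The `expected_failover_seconds` model (initial attempt plus `retransmit` retries, each waiting `timeout` seconds) is an assumption stated here for comparison, not something the post defines.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the debug output in the post; the prompt echo is kept.
DEBUG_LOG = """\
SW-TEST(config-if)#
001245: Jun  1 13:59:34.587: RADIUS(00000018): Started 2 sec timeout
001246: Jun  1 13:59:36.566: RADIUS(00000018): Request timed out
001247: Jun  1 13:59:36.566: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
001248: Jun  1 13:59:36.566: RADIUS(00000018): Started 2 sec timeout
001249: Jun  1 13:59:38.596: RADIUS(00000018): Request timed out
001250: Jun  1 13:59:38.596: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
001253: Jun  1 13:59:40.694: RADIUS: Fail-over to (10.20.0.29:1812,1813) for id 1645/74
"""

TS_RE = re.compile(r"^\d+: (\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
STARTED_RE = re.compile(r"RADIUS\(\w+\): Started (\d+) sec timeout")
RETRANSMIT_RE = re.compile(r"RADIUS: Retransmit to \(([\d.]+):\d+,\d+\) for id (\S+)")
FAILOVER_RE = re.compile(r"RADIUS: Fail-over to \(([\d.]+):\d+,\d+\) for id (\S+)")


def _stamp(text):
    # IOS timestamps carry no year; only differences are used, so the default year is fine.
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S.%f")


def analyze_failover(log):
    """Summarise one request's retransmits and the time it took to fail over."""
    first_start, timeout_secs, retransmits = None, None, []
    result = {"failover_to": None, "request_id": None, "elapsed": None}
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # prompt echo or unrelated line
        when, msg = _stamp(m.group(1)), m.group(2)
        if s := STARTED_RE.search(msg):
            timeout_secs = int(s.group(1))
            first_start = first_start or when
        elif r := RETRANSMIT_RE.search(msg):
            retransmits.append(r.group(1))
        elif f := FAILOVER_RE.search(msg):
            result["failover_to"], result["request_id"] = f.group(1), f.group(2)
            if first_start is not None:
                result["elapsed"] = (when - first_start).total_seconds()
            break
    result.update(retransmits=len(retransmits), timeout=timeout_secs,
                  primary=retransmits[0] if retransmits else None)
    return result


def expected_failover_seconds(retransmit, timeout):
    """Assumed model: initial attempt plus `retransmit` retries, each waiting `timeout` s."""
    return (retransmit + 1) * timeout
```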