VPN Concentrator 3000 RADIUS issue. error = -9 ("ENOBUFS")

Discussion in 'Cisco' started by Guyster, Oct 17, 2007.

  1. Guyster

    Guyster Guest

    we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    for authentication of the users. This setup was working fine for a
    number of months and is now playing up, users in existing groups (with
    one exception) and newly created groups will not authenticate:

    I am seeing a lot of the following errors in the event log on the VPN
    Concentrator:

    47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    Server name = 192.168.1.50, type = RADIUS,
    group = Group_Name, status = Not-in-service

    I have spent a few hours on the phone to the guys at CryptoCard and it
    appears that the radius server isn't recieving any authentication
    requests from the VPN concentrator. none of the servers appear to be
    under any serious load. Has anyone come accross an issue like this
    before?

    Cheers
    Guy
     
    Guyster, Oct 17, 2007
    #1
    1. Advertising

  2. Guyster

    Trendkill Guest

    On Oct 17, 9:46 am, Guyster <> wrote:
    > we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    > for authentication of the users. This setup was working fine for a
    > number of months and is now playing up, users in existing groups (with
    > one exception) and newly created groups will not authenticate:
    >
    > I am seeing a lot of the following errors in the event log on the VPN
    > Concentrator:
    >
    > 47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")
    >
    > 47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    > Server name = 192.168.1.50, type = RADIUS,
    > group = Group_Name, status = Not-in-service
    >
    > I have spent a few hours on the phone to the guys at CryptoCard and it
    > appears that the radius server isn't recieving any authentication
    > requests from the VPN concentrator. none of the servers appear to be
    > under any serious load. Has anyone come accross an issue like this
    > before?
    >
    > Cheers
    > Guy


    Can the concentrator ping the radius server? Have you bounced the
    radius auth service or the radius server altogether? Socket issues
    are usually related to establishing connections between the ports/
    services, so I would look at the radius server first. What is the one
    exception?
     
    Trendkill, Oct 17, 2007
    #2
    1. Advertising

  3. Guyster

    Guyster Guest

    On 17 Oct, 15:06, Trendkill <> wrote:
    > On Oct 17, 9:46 am, Guyster <> wrote:
    >
    >
    >
    > > we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    > > for authentication of the users. This setup was working fine for a
    > > number of months and is now playing up, users in existing groups (with
    > > one exception) and newly created groups will not authenticate:

    >
    > > I am seeing a lot of the following errors in the event log on the VPN
    > > Concentrator:

    >
    > > 47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    > > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    >
    > > 47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    > > Server name = 192.168.1.50, type = RADIUS,
    > > group = Group_Name, status = Not-in-service

    >
    > > I have spent a few hours on the phone to the guys at CryptoCard and it
    > > appears that the radius server isn't recieving any authentication
    > > requests from the VPN concentrator. none of the servers appear to be
    > > under any serious load. Has anyone come accross an issue like this
    > > before?

    >
    > > Cheers
    > > Guy

    >
    > Can the concentrator ping the radius server? Have you bounced the
    > radius auth service or the radius server altogether? Socket issues
    > are usually related to establishing connections between the ports/
    > services, so I would look at the radius server first. What is the one
    > exception?


    Hi,

    The concentrater is able to ping the radius box, the one exception is
    one group, if users are placed in this group they will successfully
    authenticate to the radius server - I have checked all the group
    settings and with the exception of the names and the address pools etc
    they have the same settings. I have been through the radius server
    settings at serious length with CryptoCard and there dont appear to be
    any problems, just nothing in the logs indicating an authentication
    request has been recieved, the radius server is also successfully
    authenticating a number of different services from other sources on
    the network. I was wondering why the groups were showing "status =
    not in service" but I cant find anything helpful on this.

    Cheers
    Guy
     
    Guyster, Oct 17, 2007
    #3
  4. Guyster

    Guyster Guest

    On 17 Oct, 15:51, Guyster <> wrote:
    > On 17 Oct, 15:06, Trendkill <> wrote:
    >
    >
    >
    > > On Oct 17, 9:46 am, Guyster <> wrote:

    >
    > > > we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    > > > for authentication of the users. This setup was working fine for a
    > > > number of months and is now playing up, users in existing groups (with
    > > > one exception) and newly created groups will not authenticate:

    >
    > > > I am seeing a lot of the following errors in the event log on the VPN
    > > > Concentrator:

    >
    > > > 47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    > > > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    >
    > > > 47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    > > > Server name = 192.168.1.50, type = RADIUS,
    > > > group = Group_Name, status = Not-in-service

    >
    > > > I have spent a few hours on the phone to the guys at CryptoCard and it
    > > > appears that the radius server isn't recieving any authentication
    > > > requests from the VPN concentrator. none of the servers appear to be
    > > > under any serious load. Has anyone come accross an issue like this
    > > > before?

    >
    > > > Cheers
    > > > Guy

    >
    > > Can the concentrator ping the radius server? Have you bounced the
    > > radius auth service or the radius server altogether? Socket issues
    > > are usually related to establishing connections between the ports/
    > > services, so I would look at the radius server first. What is the one
    > > exception?

    >
    > Hi,
    >
    > The concentrater is able to ping the radius box, the one exception is
    > one group, if users are placed in this group they will successfully
    > authenticate to the radius server - I have checked all the group
    > settings and with the exception of the names and the address pools etc
    > they have the same settings. I have been through the radius server
    > settings at serious length with CryptoCard and there dont appear to be
    > any problems, just nothing in the logs indicating an authentication
    > request has been recieved, the radius server is also successfully
    > authenticating a number of different services from other sources on
    > the network. I was wondering why the groups were showing "status =
    > not in service" but I cant find anything helpful on this.
    >
    > Cheers
    > Guy


    Hi,

    Sorry, I missed part of the error in my initial post, there are 3
    events logged together for each connection attempt:

    1368 10/17/2007 16:06:03.250 SEV=3 IP/60 RPT=247
    Unable to accept connection: no sockets available for task.

    1369 10/17/2007 16:06:03.250 SEV=5 AUTH/2 RPT=247
    Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    1370 10/17/2007 16:06:03.250 SEV=4 AUTH/15 RPT=315
    Server name = 192.168.1.50, type = RADIUS,
    group = Group_Name, status = Not-in-service
     
    Guyster, Oct 17, 2007
    #4
  5. Guyster

    Trendkill Guest

    On Oct 17, 11:06 am, Guyster <> wrote:
    > On 17 Oct, 15:51, Guyster <> wrote:
    >
    >
    >
    > > On 17 Oct, 15:06, Trendkill <> wrote:

    >
    > > > On Oct 17, 9:46 am, Guyster <> wrote:

    >
    > > > > we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    > > > > for authentication of the users. This setup was working fine for a
    > > > > number of months and is now playing up, users in existing groups (with
    > > > > one exception) and newly created groups will not authenticate:

    >
    > > > > I am seeing a lot of the following errors in the event log on the VPN
    > > > > Concentrator:

    >
    > > > > 47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    > > > > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    >
    > > > > 47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    > > > > Server name = 192.168.1.50, type = RADIUS,
    > > > > group = Group_Name, status = Not-in-service

    >
    > > > > I have spent a few hours on the phone to the guys at CryptoCard and it
    > > > > appears that the radius server isn't recieving any authentication
    > > > > requests from the VPN concentrator. none of the servers appear to be
    > > > > under any serious load. Has anyone come accross an issue like this
    > > > > before?

    >
    > > > > Cheers
    > > > > Guy

    >
    > > > Can the concentrator ping the radius server? Have you bounced the
    > > > radius auth service or the radius server altogether? Socket issues
    > > > are usually related to establishing connections between the ports/
    > > > services, so I would look at the radius server first. What is the one
    > > > exception?

    >
    > > Hi,

    >
    > > The concentrater is able to ping the radius box, the one exception is
    > > one group, if users are placed in this group they will successfully
    > > authenticate to the radius server - I have checked all the group
    > > settings and with the exception of the names and the address pools etc
    > > they have the same settings. I have been through the radius server
    > > settings at serious length with CryptoCard and there dont appear to be
    > > any problems, just nothing in the logs indicating an authentication
    > > request has been recieved, the radius server is also successfully
    > > authenticating a number of different services from other sources on
    > > the network. I was wondering why the groups were showing "status =
    > > not in service" but I cant find anything helpful on this.

    >
    > > Cheers
    > > Guy

    >
    > Hi,
    >
    > Sorry, I missed part of the error in my initial post, there are 3
    > events logged together for each connection attempt:
    >
    > 1368 10/17/2007 16:06:03.250 SEV=3 IP/60 RPT=247
    > Unable to accept connection: no sockets available for task.
    >
    > 1369 10/17/2007 16:06:03.250 SEV=5 AUTH/2 RPT=247
    > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")
    >
    > 1370 10/17/2007 16:06:03.250 SEV=4 AUTH/15 RPT=315
    > Server name = 192.168.1.50, type = RADIUS,
    > group = Group_Name, status = Not-in-service


    Generally 'socket' errors have to do with session establishment, with
    goes along with you not seeing the authentication requests. Are any
    of the 'working' IDs or groups authenticating via the vpn concentrator
    itself, or another network device? Have you bounced both sides
    (rebooted the concentrator and radius server). Since the radius is
    working for some things, I would lean towards a concentrator issue.
    Have you looked at Cisco for bugs on your code rev on the concentrator?
     
    Trendkill, Oct 17, 2007
    #5
  6. Guyster

    Trendkill Guest

    On Oct 17, 11:06 am, Guyster <> wrote:
    > On 17 Oct, 15:51, Guyster <> wrote:
    >
    >
    >
    > > On 17 Oct, 15:06, Trendkill <> wrote:

    >
    > > > On Oct 17, 9:46 am, Guyster <> wrote:

    >
    > > > > we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    > > > > for authentication of the users. This setup was working fine for a
    > > > > number of months and is now playing up, users in existing groups (with
    > > > > one exception) and newly created groups will not authenticate:

    >
    > > > > I am seeing a lot of the following errors in the event log on the VPN
    > > > > Concentrator:

    >
    > > > > 47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    > > > > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    >
    > > > > 47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    > > > > Server name = 192.168.1.50, type = RADIUS,
    > > > > group = Group_Name, status = Not-in-service

    >
    > > > > I have spent a few hours on the phone to the guys at CryptoCard and it
    > > > > appears that the radius server isn't recieving any authentication
    > > > > requests from the VPN concentrator. none of the servers appear to be
    > > > > under any serious load. Has anyone come accross an issue like this
    > > > > before?

    >
    > > > > Cheers
    > > > > Guy

    >
    > > > Can the concentrator ping the radius server? Have you bounced the
    > > > radius auth service or the radius server altogether? Socket issues
    > > > are usually related to establishing connections between the ports/
    > > > services, so I would look at the radius server first. What is the one
    > > > exception?

    >
    > > Hi,

    >
    > > The concentrater is able to ping the radius box, the one exception is
    > > one group, if users are placed in this group they will successfully
    > > authenticate to the radius server - I have checked all the group
    > > settings and with the exception of the names and the address pools etc
    > > they have the same settings. I have been through the radius server
    > > settings at serious length with CryptoCard and there dont appear to be
    > > any problems, just nothing in the logs indicating an authentication
    > > request has been recieved, the radius server is also successfully
    > > authenticating a number of different services from other sources on
    > > the network. I was wondering why the groups were showing "status =
    > > not in service" but I cant find anything helpful on this.

    >
    > > Cheers
    > > Guy

    >
    > Hi,
    >
    > Sorry, I missed part of the error in my initial post, there are 3
    > events logged together for each connection attempt:
    >
    > 1368 10/17/2007 16:06:03.250 SEV=3 IP/60 RPT=247
    > Unable to accept connection: no sockets available for task.
    >
    > 1369 10/17/2007 16:06:03.250 SEV=5 AUTH/2 RPT=247
    > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")
    >
    > 1370 10/17/2007 16:06:03.250 SEV=4 AUTH/15 RPT=315
    > Server name = 192.168.1.50, type = RADIUS,
    > group = Group_Name, status = Not-in-service


    Have you tried bouncing the radius box. Perhaps something is wrong
    with auth sessions, that happens to be source specific. Sockets
    generally mean something about the actual session establishment, and
    usually indicate an issue with the source or destination. Have you
    checked cisco for bugs for your concentrator and code rev? Bounce the
    concentrator and see if the session request issue disappears. Hate to
    suggest simple reboots, but sometimes that will restore service while
    you are troubleshooting software or hardware issues more in depth.
    Especially since you seem to have some good logs.
     
    Trendkill, Oct 18, 2007
    #6
  7. Guyster

    Guyster Guest

    On 18 Oct, 01:11, Trendkill <> wrote:
    > On Oct 17, 11:06 am, Guyster <> wrote:
    >
    >
    >
    > > On 17 Oct, 15:51, Guyster <> wrote:

    >
    > > > On 17 Oct, 15:06, Trendkill <> wrote:

    >
    > > > > On Oct 17, 9:46 am, Guyster <> wrote:

    >
    > > > > > we have a Cisco VPN3000 concentrator and a Crypto-Server radius box
    > > > > > for authentication of the users. This setup was working fine for a
    > > > > > number of months and is now playing up, users in existing groups (with
    > > > > > one exception) and newly created groups will not authenticate:

    >
    > > > > > I am seeing a lot of the following errors in the event log on the VPN
    > > > > > Concentrator:

    >
    > > > > > 47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558
    > > > > > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    >
    > > > > > 47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701
    > > > > > Server name = 192.168.1.50, type = RADIUS,
    > > > > > group = Group_Name, status = Not-in-service

    >
    > > > > > I have spent a few hours on the phone to the guys at CryptoCard and it
    > > > > > appears that the radius server isn't recieving any authentication
    > > > > > requests from the VPN concentrator. none of the servers appear to be
    > > > > > under any serious load. Has anyone come accross an issue like this
    > > > > > before?

    >
    > > > > > Cheers
    > > > > > Guy

    >
    > > > > Can the concentrator ping the radius server? Have you bounced the
    > > > > radius auth service or the radius server altogether? Socket issues
    > > > > are usually related to establishing connections between the ports/
    > > > > services, so I would look at the radius server first. What is the one
    > > > > exception?

    >
    > > > Hi,

    >
    > > > The concentrater is able to ping the radius box, the one exception is
    > > > one group, if users are placed in this group they will successfully
    > > > authenticate to the radius server - I have checked all the group
    > > > settings and with the exception of the names and the address pools etc
    > > > they have the same settings. I have been through the radius server
    > > > settings at serious length with CryptoCard and there dont appear to be
    > > > any problems, just nothing in the logs indicating an authentication
    > > > request has been recieved, the radius server is also successfully
    > > > authenticating a number of different services from other sources on
    > > > the network. I was wondering why the groups were showing "status =
    > > > not in service" but I cant find anything helpful on this.

    >
    > > > Cheers
    > > > Guy

    >
    > > Hi,

    >
    > > Sorry, I missed part of the error in my initial post, there are 3
    > > events logged together for each connection attempt:

    >
    > > 1368 10/17/2007 16:06:03.250 SEV=3 IP/60 RPT=247
    > > Unable to accept connection: no sockets available for task.

    >
    > > 1369 10/17/2007 16:06:03.250 SEV=5 AUTH/2 RPT=247
    > > Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

    >
    > > 1370 10/17/2007 16:06:03.250 SEV=4 AUTH/15 RPT=315
    > > Server name = 192.168.1.50, type = RADIUS,
    > > group = Group_Name, status = Not-in-service

    >
    > Have you tried bouncing the radius box. Perhaps something is wrong
    > with auth sessions, that happens to be source specific. Sockets
    > generally mean something about the actual session establishment, and
    > usually indicate an issue with the source or destination. Have you
    > checked cisco for bugs for your concentrator and code rev? Bounce the
    > concentrator and see if the session request issue disappears. Hate to
    > suggest simple reboots, but sometimes that will restore service while
    > you are troubleshooting software or hardware issues more in depth.
    > Especially since you seem to have some good logs.


    Hi,

    Sorry I didn't get back to you, I had a couple of days off at the back
    end of last week. I have tried rebooting both the concentrator and
    the radius server to no avail. I have found some further information
    - there appears to be a limit of 64 authenticator sockets on the
    appliance, each group takes up one of these (there are a lot of
    groups!), I am not sure if this is configurable or what the best way
    around it will be though. You can get this from Status -> Memory ->
    Detailed Memory Information and you will see the sockets that are
    currently in use displayed at the bottom of the page. I need to see
    if there is some way around this issue

    Cheers
    Guy
     
    Guyster, Oct 22, 2007
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. filip
    Replies:
    2
    Views:
    2,443
    filip
    Nov 20, 2003
  2. Dietmar Romer

    VPN3000, radius: error = -9 ("ENOBUFS")

    Dietmar Romer, Aug 2, 2004, in forum: Cisco
    Replies:
    0
    Views:
    686
    Dietmar Romer
    Aug 2, 2004
  3. Eitan
    Replies:
    0
    Views:
    534
    Eitan
    Mar 5, 2006
  4. Replies:
    1
    Views:
    982
    James
    Aug 22, 2006
  5. ivrc
    Replies:
    0
    Views:
    407
Loading...

Share This Page