AS5800 and Idle-Timeout Issue

Discussion in 'Cisco' started by Matt, Dec 1, 2005.

  1. Matt

    Matt Guest

    Hi,
    I have two AS5800 access servers. They seem to interpret Idle-Timeout
    and Ascend-Idle-Limit as Session-Limit or something like that.

    If I set the Idle-Timeout to 30 minutes, people seem to get kicked off
    line after 30 minutes with a reason of "Idle-Timeout" even if they were
    downloading a file.

    Any thoughts?


    My config for the groups and async is:

    interface Group-Async0
    no ip address
    encapsulation slip
    no group-range
    !
    interface Group-Async1
    ip unnumbered FastEthernet0/1/0
    ip access-group 105 in
    ip access-group 105 out
    encapsulation ppp
    dialer in-band
    dialer idle-timeout 0
    async dynamic address
    async dynamic routing
    async mode interactive
    peer default ip address pool pool0 pool1 pool2 pool3
    compress mppc
    ppp pfc remote ignore
    ppp acfc remote ignore
    ppp authentication chap pap
    ppp multilink
    group-range 1/6/00 1/11/143
    !
    interface Dialer1
    ip unnumbered FastEthernet0/1/0
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    dialer in-band
    dialer idle-timeout 0
    no peer default ip address
    no fair-queue
    ppp authentication chap pap
    ppp multilink
    !
     
    Matt, Dec 1, 2005
    #1
    1. Advertisements

  2. Matt

    Matt Guest

    Actually it seems like it IS working....
    However, it seems like the AS5800 is not reset the idle timeout when
    someone passes data!!! Any thoughts on this one?!?!
     
    Matt, Dec 1, 2005
    #2
    1. Advertisements

  3. If you want any traffic to be considered as interesting, and hence to
    reset your idle timeout, then you would need to configure a dialer-group
    on the relevant interface (which I presume is group-async1, as there is
    no dialer rotary or dialer pool-member configured to bind it to dialer1),
    which dialer-group should point to a dialer-list.

    Cheers,

    Aaron

    --

    ~ Actually it seems like it IS working....
    ~ However, it seems like the AS5800 is not reset the idle timeout when
    ~ someone passes data!!! Any thoughts on this one?!?!
    ~
    ~
    ~ Matt wrote:
    ~ > Hi,
    ~ > I have two AS5800 access servers. They seem to interpret Idle-Timeout
    ~ > and Ascend-Idle-Limit as Session-Limit or something like that.
    ~ >
    ~ > If I set the Idle-Timeout to 30 minutes, people seem to get kicked off
    ~ > line after 30 minutes with a reason of "Idle-Timeout" even if they were
    ~ > downloading a file.
    ~ >
    ~ > Any thoughts?
    ~ >
    ~ >
    ~ > My config for the groups and async is:
    ~ >
    ~ > interface Group-Async0
    ~ > no ip address
    ~ > encapsulation slip
    ~ > no group-range
    ~ > !
    ~ > interface Group-Async1
    ~ > ip unnumbered FastEthernet0/1/0
    ~ > ip access-group 105 in
    ~ > ip access-group 105 out
    ~ > encapsulation ppp
    ~ > dialer in-band
    ~ > dialer idle-timeout 0
    ~ > async dynamic address
    ~ > async dynamic routing
    ~ > async mode interactive
    ~ > peer default ip address pool pool0 pool1 pool2 pool3
    ~ > compress mppc
    ~ > ppp pfc remote ignore
    ~ > ppp acfc remote ignore
    ~ > ppp authentication chap pap
    ~ > ppp multilink
    ~ > group-range 1/6/00 1/11/143
    ~ > !
    ~ > interface Dialer1
    ~ > ip unnumbered FastEthernet0/1/0
    ~ > encapsulation ppp
    ~ > no ip route-cache
    ~ > no ip mroute-cache
    ~ > dialer in-band
    ~ > dialer idle-timeout 0
    ~ > no peer default ip address
    ~ > no fair-queue
    ~ > ppp authentication chap pap
    ~ > ppp multilink
    ~ > !
     
    Aaron Leonard, Dec 2, 2005
    #3
  4. Matt

    Matt Guest

    Aaron,
    Thanks I'm about to check this out today, as it's working on one of our
    AS5800's but not the other. How can I go about setting an amount of
    data to be "interesting" so that just leaving mail open doesn't keep a
    connection up?
     
    Matt, Dec 5, 2005
    #4
  5. Matt

    Matt Guest

    Well,
    The configuration on both of our access servers look exactly the same...
    hrmmm =\
     
    Matt, Dec 5, 2005
    #5
  6. ~ Aaron,
    ~ Thanks I'm about to check this out today, as it's working on one of our
    ~ AS5800's but not the other. How can I go about setting an amount of
    ~ data to be "interesting" so that just leaving mail open doesn't keep a
    ~ connection up?


    interface <blah>
    dialer-group <woof>

    dialer-list <woof> protocol ip list <baz>

    access-list <baz> deny <stuff that's not interesting>
    access-list <baz> permit <stuff that is interesting>

    Btw, please be aware that IOS provides MANY MANY different places where
    a dialin modem call can be configured and MANY MANY idle timers that may
    or may not be applicable:

    - async lines
    - [group] async interfaces
    - legacy dialer interface (dialer rotary)
    - dialer profile interface
    - virtual-template interface
    - commands and timers downloaded from AAA (on virtual profile or on async)
    - RPM template

    Timers can include: line session-timeout, interface dialer timeouts,
    interface PPP timeouts, and probably some stuff I'm forgetting.

    Regards,

    Aaron

    ---

    ~
    ~ Aaron Leonard wrote:
    ~ > If you want any traffic to be considered as interesting, and hence to
    ~ > reset your idle timeout, then you would need to configure a dialer-group
    ~ > on the relevant interface (which I presume is group-async1, as there is
    ~ > no dialer rotary or dialer pool-member configured to bind it to dialer1),
    ~ > which dialer-group should point to a dialer-list.
    ~ >
    ~ > Cheers,
    ~ >
    ~ > Aaron
    ~ >
    ~ > --
    ~ >
    ~ > ~ Actually it seems like it IS working....
    ~ > ~ However, it seems like the AS5800 is not reset the idle timeout when
    ~ > ~ someone passes data!!! Any thoughts on this one?!?!
    ~ > ~
    ~ > ~
    ~ > ~ Matt wrote:
    ~ > ~ > Hi,
    ~ > ~ > I have two AS5800 access servers. They seem to interpret Idle-Timeout
    ~ > ~ > and Ascend-Idle-Limit as Session-Limit or something like that.
    ~ > ~ >
    ~ > ~ > If I set the Idle-Timeout to 30 minutes, people seem to get kicked off
    ~ > ~ > line after 30 minutes with a reason of "Idle-Timeout" even if they were
    ~ > ~ > downloading a file.
    ~ > ~ >
    ~ > ~ > Any thoughts?
    ~ > ~ >
    ~ > ~ >
    ~ > ~ > My config for the groups and async is:
    ~ > ~ >
    ~ > ~ > interface Group-Async0
    ~ > ~ > no ip address
    ~ > ~ > encapsulation slip
    ~ > ~ > no group-range
    ~ > ~ > !
    ~ > ~ > interface Group-Async1
    ~ > ~ > ip unnumbered FastEthernet0/1/0
    ~ > ~ > ip access-group 105 in
    ~ > ~ > ip access-group 105 out
    ~ > ~ > encapsulation ppp
    ~ > ~ > dialer in-band
    ~ > ~ > dialer idle-timeout 0
    ~ > ~ > async dynamic address
    ~ > ~ > async dynamic routing
    ~ > ~ > async mode interactive
    ~ > ~ > peer default ip address pool pool0 pool1 pool2 pool3
    ~ > ~ > compress mppc
    ~ > ~ > ppp pfc remote ignore
    ~ > ~ > ppp acfc remote ignore
    ~ > ~ > ppp authentication chap pap
    ~ > ~ > ppp multilink
    ~ > ~ > group-range 1/6/00 1/11/143
    ~ > ~ > !
    ~ > ~ > interface Dialer1
    ~ > ~ > ip unnumbered FastEthernet0/1/0
    ~ > ~ > encapsulation ppp
    ~ > ~ > no ip route-cache
    ~ > ~ > no ip mroute-cache
    ~ > ~ > dialer in-band
    ~ > ~ > dialer idle-timeout 0
    ~ > ~ > no peer default ip address
    ~ > ~ > no fair-queue
    ~ > ~ > ppp authentication chap pap
    ~ > ~ > ppp multilink
    ~ > ~ > !
    ~ >
     
    Aaron Leonard, Dec 5, 2005
    #6
  7. Matt

    Matt Guest

    Aaron,
    Right, so which is the one you'd want to use to monitor the traffic the
    user is actually putting out (or sucking in) and kick them off if they
    aren't using it?
     
    Matt, Dec 6, 2005
    #7
  8. Matt

    Matt Guest

    Won't putting in the access-list <baz> effectively prohibit any other
    traffic? I basically want to set something like a kilobytes threshold
    where if the person does not transfer xK in Xseconds the system says
    they are idle.

    Additionally, where would you recommend I configure idle-timeout? I
    have two AS5800's. The idle-timeout works on one, but not on the other.
    I just went through the configurations, and as far as I can tell they
    are configuration exactly the same.
     
    Matt, Dec 6, 2005
    #8
  9. ~ Won't putting in the access-list <baz> effectively prohibit any other
    ~ traffic?

    No, in the dialer-group -> dialer-list -> access-list scenario, the
    access list is used ONLY to determine whether the given traffic
    received/transmitted is "interesting" (i.e. warrants placing a new
    call and/or keeping an active call up rather than dropping it.) This
    access list has no effect on what traffic is forwarded given that a
    link is already up.

    ~ I basically want to set something like a kilobytes threshold
    ~ where if the person does not transfer xK in Xseconds the system says
    ~ they are idle.

    interface <blah>
    dialer idle-timeout <Xseconds>
    dialer load-threshold <n>
    dialer-group <woof>
    bandwidth <nK>

    So: if Xseconds elapse where the amount of "interesting traffic" as
    defined in <woof> is less than n/255 * nK, the call should drop.

    ~ Additionally, where would you recommend I configure idle-timeout? I
    ~ have two AS5800's. The idle-timeout works on one, but not on the other.
    ~ I just went through the configurations, and as far as I can tell they
    ~ are configuration exactly the same.


    Too many variables here I'm afraid. The most general approach is to
    configure stuff on a virtual-template and to have all the calls be
    on virtual profiles (interface virtual-access<n>). However, vprofiles
    only get interesting-traffic-based idle timers in 12.2(4)T and above,
    so you should be running current 12.3 mainline to take advantage of this.

    Assuming current 12.3M then, I'd do:


    virtual-profile virtual-template 1
    multilink virtual-template 1
    no virtual-profile if-needed

    interface virtual-template 1
    encapsulation ppp
    ppp timeout idle <nseconds>
    ip idle-group <n> in|out

    access-list 101 [ ... ]

    The downside of using vprofiles is that they typically use more CPU than
    physical B-channel or async interfaces, so if you are challenged CPU power
    wise (as can be the case with an AS5800 with many many calls active), you
    might want to reconsider.

    Cheers,

    Aaron

    ---


    ~ > interface <blah>
    ~ > dialer-group <woof>
    ~ >
    ~ > dialer-list <woof> protocol ip list <baz>
    ~ >
    ~ > access-list <baz> deny <stuff that's not interesting>
    ~ > access-list <baz> permit <stuff that is interesting>
    ~ >
    ~ > Btw, please be aware that IOS provides MANY MANY different places where
    ~ > a dialin modem call can be configured and MANY MANY idle timers that may
    ~ > or may not be applicable:
    ~ >
    ~ > - async lines
    ~ > - [group] async interfaces
    ~ > - legacy dialer interface (dialer rotary)
    ~ > - dialer profile interface
    ~ > - virtual-template interface
    ~ > - commands and timers downloaded from AAA (on virtual profile or on async)
    ~ > - RPM template
    ~ >
    ~ > Timers can include: line session-timeout, interface dialer timeouts,
    ~ > interface PPP timeouts, and probably some stuff I'm forgetting.
     
    Aaron Leonard, Dec 6, 2005
    #9
  10. Matt

    Matt Guest

    Aaron,
    Thanks very much.... again very helpful.
    And we are using Virtual-Templates.
    While I can put the idle timeout IN the template... I'd like to be able
    to use the Idle-Timeout attribute for Ascend/Cisco on my radius server
    to be able to set it that way.. can I?

    The original question was why is my access server not restarting the
    customer's Idle-Timeout?... across 2 AS5800's configured identical (so
    far as I can tell).. the one takes the Idle-Timeout and will reset it
    when the customer pushes any traffic. On the other AS5800, the
    idle-timeout just keeps counting down until the customer is disconnected
    with an "Idle-Timeout" message.
     
    Matt, Dec 6, 2005
    #10
  11. ~ Aaron,
    ~ Thanks very much.... again very helpful.
    ~ And we are using Virtual-Templates.
    ~ While I can put the idle timeout IN the template... I'd like to be able
    ~ to use the Idle-Timeout attribute for Ascend/Cisco on my radius server
    ~ to be able to set it that way.. can I?

    Um ... I guess so, don't know offhand.

    In general you can probably use the cisco avpair lcp:interface-config:<blah>
    (typed from dim memory, syntax only approximate) to push (most) any
    config command out.

    ~
    ~ The original question was why is my access server not restarting the
    ~ customer's Idle-Timeout?... across 2 AS5800's configured identical (so
    ~ far as I can tell).. the one takes the Idle-Timeout and will reset it
    ~ when the customer pushes any traffic. On the other AS5800, the
    ~ idle-timeout just keeps counting down until the customer is disconnected
    ~ with an "Idle-Timeout" message.

    Well, if they behave differently, there must be something different, eh?

    Different IOS version? Different config (grab the configs and diff 'em?)
    Different Radius server behavior? Different client behavior?

    These kind of things can be rather complex to track down ... many debugs,
    not all of them accessible to me from the top of my head, may need to be
    invoked to track this down.

    Cheers,

    Aaron
     
    Aaron Leonard, Dec 6, 2005
    #11
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.