Documente Academic
Documente Profesional
Documente Cultură
V600R008C10
Issue 02
Date 2014-09-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
This document describes the troubleshooting of user access, including information collection
methods, common processing flows, common troubleshooting methods, and troubleshooting
cases.
NOTICE
Note the following precautions:
l The encryption algorithms DES/3DES/SKIPJACK/RC2/RSA (RSA-1024 or lower)/MD2/
MD4/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital
signature scenarios) have a low security, which may bring security risks. If protocols allowed,
using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/
HMAC-SHA2, is recommended.
l If the plain parameter is specified, the password will be saved in plaintext in the configuration
file, which has a high security risk. Therefore, specifying the cipher parameter is
recommended. To further improve device security, periodically change the password.
l Do not set both the start and end characters of a password to "%$%$." This causes the
password to be displayed directly in the configuration file.
Related Versions
The following table lists the product versions related to this document.
Intended Audience
This document is intended for:
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Contents
3 RADIUS Troubleshooting.......................................................................................................163
3.1 The Dynamic ACL Delivered by the RADIUS Server Does Not Take Effect..........................................................164
3.1.1 Common Causes......................................................................................................................................................164
3.1.2 Troubleshooting Flowchart......................................................................................................................................164
3.1.3 Troubleshooting Procedure......................................................................................................................................165
3.1.4 Relevant Alarms and Logs......................................................................................................................................167
1.3 IPv4
1.4 IPv6
1.5 L2TP
For example, assume that the user HUAWEI-100-07002000000100 fails to get online.
<HUAWEI> display aaa online-fail-record username HUAWEI-100-07002000000100@isp1
user-type bind
-------------------------------------------------------------------
User name : HUAWEI-100-07002000000100@isp1
Domain name : isp1
User MAC : 0016-ecb7-a879
User access type : IPoE
User access interface : GigabitEthernet7/0/2.1
Qinq Vlan/User Vlan : 0/100
User IP address : 255.255.255.255
User ID : 14
User authen state : Authened
User acct state : AcctIdle
User author state : AuthorIdle
User login time : 2007/12/04 16:49:07
User online fail reason: PPP with authentication fail
-------------------------------------------------------------------
Info: Are you sure to show some information?(y/n)[y]:n
Check the 1.2 User Login and Logout Cause to find the reason of the login failure.
If the cause of the login failure cannot be found by using the preceding method, the link between
the user and the access device may be faulty. In this case, troubleshoot the link on the network.
Display
AAA access limit
Common Causes
The number of access users using the same account exceeds the upper limit.
Solution
1. Run the display domain domain-name command and check the User-access-limit field in
the output. Run the display access-user domain domain-name command to check the
number of access users using the same account. If the number of access users using the
same account exceeds the upper limit, run the access-limit max-number command in the
AAA view to increase the maximum number of users allowed to access the network using
the same account.
2. Run the display local-user domain domain-name command and check the Access-limit
field in the output. Run the display access-user domain domain-name command to check
the number of local access users using the same account. If the number of local access users
using the same account exceeds the upper limit, run the local-user user-name access-
limit max-number command in the AAA view to increase the maximum number of local
users allowed to access the network using the same account.
Common Causes
The cut access-user command is run manually on the access device to log users out.
Message
AAA send authen request fail
Common Causes
No reachable routes exist between the user and RADIUS server.
Troubleshooting Procedure
Run the ping command or check the routing table to check whether there are reachable routes
between the user and RADIUS server.
Display
AAA with Authentication no response
Common Causes
When being authenticated by a remote or local server, a user does not receive any responses
from the authentication server before the authentication timeout period expires.
Solution
Run the display this command in the AAA view and check the name of the RADIUS server
group that is bound to the user domain. Run the display RADIUS-server configuration
group group-name command and check the Authentication-server field in the output to obtain
the IP address of the authentication server. Run the ping ip-address command to check whether
the authentication server is reachable. If the ping fails, see The Ping Operation Fails for details
on how to resolve the problem.
Display
AAA with authorization data error
Common Causes
The Remote Authentication Dial In User Service(RADIUS) server has delivered an incorrect
attribute value or the access device has no corresponding RADIUS attributes. Therefore, adding
user authorization information fails.
Display
AAA with flow limit
Common Causes
The service traffic of a user reaches the upper limit.
Solution
Check whether the remaining traffic of the user on the accounting server is 0. If there is no
remaining traffic, the user is logged out normally and no further action is required.
Message
AAA with local bill pool no space
Common Causes
The local bill pool is full.
Troubleshooting Procedure
1. Run the display local-bill information command to check the number of total local bills
and unused local bills. If the number of unused local bills (Void-No field) is 0, the local
bill pool is full.
2. Run the local-bill { cache | cfcard } backup-interval backup-interval command to enable
the device to automatically back up local bills to a bill server at a specified interval or run
the local-bill cache backup or local-bill cfcard backup command to manually back up
local bills to a bill server.
Display
AAA with pool filled fail
Common Causes
Obtaining the address pool list fails.
Solution
Contact Huawei technical support personnel.
Display
AAA with RADIUS decode fail
Common Causes
The RADIUS server has delivered attributes in an incorrect format. As a result, parsing a
RADIUS authentication response packet fails.
Display
AAA with RADIUS server cut command
Common Causes
The RADIUS server forces a user to log out.
Display
AAA with realtime accounting fail
Common Causes
The IP address of the accounting server is unreachable, and therefore real-time accounting for
a user fails.
Display
AAA with start accounting fail
Common Causes
The IP address of the accounting server is unreachable, and therefore starting accounting for a
user fails.
Display
AAA with stop accounting fail
Common Causes
The IP address of the accounting server is unreachable, and therefore stopping accounting for a
user fails.
Display
AM with lease timeout
Common Causes
A user does not extend the IP address lease, or the link at the user side is faulty so that the packets
for requesting extension of the IP address lease are lost. As a result, the IP address lease of the
user expires.
Display
AM with Renew lease timeout
Common Causes
The access device cannot communicate with the DHCP server, and therefore a PPPoE user fails
to apply for extension of the IP address lease to the DHCP server.
Display
ARP with detect fail
Common Causes
l The intermediate transmission device discards or modifies ARP probe packets.
l Fibers or optical modules are not properly installed or a link fault occurs.
l There are too many probe response packets, and therefore some are dropped.
Display
Authenticate fail
Common Causes
The user name or password used for authentication is incorrect.
Display
Authentication method error
Common Causes
The requested authentication type is different from the authentication type configured on the
interface from which the user gets online.
Display
Author of IP address and ip-include conflict
Common Causes
The address pool in the dual-stack user domain is configured incorrectly.
Display
Bas interface access limit
Common Causes
l The number of online users on a BAS interface reaches the upper limit.
l The number of online users on the physical interface for the BAS interface reaches the
upper limit.
Procedure
1. Check whether the number of online users on a BAS interface reaches the upper limit.
Run the display bas-interface command to check Access limit configured for the BAS
interface. Run the display access-user interface command to check the number of online
users on the BAS interface.
l If the number of online users reaches Access limit, run the access-limit command in
the AAA domain view to set a larger access limit value.
l If the number of online users does not reach Access limit, perform Step 2.
2. Check whether the number of online users on the physical interface for the BAS interface
reaches the upper limit.
Run the display this command to check port-access-limit configured for the physical
interface for the BAS interface. Run the display access-user interface command to check
the number of online users on the physical interface for the BAS interface.
l If the number of online users on the physical interface for the BAS interface reaches
port-access-limit, run the port-access-limit command to set a larger port access limit
value.
l If the number of online users on the physical interface for the BAS interface does not
reach port access limit, contact Huawei technical personnel.
Display
Block domain force user to offline
Common Causes
The timer for blocking a domain expires, and therefore the domain users are forced offline.
Display
Cannot get all of authorized IP address
Common Causes
When a PPPoE or L2TP user went online, two or all of the IPv4, DHCPv6, and PD addresses
were assigned to the user in the domain or authorized to the user by a server. However, the client
initiated the negotiation of only one or two of these addresses. After the timer expired, the user
was logged out.
Display
CM with AAA auth ack time out
Common Causes
No AAA authentication response is received before the due time.
Solution
Contact Huawei technical support personnel.
Display
CM with AAA connect check fail
Common Causes
Mappings between the UCM entries and AAA entries are incorrect.
Solution
Contact Huawei technical support personnel.
Display
CM with AAA ipv6 update ack time out
Common Causes
Waiting for an IPv6 entry update response from the AAA module times out.
Solution
Contact Huawei technical support personnel.
Display
CM with AAA logout ack time out
Common Causes
Waiting for an AAA logout response times out.
Solution
Contact Huawei technical support personnel.
Message
CM with access limit
Common Causes
The number of online users exceeds the allowable maximum number.
Troubleshooting Procedure
1. Run the display domain domain-name command to check whether the number of online
users exceeds the maximum number configured in the domain or delivered by the RADIUS
server.
2. If the number of online users exceeds the maximum number, run the access-limit max-
number command to reconfigure the allowable maximum number.
Display
CM with Framed IP address invalid
Common Causes
The IP address assigned by the RADIUS server has already been assigned to another device,
and therefore the IP address is invalid.
Message
CM with Ifnet down
Common Causes
The board or subcard for user login is reset or removed.
Troubleshooting Procedure
1. Run the display interface interface-type interface-number command to check the
interface's physical status (the GigabitEthernetX/X/X current state field) and link layer
protocol status (the Line protocol current state field).
l If both the physical status and link layer protocol status are Up, contact Huawei technical
support personnel.
l If only one or no status is Up, go to Step 2.
2. If the reset command is run, wait for the board or subcard to restart. If the board or subcard
is removed, reinstall it.
Display
CM with Ifnet ipv6 protocol down
Common Causes
IPv6 has been disabled on the access device or an access interface. As a result, IPv6 on the access
interface goes Down, causing an IPv6 user to be logged out or fail to log in.
Display
CM with IP address alloc fail
Common Causes
The UCM module fails to obtain an IP address.
Solution
Contact Huawei technical support personnel.
Common Causes
An L2TP session fails to be set up.
Feature Type
L2TP
Solution
Contact Huawei technical support personnel.
Message
CM with PPP ipv6 conn up time out
Common Causes
IPv6 access is configured in a domain, but users do not use IPv6 to go online.
Troubleshooting Procedure
l If users do not use IPv6 to go online, delete the IPv6 access configuration from the domain.
Common Causes
A BAS interface is blocked using the following command: block [ start-vlan { start-vlan [ end-
vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/
start-vci [ end-vpi/end-vci ] ]
Solution
Check whether the BAS interface is blocked.
l Run the display bas-interface command in the user view and check whether Manager
state is Block and whether Block PE VLAN/CE VLAN has a value in the command
output.
– If Manager state is Block, the BAS interface is blocked. Check whether you need to
block the BAS interface. If you do not want to block it, run the undo block [ start-
vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan
[ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ] command in the BAS
interface view.
– If Manager state is not Block, check whether Block PE VLAN/CE VLAN has a value.
– If Block PE VLAN/CE VLAN has a value, a specified VLAN is blocked on the
BAS interface. Check whether you need to block the VLAN on the BAS interface.
If you do not want to block it, run the undo block [ start-vlan { start-vlan [ end-
vlan end-vlan ] [ qinq pe-vlan ] | any qinq start-qinq-vlan [ end-qinq-vlan ] } |
pvc start-vpi/start-vci [ end-vpi/end-vci ] ] command in the BAS interface view.
– If Block PE VLAN/CE VLAN does not have a value, contact Huawei technical
support personnel.
Display
Dhcp decline
Common Causes
The DHCP client sends a DHCPDECLINE message to the DHCP server because it detects that
the IP address it is assigned has already been assigned to another client.
Feature Type
IPoE (IP over Ethernet)
Message
DHCP lease timeout
Common Causes
A DHCP user does not extend the IP address lease, or the user-side link fails. As a result, renewal
messages are lost.
Troubleshooting Procedure
1. Check whether renewal messages are correctly sent by the client.
2. Troubleshoot the user-side link failure.
3. Run the lease days [ hours [ minutes ] ] command in the IP address pool view to modify
the DHCP user IP address lease.
Display
Dhcp release
Common Causes
The UCM module instructs the AM module to reclaim an IP address that has been assigned by
the remote DHCP server.
Feature Type
IPoE
Solution
Contact Huawei technical support personnel.
Message
DHCP receive discover from a working user
Common Causes
A device has received Discover messages from online IPv4 users but does not have DHCPv4
message transparent transmission enabled.
Troubleshooting Procedure
1. Run the display this command in the system view to check whether DHCPv4 message
transparent transmission is enabled (whether undo dhcp through-packet is displayed in
the command output).
l If the undo dhcp through-packet command is not displayed, contact Huawei technical
support personnel.
l If the undo dhcp through-packet command is displayed, go to Step 2.
2. Run the dhcp through-packet command in the system view to enable DHCPv4 message
transparent transmission.
Display
Dhcp repeat packet
Common Causes
An online user sends DHCPDISCOVER packets again. As a result, the DHCP server considers
the user offline and logs out the user.
Feature Type
IPoE
Message
Dhcp sever speed limit
Common Causes
The rate at which a DHCPv4 server sends messages exceeds the configured speed limit.
Troubleshooting Procedure
1. Run the display dhcp-server item ip-address command to check the speed limit (Speed
Limit field) of a DHCPv4 server.
l If the speed limit does not need to be adjusted, contact Huawei technical support
personnel.
l If the speed limit needs to be adjusted, go to Step 2.
2. Run the dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed
packet-number time command in the system view to reconfigure a speed limit at which a
DHCPv4 server sends messages.
Display
DHCP wait client packet timeout
Common Causes
The fault that Dynamic Host Configuration Protocol(DHCP) packets from a user are lost is
commonly caused by one of the following:
Feature Type
IPoE
Solution
Troubleshoot the fault based on the actual networking and service requirements.
NOTE
If DHCP snooping or broadcast suppression is configured on a transit device, DHCP packets may be
dropped mistakenly by the transit device.
Display
DHCP with IP address conflict
Common Causes
An IP address conflict was detected.
Feature Type
IPoE
Solution
Contact Huawei technical support personnel.
Display
Dhcp with MTU limit
Common Causes
The MTU value configured on an interface is too small, and therefore the interface cannot send
DHCP packets.
Feature Type
IPoE
Display
DHCP with server nak
Common Causes
Multiple DHCP servers are deployed on the network. The IP address that a client obtains is
assigned by a DHCP server but not the access device, and therefore the IP address is not within
the assignable IP address segment of the access device.
Feature Type
IPoE
Display
DHCP with server no response
Common Causes
When applying for an IP address to the remote server, the access device receives no response
from the server. The fault is commonly caused by one of the following:
Feature Type
IPoE
Message
DHCPV6 client decline
Common Causes
The DHCPv6 client sends a Decline message to the DHCPv6 server because the client detects
that the IP address it is assigned has already been assigned to another client.
NOTE
To check whether the IPv6 prefix pool contains a conflicting prefix address, run the display ipv6 prefix
prefix-name used command. If Status is displayed as conflict, a conflict occurs.
Troubleshooting Procedure
1. Allow the user to go online again.
2. If the user still cannot log in, no available addresses exist in the IPv6 address pool. Run the
display ipv6 pool pool-name command to check the name of the IPv6 prefix pool bound
to the IPv6 address pool and run the prefix prefix-address/prefix-length command in the
IPv6 prefix pool view to
reconfigure an IPv6 address prefix.
Display
DHCPV6 client release
Common Causes
A Dynamic Host Configuration Protocol for IPv6 (DHCPv6) client sends a DHCP Release
packet to release its IP address.
l A PPPoE/LNS dual-stack user is configured to get offline when either of the user's IP
addresses is released. The client sends a DHCP Release packet to release its IPv6 address.
l A DHCPv6 client is an IPv6 user, and the DHCPv6 client sends a DHCP Release packet
to release its IP address.
l An IPv4/IPv6 dual-stack user uses DHCPv6 to apply for its IPv6 address. When the user
goes offline, its IPv4 address is released first, and the client sends a DHCP Release packet
to release its IPv6 address.
Display
DHCPV6 ip alloc fail
Common Causes
l No IPv6 address pool is configured in the AAA domain.
l The IPv6 address pool is locked.
Procedure
1. Run the display this command in the AAA view to check domain configurations. If no
IPv6 address pool is configured, configure one. If an IPv6 address pool exists, go to Step
2.
2. Run the display this command in the IPv6 address pool view to check whether the IPv6
address pool has the lock command configuration. If this command configuration exists,
run the undo lock command to delete the configuration.
Message
DHCPV6 lease expired
Common Causes
A DHCPv6 user does not extend the IP address lease, or the user-side link fails. As a result,
renewal messages are lost.
Troubleshooting Procedure
1. Check whether renewal messages are correctly sent by the client.
2. Troubleshoot the user-side link failure.
3. Run the lifetime preferred-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite } valid-lifetime { days days-value [ hours hours-value
[ minutes minutes-value ] ] | infinite } command in the IPv6 prefix pool view to modify
the IPv6 prefix lease.
Message
DHCPV6 packet speed limit
Common Causes
The rate at which a DHCPv6 server sends messages exceeds the configured speed limit.
Troubleshooting Procedure
1. Run the displaydhcpv6-server item ipv6-address command to check the speed limit
(Speed Limit field) of a DHCPv6 server.
l If the speed limit does not need to be adjusted, contact Huawei technical support
personnel.
l If the speed limit needs to be adjusted, go to Step 2.
2. Run the dhcpv6-server ipv6-address [ vpn-instance vpn-instance ] send-solicit-speed
packet-number time command in the system view to reconfigure a speed limit at which a
DHCPv6 server sends messages.
Message
DHCPV6 repeat solicit
Common Causes
A device has received Solicit messages from online IPv6 users but does not have DHCPv6
message transparent transmission enabled.
Troubleshooting Procedure
1. Run the display this command in the system view to check whether DHCPv4 message
transparent transmission is enabled (whether undo dhcpv6 through-packet is displayed
in the command output).
l If the undo dhcpv6 through-packet command is not displayed, contact Huawei
technical support personnel.
l If the undo dhcpv6 through-packet command is displayed, go to Step 2.
2. Run the dhcpv6 through-packet command in the system view to enable DHCPv6 message
transparent transmission.
Message
DHCPV6 wait client timeout
Common Causes
Common causes are as follows:
l A DHCPv6 client does not receive the Advertise message from a DHCPv6 server.
l A DHCPv6 client fails to process the Advertise message from a DHCPv6 server.
l The link between a DHCPv6 client and server fails. As a result, the Request message from
the DHCPv6 client is lost.
Troubleshooting Procedure
Contact Huawei technical support personnel.
Message
DHCPV6 wait server timeout
Common Causes
The link between a device and DHCPv6 server fails, or the DHCPv6 server goes Down.
Troubleshooting Procedure
1. Check whether the DHCPv6 server can be pinged.
l If the ping fails, check whether the link fails. If the link fails, troubleshoot the link
failure.
l If the ping succeeds, the physical link is working properly. Then go to Step 2.
2. Run the display dhcpv6-server item ipv6-address command to check whether the
DHCPv6 server is Up.
l If the DHCPv6 server is not Up, troubleshoot the DHCPv6 server Down failure.
l If the DHCPv6 server is Up, contact Huawei technical support personnel.
Message
Fill HQOS to ucm fail
Common Causes
The RADIUS-delivered QoS profile is not configured on the local device.
Troubleshooting Procedure
1. Run the display qos-profile configuration command to check whether a RADIUS-
delivered QoS profile is configured on the local device. By default, the device automatically
convert all QoS profile names to lowercase.
2. Perform either of the following operations:
a. If the RADIUS-delivered QoS profile is not configured on the local device, run the
radius-attribute qos-profile no-exist-policy online command in the RADIUS server
group view to allow users to keep online.
b. If the RADIUS-delivered QoS profile is configured on the local device but is
automatically changed to lowercase, the device fails to fill the HQoS parameter with
the originally delivered uppercase profile name. When this problem occurs, run the
radius-attribute case-sensitive qos-profile-name command in the RADIUS server
group view to allow the device to support case-sensitive QoS profiles.
Display
Gateway different from former
Common Causes
A user obtains an incorrect IP address, or the address pool configured on the access device has
been modified. As a result, when the user sends ARP packets for getting online, the IP address
that the user uses is not within the address pool.
Display
GTL license needed
Common Causes
The GTL license of the BRAS LPU from which a user gets online is not activated.
Display
Idle cut
Common Causes
The traffic volume of a user in the specific period of time is smaller than the set minimum traffic
volume of the BRAS, and therefore the user is forced offline.
Solution
Run the idle-cut idle-time idle-data command in the AAA domain view to change the idle time
of cutting a connection.
Message
Idle timeout
Common Causes
The idle-cut function is configured, and the user traffic idle time exceeds the configured value.
Troubleshooting Procedure
1. Run the display domain domain-name command to check the configured idle-cut time
(Idle-data-attribute(time,flow) field).
2. If the configured idle-cut time needs to be modified, run the idle-cut idle-time { idle-
data | zero-rate } [ inbound | outbound ] command in the AAA domain view.
Display
Interface delete
Common Causes
The interface from which a user gets online is deleted.
Display
Interface down
Common Causes
The shutdown command is run on the interface from which a user gets online, or the physical
link of the interface is faulty. As a result, the user is offline.
Display
Interface on Master down
Common Causes
The shutdown command is run on the interface from which a user gets online, or the physical
link of the interface is faulty. In addition, a master/slave MPU switchover is performed when
the user is logged out.
Display
IP alloc fail for trigger user
Common Causes
The IP address that a user applies for has been assigned to another user, and therefore the IP
address fails to be assigned to the user.
Display
IP address conflict
Common Causes
The IP address assigned by the RADIUS server to a user has already been used.
Procedure
Re-plan an IP address for this user on the RADIUS server.
Display
IPv6 address conflicts too much times
Common Causes
There are attack devices on the network, causing more than three address conflicts.
Display
L2TP cut command
Common Causes
The reset tunnel command is run on the access device.
Feature Type
L2TP
Display
L2TP peer cleared tunnel
Common Causes
The LAC or LNS detects user logouts, and therefore tears down the tunnel (between the LAC
and LNS) for the logout users.
Feature Type
L2TP
Solution
Contact Huawei technical support personnel.
Display
L2TP remote slot
Common Causes
A board for L2TP user access is faulty, causing users that have gone online from the board to
be logged out.
Feature Type
L2TP
Display
L2TP request offline
Common Causes
An L2TP user sends a logout request.
Feature Type
L2TP
Solution
Contact Huawei technical support personnel.
Display
L2TP service is unavailable
Common Causes
L2TP is not enabled on the access device.
Feature Type
L2TP
Display
L2TP sessionlimit
Common Causes
The number of users whose services are transmitted using the same L2TP tunnel reaches the
upper limit that is configured on the access device or delivered by the RADIUS server.
Feature Type
L2TP
Display
LAC clear session
Common Causes
When the LAC is faulty or detects that L2TP users are offline, the LAC sends requests to log
out related users to the LNS.
Feature Type
L2TP
Solution
"LAC clear session" is displayed on the LNS that runs properly. Run the display aaa offline-
record, display aaa online-fail-record, and display aaa abnormal-offline-record commands
on the LAC to check the offline reason. Then, further locate the fault based on the offline reason
and troubleshooting manuals.
Display
LAC clear tunnel
Common Causes
The LAC detects a user logout, and therefore tears down the tunnel for the user.
Feature Type
L2TP
Message
LAM access type is no match
Common Causes
The login user type and locally configured user type do not match.
Troubleshooting Procedure
1. Run the display local-user user-name command to check whether the configured user type
(the Service-type value) is the same as the login user type.
2. If the user types are not the same, run the local-user user-name service-type { ftp | ppp |
ssh | telnet | terminal | mml | qx } * command to set the local user type to be the same as
the login user type.
Message
LAM authentication fail
Common Causes
The local authentication password is incorrect.
Troubleshooting Procedure
1. Run the display local-user user-name command to check whether the local user's password
(the Password value) is the same as the login password.
2. If the local user's password is not same as the login password, run the undo local-user
user-name command to delete the local user and run the local-user user-name password
{ cipher cipher-password | irreversible-cipher irreversible-password } command to
recreate a local user and password.
Message
LAM user does not exist
Common Causes
The local user does not exist.
Troubleshooting Procedure
1. Run the display local-user command to check whether the local user exists.
2. If no such local user exists, run the local-user user-name password { cipher cipher-
password | irreversible-cipher irreversible-password } command to create such a local
user.
Message
LAM user state is block
Common Causes
The number of times that incorrect passwords are entered exceeds the threshold.
Troubleshooting Procedure
1. Run the display local-user user-name command to check whether the local user is blocked.
2. If the local user is blocked, the user will automatically be unblocked after the interval
specified by the local-user user-name state block fail-times interval interval command
expires. Alternatively, run the local-user user-name state active command to manually
unblock the user.
Display
LNS clear session
Common Causes
The LNS is faulty or detects that an L2TP user logs out, and therefore sends a request to log out
the user to the LAC.
Feature Type
L2TP
Solution
"LNS clear session" is displayed on the LAC that runs properly. Run the display aaa offline-
record, display aaa online-fail-record, and display aaa abnormal-offline-record commands
on the LNS to check the offline reason. Then, further locate the fault based on the offline reason
and troubleshooting manuals.
Common Causes
The LNS detects local user logouts, and therefore tears down the corresponding tunnels.
Feature Type
L2TP
Common Causes
The number of multicast users that apply for downstream CAR resources exceeds the LNS-side
board specification.
Troubleshooting Procedure
A maximum of 32,768 (32K) multicast users are allowed to apply for downstream CAR
resources on an LNS-side board. If the number of users exceeds the specification, contact Huawei
technical support personnel.
Message
Local authen reject
Common Causes
The login password is incorrect.
Troubleshooting Procedure
1. If the password is in plaintext, re-log in with the password.
2. If the password is in ciphertext, run the local-user user-name password { cipher cipher-
password | irreversible-cipher irreversible-password } command to reconfigure a
password.
Message
local no this user
Common Causes
The local user is not configured on the device.
Troubleshooting Procedure
1. Run the display local-user command to check all local users.
2. If no such local user exists, run the local-user user-name password { cipher cipher-
password | irreversible-cipher irreversible-password } command to create such a local
user.
Display
Mac-user ppp-preferred
Common Causes
PPP take precedence over DHCP when users attempt to get online from the access device.
Therefore, when a user uses PPP to get online after getting online using DHCP, it is logged out
as a DHCP user.
Message
ND Detect Fail
Common Causes
Common causes are as follows:
Troubleshooting Procedure
Contact Huawei technical support personnel.
Message
ND Repeat Request
Common Causes
A device receives an online user's ND login request.
Troubleshooting Procedure
1. Check whether the user has roamed.
l If the user has not roamed, the ND login request may be an attack. Contact Huawei
technical support personnel to resolve this problem.
l If the user has roamed, go to Step 2.
2. Run the display access-user mac-address mac-address command to check whether there
is information about the online ND user.
l If there is information, the roaming user has re-logged in, and no action is required.
l If there is no information, go to Step 3.
3. Run the dhcp session-mismatch action offline command in the BAS interface view to
enable the interface to log out the online user when the user resends DHCP or ND login
requests.
Common Causes
The RADIUS server mistakenly delivers the IP address of the access device to a PPPoE user.
Common Causes
The IPv6 address (consisting of an interface ID delivered by the RADIUS server and an IP
address prefix) has been assigned to another user.
Solution
Contact Huawei technical support personnel.
Common Causes
No IP address can be assigned.
Solution
Contact Huawei technical support personnel.
Display
No prefix available
Common Causes
No IP address prefix can be assigned.
Solution
Contact Huawei technical support personnel.
Display
No response of control packet from peer
Common Causes
The remote end fails to respond to all protocol packets along the L2TP tunnel. And then the
tunnel goes Down. The problem may be caused by a link failure, performance fault of the remote
end, or packet loss due to the CAR on the NE80E/40E.
Feature Type
L2TP
Message
Not bind IPv6 pool or ip alloc fail
Common Causes
No IPv6 address pools are configured in the domain, or the DHCPv6 server fails to assign IPv6
addresses.
Troubleshooting Procedure
1. Run the display domain domain-name command to check whether IPv6 address pools (the
IPv6-Pool-name value) are configured in the domain.
2. If no IPv6 address pools are configured, run the ipv6-pool pool-name command in the
domain view to configure an IPv6 address pool.
3. If the DHCPv6 server fails to assign IPv6 addresses, reapply for addresses.
Display
Online user number exceed GTL license limit
Common Causes
The number of online users exceeds the limit allowed by the GTL license.
Display
Packet Authenticator Error
Fault Symptom
In Web authentication mode, a user fails to be authenticated.
Common Causes
l The key in an authentication packet sent by the portal server is different from the key
calculated by the HUAWEI NetEngine80E/40E.
Procedure
Check whether the key configured on the HUAWEI NetEngine80E/40E is the same as that
configured on the portal server.
l If the keys are different, run the web-auth-server server-ip [ vpn-instance instance-
name ] [ port portnum [ all ] ] [ key key ] [ NAS-ip-address ] command to change the key
to the same as that on the portal server.
l If the keys are the same, check whether the user can be authenticated successfully. If the
authentication is successful, no action is required.
Display
PPP negotiate fail
Common Causes
PPP negotiation is interrupted.
Solution
Mirror on the interface from which the user gets online. Check PPP packets, and locate the fault
based on interaction packets.
NOTE
l If the user sends the same type of PPP negotiation packet many times, check whether the access device
supports this type of PPP negotiation.
l Check the type and content of the negotiation packet that the user sends before the LCP or PPPoE
termination packet to confirm whether the access device supports this type of PPP negotiation.
Display
PPP up recv lcp again
Common Causes
A user tears down and re-initiates a connection, and therefore the access device receives LCP
negotiation packets.
Feature Type
PPP
Display
PPP user over LNS request
Common Causes
A user fails to set up a session, and therefore the user fails to get online.
Feature Type
PPP
Solution
Contact Huawei technical support personnel.
Display
PPP user request
Common Causes
A PPP user sends a logout request.
Feature Type
PPP
Display
PPP with authentication fail
Common Causes
l Too many users attempt to get online in a specified period of time.
l The CPU usage is too high (remaining above than 95%).
Feature Type
PPP
Solution
Run the display this command in the AAA view to check whether the access speed command
has been configured. If the access speed command has been configured, check whether the user
access rate exceeds the upper limit.
Run the display cpu-usage command to check the CPU usage. If the CPU usage remains above
than 95%, locate and resolve this problem.
Display
PPP with echo fail
Common Causes
l The intermediate transmission device discards or modifies probe packets.
l Fibers or optical modules are improperly installed or a link fault occurs.
Solution
Run the display aaa offline-record command to check the user login time and logout time.
Run the display this command in the virtual template (VT) view to check the interval at which
PPP Keepalive packets are sent.
l If the difference between the user login time and logout time is equal to the interval, user
packets are properly transmitted but no response to KeepAlive packets is received. Get
packets head on the downstream device to check where the response packets are discarded
and rectify the fault.
l If the difference between the user login time and logout time is unequal to the interval,
KeepAlive packets can be received and there are responses to KeepAlive packets. In this
situation, check whether the user functions properly and rectify any detected fault.
Display
Pre-authentication domain has value-added-service
Common Causes
l Value-added-service (VAS) cannot be bound to the pre-authentication domain. If VAS is
configured in the pre-authentication domain, web users cannot be switched to the
authentication domain and fail to log in.
Solution
l Run the display this command in the pre-authentication domain to view whether VAS is
bound to the pre-authentication domain.
– If VAS is bound to the pre-authentication domain, run the undo value-added-service
policy command to delete VAS from the pre-authentication domain.
– If VAS is not bound to the pre-authentication domain, contact Huawei technical support
personnel.
Display
RADIUS alloc incorrect IP
Common Causes
The address pool containing the IP address that the RADIUS server assigns to an IPoE user
cannot be found on the access device.
Message
RADIUS authentication reject
Common Causes
The user name or password is different from that on the RADISU server.
Troubleshooting Procedure
Check whether the login user name or password and that on the RADIUS server are the same.
If not the same, change them to be the same and reapply for login.
Common Cause
The AC sends a request to the RADIUS server to log out the user.
Message
RADIUS decode packet fail
Common Causes
The device-delivered RADIUS attribute or format is different from that defined in the RADIUS
attribute document.
Troubleshooting Procedure
1. Run the debugging radius packet command to enable the debugging on RADIUS packets
and check the device-delivered RADIUS attribute or format.
2. Contact Huawei technical support personnel to check whether the device-delivered
RADIUS attribute or format is the same as that defined in the RADIUS attribute document.
If not the same, contact Huawei technical support personnel for modification.
Common Causes
A user does not extend the short lease of an IP address, or the link at the user side is faulty so
that the packets for requesting the extension of the short lease are lost. As a result, the short lease
of the IP address expires.
Display
RUI request cold backup user offline for slave
Common Causes
In the dual-system hot backup scenario, when the remote backup template on the master access
device becomes backup, the users that do not support dual-system host backup are logged out.
The possible cause is that VRRP tracked by the remote backup profile on the local access device
detects a fault on a network-side port, or a fault of peer VRRP that has a higher priority than
VRRP on the local access device is rectified.
Display
RUI request offline
Common Causes
RUI triggers a user logout.
Display
Sending RADIUS packets failed due to speed-limit
Common Causes
The user access rate exceeded the threshold.
Procedure
1. Check the CPU usage of the router and neighboring NEs, such as the RADIUS server and
DHCP server. If their CPU usage is high, the user access rate limit is proper. Adjusting the
user access rate is not recommended.
2. Check the performance of the router and neighboring NEs. If their performance is adequate
for higher user access rate, run the access-speed command in the AAA view to set a higher
user access rate.
Display
Service unavailable
Common Causes
An L2TP user attempts to log in to the access device where L2TP is disabled.
Display
Session time out
Common Causes
A user has no remaining online time.
Message
Session timeout
Common Causes
The duration quota that a RADIUS delivers to a user is exhausted.
Troubleshooting Procedure
After the user's duration quota is exhausted, if the user needs to re-log in, the user must renew
the fee or apply for a new duration quota.
Message
Soft-GRE active user over limit
Common Causes
The number of active soft-GRE users exceeds the maximum number supported by a device.
Troubleshooting Procedure
l Log out idle active users.
Display
Srvcfg cut command
Common Causes
A command is run to delete leased-line users.
Display
SRVCFG failed to process
Common Causes
The access device fails to select a user authentication type.
Solution
Contact Huawei technical support personnel.
Message
TACACS authentication reject
Common Causes
The user name or password is different from that on the TACACS server.
Troubleshooting Procedure
Check whether the login user name or password and that on the TACACS server are the same.
If not the same, change them to be the same and reapply for login.
Display
The domain does not bind IPv6 pool
Common Causes
No IPv6 address pool is bound to a user domain, and therefore IPv6 users in the domain cannot
get online.
Common Causes
No address pool is bound to a user domain, and therefore users in the domain cannot get online.
Common Causes
l The RADIUS server fails.
l The RADIUS server is unreachable to the router at the IP layer, which may be caused by
an intermediate device failure.
Procedure
1. Run the ping command to check whether the RADIUS server is reachable to the router at
the IP layer. If the RADIUS server is unreachable to the router, check whether an
intermediate device fails. If so, rectify the fault. If the RADIUS server is reachable to the
router, go to Step 2.
2. Check whether the RADIUS server is working properly. If the RADIUS server is not
working properly, rectify the server fault.
Common Causes
l The VPN instance configured in an AAA domain is different from that configured in any
address pool bound to the AAA domain.
l A device is configured to trust the VPN instance bound to a BAS interface in the AAA
domain view, but the VPN instance on the BAS interface is different from that configured
in any IP address pool bound to the AAA domain.
Troubleshooting Procedure
1. Run the display this command in the AAA domain view to check whether a device is
configured to trust the VPN instance bound to the BAS interface through which Layer 2
Message
Up to user max session
Common Causes
The number of access sessions set up by users with the same user name exceeds the upper limit.
Troubleshooting Procedure
1. Run the display domain domain-name command to check the upper limit of the access
sessions set up by users with the same user name.
2. If the number of access sessions set up by users with the same user name exceeds the upper
limit, run the user-max-session max-session-number [ case-insensitive local-user-
name ] command to increase the upper limit.
Common Causes
The user access speed is too fast.
Display
User info is conflict with rui user
Common Causes
A fault occurs at the network side in the dual-system hot backup networking, causing the users
of the master device to get offline. Online users, however, are not synchronized to the backup
device. As a result, RUI forces these online users to go offline.
Message
User's password expired
Common Causes
A user's password expires.
Troubleshooting Procedure
1. Run the display local-user user name user-name command to check whether the user's
password expires.
l If Password expired is displayed as no, the password has not expired. In this situation,
contact Huawei technical support personnel.
l If Password expired is displayed as yes, the password expires. In this situation, go to
Step2.
2. Run the local-user user-name password { cipher cipher-password | irreversible-cipher
irreversible-password } command in the AAA view to re-create a password.
3. To modify the password lifetime, run the user-password expire expire-time prompt
prompt days command in the AAA view to set a password lifetime and enable a device to
prompt users to change the password n days (specified by prompt days) before the
password expires.
Message
VPDN license not enable
Common Causes
The GTL license file does not contain the L2TP function.
Troubleshooting Procedure
Run the display license command to check whether LCR5L2TP00 Function YES LNS<S
Function is displayed in the command output.
l If LCR5L2TP00 Function YES LNS<S Function is displayed, the GTL license file
contains the L2TP function. In this situation, contact Huawei technical support personnel.
l If LCR5L2TP00 Function YES LNS<S Function is not displayed, the GTL license
file does not contain the L2TP function. In this situation, reapply for a GTL license file that
contains the L2TP function.
Common Causes
A Web user sends a logout request.
Feature Type
Web
1.3 IPv4
Typical Networking
I n t e rn e t
subscriber Router
I n t e rnet
I n t e rn et
subscriber LAN Switch LAN Switch Router
Internet
DSLAM Router
Troubleshooting Flowchart
Yes
Yes
No Technical
Fault removed?
support
Yes
End
Troubleshooting Procedure
Procedure
Step 1 Check whether the user passes authentication.
l If user authentication fails, check the authentication domain and pre-authentication domain
configurations based on the authentication mode.
l If user authentication is successful, go to Step 2.
Step 2 Check whether the user has obtained an IP address.
The IP addresses of IPoX users can be assigned by the local router or the remote DHCP server:
l If the IP address is assigned by the local device, check the configuration of the local address
pool.
l If the IP address is assigned by the remote DHCP server, check the communication between
the local device and the DHCP server.
Step 3 Enable service tracing to locate the fault through the login process.
Step 4 Enable debugging.
The output information of debugging is more specific than the service tracing information. It
helps you locate the fault.
If the fault persists, contact Huawei engineers.
NOTE
----End
Typical Networking
I n t e rnet
subscriber Router
I nt e r net
I nt e rnet
subscriber LAN Switch LAN Switch Router
Internet
DSLAM Router
Troubleshooting Flowchart
No Remove
Configuration
proper? configuration fault
Yes
Display tracing
information
No
Tracing info Remove
displayed? device fault
Yes
LCP Yes
negotiation Authentication No Remove
successful? successful? authentication failure
No Yes
No
Remove NCP negotiation Remove IP address
device fault successful? allocation failure
Yes
Remove
accounting failure
No
Fault removed? Technical
support
Yes
End
Troubleshooting Procedure
Procedure
Step 1 Run the display aaa online-fail-record command to display the cause of online failure.
<HUAWEI> display aaa online-fail-record username test@hauwei
-------------------------------------------------------------------
Here, User online fail reason indicates why the user fails to go online. From the information,
you can judge the fault and find out how to locate the fault.
Radius authentication send fail Indicates the failure to send the RADIUS
authentication request.
Local Authentication user type not match Indicates that the user type does not match
with the local domain.
Local Authentication user block Indicates that the account is not activated
in the local authentication.
NOTE
If the service tracing function outputs no information, it indicates that the user sends no packets to the
router. The possible causes are as follows:
l User access type is incorrect.
l The authentication method is incorrect.
l The physical port is not bound to any VT.
l The physical connections on the device are incorrect.
l The layer 2 devices are configured incorrectly.
Step 6 Obtain the packets at the client to check whether the LCP negotiation is complete.
By obtaining packets, you can learn whether the LCP negotiation failure is caused by the NE80E/
40E, the client, or the improper interoperation between them.
1. A non-standard PPPoE client sends the config-request packet to the NE80E/40E. The
NE80E/40E responds with a config-nak/config-reject packet. If the client keeps the
attributes in the config-request packet unmodified, the LCP negotiation fails.
2. The NE80E/40E is configured with the Challenge-Handshake Authentication Protocol
(CHAP) authentication while the client is configured with the PAP authentication. The LCP
negotiation fails.
If the local authentication for some reasons, for example, invalid local account, inactive domain,
inactive account, inconsistent account type, or access limit, you can see the cause of the failure
in authentication messages.
In case of RADIUS authentication, the service tracing function also outputs the information that
can help you locate the fault.
The failure may be caused by the RADIUS server, because the RADIUS server fails to respond
to the router. If you cannot judge the fault from the output, check the RADIUS server.
The key of PPPoE NCP negotiation is the IP address, and therefore NCP negotiation equals the
address negotiation..
If the user is still offline, it indicates that a fault has occurred on the accounting.The common
fault is "Start accounting fail."
NOTE
If the RADIUS accounting or HWTACACS accounting fails, the NE80E/40E stores the accounting data
locally and generates CDRs. When the accounting server recovers, the NE80E/40E sends the CDRs to the
accounting server. If the local storage space is full, while the accounting server does not recover, the
NE80E/40E discards the latter accounting data.
----End
Follow-up Procedure
If the fault persists, contact Huawei engineers.
Typical Networking
As shown in Figure 1-11, the layer-2 leased line user accesses the NE80E/40E through a LAN
switch.
I n t e r ne t
LAN
User Router
Switch
As shown in Figure 1-12, the layer-3 leased line user accesses the VLAN on an interface or sub-
interface of the NE80E/40E through a router.
I n t e rnet
L3
User Router
Switch
Troubleshooting Flowchart
A layer- 2 leased
line user cannot
go online
No
Sub-interface Configure the sub
Up? - interface to Up
Yes
BAS No
configuration Configure BAS
proper?
Yes
Domain Configure
configuration No authentication /
proper ? accounting /RADIUS
servers
Yes
Yes
No
IP address of Exclude the IP
static user address from
excluded ? address pool
Yes
Enable service
tracing
Fault No Technical
?
removed support
Yes
End
Configure an IP
No
Sub- interface Up? address for the
interface
Yes
BAS No
configuration Configure BAS
proper ?
Yes
Configure
Domain No
authentication /
configured properly ? accounting /RADIUS
servers
Yes
No
Technical
Fault removed ?
support
Yes
End
Troubleshooting Procedure
Procedure
Step 1 Run the display interface command to check whether the sub-interface of the leased line user
is Up.
Step 2 Run the display bas-interface command to check the BAS configuration on the interface. Make
sure that the leased line type is configured properly.
Step 3 Run the display domain command to check the configuration of the domain, including
authentication mode and accounting mode. Make sure that the NE80E/40E and the RADIUS
server can communicate with each other.
Step 4 Run the display domain command to check whether the address pool is configured in the domain
of the layer-2 leased line user.
Step 5 Check whether the IP address of the static user is excluded from the address pool.
Step 6 For the layer-3 leased line user, check the IP address of the interface, and the route of the user.
----End
Follow-up Procedure
If the fault persists, contact Huawei engineers.
Typical Networking
Figure 1-15 shows the typical networking of L3 users. The troubleshooting procedure is based
on this networking.
Internet
l The ordinary L3 user configures an IP address or obtains an IP address from the DHCP
server.
l The user accesses the Internet through the router, and the router should manage the user.
Troubleshooting Flowchart
No
Is the
physical status of No Rectify the fault on
the Layer 3 interface the interface
normal?
Yes
Yes
Enable service
tracking to locate the
fault
Yes
End
Troubleshooting Procedure
Procedure
Step 1 Check the record of login failure.
Run the display aaa online-fail-record command to check the record of login failure.
l The authentication fails. That is, the authentication packets cannot be sent or start-accounting
fails. Check the home domain of the L3 access user. The authentication mode and accounting
mode of the domain should be none authentication and none accounting.
l The Virtual Private Network(VPN) configuration is inconsistent. Check whether the
configuration of VPN instance in the domain is consistent with the VPN configuration on
the interface.
Run the display interface command to check the status of the physical interface. Check whether
the interface and the protocol are up and the packets are sent and received on the interface.
<HUAWEI> display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description : HUAWEI, GigabitEthernet1/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc87-f1b9
the Vendor PN is HFBR-5710L
Port BW:1G, Transceiver max BW:1G, Transceiver Modes: MutipleMode
WaveLength:850nm,Transmission Distance:550m
Loopback:none, full-duplex mode, negotiation: disable
Statistics last cleared:2006-09-15 17:50:54
Last 5 minutes input rate: 0 bits/sec, 0 Packets/sec
Last 5 minutes output rate: 0 bits/sec, 0 Packets/sec
Input: 0 Bytes, 0 Packets
Output: 0 Bytes, 0 Packets
Input:
Unicast : 0, Multicast : 0
Broadcast : 0, JumboOctets : 0
CRC : 0, Symbol : 0
Overrun : 0, InRangeLength : 0
LongPacket: 0, Jabber : 0, Alignment: 0
Fragment : 0, Undersized Frame: 0
RxPause : 0
Output:
Unicast : 0, Multicast : 0
Broadcast : 0, JumboOctets: 0
Lost : 0, Overflow : 0, Underrun: 0
TxPause : 0
For details, refer to section 1.3.4 Troubleshooting L3 Access Check whether the route in the
network segment of the L3 access user is added.
Perform service tracing based on the IP address of the user. Collect the tracing information to
locate the fault. For example, if "fail to get domain of layer3 user" is displayed in the tracing
information, check whether the VPN configuration of the user is consistent with the VPN
configuration on the interface.
----End
Follow-up Procedure
If the fault persists, contact Huawei technical personnel.
Typical Networking
802.1X access networking is similar to IPoE networking, IPoEoVLAN networking, and IPoEoQ
networking. The EAP packet can be encapsulated into an EAPoL packet on the Ethernet interface
of a PC. The EAPoL packet is then sent to the BRAS directly. Alternately, the EAPoL packet
can be attached with a VLAN tag by a LAN switch or be encapsulated through AAL5 by a
DSLAM before it arrives at the BRAS.
By decapsulating packets and identifying VLAN IDs of packets, the BRAS obtains physical
information about users, and user names and passwords. The BRAS then provides data for the
access authentication of users based on the obtained information.
Internet
subscriber BRAS
Internet
Internet
Troubleshooting Flowchart
802.1X
authentication
fails
EAPtermination
No configured?
Yes
User
RADIUS information
server correctly correctly
configured? Yes configured?
Seek
No technical No
support
Configure
user Is fault Yes
End
information rectified?
correctly
No
Seek
technical
support
Troubleshooting Procedure
Procedure
Step 1 Check that the BAS interface is correctly configured.
Enter the BAS interface view and then run the display this command to view the configuration.
l Check whether the access type is Layer 2 access and whether a VLAN is configured for a
sub-interface. No VLAN configuration is required for the access through a main interface.
l Check whether an authentication domain is configured and whether dot1x authentication is
adopted as the authentication method.
l If the configuration is correct, proceed to Step 2.
Enter the AAA view and then run the display this command to view the configuration about
the AAA domain.
l The domain must be bound to an address pool and the authentication, authorization, and
accounting templates.
l A RADIUS server group must be bound to the domain if RADIUS authentication is adopted.
l The dot1x-template must be bound to the domain.
l If the configuration is correct, proceed to Step 3.
Enter the view of the dot1x-template bound to the AAA domain from the system view, and then
run the display this command to view configurations of the dot1x-template.
Step 4 Check that user information is correctly configured on the authentication server.
l If termination authentication is adopted, check that user information is correctly configured
on the associated authentication server.
l If relay authentication is adopted, check that user information is correctly configured on the
RADIUS server that supports 802.1X authentication.
l If the configuration is correct, proceed to Step 5.
Step 5 Check that the NE80E/40E is correctly configured for user access.
l In the case of the wired access to the NE80E/40E, Web authentication and 802.1X
authentication cannot be configured on a BAS interface at the same time; EAP authentication
cannot be triggered by sending ARP, IP, or DHCP packets; users must pass the 802.1X
authentication before they can obtain IP addresses.
l In the case of the wireless access to the NE80E/40E, check whether WLAN is correctly
configured.
l If the configuration is correct whereas the fault persists, contact Huawei technical personnel.
----End
Common Causes
Troubleshooting Flowchart
The default user offline speed is 256 users per second on a BRAS. If users go offline at a speed
lower than 256 users per second, the user offline speed is low. To monitor the user offline speed,
run the display access-user online-total-number command repeatedly.
Figure 1-21 Troubleshooting flowchart for the problem that users go offline at low speed
Contact Huawei
technical support End
personnel.
Troubleshooting Procedure
Before you perform the following steps, run the display aaa configuration command to check
whether a smaller value is configured for the user offline speed. The default user offline speed
is 256 users per second.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the current user offline speed.
Run the display access-user online-total-number command repeatedly to estimate the current
user offline speed.
l If the user offline speed is about 256 users per second, the users go offline at a normal
speed.
l If the user offline speed is far less than 256 users per second, the users go offline at a low
speed. Go to step 2.
Step 2 Check whether a limit is configured for the user offline speed.
Run the display aaa configuration command in the user view to check the user offline speed
configured on the device.
l If the configured user offline speed is less than 256 users per second, go to Step 3.
l If the configured user offline speed is 256 users per second, go to Step 4.
Step 4 Collect the following information and contact Huawei technical support personnel.
l Result of the preceding procedure
l Trap, log, and configuration information
----End
Relevant Alarms
None
Relevant Logs
None
Common Causes
Troubleshooting Flowchart
When the NE80E/40E functions as a BRAS, EAP-PEAP and EAP-SIM/AKA users cannot go
online.
The troubleshooting roadmap is as follows:
l Check whether the AC group is correctly configured globally.
l Check whether the BAS interface is enabled to send PMK to the specified AC.
l Check whether the configuration of the other devices on the link is correct.
l Check whether the physical link is faulty.
Figure 1-22 shows the troubleshooting flowchart.
Figure 1-22 Troubleshooting flowchart for the problem that EAP-PEAP and EAP-SIM/AKA
users cannot go online
EAP-PEAP and EAP-
SIM/AKA users cannot
go online.
No
Yes
Yes No
The
configurations No Configure the other Yes
of other devices The fault is rectified.
devices correctly.
are correct.
Yes No
No
Yes
Contact Huawei
technical support End
personnel.
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check whether the AC group is correctly configured globally.
Run the display current-configuration | include ac-group command to check whether the AC
group is correctly configured globally.
Step 2 Check whether the BAS interface is enabled to send PMK to the specified AC.
l If no information is displayed, the BAS interface is disabled from sending PMK to the
specified AC. Run the authorization-pmk-send ac-group group-name command in the
BAS interface view to enable the BAS interface to send PMK to the specified AC. The
group-name parameter must be the same as that in the ac-group group-name command.
l If information is displayed, check whether the group-name parameter is the same as that
in the ac-group group-name command.
– If this parameter is different, run the authorization-pmk-send ac-group group-name
command in the BAS interface view to reconfigure it.
– If this parameter is the same, go to Step 3.
Step 3 Check whether the configuration of the other devices on the link is correct.
Check whether the configurations are correct based on the manuals of the related devices. If the
configurations are incorrect, modify the relevant configurations. If the CPE client traffic still
cannot be forwarded, go to Step 4.
Step 5 Collect the following information and contact Huawei technical support personnel.
----End
Relevant Alarms
None
Relevant Logs
None
1.4 IPv6
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
when the NE80E/40E is configured with IPoE stateful PD.
Figure 1-23 Troubleshooting flowchart for the fault that the user cannot get online in the case
of IPoE stateful PD
The stateful PD
user cannot get
online
No Yes
The IPv6 function is Globally enable
Is fault rectified?
globally enabled? the IPv6 function
Yes No
No Yes
s the DUID function Globally enable
Is fault rectified?
globally enabled? the DUID function
Yes No
No
Yes
No Yes
The IPv6 protocol Ensure that the
is up on the user- IPv6 protocol is up Is fault rectified?
side interface? on the interface
Yes No
No Yes
Configure the M/O Configure the M/O
vaule on the interface vaule on the Is fault rectified?
interface
Yes No
No Yes
Bind authentication has Configure bind
been configured on the Is fault rectified?
user-side interface with authentication
the BAS?
No
Yes
No Yes
Are the local address Correctly configure
pool and the delegation Is fault rectified?
address pools
address pool
configured?
Issue 02 (2014-09-30) Yes
Huawei Proprietary and Confidential 68
No
Copyright © Huawei Technologies Co., Ltd.
No Yes
HUAWEI NetEngine80E/40E Router
Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display this command in the system view to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
in the system view.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Run the display this command in the system view to check whether the DUID function is
enabled. The DUID function is disabled by default.
l If dhcpv6 duid is not displayed, the DUID function is disabled. Run the dhcpv6 duidduid-
value command in the system view to enable the DUID function.
l If dhcpv6 duid is displayed, go to step 3.
Run the display this ipv6 interface command in the user-side interface view to check whether
the interface is physically Up.
l If current state is down, the physical link is faulty. Remove the link fault.
l If current state is up, the physical link is working properly. Go to step 4.
Run the display this ipv6 interface command in the user-side interface view to check whether
the IPv6 protocol is Up.
l If IPv6 protocol current state is down, check whether the configured link-local address
conflicts with that of the peer device.
l If IPv6 protocol current state is up, go to step 5.
Step 5 Check that the M/O value has been correctly configured on the user-side interface. That is, check
what the ipv6 nd autoconfig managed-address-flag or ipv6 nd autoconfig other-flag
command is displayed.
Run the display this command in the user-side interface view to check whether the M/O value
has been configured.
Step 6 Check that bind authentication has been configured on the user-side interface with the BAS.
Run the display this command on the user-side interface with the BAS to check whether bind
authentication has been configured.
Run the display ipv6 pool [ pool-name ] command in the system view to check whether a local
address pool and a delegation address pool already associated with prefix pools have been
configured.
l If one of the two address pools is missing, refer to the configuration manual to properly
configure the address pool.
l If both address pools have been configured, go to step 8.
Step 8 Check that the authentication domain has been correctly configured.
Run the display this command in the AAA domain view to check whether the authentication
domain has been correctly configured.
l If the local address pool or the delegation pool is not configured, run the ipv6-pool pool-
name command to configure the pool.
l If the configuration is correct, go to step 9.
Step 9 Check that there are assignable IPv6 addresses in the address pool.
Run the display ipv6 prefix prefix-name command in the system view to view the Free Prefix
Count field. This field displays the number of assignable addresses in the prefix pool.
Step 10 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure.
l Configuration files, log files, and alarm files of the devices.
----End
Relevant Alarms
None.
Relevant Logs
None.
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
when the NE80E/40E is configured with IPoE stateless PD.
Figure 1-24 Troubleshooting flowchart for the fault that the user cannot get online in the case
of IPoE stateless PD
The stateless PD
user cannot get
online
No Yes
Globally
The IPv6 function is enable the Is fault rectified?
globally enabled? IPv6 function
Yes No
No Yes
Is the DUID function Globally enable
Is fault rectified?
globally enabled? the DUID function
Yes No
No
Yes
No
Yes
No Yes
Bind authentication
has been configured Configure bind
Is fault rectified?
on the user-side authentication
interface with the
BAS?
No
Yes
No
Yes
Yes
No
Yes No
HUAWEI NetEngine80E/40E Router
Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display this command in the system view to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
to enable the IPv6 function in the system view.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Run the display this command in the system view to check whether the DUID function is
enabled. The DUID function is disabled by default.
l If dhcpv6 duid is not displayed, the DUID function is disabled. Run the dhcpv6 duidduid-
value command in the system view to enable the DUID function.
l If dhcpv6 duid is displayed, go to step 3.
Run the display this ipv6 interface command in the user-side interface view to check whether
the interface is physically Up.
l If current state is down, the physical link is faulty. Remove the link fault.
l If current state is up, the physical link is working properly. Go to step 4.
Run the display this ipv6 interface command in the user-side interface view to check whether
the IPv6 protocol is Up.
l If IPv6 protocol current state is down, check whether the configured link-local address
conflicts with that of the peer device.
l If IPv6 protocol current state is up, go to step 5.
Step 5 Check that bind authentication has been configured on the user-side interface with the BAS.
Run the display this command on the user-side interface with the BAS to check whether bind
authentication has been configured.
Step 6 Check that a correct ND-unshared prefix pool has been configured.
Run the display ipv6 prefix [ prefix-name [ all | used ] ] command in the system view to check
whether a correct ND-unshared prefix pool has been configured.
Run the display ipv6 pool [ pool-name ] command in the system view to check whether a correct
PD prefix pool has been configured.
l If pd-unshare-only is FALSE, run the pd-unshare-only command in the address pool view
to correct the configuration.
l If pd-unshare-only is TRUE, go to step 8.
Step 8 Check that the authentication domain has been correctly configured.
Run the display this command in the AAA domain view to check whether the authentication
domain has been correctly configured.
Step 9 Check that there are assignable IPv6 addresses in the address pool.
Run the display ipv6 prefixprefix-name command in the system view to view the Free Prefix
Count field. This field displays the number of assignable addresses in the prefix pool.
Step 10 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
1.4.3 User Cannot Get Online in IPv6 IPoE Stateful Access Mode
with a DSLAM Serving as the LDRA
A digital subscriber line access multiplexer (DSLAM) can serve as a layer 2 (L2) forwarding
device capable of handling DHCPv6 relay packets to encapsulate device information in the
header of a DHCPv6 relay packet to be sent to the server. This section describes the
troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault
that the user cannot get online or the user's access status type is incorrect when the NE80E/
40E is configured with IPv6 stateful access and a DSLAM serves as the LDRA.
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
when the NE80E/40E is configured with IPv6 IPOE stateful access.
Figure 1-25 Troubleshooting flowchart for the fault that the user cannot get online or the address
allocation mode is incorrect in the case of IPv6 IPOE stateful access
Yes No
No
Yes
No
Yes
No
Yes
No
Yes
End
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display this command in the system view to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
in the system view.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Step 2 Check that the DHCPv6 DUID generation mode is globally enabled.
Run the display this command in the system view to check whether the DHCPv6 DUID function
is globally enabled.
l If dhcpv6 duid is not displayed, run the dhcpv6 duid llt command in the system view.
l If dhcpv6 duid is displayed, go to step 3.
Step 3 Check that an IPv6 address pool has been correctly configured.
Run the display this command in the AAA domain view to check whether a correct IPv6 address
pool has been configured.
l If the configured IPv6 address pool is incorrect, configure a correct IPv6 address pool in the
AAA domain.
l If the IPv6 address pool has been correctly configured, go to step 4.
Step 4 Check that bind authentication has been configured on the user-side interface.
Run the display this command in the user-side interface view to check whether bind
authentication has been configured. That is, check whether authentication-method-ipv6
bind is displayed.
Step 5 Check that the address allocation mode has been configured in the domain view.
Run the display access-user user-iduser-id [ verbose ] command after the user gets online. If
the command output indicates that the user address is not obtained using DHCP, enter the user-
side interface view and run the display this command to check whether the address allocation
mode has been configured. If the ipv6 nd autoconfig managed-address-flag command is
displayed, the address allocation mode has been configured.
l If the address allocation mode is not configured, run the ipv6 nd autoconfig managed-
address-flag command in the user-side interface view to configure the address allocation
mode.
Step 6 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
in DHCPv6 remote address pool mode through the NE80E/40E.
l Check that the remote address pool has been correctly configured.
l Check that the remote server has been correctly configured.
l Check that bind authentication has been configured on the user-side interface.
l Check that the address allocation mode has been correctly configured on the user-side
interface.
Figure 1-26 Troubleshooting flowchart for the fault that the user cannot get online in DHCPv6
remote address pool mode
Addresses cannot be
obtained from the DHCPv6
remote address pool
No Yes
The IPv6 function is Globally enable
Is fault rectified?
globally enabled? the IPv6 function
Yes No
No Yes
The DHCPv6 DUID Globally enable
function is globally the DHCPv6 Is fault rectified?
enabled? DUID function
Yes
No
Yes No
No Yes
The remote server Correctly
has been correctly configure the Is fault rectified?
configured? remote server
Yes No
No Yes
Bind configuration
Configure bind
has been configured Is fault rectified?
configuration
on the user-side
interface
No
Yes
Yes
The M value has No
Correctly
been correctly
configured on configure the M Is fault rectified?
the user-side value
interface
Yes
No
Contact Huaweri
technical support End
engineers
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display current-configuration command to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
in the system view to enable the IPv6 function.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Run the display this command to check whether the DHCPv6 DUID function is globally
enabled.
l If dhcpv6 duid is not displayed, run the dhcpv6 duid { duid-value | llt } command in the
system view.
l If dhcpv6 duid is displayed, go to step 3.
Step 3 Check that the remote address pool has been correctly configured.
Verify that a remote prefix pool is configured. Run the display this command in the remote
prefix pool view to check whether a correct link address has been configured.
Step 4 Check that the remote server has been correctly configured.
Run the display dhcpv6-server group group-name command in the system view to check the
status of the remote server.
l If the remote server is not Up, correctly configure the remote server group and associate the
group with the remote address pool.
l If the remote server is Up, go to step 5.
Step 5 Check that bind authentication has been configured on the user-side interface.
Run the display this command in the user-side interface view to check whether bind
authentication has been configured. If the authentication-method-ipv6 bind command is
displayed, bind authentication has been configured.
Step 6 Check that the M value has been correctly configured on the interface.
Run the display this command in the user-side interface view to check whether the address
allocation mode has been configured. If the ipv6 nd autoconfig managed-address-flag
command is displayed, the address allocation mode has been configured.
l If the address allocation mode is not configured, run the ipv6 nd autoconfig managed-
address-flag command to configure the address allocation mode in the user-side interface
view.
l If the address allocation mode has been configured, go to step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Typical Networking
Figure 1-27 shows the typical networking of PPPoE access. PPPoE access troubleshooting is
based on this networking.
l The user is connected to the NE80E/40E through a Layer 2 network, and the user gets online
by dialing in through PPP.
l The NE80E/40E is connected to the RADIUS server to implement authentication and
accounting for users.
l The NE80E/40E is connected to an IPv6 DNS server.
The user accesses the NE80E/40E through PPPoE. The NE80E/40E assigns an IPv6 address to
the user and manages the user.
Troubleshooting Flowchart
On the network shown in Typical Networking, a user accesses the router through PPPoE;
however, the user cannot obtain an IPv6 address and therefore fails to get online. You can locate
the fault based on the following troubleshooting flowchart.
Does the
No Check the Yes
physical connection
physical connection Is fault
between the client and the
between the client and rectified?
server work
the server
normally?
Yes No
Yes No
Is the prefix
No Configure a prefix
pool configured Yes
address and configure Is fault
and Is a prefix address
a prefix address for rectified?
configured for
the pool
the pool?
No
Yes
Is an
No Configure an address Yes
address pool Is fault
pool and bind some
configured and some rectified?
addresses to the
addresses bound to this
address pool
address pool?
No
Yes
Yes No
Does
the address No Configure a new Yes
pool have an available address pool, prefix Is fault
address to be allocated pool, and prefix rectified?
to the client? addressed
Yes No
Troubleshooting Procedure
Procedure
Step 1 Check that the physical connection between the client and server works properly.
Check whether the client and server can ping through each other. If they can ping through each
other, the physical connection between them works properly. If they fail to ping through each
other, rectify the fault on the physical connection, and then check whether the problem persists.
If the problem persists, go to Step 2.
Step 2 Check that the configuration of the interface connecting the server to the client is correct.
Run the display this command in the interface view to check whether the configuration of the
interface is correct. For the correct interface configuration, refer to the chapter "Configuring the
IPv6 Access Service" in the Configuration Guide - BRAS.
l If the interface configuration is incorrect, modify the interface configuration to be correct.
For details, refer to the chapter "Configuring the IPv6 Access Service" in the Configuration
Guide - BRAS.
l If the interface configuration is correct, go to Step 3.
Run the display ipv6 prefix command in the system view to check whether an IPv6 prefix pool
is configured.
l If there is no IPv6 prefix pool, run the ipv6 prefix prefix-name local command to create the
local prefix pool, enter the prefix pool view, and then run the prefix prefix-address prefix-
length command to configure an IPv6 prefix address.
l If there is an IPv6 prefix pool, run the ipv6 prefix prefix-name command to enter the prefix
pool view, and then run the display this command to check whether an IPv6 prefix address
is configured in this prefix pool. If no IPv6 prefix address is configured in this prefix pool,
run the prefix prefix-address prefix-length command to configure an IPv6 prefix address.
Run the display ipv6 pool command in the system view to check whether an IPv6 address pool
is configured.
l If there is no IPv6 address pool, run the ipv6 pool pool-name bas local command to create
the local address pool, enter the address pool view, and then run the prefix prefix-name
command to bind the prefix pool in Step 3 to this address pool.
l If there is an IPv6 address pool, run the ipv6 pool pool-name command to enter the address
pool view, and then run the display this command to check whether this address pool is
bound to the prefix pool in Step 3. If they are not bound, run the prefix prefix-name command
to bind the prefix pool in Step 3 to this address pool.
Step 5 Check that the user domain is bound to the IPv6 address pool.
Run the display this command in the AAA view to check whether the user domain is bound to
an IPv6 address pool.
l If the user domain is not bound to the IPv6 address pool, run the ipv6-pool pool-name
command in the domain view to bind the user domain to the IPv6 address pool.
l If the user domain is bound to the IPv6 address pool, go to Step 6.
Step 6 Check that there are assignable IPv6 addresses in the address pool.
Run the display ipv6 prefix prefix-name all command in the system view to check whether the
number of online users in the prefix pool reaches 1024.
l If the value of the Online-user field is displayed as 1024, there are no assignable addresses
in this prefix pool. In this case, configure a new prefix pool and a new address pool and then
bind the new address pool to the user domain.
l If the value of the Online-user field is less than 1024, there are assignable addresses in this
prefix pool.
If the client still cannot obtain an IPv6 address, contact Huawei technical personnel.
Step 7 Check that the system is not suppressed from advertising RA messages.
Run the display this command in the AAA domain view to check whether the router is
suppressed from sending RA messages in the user domain.
If the client needs to obtain IPv6 addresses using stateless address autoconfiguration, the router
cannot be suppressed from sending RA messages. If the router is not suppressed from sending
RA messages and the client still cannot obtain an IPv6 address, contact Huawei technical support
personnel.
----End
1.4.6 User Cannot Get Online or the User's Access Type Is Incorrect
in the Case of PPPoE IPv6 Stateful Access
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the user cannot get online or the user's access type is incorrect when
the NE80E/40E is configured with PPPoE IPv6 stateful access.
Common Causes
Troubleshooting Flowchart
The user information indicates that the user cannot get online when the NE80E/40E is configured
with PPPoE IPv6 stateful access.
Figure 1-29 Troubleshooting flowchart for the fault that the user cannot get online or the address
allocation mode is incorrect in the case of IPv6 PPPoE stateful access
The user cannot get
online in the case of
PPPoE IPv6 stateful
access
No
The IPv6 function is Globally enable the Yes
Is fault rectified?
globally enabled? IPv6 function
No
Yes
No Yes
The DUID function is Globally enable the
Is fault rectified?
globally enabled? DUID function
No
Yes
No
Yes
The IPv6 address pool has Correctly configure
Is fault rectified?
been correctly configured? the IPv6 address pool
No
Yes
No Yes
The M value has been Configure the M value
Is fault rectified?
configured in the and stateful access
domain view?
No
Yes
Seek technical
support End
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display current-configuration command to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
in the system view to enable the IPv6 function.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Step 2 Check that the DHCPv6 DUID function is globally enabled.
Run the display current-configuration command to check whether the DHCPv6 DUID
function is globally enabled.
l If dhcpv6 duid is not displayed, run the dhcpv6 duid llt command in the system view.
l If dhcpv6 duid is displayed, go to step 3.
Step 3 Check that the IPv6 address pool has been correctly configured.
Run the display this command in the authentication domain view to check whether a correct
IPv6 address pool has been configured.
l If the configured IPv6 address pool is incorrect, configure a correct IPv6 address pool in the
authentication domain view.
l If the IPv6 address pool has been correctly configured, go to step 4.
Step 4 Check that the authentication mode has been set to PPP on the BAS interface.
Run the display this command on the user access interface to check whether the authentication
mode has been set to PPP on the interface with the BAS.
l If the authentication mode is not ppp, run the authentication-method-ipv6 ppp command
on the interface with the BAS to change the authentication mode to PPP.
l If authentication-method-ipv6 is not displayed, the authentication mode is PPP by default.
Go to step 5.
Step 5 Check that the address allocation mode has been configured in the domain view.
If the user properly gets online, run the display access-user user-id user-id command. If the
display information indicates that the way to obtain the user address is incorrect, check whether
the address allocation mode has been configured in the domain view. If the ipv6 nd autoconfig
managed-address-flag command is displayed, the address allocation mode has been
configured.
l If the address allocation mode is not configured, run relevant commands to correctly
configure it.
l If the address allocation mode has been configured, go to step 6.
Step 6 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Typical Networking
Figure 1-30 shows the typical networking of ND access. ND access troubleshooting is based
on this networking.
The user accesses the NE80E/40E in ND mode. The NE80E/40E assigns an IPv6 prefix to the
user and manages the user.
Troubleshooting Flowchart
On the network shown in Typical Networking, after a local address pool is configured, the user
cannot obtain an IPv6 address and therefore fails to get online. You can locate the fault based
on the following troubleshooting flowchart.
Yes No
No
Yes
No
Is the IPv6 address Bind the IPv6 address Yes
Is fault rectified?
pool bound to the user pool to the user domain
domain?
Yes No
Troubleshooting Procedure
Procedure
Step 1 Check that the physical connection between the client and server works properly.
Check whether the client and server can ping through each other. If they can ping through each
other, it indicates that the physical connection between them works properly. If they fail to ping
through each other, you need to rectify the fault on the physical connection, and then check
whether the problem persists. If the problem persists, go to Step 2.
Step 2 Check that the configuration of the interface connecting the server to the client is correct.
Run the display this command in the interface view to check whether the configuration of the
interface is correct. For the correct interface configuration, refer to the chapter "Configuring the
IPv6 Access Service" in the Configuration Guide - BRAS.
l If the interface configuration is incorrect, you need to modify the interface configuration to
be correct. For details, refer to the chapter "Configuring the IPv6 Access Service" in the
Configuration Guide - BRAS.
l If the interface configuration is correct, go to Step 3.
Run the display ipv6 prefix command in the system view to check whether an IPv6 prefix pool
is configured.
l If there is no IPv6 prefix pool, run the ipv6 prefix prefix-name delegation command to create
a delegation prefix pool, enter the prefix pool view, and then run the prefix prefix-address
delegating-prefix-length command to configure an IPv6 prefix address.
l If there is an IPv6 prefix pool, run the ipv6 prefix prefix-name command to enter the prefix
pool view, and then run the display this command to check whether an IPv6 prefix address
is configured in this prefix pool. If no IPv6 prefix address is configured in this prefix pool,
run the prefix prefix-address delegating-prefix-length command to configure an IPv6 prefix
address.
Run the display this command to view configurations. Check whether the slaac-unshare-
only command is displayed. If the command is not displayed, run the slaac-unshare-only
command.
Run the display ipv6 pool command in the system view to check whether an IPv6 address pool
is configured.
l If there is no IPv6 address pool, run the ipv6 pool pool-name bas delegation command to
create the delegation address pool, enter the address pool view, and then run the prefix prefix-
name command to bind the prefix pool in Step 3 to this address pool.
l If there is an IPv6 address pool, run the ipv6 pool pool-name command to enter the address
pool view, and then run the display this command to check whether this address pool is
bound to the prefix pool in Step 3. If they are not bound, run the prefix prefix-name command
to bind the prefix pool in Step 3 to this address pool.
Step 5 Check that the user domain is bound to an IPv6 address pool.
Run the display this command in the AAA view to check whether the user domain is bound to
an IPv6 address pool.
l If the user domain is not bound to the IPv6 address pool, run the ipv6-pool pool-name
command in the domain view to bind the user domain to the IPv6 address pool.
l If the user domain is bound to the IPv6 address pool, go to Step 6.
Step 6 Check that there are assignable IPv6 addresses in the address pool.
Run the display ipv6 prefix prefix-name used command in the system view to check whether
the number of assignable IPv6 prefixes is 0.
l If the value of the Free Prefix Count field is displayed as 0, there is no assignable address in
this prefix pool. In this case, configure a new prefix pool and a new address pool and then
bind the new address pool to the domain to which the client belongs.
l If the value of the Free Prefix Count field is not displayed as 0, there are assignable addresses.
If the client still cannot obtain an IPv6 address, contact Huawei technical personnel.
----End
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
when the NE80E/40E is configured with ND-unshared access.
l Check that bind authentication has been configured on the interface with the BAS.
l Check that a correct prefix pool has been configured.
l Check that the unshared mode of prefix assignment has been configured in the domain
view.
Figure 1-32 Troubleshooting flowchart for the fault that the ND-unshared user cannot get online
The ND-unshared
user cannot get
online
Yes
No
The IPv6 function is Globally enable
Is fault rectified?
globally enabled? the IPv6 function
Yes No
Yes
No
Yes No
Yes No
Yes
Bind authentication No
has been configured Configure bind
on the user-side Is fault rectified?
authentication
interface with the
BAS?
No
Yes
Yes No
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display this command in the system view to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
in the system view.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Run the display this interface command in the user-side interface view to check whether the
interface is physically Up.
l If current state is down, the physical link is faulty. Remove the link fault.
l If current state is up, the physical link is working properly. Go to step 3.
Run the display this ipv6 interface command in the user-side interface view to check whether
the IPv6 protocol is Up.
l If IPv6 protocol current state is down, check whether the configured link-local address
conflicts with that of the peer device.
l If IPv6 protocol current state is up, go to step 4.
Step 4 Check that the M/O value is disabled on the user-side interface.
Run the display this command in the user-side interface view to check whether the M/O value
is configured. If ipv6 nd autoconfig managed-address-flag or ipv6 nd autoconfig other-
flag is displayed, the M/O value is configured.
Step 5 Check that bind authentication has been configured on the user-side interface with the BAS.
Run the display this command on the user-side interface with the BAS to check whether bind
authentication has been configured.
Run the display ipv6 prefix [ prefix-name [ all | used ] ] command in the system view to check
whether a correct prefix pool has been configured.
Step 7 Check that the unshared mode of prefix assignment has been configured in the authentication
domain view.
Run the display this command in the AAA domain view to check whether the authentication
domain has been correctly configured.
Step 8 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
when the NE80E/40E is configured with QinQ and as a network-side relay agent.
l Check that QinQ has been correctly configured on the inbound interface of the relay agent.
l Check that a correct IPv6 global unicast address has been configured for the inbound
interface of the relay agent.
l Check that an outbound interface has been configured for the inbound interface of the relay
agent.
l Check that the address allocation mode has been configured.
l Check that the IPv6 address configured for the outbound interface of the relay agent and
that configured for the BAS interface of the directly-connected server are within the same
network segment.
l Check that an IPv6 relay address pool has been configured on the server.
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display this command in the system view to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Configure the ipv6 function
in the system view.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Step 2 Check that the inbound interface of the relay agent is physically up.
Run the display this interface command in the inbound interface view of the IPv6 relay agent
to check whether the interface is physically up.
l If current state is down, the physical link is faulty. Remove the link fault.
l If current state is up, the physical link is working properly. Go to step 3.
Step 3 Check that QinQ has been configured on the inbound interface of the relay agent.
If users are Layer 3 users, configure the termination mode. Run the mode user-termination
command on a main interface, and run the control-vid vid qinq-termination command on its
sub-interface.
Run the display this command in the inbound interface view of the relay agent to check whether
QinQ has been correctly configured. That is, check whether qinq termination pe-vid pe-vid
ce-vid { low-ce-vid [ to high-ce-vid ] } [ sub-group groupname ] is displayed.
l If QinQ is incorrectly configured on the interface, run relevant commands to correctly
configure QinQ.
l If QinQ is correctly configured, go to step 4.
Step 4 Check that a correct IPv6 address has been configured for the inbound interface of the relay
agent.
Run the display this command in the inbound interface view of the relay agent to check whether
a correct IPv6 global unicast address has been configured. That is, check whether ipv6 address
{ ipv6-address prefix-length | ipv6-address/prefix-length } is displayed.
l If the IPv6 global unicast address is not configured, run relevant commands to configure a
correct IPv6 global unicast address.
l If a correct IPv6 address has been configured, go to step 5.
Step 5 Check that an outbound interface has been configured for the inbound interface of the relay
agent.
Run the display this command in the inbound interface view of the relay agent to check whether
an outbound interface has been configured for the relay agent. That is, check whether dhcpv6
relay interface is displayed.
l If the outbound interface of the relay agent is not configured, run relevant commands to
configure the outbound interface.
l If the outbound interface of the relay agent has been configured, go to step 6.
Step 6 Check that the address allocation mode has been configured on both the inbound interface and
the outbound interface of the relay agent.
Run the display this command in the inbound interface view and outbound interface view of
the relay agent to check whether the address allocation mode has been configured. If ipv6 nd
autoconfig managed-address-flag is displayed, the address allocation mode is configured.
l If the address allocation mode is not configured, run relevant commands to configure the
mode.
l If the address allocation mode has been configured, go to step 7.
Step 7 Check that the IPv6 address configured for the outbound interface of the relay agent and that
configured for the inbound interface of the directly-connected server are within the same network
segment.
Run the display this command in the outbound interface view of the relay agent to check whether
the IPv6 address configured for the outbound interface of the relay agent and that configured
for the inbound interface of the directly-connected server are within the same network segment.
l If the two addresses are not within the same network segment, reconfigure them so that they
are within the same network segment.
l If the two addresses are within the same network segment, go to step 8.
Step 8 Check that layer 3 access has been configured on the BAS interface of the server.
Run the display this command on the BAS interface view of the server to check whether L3
access has been configured on the BAS interface of the server.
l If L3 access is not configured on the BAS interface of the server, configure L3 access for the
BAS interface. For details, refer to the configuration manual.
l If L3 access has been configured on the BAS interface of the server, go to step 10.
Step 9 Check that a relay address pool has been configured on the server.
Run the display ipv6 pool [ pool-name ] command on the system view of the server to check
whether a relay address pool has been configured.
l If the relay address pool is not configured, configure an IPv6 address pool of the relay type.
l If the relay address pool has been configured, go to step 11.
Step 10 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Common Causes
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that the user cannot get online
when the NE80E/40E is configured with Layer 3 leased line access.
l Check that the physical connection of the interface configured with the Layer 3 leased line
service is normal. If the interface is a trunk interface, check that the member interfaces of
the trunk interface are normal.
l Check that an IPv6 address has been correctly configured on the user access interface.
l Check that the IPv6 function is globally enabled in the system view.
l Check that correct Layer 3 leased line user information has been configured on the interface
with the BAS.
Figure 1-33 Troubleshooting flowchart for the fault that the user cannot get online in the case
of IPv6 Layer 3 leased line access
No
The IPv6 function is The IPv6 function is Yes
Is fault rectified?
globally enabled? globally enabled?
No
Yes
No
Yes
No Yes
A correct IPv6 address Correctly configure the
Is fault rectified?
has been configured? IPv6 address
No
Yes
No
Yes
No
Yes
No Yes
The authentication domain has Correctly specify the
Is fault rectified?
been specified? authentication domain
Yes
No
Seek technical
support
End
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv6 function is globally enabled.
Run the display current-configuration command to check whether the IPv6 function is globally
enabled. The IPv6 function is disabled by default.
l If ipv6 is not displayed, the IPv6 function is not globally enabled. Run the ipv6 command
in the system view to enable the IPv6 function.
l If ipv6 is displayed, the IPv6 function is globally enabled. Go to step 2.
Step 2 Check that the user-side interface is physically Up.
Run the display this interface command on the interface configured with the IPv6 Layer 3
leased line service to check whether the interface is physically Up.
l If current state is down, the physical link is faulty. Remove the link fault.
l If current state is up, the physical link is working properly. Go to step 3.
Step 3 Check that the IPv6 address has been correctly configured.
Run the display this command on the interface configured with the IPv6 Layer 3 leased line
service to check whether a correct IPv6 global unicast address has been configured.
l If the global unicast IPv6 address is not configured, run relevant commands to configure a
correct IPv6 global unicast address.
l If a correct IPv6 global unicast address has been configured, go to step 4.
Step 4 Check that the user name and password in Layer 3 leased line configuration information are
correct.
Run the display this command on the interface configured with the IPv6 Layer 3 leased line
service to check whether the user name and password in IPv6 Layer 3 leased line configuration
information are consistent with the plan.
l If the user name and password are inconsistent with the plan, run the access-type layer3-
leased-line user-name uname password { cipher | simple } password [ default-domain
authentication dname ] command to correct the configuration information about the user
name and password of the leased line user.
l If the user name and password are consistent with the plan, go to step 5.
Step 5 Check that the authentication domain has been correctly configured.
Run the display this command on the interface configured with the IPv6 Layer 3 leased line
service to check whether the configured authentication domain is correct.
l If the authentication domain is incorrectly configured, run the undo access-type to delete
the Layer 3 leased line user, and then run the access-type layer3-leased-line user-name
uname password { cipher | simple } password [ default-domain authentication dname ]
command to reconfigure the authentication domain for the Layer 3 leased line user.
l If the authentication domain has been correctly configured, go to step 6.
Step 6 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Common Causes
l The source address of the packet from the user is not the configured static user address.
l The address of the PD access user does not match the PD prefix configured for static users.
l For an L2 static user, if detect is configured, the NE80E/40E will initiate an NS packet,
and the user will return an NA packet in the normal case. The user, however, may fail to
get online or may fail to return the NA packet for reasons such as line faults or firewall
protection, causing a probe failure.
l If the access user is an L2 static user, the L2 information about the user, such as the source
MAC address and VLAN ID, is different from the L2 information configured through the
command line.
l The user access interface is not the interface configured for static users.
l The ARP/ND Trigger is not configured or does not act when the NE80E/40E needs to
initiate an ND packet to trigger user access; or the IPv4/v6 Trigger is not configured or
does not act when NE80E/40E needs to initiate an IPv4/IPv6 packet to trigger user access.
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that a Layer 2 or Layer 3 static
user cannot get online through IPv4/IPv6 or ND packet triggering.
l Check that the source address of the request packet from the IPv6 or PD user is consistent
with the configured static user address or PD prefix.
l If the user to get online is a Layer 2 static user, check that the Layer 2 information about
the user, such as the source MAC address and VLAN ID, is consistent with the Layer 2
information configured through the command line.
l Check that the user access interface is the interface configured for static users.
l Check that ARP/ND Trigger or IPv4/v6 Trigger has been configured.
l Check that the detect keyword has been configured in the buildrun information about static
users.
Figure 1-34 Troubleshooting flowchart for the fault that a Layer 2 static user cannot get online
No
Yes
No
Yes
No
Yes
No
Yes
No Correctly configure
Are ND Trigger and IPv6 Yes
them against the Is fault rectified?
Trigger correctly configured?
configuration manual
No
Yes
No Yes
The detect keyword has been Correctly configure
Is fault rectified?
configured? the detect keyword
No
Yes
Issue 02 (2014-09-30) Huawei Proprietary and Confidential 106
Copyright © Huawei Technologies Co., Ltd.
Seek technical
End
support
HUAWEI NetEngine80E/40E Router
Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the source address of the request packet from the IPv6 or PD user is the IPv6 address
or PD prefix configured for the static user.
l If the IPv6 address or PD prefix is not configured, run relevant commands to correctly
configure the IPv6 address or PD prefix.
l If the IPv6 address or PD prefix has been configured, go to step 2.
Step 2 Check that the Layer 2 information about the access user matches the Layer 2 information
configured for static users.
Run the display this command in the system view of the HUAWEI NetEngine80E/40E to check
buildrun information about static users and the user's Layer 2 information, including whether
the source MAC address and VLAN ID configured for the user are correct.
NOTE
The Layer 2 information is optional. If configured, however, it must match the user's configuration
information.
l If the Layer 2 information about static users does not match the user's Layer 2 information,
run the undo static-user { start-ip-address [ end-ip-address ]| start-ipv6-address [ end-ipv6-
address ] | [ delegation-prefixstart-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] } [ vpn-
instanceinstance-name ] command to cancel the configuration, and then configure correct
static user information.
l If the Layer 2 information about static users matches the user's Layer 2 information, go to
step 3.
Step 3 Check that the address pools, authentication scheme, and accounting scheme have been correctly
configured in the domain view.
Run the aaa command in the system view to enter the AAA view, and then run the display
this command to check configuration information about the domain to which the access user
belongs.
Step 4 Check that the authentication mode configured on the interface with the BAS is correct.
Enter the user access interface, and then run the display this command to check whether the
authentication mode configured on the interface with the BAS is bind authentication.
Step 5 Check that ND Trigger and IPV6 Trigger have been correctly configured.
Enter the user access interface, and then run the display this command to check whether the
BAS interface configuration information is correct. That is, whether access-typelayer2-
subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-
authenticationpredname ] } | bas-interface-namebname | accounting-copyRADIUS-
serverrd-name ]* and authentication-method-ipv6 bind is displayed. Ensure that at least one
of ND Trigger and IPV6 Trigger has been configured.
l If ND Trigger and IPV6 Trigger are not configured, run relevant commands to correctly
configure them.
l If the configuration is correct, go to step 6.
Step 6 Check that the detect keyword has been configured through the command line.
Enter the system view, and then run the display this command to check whether the detect
keyword has been configured in the buildrun information about static users.
l If the detect keyword is not configured, run the undo static-user { start-ip-address [ end-
ip-address ]| start-ipv6-address [ end-ipv6-address ] | [ delegation-prefixstart-ipv6-prefix
[ end-ipv6-prefix ] prefix-length ] } [ vpn-instanceinstance-name ] command to delete the
static user, and then run the static-user[description ] { start-ip-address [ end-ip-address ]
gatewayip-address| start-ipv6-address [ end-ipv6-address ] [ delegation-prefixstart-ipv6-
prefix [ end-ipv6-prefix ] prefix-length ] ipv6-gatewayipv6-address } *[ vpn-
instanceinstance-name ] [ domain-namedomain-name | interfaceinterface-typeinterface-
number [ vlanvlan-id [ qinqqinq-vlan ] | pvcvpi/vci ] | mac-addressmac-address | detect ]
* command to configure the detect keyword.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
----End
Relevant Alarms
None.
Relevant Logs
None.
Common Causes
l The share-key configured on the device is inconsistent with the share-key configured on
the RADIUS server.
l The physical network between the device and the RADIUS server fails.
l The RADIUS server becomes faulty.
l The user information sent by the device to the RADIUS server is incorrect, causing an
authentication failure.
l Network access server (NAS) records on the RADIUS server do not contain any
information about the device.
Troubleshooting Flowchart
If the user cannot get online after the RADIUS authentication policy and the RADIUS server
group are configured in the domain view, run the display aaa offline-record command to check
the item User offline reason.
The interconnection between the RADIUS server and the device fails if User offline reason is
displayed as one of the following:
l If the failure cause is displayed as RADIUS authentication request send fail, run the
ping command to check the connectivity of the physical network between the device and
the RADIUS server.
l If the failure cause is displayed as RADIUS authentication reject, check the reply message
returned by the RADIUS server to determine the fault cause. Alternatively, run the test-
aaa user-name password RADIUS-group group-name [ chap | pap ] [ test-group test-
group-name ] command with user access attributes to locate the server reject cause.
Figure 1-35 Troubleshooting flowchart for the interconnection failure between the RADIUS
server and the device
The RADIUS
user cannot get
online
No
No
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 If the user cannot get online, run the display aaa offline-fail-record command to check the
failure record about the user.
l If the failure cause is displayed as RADIUS authentication request send fail, go to step 2.
l If the failure cause is displayed as RADIUS authentication reject, go to step 6.
l If the failure cause is neither of the two, refer to other sections in this manual to find the
solution.
Step 2 Run the ping command to check the connectivity of the physical network between the device
and the RADIUS server.
l If the ping operation fails, check the physical network between the device and the RADIUS
server. For details, refer to the HUAWEI NetEngine80E/40E Router Troubleshooting - IP
Forwarding and Routing.
l If the ping operation succeeds, go to step 3.
Step 3 Check that the RADIUS server information configured on the device is correct.
Run the display RADIUS-server configuration [group groupname ] command in the system
view to check whether the port number of the RADIUS authentication and accounting server
configured in the RADIUS server group view on the device is the same as the actual monitoring
port of the RADIUS server and whether the RADIUS server is Up.
l If the RADIUS server is Up but the port number of the RADIUS server is incorrectly
configured, run the RADIUS-server group groupname command to enter the RADIUS
group view, and then run the RADIUS-server accounting ip-address port or RADIUS-
server authentication ip-address port command to modify the port number of the RADIUS
server.
l If the RADIUS server is Down, wait for a moment for the RADIUS server to automatically
become Up before performing the preceding operations.
If the user can get online, the fault is corrected; otherwise, go to step 4.
Step 4 Check that the RADIUS server is working properly.
l If the RADIUS server is not working properly, contact engineers of the RADIUS server
provider for a solution.
l If the RADIUS server is working properly, go to step 5.
Step 5 Check the settings of the RADIUS server.
Run the display this command on the device interface connecting the RADIUS server to check
the NAS IP address of the device. Run the display RADIUS-server configuration [group
groupname] command in the system view to check the share-key of the device. Configure a
share-key on the RADIUS server, and ensure that the share-key is consistent with the share-key
configured on the device.
If the user can get online, the fault is corrected; otherwise, go to step 8.
Step 6 Run the display aaa offline-fail-record command to check the reply message in the failure
record.
Determine the reason that the user's authentication request is denied by the RADIUS server
according to the reply message returned by the RADIUS server.
NOTE
A common user name error is that the user name configured on the RADIUS server is inconsistent with
the user name sent by the device. For example, the user name configured on the device does not carry any
domain name, but the user name sent by the device may carry a domain name. In that case, run the RADIUS-
server group groupname command to enter the RADIUS group view and then run the RADIUS-server
user-name { domain-included | original } command to set whether to carry a domain name in the user
name. If you run the undo RADIUS-server user-name domain-included command, the user name in a
RADIUS packet will not include any domain name. If you run the RADIUS-server user-name domain-
included command, the user name will include a domain name. If you run the RADIUS-server user-
name original command, the original user name will be carried.
Run the trace command to view the access attributes in the user's RADIUS authentication
packets, configure access attributes in RADIUS-test-group mode, and change the values of these
access attributes. Then run the test-aaa user-name password RADIUS-group group-name
[ chap | pap ] [ test-group test-group-name ] command to check whether the RADIUS
authentication packets are authenticated by the RADIUS server to locate the fault cause.
If the user can get online, the fault is corrected; otherwise, go to step 8.
Step 8 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
1.5 L2TP
Common Causes
Troubleshooting Flowchart
After L2TP is configured, it is found that L2TP users cannot get online.
1. Check the Layer 3 connectivity between the LAC and the LNS.
2. Check that L2TP configurations are correct and attributes are matched.
3. Check other features relevant to the L2TP networking.
Figure 1-36 Troubleshooting flowchart for the failure of the L2TP user to get online
An L2TP user
fails to get online
Yes
No
Yes
No
Is L2TP enabled on the LAC and the Enable L2TP Is fault rect
LNS?
No
Yes
No
Are the L2TP group and its attributes Correctly configure the L2TP
correctly configured for the LAC and the Is fault rect
group and its attributes
LNS?
No
Yes
No
Yes
No
Correctly configure the LNS
Is the LNS group correctly configured? Is fault rect
group and its attributes
No
Yes
No
Is the PPPoX service normal? Correctly configure user access Is fault rect
No
Yes
No
Yes
HUAWEI NetEngine80E/40E Router
Troubleshooting - User Access 1 User Fails to Get Online Troubleshooting
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the LAC can ping the LNS successfully.
If the ping operation succeeds, it indicates that the Layer 3 forwarding between the LAC and
the LNS is normal. Then, go to Step 2.
If the ping operation fails, you need to check the Layer 3 connectivity between the LAC and the
LNS. For details, refer to the HUAWEI NetEngine80E/40E Router Troubleshooting - IP
Forwarding and Routing.
Step 2 Check that L2TP is enabled on the LAC and the LNS.
Run the display current-configuration | include l2tp command on the LAC and the LNS.
If the command output shows l2tp enable, it indicates that L2TP is correctly enabled on the
LAC and the LNS. In this case, go to Step 3.
If the command output does not show l2tp enable, you need to configure the l2tp enable
command to enable L2TP. After the configuration, if the fault persists, go to Step 3.
Step 3 Check that the L2TP group attributes of the LAC and the LNS are correctly configured.
l On the LAC
Run the display l2tp-group group-name command and check whether the LNS address
specified by the LnsIPAddress field is the same as the actual LNS address. If they are
different, run the start l2tp command to set them the same.
l On the LNS
Run the display l2tp-group group-name command to check the following fields.
– Check the RemoteName field to see whether the tunnel name specified on the LNS is
the same as the tunnel name specified on the LAC.
– Check the VTNum field to see whether the bound VT is the same as the VT of the tunnel
interface.
NOTE
The name of the remote tunnel end, that is, remote-name, must be specified for the L2TP group (except
the default L2TP group, default-lns) when the L2TP tunnel is configured on the LNS.
If the specified remote tunnel end is inconsistent with the actual remote tunnel end, you need
to run the allow l2tp virtual-template virtual-template-number remote remote-name
command to make them the same.
If the L2TP group attributes are correctly configured but the fault persists, go to Step 4.
Step 4 Check that the LNS group is correctly configured.
Run the display lns-group name lns-name command on the LNS to check the Slot and
Interface fields to see whether the tunnel group is bound to the tunnel board and loopback
interface. If the tunnel group is not bound to the tunnel board and loopback interface, run the
bind slot slot-id and the bind source interface-type interface-number commands in the LNS
group view to bind them.
If the LNS group is correctly configured but the fault persists, go to Step 5.
Step 5 Check that consistent tunnel authentication scheme and password are configured on the LAC
and the LNS.
Run the display l2tp-group group-name command on the LAC and the LNS to check the
TunnelAuth, Tunnel aaa Auth, and RADIUS-auth fields. These fields show whether the
authentication schemes of both the LAC and the LNS are the same. If these fields indicate that
the authentication schemes are different, you need to set them the same. For details, refer to
"L2TP Configuration" in the HUAWEI NetEngine80E/40E Router Configuration Guide - User
Access.
If the tunnel authentication scheme is configured, you need to check whether the tunnel
authentication passwords configured on the LAC and the LNS are the same. If they are different,
run the tunnel password { simple | cipher } password command to set the same password.
NOTE
The tunnel authentication request can be initiated by the LAC or the LNS. As long as one end is enabled
with tunnel authentication, the authentication is performed in the tunnel setup process. The tunnel can be
set up only if the passwords of both ends are the same and not vacant.
If the authentication schemes and passwords are the same on both tunnel ends but the fault
persists, go to Step 6.
Step 6 Check that strict tunnel authentication is configured for the LAC, and the remote tunnel name
configured on the LAC is consistent with the tunnel name configured on the LNS.
Run the display l2tp-group group-name command on the LAC. If Use tunnel authentication
strict is displayed in the TunnelAuth field, strict tunnel authentication is configured for the
LAC.
l If strict tunnel authentication is used, check that the remote tunnel name configured on the
LAC is consistent with the tunnel name configured on the LNS.
– If they are inconsistent, run the start l2tp [ ip ip-address [ weight lns-weight ] ] & <1-8>
command on the LAC and run the tunnel name tunnel-name command on the LNS to
change the remote tunnel name on the LAC and the tunnel name on the LNS to be
consistent.
– If they are consistent, go to Step 7.
l If strict tunnel authentication is not configured, go to Step 7.
Step 7 Check that the PPPoX service is normal.
For details, refer to "A PPPoX User Fails to Get Online" in the HUAWEI NetEngine80E/40E
Router Troubleshooting - User Access.
If the PPPoX service is normal but the fault persists, go to Step 7.
Step 8 Check that the L2TP user is assigned an IP address.
If the user is not assigned an IP address, you need to correctly configure the IP address pool on
the LNS. For details, refer to "Locating the Fault that a Client Fails to Obtain an IP Address" in
the HUAWEI NetEngine80E/40E Router Troubleshooting - User Access
If the user is assigned a correct IP address but the fault persists, go to Step 8.
If the L2TP user accesses the VPN, run the display current-configuration command to check
the following:
If the VPN instance is correctly configured but the fault persists, go to Step 9.
Step 10 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
L2TP_1.3.6.1.4.1.2011.5.25.40.3.2.2.0.1 hwL2tpTunnelUpOrDown
Relevant Logs
None.
NOTE
See Roadmap for Locating L2TP Users Login Failure.
Common Causes
l The IPv6 function is disabled on the source interface of the L2TP tunnel on the LNS.
l The IPv6 address pool is not configured or incorrectly configured.
Troubleshooting Flowchart
This section describes the troubleshooting flowchart for the fault that an L2TP user cannot obtain
an IPv6 address and cannot get online when the user attempts to access the IPv6 network.
l Check that both L2TP tunnels and sessions can be properly established.
l Check that an IPv6 address pool has been correctly configured.
l Check that other IPv6-related information has been correctly configured.
Figure 1-37 Troubleshooting flowchart for the fault that L2TP IPv6 users cannot get online
The user cannot
get online in the
case of L2TP
IPv6 access
Yes
No Yes
The IPv6 function is Enable the IPv6
Is fault rectified?
globally enabled? function globally
Yes
Yes
Yes
Yes
Seek technical
support
End
Troubleshooting Procedure
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
NOTE
Before performing the following steps, ensure that GTL is enabled, and L2TP is enabled globally.
Procedure
Step 1 Check that both L2TP tunnels and sessions can be properly established.
Run the test l2tp-tunnel l2tp-group group-name ip-address ip-address command in the user
view to check whether L2TP tunnels and sessions can be properly established.
l If Test L2TP tunnel connectivity success is displayed, L2TP tunnels and sessions can be
properly established. Go to step 2.
l If Test L2TP tunnel connectivity fail is displayed, L2TP tunnels or sessions cannot be
properly established. Refer to the section about the failure of L2TP users to get online.
Step 2 Check that the IPv6 function is globally enabled.
Run the display current-configuration command on the LNS to check whether the IPv6
function is globally enabled.
l If the IPv6 function is globally enabled, go to step 3.
l If the IPv6 function is not globally enabled, globally enable the IPv6 function. If the fault
persists, go to step 3.
Step 3 Check that the IPv6 function is enabled on the source interface of the L2TP tunnel on the LNS.
Run the display this command in the interface view to check whether the IPv6 function is
enabled and whether the IPv6 link-local address has been configured.
l If the IPv6 function is enabled and the IPv6 link-local address has been configured, go to
step 4.
l If the IPv6 function is disabled, run the ipv6 enable command to enable the IPv6 function,
and then run the ipv6 address auto link-local command to configure the IPv6 link-local
address.
Step 4 Check that an IPv6 address pool has been correctly configured.
Check whether the corresponding IPv6 prefix pool and address pool have been configured, and
whether the domain is associated with the IPv6 address pool. If VPNs have been configured,
ensure that the VPN configured for the domain and the VPN configured for the IPv6 address
pool are the same.
l If the IPv6 address pool has been correctly configured, go to step 5.
l If the IPv6 address pool is incorrectly configured, modify the address pool configuration
information.
Step 5 Check that the address allocation mode and DUID have been correctly configured, including
whether the configuration is necessary.
The address allocation mode of an L2TP user is configured in the domain view. If IPv6 addresses
are obtained through the DHCPv6 protocol, the address allocation mode and DHCPv6 DUID
must be configured; otherwise, they do not need to be configured.
Run the display this command in the domain view to check whether the address allocation mode
value has been correctly configured. If ipv6 nd autoconfig managed-address-flag is displayed,
the address allocation mode has been configured.
Run the display this command in the system view to check whether the DUID function has been
correctly configured. If dhcpv6 duid duid-value is displayed, the DUID function has been
configured.
l If the M value and the DUID function have been correctly configured, go to step 6.
l If the configuration is incorrect, correctly configure the M value and the DUID function.
Step 6 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
L2TP_1.3.6.1.4.1.2011.5.25.40.3.2.2.0.1 hwL2tpTunnelUpOrDown
Relevant Logs
None.
\
Typical Networking
Figure 1-38 shows the typical networking of L2TP access. L2TP access troubleshooting is based
on this networking.
Headquarter
PSTN/ISDN
GE1/0/1 Tunnel
GE1/0/2 GE2/0/1 GE2/0/2
subscriber
RouterA RouterB
@isp1 (LAC) (LNS)
l The NE80E/40E functions as an L2TP Access Concentrator (LAC) or L2TP network server
(LNS).
l The client is connected to the LAC through an access network.
l The NE80E/40E is connected to the RADIUS server to implement authentication and
accounting for the user.
The user accesses the LAC in L2TP mode. The LNS assigns an IPv6 address to the user and
manages the user.
Troubleshooting Flowchart
On the network shown in Typical Networking, after an L2TP server is configured, the user
cannot get online. You can locate the fault based on the following troubleshooting flowchart.
No Yes
Is the Check the
Is fault
configuration of user access configuration of the
rectified?
correct? interface
Yes No
No Check the physical Yes
Can the
connection and the Is fault
LAC and the LNS ping
route between the rectified?
through each other?
LAC and the LNS
Yes No
Is L2TP No Yes
Is fault
enabled on the LAC and Enable L2TP
rectified?
the LNS?
Yes No
Are the
configuration of the No Yes
Correctly configure the
L2TP groups on the LAC and Is fault
L2TP groups and the
the LNS and attributes of the rectified?
attributes
L2TP groups
correct?
Yes No
Yes No
No Yes
Is the configuration Correctly configure Is fault
of PPPOX correct? user access rectified?
No
Yes
No Correctly configure the Yes
Is the configuration Is fault
LNS group and its
of the LNS correct? rectified?
attributes
Yes No
Troubleshooting Procedure
Procedure
Step 1 Check that the configuration of the interface connecting the server to the client is correct.
Run the display this command in the interface view to check whether the configuration of the
interface is correct. For the correct interface configuration, refer to the chapter "Configuring the
IPv6 Access Service" in the Configuration Guide - BRAS.
l If the interface configuration is incorrect, you need to modify the interface configuration to
be correct. For details, refer to the chapter "Configuring the IPv6 Access Service" in the
Configuration Guide - BRAS.
l If the interface configuration is correct, go to Step 2.
Step 2 Check that there are reachable routes between the LAC and LNS.
Ping the LNS from the LAC to check whether the ping operation succeeds.
l If the ping succeeds, it indicates that there are reachable routes between them.
l If the ping fails, it indicates that there are no reachable routes between them. In this case, you
need to ensure that there are reachable routes between them.
Step 3 Check that L2TP is enabled on the LAC and the LNS.
Run the display this command in the system views of the LAC and the LNS to check whether
L2TP is enabled.
l If l2tp enable is not displayed in the command output, it indicates that L2TP is not enabled
on the LAC or the LNS. You need to run the l2tp enable command in the system views of
the LAC and the LNS to enable L2TP.
l If L2TP is enabled, go to 4.
Step 4 Check that the L2TP group of the LAC and attributes of the L2TP group are correctly configured.
Run the display this command in the L2TP group view of the LAC to check whether the LNS
address configured in the L2TP group is consistent with the address configured on the LNS.
l If they are inconsistent, run the start l2tp ip ip address command in the L2TP group view
of the LAC to configure an LNS address to be consistent with the address configured on the
LNS.
l If they are consistent, go to Step 5.
Step 5 Check that the L2TP group of the LNS and attributes of the L2TP group are correctly configured.
Run the display this command in the L2TP group view of the LNS to check whether the
configured tunnel name and VT are correct.
l If they are incorrect, run the allow l2tp virtual-template virtual-template-number remote
lac-name command to configure a correct tunnel name and a VT. Ensure that the tunnel name
configured on the LNS is the same as that configured on the LAC.
l If they are correct, go to Step 6.
Step 6 Check that the LAC and the LNS are configured with the same tunnel authentication mode and
authentication password.
Run the display this command in the L2TP group views of the LAC and the LNS to check
whether they are configured with the same tunnel authentication mode and authentication
password.
If they are configured with different authentication modes or authentication passwords, modify
the configuration of one end to be the same as the configuration of the other end.
If the client still cannot obtain an IPv6 address, contact Huawei technical personnel.
----End
Common Causes
l The RBPs bound to interfaces on the master and slave devices are not the same.
l User entries of the MPU and LPU on the slave device are not associated.
Troubleshooting Flowchart
A user attempts to go online but fails after data is backed up on the slave device.
l Check whether backup-ids of the RBP bound to interfaces on the master and slave devices
are the same.
l Check whether L2TP configurations on the slave device are the same with those on the
master device.
l Check whether user entries of the MPU and LPU on the slave device are associated.
Troubleshooting Procedure
Before performing the following steps, users can check the Common Causes for Failure in
Going Online to correct the fault according to the prompts.
NOTE
Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault,
you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check whether the RBP is bound to BAS interfaces on the master and slave devices.
Run the display remote-backup-profile command to check whether the RBP is configured at
BAS interfaces.
l If yes, go to Step 2.
l If no, run the remote-backup-profile command to configure the RBP at BAS interfaces in
the BAS interface view. If the fault is not corrected, go to Step 2.
Step 2 Check whether backup-ids of the RBP bound to interfaces on the master and slave devices are
the same.
Run the display remote-backup-profile command to check whether backup-ids of the RBP
bound to interfaces on the master and slave devices are the same.
l If yes, go to Step 3.
l If no, run the backup-id backup-id remote-backup-service name command to configure
the two devices with the same backup-id in the RBP view. If the fault is not corrected, go to
Step 3.
Step 3 Check whether L2TP configurations on the slave device and those on the master device are the
same.
l If no, modify L2TP configurations on the slave device to be the same with those on the master
device. See L2TP Users Fail to Go Online for detailed troubleshooting methods.
l If yes, go to Step 4.
Step 4 Check whether entries of the MPU and LPU on the slave device are associated.
Step 5 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure;
l Configuration files, log files, and alarm files of the devices.
----End
Alarms
L2TP_1.3.6.1.4.1.2011.5.25.40.3.2.2.0.1 hwL2tpTunnelUpOrDown
Logs
None
2.5 Troubleshooting in the Scenario Where the NE80E/40E Functions as a Local DHCPv6
Server
This section describes the notes about configuring the NE80E/40E as a local DHCPv6 server,
and provides the troubleshooting flowchart and the troubleshooting procedure in a networking
where the NE80E/40E functions as a local DHCPv6 server.
2.6 Troubleshooting in the Scenario Where the NE80E/40E Functions as a Delegating Router
This section describes the notes about configuring the NE80E/40E as a delegating server, and
provides the troubleshooting flowchart and the troubleshooting procedure in a networking where
the NE80E/40E functions as a delegating server.
2.7 Troubleshooting in the Scenario Where the NE80E/40E Functions as a DHCPv6 Relay Agent
This section describes the notes about configuring the NE80E/40E as a DHCPv6 relay agent,
and provides the troubleshooting flowchart and the troubleshooting procedure in a networking
where the NE80E/40E functions as a DHCPv6 relay agent.
2.8 User Cannot Obtain an Address from the Address Pool According to the Pool ID Delivered
by the RADIUS Server
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the NE80E&40E cannot allocate an address from the corresponding
address pool to the user after the RADIUS server delivers No.100 attribute Framed-IPv6-
Pool or HUAWEI No.191 attribute Delegated-IPv6-Prefix-Pool.
Figure 2-1 Troubleshooting flowchart for the fault that an Ethernet client fails to obtain an IP
address (the HUAWEI NetEngine80E/40E functions as the DHCP server)
No
Is DHCP enabled? Enable DHCP Is fault rectified?
Yes
No
Yes
No
Yes
No Create an IP address
Does an IP address pool Is fault rectified?
pool
exist? Yes
No
Yes
No
Yes
Before performing the following procedure, you can also refer to common causes for users fail
to get online to solve this fault.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the DHCP function is enabled.
Run the display current-configuration | include undo dhcp enable command to check whether
the DHCP function is enabled. By default, the DHCP function is enabled.
l If the command output shows undo dhcp enable, it indicates that the DHCP function is
disabled, and you need to run the dhcp enable command to enable the DHCP function.
l If there is no command output, it indicates that the DHCP function is enabled. Then, go to
Step 2.
Step 2 Check that the interface connecting to the client is configured with a correct IP address.
Run the display this command in the view of the interface connecting to the client to check
whether an IP address is configured for the interface.
l If the IP address is incorrect or no IP address is configured, run the ip address ip-
address command to correctly configure an IP address.
l If the IP address is correct, go to Step 3.
Run the display current-configuration filter gateway ip-address mask command to check
whether there is a local IP address pool whose IP addresses belong to the same network segment
with the gateway (relay access) or with the IP address of an interface (non-relay access).
l If there is no command output, it indicates that the IP address pool does not exist. In this
case, run the following commands.
– Run the ip pool pool-name server command to create an IP address pool.
– Run the gateway ip-address { mask | mask-length } command to create the gateway of
the IP address pool.
– Run the section section-num start-ip-address [ end-ip-address ] to configure the range
of assignable IP addresses.
For detailed configurations of the IP address pool, refer to the HUAWEI NetEngine80E/
40E Configuration Guide - User Access.
l If the correct IP address pool exists, go to Step 4.
Step 4 Check that the IP address pool is correctly configured and IP addresses can be assigned.
Run the display ip pool name pool-name command to check whether the corresponding fields
have the correct values based on the following check steps. If any field has an incorrect value,
rectify the fault based on the following rectification procedure.
After the preceding steps, if the client still cannot acquire an IP address, go to Step 5.
Step 5 Check that the link between the DHCP server and the client is normal.
On the client, configure an IP address to make the client and the IP address pool of the DHCP
server on the same network segment (note that the IP address of the client cannot conflict with
an assigned IP address). Then, ping the IP address on the DHCP server to check whether the
link between the DHCP server and the client is normal.
l If the ping operation fails, it indicates that a routing fault occurs between the DHCP server
and the client, and you need to rectify the fault immediately.
l If the ping operation succeeds, go to Step 6.
Step 6 Check that the configurations of other devices along the link are correct, including the DHCP
relay, DSLAM, LAN switch, and the client.
Check whether the configurations of these devices are correct based on the device manuals. If
not, modify the configurations. After the preceding steps, if the client still cannot acquire an IP
address, go to Step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
When the HUAWEI NetEngine80E/40E functions as the DHCP relay, an Ethernet client enabled
with DHCPv4 cannot obtain an IP address.
l Check the link connectivity between the DHCP relay and the DHCP server or between the
DHCP relay and the client.
l Check that other devices along the link are correctly configured.
l Check whether the VLAN segment configured on the DHCP relay-enabled interface is one
of the VLAN segments configured on the sub-interface for dot1q or qinq VLAN tag
termination. If the VLAN segment configured on the DHCP relay-enabled interface is one
of the VLAN segments configured on the sub-interface for dot1q or qinq VLAN tag
termination, check whether the dhcp relay userinfo enable command is used.
Figure 2-2 Troubleshooting flowchart for the fault that an Ethernet client fails to obtain an IP
address (the HUAWEI NetEngine80E/40E functions as the DHCP relay)
No
Is DHCP enabled? Enable DHCP Is fault rectified?
Yes
Yes No
No
Is DHCP relay enabled? Enable DHCP relay Is fault rectified?
Yes
Yes No
No Correctly configure
Are DHCP relay
DHCP relay Is fault rectified?
attributes correct?
attributes Yes
No
Yes
Yes No
Before performing the following procedure, you can also refer to common causes for users fail
to get online to solve this fault.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the DHCP function is enabled.
Run the display current-configuration | include undo dhcp enable command to check whether
the DHCP function is enabled. By default, the DHCP function is enabled.
l If the command output shows undo dhcp enable, it indicates that the DHCP function is
disabled, and you need to run the dhcp enable command to enable the DHCP function.
l If there is no command output, it indicates that the DHCP function is enabled. Then, go to
step 2.
Step 2 Check that the DHCP relay function is enabled and correct attributes are configured.
Run the display dhcp relay address interface interface-type interface-number command.
l If there is no command output, it indicates that the DHCP relay function is disabled or the
IP address of the DHCP server is not configured. Therefore, run the dhcp select relay
command to enable the DHCP relay function, and then run the ip relay address command
to configure the IP address of the DHCP server.
l If the field, Dhcp Option (DHCP option number), Relay Agent IP (IP address of the relay
agent), or Server IP (IP address of the DHCP server), is incorrectly displayed, run the ip
relay address command to modify the relevant attribute.
l If all these fields are correctly displayed, go to step 2.
Step 3 Check that the link between the DHCP relay and the DHCP server is normal.
Run the ping -a source-ip-address destination-ip-address command on the DHCP relay. source-
ip-address indicates the IP address of the interface on the DHCP relay connecting to a client,
and destination-ip-address indicates the IP address of the DHCP server.
l If the ping operation fails, it indicates that a routing fault occurs between the DHCP relay
and the DHCP server, and you need to rectify the fault immediately.
l If the ping operation succeeds, go to step 3.
Step 4 Check that the link between the DHCP relay and the client is normal.
On the client end, configure an IP address to make the client and the DHCP relay on the same
network segment (note that the IP address of the client cannot conflict with an assigned IP
address). Then, ping the IP address on the DHCP relay to check whether the link between the
DHCP relay and the client is normal.
l If the ping operation fails, it indicates that a routing fault occurs between the DHCP relay
and the client, and you need to rectify the fault immediately.
l If the ping operation succeeds, go to step 5.
Step 5 Check whether the DHCP relay-enabled interface is the sub-interface for dot1q or qinq VLAN
tag termination and a VLAN segment is configured on the VLAN of the interface.
l If the DHCP relay-enabled interface is the sub-interface for dot1q or qinq VLAN tag
termination and a VLAN segment is configured on the VLAN of the interface, check whether
the dhcp relay userinfo enable command is used. If the dhcp relay userinfo enable
command is not used, run the dhcp relay userinfo enable command in the system view.
l If the DHCP relay-enabled interface is not the sub-interface for dot1q or qinq VLAN tag
termination on which a VLAN segment is configured, go to step 6.
Step 6 Check that configurations of other devices along the link are correct, including the DHCP server,
DSLAM, LAN switch, and the client.
Check whether the configurations of these devices are correct based on the device manuals. If
not, modify the configurations. After the preceding steps, if the client still cannot acquire an IP
address, go to step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure.
l Configuration files, log files, and alarm files of the devices.
----End
Relevant Alarms
None.
Relevant Logs
None.
l The link between the DHCP server and the client is faulty.
l Another device along the link is incorrectly configured.
Figure 2-3 Troubleshooting flowchart for the fault that a PPPoX/IPoX client cannot obtain an
IP address (the HUAWEI NetEngine80E/40E functions as the DHCP server)
No
Is the interface bound Bind the correct domain
Is fault rectified?
to a correct domain? to the interface
Yes
Yes No
No
Is the domain bound to Bind a correct IP address
Is fault rectified?
a correct IP address? to the domain
Yes
No
Yes
End
Seek technical support
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the interface connecting to the client is bound to the correct domain.
Run the display this command on the interface to check whether the interface is bound to the
correct domain.
Run the display domain domain-name command to check the IP-address-pool-name field to
see whether the correct IP address pool is bound.
l If the incorrect IP address pool is bound, run the ip-pool pool-name command to bind the
domain to the correct IP address pool.
NOTE
The IP address pool specified by pool-name must be created in advance. Details are as follows:
l Run the ip pool pool-name local command to create an IP address pool.
l Run the gateway ip-address { mask | mask-length } command to create the gateway of the IP address
pool.
l Run the section section-num start-ip-address [ end-ip-address ] to configure the range of assignable
IP addresses.
For detailed configurations of the IP address pool, refer to the HUAWEI NetEngine80E/40E Configuration
Guide - User Access.
l If the correct IP address pool is bound, go to Step 3.
Step 3 Check that the IP address pool is correctly configured and IP addresses can be assigned.
Run the display ip pool name pool-name command to check whether the corresponding fields
have the correct values based on the following check steps. If any field has the incorrect value,
rectify the fault based on the following procedure.
After the preceding steps, if the client still cannot acquire an IP address, go to Step 4.
Step 4 Check that the interface at the client side and BAS are correctly configured.
Step 5 Check that the link between the DHCP server and the client is normal.
On the client, configure an IP address to make the client and the IP address pool of the DHCP
server on the same network segment (note that the IP address of the client cannot conflict with
an assigned IP address). Then, ping the IP address on the DHCP server to check whether the
link between the DHCP server and the client is normal.
l If the ping operation fails, it indicates that a routing fault occurs between the DHCP server
and the client, and you need to rectify the fault immediately.
l If the ping operation succeeds, go to Step 6.
Step 6 Check that the configurations of other devices along the link are correct, including the DHCP
relay, DSLAM, LAN switch, and the client.
Check whether the configurations of these devices are correct. If not, modify the configurations.
After the preceding steps, if the client still cannot acquire an IP address, go to Step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Figure 2-4 Troubleshooting flowchart for the fault that a PPPoX/IPoX client cannot obtain an
IP address (the HUAWEI NetEngine80E/40E functions as the DHCP relay)
No
Is the domain bound to a Bind a correct IP address
Is fault rectified?
correct IP address pool? pool to the domain
Yes
Yes
No
Yes No
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the interface on the user end is bound to the correct domain.
Run the display this command on the interface to check whether the interface is bound to the
correct domain.
Run the display domain domain-name command to check the IP-address-pool-name field to
see whether the bound IP address pool is correct.
l If the incorrect IP address pool is bound, run the ip-pool pool-name command to bind the
domain to the correct IP address pool.
NOTE
The IP address pool specified by pool-name must be created in advance. Details are as follows:
l Run the ip pool pool-name remote command to create an IP address pool.
l Run the gateway ip-address { mask | mask-length } command to create the gateway of the IP address
pool.
l Run the dhcp-server group group-name command to configure the DHCP server group.
For detailed configurations of the IP address pool, refer to the HUAWEI NetEngine80E/40E Configuration
Guide - User Access.
l If the correct IP address pool is bound, go to Step 3.
Step 3 Check that the IP address pool and the IP address of the DHCP server are correctly configured.
Run the display ip pool name pool-name command to check whether values of the
corresponding fields are correct. If any field is displayed with an incorrect value, rectify the fault
based on the following rectification procedure.
Check whether the IP 1. Run the display Correct DHCP server l If the DHCP
address pool is ip pool name name and address server group is
configured with an pool-name incorrectly
correct DHCP server command to view configured for the
address. the DHCP-Group IP address pool,
field. configure it
2. Then, run the correctly by
display dhcp- running the
server group dhcp-server
group-name group group-
command to view name command.
the Primary- l If the DHCP
Server and server address is
Secondary- incorrectly
Server fields. configured for the
IP address pool,
configure it
correctly by
running the
dhcp-server ip-
address
command.
After the preceding steps, if the client still cannot acquire an IP address, go to Step 4.
Step 4 Check that the interface at the client side and BAS are correctly configured.
For detailed configurations of BAS, refer to the HUAWEI NetEngine80E/40E Configuration
Guide - User Access. After the preceding steps, if the client still cannot acquire an IP address,
go to Step 5.
Step 5 Check that the links between the DHCP relay and the DHCP server and between the DHCP relay
and the client are normal.
Run the ping command on the DHCP relay to check whether the route between the DHCP server
and the client is normal.
NOTE
Since the client cannot acquire an IP address automatically, you need to first assign IP addresses of the same
network segment to the interfaces between the client and the DHCP relay (note that the configured IP addresses
cannot conflict with existing IP addresses).
l If the ping operation fails, it indicates that a routing fault occurs, and you need to rectify
the fault immediately.
l If the ping operation succeeds, go to Step 6.
Step 6 Check that the configurations of other devices along the link are correct, including the DHCP
relay, DSLAM, LAN switch, and the client.
Check whether the configurations of these devices are correct. If not, modify the configurations.
After the preceding steps, if the client still cannot acquire an IP address, go to Step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Figure 2-5 Typical networking where the NE80E/40E functions as a local DHCPv6 server
DNS server RADIUS server
3002:3101::2:2 129.6.55.55
l A client is a Layer 2 access user and needs to apply to the NE80E/40E for an IPv6 address
to get online.
l The NE80E/40E is connected to the RADIUS server to implement authentication and
accounting for clients.
l The NE80E/40E is connected to an IPv6 DNS server.
The NE80E/40E functions as a local DHCPv6 server to allocate IPv6 addresses to clients and
manage clients.
Figure 2-6 Troubleshooting flowchart for the scenario where the NE80E/40E functions as a
local DHCPv6 server
A Client cannot
obtain an IPv6
address
No
Yes
No Yes
Is the configuration of the Check the configuration
interface correct? of the interface Is fault recified?
No
Yes
No
Yes
Yes No
No Yes
Is the IPv6 address pool Bind the IPv6 address
Is fault recified?
bound to the user domain? pool to the user domain
No
Yes
No
Yes
Seek technical
End
support
Procedure
Step 1 Check that the physical connection between the client and server works properly.
Check whether the client and server can ping through each other. If they can ping through each
other, it indicates that the physical connection between them works properly; otherwise, you
need to rectify the fault on the physical connection, and then check whether the problem persists.
If the problem persists, go to Step 2.
Run the display ipv6 prefix command in the system view to check whether an IPv6 prefix pool
is configured.
l If there is no IPv6 prefix pool, run the ipv6 prefix prefix-name local command to create a
local prefix pool, enter the local prefix pool view, and then run the prefix prefix-address
prefix-length command to configure an IPv6 prefix address.
l If there is an IPv6 prefix pool, run the ipv6 prefix prefix-name command to enter the prefix
pool view, and then run the display this command to check whether an IPv6 prefix is
configured in this prefix pool. If no IPv6 prefix address is configured in this prefix pool, run
the prefix prefix-address prefix-length command to configure an IPv6 prefix address.
Run the display ipv6 pool command in the system view to check whether an IPv6 address pool
is configured.
l If there is no IPv6 address pool, run the ipv6 pool pool-name bas local command to create
a local address pool, enter the local address pool view, and then run the prefix prefix-name
command to bind the prefix pool in Step 3 to this address pool.
l If there is an IPv6 address pool, run the ipv6 pool pool-name command to enter the address
pool view, and then run the display this command to check whether this address pool is
bound to the prefix pool in Step 3. If they are not bound, run the prefix prefix-name command
to bind the prefix pool in Step 3 to this address pool.
Step 5 Check that the user domain is bound to an IPv6 address pool.
Run the display this command in the AAA view to check whether the user domain is bound to
an IPv6 address pool.
l If the user domain is not bound to the IPv6 address pool, run the ipv6-pool pool-name
command in the domain view to bind the domain to an IPv6 address pool.
l If the user domain is bound to an IPv6 address pool, go to Step 6.
Step 6 Check that IPv6 is enabled on the DHCPv6 server and the server DUID is set.
Run the display this command in the system view to check configurations.
l If the command output shows "ipv6", it indicates that the IPv6 function is enabled; otherwise,
run the ipv6 command to enable IPv6.
l If the command output shows "dhcpv6 duid", it indicates that the server DUID is set;
otherwise, run the dhcpv6 duid command to set the server DUID.
Step 7 Check that there are assignable IPv6 addresses in the address pool.
Run the display ipv6 prefix prefix-name used command in the system view to check whether
the number of assignable IPv6 prefixes is 0.
l If the value of the Free Prefix Count field is displayed as 0, there is no assignable address in
this prefix pool. In this case, configure a new prefix pool and a new address pool and then
bind the new address pool to the domain to which the client belongs.
l If the value of the Free Prefix Count field is not displayed as 0, there are assignable addresses.
If the client still cannot obtain an IPv6 address, contact Huawei technical personnel.
----End
Figure 2-7 Typical networking where the NE80E/40E functions as a delegating router
Requesting Router
Figure 2-7 is a typical networking of DHCPv6 prefix delegation (PD). In this networking:
l The requesting router obtains an IPv6 address from the delegating router.
l The NE80E/40E is connected to the RADIUS server to implement authentication and
accounting for clients.
l The NE80E/40E is connected to an IPv6 DNS server.
The NE80E/40E is responsible for allocating IPv6 prefixes for requesting routers and managing
requesting routers.
Figure 2-8 Troubleshooting flowchart for the scenario where the NE80E/40E functions as a
delegating router
A re q u e stin g ro u te r
ca n n o t o b ta in a n
IP v6 p re fix
D o e s th e p h ysica l C h e ck th e co n n e ctio n
co n n e ctio n b e tw e e n th e No Yes
b e tw e e n th e re q u e stin g
R e q u e stin g ro u te r a n d d e le g a tin g ro u te r Is fa u lt re cifie d ?
ro u te r a n d d e le g a tin g
w o rk
N o rm a lly? ro u te r
No
Yes
See “ PPPoE
No T ro u b le sh o o tin g ” o r“ IP Yes
Is th e clie n t a L a ye r 2
a cce ss u se r? o E T ro u b le sh o o tin g ” to Is fa u lt re cifie d ?
so lve th e a cce ss
p ro b le m
No
Yes
No Yes
Is th e co n fig u ra tio n o f th e C h e ck th e co n fig u ra tio n
in te rfa ce co rre ct? o f th e in te rfa ce Is fa u lt re cifie d ?
No
Yes
No
Yes
Is a n a d d re s s p o o l C o n fig u re a n a d d re ss
No p o o l a n d b in d so m e Yes
c o n fig u re d a n d a re s o m e Is fa u lt re cifie d ?
a d d re s s e s b o u n d to th is a d d re sse s to th e a d d re ss
A d d re s s p o o l? pool
No
Yes
Is th e IP v6 a d d re ss p o o l No B in d th e IP v6 a d d re ss Yes
Is fa u lt re cifie d ?
b o u n d to th e u se r d o m a in ? p o o l to th e u se r d o m a in
No
Yes
Is th e se rve r e n a b le d No E n a b le IP v6 o n th e Yes
W ith IP v6 a n d is a se rve r se rve r a n d se t a D U ID Is fa u lt re cifie d ?
D U ID se t? fo r th e se rve r
No
Yes
D o e s th e a d d re ss p o o l No C o n fig u re a n e w a d d re ss Yes
h a ve a n a va ila b le a d d re ss p o o l, p re fix p o o l, a n d Is fa u lt re cifie d ?
to b e a llo ca te d to th e p re fix a d d re sse d
C lie n t?
No
Yes
S e e k te ch n ica l
su p p o rt End
Procedure
Step 1 Check that the physical connection between the client and server works properly.
Check whether the client and server can ping through each other. If they can ping through each
other, it indicates that the physical connection between them works properly; otherwise, you
need to rectify the fault on the physical connection, and then check whether the problem persists.
If the problem persists, go to Step 2.
Step 2 Check that the requesting router can normally get online through PPPoE or IPoE.
Check whether the requesting router can obtain an IPv6 address from the delegating router and
get online normally.
l If the requesting router fails to get online, refer to PPPoE troubleshooting procedure or IPoE
troubleshooting procedure in the Troubleshooting - BRAS and ensure that the requesting
router can access the delegating router.
l If the requesting router can normally get online, go to Step 3.
Run the display ipv6 prefix command in the system view to check whether an IPv6 prefix pool
is configured.
l If there is no IPv6 prefix pool, run the ipv6 prefix prefix-name delegation command to create
a delegation prefix pool, enter the delegation prefix pool view, and then run the prefix prefix-
address prefix-length command to configure an IPv6 prefix address.
l If there is an IPv6 prefix pool, run the ipv6 prefix prefix-name command to enter the prefix
pool view, and then run the display this command to check whether an IPv6 prefix is
configured in this prefix pool. If no IPv6 prefix address is configured in this prefix pool, run
the prefix prefix-address prefix-length command to configure an IPv6 prefix address.
Run the display ipv6 pool command in the system view to check whether an IPv6 address pool
is configured.
l If there is no IPv6 address pool, run the ipv6 pool pool-name bas delegation command to
create a delegation address pool, enter the local address pool view, and then run the prefix
prefix-name command to bind the prefix pool in Step 3 to this address pool.
l If there is an IPv6 address pool, run the ipv6 pool pool-name command to enter the address
pool view, and then run the display this command to check whether this address pool is
bound to the prefix pool in Step 3. If they are not bound, run the prefix prefix-name command
to bind the prefix pool in Step 3 to this address pool.
Step 6 Check that the user domain is bound to an IPv6 address pool.
Run the display this command in the AAA view to check whether the user domain is bound to
an IPv6 address pool.
l If the user domain is not bound to the IPv6 address pool, run the ipv6-pool pool-name
command in the domain view to bind the domain to an IPv6 address pool.
l If the user domain is bound to an IPv6 address pool, go to Step 7.
Step 7 Check that IPv6 is enabled on the DHCPv6 server and the server DUID is set.
Run the display this command in the system view to check configurations.
l If the command output shows "ipv6", it indicates that the IPv6 function is enabled; otherwise,
run the ipv6 command to enable IPv6.
l If the command output shows "dhcpv6 duid", it indicates that the server DUID is set;
otherwise, run the dhcpv6 duid command to set the server DUID.
Step 8 Check that there are assignable IPv6 addresses in the address pool.
Run the display ipv6 prefix prefix-name used command in the system view to check whether
the number of assignable IPv6 prefixes is 0.
l If the value of the Free Prefix Count field is displayed as 0, there is no assignable address in
this prefix pool. In this case, configure a new prefix pool and a new address pool and then
bind the new address pool to the domain to which the client belongs.
l If the value of the Free Prefix Count field is not displayed as 0, there are assignable addresses.
If the client still cannot obtain an IPv6 address, contact Huawei technical personnel.
----End
Figure 2-9 Typical networking where the NE80E/40E functions as a DHCPv6 relay agent
DNS server RADIUS server
3002:3101::2:2 129.6.55.55
Users can access the network through one or multiple relay agents. In the preceding figure, the
NE80E/40E (Router B) functions as a DHCPv6 relay agent.
Figure 2-10 Troubleshooting flowchart for the scenario where the NE80E/40E functions as a
local DHCPv6 server
A client cannot obtain an IPv6
address
Does
the physical
connection between the client No Check the physical
Yes
and the DHCPv6 relay agent connection between Is fault
and the connection between the the client and the rectified?
DHCPv6 relay agent and server
the DHCPv6 server
work normally?
Yes No
Is the
No Check the Yes
configuration of the Is fault
inbound/outbound Interface of configuration of the
rectified?
the DHCPv6 relay agent interface
correct?
Yes No
No
Yes
Yes No
No Yes
Does other Is fault
Check other devices
devices work normally? rectified?
Yes No
Procedure
Step 1 Check that the physical connections work properly.
Check whether the connection between the DHCPv6 relay agent and the client (or the superior
relay agent) and the connection between the DHCPv6 relay agent and the DHCPv6 server (or
the subordinate relay agent) work normally. If the connection fails, you need to rectify the fault
on the physical connection and then check whether the problem persists. If the problem persists,
go to Step 2.
Step 2 Check that the inbound and outbound interfaces of the DHCPv6 relay agent are correctly
configured.
Run the display this command in the inbound interface view to check the following:
If the DHCPv6 relay agent is a first relay agent, the IPv6 address assigned to the relay agent must be on the
same network segment with the addresses in the address pool configured on the DHCPv6 server. If the
DHCPv6 relay agent is not a first relay agent, any IPv6 address can be assigned to the relay agent based on
the network planning.
l Whether DHCPv6 is enabled
l Whether the relay function is enabled and the address of the DHCPv6 server or outbound
interface of DHCPv6 packet is set
Run the display this command in the outbound interface view to check the following:
Run the display interface interface-type interface-number command in the system view to check
whether the inbound interface has received packets and view statistics on input packets.
NOTE
If the DHCPv6 relay agent is a first relay agent, check whether the statistics on multicast packets increase;
if the DHCPv6 relay agent is not a first relay agent, check whether the statistics on unicast packets increase.
l If the inbound interface of the DHCPv6 relay agent receives no packets (that is, the "Input"
field is displayed as 0), check the connection between the relay agent and the superior device
and then check whether the superior device can forward packets normally.
l If the inbound interface of the DHCPv6 relay agent has received packets, go to Step 4.
Run the display interface interface-type interface-number command in the system view to check
whether the outbound interface has forwarded packets and view statistics on the output packets.
l If packet forwarding on the outbound interface fails (that is, the "Output" field is displayed
as 0), check the physical connection between the DHCPv6 relay agent and the subordinate
device and check whether the IPv6 address of this interface is on the same network segment
with that of the inbound interface of the superior device.
l If packet forwarding succeeds, it indicates that the DHCPv6 relay agent works normally.
Then, check whether other devices work normally.
If the client still cannot get online, contact Huawei technical support personnel.
Step 5 Check whether the number of access users exceeds the maximum number allowed by the
DHCPv6 relay agent.
Run the display dhcpv6 relay userinfo table [ { interface interface-type interface-number
[.subinterface-number ] [ pevlan pevlan-id [ end-pevlan-id ] [ cevlan cevlan-id [ end-cevlan-
id ] ] ] | slot slot-id [ card card-id ] } | mac-address mac-address | index index | client-duid
client-duid | server-duid server-duid | server-address ipv6-address [ vpn-instance vpn-
instance-name ] | client-address ipv6-address [ vpn-instance vpn-instance-name ] ]
[ statistics ] command in the system view to check whether the number of access users exceeds
the maximum number allowed by the DHCPv6 relay agent.
l If the number of access users exceeds the maximum number allowed by the DHCPv6 relay
agent, log out some users based on the situations on the live network.
l If the number of access users does not exceed the maximum number allowed by the DHCPv6
relay agent, go to Step 6.
l If the DHCPv6 server allocates conflicted IPv6 addresses or prefixes or responds with a
Reply packet whose lifetime is 0 or status is not Success, rectify any faults on the DHCPv6
server.
l If the client does not receive a Reply packet from the DHCPv6 server within the timeout
period, rectify any faults on the DHCPv6 server.
l If the DHCPv6 relay agent does not receive a packet from the client within the timeout period,
rectify any faults on the client.
After the preceding steps, if the client still cannot acquire an IP address, go to Step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
l The address pool with the specified pool ID is not configured on the device.
l The address pool type does not match the pool ID delivered by the RADIUS server. If the
RADIUS server delivers No.100 attribute Framed-IPv6-Pool, the address pool can be a
local or delegation address pool. If the RADIUS server delivers HUAWEI No.191 attribute
Delegated-IPv6-Prefix-Pool, the address pool can be a delegation address pool only.
l No prefixes are available in the prefix pool.
This section describes the troubleshooting flowchart for the fault that the user cannot obtain an
address from the address pool after the RADIUS server delivers the pool ID.
l Check that the address pool with the specified pool ID has been configured on the device.
l Check that the address pool type matches the pool ID delivered by the RADIUS server.
l Check that no prefixes are available in the prefix pool.
Before performing the following steps, you can refer to Common Causes for Failing to Get
Online and correct the fault according to prompts displayed by the device.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that an address pool with the specified pool ID has been configured on the device.
Run the display ipv6 pool pool-name command in the system view to check whether an address
pool with the specified pool ID has been configured on the device.
l If This pool does not exist is displayed, the address pool is not configured. Run the ipv6
pool pool-name { bas { local | delegation } } command on the device to configure the address
pool.
l If information about the address pool is displayed, the address pool has already been
configured. Go to step 2.
Step 2 Check that the address pool type configured on the device matches the pool ID delivered by the
RADIUS server.
Run the display ipv6 pool pool-name command in the system view to check whether the pool
type indicated in the command output information matches the pool ID delivered by the RADIUS
server. If the RADIUS server delivers No.100 attribute Framed-IPv6-Pool, the address pool
can be a local or delegation address pool. If the RADIUS server delivers HUAWEI No.191
attribute Delegated-IPv6-Prefix-Pool, the address pool can be a delegation address pool only.
l If the pool type does not match the pool ID delivered by the RADIUS server, reconfigure
the address pool type. If the RADIUS server delivers HUAWEI No.191 attribute Delegated-
IPv6-Prefix-Pool, run the ipv6 pool pool-name bas delegation command to configure the
address pool as a delegation address pool. If the RADIUS server delivers No.100 attribute
Framed-IPv6-Pool, the address pool can be a local or delegation address pool.
l If the pool type matches the pool ID delivered by the RADIUS server, go to step 3.
If the address pool is a delegation address pool, run the display ipv6 prefix prefix-name used
command in the system view to check whether the value of Free Prefix Count is 0.
l If the value of Free Prefix Count is 0, no prefixes are available in the prefix pool. Run the
ipv6 prefix prefix-name [ local | delegation ] command in the system view to enter the prefix
pool view, and then run the prefix prefix-address/prefix-length [ delegating-prefix-length
length ] command to configure the address pool.
l If the value of Free Prefix Count is not 0, go to step 4.
Step 4 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
3 RADIUS Troubleshooting
3.1 The Dynamic ACL Delivered by the RADIUS Server Does Not Take Effect
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the dynamic ACL delivered by the RADIUS server does not take
effect.
Figure 3-1 Troubleshooting flowchart for the fault that the ACL delivered by the RADIUS
server does not take effect
ACL delivered by
the RADIUS
server does not
take effect
Is RADIUS No Yes
Reconfigure the Is the fault
configuration
RADIUS server rectified?
correct?
No
Yes
Configure the
Can RADIUS No RADIUS server to Is the fault Yes
dynamically deliver dynamically deliver rectified?
ACLs? ACLs
No
Yes
No
Yes
Contact Huawei
technical support End
personnel
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the RADIUS server configuration on the NE80E/40E is correct.
Run the test-aaa user-name password radius-group group-name command to check whether
the RADIUS server works properly.
l If the RADIUS server does not work properly, reconfigure the RADIUS server based on the
guide. For configuration details, see Configuring the RADIUS Server.
l If the RADIUS server works properly, go to step 2.
Step 2 Check that the HW-Data-Filter attribute is configured on the RADIUS server.
The RADIUS server can dynamically deliver ACLs only after the HW-Data-Filter attribute is
configured on the RADIUS server.
l If the HW-Data-Filter attribute is not configured on the RADIUS server, configure the HW-
Data-Filter attribute on the RADIUS server.
l If the HW-Data-Filter attribute is configured on the RADIUS server, go to step 3.
Step 3 Check that the RADIUS server is configured to dynamically deliver ACLs on the NE80E/40E.
Run the display this command in the system view to check whether the remote-download acl
enable command is configured.
NOTE
If the traffic classifier carried in the HW-Data-Filter attribute contains the name of a user group that does
not exist on the NE80E/40E, enable the RADIUS server to dynamically create user groups.
l If the RADIUS server is not configured to dynamically deliver ACLs on the NE80E/40E,
run the remote-download acl enable command in the AAA view to enable the RADIUS
server to dynamically deliver ACLs. To enable the RADIUS server to dynamically create
user groups, run the remote-download user-group enable command in the AAA view.
l If the RADIUS server is configured to dynamically deliver ACLs on the NE80E/40E, go to
step 4.
Step 4 Check that the number of traffic classifier-behavior pairs dynamically delivered by the RADIUS
server does not exceed the specification supported by the NE80E/40E.
Run the display aaa remote-download acl item command to check whether the number of
traffic classifier-behavior pairs delivered by the RADIUS server exceeds the specification
supported by the NE80E/40E, or run the display alarm active command to check whether a
hwRemoteDownloadAclThresholdAlarm alarm is generated.
NOTE
The NE80E/40E supports a maximum number of 1024 traffic classifier-behavior pairs. If the number of
traffic classifier-behavior pairs delivered by the RADIUS server exceeds 1024, subsequent pairs fail to be
delivered.
l If the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds
1024, run the recycle remote-download acl classifier command to reclaim the idle
classifier-behavior pairs.
l If the number of traffic classifier-behavior pairs delivered by the RADIUS server does not
exceed 1024, go to step 5.
Step 5 Check that the number of rules does not exceed the specification supported by the NE80E/
40E.
NOTE
A traffic classifier-behavior pair can contain multiple rules. If the number of rules, including those carried
in the dynamically delivered traffic classifier-behavior pairs and those configured using commands,
exceeds the specification supported by the NE80E/40E, subsequent rules cannot take effect.
l If a hwXQoSRuleFaileAlarm alarm is generated, reclaim some rules.
l If a hwXQoSRuleFaileAlarm alarm is not generated, go to step 6.
Step 6 Check that rules are correctly delivered in the traffic classifier-behavior pairs.
Run the display aaa remote-download acl item verbose command to check detailed
information about traffic classifier-behavior pairs and determine whether rules are correctly
delivered.
l If no rules are delivered or rules are incorrectly delivered, configure the RADIUS server to
deliver correct rules in the HW-Data-Filter attribute of the RADIUS Access-Accept packets
or CoA packets.
l If rules are correct, go to step 7.
Step 7 Collect the following information and contact Huawei technical support personnel.
l Results of the troubleshooting procedure
l Configuration files, log files, and alarm files from the devices
l Debugging information about the devices
----End
Relevant Alarms
AAA_1.3.6.1.4.1.2011.5.2.2.2.0.29 hwRemoteDownloadAclThresholdAlarm
NE5KQOS_1.3.6.1.4.1.2011.5.25.32.4.1.11.11 hwXQoSRuleFaileAlarm
Relevant Logs
None
NOTE
Hybrid Access enables two GRE tunnels to be bundled on the HG and Hybrid Access device. One is the
priority tunnel, and the other is the overflow tunnel. Unless otherwise specified in this chapter, a DSL
tunnel is used as the priority tunnel, and an LTE tunnel is used as the overflow tunnel.
4.8 The Upstream Bonding Bandwidth Is Far Lower Than the Sum of LTE and DSL Link
Bandwidth
NOTE
T2 address: IP address of a Hybrid Access, which is used as the destination IP address carried in a tunnel
establishment request initiated by an HG. Each Hybrid Access pool uses the same address.
AVP: information that is carried in a request packet and is used to establish a tunnel.
Figure 4-1 Troubleshooting flowchart for the failure to establish an overflow tunnel
No
No
Is the destination IP
address the T2 address?
Yes
Is the tunnel
reestablished? Is the T3 No
address used? Is the
session ID carried?
Yes
Yes
Is the CIN No
Carried in the allowed
list?
Yes
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that Hybrid Access is correctly configured.
Run the display this command in the tunnel interface view to check whether Hybrid Access is
correctly configured.
l If Hybrid Access is not correctly configured, configure Hybrid Access correctly according
to the configuration guide.
l If Hybrid Access is correctly configured, go to Step 2.
Step 2 Check that the protocol status of the tunnel interface is Up.
Run the display this interface or display this ipv6 interface command in the tunnel interface
view to check whether the IPv4 or IPv6 status of the tunnel interface is Up.
l If the IPv4 or IPv6 status of the tunnel interface is Up, go to Step 3.
l If the IPv4 or IPv6 status of the tunnel interface is not Up, check whether the source interface
of the tunnel interface is correctly configured. If the source interface of the tunnel interface
is not correctly configured, configure the source interface of the tunnel interface correctly
according to the configuration guide.
Run the debug tunnel all command to enable tunnel debugging and obtain the source IP address
of the request packet. Run the display hybrid-access tunnel all | include X.X.X.X command to
check whether the same entry exists.
Run the debug tunnel all command to enable tunnel debugging and obtain the destination IP
address of the request packet. Check whether the destination IP address of the request packet is
the T2 or T3 address.
l If the destination IP address of the request packet is the T2 address, the overflow tunnel is
not reestablished. Go to Step 5.
l If the destination IP address of the request packet is the T3 address, the overflow tunnel is
reestablished. Check whether the debugging information contains the session ID. If the
debugging information contains the session ID and the display hybrid-access user-info
user-id user-id command output shows that a prior tunnel exists, the session ID is correct.
Go to Step 5.
l If the destination IP address of the request packet is neither the T2 nor T3 address, the
destination IP address of the request packet is incorrect and the request packet is discarded.
NOTE
The value of user-id in the display hybrid-access user-info user-id user-id command is the session ID in
the debugging information.
For details about how to configure T2 and T3 addresses, see Configuring T2 and T3 Addresses in HUAWEI
NetEngine80E/40E Router Configuration Guide - User Access.
Step 5 Check that the AVPs carried in the request packet are correct.
Run the debug tunnel all command to enable tunnel debugging and obtain the AVPs carried in
the request packet.
l If the CIN and IPv6 prefix carried in the request packet are correct, go to Step 6.
l If the CIN and IPv6 prefix carried in the request packet are incorrect, this is not a fault. The
request packet is discarded.
Step 6 Check that the CIN is in the allowed list.
Run the debug tunnel all command to enable tunnel debugging and obtain the CIN carried in
the request packet.
l If the CIN is in the allowed list, go to Step 7.
l If the CIN is not in the allowed list, this is not a fault. The request packet is discarded.
Step 7 Check that the HASM configuration is correct.
For troubleshooting details, see 4.4 Hybrid Access Users Fail to Go Online. If the fault persists,
go to Step 8.
Step 8 Collect the following information and contact Huawei technical support personnel:
l Results of the troubleshooting procedure
l Configuration, log, and alarm files of the devices
l Device debugging information
----End
Relevant Alarms
None
Relevant Logs
None
T3 address: source IP address used for a Hybrid Access to establish a GRE tunnel.
Figure 4-2 Troubleshooting flowchart for the failure to establish a priority tunnel
No
Is the No
destination IP address
the T3 address?
Yes
Is the Session No
ID carried in the request
packet?
Yes
Does the No
corresponding overflow
tunnel exist?
Yes
Yes
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that Hybrid Access is correctly configured.
Run the display this command in the tunnel interface view to check whether Hybrid Access is
correctly configured.
l If Hybrid Access is not correctly configured, configure hybrid access correctly according to
the configuration guide.
l If Hybrid Access is correctly configured, go to Step 2.
Step 2 Check that the protocol status of the tunnel interface is Up.
Run the display this interface or display this ipv6 interface command in the tunnel interface
view to check whether the IPv4 or IPv6 status of the tunnel interface is Up.
l If the IPv4 or IPv6 status of the tunnel interface is Up, the protocol status of the tunnel
interface is correct, go to Step 3.
l If the IPv4 or IPv6 status of the tunnel interface is not Up, check whether the source interface
of the tunnel interface is correctly configured.
– If the source interface of the tunnel interface is not correctly configured, configure the
source interface of the tunnel interface correctly according to the configuration guide.
– If the source interface of the tunnel interface is correctly configured, go to Step 3.
Run the debug tunnel all command to enable tunnel debugging and obtain the source IP address
of the request packet. Run the display hybrid-access tunnel all | include X.X.X.X command to
check whether the same entry exists.
Step 4 Check that the destination IP address of the request packet is the T3 address.
Run the debug tunnel all command to enable tunnel debugging and obtain the destination IP
address of the request packet. Check whether the destination IP address of the request packet is
the T3 address.
For details about how to configure a T3 address, see Configuring T2 and T3 Addresses in HUAWEI
NetEngine80E/40E Router Configuration Guide - User Access.
Step 5 Check that the request packet contains the session ID.
Run the debug tunnel all command to enable tunnel debugging and obtain the AVPs carried in
the request packet. Check whether the session ID exists.
NOTE
The value of user-id in the display hybrid-access user-info user-id user-id command is the session ID in
the debugging information.
l If the corresponding overflow tunnel does not exist, establish an overflow tunnel first.
l If the corresponding overflow tunnel exists, go to Step 5.
Step 7 Check that the AVPs carried in the request packet are correct.
Run the debug tunnel all command to enable tunnel debugging and obtain the AVPs carried in
the request packet.
l If the session ID and IPv6 prefix carried in the request packet are correct, go to Step 6.
l If the session ID and IPv6 prefix carried in the request packet are incorrect, this is not a fault.
The request packet is discarded.
Step 8 Check that the HASM configuration is correct.
For troubleshooting details, see 4.4 Hybrid Access Users Fail to Go Online. If the fault persists,
go to Step 7.
Step 9 Collect the following information and contact Huawei technical support personnel:
l Results of the troubleshooting procedure
l Configuration, log, and alarm files of the devices
l Device debugging information
----End
Relevant Alarms
None
Relevant Logs
None
Yes No
Yes No
Does SOAP
No The SOAP service is working Yes
messages fail to be sent Is the fault
properly. Analyze the failure for
or parsed? Does SOAP rectified?
a specific cause description.
responses expire?
No
Yes
No
Yes
Yes No
Yes No
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the SOAP server group is correctly configured in a domain.
Run the display this command in the AAA domain view to check whether the SOAP server
group is correctly configured.
l If the SOAP server group is not correctly configured, configure the SOAP server group
correctly according to the configuration guide.
l If the SOAP server group is correctly configured, go to Step 2.
Step 2 Check that the SOAP server group is correctly configured in the SOAP view.
Run the display this command in the SOAP view to check whether the SOAP server group is
correctly configured.
l If the SOAP server group is not correctly configured, configure the SOAP server group
correctly according to the configuration guide.
l If the SOAP server group is correctly configured, go to Step 3.
Run the display hybrid-access online-fail-record command to check the cause of the
authentication or authorization failure.
l If the cause is that the authentication or authorization message fails to be sent or parsed or
that the timer for waiting for a response from the SOAP server expires, go to Step 4.
l If the cause is others, the SOAP service is working properly. Analyze the failure for a specific
cause description.
Step 4 Check that the device communicates properly with the SOAP server.
Run the ping command to check whether the device communicates properly with the SOAP
server.
l If the device does not communicate properly with the SOAP server, run the display
interface command to check whether the interface connected to the SOAP server is Up. If
the interface connected to the SOAP server is Up, check whether the SOAP service on the
SOAP server is working and whether the SOAP service listening port is enabled.
l If the fault persists, go to Step 5.
Obtain the packet headers and check whether the SOAP request message received by the SOAP
server and its sent response messages are correct.
l If these messages are incorrect, check whether the WSDL file on the device or SOAP server
is correct.
– If the WSDL file is incorrect, ensure that the WSDL file is correct.
– If the WSDL file is correct, go to Step 6.
l If these messages are correct, go to Step 6.
Step 6 Collect the following information and contact Huawei technical support personnel:
l Results of the troubleshooting procedure
l Configuration, log, and alarm files of the devices
l Device debugging information
----End
Relevant Alarms
HASM_1.3.6.1.4.1.2011.5.25.324.2.2.0.5 hwHAAPSOAPServerTimeout
Relevant Logs
None
l No T2 address is configured.
l The service board's type is not set to hybrid-access.
l The domain to which Hybrid Access users belong is not configured.
l The authentication or authorization mode in the domain is not correctly configured.
l No SOAP server group or SOAP server address is configured during SOAP authentication
and authorization.
l No SOAP server group is bound to the domain during SOAP authentication and
authorization.
l The route to the authentication or authorization server is unreachable.
Figure 4-4 Troubleshooting flowchart for hybrid access users' failure to go online
Configure hybrid-access-
Is the T2 address No Is the fault Yes
service enable and the IP
configured? address on the loopback rectified?
interface.
Yes No
Is
No Is the fault Yes
hybrid-access-service Configure hybrid-access-
enable configured in the service enable in the domain. rectified?
domain?
No
Yes
Are the
authentication and No Yes
Configure none or soap in the Is the fault
authorization modes domain. rectified?
configured correctly in
the domain?
No
Yes
No Yes
Is the SOAP server group Bind the SOAP server group to Is the fault
bound to the domain? the domain. rectified?
No
Yes
Yes No
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the T2 address has been configured.
Run the display this command on the loopback interface to check whether hybrid-access-
service enable and the IPv4/IPv6 address are configured.
l If hybrid-access-service enable and the IP address are not configured, configure them.
l If hybrid-access-service enable and the IPv4/IPv6 address are configured, go to Step 2.
Run the display board-type slot command in the user view to check whether the service board's
type is set to hybrid-access.
l If the service board's type is not set to hybrid-access, run the set board-type slot slot-id
hybrid-access command in the user view.
l If the service board's type is set to hybrid-access, go to Step 3.
Step 3 Check whether the hybrid-access-service enable command is configured in the domain to
which Hybrid Access users belong.
Run the display this command in the AAA view to check whether hybrid-access-service
enable is configured in the domain.
Step 4 Check that the authentication and authorization modes configured in the domain to which Hybrid
Access users belong are correct.
The authentication and authorization modes for Hybrid Access users are classified as non-
authentication or SOAP authentication and authorization.
Run the display this command in the view of the domain to which Hybrid Access users belong
to obtain the bound authentication and authorization templates. Then run the display this
command in the authentication and authorization template views to check whether the
authentication and authorization modes are none or soap and whether they are consistent.
l If the authentication and authorization modes are not none or soap, configure
authentication-mode { soap | none } in the authentication template and authorization-
mode { soap | none } in the authorization template.
l If the authentication and authorization modes are none or soap and they are consistent, go
to Step 5.
Step 5 Check that the SOAP authentication and authorization server addresses and SOAP server group
are configured during SOAP authentication and authorization.
Run the display soap-instance all command in the system view to check whether the SOAP
authentication and authorization server address instances are configured. Run the display
l If the SOAP authentication and authorization server address instances are not configured,
run the soap-instance instance-name tcp-domain local-site ip-address tcp-port port-id
target-host address ip-address tcp-port port-id command in the SOAP server group view
to configure them. Run the soap-server group group-name command to create a SOAP
server group, and then run the soap-server authentication instance soap-instance-name
and soap-server authorization instance soap-instance-name commands in the SOAP server
group view to specify the SOAP authentication and authorization server instances.
l If the SOAP authentication and authorization server instances are configured, go to Step 6.
Step 6 Check that the SOAP server group is bound to the domain during SOAP authentication and
authorization.
Run the display this command in the view of the domain to which Hybrid Access users belong
to check whether soap-server group group-name is configured.
l If the SOAP authentication and authorization servers cannot be pinged, check whether the
server addresses are correctly configured, whether the servers are working properly, and
whether the routes to the server addresses exist. If the next hop addresses to the servers are
not configured, configure them.
l If the SOAP authentication and authorization servers can be pinged, go to Step 8.
Step 8 Collect the following information and contact Huawei technical support personnel:
l Results of the troubleshooting procedure
l Configuration, log, and alarm files of the devices
l Device debugging information
----End
Relevant Alarms
HASM_1.3.6.1.4.1.2011.5.25.324.2.2.0.5 hwHAAPSOAPServerTimeout
HASM_1.3.6.1.4.1.2011.5.25.324.2.2.0.6 hwHAAPOnlineFailAlarm
HASM_1.3.6.1.4.1.2011.5.25.324.2.2.0.11 hwHAAPServerRejectAlarm
Relevant Logs
None
Figure 4-5 Troubleshooting flowchart for Hybrid Access users' failure to obtain IPv4 addresses
Yes No
No
Yes
Are there idle addresses No Add an IPv4 bas local address Is the fault Yes
in the address pool? pool and bind it to the domain. rectified?
No
Yes
No Yes
Do hybrid access users Ensure that hybrid access Is the fault
successfully go online? users successfully go online. rectified?
No
Yes
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the IPv4 bas local address pool is configured and that the gateway and section are
configured in the address pool.
Run the display ip pool command in the system view to check whether the IPv4 bas local address
pool is configured. Then run the display ip pool name pool-name command to check whether
the gateway and section are configured in the address pool.
l If the IPv4 bas local address pool is not configured, run the ip pool pool-name bas local
command in the system view to configure it. Then run the gateway ip-address mask and
section section-id start-ip-address end-ip-address commands to configure the gateway and
section in the address pool.
l If the IPv4 bas local address pool is configured and the gateway and section are configured
in the address pool, go to Step 2.
Step 2 Check that the IPv4 bas local address pool is bound to the domain to which Hybrid Access users
belong.
Run the display this command in the view of the domain to which Hybrid Access users belong
to check whether ip-pool pool-name is configured.
l If ip-pool pool-name is not configured, run the ip-pool pool-name command to bind the IPv4
bas local address pool to the domain.
l If ip-pool pool-name is configured correctly, go to Step 3.
Step 3 Check that the hybrid-access-service enable command is configured in the domain to which
Hybrid Access users belong.
Run the display this command in the AAA view to check whether hybrid-access-service
enable is configured in the domain.
Step 4 Check that addresses in the address pool bound to the domain are not completely assigned.
Run the display ip pool name pool-name command in the system view to check whether the
number of idle addresses is 0.
l If the number of idle addresses is 0, create an IPv4 bas local address pool and bind it to the
domain (see Steps 1 and 2).
l If the number of idle addresses is not 0, go to step 5.
Run the display hybrid-access user-info all command in the system view to check whether the
corresponding Hybrid Access users are online.
l If the corresponding Hybrid Access users are offline, rectify the fault according to 4.4 Hybrid
Access Users Fail to Go Online.
l If the corresponding Hybrid Access users are online, go to Step 6.
Step 6 Collect the following information and contact Huawei technical support personnel:
l Results of the troubleshooting procedure
l Configuration, log, and alarm files of the devices
l Device debugging information
----End
Relevant Alarms
AM_1.3.6.1.4.1.2011.6.8.2.2.0.14 hwUsedIPExhaust
Relevant Logs
None
Figure 4-6 Troubleshooting flowchart for Hybrid Access users' failure to obtain IPv6 PD
prefixes
Yes No
No
Yes
No
Yes
No
Yes
Do hybrid access users No Ensure that hybrid access users Is the fault Yes
successfully go online? successfully go online. rectified?
No
Yes
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that a DHCPv6 DUID is configured in the system view.
Run the display current-configuration | include duid command in the system view to check
whether a DHCPv6 DUID is configured.
l If a DHCPv6 DUID is not configured, run the dhcpv6 duid { llt | duid-value } command to
configure it.
l If a DHCPv6 DUID is configured, go to Step 2.
Step 2 Check that the IPv6 bas delegation address pool is configured and that the delegation prefix pool
with 56-bit prefixes is bound to the address pool.
Run the display ipv6 pool command in the system view to check whether the IPv6 bas delegation
address pool is configured. Run the display ipv6 pool pool-name command to check whether
the delegation prefix pool is bound to the address pool. Then run the display ipv6 prefix prefix-
name command to check whether the PD prefix length in the bound prefix pool is 56 bits.
l If the IPv6 bas delegation address pool and delegation prefix pool are not configured, perform
the following operations:
1. Run the ipv6 prefix prefix-name delegation command in the system view to create an
IPv6 prefix pool.
2. Run the prefix X:X::X:X/M delegating-prefix-length 56 command in the IPv6 prefix
pool view to configure an IPv6 address prefix.
3. Return to the system view and run the ipv6 pool pool-name bas delegation command
to create an IPv6 address pool.
4. Run the prefix prefix-name command in the IPv6 address pool view to bind the
configured prefix pool.
l If the IPv6 bas delegation address pool and delegation prefix pool are correctly configured,
go to Step 3.
Step 3 Check that the IPv6 bas delegation address pool is bound to the domain to which Hybrid
Access users belong.
Run the display this command in the view of the domain to which Hybrid Access users belong
to check whether ipv6-pool pool-name is configured.
l If ipv6-pool pool-name is not configured, run the ipv6-pool pool-name command to bind
the IPv6 bas delegation address pool to the domain.
l If ipv6-pool pool-name is configured, go to Step 4.
Step 4 Check that PD prefixes in the IPv6 address pool bound to the domain are not completely assigned.
Run the display ipv6 prefix prefix-name command in the system view to check whether the
number of free prefixes is 0.
l If the number of free prefixes is 0, create an IPv6 bas delegation address pool and bind it to
the domain (see Steps 2 and 3).
l If the number of free prefixes is not 0, go to Step 5.
Run the display hybrid-access user-info all command in the system view to check whether the
corresponding Hybrid Access users are online.
l If the corresponding Hybrid Access users are offline, rectify the fault according to 4.4 Hybrid
Access Users Fail to Go Online.
l If the corresponding Hybrid Access users are online, go to Step 6.
Step 6 Collect the following information and contact Huawei technical support personnel:
l Results of the troubleshooting procedure
l Configuration, log, and alarm files of the devices
l Device debugging information
----End
Relevant Alarms
AM_1.3.6.1.4.1.2011.6.8.2.2.0.20 hwIPv6AddressExhaustAlarm
Relevant Logs
None
Figure 4-7 Flowchart for troubleshooting FTP upload and download failures
FTP upload
and download
fail for IPv6
users.
Yes
Yes
Are the other Correctly
No Is the fault Yes
devices correctly configure the
rectified?
configured? other devices.
No
Yes
Contact End
Huawei.
Context
NOTE
Save the results of each troubleshooting step. If the fault persists after following this procedure, Huawei
will need these results for further troubleshooting.
Procedure
Step 1 Check that FTP ALG is enabled in the Hybrid Access view.
Run the display this command and check whether the nat66 alg ftp command configuration
exists in the hybrid-access view.
l If the nat66 alg ftp command configuration exists in the Hybrid Access view, FTP ALG is
enabled. Go to Step 2.
l If the nat66 alg ftp command configuration does not exist in the Hybrid Access view, run
the nat66 alg ftp command in the Hybrid Access view.
Step 2 Check that other devices on the link are correctly configured.
Check whether the configurations are correct based on the manuals of the related devices. If the
configurations are incorrect, modify the relevant configurations. If FTP upload and download
still fail for IPv6 users, go to Step 3.
----End
Relevant Alarms
None
Relevant Logs
None
A fault occurs if the upstream bonding bandwidth is lower than or equal to 80% of the sum of LTE and
DSL link bandwidth.
Figure 4-8 Flowchart for troubleshooting the problem that the upstream Bonding bandwidth is
far lower than the sum of LTE and DSL link bandwidth
Upstream Bonding
bandwidth is far
lower than the sum
of the LTE and DSL
link bandwidth.
Check whether the Yes Set the packet ordering Is the fault Yes
packet ordering cache cache time to a proper
rectified?
time is 0. value.
No No
No
Check whether delay Yes Set the cache time to a Is the fault Yes
difference is higher than value higher than the
rectified?
the cache time? delay difference.
No
No
No
No
Context
NOTE
Save the results of each troubleshooting step. If the fault persists after following this procedure, Huawei
will need these results for further troubleshooting.
Procedure
Step 1 Check that the packet ordering configurations for upstream traffic on the Hybrid Access are
correct.
Run the display this command in the hybrid-access view to check whether the keep-order
cache-time value is 0.
l If the keep-order cache-time value is 0, packet ordering configurations for upstream traffic
are incorrect. In this case, run the keep-order cache-time command in the hybrid-access
view to set a proper cache time.
l If the keep-order cache-time value is not 0, packet ordering configurations for upstream
traffic are correct. In this case, go to Step 2.
Run the display hybrid-access ordering-board statistics flow slot slot-id command to check
the Transmit GRE Data Packet Unorderly value of the packet ordering board.
l If the Transmit GRE Data Packet Unorderly value is quite small (the GRE Packet
Unorder Percentage value is lower than 10%), go to Step 4.
l If the Transmit GRE Data Packet Unorderly value is quite large (the GRE Packet
Unorder Percentage value is higher than 10%) and keeps increasing, go to Step 3.
Step 3 Check the packet delay on the LTE and DSL links.
Check the packet delay on the LTE and DSL links on the HG and compare the difference between
them with the configured packet ordering cache time.
l If the difference between LTE and DSL link delay is higher than the packet ordering cache
time, run the keep-order cache-time command in the hybrid-access view to set a packet
ordering cache time that is higher than the difference between LTE and DSL link delay.
l If the difference between LTE and DSL link delay is lower than the packet ordering cache
time, go to Step 4.
Step 4 Check that no severe packet loss occurs on the LTE link.
Run the display hybrid-access ordering-board statistics flow slot slot-id command to check
whether the GRE Packet Discard In Tunnel value rapidly increases.
l If the GRE Packet Discard In Tunnel value rapidly increases, the LTE link is unstable and
encounters severe packet loss. In this case, check the LTE link status.
l If the GRE Packet Discard In Tunnel value is normal (the GRE Packet Discard
Percentage value is lower than 10%), go to Step 5.
----End
Relevant Alarms
None
Relevant Logs
None