Home » Cisco Manuals » Hubs & Switches » Cisco N5K-C5010P-BF » Manual Viewer

Cisco N5K-C5010P-BF Troubleshooting Guide - Page 133

Unable to decode content of packets with Wireshark, Role assignment fails when user logs

UPC - 882658212208

View all Cisco N5K-C5010P-BF manuals

Add to My Manuals
Save this manual to your list of manuals

Page 133 highlights

Chapter 6 Troubleshooting Security Issues AAA Send document comments to [email protected]. Possible Cause AAA server is not accessable in network. Solution If the problem persists after correcting the VRF association and correcting the user-account credentials, then perform the following: • If the test aaa command returns the error, "error authenticating to server", the route to the server might be missing in the configuration. Use the ping command, if the AAA server is associated with the default VRF. If it is associated with VRF management, use the ping vrf management command. • If the message "No route to host" appears, then the static route to the server is not configured properly. Reconfigure the IP route in the corresponding VRF context. • Enter the ping command again. If the command is successful, then use the test aaa group command. • If the ping command is unsuccessful, then check the network connectivity, such as if the ARP entry of the nexthop router is displayed in the show ip arp [vrf management] command or if the ARP entry of the Nexus 5000 switch exists in the nexthop router's ARP table. Unable to decode content of packets with Wireshark AAA packets were captured from the network, but Wireshark was unable to decode the content of the packets. Possible Cause AAA packets are encrypted while the host key is enabled. Solution Perform the following steps to decode the content: • Use the no tacacs-server command to delete the TACACS server configuration. • Reconfigure the TACACS server without specifying any key. • Reconfigure the AAA client for the Nexus 5000 switch on the Network Configuration page in ACS while removing the host key. • Re-do the wire tapping. The captured packetsnow should not be encrypted and the data content should be decoded properly by Wireshark. • After the packet capturing, the administrator should revert to the host key configuration for better security. Role assignment fails when user logs in Role assignment fails when the user logs in. (From the perspective of the Nexus 5000 switch AAA.) Possible Cause Assuming that the ACS or TACACS+ and RADIUS has the Cisco av pair configured correctly, then the problem might be that the internal or local VRF assignment for the user login is not working correctly. Solution OL-25300-01 Cisco Nexus 5000 Series Troubleshooting Guide 6-5

Section	Page
Cisco Nexus 5000 Series Troubleshooting Guide	1
Contents	3
Preface	5
Audience	5
Organization	5
Document Conventions	6
Related Documentation	7
Troubleshooting Overview	9
Troubleshooting Basics	9
Troubleshooting a Switch Crash	9
Best Practices	11
Common Terms	11
Fabric Manager Tools and CLI Commands	12
NX-OS Tips	12
Displaying what is required from the configuration	12
Displaying within Config Mode	12
Pipe command	12
Using the pipe command to only display required keyword	13
Copy command	13
Redirecting output	13
Redirecting output of the show tech-support details command	13
NX-OS command listing	14
Narrowing scope of keywords	14
Logging	14
Ethanalyzer and SPAN	15
Ethanalyzer	15
SPAN	17
Source Ports	18
SPAN Destinations	18
Characteristics of Destination Ports	18
Monitor Caveats	19
SPAN Configuration	19
Verifying the SPAN Session	19
Suspending the SPAN Session	20
Debugging	20
Command-Line Debugging	20
Debug Logging	20
Debugs to the Direct Telnet Window	21
Cisco Discover Protocol	21
Failover	22
FCoE Traffic	22
Non-FCoE traffic	22
LAN Traffic	23
Troubleshooting FCoE Issues	25
Data Center Bridging	25
VFC (FCoE) interface not online	25
General troubleshooting	25
Nexus 5548 Troubleshooting	30
FIP	31
VFC down due to FIP failure	31
VFC down due to FIP solicitation failure	31
VFC down because VLAN response not received by CNA	32
VFC down because no active STP port-state on the bound Ethernet interface	32
VFC down due to FIP keepalive misses	32
CNA	33
Best practice topology for CNA	33
Troubleshooting with Host tools	34
CNA not recognized by Host OS	34
PFC	35
Standard pause frames	35
PFC not negotiated with FCOE-capable adapters (CNA)	35
Switch Interface connected to CNA receives constant pause frames (PFC)	36
Check if switch is sending pause frames or getting paused	37
Switch ports err-disabled due to pause rate-limit	38
How to enable link pause (flow control) on switch that connects DCBX capable devices	39
How to clear PFC counters	39
Registers and Counters	39
Interface level errors	39
Packet byte counts	40
Verification of SNMP readouts	41
Traffic rates	41
Troubleshooting Layer 2 Switching Issues	43
MAC Address Table	43
Data traffic is flooding	43
MAC address not learned	44
Traffic flooding in a VPC setup	45
Spanning Tree Protocol	45
HIFs go down with the BPDUGuard errDisable message	45
FWM-2-STM_LOOP_DETECT detected on switch, dynamic learning disabled	45
Port stuck in STP blocking state with BLK*(Type_Inc)	46
Port stuck in STP blocking state with BLK*(PVID_Inc)	46
Port stuck in STP blocking state with BLK*(Loop_Inc)	46
Multicast	47
Source MAC addresses of IGMP joins are learned	47
Multicast data traffic not received by host	47
Multicast data traffic not received when host is registered for group	47
Multicast traffic is being flooded in a VPC setup	48
VLANs	48
Nexus 5000 does not have the same VLANs as switch running VTP server	48
VLAN cannot be created	48
Interface VLAN is down	49
Configuring interface to access port does not allow VLAN <###> to go through	50
Cannot create VLAN	50
Cannot create SVI	51
Cannot create private VLAN (PVLAN)	51
Registers and Counters	52
Identifying drops	52
Expected/Logical drops	52
Queue is full	53
MTU violation	54
Handling CRC errors	54
MAC Statistics	54
Troubleshooting QoS Issues	59
Policy Maps	59
Improper Configurations	60
Cannot pass frame size larger than 2300 bytes through switch	60
MTU for “class-default” value is 1500 when jumbo MTU configured	61
Traffic not queued or prioritized correctly on Nexus 2148, Nexus 2232, and Nexus 2248	61
PFC	66
Link pause (flow control) not enabled on back to back Nexus 5000 switch links	66
Cannot enable “pause no-drop” on more than one ethernet class	66
Changing no-drop configuration causes VPC peer-link to go down and FEX to go offline	67
Pause enabled on all cos values when no-drop enabled on class-ip-multicast	67
No drop class not created on N2K-C2148T/N2K-C2248TP-1GE based FEX with default QoS configuration	68
How to enable link pause (flow control) on Nexus 5000 interface	68
Registers and Counters	68
Nexus 5000 10G PFC	69
Nexus 5000 1G storm control	69
Nexus 5000 10G storm control	69
Nexus 5000 storm control counter	69
afm-related CLI commands and tools	69
FEX qosctrl debug commands	70
N2K-C2148T FEX counters	70
Nexus 5000 multicast-optimization	71
Nexus 5000 FCoE classification	71
Nexus 5000 MTU programming	71
Nexus 5000 interrupt	71
Untagged COS	72
Buffer usage and packet drop debugging on N2K-C2232P FEX	72
Troubleshooting SAN Switching Issues	73
Overview	73
General SAN troubleshooting steps	74
NPV	74
NP Uplink ports on NPV edge switch are stuck in initializing state	74
Server interface does not come up and “NPV upstream port not available” message appears	75
Uneven load balancing on the NPV NP ports	75
Server on downstream NPV edge switch does not login to the fabric	76
Locating exact port that server is physically attached to	77
VSANs stuck in initializing state after configuring the 4.2(1)N1 F_Port trunking feature	78
Zoning	79
Cannot activate zoneset and cannot configure zoning in enhanced zoning mode	79
Host cannot communicate with storage	80
Zone merge failure when two switches connect using E or TE port	82
Zone set activation failure	83
Full zone database synchronization failure across two switches	84
Mismatched default zone policy in switches in VSAN causes unexpected results when accessing storage	84
SAN Port Channels	85
Fibre channel port is down when trying to connect switches via SAN Port Channel	85
Newly added Fibre Channel interface does not come online in a SAN Port Channel	86
Cannot configure trunking	86
VSAN traffic does not traverse trunk	86
xE port is isolated in a specific VSAN under interface of SAN Port Channel	87
Cannot create a san-port-channel interface	87
FC Services	88
Overview	88
Fibre channel port remains in initializing state	89
Specific VSAN traffic is not being routed through SAN fabric	90
Fibre channel port is suspended due to too many invalid FLOGIs	95
Having stale FCNS entries for Fibre Channel nodes	98
Interface is isolated because of FC Domain ID overlap	100
Cisco Fabric Services	103
Overview	103
Verifying CFS using CLI	103
Merge failure troubleshooting	106
Recovering from a Merge Failure with the CLI	107
Lock failure troubleshooting	108
Resolving lock failure issues using the CLI	109
System state inconsistent and locks being held	110
Clearing locks using the CLI	110
Distribution status verification	110
Verifying distribution using the CLI	110
CFS regions troubleshooting	110
Distribution failure	111
Regions for conditional service	112
Changing regions	112
VSANs	112
Overview	112
VSAN Troubleshooting Activities	113
Common troubleshooting tools in Fabric Manager	113
Common troubleshooting CLI commands	113
Checklist	113
Nexus 5000 trunk port does not connect to upstream SAN switch	114
Nexus 5000 E port (non-trunking) does not connect to upstream SAN switch	116
Communication problem between host and storage devices	118
VSAN is down between switches	118
Registers and Counters	120
Identifying physical layer issues	120
Displaying FcoE bound Ethernet interface counters	121
Understanding Fibre Channel interface counters	124
Troubleshooting Fibre Channel MAC issues	125
Troubleshooting Fibre Channel forwarding issues	126
Troubleshooting Security Issues	129
Roles	129
Role assignment fails when user logs in	129
Rules for Role's permit/deny action do not work correctly	130
Role's interface or VLAN policy does not appear to work correctly	131
Assigning multiple roles to single user does not seem to work correctly	131
Change to role configuration does not get applied	131
CLI rejects feature-group removal	132
AAA	132
User cannot login through TACACS+ or RADIUS authentication	132
Unable to decode content of packets with Wireshark	133
Role assignment fails when user logs in	133
No command accounting logs on ACS server when TACACS+ accounting enabled	134
PAP authentication does not work for RADIUS	134
Authentication fallback method appears inoperable	135
Troubleshooting System Management Issues	137
SNMP	137
SNMP memory usage continuously increasing	137
SNMP not responding	138
SNMP not responding and show snmp command reports SNMP has timed out	138
Not able to perform SNMP SET operation	138
SNMP on BRIDGE-MIB	139
Logging	139
System is not responsive	139
Syslog server not getting messages from DUT	139
Traps	140
Traps not received	140
DNS	140
DNS resolution not working correctly	140
Specified domain not removed from domain-list	141
Troubleshooting Virtual Port Channel Issues	143
Improper Configurations	143
vPC fails to start	143
Unable to configure vPC	143
vPC in blocking state	144
vPC domain ids	144
Connectivity issues	145
Peer-link issues	147
vPC Consistency parameter issues	149
Troubleshooting Config-Sync Issues	151
Commit Failure	151
Command Parsing Failed	151
Verify failed	152
Commands that failed commit	152
Another session in progress	152
Import Failure	153
Failed to collect running-config	154
Command does not exist in global-db	154
Mutual exclusion check failed on peer	155
Merge Failure	155
First time merge failure	156
Merge after peers that were in sync previously	156
Merge after reload	156
Switch-profile Deletion Failure	156
Application failure	157
Failure from dependent commands	157
Application does not respond	157
Verify Failure	158
Mutual exclusion check under local information	158
Mutual exclusion check under peer information	158
Rollback/ISSU in progress	158
Global-db modification in progress	159
Peer unable to accept lock request	159

Match case Limit results 1 per page

Send document comments to [email protected].

6-5

Cisco Nexus 5000 Series Troubleshooting Guide

OL-25300-01

Chapter 6

Troubleshooting Security Issues

AAA

Possible Cause

AAA server is not accessable in network.

Solution

If the problem persists after correcting the VRF association and correcting the user-account credentials,

then perform the following:

•

If the

test aaa

command returns the error, "error authenticating to server", the route to the server

might be missing in the configuration. Use the

ping

command, if the AAA server is

associated with the default VRF. If it is associated with VRF management, use the

ping

vrf management

command.

•

If the message "No route to host" appears, then the static route to the server is not configured

properly. Reconfigure the IP route in the corresponding VRF context.

•

Enter the

ping

command again. If the command is successful, then use the

test aaa group

command.

•

If the

ping

command is unsuccessful, then check the network connectivity, such as if the

ARP entry of the nexthop router is displayed in the

show ip arp [vrf management]

command or if

the ARP entry of the Nexus 5000 switch exists in the nexthop router's ARP table.

Unable to decode content of packets with Wireshark

AAA packets were captured from the network, but Wireshark was unable to decode the content of the

packets.

Possible Cause

AAA packets are encrypted while the host key is enabled.

Solution

Perform the following steps to decode the content:

•

Use the no tacacs-server command to delete the TACACS server configuration.

•

Reconfigure the TACACS server without specifying any key.

•

Reconfigure the AAA client for the Nexus 5000 switch on the Network Configuration page in ACS

while removing the host key.

•

Re-do the wire tapping. The captured packetsnow should not be encrypted and the data content

should be decoded properly by Wireshark.

•

After the packet capturing, the administrator should revert to the host key configuration for better

security.

Role assignment fails when user logs in

Role assignment fails when the user logs in. (From the perspective of the Nexus 5000 switch AAA.)

Possible Cause

Assuming that the ACS or TACACS+ and RADIUS has the Cisco av pair configured correctly, then the

problem might be that the internal or local VRF assignment for the user login is not working correctly.

Solution