Slow passthrough RADIUS request VX9000

  • 0
  • 1
  • Problem
  • Updated 2 months ago
  • Solved
  • (Edited)
Hi all,

We use a VX9000 with 1200+ AP7522.
RADIUS requests go to a Aruba RADIUS server.
The Proxy mode for RADIUS requests is: "through-centralized-controller" so the VX9000 sends the requests to the RADIUS server.

In a attempt to use a captive portal to authenticate guest users on a guest vlan we noticed that there is a lag.
It takes the VX9000 a minimal of 50 seconds to send the request after the user entered his user/password. 

Can anyone shed a light on this. We are stuck.
Photo of Erwin

Erwin

  • 100 Points 100 badge 2x thumb

Posted 3 months ago

  • 0
  • 1
Photo of Andrew Webster

Andrew Webster

  • 1,746 Points 1k badge 2x thumb
Just a thought, but how have you defined the hosts in the AAA policy?  
If by hostname, maybe its a DNS failure of some sort?
If by IP address, is the RADIUS server attempting to do some sort of reverse-IP lookup and that is failing?
Have you taken some packet captures at the AP and the VX to see the progression of the RADIUS messages to identify where it is slowing down?
Photo of Andrew Webster

Andrew Webster

  • 1,746 Points 1k badge 2x thumb
You might want to have a look at 'service show process' cli to see if something is maxing out the CPU on the VX and it is slow to respond, also check 'show event-history' and 'show logging' to see if any errors are getting logged.
Photo of Erwin

Erwin

  • 100 Points 100 badge 2x thumb
Thanks Andrew,
Two commands where new to me.
I had the same idea. I build an extra VX9000 controller to check if there is a resource problem. (not expecting that, we have a VX9000 with enough oempf to run nsight but it is still off). Only need to adopt our test AP's.
Photo of Doug Hyde

Doug Hyde, Technical Support Manager

  • 20,038 Points 20k badge 2x thumb
Erwin, 

How are you making out with this issue? Are you all set at this point? 
Photo of Erwin

Erwin

  • 100 Points 100 badge 2x thumb
Hello Doug,

Thank you for asking and sorry i did not respond earlier.

Status:
We updated our AP's to 5.8.6.8 and used the extra VX9000 which has a minimal amount of adopted AP's. We stil have the slow response.

We used the toubleshoot / Debug Captive Portal Clients.
That gave us no new knowledge.

show event-history
gives only the association and authentication info.

Nothing in the log. 

I am out of options. :-(
Photo of Doug Hyde

Doug Hyde, Technical Support Manager

  • 20,038 Points 20k badge 2x thumb
Have you opened a ticket with GTAC? That's probably the next step here. 

Thanks, 
Doug