VPN Concentrator 3000 RADIUS issue. error = -9 ("ENOBUFS")

we have a Cisco VPN3000 concentrator and a Crypto-Server radius box for authentication of the users. This setup was working fine for a number of months and is now playing up, users in existing groups (with one exception) and newly created groups will not authenticate:

I am seeing a lot of the following errors in the event log on the VPN Concentrator:

47114 10/17/2007 14:40:31.980 SEV=5 AUTH/2 RPT=42558 Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

47115 10/17/2007 14:40:31.980 SEV=4 AUTH/15 RPT=42701 Server name = 192.168.1.50, type = RADIUS, group = Group_Name, status = Not-in-service

I have spent a few hours on the phone to the guys at CryptoCard and it appears that the radius server isn't receiving any authentication requests from the VPN concentrator. None of the servers appear to be under any serious load. Has anyone come across an issue like this before?

Cheers Guy

Reply to
Guyster

Can the concentrator ping the radius server? Have you bounced the radius auth service or the radius server altogether? Socket issues are usually related to establishing connections between the ports/ services, so I would look at the radius server first. What is the one exception?

Reply to
Trendkill

Hi,

The concentrator is able to ping the radius box. The one exception is one group: if users are placed in this group they will successfully authenticate to the radius server. I have checked all the group settings and, with the exception of the names and the address pools etc., they have the same settings. I have been through the radius server settings at serious length with CryptoCard and there don't appear to be any problems, just nothing in the logs indicating an authentication request has been received; the radius server is also successfully authenticating a number of different services from other sources on the network. I was wondering why the groups were showing "status = not in service" but I can't find anything helpful on this.

Cheers Guy

Reply to
Guyster

Hi,

Sorry, I missed part of the error in my initial post, there are 3 events logged together for each connection attempt:

1368 10/17/2007 16:06:03.250 SEV=3 IP/60 RPT=247 Unable to accept connection: no sockets available for task.

1369 10/17/2007 16:06:03.250 SEV=5 AUTH/2 RPT=247 Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")

1370 10/17/2007 16:06:03.250 SEV=4 AUTH/15 RPT=315 Server name = 192.168.1.50, type = RADIUS, group = Group_Name, status = Not-in-service

Reply to
Guyster

Generally 'socket' errors have to do with session establishment, which goes along with you not seeing the authentication requests. Are any of the 'working' IDs or groups authenticating via the vpn concentrator itself, or another network device? Have you bounced both sides (rebooted the concentrator and radius server)? Since the radius is working for some things, I would lean towards a concentrator issue. Have you looked at Cisco for bugs on your code rev on the concentrator?

Reply to
Trendkill

Have you tried bouncing the radius box? Perhaps something is wrong with auth sessions that happens to be source specific. Sockets generally mean something about the actual session establishment, and usually indicate an issue with the source or destination. Have you checked Cisco for bugs for your concentrator and code rev? Bounce the concentrator and see if the session request issue disappears. Hate to suggest simple reboots, but sometimes that will restore service while you are troubleshooting software or hardware issues more in depth. Especially since you seem to have some good logs.

Reply to
Trendkill

Hi,

Sorry I didn't get back to you, I had a couple of days off at the back end of last week. I have tried rebooting both the concentrator and the radius server to no avail. I have found some further information:

- there appears to be a limit of 64 authenticator sockets on the appliance, and each group takes up one of these (there are a lot of groups!). I am not sure if this is configurable or what the best way around it will be though. You can get this from Status -> Memory -> Detailed Memory Information and you will see the sockets that are currently in use displayed at the bottom of the page. I need to see if there is some way around this issue.

Cheers Guy

Reply to
Guyster

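The three event lines quoted in this thread (IP/60 "no sockets available", AUTH/2 with error -9 "ENOBUFS", and AUTH/15 "Not-in-service") are the signature of the authenticator-socket exhaustion Guy describes in his last post, and they are easy to miss in a busy event log. The following script is an added example, not code from the thread, Cisco or CryptoCard: it parses event-log lines in the layout quoted above, counts the ENOBUFS / no-socket events, lists which RADIUS server and groups were marked Not-in-service, and compares a group count against the 64-socket limit reported in the thread. The sample log is constructed (the second group name `Sales_VPN` is made up), and the regular expressions only assume the field layout visible in the quoted lines.

```python
"""Detect RADIUS authenticator-socket exhaustion in Cisco VPN 3000 event-log exports.

Added example for this thread; not Cisco's or CryptoCard's code. It assumes the
event-log line layout quoted in the thread (sequence, date, time, SEV=, SUBSYS/CODE,
RPT=, message) and the 64-authenticator-socket limit reported in the last post.
"""
import re
from collections import defaultdict

# Field layout taken from the lines quoted in the thread (assumption: it is stable).
EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<subsys>[A-Z]+)/(?P<code>\d+)\s+RPT=(?P<rpt>\d+)\s+(?P<msg>.*)$"
)
SERVER_RE = re.compile(r"server(?: name)? = (?P<server>\d+\.\d+\.\d+\.\d+)", re.I)
GROUP_RE = re.compile(r"group = (?P<group>[^,]+)")
ERROR_RE = re.compile(r'error = (?P<errno>-?\d+) \("(?P<name>[A-Z]+)"\)')

# Limit reported in the thread's last post (assumption: not configurable).
AUTHENTICATOR_SOCKET_LIMIT = 64

# Constructed sample: the three event codes quoted in the thread, repeated for a
# made-up second group, plus one truncated line to show the parser rejecting junk.
SAMPLE_LOG = """\
1368 10/17/2007 16:06:03.250 SEV=3 IP/60 RPT=247 Unable to accept connection: no sockets available for task.
1369 10/17/2007 16:06:03.250 SEV=5 AUTH/2 RPT=247 Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")
1370 10/17/2007 16:06:03.250 SEV=4 AUTH/15 RPT=315 Server name = 192.168.1.50, type = RADIUS, group = Group_Name, status = Not-in-service
1371 10/17/2007 16:06:10.100 SEV=5 AUTH/2 RPT=248 Unable to open socket: server = 192.168.1.50, error = -9 ("ENOBUFS")
1372 10/17/2007 16:06:10.100 SEV=4 AUTH/15 RPT=316 Server name = 192.168.1.50, type = RADIUS, group = Sales_VPN, status = Not-in-service
1373 10/17/2007 16:06:12.000 SEV=4
"""


def parse_event(line):
    """Return a dict for one event-log line, or None if it does not match the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    ev["code"] = int(ev["code"])
    s = SERVER_RE.search(ev["msg"])
    g = GROUP_RE.search(ev["msg"])
    e = ERROR_RE.search(ev["msg"])
    ev["server"] = s.group("server") if s else None
    ev["group"] = g.group("group").strip() if g else None
    ev["error"] = e.group("name") if e else None
    return ev


def parse_log(text):
    """Parse a whole export, silently skipping lines that are not events."""
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def socket_exhaustion_report(events):
    """Summarise the socket-exhaustion signature: ENOBUFS opens, no-socket accepts,
    and which RADIUS servers/groups were marked Not-in-service as a result."""
    report = {
        "enobufs_events": 0,
        "no_socket_events": 0,
        "out_of_service": defaultdict(set),
        "first_seen": None,
        "last_seen": None,
    }
    for ev in events:
        hit = False
        if ev["subsys"] == "AUTH" and ev["code"] == 2 and ev["error"] == "ENOBUFS":
            report["enobufs_events"] += 1
            hit = True
        elif ev["subsys"] == "IP" and ev["code"] == 60 and "no sockets available" in ev["msg"]:
            report["no_socket_events"] += 1
            hit = True
        elif ev["subsys"] == "AUTH" and ev["code"] == 15 and ev["msg"].endswith("status = Not-in-service"):
            report["out_of_service"][ev["server"]].add(ev["group"])
            hit = True
        if hit:
            stamp = f'{ev["date"]} {ev["time"]}'
            report["first_seen"] = report["first_seen"] or stamp
            report["last_seen"] = stamp
    report["out_of_service"] = {k: sorted(v) for k, v in report["out_of_service"].items()}
    report["socket_exhaustion_suspected"] = (
        report["enobufs_events"] > 0 or report["no_socket_events"] > 0
    )
    return report


def socket_budget(groups_using_radius, limit=AUTHENTICATOR_SOCKET_LIMIT):
    """Compare the number of groups that each hold an authenticator socket (per the
    thread, one per group) against the reported limit."""
    headroom = limit - groups_using_radius
    return {"limit": limit, "in_use": groups_using_radius,
            "headroom": headroom, "exhausted": headroom <= 0}


if __name__ == "__main__":
    rep = socket_exhaustion_report(parse_log(SAMPLE_LOG))
    print(rep)
    print(socket_budget(70))  # more groups than sockets: exhausted
```

Run it against a saved event-log export instead of `SAMPLE_LOG` to see which groups were taken out of service and over what window; if `socket_budget` reports no headroom for the number of groups configured with a RADIUS server, that matches the 64-socket ceiling Guy found under Status -> Memory -> Detailed Memory Information.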
