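Typical AC + fit AP networking, using our IMC for portal authentication.
On site, portal authentication intermittently fails each morning when terminals associate and authenticate for the first time at the start of the workday.
1. IMC shows that the server sent the portal authentication packet to the AC, but the device side did not respond;
2. Packet capture and debugging on the AC showed that after the AC's physical port received the packet, the portal processing module timed out, causing the authentication to fail;
3. Further review of the configuration showed that the site had separately permitted the following domain names with portal free rules: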
configuration.ls.apple.com
init.push-apple.com.aka.***.***
init.push-apple.com.aka.net
init.push.apple.com
init.push.apple.com
4. The dis dns host command showed that each of these domain names maps to multiple IP addresses:
<AC>dis dns host
Type:
D: Dynamic S: Static
Total number: 9
No. Host name Type TTL Query type IP addresses
1 albert.apple.com D 35 A 17.84.106.123
2 ***.*** D 17 A 17.84.106.123
3 configuration.ls.apple. D 0 A 23.77.215.48
com
4 configuration.ls.apple. D 11 AAAA 2600:1417:76:79D::29
com 03
2600:1417:76:780::29
03
2600:1417:76:792::29
03
2600:1417:76:798::29
03
2600:1417:76:797::29
03
5 ***.*** D 30 A 10.8.0.210
6 init.push-apple.com.aka D 5 A 17.188.168.161
***.***
17.188.171.138
17.188.172.72
17.188.171.202
17.188.170.135
17.188.172.10
17.188.170.10
17.188.170.72
7 init.push-apple.com.aka D 20 AAAA 2620:149:208:306::1D
***.***
2620:149:208:306::1E
2620:149:F9:1026::4
2620:149:F9:101E::4
2620:149:208:305::1E
2620:149:208:305::1D
2620:149:F9:101F::4
2620:149:F9:1027::4
8 init.push.apple.com D 3 A 17.188.172.72
17.188.168.161
17.188.170.135
17.188.171.138
17.188.172.10
17.188.171.202
17.188.170.10
17.188.170.72
9 init.push.apple.com D 3 AAAA 2620:149:208:306::1E
2620:149:F9:1026::4
2620:149:F9:1027::4
2620:149:F9:101F::4
2620:149:208:305::1D
2620:149:208:306::1D
2620:149:208:305::1E
2620:149:F9:101E::4
<B1-WLAN-AC-4>
<B1-WLAN-AC-4>
<B1-WLAN-AC-4>
<B1-WLAN-AC-4>rep
<B1-WLAN-AC-4>repeat 5
<B1-WLAN-AC-4>scr dis
<B1-WLAN-AC-4>dis process cpu
CPU utilization in 5 secs: 18.8%; 1 min: 21.3%; 5 mins: 21.4%
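5. On site, the TTLs of these domain names are too short, 20-odd seconds, and each domain name maps to multiple IPs. This information has to be pushed down to every BSS, which involves kernel operations and is therefore time-consuming, so authentication packets are not processed in time.
These domain names were not required configuration at the customer site; after the permit configuration was deleted on site, the problem was resolved.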
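To run the same check from steps 4 and 5 across a list of free-rule domain names, the following added example (not part of the original case and not vendor tooling) parses `display dns host` output and reports the free-rule hosts that combine a short TTL with many resolved addresses. The sample text is constructed, the function names and the `max_ttl`/`min_ips` thresholds are assumptions, and it assumes addresses are not wrapped across lines.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of `display dns host`; not captured from a device.
SAMPLE = """\
No. Host name               Type TTL Query type IP addresses
1   albert.apple.com        D    35  A          17.84.106.123
2   init.push.apple.com     D    3   A          17.188.172.72
                                                17.188.168.161
                                                17.188.170.135
3   init.push.apple.com     D    3   AAAA       2620:149:208:306::1E
                                                2620:149:F9:1026::4
4   configuration.ls.apple. D    11  A          23.77.215.48
    com
"""
ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s+[DS]\s+(\d+)\s+(A|AAAA)\s+(\S+)\s*$")

def parse_dns_hosts(text):
    """Parse entries, rejoining wrapped host names and continuation addresses."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"host": m.group(1), "ttl": int(m.group(2)),
                            "qtype": m.group(3), "ips": [m.group(4)]})
            continue
        for tok in line.split() if entries else []:
            try:
                ipaddress.ip_address(tok)
                entries[-1]["ips"].append(tok)
            except ValueError:
                if re.fullmatch(r"[A-Za-z0-9.-]+", tok):  # wrapped host name tail
                    entries[-1]["host"] += tok
    return entries

def churny_free_hosts(entries, free_hosts, max_ttl=30, min_ips=4):
    """Free-rule hosts with a short TTL and many addresses: {host: (ttl, n_ips)}.
    max_ttl and min_ips are assumed thresholds, not vendor limits."""
    ips, ttl = defaultdict(set), {}
    for e in entries:
        if e["host"] in free_hosts:
            ips[e["host"]].update(e["ips"])
            ttl[e["host"]] = min(e["ttl"], ttl.get(e["host"], e["ttl"]))
    return {h: (ttl[h], len(ips[h])) for h in ips
            if ttl[h] <= max_ttl and len(ips[h]) >= min_ips}

if __name__ == "__main__":
    free = {"init.push.apple.com", "configuration.ls.apple.com"}
    print(churny_free_hosts(parse_dns_hosts(SAMPLE), free))
```

Run it over several snapshots taken a few seconds apart, since a single low TTL reading may just be a record about to expire.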