For handsets that do not support mobile IP, PDIF supports proxy mobile IP. If the MS is not suitable for proxy mobile IP registration, it may still be allowed to establish a simple IP session, in which case the traffic is directly routed to the Internet or corporate network from the PDIF. This behavior is controlled through the proxy-mip-required configuration in the domain, local default subscriber, or the corresponding Diameter AVP or RADIUS Access Accept. If this is not present, establishing a simple IP session is permitted. Proxy-MIP is documented in the System Enhanced Features Configuration Guide. Although not required for Proxy-MIP, this manual documents Proxy-MIP with a custom-designed feature called multiple authentication (Multi-Auth). Instead of the more usual subscriber authentication, Multi-Auth requires both the device and the subscriber be authenticated using EAP/AKA authentication for the first stage (the device authentication) and GTC/MD5 for the second stage (the subscriber authentication). For this installation, neither GTC nor MD5 is supported, which means authentication is done using PAP/CHAP instead.
• System Management Cards (SMCs): SMCs provide full system control and management of all cards within the ASR 5000. Up to two SMCs can be installed; one active, one redundant.
• Packet Services Cards (PSCs/PSC2s): PSCs provide high-speed, multi-threaded PDP context processing capability. Up to 14 PSCs can be installed, allowing for multiple active and/or redundant cards.
• Switch Processor Input/Outputs (SPIOs): Installed in the upper-rear chassis slots directly behind the SMCs, SPIOs provide connectivity for local and remote management. Up to 2 SPIOs can be installed: one active, one redundant.
• Line Cards: Installed directly behind the PSCs, these cards provide the physical interfaces from the PDIF to various elements in the network. Up to 26 line cards can be installed for a fully loaded system with 13 active PSCs: 13 in the upper-rear slots and 13 in the lower-rear slots for redundancy. Redundant PSCs do not require line cards. Ethernet 10/100 Fast Ethernet and/or Gigabit Ethernet 1000 and/or four-port Quad Gig-E line cards (QGLCs) all provide redundant IP connections.
• Redundancy Crossbar Cards (RCCs): Installed in the lower-rear chassis slots directly behind the SMCs, RCCs utilize 5 Gbps serial links to ensure connectivity between Ethernet 10/100 or Ethernet 1000 line cards/QGLCs and every PSC in the system for redundancy. Two RCCs can be installed to provide redundancy for line cards and PSCs.
For full descriptions, and for more information on installing, populating, and maintaining the ASR 5000 and its hardware, refer to the Hardware Installation and Administration Guide.
When the DMH successfully sets up mobile IP, it receives the home address from the HA. The DMH then establishes a second IPSec tunnel using this HA. Once the DMH successfully establishes the second IPSec tunnel with the PDIF/FA, the PDIF/FA tears down the first TIA-based IPSec tunnel to free the TIA, which then returns to the IP address pool. If required, use the no release-tia command in config-subscriber mode to prevent the TIA from returning to the pool. The DMH sends packetized voice and data through the PDIF/FA to the HA through the second IPSec tunnel.
Important: Simple IP fallback is disabled by default. Use the pdif mobile-ip simple-ip-fallback command in config-subscriber mode to enable simple IP fallback.
context <pdif-in>
For more information about PSC2s, see the Product Overview Guide.
Important: Mobile IP registration revocation is also supported for proxy mobile IP. However, in this implementation, only the HA can initiate the revocation.
Important: For more information, see Mobile-IP Registration Revocation in the System Enhanced Feature Configuration Guide.
There are several known Denial of Service (DoS) attacks associated with IKEv2. Through a configurable option in the Config Crypto-Template mode, the PDIF can implement the IKEv2 “cookie challenge” payload method as described in [RFC 4306]. This is intended to protect the PDIF against creating too many half-opened sessions or similar resource-exhaustion mechanisms. The feature is disabled by default. If the IKEv2 cookie feature is enabled, when the number of half-opened IPSec sessions exceeds the configured limit (or the trigger point of another detection mechanism), the PDIF invokes the cookie challenge payload mechanism to ensure that only legitimate subscribers are initiating the IKEv2 tunnel request, and not a spoofed attack.
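The following is an added illustration of the cookie challenge described above, not code from the PDIF or from Cisco: a hypothetical IKEv2 responder model that serves normal IKE_SA_INIT requests until the half-open limit is reached, then answers only with a stateless N(COOKIE) (RFC 4306 section 2.6) and allocates SA state only for initiators that echo a valid cookie. The limit, names and addresses are constructed for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class CookieResponder:
    """Toy IKEv2 responder (hypothetical model, not Cisco code) that applies the
    RFC 4306 cookie challenge once half-open IKE SAs exceed a configured limit."""
    half_open_limit: int = 2
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    version: int = 1                       # identifies which secret made the cookie
    half_open: set = field(default_factory=set)
    invalid_cookies: int = 0               # like the per-manager invalid-cookie counter

    def _cookie(self, spi_i: bytes, nonce_i: bytes, ip_i: str) -> bytes:
        # RFC 4306 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
        # The responder stores nothing; it recomputes the cookie when the retry arrives.
        mac = hmac.new(self.secret, nonce_i + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def ike_sa_init(self, spi_i: bytes, nonce_i: bytes, ip_i: str,
                    cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Process one IKE_SA_INIT request and return (action, cookie_to_send)."""
        if len(self.half_open) >= self.half_open_limit:
            expected = self._cookie(spi_i, nonce_i, ip_i)
            if cookie is None:
                # Answer with N(COOKIE) only; no SA state is allocated for this peer.
                return "COOKIE_CHALLENGE", expected
            if not hmac.compare_digest(cookie, expected):
                self.invalid_cookies += 1
                return "INVALID_COOKIE", None
        self.half_open.add(spi_i)          # state is allocated only past this point
        return "IKE_SA_INIT_RESPONSE", None

    def ike_auth_done(self, spi_i: bytes) -> None:
        """IKE_AUTH completed: the SA is no longer half-open."""
        self.half_open.discard(spi_i)

def demo() -> dict:
    """Constructed scenario: spoofed initiators fill the limit, a legitimate MS
    must echo the cookie, and a cookie replayed from another address is rejected."""
    r = CookieResponder(half_open_limit=2)
    for n in (1, 2):   # spoofed sources never complete IKE_AUTH
        r.ike_sa_init(bytes([n]) * 8, b"nonce%d" % n, "203.0.113.%d" % n)
    challenge, cookie = r.ike_sa_init(b"\x10" * 8, b"ms-nonce", "198.51.100.7")
    retry, _ = r.ike_sa_init(b"\x10" * 8, b"ms-nonce", "198.51.100.7", cookie)
    replay, _ = r.ike_sa_init(b"\x11" * 8, b"x-nonce", "203.0.113.9", cookie)
    return {"challenge": challenge, "retry": retry, "replay": replay,
            "half_open": len(r.half_open), "invalid": r.invalid_cookies}
```

The invalid-cookie counter corresponds to the per-manager statistic shown by the show commands listed below.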
• show crypto managers summary ikev2-stats: Shows the total number of invalid cookies per manager instance.
• show crypto managers summary npu-stats: Shows NPU statistics on each IPSec manager.
• show crypto statistics: Shows the combined data statistics for the given context name. Includes the number of cookie flows, the number of cookie flow packets, and the total number of cookie errors.
• show crypto statistics ikev2: Shows the control statistics for a given context name. Includes the output for show crypto statistics, plus Total IKEv2 Cookie Statistics, Cookie Notify Sent, Cookie Notify Received, Cookie Notify Match, Cookie Notify NOT Match, and Invalid Notify Payload Cookie.
Important: See also Diameter Authentication Failure-Handling in the Command Line Interface Reference.
Important: RADIUS attributes and customizable dictionary types are described in the AAA Interface Administration and Reference. For the impact of attributes in Request and Reply messages, see also Mobile IP Native Simple IP Call Minimum Requirements. There is additional attribute information in the Session Termination section in Troubleshooting.
• 3GPP2-Serving-PCF. The generation of each new custom dictionary requires a new PDIF image. Configured in the pdif-service mode, the command aaa attribute 3gpp2-serving-pcf <ip-address> specifies the required values for the attribute without building a new software image. If configured, this attribute is sent in RADIUS accounting messages.
Important: The SN-Proxy-MIP attribute is required when PDIF supports proxy mobile IP. The PDIF-Mobile-IP-Required attribute is SN1-PDIF-MIP-Required. These attributes need to be returned in a AAA response message or the mobile IP call fails, although there might be an option for simple IP call setup. See the Sample Deployments section for more information on attribute messaging.
For more information on configuring port-switch-on-l3-fail, see Ethernet Interface Configuration Commands in the Command Line Interface Reference and Creating and Configuring Ethernet Interfaces and Ports in the System Element Configuration Procedures section of the System Administration Guide.
Important: For a number of failure scenarios involving Dead Peer Detection, refer to the Troubleshooting chapter.
Congestion control is an operator-configurable facility. When the PDIF chassis reaches certain limits (based on CPU utilization, port utilization, and other controls) the system enters a congested state. When in a congested state, existing calls are not impacted but new calls are potentially restricted.
There is a separate subscriber-level configuration to enable/disable the feature on a per-subscriber basis. There is also a subscriber-level configurable for inactivity-time and connect-time thresholds to remove some old and abandoned calls from the system.
• If only idle-time-threshold is configured, sessions exceeding this threshold would be selected for disconnection.
• If only connect-time-threshold is configured, sessions exceeding this threshold would be selected for disconnection.
• If both idle-time-threshold and connect-time-threshold are configured, sessions with an idle-time greater than the idle-time threshold and a connect-time greater than the connect-time-threshold would be selected for disconnection.
• If neither idle-time-threshold nor connect-time-threshold is configured, sessions are sorted based on the idle-timer, and sessions with a longer idle-timer are deleted first.
Important: For more configuration information, refer to Global Configuration in the Command Line Interface Reference.
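As an added example (not code from the PDIF), the four selection rules above can be written as one function; the per-subscriber enable/disable flag, the session fields and the sample sessions are constructed for the illustration, and the max_release cap for the "neither threshold" case is an assumption, since the text does not say how many sessions are released in that case.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Session:
    sid: str
    idle_time: int            # seconds since the last packet (idle-timer)
    connect_time: int         # seconds since the session was set up
    cc_enabled: bool = True   # hypothetical per-subscriber congestion-control flag

def select_for_disconnect(sessions: List[Session],
                          idle_threshold: Optional[int] = None,
                          connect_threshold: Optional[int] = None,
                          max_release: Optional[int] = None) -> List[str]:
    """Return the ids of sessions chosen for release under congestion, following
    the idle-time-threshold / connect-time-threshold rules in the text."""
    eligible = [s for s in sessions if s.cc_enabled]   # feature disabled per subscriber: skip
    if idle_threshold is not None and connect_threshold is not None:
        # Both configured: a session must exceed BOTH thresholds.
        chosen = [s for s in eligible
                  if s.idle_time > idle_threshold and s.connect_time > connect_threshold]
    elif idle_threshold is not None:
        chosen = [s for s in eligible if s.idle_time > idle_threshold]
    elif connect_threshold is not None:
        chosen = [s for s in eligible if s.connect_time > connect_threshold]
    else:
        # Neither configured: longest idle-timer first, capped by max_release (assumed).
        chosen = sorted(eligible, key=lambda s: s.idle_time, reverse=True)
        if max_release is not None:
            chosen = chosen[:max_release]
    return [s.sid for s in chosen]

# Constructed sample sessions (not from any real chassis).
SESSIONS = [
    Session("a", idle_time=900, connect_time=7200),
    Session("b", idle_time=30, connect_time=86400),
    Session("c", idle_time=1800, connect_time=600),
    Session("d", idle_time=3600, connect_time=90000, cc_enabled=False),
]
```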
Important: For more information including full definitions for each of the trigger behaviors, see Configuring Crypto Template in Configuration, and also see the Command Line Interface Reference.
Important: For detailed information on obtaining and installing licenses, refer to the Managing License Keys section of Software Management Operations in the System Administration Guide.
• The IPv4 address for the service: This is the PDIF IP address to which the MS tries to connect. The MS sends IKEv2 messages to this IP address and this address must be a valid address in the context. PDIF service will not be up and running if this IP address is not configured.
• The name of the crypto template for IKEv2: A crypto template is used to configure an IKEv2 PDIF IPSec policy. It includes most of the IPSec parameters and IKEv2 parameters for keep-alive, lifetime, NAT-T and cryptographic and authentication algorithms. There must be one crypto template per PDIF service. The PDIF service will not be up and running without a crypto-template configuration.
• The EAP profile name: This profile defines the EAP authentication methods.
• Multiple authentication support: The multiple authentication configuration is a part of the crypto template.
• IKEv2 and IPSec transform sets: These define the negotiable algorithms for IKE SA and CHILD SA setup to connect calls to the PDIF/FA.
• Configure the setup timeout value: The MS connection attempt is terminated if the MS does not establish a successful connection within the configured value.
• Mobile IP foreign agent context and foreign agent service: This defines the system context where mobile IP foreign agent functionalities are configured.
• Max-sessions: The maximum number of subscriber sessions allowed by this PDIF service.
• PDIF supports a domain template for storing domain related configuration: The domain name is taken from the received NAI and searched in the domain template database.
• 3GPP2 serving PCF address: This configurable specifies the value sent in the 3GPP2-Serving-PCF RADIUS attribute when sending authentication and accounting messages.
• Duplicate session detection parameters: PDIF supports either NAI (first phase authentication) or IMSI to be used for duplicate session detection. This configuration specifies whether duplicate session detection is based on IMSI or NAI. The default is NAI.
diameter authentication <failure-handling> session-termination-request
Important: Refer to Configuring Diameter Authentication Failure Handling in the AAA Interface Administration and Reference and the Command Line Interface Reference for more information.
Important: Refer to the Maintenance chapter in this guide for information on how to perform the upgrade.
Important: Online upgrade requires miscellaneous internal processing that may result in intensive CPU utilization. Up to 50% CPU utilization overhead should be expected during the upgrade.
Important: Ingress and egress contexts could be the same context. The SRP context must be a separate context.
• Task recovery mode: Wherein one or more session manager failures occur and are recovered without the need to use resources on a standby PSC. In this mode, recovery is performed by using the mirrored standby-mode session manager tasks running on active PSCs. The standby-mode task is renamed, made active, and is then populated using information from other tasks such as AAA manager.
• Full PSC recovery mode: Used when a PSC hardware failure occurs, or when a PSC migration failure happens. In this mode, the standby PSC is made active and the standby-mode session manager and AAA manager tasks on the newly-activated PSC perform session recovery.
Important: For more information on session recovery support, refer to Session Recovery in the System Enhanced Feature Configuration Guide.
Refer to Sample Deployments for a full description of how a variety of calls are successfully set up (and torn down) in a variety of network scenarios.
Network operators with handsets that are mobile IP capable may want the MS to be connected to the network and capable of doing data transfer even though the mobile IP registration process might fail under certain situations. If the mobile IP registration failures are due to HA reachability issues or any authentication problems, the MS should still be able to connect to the network using a simple IP connection, assuming that simple IP fallback is enabled in the PDIF configuration. See Simple IP and Simple IP Fallback in this chapter for a full description of this type of network configuration.
• Proxy mobile IP is configured through the proxy-mip-required configuration, or the corresponding Diameter AVP or RADIUS Access Accept messages. If neither are present, the PDIF establishes a simple IP session and the PDIF routes the call to the Internet or corporate network.
Important: Even if the PDIF confirms MULTIPLE_AUTH_SUPPORTED capability in the initial IKEv2 setup response, the MS may not support multiple authentication and hence may not include a MULTIPLE_AUTH_SUPPORTED Notify payload in the subsequent IKEv2 AUTH exchange. In this case, the MS may only go through the first-phase (EAP-AKA) of device authentication.
Important: First-phase authentication refers to device authentication, and second-phase authentication refers to subscriber authentication.
When the aaa-large-configuration command is issued, this number becomes 800 AAA groups and 1600 RADIUS servers configured within the chassis.
Please see the document AAA Interface and Administration for information on AAA, RADIUS, and Diameter groups.
In general, session attributes during first-phase authentication are overwritten by those from second-phase authentication, unless specified separately. Exceptions to this include session-timeout and idle-timeout, where the lower values are taken.
If multiple-auth-supported is not enabled on the PDIF, and the MS still sends a MULTIPLE_AUTH_SUPPORTED Notify payload marked with the critical bit set, the PDIF returns UNSUPPORTED_PAYLOAD. Otherwise, the PDIF ignores it and processes the IKE packet as if the payload was never received. This is non-standard MS behavior.
Important: The multiple authentication process in a proxy mobile IP network is described in Proxy-MIP in the System Enhanced Features Guide.
Cisco Systems Inc. Tel: 408-526-4000 Fax: 408-527-0883