Troubleshooting guide

ManualsBrandsCisco ManualsComputer equipmentOL-4015-08

181

182

183

184

185

186

187

188

189

190

6-6

Cisco Broadband Local Integrated Services Solution Troubleshooting Guide

OL-5169-01

Chapter 6 Troubleshooting MTAs

Troubleshooting EMTA Provisioning

MTA does not accept DHCP

offer (continually cycles thru

DHCP steps)

a. Invalid DHCP options

configured

b. Offer came from DHCP

server other than indicated

in CM portion’s Option 122

suboption 1

a. Check that scope policy includes DNS server

option, and/or check cnr_ep.properties file

includes entry for primary and secondary dns

servers

b. Check cnr_ep.properties - ensure that primary and

secondary dhcp servers are set correctly

MTA never contacts KDC

(as indicated by KDC.log, or

ethereal trace

a. Incorrect DNS server is

specified in

cnr_ep.properties and/or

MTA scope policy

b. Missing or incorrect setup of

zone for Kerberos realm

c. Missing or incorrect ‘A’

record entry for KDC

d. Cannot resolve FQDN of

provisioning server

a. Check /correct cnr_ep.properties dns servers

b. Make sure zone with same name as realm is

created and contains an ‘SRV’ record of format

‘_kerberos._udp 0 0 88 <KDC FQDN>’

c. Ensure that an ‘A’ record exists for the FQDN

contained in the Kerberos zone’s ‘SRV’ record

d. Ensure that dpe.properties provFQDNs entry has

correct FQDN and IP of provisioning server

(DPE)

KDC reports failure at Step 9

(Kerberos AS-Request)

a. MTA cert mismatch with

MTA root used by KDC

b. FQDN lookup by KDC to

Prov Server failed

c. Clock Skew error

d. Keys mismatch between

KDC and provisioning

server.

Note If other devices are

provisioning correctly,

d is not likely the cause

of the problem.

a. Check that MTA_Root.cer is correct – compare

against that used on a working system. If correct,

then MTA itself could have a cert problem (which

is very rare); contact the manufacturer.

b. Device may not yet be provisioned in BACC.

Make sure device shows up and is given a

Class of Service and DHCP criteria.

c. Ensure that all BACC network elements are clock

synced via NTP.

d. Check that $BPR_HOME/kdc/solaris/keys

directory contains at least the following 3 entries:

• mtafqdnmap,dpe.abc.com@DEF.COM

• mtaprovsrvr,dpe.abc.com@DEF.COM

• krbtgt,DEF.COM@DEF.COM

Your system will have the DPE FQDN, and

Realname different from this example. Contents of

these entries must match the entry in

dpe.properties ‘KDCServiceKey’ entry, or the

keys generated using the keygen utility.

Table 6-1 Trobleshooting Scenarios (continued)

Problem Possible Causes Remedies