SSG Mobile Wireless Enhancements
  Information About SSG Mobile Wireless Enhancements
Cisco IOS Releases 12.4(15)T
SSG always proxies accounting-on-off packets received from client GGSNs. These packets are used to 
signal that the client GGSN has just rebooted (or is about to be rebooted). When SSG receives the 
packets, SSG destroys all host objects associated with the specified client GGSN before forwarding the 
packet. SSG uses the NAS IP address in the accounting-on-off packets to determine the affected GGSN. 
Determining the affected GGSN enables multiple tunnel interfaces to exist between the GGSN and SSG. 
Although there are multiple RADIUS clients configured at SSG, only a single accounting-on-off packet 
is generated by the GGSN. As part of the normal SSG functionality, SSG sends accounting-start-stop 
records for both the active host objects and for any services to which they are connected.

Consider the following scenario in a load-balancing environment. Assume that there are 10 GGSNs and 
10 SSGs in the system. In this case, when the GGSN fails, there will be 10 accounting-off packets sent 
to the RADIUS load balancing (RLB) server farm. The RLB server farm replicates each accounting-off 
packet to the 10 SSGs. Each SSG in turn forwards these accounting-off packets to the AAA server, so 
a total of 100 accounting-off packets arrive in a short period of time. For some customers, the AAA 
server often has problems handling this high rate of accounting-on-off packets, which increases the 
possibility of a system failure.

In a Cisco Mobile Exchange (CMX) solution, you can enable a server to stop forwarding the 
accounting-off packets in all the routers except for two or three routers. Enabling the server in this way 
ensures that the AAA server will not receive the accounting-off packets from every SSG in the system.

Accounting-Start Packet Discards to Retain a Host with Varying IP Addresses

Before Cisco IOS Release 12.4(15)T, the default behavior of the session-identifier msid command for 
SSG was to disconnect a host object if a second accounting-start packet was received for a Mobile Station 
Identifier (MSID) address with a different IP address. However, this behavior can cause a problem, 
especially in the Public Wireless Local Area Network (PWLAN) space, for clients with multiple 
interfaces (that is, wireless and Ethernet interfaces), which can result in packets sent from a single 
interface with multiple source IP addresses.

This enhancement to the session-identifier msid unique ip command instructs SSG to discard the 
subsequent accounting-start records with the same MSID but a different IP address.

PoD to NAS Forwarding

When SSG, acting as a RADIUS proxy, receives the Packet of Disconnect (PoD) from a RADIUS server, 
it cleans up the corresponding host object but does not forward the PoD to the NAS. As a result, the NAS is 
not informed about the RADIUS server's decision to disconnect the user session.

This enhancement disconnects the host object when the PoD is received from the AAA server and also 
forwards it to a downstream device. When SSG forwards the PoD to the downstream NAS, the NAS will 
send a PoD-ACK/NAK back to SSG. Previously, SSG would have deleted the host object for that 
particular user at this point. Therefore, this enhancement ensures that SSG ignores the PoD-ACK/NAKs 
and accounting-stop packets sent by the NAS in response to the forwarded PoD. 

On receiving the PoD request with RADIUS code 40, SSG disconnects the user by deleting all host-related 
information maintained by SSG. The following points summarize the PoD support by SSG:
- The host is identified by the following properties:
    - Attribute 8: framed IP address
    - SSG account-info VSA: port bundle information present with S subattribute
- On finding the host, SSG deletes the host and connections made by the host.
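
The following Python example is added here and is not Cisco code. It checks the RFC 5176 request authenticator of a PoD (RADIUS code 40) before extracting the two host identifiers listed above, so that a request with the wrong shared secret is rejected before any host state is touched. The shared secret, the addresses, and the layout of the value after the S subattribute are assumptions constructed for the sample.

```python
import hashlib, hmac, ipaddress, struct

POD_REQUEST, FRAMED_IP, VENDOR_SPECIFIC = 40, 8, 26   # RADIUS code 40, attributes 8 and 26
CISCO_VENDOR_ID, ACCOUNT_INFO = 9, 250                # Cisco VSA subtype 250 = SSG Account-Info

def authenticator(header, attrs, secret):
    # RFC 5176 request authenticator: MD5(header + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def parse_pod(packet, secret):
    """Validate a PoD and return the keys that identify the host, else raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != POD_REQUEST:
        raise ValueError("not a Disconnect-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    if not hmac.compare_digest(packet[4:20], authenticator(packet[:4], body, secret)):
        raise ValueError("bad authenticator")   # reject before touching any host state
    keys = {"id": ident, "framed_ip": None, "host_key": None}
    i = 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, value = body[i], body[i + 2:i + body[i + 1]]
        i += body[i + 1]
        if atype == FRAMED_IP and len(value) == 4:
            keys["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == VENDOR_SPECIFIC and len(value) > 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            data = value[6:4 + vlen]            # vlen counts the subtype and length octets
            if (vendor, vtype) == (CISCO_VENDOR_ID, ACCOUNT_INFO) and data[:1] == b"S":
                keys["host_key"] = data[1:].decode("ascii", "replace")
    return keys

def build_pod(ident, attrs, secret):
    """Build a signed Disconnect-Request (used only to construct the sample below)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", POD_REQUEST, ident, 20 + len(body))
    return header + authenticator(header, body, secret) + body

# Constructed sample: the secret, addresses and host-key value are made up.
SECRET = b"example-secret"
VSA = struct.pack("!IBB", CISCO_VENDOR_ID, ACCOUNT_INFO, 16) + b"S192.0.2.10:64"
SAMPLE = build_pod(7, [(FRAMED_IP, ipaddress.IPv4Address("10.0.0.5").packed),
                       (VENDOR_SPECIFIC, VSA)], SECRET)

if __name__ == "__main__":
    print(parse_pod(SAMPLE, SECRET))
```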