[cisco-nas] routing problems on 3640 terminating l2tp tunnels to DSL users

Dave [Hawk-Systems] dave at hawk-systems.com
Thu Nov 6 09:42:33 EST 2003


Thanks for the questions, Dennis.  Have inserted answers below.

>> have a 3640 which terminates a number of l2tp tunnels from bell.  DSL
>> connections from their redbacks are piped over these tunnels to the router.
>> Connections are made fine, RADIUS responds with the IP address assignment,
>> assigned to the virtual interface, and our test user is connected to the
>> internet happily.
>>
>> We are having a problem every X number of hours, the routing simply drops for
>> that user.  We can still log into the router
>
>the router, meaning the LNS?

On our end of things, terminating all the VLANs and L2TP tunnels from Bell and
routing that to the internet.  There are no routers on the client end of things
in this situation.  Simple DSL modem with 1 IP assigned to it.  Perhaps this
diagram may help.

		Internet Cloud			Customer DSL Modem
		DataCenter(Gateway IPs)		IP addr from 69.28.227.0 block
66.199.141.33	69.28.227.1				|
		|	|					|
	-------------- our equipment -+	Bell ATM Cloud
		\	/			|		|
		Switch(66.199.141.34)	|		|
		   |					Bell 2924(ATM termination)
		Router(66.199.141.35)			|
		   |						|
		  /|\------------------------------/|\
		 / +--------------------------------+ \
		 +------------------------------------+
		VLANs with L2TP Tunnels from bell/redbacks

The switch, router, and our equipment are all given IP addresses from the 66.199
block.  As such, even if the entire 69.28 block wasn't routable, we could still
log into the router/switch using the assigned 66.199 address.

All the Customer DSL connections are assigned IP addresses from the 69.28 block.
This entire block is only for assigning to end user DSL modems.  This is the
block that after the X hours stops routing.

>> and access it remotely, but it is answering on another IP block.
>
>You mean you can ping the user from the LNS? And what do you mean by
>it is answering on another IP block. Could you make the example more
>concrete?

See above for layout, but yes, we can log into the router/LNS using its
66.199.141.35 address, do a "sh user" and see the user still connected at Vi2 (or
whatever) with IP address 69.28.227.5 (or whatever the user was assigned from
RADIUS).  From the router, we can ping that IP address successfully.

>> from the router, we can ping the gateway for the block, and we can
>>ping the end user modem IP.
>
>Is the user's modem the gateway for the block?

No, we can ping 69.28.227.1, which is the datacenter gateway IP for the
69.28.227.0 netblock they assigned us.  We can also ping the IP address
69.28.227.5 assigned to the user by RADIUS.

>> from the internet we can ping the gateway ip for the block, but
>>cannot ping the modem.

From the internet we can ping 69.28.227.1 (datacenter gateway for that block) but
not the end user modem IP.

>> user still shows as connected, sh int looks pristine, and if we dump the user
>> (clear int virtual #), or if the user reboots the modem, the user
>> reconnects and routes again in most cases.
>
>Is the route for the user/subnet in the routing table?

sh ip route
     69.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       69.28.227.0/25 is directly connected, FastEthernet3/1
C       69.28.227.5/32 is directly connected, Virtual-Access1
     66.0.0.0/28 is subnetted, 1 subnets
C       66.199.141.32 is directly connected, FastEthernet3/0
     10.0.0.0/27 is subnetted, 7 subnets
C       10.20.109.96 is directly connected, FastEthernet3/1.93
C       10.20.109.64 is directly connected, FastEthernet3/1.92
C       10.20.109.32 is directly connected, FastEthernet3/1.91
C       10.20.108.0 is directly connected, FastEthernet3/1.1
C       10.20.109.0 is directly connected, FastEthernet3/1.90
C       10.20.109.160 is directly connected, FastEthernet3/1.95
C       10.20.109.128 is directly connected, FastEthernet3/1.94
S*   0.0.0.0/0 [1/0] via 66.199.141.33


config and other details left below

Dave

>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> IP Information
>> we have two IP subnets allocated to us from the datacenter, along with the
>> gateway IP addresses for each that the datacenter has in place for each IP
>> address.
>> IP Block 1 - Equipment/Use
>> 	Network: 66.199.141.32	255.255.255.240
>> 	Gateway: 66.199.141.33
>> 	We have a switch b/t the router and the internet with IP .34
>> 	router is assigned .35, which is how we connect remotely
>>
>> IP Block 2 - DSL/LANex Users
>> 	Network: 69.28.227.0	255.255.255.128
>> 	Gateway: 69.28.227.1
>>
>>
>> rtr1#sh ver
>> rtr1 uptime is 4 days, 23 hours, 1 minute
>> System returned to ROM by reload
>> System restarted at 19:08:27 EST Wed Oct 29 2003
>> System image file is "flash:c3640-jk9o3s-mz.122-19.bin"
>>
>> <cisco copyright/crypto notices clipped>
>>
>> cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
>> Processor board ID 14827691
>> R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
>> Bridging software.
>> X.25 software, Version 3.0.0.
>> SuperLAT software (copyright 1990 by Meridian Technology Corp).
>> TN3270 Emulation software.
>> 2 FastEthernet/IEEE 802.3 interface(s)
>> DRAM configuration is 64 bits wide with parity disabled.
>> 125K bytes of non-volatile configuration memory.
>> 16384K bytes of processor board System flash (Read/Write)
>>
>> Configuration register is 0x2102
>>
>> rtr1#sh run
>> Building configuration...
>>
>> Current configuration : 15170 bytes
>> !
>> ! Last configuration change at 13:40:01 EST Mon Nov 3 2003 by user
>> ! NVRAM config last updated at 13:40:02 EST Mon Nov 3 2003 by user
>> !
>> version 12.2
>> service timestamps debug datetime
>> service timestamps log datetime
>> service password-encryption
>> no service dhcp
>> !
>> hostname rtr1
>> !
>> boot system flash:c3640-jk9o3s-mz.122-19.bin
>> logging buffered 12000 debugging
>> aaa new-model
>> aaa authentication login default local
>> aaa authentication login no_radius enable
>> aaa authentication ppp default group radius local
>> aaa authentication ppp vpdn group radius
>> aaa authorization network default group radius
>> aaa authorization network vpdn group radius
>> aaa accounting network default start-stop group radius
>> aaa accounting network vpdn start-stop group radius
>> enable password 7 XXXXXXXXXXXXXXXXXXXX
>> !
>> username user password 7 XXXXXXXXXXXXXXXXXXXX
>> clock timezone EST -5
>> clock summer-time EDT recurring
>> ip subnet-zero
>> !
>> !
>> no ip domain-lookup
>> ip host sw1 66.199.141.34
>> ip name-server XXX.XXX.XXX.XX
>> ip name-server XXX.XXX.XXX.XX
>> !
>> ip audit notify log
>> ip audit po max-events 100
>> vpdn enable
>> !
>> vpdn-group 1
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 1
>>  terminate-from hostname nexxia3
>>  local name someuser
>>  lcp renegotiation always
>>  l2tp tunnel password 7 XXXXXXXXXXXXXXXX
>> !
>> vpdn-group 100
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 1
>>  terminate-from hostname nexxia100
>>  local name someuser
>>  lcp renegotiation always
>>  l2tp tunnel password 7 XXXXXXXXXXXXXXXXXXXX
>> !
>> ! REMOVED A BUNCH MORE OF THESE FOR THE VARIOUS LOCATIONS
>> !
>> !
>> no call rsvp-sync
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> interface Loopback1
>>  ip address 69.28.227.1 255.255.255.128
>> !
>> interface FastEthernet3/0
>>  description physical connection to Internet
>>  ip address 66.199.141.35 255.255.255.240
>>  speed 100
>>  full-duplex
>> !
>> interface FastEthernet3/1
>>  description endpoint for DSL customers
>>  no ip address
>>  no ip route-cache
>>  no ip mroute-cache
>>  speed 100
>>  full-duplex
>>  no cdp enable
>> !
>> interface FastEthernet3/1.93
>>  description nexxia somelocation 91-105
>>  encapsulation isl 361
>>  ip address 10.20.109.97 255.255.255.224
>>  no ip redirects
>>  no ip route-cache
>>  no ip mroute-cache
>>  no cdp enable
>> !
>> ! DELETED A NUMBER OF OTHER FE3/1.## INTERFACES FOR OTHER LOCATIONS
>> !
>> interface Virtual-Template1
>>  ip unnumbered Loopback1
>>  peer default ip address pool COMP-hs
>>  ppp authentication pap chap
>>  ppp ipcp mask 255.255.255.128
>> !
>> ip local pool COMP-hs 69.28.227.2 69.28.227.126
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 66.199.141.33
>> ip route 69.28.227.0 255.255.255.128 FastEthernet3/1
>> no ip http server
>> !
>> !
>> !
>> radius-server host XXX.XXX.XXX.XX auth-port 1645 acct-port 1646
>> radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXX
>> !
>> dial-peer cor custom
>> !
>> !
>> line con 0
>>  stopbits 1
>> line aux 0
>> line vty 0 4
>>  session-timeout 30
>> line vty 5 15
>> !
>> ntp broadcastdelay 1
>> ntp clock-period 17179910
>> ntp server XXX.XXX.XXX.XX prefer
>> end
>>
>> rtr1#
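Added example, not from Dave's post or anyone on the list: the "sh ip route" output quoted in the reply above, run through a small Python longest-prefix lookup. The parser handles the two IOS header forms (a uniformly "subnetted" header supplies the mask for child entries that omit one; entries under a "variably subnetted" header carry their own /N), and the lookup shows which route 69.28.227.5 follows while the Virtual-Access /32 host route is present, and where the same address lands once that /32 is gone: the covering 69.28.227.0/25 entry, which this table points at FastEthernet3/1, an interface the posted config gives no IP address. This is only what the posted table implies about route selection, not a diagnosis of the X-hour drop. The sample text is the output quoted above, and the function and type names are this example's own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the "sh ip route" output quoted in the post above, with
# the "is subnetted" header lines kept because they carry the mask for the
# child entries that omit one.
SH_IP_ROUTE = """\
     69.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       69.28.227.0/25 is directly connected, FastEthernet3/1
C       69.28.227.5/32 is directly connected, Virtual-Access1
     66.0.0.0/28 is subnetted, 1 subnets
C       66.199.141.32 is directly connected, FastEthernet3/0
     10.0.0.0/27 is subnetted, 7 subnets
C       10.20.109.96 is directly connected, FastEthernet3/1.93
C       10.20.109.64 is directly connected, FastEthernet3/1.92
C       10.20.109.32 is directly connected, FastEthernet3/1.91
C       10.20.108.0 is directly connected, FastEthernet3/1.1
C       10.20.109.0 is directly connected, FastEthernet3/1.90
C       10.20.109.160 is directly connected, FastEthernet3/1.95
C       10.20.109.128 is directly connected, FastEthernet3/1.94
S*   0.0.0.0/0 [1/0] via 66.199.141.33
"""


class Route(NamedTuple):
    code: str                       # IOS route code: C, S, S*, ...
    prefix: ipaddress.IPv4Network
    via: str                        # next-hop address or egress interface


# "A.B.C.D/N is subnetted" / "is variably subnetted" header lines.
HEADER_RE = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")

# Route entries: code, prefix (mask optional), optional [AD/metric], then
# either "via <next-hop>" or "is directly connected, <interface>".
ENTRY_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:\[\d+/\d+\]\s+)?"
    r"(?:via (?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected, (?P<intf>\S+))"
)


def parse_show_ip_route(text: str) -> List[Route]:
    """Parse IOS 'show ip route' output into Route tuples.

    Entries under a uniformly subnetted header omit the mask, so the header's
    length is applied to them; entries under a "variably subnetted" header
    carry their own /N.
    """
    routes: List[Route] = []
    header_len: Optional[int] = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header_len = int(h.group(1))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                                  # banners, blank lines, etc.
        plen = int(m.group("len")) if m.group("len") else header_len
        if plen is None:
            raise ValueError(f"entry without a mask and no header: {line!r}")
        net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        routes.append(Route(m.group("code"), net, m.group("nh") or m.group("intf")))
    return routes


def fallback_chain(routes: List[Route], dst: str) -> List[Route]:
    """All routes covering dst, most specific first (longest-prefix order)."""
    addr = ipaddress.ip_address(dst)
    return sorted((r for r in routes if addr in r.prefix),
                  key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """The route IOS would select for dst: the longest matching prefix."""
    chain = fallback_chain(routes, dst)
    return chain[0] if chain else None


def without_interface(routes: List[Route], intf: str) -> List[Route]:
    """The table as it looks once every route out intf is gone, e.g. after a
    Virtual-Access session and its /32 host route are torn down."""
    return [r for r in routes if r.via != intf]


if __name__ == "__main__":
    table = parse_show_ip_route(SH_IP_ROUTE)
    user = "69.28.227.5"
    for r in fallback_chain(table, user):
        print(f"{str(r.prefix):<20} -> {r.via}")
    print("session up:  ", lookup(table, user).via)
    print("session gone:", lookup(without_interface(table, "Virtual-Access1"), user).via)
```

Running it prints the three routes that cover 69.28.227.5 in selection order (the /32 out Virtual-Access1, the /25 out FastEthernet3/1, then the default via 66.199.141.33), so the reader can see exactly which entry carries a user's return traffic at each stage, and can paste in a fresh "sh ip route" capture taken while a user is in the broken state to check whether the /32 is still there.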



