[cisco-nas] l2tp PPP auth issue

jlewis at lewis.org jlewis at lewis.org
Thu Apr 1 15:09:30 EST 2004


We're having some difficulty with certain DSL routers authenticating
through what the telco calls "broadband gateway" or BBG.  In this setup,
customers connect to us as l2tp sessions from the telco's Shastas.  Our
preferred auth type is PAP, but as you can see in the following debug, the
customer negotiates PAP, but then sends CHAP which appears to be ignored.
Seeing this, I removed "ppp chap refuse" from the virtual-template, and
changed "ppp auth pap" to "ppp auth pap chap".  That doesn't seem to have
made a difference.  This debug was collected after making the
virtual-template changes.

Apr  1 14:48:51: Vi9 Debug: Condition 1, username anonymized at atlantic.net triggered, count 1
Apr  1 14:48:51: Vi9 PPP: Phase is DOWN, Setup [0 sess, 1 load]
Apr  1 14:48:51: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to up
Apr  1 14:48:51: Vi9 PPP: Using set call direction
Apr  1 14:48:51: Vi9 PPP: Treating connection as a callin
Apr  1 14:48:51: Vi9 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 1 load]
Apr  1 14:48:51: Vi9 LCP: State is Listen
Apr  1 14:48:51: Vi9 LCP: I FORCED CONFREQ len 15
Apr  1 14:48:51: Vi9 LCP:    MagicNumber 0x0ED6A721 (0x05060ED6A721)
Apr  1 14:48:51: Vi9 LCP:    MRU 1500 (0x010405DC)
Apr  1 14:48:51: Vi9 LCP:    AuthProto CHAP (0x0305C22305)
Apr  1 14:48:51: Vi9 LCP: O CONFREQ [Listen] id 1 len 14
Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)
Apr  1 14:48:51: Vi9 LCP:    MagicNumber 0x0DD8F091 (0x05060DD8F091)
Apr  1 14:48:51: Vi9 PPP: I pkt type 0xC021, datagramsize 12
Apr  1 14:48:51: Vi9 LCP: I CONFREQ [REQsent] id 96 len 8
Apr  1 14:48:51: Vi9 LCP:    MRU 1500 (0x010405DC)
Apr  1 14:48:51: Vi9 LCP: O CONFACK [REQsent] id 96 len 8
Apr  1 14:48:51: Vi9 LCP:    MRU 1500 (0x010405DC)
Apr  1 14:48:51: Vi9 PPP: I pkt type 0xC021, datagramsize 18
Apr  1 14:48:51: Vi9 LCP: I CONFACK [ACKsent] id 1 len 14
Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)
Apr  1 14:48:51: Vi9 LCP:    MagicNumber 0x0DD8F091 (0x05060DD8F091)
Apr  1 14:48:51: Vi9 LCP: State is Open
Apr  1 14:48:51: Vi9 PPP: Phase is AUTHENTICATING, by this end [0 sess, 1 load]
Apr  1 14:48:54: Vi9 PPP: I pkt type 0xC223, datagramsize 55
Apr  1 14:48:54: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
Apr  1 14:48:54: Vi9 CHAP: Response ignored, expected id 0, got id 141
Apr  1 14:48:57: Vi9 PPP: I pkt type 0xC223, datagramsize 55
Apr  1 14:48:57: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
Apr  1 14:48:57: Vi9 CHAP: Response ignored, expected id 0, got id 141
Apr  1 14:49:00: Vi9 PPP: I pkt type 0xC223, datagramsize 55
Apr  1 14:49:00: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
Apr  1 14:49:00: Vi9 CHAP: Response ignored, expected id 0, got id 141
Apr  1 14:49:03: Vi9 PPP: I pkt type 0xC021, datagramsize 8
Apr  1 14:49:03: Vi9 LCP: I TERMREQ [Open] id 208 len 4
Apr  1 14:49:03: Vi9 LCP: O TERMACK [Open] id 208 len 4
Apr  1 14:49:03: Vi9 PPP: I pkt type 0xC021, datagramsize 12
Apr  1 14:49:03: Vi9 LCP: I CONFREQ [TERMsent] id 134 len 8
Apr  1 14:49:03: Vi9 LCP:    MRU 1500 (0x010405DC)
Apr  1 14:49:03: Vi9 LCP: Dropping packet, state is TERMsent
Apr  1 14:49:05: Vi9 LCP: TIMEout: State TERMsent
Apr  1 14:49:05: Vi9 LCP: State is Closed
Apr  1 14:49:05: Vi9 Debug: Condition 1, username anonymized at atlantic.net cleared, count 0
Apr  1 14:49:05: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to down

If I change "ppp auth pap chap" to "ppp auth chap pap", this customer is
able to connect, but I suspect others will have difficulty.

Apr  1 14:52:40: Vi36 Debug: Condition 1, username anonymized at atlantic.net triggered, count 1
Apr  1 14:52:40: Vi36 PPP: Phase is DOWN, Setup [0 sess, 1 load]
Apr  1 14:52:41: %LINK-3-UPDOWN: Interface Virtual-Access36, changed state to up
Apr  1 14:52:41: Vi36 PPP: Using set call direction
Apr  1 14:52:41: Vi36 PPP: Treating connection as a callin
Apr  1 14:52:41: Vi36 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 1 load]
Apr  1 14:52:41: Vi36 LCP: State is Listen
Apr  1 14:52:41: Vi36 LCP: I FORCED CONFREQ len 15
Apr  1 14:52:41: Vi36 LCP:    MagicNumber 0x7E24FADB (0x05067E24FADB)
Apr  1 14:52:41: Vi36 LCP:    MRU 1500 (0x010405DC)
Apr  1 14:52:41: Vi36 LCP:    AuthProto CHAP (0x0305C22305)
Apr  1 14:52:41: Vi36 PPP: Phase is AUTHENTICATING, by this end [0 sess, 1 load]
Apr  1 14:52:41: Vi36 CHAP: O CHALLENGE id 1 len 34 from "gsvlflma-br-1"
Apr  1 14:52:41: Vi36 PPP: I pkt type 0xC223, datagramsize 55
Apr  1 14:52:41: Vi36 CHAP: I RESPONSE id 156 len 51 from "anonymized at atlantic.net"
Apr  1 14:52:41: Vi36 CHAP: O SUCCESS id 156 len 4
Apr  1 14:52:41: Vi36 PPP: Phase is UP [0 sess, 1 load]
Apr  1 14:52:41: Vi36 IPCP: O CONFREQ [Closed] id 1 len 10
Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.6.225 (0x0306D1D006E1)
Apr  1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 26
Apr  1 14:52:41: Vi36 IPCP: I CONFREQ [REQsent] id 235 len 22
Apr  1 14:52:41: Vi36 IPCP:    Address 0.0.0.0 (0x030600000000)
Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Apr  1 14:52:41: Vi36 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 209.208.X.Y
Apr  1 14:52:41: Vi36 IPCP: O CONFNAK [REQsent] id 235 len 22
Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.X.Y (0x0306D1D02255)
Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 209.208.0.2 (0x8106D1D00002)
Apr  1 14:52:41: Vi36 IPCP:    SecondaryDNS 209.208.0.3 (0x8306D1D00003)
Apr  1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 14
Apr  1 14:52:41: Vi36 IPCP: I CONFACK [REQsent] id 1 len 10
Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.6.225 (0x0306D1D006E1)
Apr  1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 26
Apr  1 14:52:41: Vi36 IPCP: I CONFREQ [ACKrcvd] id 188 len 22
Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.X.Y (0x0306D1D02255)
Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 209.208.0.2 (0x8106D1D00002)
Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Start.  Her address 209.208.X.Y, we want 209.208.X.Y
Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Done.  Her address 209.208.X.Y, we want 209.208.X.Y
Apr  1 14:52:41: Vi36 IPCP: O CONFACK [ACKrcvd] id 188 len 22
Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.X.Y (0x0306D1D02255)
Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 209.208.0.2 (0x8106D1D00002)
Apr  1 14:52:41: Vi36 IPCP:    SecondaryDNS 209.208.0.3 (0x8306D1D00003)
Apr  1 14:52:41: Vi36 IPCP: State is Open
Apr  1 14:52:41: Vi36 IPCP: Install route to 209.208.X.Y

Anyone know why this is happening?  The routers that we're having this
problem with are an older version of iBlitz DSL router.  The latest
version (which apparently uses a different chipset) doesn't seem to have
this problem.

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
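
The following Python script is an added example, not part of the original post: it decodes the AuthProto option hex printed in the LCP debugs above and reports interfaces where the peer ACKed one authentication protocol but then sent packets of another. The sample log is constructed from lines of the first capture, and the function names are this example's own.

```python
import re

# Constructed sample: lines in the shape of the first debug capture in the post.
SAMPLE = """\
Apr  1 14:48:51: Vi9 LCP: I FORCED CONFREQ len 15
Apr  1 14:48:51: Vi9 LCP:    AuthProto CHAP (0x0305C22305)
Apr  1 14:48:51: Vi9 LCP: O CONFREQ [Listen] id 1 len 14
Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)
Apr  1 14:48:51: Vi9 LCP: I CONFACK [ACKsent] id 1 len 14
Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)
Apr  1 14:48:54: Vi9 PPP: I pkt type 0xC223, datagramsize 55
Apr  1 14:48:54: Vi9 CHAP: Response ignored, expected id 0, got id 141
"""

AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP protocol numbers
LINE = re.compile(r"(Vi\d+) (\w+): +(.*)$", re.M)  # interface, tag, message

def decode_auth_option(hexstr):
    """Decode an LCP Authentication-Protocol option (type 3) given as TLV hex."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        return None  # not a well-formed type-3 option
    proto = int.from_bytes(raw[2:4], "big")
    return AUTH_PROTOS.get(proto, hex(proto))

def analyze(log):
    """Per interface: auth protocol in the forced CONFREQ, in the CONFACK, and received."""
    sessions, last_hdr = {}, {}
    for intf, tag, text in LINE.findall(log):
        s = sessions.setdefault(intf, dict(forced=None, acked=None, received=set(), ignored=0))
        opt = re.match(r"AuthProto \w+ \(0x([0-9A-Fa-f]+)\)", text)
        pkt = re.match(r"I pkt type 0x([0-9A-Fa-f]{4})", text)
        if tag == "LCP" and re.match(r"[IO] ", text):
            last_hdr[intf] = text                  # packet header line
        elif tag == "LCP" and opt:                 # option line under that header
            hdr = last_hdr.get(intf, "")
            if hdr.startswith("I FORCED CONFREQ"):
                s["forced"] = decode_auth_option(opt.group(1))
            elif hdr.startswith("I CONFACK"):
                s["acked"] = decode_auth_option(opt.group(1))
        elif tag == "PPP" and pkt and int(pkt.group(1), 16) in AUTH_PROTOS:
            s["received"].add(AUTH_PROTOS[int(pkt.group(1), 16)])
        elif "Response ignored" in text:
            s["ignored"] += 1
    return sessions

def mismatches(sessions):
    """Interfaces where the peer ACKed one auth protocol but sent another."""
    return sorted(i for i, s in sessions.items() if s["acked"] and s["received"] - {s["acked"]})
```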

