[cisco-nas] l2tp PPP auth issue

Tassos Chatzithomaoglou achatz at forthnet.gr
Fri Apr 2 08:43:26 EST 2004


Have you tried "lcp renog always" under the vpdn group?

jlewis at lewis.org wrote:

> We're having some difficulty with certain DSL routers authenticating
> through what the telco calls "broadband gateway" or BBG.  In this setup,
> customers connect to us as l2tp sessions from the telco's Shastas.  Our
> preferred auth type is PAP, but as you can see in the following debug, the
> customer negotiates PAP, but then sends CHAP which appears to be ignored.
> Seeing this, I removed "ppp chap refuse" from the virtual-template, and
> changed "ppp auth pap" to "ppp auth pap chap".  That doesn't seem to have
> made a difference.  This debug was collected after making the
> virtual-template changes.
> 
> Apr  1 14:48:51: Vi9 Debug: Condition 1, username anonymized at atlantic.net triggered, count 1
> Apr  1 14:48:51: Vi9 PPP: Phase is DOWN, Setup [0 sess, 1 load]
> Apr  1 14:48:51: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to up
> Apr  1 14:48:51: Vi9 PPP: Using set call direction
> Apr  1 14:48:51: Vi9 PPP: Treating connection as a callin
> Apr  1 14:48:51: Vi9 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 1 load]
> Apr  1 14:48:51: Vi9 LCP: State is Listen
> Apr  1 14:48:51: Vi9 LCP: I FORCED CONFREQ len 15
> Apr  1 14:48:51: Vi9 LCP:    MagicNumber 0x0ED6A721 (0x05060ED6A721)
> Apr  1 14:48:51: Vi9 LCP:    MRU 1500 (0x010405DC)
> Apr  1 14:48:51: Vi9 LCP:    AuthProto CHAP (0x0305C22305)
> Apr  1 14:48:51: Vi9 LCP: O CONFREQ [Listen] id 1 len 14
> Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)
> Apr  1 14:48:51: Vi9 LCP:    MagicNumber 0x0DD8F091 (0x05060DD8F091)
> Apr  1 14:48:51: Vi9 PPP: I pkt type 0xC021, datagramsize 12
> Apr  1 14:48:51: Vi9 LCP: I CONFREQ [REQsent] id 96 len 8
> Apr  1 14:48:51: Vi9 LCP:    MRU 1500 (0x010405DC)
> Apr  1 14:48:51: Vi9 LCP: O CONFACK [REQsent] id 96 len 8
> Apr  1 14:48:51: Vi9 LCP:    MRU 1500 (0x010405DC)
> Apr  1 14:48:51: Vi9 PPP: I pkt type 0xC021, datagramsize 18
> Apr  1 14:48:51: Vi9 LCP: I CONFACK [ACKsent] id 1 len 14
> Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)
> Apr  1 14:48:51: Vi9 LCP:    MagicNumber 0x0DD8F091 (0x05060DD8F091)
> Apr  1 14:48:51: Vi9 LCP: State is Open
> Apr  1 14:48:51: Vi9 PPP: Phase is AUTHENTICATING, by this end [0 sess, 1 load]
> Apr  1 14:48:54: Vi9 PPP: I pkt type 0xC223, datagramsize 55
> Apr  1 14:48:54: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
> Apr  1 14:48:54: Vi9 CHAP: Response ignored, expected id 0, got id 141
> Apr  1 14:48:57: Vi9 PPP: I pkt type 0xC223, datagramsize 55
> Apr  1 14:48:57: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
> Apr  1 14:48:57: Vi9 CHAP: Response ignored, expected id 0, got id 141
> Apr  1 14:49:00: Vi9 PPP: I pkt type 0xC223, datagramsize 55
> Apr  1 14:49:00: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
> Apr  1 14:49:00: Vi9 CHAP: Response ignored, expected id 0, got id 141
> Apr  1 14:49:03: Vi9 PPP: I pkt type 0xC021, datagramsize 8
> Apr  1 14:49:03: Vi9 LCP: I TERMREQ [Open] id 208 len 4
> Apr  1 14:49:03: Vi9 LCP: O TERMACK [Open] id 208 len 4
> Apr  1 14:49:03: Vi9 PPP: I pkt type 0xC021, datagramsize 12
> Apr  1 14:49:03: Vi9 LCP: I CONFREQ [TERMsent] id 134 len 8
> Apr  1 14:49:03: Vi9 LCP:    MRU 1500 (0x010405DC)
> Apr  1 14:49:03: Vi9 LCP: Dropping packet, state is TERMsent
> Apr  1 14:49:05: Vi9 LCP: TIMEout: State TERMsent
> Apr  1 14:49:05: Vi9 LCP: State is Closed
> Apr  1 14:49:05: Vi9 Debug: Condition 1, username anonymized at atlantic.net cleared, count 0
> Apr  1 14:49:05: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to down
> 
> If I change "ppp auth pap chap" to "ppp auth chap pap", this customer is
> able to connect, but I suspect others will have difficulty.
> 
> Apr  1 14:52:40: Vi36 Debug: Condition 1, username anonymized at atlantic.net triggered, count 1
> Apr  1 14:52:40: Vi36 PPP: Phase is DOWN, Setup [0 sess, 1 load]
> Apr  1 14:52:41: %LINK-3-UPDOWN: Interface Virtual-Access36, changed state to up
> Apr  1 14:52:41: Vi36 PPP: Using set call direction
> Apr  1 14:52:41: Vi36 PPP: Treating connection as a callin
> Apr  1 14:52:41: Vi36 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 1 load]
> Apr  1 14:52:41: Vi36 LCP: State is Listen
> Apr  1 14:52:41: Vi36 LCP: I FORCED CONFREQ len 15
> Apr  1 14:52:41: Vi36 LCP:    MagicNumber 0x7E24FADB (0x05067E24FADB)
> Apr  1 14:52:41: Vi36 LCP:    MRU 1500 (0x010405DC)
> Apr  1 14:52:41: Vi36 LCP:    AuthProto CHAP (0x0305C22305)
> Apr  1 14:52:41: Vi36 PPP: Phase is AUTHENTICATING, by this end [0 sess, 1 load]
> Apr  1 14:52:41: Vi36 CHAP: O CHALLENGE id 1 len 34 from "gsvlflma-br-1"
> Apr  1 14:52:41: Vi36 PPP: I pkt type 0xC223, datagramsize 55
> Apr  1 14:52:41: Vi36 CHAP: I RESPONSE id 156 len 51 from "anonymized at atlantic.net"
> Apr  1 14:52:41: Vi36 CHAP: O SUCCESS id 156 len 4
> Apr  1 14:52:41: Vi36 PPP: Phase is UP [0 sess, 1 load]
> Apr  1 14:52:41: Vi36 IPCP: O CONFREQ [Closed] id 1 len 10
> Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.6.225 (0x0306D1D006E1)
> Apr  1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 26
> Apr  1 14:52:41: Vi36 IPCP: I CONFREQ [REQsent] id 235 len 22
> Apr  1 14:52:41: Vi36 IPCP:    Address 0.0.0.0 (0x030600000000)
> Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
> Apr  1 14:52:41: Vi36 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
> Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
> Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 209.208.X.Y
> Apr  1 14:52:41: Vi36 IPCP: O CONFNAK [REQsent] id 235 len 22
> Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.X.Y (0x0306D1D02255)
> Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 209.208.0.2 (0x8106D1D00002)
> Apr  1 14:52:41: Vi36 IPCP:    SecondaryDNS 209.208.0.3 (0x8306D1D00003)
> Apr  1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 14
> Apr  1 14:52:41: Vi36 IPCP: I CONFACK [REQsent] id 1 len 10
> Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.6.225 (0x0306D1D006E1)
> Apr  1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 26
> Apr  1 14:52:41: Vi36 IPCP: I CONFREQ [ACKrcvd] id 188 len 22
> Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.X.Y (0x0306D1D02255)
> Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 209.208.0.2 (0x8106D1D00002)
> Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Start.  Her address 209.208.X.Y, we wangsvlflma-br-1#
> gsvlflma-br-1#t 209.208.X.Y
> Apr  1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Done.  Her address 209.208.X.Y, we want 209.208.X.Y
> Apr  1 14:52:41: Vi36 IPCP: O CONFACK [ACKrcvd] id 188 len 22
> Apr  1 14:52:41: Vi36 IPCP:    Address 209.208.X.Y (0x0306D1D02255)
> Apr  1 14:52:41: Vi36 IPCP:    PrimaryDNS 209.208.0.2 (0x8106D1D00002)
> Apr  1 14:52:41: Vi36 IPCP:    SecondaryDNS 209.208.0.3 (0x8306D1D00003)
> Apr  1 14:52:41: Vi36 IPCP: State is Open
> Apr  1 14:52:41: Vi36 IPCP: Install route to 209.208.X.Y
> 
> Anyone know why this is happening?  The routers that we're having this
> problem with are an older version of iBlitz DSL router.  The latest
> version (which apparently uses a different chipset) doesn't seem to have
> this problem.
> 
> ----------------------------------------------------------------------
>  Jon Lewis *jlewis at lewis.org*|  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

-- 
***************************************
       Chatzithomaoglou Anastasios
Network Design & Development Department
              FORTHnet S.A.
          <achatz at forthnet.gr>
***************************************
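
Added example (not part of either message): a Python check over PPP debug output like the first trace quoted above. It decodes the AuthProto option bytes and reports when the peer's authentication packets use a different protocol than the one acknowledged in LCP. The function names and SAMPLE are hypothetical; the sample lines are excerpted from that first trace.

```python
import re

PROTO = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP authentication protocol numbers

def decode_auth_option(hex_str):
    """Decode an LCP Authentication-Protocol option such as '0x0305C22305'."""
    raw = bytes.fromhex(hex_str[2:])
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        raise ValueError("not a well-formed Authentication-Protocol option")
    proto = int.from_bytes(raw[2:4], "big")
    return PROTO.get(proto, hex(proto)), raw[4:].hex()  # name, extra data (CHAP algorithm)

HDR = re.compile(r"(Vi\d+) LCP: ([IO]) (FORCED CONFREQ|CONFREQ|CONFACK)")
OPT = re.compile(r"(Vi\d+) LCP:\s+AuthProto \S+ \((0x[0-9A-Fa-f]+)\)")
PKT = re.compile(r"(Vi\d+) PPP: I pkt type (0x[0-9A-Fa-f]{4})")

# Lines excerpted from the first debug trace in the quoted message.
SAMPLE = [
    "Apr  1 14:48:51: Vi9 LCP: I FORCED CONFREQ len 15",
    "Apr  1 14:48:51: Vi9 LCP:    AuthProto CHAP (0x0305C22305)",
    "Apr  1 14:48:51: Vi9 LCP: O CONFREQ [Listen] id 1 len 14",
    "Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)",
    "Apr  1 14:48:51: Vi9 LCP: I CONFACK [ACKsent] id 1 len 14",
    "Apr  1 14:48:51: Vi9 LCP:    AuthProto PAP (0x0304C023)",
    "Apr  1 14:48:54: Vi9 PPP: I pkt type 0xC223, datagramsize 55",
    "Apr  1 14:48:57: Vi9 PPP: I pkt type 0xC223, datagramsize 55",
]

def find_auth_mismatch(lines):
    """Return (iface, proxied, agreed, received) tuples where the peer sends an
    auth protocol other than the one it acknowledged in the LCP exchange."""
    last_hdr, proxied, agreed, findings = {}, {}, {}, []
    for line in lines:
        if m := HDR.search(line):
            last_hdr[m[1]] = (m[2], m[3])          # remember which packet the options belong to
        elif m := OPT.search(line):
            name, _ = decode_auth_option(m[2])
            if last_hdr.get(m[1]) == ("I", "FORCED CONFREQ"):
                proxied[m[1]] = name               # what was negotiated before the tunnel
            elif last_hdr.get(m[1]) == ("I", "CONFACK"):
                agreed[m[1]] = name                # what the peer acknowledged to this end
        elif m := PKT.search(line):
            got, want = PROTO.get(int(m[2], 16)), agreed.get(m[1])
            finding = (m[1], proxied.get(m[1]), want, got)
            if got and want and got != want and finding not in findings:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    print(find_auth_mismatch(SAMPLE))
```
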

