[cisco-nas] Routing mystery
Joe Mays
jfmays at launchpad.win.net
Mon Apr 4 19:13:19 EDT 2011
Is there more information I could add here that would help make this
issue make more sense to people?
----- Original Message -----
From: "Joe Mays" <jfmays at launchpad.win.net>
To: <cisco-nas at puck.nether.net>
Cc: "Mike Andrews" <mandrews at fark.com>
Sent: Friday, April 01, 2011 5:27 AM
Subject: [cisco-nas] Routing mystery
Okay, I've almost got this whole ppp multilink over pppoe thing worked
out, but I'm dealing with one final mystery.
Without ppp multilink in the virtual template, the link comes up as a
normal ppp connection, as would be expected.
interface Virtual-Template1
ip unnumbered FastEthernet1/0.2
ip tcp adjust-mss 1360
peer default ip address pool pppoepool
ppp authentication pap chap
Show users shows --
gw1.armplc#show users
Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00 admin1.win.net
3 vty 1 admin 216.24.35.11 00:04:09 admin1.win.net
Interface User Mode Idle Peer Address
Vi2.1 K1.LXFU.396865..SC PPPoE 00:01:09 216.24.35.68
Vi2.2 K1.LXFU.396853..SC PPPoE 00:01:07 216.24.35.57
Vi2.3 quickcash at win.net PPPoE 00:00:08 216.24.35.11
The route to the network on the other end of the connection
(216.24.2.88/29) can be pinged fine from the 7206 through the static
route that is entered ("ip route 216.24.2.88 255.255.255.248
216.24.35.11").
gw1.armplc#ping 216.24.2.89
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.89, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/48 ms
From another outside router we can see that this route is being
broadcast fine via OSPF, and pinging works fine from this location,
also...
core-gw1.noc#ping 216.24.2.89
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.89, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
core-gw1.noc#show ip route 216.24.2.88
Routing entry for 216.24.2.88/29
Known via "ospf 5150", distance 110, metric 20, type extern 2,
forward metric 2
Last update from 216.24.28.246 on Serial6/1, 00:01:49 ago
Routing Descriptor Blocks:
* 216.24.28.246, from 216.24.30.16, 00:01:49 ago, via Serial6/1
Route metric is 20, traffic share count is 1
Debug IP ICMP on 216.24.35.11 (which is the wan interface of the
router the 216.24.2.89 interface is on) shows the incoming packets
being received fine from the outside router....
*Mar 1 11:48:28.837: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:28.877: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:28.925: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:28.969: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:29.013: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
So everything is great. Now when I add "ppp multilink" to the virtual
template....
gw1.armplc#config t
Enter configuration commands, one per line. End with CNTL/Z.
gw1.armplc(config)#int virtual-template1
gw1.armplc(config-if)#ppp multilink
The link drops and comes back as part of a multilink bundle as it
should...
gw1.armplc#show users
Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00 admin1.win.net
Interface User Mode Idle Peer Address
Vi2.1 K1.LXFU.396853..SC PPPoE 00:09:01 216.24.35.57
Vi2.2 K1.LXFU.396865..SC PPPoE 00:09:01 216.24.35.68
Vi4 quickcash at win.net PPPoE 00:02:10
Vi5 quickcash at win.net MLP Bundle 00:02:10 216.24.35.11
From the 7206 the link is terminated on, everything still works.
216.24.35.11 and 216.24.2.89 can still be pinged successfully. From
the outside router, the route is still in OSPF, but pings to
216.24.35.11 and 216.24.2.89 now fail, and nothing appears in "debug
ip icmp" on the 216.24.35.11 router, indicating the packets were never
routed down the link at all. traceroute from the outside router
shows that the packets were sent to the 7206, but it then did not send
the packets on to the 216.24.35.11 router.
core-gw1.noc#traceroute 216.24.2.89
Type escape sequence to abort.
Tracing the route to 216-24-2-89.ip.win.net (216.24.2.89)
1 s3-0.gw1.armplc.win.net (216.24.28.246) 0 msec 0 msec 4 msec
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
This behavior makes no sense to me. The sum seems to be that when the
connection to 216.24.35.11 is not part of a multilink bundle,
everything works. When it IS part of a multilink bundle, however, the
7206 terminating the multilink bundle can send traffic down the bundle
fine, and knows to route traffic to 216.24.2.89 down the bundled link
to 216.24.35.11, but refuses to route traffic from anywhere else down
the link. The problem seems to be completely on the 7206. Perhaps I am
hitting an access list or something, but I can see no access list that
should know or care whether or not the link is in a multilink bundle
or not, and anyway if there is an access list causing the problem,
it's not keeping the 7206 itself from routing properly down the link,
it's just not routing traffic from anywhere else down the link.
Here is the complete config on the 7206....
gw1.armplc#show run
Building configuration...
Current configuration : 11250 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gw1.armplc
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius WinAuthAcct
server 216.24.27.48 auth-port 1812 acct-port 1813
server 216.24.27.49 auth-port 1812 acct-port 1813
server 216.24.27.201 auth-port 1645 acct-port 1646
server 216.24.27.202 auth-port 1645 acct-port 1646
server 216.24.27.203 auth-port 1645 acct-port 1646
server 216.24.27.204 auth-port 1645 acct-port 1646
server 216.24.27.205 auth-port 1645 acct-port 1646
server 216.24.27.206 auth-port 1645 acct-port 1646
server 216.24.27.207 auth-port 1645 acct-port 1646
server 216.24.27.208 auth-port 1645 acct-port 1646
server 216.24.27.209 auth-port 1645 acct-port 1646
server 216.24.27.200 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication ppp default local group WinAuthAcct
aaa authorization exec default local none
aaa authorization network default local group WinAuthAcct if-authenticated
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting network default start-stop broadcast group WinAuthAcct
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip telnet source-interface Loopback100
ip tftp source-interface Loopback100
ip domain list win.net
ip domain name win.net
ip name-server 216.24.27.3
ip name-server 24.235.0.25
ip name-server 216.24.27.4
!
no ip bootp server
pppoe-forwarding
!
!
!
!
!
!
!
!
!
!
!
username admin secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
controller T3 6/0
!
!
bba-group pppoe global
virtual-template 1
!
interface Loopback100
description gw1.armplc.win.net loopback interface
ip address 216.24.30.16 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet1/0
ip address 216.24.8.1 255.255.255.0
duplex full
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip address 216.24.12.193 255.255.255.192
pppoe enable group global
no snmp trap link-status
!
interface FastEthernet1/0.3
encapsulation dot1Q 3
ip tcp adjust-mss 1360
pppoe enable group global1
no snmp trap link-status
!
interface FastEthernet1/0.16
encapsulation dot1Q 16
no snmp trap link-status
!
interface FastEthernet1/0.17
encapsulation dot1Q 17
no snmp trap link-status
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface Serial3/0
description Armory Place CO to Heyburn
bandwidth 44210
ip address 216.24.28.246 255.255.255.252
ip route-cache flow
dsu bandwidth 44210
framing c-bit
cablelength 50
serial restart-delay 0
no cdp enable
!
interface Serial3/1
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
!
interface Serial4/0
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
!
interface ATM5/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Virtual-Template1
ip unnumbered FastEthernet1/0.2
ip tcp adjust-mss 1360
peer default ip address pool pppoepool
ppp authentication pap chap
!
interface Virtual-TokenRing2
no ip address
ring-speed 16
!
router ospf 5150
log-adjacency-changes
area 0 authentication message-digest
summary-address 216.24.9.0 255.255.255.128
redistribute connected subnets route-map ospf-redistrib
redistribute static subnets route-map ospf-redistrib
passive-interface default
no passive-interface FastEthernet1/0
no passive-interface Serial3/0
no passive-interface Loopback100
network 24.235.0.0 0.0.31.255 area 0
network 216.24.0.0 0.0.63.255 area 0
!
ip local pool pppoepool 216.24.12.100 216.24.12.180
ip classless
ip route 0.0.0.0 0.0.0.0 Serial3/0
ip route 216.24.2.88 255.255.255.248 216.24.35.11
no ip http server
!
!
!
ip access-list standard allow-our-nets
permit 216.24.0.0 0.0.63.255
permit 24.235.0.0 0.0.31.255
!
ip access-list extended in-block-all-smtp-nb
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-nb
remark -- Same as out-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-smtp-nb
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-dangerously-allow-all
permit ip any any
ip access-list extended in-permitlog-smtp
remark -- This one is used to see who we need to not apply blocksmtp to.
remark -- It is functionally identical to in-block-nb.
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp syn log-input
permit tcp any any eq smtp
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-all-smtp-nb
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-nb
remark -- Same as in-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-smtp-nb
permit tcp 216.24.27.0 0.0.0.255 eq smtp any
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-dangerously-allow-all
permit ip any any
ip access-list extended out-permitlog-smtp
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip radius source-interface Loopback100
logging source-interface Loopback100
!
route-map ospf-redistrib permit 10
match ip address allow-our-nets
!
snmp-server trap-source Loopback100
!
radius-server attribute nas-port format c
radius-server dead-criteria tries 2
radius-server host 216.24.27.201 auth-port 1645 acct-port 1646
radius-server host 216.24.27.202 auth-port 1645 acct-port 1646
radius-server host 216.24.27.203 auth-port 1645 acct-port 1646
radius-server host 216.24.27.204 auth-port 1645 acct-port 1646
radius-server host 216.24.27.205 auth-port 1645 acct-port 1646
radius-server host 216.24.27.206 auth-port 1645 acct-port 1646
radius-server host 216.24.27.207 auth-port 1645 acct-port 1646
radius-server host 216.24.27.208 auth-port 1645 acct-port 1646
radius-server host 216.24.27.209 auth-port 1645 acct-port 1646
radius-server host 216.24.27.200 auth-port 1645 acct-port 1646
radius-server retry method reorder
radius-server transaction max-tries 3
radius-server retransmit 0
radius-server timeout 3
radius-server deadtime 2
radius-server key xxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 60 0
logging synchronous
transport preferred none
transport input telnet
!
!
end
Seriously, it wouldn't surprise me at all if I'm just overlooking
something simple and obvious here, but I'm stalled on what could be
happening here. Any insights anyone can offer would be hugely
appreciated.
--
"In Lancre we have what I suppose you'd call a constitutional monarchy
if we had a constitution. What this means is this: there is only one
king and more'n 500 subjects, and they all work every day at jobs
which mostly involve sharp things. It's one of those lessons that are
so obvious they don't have to be taught."
-- Terry Pratchett, "Nanny Ogg's Cookbook"
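A quick way to check the access-list question raised in the post, added here as an example and not code from the post or the list: a small parser that walks an IOS running config and reports which named ACLs are actually applied to an interface with "ip access-group", which are only referenced from a route-map, and which are defined but filter nothing. The sample below is a constructed excerpt modelled on the gw1.armplc config; the function name and regexes are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the gw1.armplc running config quoted in the
# post (not the full config): two interfaces, two ACLs and the route-map.
SAMPLE_CONFIG = """\
interface FastEthernet1/0.2
 encapsulation dot1Q 2
 ip address 216.24.12.193 255.255.255.192
 pppoe enable group global
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0.2
 peer default ip address pool pppoepool
 ppp authentication pap chap
!
ip access-list standard allow-our-nets
 permit 216.24.0.0 0.0.63.255
ip access-list extended in-block-nb
 deny tcp any any range 135 139 log-input
 permit ip any any
!
route-map ospf-redistrib permit 10
 match ip address allow-our-nets
"""

ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
ACL_APPLY = re.compile(r"^\s+ip access-group (\S+) (in|out)\b")
RMAP_MATCH = re.compile(r"^\s+match ip address (\S+)")

def acl_report(config):
    """Report where each named ACL in an IOS config is really used.

    Returns the defined ACL names, the (name, direction) pairs applied per
    interface, the ACLs referenced by route-maps, and the ACLs that are
    defined but not applied to any interface at all.
    """
    defined, rmap_refs = set(), set()
    applied = defaultdict(list)
    section = None
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line.strip()  # top-level block: interface, ACL, route-map, "!"
            m = ACL_DEF.match(line)
            if m:
                defined.add(m.group(1))
            continue
        if section and section.startswith("interface "):
            m = ACL_APPLY.match(line)
            if m:
                applied[section.split(None, 1)[1]].append((m.group(1), m.group(2)))
        elif section and section.startswith("route-map "):
            m = RMAP_MATCH.match(line)
            if m:
                rmap_refs.add(m.group(1))
    in_use = {name for entries in applied.values() for name, _ in entries}
    return {"defined": defined, "applied": dict(applied),
            "route_map_refs": rmap_refs, "unapplied": defined - in_use}

if __name__ == "__main__":
    print(acl_report(SAMPLE_CONFIG))
```

Run against the full "show run" output the same way; an empty "applied" dict confirms that no interface filters traffic, so the multilink symptom must come from forwarding rather than from an access list.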