[c-nsp] Strange VPDN Behaviour

Alex Foster afoster at gammatelecom.com
Fri Apr 21 08:24:25 EDT 2006


All,

I have a 7206VXR (NPE-G1) running c7200-jk9o3s-mz.124-1a - the router is
primarily acting as an LNS L2TP concentrator.

I having a few issues establishing L2TP tunnels - I seem to be able to
establish 5 or 6 but any additional ones fail.  The PPP session for the
L2TP tunnels are being authenticated using Radius and as I say for the
bulk of the tunnels this works successfully.   

For the tunnels that fail - the LNS appears to be trying to athorize the
tunnels using the 'local-list' - but this shouldn't happen as the PPP
sessions should always be authenticated/authorised by Radius - see
config and VPDN debug.

The L2TP tunnels are established through either g 0/1 or g 0/3 on the
7206 - there are a couple of access-lists on each interface - but
they're pretty much self explainable.  I tried using two different VPDN
groups (with source-ip of the individual interface on each group), but
the tunnels appeared to use the default VPDN group - I guess this must
be the normal behaviour.  The devices originating the tunnels are
Telindus 1221 ADSL routers - all are configured using a default
configuration - save username/password kind of stuff.  

Any help - as usual - is appreciated

Alex

Apr 21 04:08:55: L2X: Parse  AVP 0, len 8, flag 0x8000 (M)
*Apr 21 04:08:55: L2X: Parse SCCRQ
*Apr 21 04:08:55: L2X: Parse  AVP 2, len 8, flag 0x8000 (M)
*Apr 21 04:08:55: L2X: Protocol Ver 256
*Apr 21 04:08:55: L2X: Parse  AVP 7, len 40, flag 0x8000 (M)
*Apr 21 04:08:55: L2X: Hostname LNPOP_A05_0002 at vs.gammatelecom.c...
*Apr 21 04:08:55: L2X: Parse  AVP 3, len 10, flag 0x8000 (M)
*Apr 21 04:08:55: L2X: Framing Cap 0x1
*Apr 21 04:08:55: L2X: Parse  AVP 9, len 8, flag 0x8000 (M)
*Apr 21 04:08:55: L2X: Assigned Tunnel ID 43141
*Apr 21 04:08:55: L2X: Parse  AVP 5, len 14, flag 0x0
*Apr 21 04:08:55: L2X: No missing AVPs in SCCRQ
*Apr 21 04:08:55: L2X: I SCCRQ, flg TLS, ver 2, len 100, tnl 0, ns 0, nr
0
contiguous pak, size 100
         C8 02 00 64 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 28 00 00
         00 07 4C 4E 50 4F 50 5F 41 30 35 5F 30 30 30 32
         40 76 73 2E 67 61 6D 6D 61 74 65 6C 65 63 6F 6D
         2E 63 6F 6D 80 0A 00 00 ...
*Apr 21 04:08:55: L2TP: I SCCRQ from LNPOP_A05_0002 at vs.gammatelecom.com
tnl 4314
1
*Apr 21 04:08:55: AAA/BIND(000005A1): Bind i/f
*Apr 21 04:08:55: AAA/AUTHOR (0x5A1): Pick method list 'local-list'
*Apr 21 04:08:55:  Tnl 25511 L2TP: Tunnel Authorization started for host
LNPOP_A05_0002 at vs.gammatelecom.com
*Apr 21 04:08:55:  Tnl 25511 L2TP: New tunnel created for remote
LNPOP_A05_0002 at vs.gammatelecom.com, address 88.215.17.130 - FAIL
*Apr 21 04:08:55:  Tnl 25511 L2TP: O SCCRP  to
LNPOP_A05_0002 at vs.gammatelecom.com tnlid 43141
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse SCCRP
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 2, len 8, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Protocol Ver 256
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 6, len 8, flag 0x0
*Apr 21 04:08:55:  Tnl 25511 L2TP: Firmware Ver 0x1120
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 7, len 20, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Hostname HexLNS-R7206-1
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 8, len 25, flag 0x0
*Apr 21 04:08:55:  Tnl 25511 L2TP: Vendor Name Cisco Systems, Inc.
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 10, len 8, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Rx Window Size 20050
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 9, len 8, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Assigned Tunnel ID 25511
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 3, len 10, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Framing Cap 0x0
*Apr 21 04:08:55:  Tnl 25511 L2TP: Parse  AVP 4, len 10, flag 0x8000 (M)
*Apr 21 04:08:55:  Tnl 25511 L2TP: Bearer Cap 0x0
*Apr 21 04:08:55:  Tnl 25511 L2TP: O SCCRP, flg TLS, ver 2, len 117, tnl
43141,
ns 0, nr 1
         C8 02 00 75 A8 85 00 00 00 00 00 01 80 08 00 00
         00 00 00 02 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 20 80 14 00 00 00 07 48 65 78 4C 4E 53
         2D 52 37 32 30 36 2D 31 00 19 00 00 00 08 43 69
         73 63 6F 20 53 79 73 ...
*Apr 21 04:08:55:  Tnl 25511 L2TP: Control channel retransmit delay set
to 1 sec
onds
*Apr 21 04:08:55:  Tnl 25511 L2TP: Tunnel state change from idle to
wait-ctl-rep
ly
*Apr 21 04:08:56:  Tnl 25511 L2TP: O Resend SCCRP, flg TLS, ver 2, len
117, tnl
43141, ns 0, nr 1
*Apr 21 04:08:56:  Tnl 25511 L2TP: Control channel retransmit delay set
to 2 sec
onds
*Apr 21 04:08:56: L2X: Parse  AVP 0, len 8, flag 0x8000 (M)
*Apr 21 04:08:56: L2X: Parse SCCRQ
*Apr 21 04:08:56: L2X: Parse  AVP 2, len 8, flag 0x8000 (M)
*Apr 21 04:08:56: L2X: Protocol Ver 256
*Apr 21 04:08:56: L2X: Parse  AVP 7, len 40, flag 0x8000 (M)
*Apr 21 04:08:56: L2X: Hostname LNPOP_A05_0002 at vs.gammatelecom.c...
*Apr 21 04:08:56: L2X: Parse  AVP 3, len 10, flag 0x8000 (M)
*Apr 21 04:08:56: L2X: Framing Cap 0x1
*Apr 21 04:08:56: L2X: Parse  AVP 9, len 8, flag 0x8000 (M)
*Apr 21 04:08:56: L2X: Assigned Tunnel ID 43141
*Apr 21 04:08:56: L2X: Parse  AVP 5, len 14, flag 0x0
*Apr 21 04:08:56: L2X: No missing AVPs in SCCRQ
*Apr 21 04:08:56: L2X: I SCCRQ, flg TLS, ver 2, len 100, tnl 0, ns 0, nr
0
contiguous pak, size 100
         C8 02 00 64 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 28 00 00
         00 07 4C 4E 50 4F 50 5F 41 30 35 5F 30 30 30 32
         40 76 73 2E 67 61 6D 6D 61 74 65 6C 65 63 6F 6D
         2E 63 6F 6D 80 0A 00 00 ...
*Apr 21 04:08:56: L2TP: I SCCRQ from LNPOP_A05_0002 at vs.gammatelecom.com
tnl 4314
1
*Apr 21 04:08:58:  Tnl 25511 L2TP: O Resend SCCRP, flg TLS, ver 2, len
117, tnl
43141, ns 0, nr 1
*Apr 21 04:08:58:  Tnl 25511 L2TP: Control channel retransmit delay set
to 4 sec
onds
*Apr 21 04:08:58: L2X: Parse  AVP 0, len 8, flag 0x8000 (M)
*Apr 21 04:08:58: L2X: Parse SCCRQ
*Apr 21 04:08:58: L2X: Parse  AVP 2, len 8, flag 0x8000 (M)
*Apr 21 04:08:58: L2X: Protocol Ver 256
*Apr 21 04:08:58: L2X: Parse  AVP 7, len 40, flag 0x8000 (M)
*Apr 21 04:08:58: L2X: Hostname LNPOP_A05_0002 at vs.gammatelecom.c...
*Apr 21 04:08:58: L2X: Parse  AVP 3, len 10, flag 0x8000 (M)
*Apr 21 04:08:58: L2X: Framing Cap 0x1
*Apr 21 04:08:58: L2X: Parse  AVP 9, len 8, flag 0x8000 (M)
*Apr 21 04:08:58: L2X: Assigned Tunnel ID 43141
*Apr 21 04:08:58: L2X: Parse  AVP 5, len 14, flag 0x0
*Apr 21 04:08:58: L2X: No missing AVPs in SCCRQ
*Apr 21 04:08:58: L2X: I SCCRQ, flg TLS, ver 2, len 100, tnl 0, ns 0, nr
0
contiguous pak, size 100
         C8 02 00 64 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 28 00 00
         00 07 4C 4E 50 4F 50 5F 41 30 35 5F 30 30 30 32
         40 76 73 2E 67 61 6D 6D 61 74 65 6C 65 63 6F 6D
         2E 63 6F 6D 80 0A 00 00 ...
*Apr 21 04:08:58: L2TP: I SCCRQ from LNPOP_A05_0002 at vs.gammatelecom.com
tnl 4314
1
*Apr 21 04:09:02:  Tnl 25511 L2TP: O Resend SCCRP, flg TLS, ver 2, len
117, tnl
43141, ns 0, nr 1
*Apr 21 04:09:02:  Tnl 25511 L2TP: Control channel retransmit delay set
to 8 sec
onds
*Apr 21 04:09:03: L2X: Parse  AVP 0, len 8, flag 0x8000 (M)
*Apr 21 04:09:03: L2X: Parse SCCRQ
*Apr 21 04:09:03: L2X: Parse  AVP 2, len 8, flag 0x8000 (M)
*Apr 21 04:09:03: L2X: Protocol Ver 256
*Apr 21 04:09:03: L2X: Parse  AVP 7, len 40, flag 0x8000 (M)
*Apr 21 04:09:03: L2X: Hostname LNPOP_A05_0002 at vs.gammatelecom.c...
*Apr 21 04:09:03: L2X: Parse  AVP 3, len 10, flag 0x8000 (M)
*Apr 21 04:09:03: L2X: Framing Cap 0x1
*Apr 21 04:09:03: L2X: Parse  AVP 9, len 8, flag 0x8000 (M)
*Apr 21 04:09:03: L2X: Assigned Tunnel ID 43141
*Apr 21 04:09:03: L2X: Parse  AVP 5, len 14, flag 0x0
*Apr 21 04:09:03: L2X: No missing AVPs in SCCRQ
*Apr 21 04:09:03: L2X: I SCCRQ, flg TLS, ver 2, len 100, tnl 0, ns 0, nr
0
contiguous pak, size 100
         C8 02 00 64 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 28 00 00
         00 07 4C 4E 50 4F 50 5F 41 30 35 5F 30 30 30 32
         40 76 73 2E 67 61 6D 6D 61 74 65 6C 65 63 6F 6D
         2E 63 6F 6D 80 0A 00 00 ...
*Apr 21 04:09:03: L2TP: I SCCRQ from LNPOP_A05_0002 at vs.gammatelecom.com
tnl 43141


Config :

aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default group radius
!
aaa session-id common
!
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group Access
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

!
class-map match-all 5to1Cont
 match access-group 110
class-map match-all 1to1Cont
 match access-group 115
class-map match-all SDSLCont
 match access-group 120
!
!
policy-map ADSL_Contention
 class 5to1Cont
  set ip dscp 37
 class 1to1Cont
  set ip dscp 55
 class SDSLCont
  set ip dscp 47
!
interface Loopback0
 ip address 10.50.254.254 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 83.245.x.x 255.255.255.240
 ip access-group 101 in
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/2
 ip address 10.50.64.247 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 ip address 88.215.x.x 255.255.255.248
 ip access-group 102 in
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 service-policy output ADSL_Contention
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 83.245.x.x
ip route 10.50.32.0 255.255.255.0 GigabitEthernet0/2 10.50.64.254
ip route 88.215.0.0 255.255.0.0 GigabitEthernet0/3 88.215.x.x
!
no ip http server
no ip http secure-server
!
!
access-list 10 permit 10.50.32.0 0.0.0.255
access-list 101 permit udp any host x.x.x.x eq 1701
access-list 101 deny   ip any any
access-list 102 permit udp any host x.x.x.x eq 1701
access-list 102 permit icmp any host x.x.x.x echo
access-list 102 permit icmp any host x.x.x.x echo-reply
access-list 102 deny   ip any any
access-list 110 permit ip any 88.215.x.x 0.0.7.255
access-list 115 permit ip any 88.215.x.x 0.0.7.255
access-list 120 permit ip any 88.215.x.x 0.0.7.255
!
!
!
radius-server host 10.50.64.249 auth-port 1812 acct-port 1813
radius-server host 10.50.64.250 auth-port 1812 acct-port 1813
radius-server key 7 110D1C134443071E572E7A7D7866
!
end !!!


The information in this e-mail and any attachments is confidential and may be subject to legal professional privilege. It is intended solely for the attention and use of the named addressee(s). If you are not the intended recipient, or person responsible for delivering this information to the intended recipient, please notify the sender immediately. Unless you are the intended recipient or his/her representative you are prohibited from, and therefore must not, read, copy, distribute, use or retain this message or any part of it. The views expressed in this e-mail may not represent those of Gamma Telecom.

This message has been scanned for viruses by MailController


More information about the cisco-nsp mailing list