[c-nsp] LNS Error %VPDN-3-NORESOURCE:

Brian Turnbow b.turnbow at twt.it
Fri Jun 15 10:31:39 EDT 2012


Hi,


> Hi.
> 
> Thanks for the reply.
> 
> What I noticed today was,
> 
> I tried to authenticate one vrf-enabled l2tp session and one global (no-vrf).
> The one with VRF can't authenticate. Giving me the error of "LNS no
> resources for user..."
> But the one with no-vrf was able to authenticate successfully.
> 

The below config only shows one virtual template; do you have a second for the VRF?
I believe you need to differentiate.

Regards

Brian

> My tcpdump on the radius server says Authentication Request, and
> Authentication Accept.
> Router debug also shows CHAP login response is PASS.
> 
> I tried also using my other LNS (NPE-G1) and any vrf-enabled session is
> successful.
> Both VRF-enabled and Global L2tp session terminates on the same vpdn-group.
> 
> I have similar config on both LNS routers.
> 
> 
> 
> Here's my LNS config:
> 
> vpdn-group 1
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  terminate-from hostname LNS1
>  source-ip x.x.x.x
>  local name ABC
>  lcp renegotiation on-mismatch
>  l2tp tunnel password 7 09123456
>  l2tp tunnel timeout no-session 600
>  ip tos reflect
> 
> 
> 
> 
> interface Virtual-Template1
>   mtu 1462
>  ip unnumbered Loopback0
>  ip tcp adjust-mss 1422
>  peer default ip address pool LNSPool
>  keepalive 60
>  ppp authentication chap radius-ppp
> 
> 
> 
> Here's the debug ppp/aaa/vpdn output:
> 
> Jun 15 09:34:07.823: VPDN Received L2TUN socket message Incoming
> Jun 15 09:34:07.823: AAA/BIND(000001E7): Bind i/f
> Jun 15 09:34:07.823: VPDN uid:393 L2TUN socket session accept requested
> Jun 15 09:34:07.823: VPDN uid:393 Setting up dataplane for L2-L2, no idb
> Jun 15 09:34:07.827: VPDN Received L2TUN socket message Connected
> Jun 15 09:34:07.827: AAA/BIND(000001E7): Bind i/f Virtual-Template1
> Jun 15 09:34:07.827: VPDN uid:393 VPDN session up
> Jun 15 09:34:07.831: AAA/AUTHEN/PPP (000001E7): Pick method list 'radius-ppp'
> Jun 15 09:34:07.831: ppp393 PPP: Sent CHAP LOGIN Request
> Jun 15 09:34:07.831: ppp393 PPP: Received LOGIN Response PASS
> Jun 15 09:34:07.835: VPDN uid:393 disconnect (L2X) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Jun 15 09:34:07.835: VPDN uid:393 vpdn shutdown session, result=4, error=4, vendor_err=0, syslog_error_code=15, syslog_key_type=1
> Jun 15 09:34:07.835: %VPDN-3-NORESOURCE: L2TP LNS  no resources for user xyz at test.net; Result 4, Error 4, SSS Manager disconnected session
> Jun 15 09:34:07.835: VPDN uid:393 VPDN/AAA: accounting stop sent
> Jun 15 09:34:07.835: ppp393 CHAP: O FAILURE id 1 len 26 msg is "Authentication failure"
> 
> 
> thanks
> 
> 
> 
> ________________________________
>  From: Oliver Boehmer (oboehmer) <oboehmer at cisco.com>
> To: ar <ar_djp at yahoo.com>; Tim Warnock <timoid at timoid.org>
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> Sent: Friday, June 15, 2012 7:19 PM
> Subject: RE: [c-nsp] LNS Error %VPDN-3-NORESOURCE:
> 
> 
> > I tried SRE6 already.
> > I got the same error.
> > Unfortunately I don't have any TAC support for this box.
> >
> > Could this be a possible NPE-G2 problem?
> >
> >
> > #sho ver
> > Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version
> > 12.2(33)SRE6, RELEASE SOFTWARE (fc1)
> >
> >
> > Jun 14 23:10:54.455: ppp76 PPP: Sent CHAP LOGIN Request
> > Jun 14 23:10:54.455: ppp76 PPP: Received LOGIN Response PASS
> > Jun 14 23:10:54.459: %VPDN-3-NORESOURCE: L2TP LNS LNS1 no resources for user test at xyz.net; Result 4, Error 4, SSS Manager disconnected session
> > Jun 14 23:10:54.459: ppp76 CHAP: O FAILURE id 1 len 26 msg is "Authentication failure"
> 
> don't think this is related to the platform, some debugs are in order to
> find out what's happening (my l2tp/vpdn skills are a bit rusty, though
> ;-)
> 
> debug radius
> debug aaa author
> debug aaa per-user
> debug vpdn event
> debug vpdn error
> debug vpdn l2x-ev
> debug vpdn l2x-er
> debug vpdn sss err
> debug vpdn sss ev
> 
> can you share the full configs of both devices offline/unicast?
> 
>     oli
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


---
This e-mail is intended only for the addressee named above. 
As this e-mail may contain confidential or privileged information, 
if you are not the named addressee, you are not authorized to retain, read, 
copy or disseminate this message or any part of it.   
 
Please consider your environmental responsibility before printing this e-mail.
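
The pattern in the debug output quoted in this thread (CHAP LOGIN Response PASS, then %VPDN-3-NORESOURCE and a CHAP FAILURE for the same ppp session) can be picked out of mail-wrapped IOS debug text mechanically. This is an added example, not part of the original thread: the function names are hypothetical, and the sample is constructed from the quoted lines plus one made-up healthy session (ppp394).

```python
import re

# IOS debug entries start with "Mon DD HH:MM:SS.mmm: "; mail wrapping fused them together.
TS = re.compile(r"(?=\b[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}: )")
ENTRY = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$", re.S)
PASS = re.compile(r"^ppp(\d+) PPP: Received LOGIN Response PASS")
NORES = re.compile(r"^%VPDN-3-NORESOURCE: .*? no resources for user (.+?); (.*)$")
FAIL = re.compile(r"^ppp(\d+) CHAP: O FAILURE")

# Constructed sample: wrapped as in the quoted mail; the ppp394 line is invented.
SAMPLE = """\
> Jun 15 09:34:07.831: ppp393 PPP: Sent CHAP LOGIN Request Jun 15
> 09:34:07.831: ppp393 PPP: Received LOGIN Response PASS Jun 15 09:34:07.835:
> VPDN uid:393 disconnect (L2X) IETF: 9/nas-error Ascend: 62/VPDN No
> Resources Jun 15 09:34:07.835: %VPDN-3-NORESOURCE: L2TP LNS  no resources for user
> xyz at test.net; Result 4, Error 4, SSS Manager disconnected session Jun 15
> 09:34:07.835: ppp393 CHAP: O FAILURE id 1 len 26 msg is "Authentication
> failure"
> Jun 15 09:35:10.101: ppp394 PPP: Received LOGIN Response PASS
"""

def split_entries(text):
    """Strip '>' quote markers, undo the wrapping, return [(timestamp, message), ...]."""
    flat = " ".join(re.sub(r"^(?:>\s?)+", "", ln).strip() for ln in text.splitlines())
    out = []
    for chunk in TS.split(flat):
        m = ENTRY.match(chunk.strip())
        if m:
            out.append((m.group(1), re.sub(r"\s+", " ", m.group(2)).strip()))
    return out

def auth_ok_but_no_resource(text):
    """Flag sessions where CHAP passed but the LNS then dropped the session.
    The NORESOURCE line has no ppp id, so it is tied to the next CHAP FAILURE (heuristic)."""
    findings, passed, pending = [], {}, None
    for ts, msg in split_entries(text):
        if (m := PASS.match(msg)):
            passed[m.group(1)] = ts
        elif (m := NORES.match(msg)):
            pending = {"user": m.group(1), "reason": m.group(2), "at": ts}
        elif (m := FAIL.match(msg)) and pending and m.group(1) in passed:
            findings.append({"session": "ppp" + m.group(1),
                             "chap_pass_at": passed.pop(m.group(1)), **pending})
            pending = None
    return findings

if __name__ == "__main__":
    for finding in auth_ok_but_no_resource(SAMPLE):
        print(finding)
```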



