[j-nsp] LCP keeps renegotiating on L2TP tunnel

Drikus Brits Drikus.Brits at brennanit.com.au
Thu Feb 22 01:23:32 EST 2018


Heya Experts,

Need some input. We're changing houses. Yeay... or not. We're in the process of changing from Cisco PEs to Juniper, and as such DSL and 4G services are first up on the migration. I'm stuck trying to get an MX104 to terminate L2TP sessions with Cisco CPEs.

We have 2x scenarios where we have Cisco & Huawei CPEs doing normal dialer sessions and Virtual-ppp interface configuration as per below to Cisco PEs within VRFs and global etc. Scenario 1 is working with just DSL dialer services terminating from carriers using L2TP tunnels from the carrier LAC/BRAS boxes to our MX104s and then terminating PPPoE subscribers via the dialer interfaces. This works like a charm.

The second one isn't working so well, where we have 4G services out there on an internet-facing APN with each CPE terminating individual L2TP sessions to our MX104s. On the Cisco CPE the debugs show LCP trying to negotiate and eventually failing, however on the MX, it shows what appears to be some success. We've got RADIUS servers pushing the AV pairs with the necessary IPs, routes & VRFs, but rad requests aren't even hitting me yet.

MX:

drikusb@SYD-BB-01> show services l2tp tunnel
  Local ID  Remote ID  Remote IP               Sessions  State
  7991      25256      61.41.122.32:1701             1  Established

drikusb@SYD-BB-01> show subscribers
Interface           IP Address/VLAN ID                      User Name                      LS:RI
si-0/0/0.3221229393                                                                   default:default

Cisco CPE:

Testing-dsltest-cpe#


interface Virtual-PPP1
ip address negotiated
ip virtual-reassembly in
keepalive 30
ppp chap hostname 123456789011@4gL2TP
ppp chap password keepmesecret
no cdp enable
pseudowire 192.168.100.10 123 encapsulation l2tpv2 pw-class pwclass1

1187080: Feb 20 14:27:35: ppp0 PPP: Phase is ESTABLISHING
1187081: Feb 20 14:27:35: Vp1 PPP: Using default call direction
1187082: Feb 20 14:27:35: Vp1 PPP: Treating connection as a dedicated line
1187083: Feb 20 14:27:35: Vp1 PPP: Session handle[F200003D] Session id[0]
1187084: Feb 20 14:27:35: Vp1 LCP: Event[OPEN] State[Initial to Starting]
1187085: Feb 20 14:27:35: Vp1 LCP: O CONFREQ [Starting] id 1 len 10
1187086: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x7A1DCA64 (0x05067A1DCA64)
1187087: Feb 20 14:27:35: Vp1 LCP: Event[UP] State[Starting to REQsent]
1187088: Feb 20 14:27:35: Vp1 LCP: I CONFREQ [REQsent] id 210 len 15
1187089: Feb 20 14:27:35: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
1187090: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x3F8C879E (0x05063F8C879E)
1187091: Feb 20 14:27:35: Vp1 LCP: O CONFACK [REQsent] id 210 len 15
1187092: Feb 20 14:27:35: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
1187093: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x3F8C879E (0x05063F8C879E)
<<  repeated output as per above/below omitted >>
1187094: Feb 20 14:27:35: Vp1 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
1187095: Feb 20 14:27:37: Vp1 LCP: O CONFREQ [ACKsent] id 2 len 10
1187096: Feb 20 14:27:37: Vp1 LCP:    MagicNumber 0x7A1DCA64 (0x05067A1DCA64)
1187097: Feb 20 14:27:37: Vp1 LCP: Event[Timeout+] State[ACKsent to ACKsent]
1187160: Feb 20 14:27:54: Vp1 LCP: O CONFACK [ACKsent] id 216 len 15
1187161: Feb 20 14:27:54: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
1187162: Feb 20 14:27:54: Vp1 LCP:    MagicNumber 0x3F8C879E (0x05063F8C879E)
1187163: Feb 20 14:27:54: Vp1 LCP: Event[Receive ConfReq+] State[ACKsent to ACKsent]
1187164: Feb 20 14:27:55: Vp1 PPP DISC: LCP failed to negotiate
1187165: Feb 20 14:27:55: Vp1 PPP: Sending Acct Event[Down] id[26B]
1187166: Feb 20 14:27:55: PPP: NET STOP send to AAA.
1187167: Feb 20 14:27:55: Vp1 LCP: Event[Timeout-] State[ACKsent to Stopped]
1187168: Feb 20 14:27:55: Vp1 LCP: Event[DOWN] State[Stopped to Starting]
1187169: Feb 20 14:27:55: Vp1 PPP: Phase is DOWN
Testing-dsltest-cpe #


MXConfig:
set interfaces si-0/0/0 hierarchical-scheduler
set interfaces si-0/0/0 encapsulation generic-services
set interfaces si-0/0/0 unit 0 family inet
set chassis fpc 0 pic 0 inline-services bandwidth 10g
set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix next-hop "$junos-framed-route-nexthop"
set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix metric "$junos-framed-route-cost"
set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix preference "$junos-framed-route-distance"
set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access-internal route $junos-subscriber-ip-address qualified-next-hop "$junos-interface-name"
set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" interface-mib
set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options l2tp-interface-id l2tp-encapsulation
set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options dedicated
set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" routing-services
set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" keepalives interval 5
set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
set services l2tp tunnel-group tg_dynamic l2tp-access-profile cpe_l2tp_profile
set services l2tp tunnel-group tg_dynamic aaa-access-profile RADIUS-GROUP-01
set services l2tp tunnel-group tg_dynamic local-gateway address 192.168.100.10
set services l2tp tunnel-group tg_dynamic service-interface si-0/0/0
set services l2tp tunnel-group tg_dynamic dynamic-profile dyn-lns-profile
set access-profile RADIUS-GROUP-01
set access group-profile l2tp_group_profile ppp idle-timeout 200
set access group-profile l2tp_group_profile ppp ppp-options pap
set access group-profile l2tp_group_profile ppp ppp-options chap
set access group-profile l2tp_group_profile ppp keepalive 30
set access profile cpe_l2tp_profile client default l2tp interface-id l2tp-encapsulation
set access profile cpe_l2tp_profile client default l2tp lcp-renegotiation
set access profile cpe_l2tp_profile client default l2tp shared-secret "$9$m5T30OReK8RheWx7sYfTz36AO1h"
set access profile cpe_l2tp_profile client default user-group-profile l2tp_group_profile
set access profile RADIUS-GROUP-01 authentication-order radius
set access profile RADIUS-GROUP-01 radius authentication-server 10.10.10.100
set access profile RADIUS-GROUP-01 radius accounting-server 10.10.10.100
set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 port 1812
set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 secret "$9$AiHTt0IKMXdVYyl7VbwJZ36/t01SyKvLN24UHk.zFRhSe87wsgUi.ev"
set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 timeout 10
set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 retry 3
set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 source-address 10.2.50.60
set access profile RADIUS-GROUP-01 accounting order radius

Traceoptions on the MX indicate something maybe with inter-op variable being sent from the Cisco or something missing.

Feb 20 15:40:19.288330 receive: Discarding incoming payload from 1 0x0 61.41.122.3261.14.103.110 - header not control len 22
Feb 20 15:40:19.842444 processIfdNotifyMsg: received state sync IFD notify , action = 1 ifdIndex = 168 ifdBbeIndex = 26 ifdName = xe-2/0/1 ifdFlags = c000
Feb 20 15:40:19.842547 processIfdNotifyMsg: Dropping the received state sync IFD notify , action = 1 ifdIndex = 168 ifdBbeIndex = 26 ifdName = xe-2/0/1 ifdFlags = c000
Feb 20 15:40:19.842590 processIfdNotifyMsg: received state sync IFD notify , action = 1 ifdIndex = 178 ifdBbeIndex = 27 ifdName = xe-2/0/0 ifdFlags = c000
Feb 20 15:40:19.842628 processIfdNotifyMsg: Dropping the received state sync IFD notify , action = 1 ifdIndex = 178 ifdBbeIndex = 27 ifdName = xe-2/0/0 ifdFlags = c000
Feb 20 15:40:21.303953 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:21.485999 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
Feb 20 15:40:23.321018 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:24.591129 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
Feb 20 15:40:25.336923 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:27.353564 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:27.688001 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
Feb 20 15:40:29.369324 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:30.566527 doSessionCleanUp: Session cleanup for session Uid = L2tpSession 0xf69, sdb Id = 3934, ifl Id = 0, subscriber control transferred = 1, profile de-instantiation required = 0, profile name = dyn-lns-profile, SMD cleanup required = 0
Feb 20 15:40:30.566782 removePrivateData: sdb_remove_app_defined_data for sdb table type session, oper, uid L2tpSession 0xf69
Feb 20 15:40:30.567113 App Def tid 3 del, mem 0x851aba88 found
Feb 20 15:40:30.567241 removePrivateData: sdb_remove_app_defined_data for sdb table type session, config, uid L2tpSession 0xf69
Feb 20 15:40:30.567435 App Def tid 3 del, mem 0x851ab284 found
Feb 20 15:40:30.784101 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
Feb 20 15:40:31.385220 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:33.401577 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
Feb 20 15:40:33.883653 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
Feb 20 15:40:35.420128 receive: received L2TP packet type sli, from remote address 61.41.122.32, remote port  1701, for local address 192.168.100.10, local port 1701, tunnel Id 0x7991, session Id 0x32083
Feb 20 15:40:35.420331 receive: Processing incoming in-sequence sli from 1 0x0 61.41.122.32192.168.100.10 - controlHeader.Ns = 96, nextReceiveNs = 96
Feb 20 15:40:35.420628 load: AVP Header: type = message, length = 8, flags = M ~H
Feb 20 15:40:35.420743 receiveSli: Remote error in incoming sli from 1 0x0 61.41.122.32192.168.100.10 - missing mandatory AVP(ACCM)
Feb 20 15:40:35.421133 sendZLB: send L2TP packet type zlb, for remote  address 61.41.122.32, remote port 1701, from local address 192.168.100.10, local port 1701, L2tpTunnel 0x3e9, tunnel Id 25256, session Id 0, Ns 48, Nr 97
Feb 20 15:40:35.421606 receive: received L2TP packet type sli, from remote address 61.41.122.32, remote port  1701, for local address 192.168.100.10, local port 1701, tunnel Id 0x7991, session Id 0x32083
Feb 20 15:40:35.421731 receive: Processing incoming in-sequence sli from 1 0x0 61.41.122.32192.168.100.10 - controlHeader.Ns = 97, nextReceiveNs = 97
Feb 20 15:40:35.421948 load: AVP Header: type = message, length = 8, flags = M ~H
Feb 20 15:40:35.422128 receiveSli: Remote error in incoming sli from 1 0x0 61.41.122.32192.168.100.10 - missing mandatory AVP(ACCM)
Feb 20 15:40:35.423282 sendZLB: send L2TP packet type zlb, for remote  address 61.41.122.32, remote port 1701, from local address 192.168.100.10, local port 1701, L2tpTunnel 0x3e9, tunnel Id 25256, session Id 0, Ns 48, Nr 98

I've scouted a multitude of the L2TP KBs and docs on the Juniper website, but to no avail. I tried googling for information related to the "missing mandatory AVP(ACCM)" error, but I'm still missing something small, methinks.

Any ideas?

Drikus Brits
Core Network Engineer
T 02 8235 9578   M 0434 664 567
E drikus.brits at brennanit.com.au
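
The CPE debug in the post can be read mechanically. This added example (not part of the original post) decodes the hex LCP option bytes the debug prints and pairs each Configure-Request with its answer; option names follow RFC 1661, `decode_option` and `summarize` are hypothetical helper names, and the embedded lines are an excerpt of the post's output.

```python
import re
DEBUG = """\
1187085: Feb 20 14:27:35: Vp1 LCP: O CONFREQ [Starting] id 1 len 10
1187086: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x7A1DCA64 (0x05067A1DCA64)
1187088: Feb 20 14:27:35: Vp1 LCP: I CONFREQ [REQsent] id 210 len 15
1187089: Feb 20 14:27:35: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
1187091: Feb 20 14:27:35: Vp1 LCP: O CONFACK [REQsent] id 210 len 15
1187095: Feb 20 14:27:37: Vp1 LCP: O CONFREQ [ACKsent] id 2 len 10
1187160: Feb 20 14:27:54: Vp1 LCP: O CONFACK [ACKsent] id 216 len 15
1187164: Feb 20 14:27:55: Vp1 PPP DISC: LCP failed to negotiate
"""  # excerpt copied from the Cisco CPE debug output quoted in the post

LCP_OPTS = {1: "MRU", 2: "ACCM", 3: "Auth-Protocol", 5: "Magic-Number"}  # RFC 1661
AUTH = {0xC023: "PAP", 0xC223: "CHAP"}
PKT = re.compile(r"LCP: ([IO]) (CONF\w+) \[\w+\] id (\d+) len \d+")
OPT = re.compile(r"\(0x([0-9A-Fa-f]+)\)")

def decode_option(hexstr):
    """Decode one LCP option (type, length, data) from the hex the debug prints."""
    raw = bytes.fromhex(hexstr)
    otype, olen, data = raw[0], raw[1], raw[2:]
    if olen != len(raw):
        raise ValueError("option length field does not match its size")
    name = LCP_OPTS.get(otype, f"type-{otype}")
    if otype == 3:  # 2-byte protocol, then (for CHAP) a 1-byte algorithm
        proto = AUTH.get(int.from_bytes(data[:2], "big"), data[:2].hex())
        algo = " MD5" if proto == "CHAP" and data[2:3] == b"\x05" else ""
        return name, proto + algo
    return name, "0x" + data.hex().upper()

def summarize(text):
    """Pair each Configure-Request with its answer (O = sent by CPE, I = received)."""
    sent, answered, peer_acked = [], set(), []
    offered, cur = {"O": set(), "I": set()}, None
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            d, code, pid = m.group(1), m.group(2), int(m.group(3))
            cur = d if code == "CONFREQ" else None  # options below belong to a request
            if d == "O" and code == "CONFREQ":
                sent.append(pid)
            elif d == "O" and code == "CONFACK":
                peer_acked.append(pid)
            elif d == "I" and code != "CONFREQ":
                answered.add(pid)  # inbound CONFACK / CONFNAK / CONFREJ
        elif cur and (o := OPT.search(line)):
            offered[cur].add(decode_option(o.group(1)))
    return {"unanswered": [p for p in sent if p not in answered],
            "peer_acked": peer_acked, "failed": "LCP failed to negotiate" in text,
            "asks": {k: sorted(v) for k, v in offered.items()}}
```

On this excerpt the CPE's own requests (ids 1 and 2) have no inbound answer, while the peer's CHAP requests are acknowledged by the CPE.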
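
The MX trace in the post loads one AVP from the SLI (`type = message, length = 8, flags = M ~H`) and then reports `missing mandatory AVP(ACCM)`. This added example (not part of the original post, and not Junos code) parses L2TPv2 AVPs as laid out in RFC 2661 and checks a Set-Link-Info message for its required AVPs; the byte strings are constructed, and `avp`, `parse_avps` and `check_control_message` are hypothetical names.

```python
import struct

MSG_TYPE, ACCM = 0, 35               # RFC 2661 AVP attribute types
SLI = 16                             # RFC 2661 message type: Set-Link-Info
REQUIRED = {SLI: {MSG_TYPE, ACCM}}   # AVPs RFC 2661 requires in an SLI

def avp(attr, value, mandatory=True):
    """Encode one IETF (vendor 0) AVP: M/H flags + 10-bit length, vendor, attribute."""
    first = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", first, 0, attr) + value

def parse_avps(body):
    """Yield (mandatory, hidden, vendor, attr, value) for each AVP in a message body."""
    off = 0
    while off < len(body):
        if len(body) - off < 6:
            raise ValueError("truncated AVP header")
        first, vendor, attr = struct.unpack_from("!HHH", body, off)
        length = first & 0x03FF
        if length < 6 or off + length > len(body):
            raise ValueError("bad AVP length")
        yield (bool(first & 0x8000), bool(first & 0x4000), vendor, attr,
               body[off + 6:off + length])
        off += length

def check_control_message(body):
    """Return (message_type, sorted required AVP attribute types that are absent)."""
    avps = list(parse_avps(body))
    if not avps or avps[0][2:4] != (0, MSG_TYPE) or len(avps[0][4]) != 2:
        raise ValueError("first AVP must be Message Type")
    mtype = struct.unpack("!H", avps[0][4])[0]
    present = {attr for _, _, vendor, attr, _ in avps if vendor == 0}
    return mtype, sorted(REQUIRED.get(mtype, set()) - present)

# Constructed bodies: an SLI with only the Message Type AVP (length 8, M set,
# matching the trace line) and one that also carries a 16-byte ACCM AVP
# (2 reserved bytes, 4-byte send ACCM, 4-byte receive ACCM).
sli_bare = avp(MSG_TYPE, struct.pack("!H", SLI))
sli_full = sli_bare + avp(ACCM, struct.pack("!HII", 0, 0, 0))
```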



