[j-nsp] LCP keeps renegotiating on L2TP tunnel

Olivier Benghozi olivier.benghozi at wifirst.fr
Thu Feb 22 09:40:38 EST 2018


You need to trace the L2TP packets on both sides.
"AVP" deals here with AVPs within L2TP control packets, not in radius.
It's about the AsyncMap missing in L2TP SLI packets (made to exchange Asyncmaps), in Asyncmode PPP/L2TP.

> On 22 Feb 2018 at 07:23, Drikus Brits <Drikus.Brits at brennanit.com.au> wrote:
> 
> Heya Experts,
> 
> Need some input. We're changing houses. Yeay... or not. We're in the process of changing from Cisco PE's to Juniper, and as such DSL and 4G services are first up on the migration. I'm stuck trying to get an MX104 to terminate l2tp sessions with Cisco CPEs.
> 
> We have 2x scenarios where we have Cisco & Huawei CPE's doing normal dialer sessions and Virtual-ppp interface configuration as per below to Cisco PEs within VRFs and global etc. Scenario 1 is working with just DSL dialer services terminating from carriers using L2TP tunnels from the carrier LAC/BRAS boxes to our MX104s and then terminating pppoe subscribers via the dialer interfaces. This works like a charm.
> 
> The second one isn't working so well, where we have 4g services out there on an internet facing APN with each CPE terminating individual l2tp sessions to our MX104s. On the Cisco CPE the debugs show LCP trying to negotiate and eventually fails, however on the MX, it shows what appears to be some success. We've got radius servers pushing the AV pairs with the necessary IP's, routes & vrfs, but rad requests aren't even hitting me yet.
> 
> MX:
> 
> drikusb at SYD-BB-01> show services l2tp tunnel
>   Local ID  Remote ID  Remote IP               Sessions  State
>   7991      25256      61.41.122.32:1701             1  Established
> 
> drikusb at SYD-BB-01> show subscribers
> Interface           IP Address/VLAN ID                      User Name                      LS:RI
> si-0/0/0.3221229393                                                                   default:default
> 
> Cisco CPE:
> 
> Testing-dsltest-cpe#
> 
> 
> interface Virtual-PPP1
> ip address negotiated
> ip virtual-reassembly in
> keepalive 30
> ppp chap hostname 123456789011 at 4gL2TP
> ppp chap password keepmesecret
> no cdp enable
> pseudowire 192.168.100.10 123 encapsulation l2tpv2 pw-class pwclass1
> 
> 1187080: Feb 20 14:27:35: ppp0 PPP: Phase is ESTABLISHING
> 1187081: Feb 20 14:27:35: Vp1 PPP: Using default call direction
> 1187082: Feb 20 14:27:35: Vp1 PPP: Treating connection as a dedicated line
> 1187083: Feb 20 14:27:35: Vp1 PPP: Session handle[F200003D] Session id[0]
> 1187084: Feb 20 14:27:35: Vp1 LCP: Event[OPEN] State[Initial to Starting]
> 1187085: Feb 20 14:27:35: Vp1 LCP: O CONFREQ [Starting] id 1 len 10
> 1187086: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x7A1DCA64 (0x05067A1DCA64)
> 1187087: Feb 20 14:27:35: Vp1 LCP: Event[UP] State[Starting to REQsent]
> 1187088: Feb 20 14:27:35: Vp1 LCP: I CONFREQ [REQsent] id 210 len 15
> 1187089: Feb 20 14:27:35: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
> 1187090: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x3F8C879E (0x05063F8C879E)
> 1187091: Feb 20 14:27:35: Vp1 LCP: O CONFACK [REQsent] id 210 len 15
> 1187092: Feb 20 14:27:35: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
> 1187093: Feb 20 14:27:35: Vp1 LCP:    MagicNumber 0x3F8C879E (0x05063F8C879E)
> <<  repeated output as per above/below omitted >>
> 1187094: Feb 20 14:27:35: Vp1 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
> 1187095: Feb 20 14:27:37: Vp1 LCP: O CONFREQ [ACKsent] id 2 len 10
> 1187096: Feb 20 14:27:37: Vp1 LCP:    MagicNumber 0x7A1DCA64 (0x05067A1DCA64)
> 1187097: Feb 20 14:27:37: Vp1 LCP: Event[Timeout+] State[ACKsent to ACKsent]
> 1187160: Feb 20 14:27:54: Vp1 LCP: O CONFACK [ACKsent] id 216 len 15
> 1187161: Feb 20 14:27:54: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
> 1187162: Feb 20 14:27:54: Vp1 LCP:    MagicNumber 0x3F8C879E (0x05063F8C879E)
> 1187163: Feb 20 14:27:54: Vp1 LCP: Event[Receive ConfReq+] State[ACKsent to ACKsent]
> 1187164: Feb 20 14:27:55: Vp1 PPP DISC: LCP failed to negotiate
> 1187165: Feb 20 14:27:55: Vp1 PPP: Sending Acct Event[Down] id[26B]
> 1187166: Feb 20 14:27:55: PPP: NET STOP send to AAA.
> 1187167: Feb 20 14:27:55: Vp1 LCP: Event[Timeout-] State[ACKsent to Stopped]
> 1187168: Feb 20 14:27:55: Vp1 LCP: Event[DOWN] State[Stopped to Starting]
> 1187169: Feb 20 14:27:55: Vp1 PPP: Phase is DOWN
> Testing-dsltest-cpe #
> 
> 
> MXConfig:
> set interfaces si-0/0/0 hierarchical-scheduler
> set interfaces si-0/0/0 encapsulation generic-services
> set interfaces si-0/0/0 unit 0 family inet
> set chassis fpc 0 pic 0 inline-services bandwidth 10g
> set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
> set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix next-hop "$junos-framed-route-nexthop"
> set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix metric "$junos-framed-route-cost"
> set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix preference "$junos-framed-route-distance"
> set dynamic-profiles dyn-lns-profile routing-instances "$junos-routing-instance" routing-options access-internal route $junos-subscriber-ip-address qualified-next-hop "$junos-interface-name"
> set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" interface-mib
> set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options l2tp-interface-id l2tp-encapsulation
> set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options dedicated
> set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" routing-services
> set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" keepalives interval 5
> set dynamic-profiles dyn-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
> set services l2tp tunnel-group tg_dynamic l2tp-access-profile cpe_l2tp_profile
> set services l2tp tunnel-group tg_dynamic aaa-access-profile RADIUS-GROUP-01
> set services l2tp tunnel-group tg_dynamic local-gateway address 192.168.100.10
> set services l2tp tunnel-group tg_dynamic service-interface si-0/0/0
> set services l2tp tunnel-group tg_dynamic dynamic-profile dyn-lns-profile
> set access-profile RADIUS-GROUP-01
> set access group-profile l2tp_group_profile ppp idle-timeout 200
> set access group-profile l2tp_group_profile ppp ppp-options pap
> set access group-profile l2tp_group_profile ppp ppp-options chap
> set access group-profile l2tp_group_profile ppp keepalive 30
> set access profile cpe_l2tp_profile client default l2tp interface-id l2tp-encapsulation
> set access profile cpe_l2tp_profile client default l2tp lcp-renegotiation
> set access profile cpe_l2tp_profile client default l2tp shared-secret "$9$m5T30OReK8RheWx7sYfTz36AO1h"
> set access profile cpe_l2tp_profile client default user-group-profile l2tp_group_profile
> set access profile RADIUS-GROUP-01 authentication-order radius
> set access profile RADIUS-GROUP-01 radius authentication-server 10.10.10.100
> set access profile RADIUS-GROUP-01 radius accounting-server 10.10.10.100
> set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 port 1812
> set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 secret "$9$AiHTt0IKMXdVYyl7VbwJZ36/t01SyKvLN24UHk.zFRhSe87wsgUi.ev"
> set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 timeout 10
> set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 retry 3
> set access profile RADIUS-GROUP-01 radius-server 10.10.10.100 source-address 10.2.50.60
> set access profile RADIUS-GROUP-01 accounting order radius
> 
> Traceoptions on the MX indicate something maybe with inter-op variable being sent from the Cisco or something missing.
> 
> Feb 20 15:40:19.288330 receive: Discarding incoming payload from 1 0x0 61.41.122.3261.14.103.110 - header not control len 22
> Feb 20 15:40:19.842444 processIfdNotifyMsg: received state sync IFD notify , action = 1 ifdIndex = 168 ifdBbeIndex = 26 ifdName = xe-2/0/1 ifdFlags = c000
> Feb 20 15:40:19.842547 processIfdNotifyMsg: Dropping the received state sync IFD notify , action = 1 ifdIndex = 168 ifdBbeIndex = 26 ifdName = xe-2/0/1 ifdFlags = c000
> Feb 20 15:40:19.842590 processIfdNotifyMsg: received state sync IFD notify , action = 1 ifdIndex = 178 ifdBbeIndex = 27 ifdName = xe-2/0/0 ifdFlags = c000
> Feb 20 15:40:19.842628 processIfdNotifyMsg: Dropping the received state sync IFD notify , action = 1 ifdIndex = 178 ifdBbeIndex = 27 ifdName = xe-2/0/0 ifdFlags = c000
> Feb 20 15:40:21.303953 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:21.485999 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
> Feb 20 15:40:23.321018 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:24.591129 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
> Feb 20 15:40:25.336923 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:27.353564 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:27.688001 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
> Feb 20 15:40:29.369324 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:30.566527 doSessionCleanUp: Session cleanup for session Uid = L2tpSession 0xf69, sdb Id = 3934, ifl Id = 0, subscriber control transferred = 1, profile de-instantiation required = 0, profile name = dyn-lns-profile, SMD cleanup required = 0
> Feb 20 15:40:30.566782 removePrivateData: sdb_remove_app_defined_data for sdb table type session, oper, uid L2tpSession 0xf69
> Feb 20 15:40:30.567113 App Def tid 3 del, mem 0x851aba88 found
> Feb 20 15:40:30.567241 removePrivateData: sdb_remove_app_defined_data for sdb table type session, config, uid L2tpSession 0xf69
> Feb 20 15:40:30.567435 App Def tid 3 del, mem 0x851ab284 found
> Feb 20 15:40:30.784101 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
> Feb 20 15:40:31.385220 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:33.401577 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 22
> Feb 20 15:40:33.883653 receive: Discarding incoming payload from 1 0x0 61.41.122.32192.168.100.10 - header not control len 27
> Feb 20 15:40:35.420128 receive: received L2TP packet type sli, from remote address 61.41.122.32, remote port  1701, for local address 192.168.100.10, local port 1701, tunnel Id 0x7991, session Id 0x32083
> Feb 20 15:40:35.420331 receive: Processing incoming in-sequence sli from 1 0x0 61.41.122.32192.168.100.10 - controlHeader.Ns = 96, nextReceiveNs = 96
> Feb 20 15:40:35.420628 load: AVP Header: type = message, length = 8, flags = M ~H
> Feb 20 15:40:35.420743 receiveSli: Remote error in incoming sli from 1 0x0 61.41.122.32192.168.100.10 - missing mandatory AVP(ACCM)
> Feb 20 15:40:35.421133 sendZLB: send L2TP packet type zlb, for remote  address 61.41.122.32, remote port 1701, from local address 192.168.100.10, local port 1701, L2tpTunnel 0x3e9, tunnel Id 25256, session Id 0, Ns 48, Nr 97
> Feb 20 15:40:35.421606 receive: received L2TP packet type sli, from remote address 61.41.122.32, remote port  1701, for local address 192.168.100.10, local port 1701, tunnel Id 0x7991, session Id 0x32083
> Feb 20 15:40:35.421731 receive: Processing incoming in-sequence sli from 1 0x0 61.41.122.32192.168.100.10 - controlHeader.Ns = 97, nextReceiveNs = 97
> Feb 20 15:40:35.421948 load: AVP Header: type = message, length = 8, flags = M ~H
> Feb 20 15:40:35.422128 receiveSli: Remote error in incoming sli from 1 0x0 61.41.122.32192.168.100.10 - missing mandatory AVP(ACCM)
> Feb 20 15:40:35.423282 sendZLB: send L2TP packet type zlb, for remote  address 61.41.122.32, remote port 1701, from local address 192.168.100.10, local port 1701, L2tpTunnel 0x3e9, tunnel Id 25256, session Id 0, Ns 48, Nr 98
> 
> I've scouted a multitude of the l2tp kb's and docs on the juniper website, but to no avail. I tried googling for information related to the missing "missing mandatory AVP(ACCM)" error, but still missing something small me thinks.
> 
> Any ideas?
> 
> Drikus Brits
> Core Network Engineer
> T 02 8235 9578   M 0434 664 567
> E drikus.brits at brennanit.com.au
> 
> 
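
Added example (not part of either post, and not Juniper or Cisco code): a minimal RFC 2661 control-message parser that reports whether a Set-Link-Info (SLI) message carries the ACCM AVP that the MX trace reports as missing. The packets are constructed for illustration; the function names and the tunnel, session and sequence numbers are assumptions.

```python
import struct

SLI, MSG_TYPE, ACCM = 16, 0, 35  # RFC 2661: SLI message type; AVP attribute types

def parse_control(pkt):
    """Return ((tunnel, session, ns, nr), avps) for a control message, None for data."""
    if len(pkt) < 6 or pkt[1] & 0x0F != 2:
        raise ValueError("not an L2TPv2 packet")
    flags = pkt[0] << 8 | pkt[1]
    if not flags & 0x8000:
        return None  # T bit clear: data message ("header not control" in the trace)
    # Pad before unpacking so a short packet fails the length check below.
    length, tid, sid, ns, nr = struct.unpack_from("!5H", pkt.ljust(12, b"\0"), 2)
    if flags & 0x4800 != 0x4800 or not 12 <= length <= len(pkt):
        raise ValueError("malformed control header (L/S bits or length)")
    avps, off = [], 12
    while off < length:
        if length - off < 6:
            raise ValueError("truncated AVP header")
        word, vendor, attr = struct.unpack_from("!3H", pkt, off)
        alen = word & 0x03FF  # low 10 bits; the length includes the 6-byte AVP header
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length")
        avps.append((vendor, attr, bool(word & 0x8000), pkt[off + 6:off + alen]))
        off += alen
    return (tid, sid, ns, nr), avps

def check_sli(pkt):
    """Classify a packet: 'data', 'zlb', 'other', 'sli-ok' or 'sli-missing-accm'."""
    parsed = parse_control(pkt)
    if parsed is None:
        return "data"
    avps = parsed[1]
    if not avps:
        return "zlb"  # header only: an acknowledgement
    vendor, attr, _, value = avps[0]
    if (vendor, attr, len(value)) != (0, MSG_TYPE, 2):
        raise ValueError("first AVP must be Message Type")
    if struct.unpack("!H", value)[0] != SLI:
        return "other"
    has_accm = any(v == 0 and a == ACCM for v, a, _, _ in avps[1:])
    return "sli-ok" if has_accm else "sli-missing-accm"

# Constructed sample packets (built here, not captured from the routers in the thread).
def avp(attr, value):  # mandatory (M bit set), IETF vendor ID 0
    return struct.pack("!3H", 0x8000 | (6 + len(value)), 0, attr) + value
def control(tid, sid, ns, nr, body=b""):
    return struct.pack("!6H", 0xC802, 12 + len(body), tid, sid, ns, nr) + body
MT_SLI = avp(MSG_TYPE, struct.pack("!H", SLI))
BARE_SLI = control(7991, 1, 96, 48, MT_SLI)  # Message Type AVP only
FULL_SLI = control(7991, 1, 97, 48, MT_SLI + avp(ACCM, struct.pack("!HII", 0, 0, 0)))
```

Run against UDP port 1701 payloads captured on both sides, `check_sli` separates the PPP data packets, the ZLB acknowledgements and the SLI messages, so an SLI that carries only the 8-byte Message Type AVP is easy to spot.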


