topic Re: PPPoE not working with ASA 5508-X in Network Security

PPPoE not working with ASA 5508-X

Brendan Wood — Fri, 21 Feb 2020 16:10:58 GMT

Hello,

I currently have the ASA 5505 firewall set up to login through a DSL modem (passthrough mode). On the 5505, I set up my outside interface and vlan to connect via PPPoE and it seems to work fine.

I recently purchased an ASA 5508 and I've tried to set up PPPoE client on the GigaBitEthernet 0.1

In brief, when the DSL negotiates, I don't see any attempts for the ASA 5508 to connect. It just doesn't budge.

I don't have any routes defined, but I assume it should still connect even without a route?

And, is there something different now because the PPPoE is not being defined on a vlan?

Perhaps I'm new to the 5508-x and I don't understand some basic fundamentals.

Any suggestions are welcome.

Thanks.

Re: PPPoE not working with ASA 5508-X

Ajay Saini — Mon, 03 Sep 2018 06:44:31 GMT

Hello,

If you follow the document below, you should be fine:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110322-asa-pppoe-00.html

The command that needs to be added for getting a route is ip address pppoe setroute

Make sure that username and password are correct.

If you still does not get an ip address, try following debugs:

debug pppoe {event | error | packet}

HTH

Re: PPPoE not working with ASA 5508-X

Brendan Wood — Thu, 06 Sep 2018 05:30:17 GMT

Hello,

Thanks so much, I've followed your guides, but it is still not working.

I've tried:

1. Connect with ASA-5505 (other machine) - Connect ok.

2. Connect with a Windows machine and create a PPPoE diaup connection - Connects OK.

The debug keeps showing this over and over:

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:003a.7df3.de1c Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: padi timer expired

My config looks like this:

ASA Version 9.5(2) 
!
hostname ciscoasa
enable password ***** encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group Acanac
 ip address pppoe setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
logging class auth asdm debugging 
mtu outside 1492
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Acanac request dialout pppoe
vpdn group Acanac localname x@acanac.net
vpdn group Acanac ppp authentication pap
vpdn username x@acanac.net password ***** store-local

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username ciscouser password **** encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect rsh 
 inspect rtsp 
 inspect esmtp 
 inspect sqlnet 
 inspect skinny 
 inspect sunrpc 
 inspect xdmcp 
 inspect sip 
 inspect netbios 
 inspect tftp 
 inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:*******
: end
no asdm history enable

This should connect right? I'm just missing the natting from inside to outside but I can do that once I get pppoe to connect.

This is frustrating for me, not sure what to look at next, seems I've set everything correctly. Any suggestions are welcome.

Re: PPPoE not working with ASA 5508-X

Ajay Saini — Thu, 06 Sep 2018 06:28:22 GMT

The debugs clearly show that there is no response to the initial pppoe discovery packet sent by the ASA. Looks like the modem is expecting something else. Maybe the ISP is expecting more info like vlan tag, could you please check with ISP.

One more thing you can do is to get the debugs from ASA 5505, we can compare the working and non working debugs and see if there is anything additional info is required.

Regards,

Re: PPPoE not working with ASA 5508-X

Brendan Wood — Sat, 15 Sep 2018 05:10:44 GMT

I've looked at my documentation for my provider much more in depth and I can see that there are two settings related to VLAN for PPPoE setup (see attached bridge mode instructions from the ISP).

Set the 802.1P Priority field to 1.
Set the 802.1Q VLAN ID field to 35.

Would this have anything to do with the reason my 5508x will not connect via pppoe?

If so, why did the 5505 connect? I never specified vlan 35 anywhere in the 5505 setup. I know if I look at the VLAN ID of my 5505 outside it is set to 2.

I've attached the PDF to show instructions from my ISP on how to connect with a router thru the modem using username and password.

This is certainly very confusing compared to my original ASA!

Re: PPPoE not working with ASA 5508-X

Ajay Saini — Sun, 16 Sep 2018 07:00:44 GMT

Hello,

You can achieve vlan id 35 by creating subinterface with vlan id 35. It will send and receive vlan id 35 tagged packets for pppoe negotiation. Not sure about the priority field, not even sure if ASA supports that field.

Can you try this vlan id using subinterface and see if it helps.

HTH

Re: PPPoE not working with ASA 5508-X

Brendan Wood — Sun, 14 Oct 2018 21:39:13 GMT

The problem is fixed, I just wanted to mention it here.

I switched provider to another provider (another reseller that sells Bell DSL), and guess what it just worked. I put in the new username and password, and it instantly connected.

It remains a mystery why the 5508x didn't connect.

Thanks for help.