Solved: ASR1001-X and ASR920-4SZ: PPPoE doesnt install route

spadhausen · ‎04-18-2025

Hello:

The very same issue on ASR1001-X with 16.9.8 IPBASE and ASR920-4SZ-A with 17.6.7 ADVMETROACCESS

This is the conf:

!
aaa new-model
!
!
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
bba-group pppoe global
virtual-template 1
!
!
!
interface Loopback0
ip address 100.80.2.102 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/0/0
ip address 100.100.100.254 255.255.255.0 (fictional public ip address)
no ip redirects
no ip proxy-arp
media-type rj45
negotiation auto
pppoe enable group global
cdp enable
!

!
interface Virtual-Template1
ip unnumbered Loopback0
no ip redirects
peer default ip address pool DUMMY
ppp mtu adaptive
ppp mtu pppoe unlimited
ppp authentication chap ms-chap ms-chap-v2 pap callin
ppp ipcp dns 185.83.172.10 185.83.172.14
ppp ipcp route default
subscriber-interface

ip local pool DUMMY 10.254.254.1 10.254.254.2sh log

radius server MT_USERMANAGER
address ipv4 100.127.251.200 auth-port 1812 acct-port 1813
key ***
!

The PPPoE client connects fine, receives an IP address but the is no route to the /32 installed on the Router (ASR).

Made a lot of tests with no avail. I cannot even ping from the client, the ip unnumbered Ip address

the IP I want to assign to the client is a public IP 154.62.195.222/32

Here the logs:

Apr 18 12:07:59.473: RADIUS: NAS-IP-Address [4] 6 100.80.2.102
Apr 18 12:07:59.473: RADIUS(00000038): Sending a IPv4 Radius Packet
Apr 18 12:07:59.474: RADIUS(00000038): Started 5 sec timeout
Apr 18 12:07:59.475: RADIUS: Received from id 1645/39 100.127.251.200:1812, Access-Accept, len 94
RADIUS: authenticator 66 70 9C 32 FB 5D 77 16 - 0F 02 50 2F D7 82 4F 62
Apr 18 12:07:59.475: RADIUS: Framed-IP-Address [8] 6 154.62.195.222
Apr 18 12:07:59.475: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
Apr 18 12:07:59.475: RADIUS: Framed-Route [22] 34 "154.62.195.222/32 154.62.195.222"
Apr 18 12:07:59.476: RADIUS: Class [25] 10
RADIUS: 15 4B FD CC 9E F1 D7 68 [ Kh]
Apr 18 12:07:59.476: RADIUS: Message-Authenticato[80] 18
RADIUS: 9F 04 9B 7A FD 44 0D F9 00 B0 EF C4 C4 1F 05 E3 [ zD]
Apr 18 12:07:59.476: RADIUS(00000038): Received from id 1645/39
Apr 18 12:07:59.477: ppp40 PPP: Phase is FORWARDING, Attempting Forward
Apr 18 12:07:59.501: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
Apr 18 12:07:59.506: [40]PPPoE 40: State LCP_NEGOTIATION Event SSS CONNECT LOCAL
Apr 18 12:07:59.508: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Apr 18 12:07:59.514: [40]PPPoE 40: Segment (SSS class): UPDATED
Apr 18 12:07:59.514: [40]PPPoE 40: Segment (SSS class): BOUND
Apr 18 12:07:59.514: [40]PPPoE 40: data path set to Virtual Acess
Apr 18 12:07:59.514: [40]PPPoE 40: State LCP_NEGOTIATION Event SSM UPDATED
Apr 18 12:07:59.515: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
Apr 18 12:07:59.515: Vi3 CHAP: O SUCCESS id 1 len 4
Apr 18 12:07:59.516: Vi3 PPP: Reducing MTU to peer's MRU
Apr 18 12:07:59.522: dyn_attrs->xmit_rate: 100000000 dyn_attrs->rcv_rate: 100000000
Apr 18 12:07:59.523: [40]PPPoE 40: AAA get dynamic attrs
Apr 18 12:07:59.524: Vi3 PPP: Phase is UP
Apr 18 12:07:59.524: Vi3 IPCP: Protocol configured, start CP. state[Initial]
Apr 18 12:07:59.524: Vi3 IPCP: Event[OPEN] State[Initial to Starting]
Apr 18 12:07:59.525: Vi3 IPCP: O CONFREQ [Starting] id 1 len 10
Apr 18 12:07:59.525: Vi3 IPCP: Address 100.80.2.102 (0x030664500266)
Apr 18 12:07:59.525: Vi3 IPCP: Event[UP] State[Starting to REQsent]
Apr 18 12:07:59.525: Vi3 IPCP: I CONFREQ [REQsent] id 3 len 22
Apr 18 12:07:59.526: Vi3 IPCP: Address 0.0.0.0 (0x030600000000)
Apr 18 12:07:59.526: Vi3 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Apr 18 12:07:59.526: Vi3 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Apr 18 12:07:59.526: Vi3 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0
Apr 18 12:07:59.527: Vi3 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 154.62.195.222
Apr 18 12:07:59.527: Vi3 IPCP: O CONFNAK [REQsent] id 3 len 22
Apr 18 12:07:59.527: Vi3 IPCP: Address 154.62.195.222 (0x03069A3EC3DE)
Apr 18 12:07:59.527: Vi3 IPCP: PrimaryDNS 185.83.172.10 (0x8106B953AC0A)
Apr 18 12:07:59.527: Vi3 IPCP: SecondaryDNS 185.83.172.14 (0x8306B953AC0E)
Apr 18 12:07:59.528: Vi3 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
Apr 18 12:07:59.528: Vi3 TAGCP: I CONFREQ [UNKNOWN] id 2 len 4
Apr 18 12:07:59.528: Vi3 LCP: O PROTREJ [Open] id 2 len 10 protocol TAGCP (0x01020004)
Apr 18 12:07:59.528: Vi3 IPCP: I CONFACK [REQsent] id 1 len 10
Apr 18 12:07:59.528: Vi3 IPCP: Address 100.80.2.102 (0x030664500266)
Apr 18 12:07:59.529: Vi3 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
Apr 18 12:07:59.529: RADIUS/ENCODE(00000038):Orig. component type = PPPoE
Apr 18 12:07:59.530: RADIUS(00000038): Config NAS IP: 100.80.2.102
Apr 18 12:07:59.530: vrfid: [65535] ipv6 tableid : [0]
Apr 18 12:07:59.530: idb is NULL
Apr 18 12:07:59.530: RADIUS(00000038): Config NAS IPv6: ::
Apr 18 12:07:59.530: RADIUS(00000038): sending
Apr 18 12:07:59.530: [40]PPPoE 40: State PTA_BINDING Event STATIC BIND RESPONSE
Apr 18 12:07:59.530: [40]PPPoE 40: Connected PTA
Apr 18 12:07:59.532: RADIUS(00000038): Send Accounting-Request to 100.127.251.200:1813 id 1646/76, len 179
RADIUS: authenticator 2F CF 2F F7 2A 65 BA 38 - AB C0 33 0E AA 93 A3 F3
Apr 18 12:07:59.532: RADIUS: Acct-Session-Id [44] 10 "0000002E"
Apr 18 12:07:59.532: RADIUS: Framed-Protocol [7] 6 PPP [1]
Apr 18 12:07:59.532: RADIUS: User-Name [1] 9 "utente1"
Apr 18 12:07:59.532: RADIUS: Vendor, Cisco [26] 32
Apr 18 12:07:59.532: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
Apr 18 12:07:59.533: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Apr 18 12:07:59.533: RADIUS: Acct-Status-Type [40] 6 Start [1]
Apr 18 12:07:59.533: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 18 12:07:59.534: RADIUS: NAS-Port [5] 6 0
Apr 18 12:07:59.534: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"
Apr 18 12:07:59.534: RADIUS: Vendor, Cisco [26] 41
Apr 18 12:07:59.534: RADIUS: Cisco AVpair [1] 35 "client-mac-address=c4ad.34bb.dbfa"
Apr 18 12:07:59.534: RADIUS: Class [25] 10
RADIUS: 15 4B FD CC 9E F1 D7 68 [ Kh]
Apr 18 12:07:59.534: RADIUS: Service-Type [6] 6 Framed [2]
Apr 18 12:07:59.534: RADIUS: NAS-IP-Address [4] 6 100.80.2.102
Apr 18 12:07:59.535: RADIUS: Acct-Delay-Time [41] 6 0
Apr 18 12:07:59.535: RADIUS(00000038): Sending a IPv4 Radius Packet
Apr 18 12:07:59.535: RADIUS(00000038): Started 5 sec timeout
Apr 18 12:07:59.536: Vi3 IPCP: I CONFREQ [ACKrcvd] id 4 len 22
Apr 18 12:07:59.536: Vi3 IPCP: Address 154.62.195.222 (0x03069A3EC3DE)
Apr 18 12:07:59.536: Vi3 IPCP: PrimaryDNS 185.83.172.10 (0x8106B953AC0A)
Apr 18 12:07:59.536: Vi3 IPCP: SecondaryDNS 185.83.172.14 (0x8306B953AC0E)
Apr 18 12:07:59.536: Vi3 IPCP: O CONFACK [ACKrcvd] id 4 len 22
Apr 18 12:07:59.536: Vi3 IPCP: Address 154.62.195.222 (0x03069A3EC3DE)
Apr 18 12:07:59.536: Vi3 IPCP: PrimaryDNS 185.83.172.10 (0x8106B953AC0A)
Apr 18 12:07:59.536: Vi3 IPCP: SecondaryDNS 185.83.172.14 (0x8306B953AC0E)
Apr 18 12:07:59.537: Vi3 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Apr 18 12:07:59.543: RADIUS: Received from id 1646/76 100.127.251.200:1813, Accounting-response, len 60
RADIUS: authenticator 89 B1 F1 90 75 8E EA A1 - 44 8C 82 75 84 57 F7 F1
Apr 18 12:07:59.543: RADIUS: User-Name [1] 9 "utente1"
Apr 18 12:07:59.543: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 18 12:07:59.543: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"
Apr 18 12:07:59.544: RADIUS: NAS-IP-Address [4] 6 100.80.2.102
Apr 18 12:07:59.544: RADIUS: Acct-Session-Id [44] 10 "0000002E"
Apr 18 12:07:59.562: Vi3 IPCP: State is Open
Apr 18 12:07:59.562: ppp_session_ntfy, topswidb Vi3, va Vi3, platform notify 0
Apr 18 12:07:59.566: Vi3 IPCP: Install default route thru 154.62.195.222
Apr 18 12:07:59.566: Vi3 Added to neighbor route AVL tree: topoid 185404173, address 154.62.195.222
Apr 18 12:07:59.566: Vi3 IPCP: Route not installed to 154.62.195.222
Apr 18 12:08:00.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Apr 18 12:08:00.221: PPPoE : ipfib_encapstr prepared

Dr. Spadoni

spadhausen · ‎04-30-2025

Hello, I have found the issue.

With the very same conf, I activated trial mode the ADVIPSERVICES on 16.9.8 and it worked flawlessy (1001-X)

The ASR920 with the ADVMETRO IOS dont work, maybe it is not supported.

Dr. Spadoni

View solution in original post

MHM Cisco World · ‎04-18-2025

ppp ipcp route default <<- I think this need to add in clinet side not server side

MHM

Yunus Emre DEV · ‎04-18-2025

hi,

There's a lot of reasons for that, you'll have to be more specific,
Are you using ASR as PTA?

OSPF-BGP etc. as routing protocol inside. what are you using,

Do you use subinteface in the interfaces you defined ‘pppoe enable group’?

so we need the full configuration of the router and we need details

spadhausen · ‎04-18-2025

Hello

We use BGP on this router with a basic configuration with "redistribute connected"

I am using the ASR as the PPPoE concentrator.

No subinterfaces, just a basic Gigaethernet0/0/0 with no vlans or vlan tag towards the PPPoE users.

The "WAN" part are two 10gigs:

interface TenGigabitEthernet0/0/2
description Verso SW01 porta 08
ip address 100.127.252.18 255.255.255.252
no ip redirects
no ip proxy-arp
cdp enable
ipv6 address 2A05:9D40::6015:2/125
!

interface TenGigabitEthernet0/0/3
description Verso SW02 porta 08
ip address 100.127.252.22 255.255.255.252
no ip redirects
no ip proxy-arp
cdp enable
ipv6 address 2A05:9D40::6016:2/125
service-policy output QUEUE-LIMIT
!

we have two bgp sessions between two upstream routers (they are in ibgp)

router bgp 4200002005
bgp log-neighbor-changes
neighbor RA_MIR peer-group
neighbor RA_MIR remote-as 4200002011
neighbor RA_MIR timers 10 30
neighbor RA_MIR_v6 peer-group
neighbor RA_MIR_v6 remote-as 4200002011
neighbor RA_MIR_v6 timers 10 30
neighbor 2A05:9D40::6015:1 peer-group RA_MIR_v6
neighbor 2A05:9D40::6016:1 peer-group RA_MIR_v6
neighbor 100.127.252.17 peer-group RA_MIR
neighbor 100.127.252.21 peer-group RA_MIR
!
address-family ipv4
network 0.0.0.0
redistribute connected
no neighbor 2A05:9D40::6015:1 activate
no neighbor 2A05:9D40::6016:1 activate
neighbor 100.127.252.17 activate
neighbor 100.127.252.21 activate
exit-address-family
!
address-family ipv6
neighbor 2A05:9D40::6015:1 activate
neighbor 2A05:9D40::6016:1 activate
exit-address-family

Dr. Spadoni

Yunus Emre DEV · ‎04-18-2025

hi,

it's a routing problem,
What do you see on the Sh route,

what are connect, static and bgp routes,

where the global default route goes,

When you tracert over the subscriber, where does it stay, does it not tracert at all or does it stay at a certain hop.

PTA and radius seem to be working in the debug logs,
routing at the L3 level, where the problem takes

josimaru85 · ‎04-18-2025

Hello,

It seems you're facing an issue with PPPoE on both the ASR1001-X and ASR920, where the PPPoE client connects and receives an IP but doesn't have routing or connectivity to the assigned /32 IP. The logs show that the PPPoE process is authenticating and negotiating, but the public IP (154.62.195.222/32) does not seem to route correctly.

Based on your configuration and logs, I suggest checking the following:

Route Configuration: Ensure that you have a static route for the public IP address 154.62.195.222/32 pointing to the appropriate next hop.
Example:
nginx
CopiarEditar
ip route 154.62.195.222 255.255.255.255 <next-hop-IP>
Interface and Subnet Masking: Ensure the assigned public IP (154.62.195.222) is properly handled on the virtual-template and the PPPoE interface. Double-check the subnet mask configuration. Since you're working with a /32 address, make sure your routing table is set up to handle it correctly.
NAT Configuration: If you're using NAT for PPPoE, ensure it's properly set up to allow the client’s public IP to pass through.
Check PPPoE Profile: Verify that the PPPoE profile (virtual-template) is properly associating with the correct virtual access interface.
RADIUS Server: Review the RADIUS server configuration to ensure it correctly sends the Framed-IP-Address and Framed-Route attributes, especially the route information for the /32 IP.

If you're still facing issues, I'd suggest providing additional details on the routing configuration and any possible NAT or firewall settings that may be impacting traffic.

Best regards,
Josimar Caitano (Josinfo)
CCIE | Cisco Instructor | Trading Floor

spadhausen · ‎04-19-2025

Hello, thank you for your answer:

I will try to answer to your points:

1) I dont know wich kind of route I should install on the ASR.

The ASR has a default 0.0.0.0 via eBGP.

I would like to install a static route to the pppoe user, but the system doesnt allow me to set a virtual interface as next hop.

If I ping from the router to the IP itself, no answer. The traceroute dont even start.

2) the frame ip address and the other record it seems to be set correctly since it is passed from the radius to the router.

In the log appears:

Apr 18 12:07:59.566: Vi3 IPCP: Install default route thru 154.62.195.222
Apr 18 12:07:59.566: Vi3 Added to neighbor route AVL tree: topoid 185404173, address 154.62.195.222
Apr 18 12:07:59.566: Vi3 IPCP: Route not installed to 154.62.195.222

So the router explicity dont install the route.

3) No nat involved, it is a public IP address that I give out to the client.

4) I assume yes since the settings are correctly applied (except for the route)

5) I have triple-checked the radius and correctly gives out the needed attributes.

Dr. Spadoni

MHM Cisco World · ‎04-19-2025

So IPCP is push default route from server to client.

Now' next hop of this defualt route is LO in server virtual template'

The LO IP must appear as connect in RIB of client' can you confirm that?

MHM

spadhausen · ‎04-19-2025

Hello,

yes from the client side I can see:

A) ip address 154.62.195.222/32

b) remote address: 100.80.2.102

default route through pppoe interface.

but I cannot ping the 100.80.2.102 from the client.

The issue seems to be on the ASR. On the ASR there are no routes installed for 154.62.195.222

Dr. Spadoni

MHM Cisco World · ‎04-19-2025

154.62.195.222 <<- this IP of LO you add under virtual in server or IP client get?

Use

MHM

spadhausen · ‎04-19-2025

Sorry I dont understand your question.

the 100.80.2.102 is the loopback IP of the ASR. I have set that interface as "ip unnumbered lo0" in the virtual-template.

Client side I see that Ip as the "remote address" that should be fine.

Dr. Spadoni

MHM Cisco World · ‎04-19-2025

154.62.195.222/32 <<- this IP not IP pppoe client get from pool? What is this IP?

The IPCP must push defualt route using LO IP as next hop which as ypu mention is 100.80.2.102

MHM

spadhausen · ‎04-19-2025

I have assigned the static IP address from the radius. I have read that if I assign IPs from the radius, I dont need to have a local pool. However I have also tried to use a local pool, but with no difference. the client gets the IP but the route is not installed.

In the conf I have set a pool "dummy". but even with that IP it doesnt install the route

Dr. Spadoni

MHM Cisco World · ‎04-19-2025

Now I think I get what happened here.

You config radius to push defualt via authz and radius use next-hop not reachable from pppoe client.

Try to make radius not modify defualt route' let IPCP push defualt route with next hop LO IP of pppoe server.

Note:- client not add defualt route if next hop is not reachable.

MHM

spadhausen · ‎04-19-2025

Well, wich next hop? since I have set ip unnumbered lo0 in the virtual template, I already transmit thr "remote address" to the client. How can I achieve what you write? On the radius I could remove the attribute framed route and leave only framed ip address. But the same situation happens.

Dr. Spadoni