L2TP PPP lab scenario issue based on CSR1000V

Omar El-Mohri
Level 1

Hello everyone,

I'm building a topology to simulate the following:

(Customer)===[PPPoE]====(LAC)====[L2TP]====(LNS-RADIUS)

Here is my current configuration based on IOS-XE CSR 1000V:

Client#sh run
!
hostname Client
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 93PPFPXCV57
license boot level ax
spanning-tree extend system-id
!
interface GigabitEthernet1
ip address 192.168.0.100 255.255.255.0
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap
ppp pap sent-username dsl@zam.com password 0 dsl
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
!
control-plane
!

LAC configuration:

LAC#sh run
!
aaa new-model
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
vpdn search-order domain
!
vpdn-group zam
request-dialin
protocol l2tp
domain zam.com
initiate-to ip 10.0.0.1
local name LAC
l2tp tunnel password 0 pass
!
bba-group pppoe global
virtual-template 1
!
interface GigabitEthernet1
ip address 10.0.0.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 192.168.0.1 255.255.255.0
negotiation auto
pppoe enable group global
!
interface Virtual-Template1
ip unnumbered GigabitEthernet2
ppp authentication pap
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
end

And the LNS configuration:

LNS#sh run
!
hostname LNS
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication ppp default local
aaa authorization network default local
aaa accounting network default start-stop group radius
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
vpdn multihop
!
vpdn-group zam
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname LAC
source-ip 10.0.0.1
lcp renegotiation always
l2tp tunnel password 0 pass
!
username omar privilege 15 password 0 omar
username dsl password 0 dsl
!
redundancy
mode none
!
bba-group pppoe global
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet1
ip address 10.0.0.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 10.3.3.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet1
ip mtu 1480
peer default ip address pool pool1
ppp authentication pap
!
!
virtual-service csr_mgmt
!
ip local pool pool1 172.16.0.100 172.16.0.110
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
radius-server configure-nas
!
radius server dalo
address ipv4 10.3.3.13 auth-port 1812 acct-port 1813
automate-tester username test probe-on
key Z@Mradius
!
control-plane
!
end

This setup is giving me the following debug at the LAC (and nothing happening at the LNS):

LAC#pp159 PPP: Session handle[6000009F] Session id[159]
*Dec 7 02:37:00.334: [159]PPPoE 159: State LCP_NEGOTIATION Event PPP DISCONNECT
*Dec 7 02:37:00.334: [159]PPPoE 159: O PADT R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:00.334: [159]PPPoE 159: Destroying R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:00.334: [159]PPPoE 159: AAA get dynamic attrs
*Dec 7 02:37:00.334: [159]PPPoE 159: AAA account stopped
*Dec 7 02:37:00.334: [159]PPPoE 159: Segment (SSS class): UNPROVISION
*Dec 7 02:37:00.338: PPPoE 159: I PADT R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:20.516: PPPoE 0: I PADI R:0050.5687.5cc0 L:ffff.ffff.ffff Gi2
*Dec 7 02:37:20.516: Service tag: NULL Tag
*Dec 7 02:37:20.516: PPPoE 0: O PADO, R:0050.5687.195b L:0050.5687.5cc0 Gi2
*Dec 7 02:37:20.516: Service tag: NULL Tag
*Dec 7 02:37:22.564: PPPoE 0: I PADR R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:22.564: Service tag: NULL Tag
*Dec 7 02:37:22.564: PPPoE : encap string prepared
*Dec 7 02:37:22.564: [160]PPPoE 160: Access IE handle allocated
*Dec 7 02:37:22.564: [160]PPPoE 160: AAA get retrieved attrs
*Dec 7 02:37:22.564: [160]PPPoE 160: AAA get nas port details
*Dec 7 02:37:22.564: [160]PPPoE 160: Error adjusting nas port format did
*Dec 7 02:37:22.564: AAA/BIND(000000AC): Bind i/f Virtual-Template1
*Dec 7 02:37:22.564: [160]PPPoE 160: AAA get dynamic attrs
*Dec 7 02:37:22.564: [160]PPPoE 160: AAA unique ID AC allocated
*Dec 7 02:37:22.564: [160]PPPoE 160: No AAA accounting method list
*Dec 7 02:37:22.564: [160]PPPoE 160: Service request sent to SSS
*Dec 7 02:37:22.564: [160]PPPoE 160: Created, Service: None R:0050.5687.195b L:0050.5687.5cc0 Gi2
*Dec 7 02:37:22.564: [160]PPPoE 160: State NAS_PORT_POLICY_INQUIRY Event SSS MORE KEYS
*Dec 7 02:37:22.564: [160]PPPoE 160: data path set to PPP
*Dec 7 02:37:22.564: [160]PPPoE 160: Segment (SSS class): PROVISION
*Dec 7 02:37:22.564: [160]PPPoE 160: State PROVISION_PPP Event SSM PROVISIONED
*Dec 7 02:37:22.564: [160]PPPoE 160: O PADS R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:22.565: [160]PPPoE 160: Unable to Add ANCP Line attributes to the PPPoE Authen attributes
*Dec 7 02:37:22.565: ppp160 PPP: Using vpn set call direction
*Dec 7 02:37:22.565: ppp160 PPP: Treating connection as a callin
*Dec 7 02:37:22.565: ppp160 PPP: Session handle[3A0000A0] Session id[160]
*Dec 7 02:37:22.621: [160]PPPoE 160: State LCP_NEGOTIATION Event PPP DISCONNECT
*Dec 7 02:37:22.621: [160]PPPoE 160: O PADT R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:22.621: [160]PPPoE 160: Destroying R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:22.621: [160]PPPoE 160: AAA get dynamic attrs
*Dec 7 02:37:22.621: [160]PPPoE 160: AAA account stopped
*Dec 7 02:37:22.621: [160]PPPoE 160: Segment (SSS class): UNPROVISION
*Dec 7 02:37:22.625: PPPoE 160: I PADT R:0050.5687.5cc0 L:0050.5687.195b Gi2

THANKS FOR YOUR HELP

Accepted Solutions

Manuel Rodriguez
Cisco Employee

Hi Omar,

From the debugs I see that the session is terminated by the LAC:

*Dec 7 02:37:22.564: [160]PPPoE 160: O PADS R:0050.5687.5cc0 L:0050.5687.195b Gi2
*Dec 7 02:37:22.565: [160]PPPoE 160: Unable to Add ANCP Line attributes to the PPPoE Authen attributes
*Dec 7 02:37:22.565: ppp160 PPP: Using vpn set call direction
*Dec 7 02:37:22.565: ppp160 PPP: Treating connection as a callin
*Dec 7 02:37:22.565: ppp160 PPP: Session handle[3A0000A0] Session id[160]
*Dec 7 02:37:22.621: [160]PPPoE 160: State LCP_NEGOTIATION Event PPP DISCONNECT
*Dec 7 02:37:22.621: [160]PPPoE 160: O PADT R:0050.5687.5cc0 L:0050.5687.195b Gi2

Was 'debug ppp negotiation' enabled here? If not, can you enable it and collect the outputs?

Also, I don't see any AAA config in the LAC. You will need this to trigger VPDN. PPP authentication and network authorization list should be defined.

Regards.

Here is my debug ppp negotiation:

LAC#
*Dec 8 13:39:19.395: PPP: Alloc Context [7FF182848680]
*Dec 8 13:39:19.395: ppp815 PPP: Phase is ESTABLISHING
*Dec 8 13:39:19.395: ppp815 PPP: Using vpn set call direction
*Dec 8 13:39:19.396: ppp815 PPP: Treating connection as a callin
*Dec 8 13:39:19.396: ppp815 PPP: Session handle[A70006BC] Session id[815]
*Dec 8 13:39:19.396: ppp815 LCP: Event[OPEN] State[Initial to Starting]
*Dec 8 13:39:19.396: ppp815 PPP LCP: Enter passive mode, state[Stopped]
*Dec 8 13:39:19.403: ppp815 LCP: I CONFREQ [Stopped] id 1 len 14
*Dec 8 13:39:19.403: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.403: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.403: ppp815 LCP: O CONFREQ [Stopped] id 1 len 18
*Dec 8 13:39:19.403: ppp815 LCP: MRU 1492 (0x010405D4)
*Dec 8 13:39:19.403: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.403: ppp815 LCP: MagicNumber 0x2B5DFFE3 (0x05062B5DFFE3)
*Dec 8 13:39:19.403: ppp815 LCP: O CONFNAK [Stopped] id 1 len 9
*Dec 8 13:39:19.403: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.403: ppp815 LCP: Event[Receive ConfReq-] State[Stopped to REQsent]
*Dec 8 13:39:19.404: ppp815 LCP: I CONFNAK [REQsent] id 1 len 8
*Dec 8 13:39:19.404: ppp815 LCP: MRU 1500 (0x010405DC)
*Dec 8 13:39:19.404: ppp815 LCP: O CONFREQ [REQsent] id 2 len 18
*Dec 8 13:39:19.404: ppp815 LCP: MRU 1500 (0x010405DC)
*Dec 8 13:39:19.404: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.404: ppp815 LCP: MagicNumber 0x2B5DFFE3 (0x05062B5DFFE3)
*Dec 8 13:39:19.404: ppp815 LCP: Event[Receive ConfNak/Rej] State[REQsent to REQsent]
*Dec 8 13:39:19.404: ppp815 LCP: I CONFREQ [REQsent] id 2 len 14
*Dec 8 13:39:19.404: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.404: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.404: ppp815 LCP: O CONFNAK [REQsent] id 2 len 9
*Dec 8 13:39:19.404: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.404: ppp815 LCP: Event[Receive ConfReq-] State[REQsent to REQsent]
*Dec 8 13:39:19.405: ppp815 LCP: I CONFACK [REQsent] id 2 len 18
*Dec 8 13:39:19.405: ppp815 LCP: MRU 1500 (0x010405DC)
*Dec 8 13:39:19.405: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.405: ppp815 LCP: MagicNumber 0x2B5DFFE3 (0x05062B5DFFE3)
*Dec 8 13:39:19.405: ppp815 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Dec 8 13:39:19.405: ppp815 LCP: I CONFREQ [ACKrcvd] id 3 len 14
*Dec 8 13:39:19.405: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.405: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.405: ppp815 LCP: O CONFNAK [ACKrcvd] id 3 len 9
*Dec 8 13:39:19.405: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.405: ppp815 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Dec 8 13:39:19.408: ppp815 LCP: I CONFREQ [ACKrcvd] id 4 len 14
*Dec 8 13:39:19.408: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.408: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.408: ppp815 LCP: O CONFNAK [ACKrcvd] id 4 len 9
*Dec 8 13:39:19.408: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.408: ppp815 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Dec 8 13:39:19.411: ppp815 LCP: I CONFREQ [ACKrcvd] id 5 len 14
*Dec 8 13:39:19.411: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.411: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.411: ppp815 LCP: O CONFNAK [ACKrcvd] id 5 len 9

Thank you

Hi,

From the logs we see that the CPE is constantly asking for the PAP authentication protocol but the LAC is rejecting that and proposing CHAP:

*Dec 8 13:39:19.404: ppp815 LCP: I CONFREQ [REQsent] id 2 len 14
*Dec 8 13:39:19.404: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.404: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.404: ppp815 LCP: O CONFNAK [REQsent] id 2 len 9
*Dec 8 13:39:19.404: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.404: ppp815 LCP: Event[Receive ConfReq-] State[REQsent to REQsent]
*Dec 8 13:39:19.405: ppp815 LCP: I CONFACK [REQsent] id 2 len 18
*Dec 8 13:39:19.405: ppp815 LCP: MRU 1500 (0x010405DC)
*Dec 8 13:39:19.405: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.405: ppp815 LCP: MagicNumber 0x2B5DFFE3 (0x05062B5DFFE3)
*Dec 8 13:39:19.405: ppp815 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Dec 8 13:39:19.405: ppp815 LCP: I CONFREQ [ACKrcvd] id 3 len 14
*Dec 8 13:39:19.405: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.405: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.405: ppp815 LCP: O CONFNAK [ACKrcvd] id 3 len 9
*Dec 8 13:39:19.405: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.405: ppp815 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Dec 8 13:39:19.408: ppp815 LCP: I CONFREQ [ACKrcvd] id 4 len 14
*Dec 8 13:39:19.408: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.408: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.408: ppp815 LCP: O CONFNAK [ACKrcvd] id 4 len 9
*Dec 8 13:39:19.408: ppp815 LCP: AuthProto CHAP (0x0305C22305)
*Dec 8 13:39:19.408: ppp815 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Dec 8 13:39:19.411: ppp815 LCP: I CONFREQ [ACKrcvd] id 5 len 14
*Dec 8 13:39:19.411: ppp815 LCP: AuthProto PAP (0x0304C023)
*Dec 8 13:39:19.411: ppp815 LCP: MagicNumber 0x3543946F (0x05063543946F)
*Dec 8 13:39:19.411: ppp815 LCP: O CONFNAK [ACKrcvd] id 5 len 9

The 2 points don't seem to reach an agreement on the authentication protocol, which, I assume (since whole debugs were not included), is causing the PPP LCP negotiation to fail, which causes the disconnection.

Looking at the CPE config I see:

interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap
ppp pap sent-username dsl@zam.com password 0 dsl
!

You are using "ppp authentication pap" and "ppp pap sent-username dsl@zam.com password 0 dsl". The second command indeed configures the credentials to be used for PAP authentication. However, by using "ppp authentication pap" you are actually configuring the CPE to authenticate the other end of the PPP connection (PPP can perform authentication on each end). Unless you really intend to authenticate the BRAS (LAC in this case) at the CPE, please remove "ppp authentication pap" from the dialer interface config in the CPE side. If you really intend to do the 2-way authentication, you will need to configure the PAP credentials on the LAC side.

Regards.
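Added example, not part of the original thread and not Cisco tooling: Python that parses `debug ppp negotiation` output in the format shown above and flags a session where the peer keeps sending CONFREQ with one AuthProto while the local side keeps answering CONFNAK with another. The function names, the threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the LAC debug above:
# the peer asks for PAP four times and the LAC answers CONFNAK/CHAP each time.
SAMPLE = "".join(
    f"*Dec 8 13:39:19.40{i}: ppp815 LCP: I CONFREQ [ACKrcvd] id {i} len 14\n"
    f"*Dec 8 13:39:19.40{i}: ppp815 LCP: AuthProto PAP (0x0304C023)\n"
    f"*Dec 8 13:39:19.40{i}: ppp815 LCP: O CONFNAK [ACKrcvd] id {i} len 9\n"
    f"*Dec 8 13:39:19.40{i}: ppp815 LCP: AuthProto CHAP (0x0305C22305)\n"
    for i in range(1, 5)
)

# Packet header line, e.g. "ppp815 LCP: I CONFREQ [Stopped] id 1 len 14"
PKT = re.compile(r"(ppp\d+) LCP: ([IO]) (CONF\w+) \[[^\]]*\] id (\d+)")
# Option line, e.g. "ppp815 LCP: AuthProto PAP (0x0304C023)"
OPT = re.compile(r"(ppp\d+) LCP: (\w+) (\S+) \(0x[0-9A-Fa-f]+\)")

def parse_lcp(text):
    """Return LCP packets as dicts; option lines attach to the preceding packet."""
    packets = []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            packets.append({"session": m[1], "dir": m[2], "type": m[3],
                            "id": int(m[4]), "opts": {}})
            continue
        m = OPT.search(line)
        if m and packets and packets[-1]["session"] == m[1]:
            packets[-1]["opts"][m[2]] = m[3]
    return packets

def find_auth_deadlock(packets, threshold=3):
    """Map session -> [(id, requested, countered)] when the loop repeats >= threshold times."""
    pending = {}                      # (session, id) -> AuthProto the peer requested
    hits = defaultdict(list)
    for p in packets:
        key, auth = (p["session"], p["id"]), p["opts"].get("AuthProto")
        if p["dir"] == "I" and p["type"] == "CONFREQ" and auth:
            pending[key] = auth
        elif p["dir"] == "O" and p["type"] == "CONFNAK" and auth:
            requested = pending.pop(key, None)
            if requested and requested != auth:
                hits[p["session"]].append((p["id"], requested, auth))
    return {s: h for s, h in hits.items() if len(h) >= threshold}

if __name__ == "__main__":
    print(find_auth_deadlock(parse_lcp(SAMPLE)))
```
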

No, I don't want to authenticate the LAC.

The Client will be authenticated only.

Should I remove the ppp send-username command and use a username command globally?

Hi,

"ppp send-username" should stay under dialer config. As I said, those are the credentials the CPE will use to authenticate. You will only need to remove "ppp authentication pap" from the dialer interface on the CPE side.

Regards

COOL!

It is working.

Thank you very much Manuel I appreciate your support.

Hi Omar, how are you? Could you please tell me how your lab is done in order to test these functionalities? I'm trying to do almost the same, actually just establishing a PPPoE association between a server and 2 clients, but I'm not able to do it. I'm using 3 CSR1000V in VMware Workstation and VMware virtual bridges in order to provide Ethernet connectivity between routers. I can see in Wireshark the packets sent by R2 and R3 (clients) but the server does not seem to process anything. It's weird :(

How did you set up your lab?

Thanks in advance. Regards.

Hi Luis,

Could you please provide the config of each device and also the output of the following debugs on each device:

- debug ppp negotiation

- debug pppoe packets

That should help in looking at what's happening.

Regards