cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1864
Views
5
Helpful
6
Replies

Another problem with VDSL on 887 router

Jeroen Janssens
Level 1
Level 1

After all the issues with the first 887 VDSL router configuration (see https://community.cisco.com/t5/routing/problem-with-vdsl-on-887/m-p/3404697), I have now configured the second one with a similar configuration but this time PPP doesn't come up.

 

Debug info:

 

*Aug 3 07:50:25.602: %DIALER-6-BIND: Interface Vi2 bound to profile Di0
*Aug 3 07:50:25.606: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Aug 3 07:50:25.606: Vi2 PPP: Sending cstate UP notification
*Aug 3 07:50:25.606: Vi2 PPP: Processing CstateUp message
*Aug 3 07:50:25.606: PPP: Alloc Context [10569548]
*Aug 3 07:50:25.606: ppp33 PPP: Phase is ESTABLISHING
*Aug 3 07:50:25.606: Vi2 PPP: Using dialer call direction
*Aug 3 07:50:25.606: Vi2 PPP: Treating connection as a callout
*Aug 3 07:50:25.606: Vi2 PPP: Session handle[46000021] Session id[33]
*Aug 3 07:50:25.606: Vi2 LCP: Event[OPEN] State[Initial to Starting]
*Aug 3 07:50:25.606: Vi2 PPP: No remote authentication for call-out
*Aug 3 07:50:25.606: Vi2 LCP: O CONFREQ [Starting] id 1 len 14
*Aug 3 07:50:25.606: Vi2 LCP: MRU 1400 (0x01040578)
*Aug 3 07:50:25.606: Vi2 LCP: MagicNumber 0x90B547FA (0x050690B547FA)
*Aug 3 07:50:25.606: Vi2 LCP: Event[UP] State[Starting to REQsent]
*Aug 3 07:50:25.626: Vi2 LCP: I CONFREQ [REQsent] id 69 len 19
*Aug 3 07:50:25.626: Vi2 LCP: MRU 1492 (0x010405D4)
*Aug 3 07:50:25.626: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Aug 3 07:50:25.626: Vi2 LCP: MagicNumber 0x67F01806 (0x050667F01806)
*Aug 3 07:50:25.626: Vi2 LCP: O CONFACK [REQsent] id 69 len 19
*Aug 3 07:50:25.626: Vi2 LCP: MRU 1492 (0x010405D4)
*Aug 3 07:50:25.626: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Aug 3 07:50:25.626: Vi2 LCP: MagicNumber 0x67F01806 (0x050667F01806)
*Aug 3 07:50:25.626: Vi2 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
*Aug 3 07:50:25.626: Vi2 LCP: I CONFACK [ACKsent] id 1 len 14
*Aug 3 07:50:25.626: Vi2 LCP: MRU 1400 (0x01040578)
*Aug 3 07:50:25.626: Vi2 LCP: MagicNumber 0x90B547FA (0x050690B547FA)
*Aug 3 07:50:25.626: Vi2 LCP: Event[Receive ConfAck] State[ACKsent to Open]
*Aug 3 07:50:25.634: Vi2 PPP: No authorization without authentication
*Aug 3 07:50:25.634: Vi2 PPP: Phase is AUTHENTICATING, by the peer
*Aug 3 07:50:25.634: Vi2 LCP: State is Open
*Aug 3 07:50:25.650: Vi2 CHAP: I CHALLENGE id 1 len 31 from "SSR91GEN02"
*Aug 3 07:50:25.650: Vi2 PPP: Sent CHAP SENDAUTH Request
*Aug 3 07:50:25.650: Vi2 PPP: Received SENDAUTH Response FAIL
*Aug 3 07:50:25.650: Vi2 CHAP: Using hostname from interface CHAP
*Aug 3 07:50:25.650: Vi2 CHAP: Using password from interface CHAP
*Aug 3 07:50:25.650: Vi2 CHAP: O RESPONSE id 1 len 36 from "fc369683@skynet"
*Aug 3 07:50:25.838: Vi2 CHAP: I SUCCESS id 1 len 43 msg is "CHAP authentication success, unit 68207"
*Aug 3 07:50:25.838: Vi2 PPP: Phase is FORWARDING, Attempting Forward
*Aug 3 07:50:25.842: Vi2 PPP: Phase is ESTABLISHING, Finish LCP
*Aug 3 07:50:25.842: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Aug 3 07:50:25.842: Vi2 PPP: Phase is UP
*Aug 3 07:50:25.842: Vi2 IPCP: Protocol configured, start CP. state[Initial]
*Aug 3 07:50:25.842: Vi2 IPCP: Event[OPEN] State[Initial to Starting]
*Aug 3 07:50:25.842: Vi2 IPCP: O CONFREQ [Starting] id 1 len 10
*Aug 3 07:50:25.842: Vi2 IPCP: Address 87.66.7.232 (0x0306574207E8)
*Aug 3 07:50:25.842: Vi2 IPCP: Event[UP] State[Starting to REQsent]
*Aug 3 07:50:25.862: Vi2 IPCP: I CONFREQ [REQsent] id 81 len 10
*Aug 3 07:50:25.862: Vi2 IPCP: Address 81.247.224.1 (0x030651F7E001)
*Aug 3 07:50:25.862: Vi2 IPCP: O CONFACK [REQsent] id 81 len 10
*Aug 3 07:50:25.862: Vi2 IPCP: Address 81.247.224.1 (0x030651F7E001)
*Aug 3 07:50:25.862: Vi2 IPCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
*Aug 3 07:50:25.862: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10
*Aug 3 07:50:25.862: Vi2 IPCP: Address 87.64.214.195 (0x03065740D6C3)
*Aug 3 07:50:25.862: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 4
*Aug 3 07:50:25.862: Vi2 IPCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
*Aug 3 07:50:25.886: Vi2 IPCP: I CONFNAK [ACKsent] id 2 len 10
*Aug 3 07:50:25.886: Vi2 IPCP: Address 87.64.214.195 (0x03065740D6C3)
*Aug 3 07:50:25.886: Vi2 IPCP: O CONFREQ [ACKsent] id 3 len 4
*Aug 3 07:50:25.886: Vi2 IPCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
*Aug 3 07:50:27.874: Vi2 IPCP: O CONFREQ [ACKsent] id 4 len 4
*Aug 3 07:50:27.874: Vi2 IPCP: Event[Timeout+] State[ACKsent to ACKsent]
*Aug 3 07:50:27.894: Vi2 LCP: I TERMREQ [Open] id 70 len 4
*Aug 3 07:50:27.894: Vi2 PPP DISC: Received LCP TERMREQ from peer
*Aug 3 07:50:27.894: PPP: NET STOP send to AAA.
*Aug 3 07:50:27.894: Vi2 PPP: Phase is TERMINATING
*Aug 3 07:50:27.894: Vi2 IPCP: Event[DOWN] State[ACKsent to Starting]
*Aug 3 07:50:27.894: Vi2 IPCP: Event[CLOSE] State[Starting to Initial]
*Aug 3 07:50:27.894: Vi2 LCP: O TERMACK [Open] id 70 len 4
*Aug 3 07:50:27.894: Vi2 LCP: Event[Receive TermReq] State[Open to Stopping]
*Aug 3 07:50:28.762: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di0
*Aug 3 07:50:28.762: Vi2 PPP: Block vaccess from being freed [0x10]
*Aug 3 07:50:28.762: Vi2 LCP: Event[DOWN] State[Stopping to Starting]
*Aug 3 07:50:28.762: Vi2 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Aug 3 07:50:28.762: Vi2 PPP: Free previously blocked vaccess
*Aug 3 07:50:28.762: Vi2 PPP: Phase is DOWN
*Aug 3 07:50:28.766: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Aug 3 07:50:28.766: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

 

Current config:

 


Current configuration : 6105 bytes
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BKOFRWL003
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 ***************
enable password 7 ***************
!
no aaa new-model
ethernet lmi ce
clock timezone pctime 1 0
clock summer-time pctime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-372889659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-372889659
revocation-check none
rsakeypair TP-self-signed-372889659
!
!
crypto pki certificate chain TP-self-signed-372889659
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373238 38393635 39301E17 0D313531 32303331 32353430
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3337 32383839
36353930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AE294AF5 4B3E652D 48B86C3E 8C55D813 0A77BCD7 FC443B6A F36562D3 2FE47AE8
C6FE44CC 45794852 07D468A0 0565092B 28D1C523 76A7ADD4 116C43EC DF14197E
298E8325 28A205D2 BF337E5C C34BA2D9 E3002988 A5B0577D B1AC6AA6 98F5CB6D
04FA3C1D 28AC01FA 96A86A2D E2499661 F30B1557 E1AC389C B35CA150 5683ED9B
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801419 13E44CE2 D16FB24C FF626FD0 1B5FDF0A 84468F30 1D060355
1D0E0416 04141913 E44CE2D1 6FB24CFF 626FD01B 5FDF0A84 468F300D 06092A86
4886F70D 01010505 00038181 008181CD 80376437 DB3B6DF0 2F75F47D A280C0A2
90E9FEB5 D59651BA 5D54CECE B16082DB B53DA7F7 2C40EF4B 7ACD7A42 4DA65F41
8C3680AB A5EC820D 07FD6C91 5CBC62B0 4E3E8F5C A5445FFC 2ABAE60E 56D24EBA
C5A2974C EA63DBB9 F567BC9E 843CAB45 203E0955 53B3B475 673D5589 987013EF
5E19E7CD AEEF039C 1FAB582B 36
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.60.17
!
ip dhcp pool sdm-pool
import all
network 10.0.60.16 255.255.255.248
default-router 10.0.60.17
dns-server 10.0.12.32 10.0.12.16
lease 0 2
!
!
!
ip name-server 195.238.2.21
ip name-server 195.238.2.22
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ222012JL
!
!
username janssens.j privilege 15 secret 5 ***************
!
!
!
!
!
controller VDSL 0
firmware filename flash:VA_A_39d_B_38h3_24h.bin
no cdp run
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *************** address 194.78.59.5
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 194.78.59.5
set peer 194.78.59.5
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.10
encapsulation dot1Q 10
ip nat outside
ip virtual-reassembly in
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.0.60.17 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
mtu 1400
ip address 87.66.7.232 255.255.255.0
ip nat outside
ip virtual-reassembly in max-reassemblies 1024
ip virtual-reassembly out max-reassemblies 1024
encapsulation ppp
ip tcp adjust-mss 1360
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***************
ppp chap password 7 ***************
no cdp enable
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 8640 requests 10000
!
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
match ip address 101
match interface Dialer0
!
snmp-server community public RO
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 2 remark SDM_ACM Category=2
access-list 2 permit 10.0.60.16 0.0.0.7
access-list 23 permit 10.0.60.16 0.0.0.7
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.4.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.10.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.11.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.12.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.13.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.14.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.15.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.16.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.17.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.18.0 0.0.0.255
access-list 100 permit ip 10.0.60.16 0.0.0.7 10.0.19.0 0.0.0.255
access-list 100 remark SDM_ACM Category=4
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACM Category=2
access-list 101 deny ip 10.0.60.16 0.0.0.7 10.0.0.0 0.0.255.255
access-list 101 permit ip 10.0.60.16 0.0.0.7 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
exec-timeout 5 30
password 7 ***************
login
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 ***************
login
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end

1 Accepted Solution

Accepted Solutions

Hello,

 

the ISP side is most likely configured to peer, on the VPN side, with only a specified IP address, since you have set the dialer to 'ip address negotiated', there is now a mismatch, and the VPN tunnel won't come up.

 

Curious to know what the ISP has to say...

 

Which IP address does the dialer get, by the way ?

View solution in original post

6 Replies 6

Hello Jeroen,

 

welcome back !

 

Looking at your output, I am not sure where the IP addresses marked in bold come from. Check with what you got from your ISP with regard to IP addressing.

 

What happens if you set the dialer configuration to 'ip address negotiated' ?

 

interface Dialer0
mtu 1400
ip address negotiated

 

*Aug 3 07:50:25.842: Vi2 IPCP: Address 87.66.7.232 (0x0306574207E8)
*Aug 3 07:50:25.842: Vi2 IPCP: Event[UP] State[Starting to REQsent]
*Aug 3 07:50:25.862: Vi2 IPCP: I CONFREQ [REQsent] id 81 len 10
*Aug 3 07:50:25.862: Vi2 IPCP: Address 81.247.224.1 (0x030651F7E001)
*Aug 3 07:50:25.862: Vi2 IPCP: O CONFACK [REQsent] id 81 len 10
*Aug 3 07:50:25.862: Vi2 IPCP: Address 81.247.224.1 (0x030651F7E001)
*Aug 3 07:50:25.862: Vi2 IPCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
*Aug 3 07:50:25.862: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10
*Aug 3 07:50:25.862: Vi2 IPCP: Address 87.64.214.195 (0x03065740D6C3)
*Aug 3 07:50:25.862: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 4
*Aug 3 07:50:25.862: Vi2 IPCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
*Aug 3 07:50:25.886: Vi2 IPCP: I CONFNAK [ACKsent] id 2 len 10
*Aug 3 07:50:25.886: Vi2 IPCP: Address 87.64.214.195 (0x03065740D6C3)

I made the adjustment and the PPP came up. VPN still down.

I contacted the ISP and the first line support has send a request to second line support to make sure the IP address 87.66.7.232 is still correct.

I was now also seeing this message over and over ...

 

*Aug 3 09:51:48.218: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 194.78.59.5 was not encrypted and it should've been.

Hello,

 

the ISP side is most likely configured to peer, on the VPN side, with only a specified IP address, since you have set the dialer to 'ip address negotiated', there is now a mismatch, and the VPN tunnel won't come up.

 

Curious to know what the ISP has to say...

 

Which IP address does the dialer get, by the way ?

The ISP changed their configuration so I now get the fixed IP address again I was expecting. Everything (PPP, VPN, ...) came up after that.

Hello Jeroen,

 

it almost certainly had to be on the ISP side. Glad that it is working !

Review Cisco Networking for a $25 gift card