ASR1K - L2TP tunnels not working and no debug logs

therebel22
Level 1

Hello,

please we need help :

we have made migration from CISCO 2821 to ASR1002-X.

Cisco router is used as LNS for our ADSL links, using L2TP protocol. On 2821, everything worked fine. Migrating with same config on ASR1002-X, everything worked except L2TP sessions.

We wanted to debug but no debug is displayed about L2TP or PPP in console with commands :

- debug aaa authentication
- debug aaa authorization
- debug radius
- debug vpdn l2x-events
- debug vpdn l2x-errors
- debug vpdn l2x-packet
- debug ppp negotiation
- debug ppp authentication

We don't understand why no debug log ??? Is it a bug in IOS XE ?

show vpdn session all and show vpdn tunnel all gave "%No active L2TP tunnels"

Thanks a lot for help !!

----------------------------------

Here our configuration :

sh ver

Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 06-Oct-12 13:03 by mcpre
IOS XE Version: 03.07.01.S
License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase
cisco ASR1002-X (2RU-X) processor with 1156257K/6147K bytes of memory.
Processor board ID SSI16450ENF
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
6684671K bytes of eUSB flash at bootflash:.

Here our LNS/L2TP configuration :

aaa new-model
!
!
aaa group server radius Telco-RADIUS
 server-private x.x.x.x auth-port 1812 acct-port 1813 key secret
 server-private y.y.y.y auth-port 1812 acct-port 1813 key secret
!
aaa authentication ppp Telco-DSL-AAA group Telco-RADIUS
aaa authorization network Telco-DSL-AAA group Telco-RADIUS
aaa accounting network Telco-DSL-AAA
 action-type start-stop
 group Telco-RADIUS
!
aaa session-id common
!
vpdn enable
vpdn history failure table-size 50
vpdn search-order multihop-hostname domain dnis
!
vpdn-group ADSL
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname bas1
 local name LNS1
 lcp renegotiation always
 no l2tp tunnel authentication
 ip mtu adjust
!
interface Virtual-Template1 type serial
 description VT1
 mtu 1460
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1420
 ip policy route-map INTERNET_VT1
 timeout absolute 1800 0
 no peer default ip address
 ppp authentication chap pap Telco-DSL-AAA
 ppp authorization Telco-DSL-AAA
 ppp accounting Telco-DSL-AAA
 ppp ipcp address required
 ppp ipcp address accept

26 Replies 26

Hello, no problem, thanks for reply.

In fact, asr1k is now unplugged because we had to remount adsl links, so today it is the 2821 that is connected. We are asking our LAC provider for LAC logs. We will do some more tests soon.

When asr1k was plugged,  "show l2tp tunnel all" gave also "No active tunnels".

Do you think asr1k can refuse Radius query because of unsupported attribute value pairs that worked fine with 2821 ?

Regards.

In response to your question about logs: those logs appeared only when we modified the configuration with "conf term" then "exit". There were no other logs when we were waiting for LAC or RADIUS queries, so we thought there was a problem with vpdn debug logging, whereas you say it is perhaps a connectivity problem with the LAC. We are checking that.

Hi,

"Do you think asr1k can refuse Radius query because of unsupported attribute value pairs that worked fine with 2821 ?"

Even if ASR refuses it, we should still see those interactions in the logs, which currently we're not seeing. As for checking the absence of logs on ASR, I think it's a good idea to check the logs on the LAC when the ASR is connected.

Out of curiosity, with ASR, I hope you're able to ping the LAC just to check the physical connectivity is all right.

Regards,

Subeh

I think we had pinged successfully the LAC, but we will retry.

We will give you soon tests results. Thanks

Regards

Hello,

some news :

After re-plugging the asr, we have tested ping to LAC and RADIUS : OK.

show bgp was also OK.

We have enabled port mirroring and we saw that ASR1K receives SCCRQ from LAC but doesn't respond. (perhaps a port number problem ??)

312.193595 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)

313.201694 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)

After replugging 2821, Response of LNS is immediate

360.695021 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)

360.703111 A.B.C.LNS -> X.Y.Z.LAC L2TP 139 Control Message - SCCRP (tunnel id=5136, session id=0)

361.703349 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)

We saw that we are missing 2 parameters in vpdn-group: are the parameters "initiate-to ip" and "source-ip" required ? Or is it only for LAC ?

Is there a command to bind vpdn listening for L2TP request to a specific gigabitethernet  interface on ASR 1002-X ? Is there a default gigabitethernet for L2TP on ASR 1002-X ?

Thanks
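Added example, not part of the original thread: a small Python check for the symptom in the capture above, SCCRQ arriving from the LAC with no SCCRP going back from the LNS. It assumes tshark-style one-line summaries in the format shown in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# One-line summary: time, src, "->", dst, "L2TP", length, "Control Message - <TYPE>"
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+L2TP\s+\d+\s+"
    r"Control Message - (?P<msg>\w+)"
)

# Capture lines copied from the post above (addresses are already anonymised there).
ASR_CAPTURE = [
    "312.193595 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)",
    "313.201694 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)",
]
C2821_CAPTURE = [
    "360.695021 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)",
    "360.703111 A.B.C.LNS -> X.Y.Z.LAC L2TP 139 Control Message - SCCRP (tunnel id=5136, session id=0)",
    "361.703349 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)",
]

def tunnel_setup_summary(lines):
    """Per (LAC, LNS) pair: SCCRQ count, SCCRP count, latency of the first reply in seconds."""
    stats = defaultdict(lambda: {"sccrq": 0, "sccrp": 0, "first_rq": None, "latency": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an L2TP control-message summary line
        t, msg = float(m["t"]), m["msg"].upper()
        if msg == "SCCRQ":
            s = stats[(m["src"], m["dst"])]
            s["sccrq"] += 1
            if s["first_rq"] is None:
                s["first_rq"] = t
        elif msg == "SCCRP":
            s = stats[(m["dst"], m["src"])]  # the reply travels LNS -> LAC
            s["sccrp"] += 1
            if s["latency"] is None and s["first_rq"] is not None:
                s["latency"] = t - s["first_rq"]
    return dict(stats)

def silent_lns(lines):
    """(LAC, LNS) pairs where tunnel requests were seen but the LNS never replied."""
    return sorted(k for k, s in tunnel_setup_summary(lines).items()
                  if s["sccrq"] and not s["sccrp"])

if __name__ == "__main__":
    print("ASR1K capture, silent LNS:", silent_lns(ASR_CAPTURE))
    print("2821 capture, silent LNS:", silent_lns(C2821_CAPTURE))
```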

Hi,

"We saw that : We are missing 2 parameters in vpdn-group, are parameters "initiate-to ip" and "source-ip" are required ? Or is it only for LAC ?": 'Initiate to' is only for LAC but 'Source-ip' can be for both.

"Is there a command to bind vpdn listening for L2TP request to a specific gigabitethernet  interface on ASR 1002-X ?" Well, it's pretty straightforward: the gig connected to the LAC is the only one which gets bound to a virtual-template defined under the 'vpdn-group <>' config.

Regards,

Subeh

Hello,

some news :

We have made some interesting tests: we have plugged in GigabitEthernet0 (Management interface) and done some L2TP tunnel establishment tests on this interface, with or without Loopback interface: it works. We see some VPDN connection logs (we see the SCCRQ initial packet in the ASR1K logs).

So the question is: why does VPN service work on GigabitEthernet0 but not on GigabitEthernet0/0/0 ?

Thanks

Any ideas ?

Thanks a lot

FWIW: I had what I think is a similar issue, and it turned out to be licensing-related. As soon as I upgraded the license level, everything started to work.

Thanks a lot for pointing this aspect !

We have an IP BASE licence. What licence do you have for L2TP/VPDN ? Thanks

It was actually a CSR1000V that I observed it on - and I put the premium license, and it seemed to get happy. (You can verify with eval license which one works for you and then get the real one).
