05-21-2013 12:14 AM - edited 03-04-2019 07:57 PM
Hello,
please we need help :
we have made migration from CISCO 2821 to ASR1002-X.
Cisco router is used as LNS for our ADSL links, using L2TP protocol. On 2821, everything worked fine. Migrating with same config on ASR1002-X, everything worked except L2TP sessions.
We wanted to debug but no debug is displayed about L2TP or PPP in console with commands :
- debug aaa authentication
- debug aaa authorization
- debug radius
- debug vpdn l2x-events
- debug vpdn l2x-errors
- debug vpdn l2x-packet
- debug ppp negotiation
- debug ppp authentication
We don't understand why no debug log ??? Is it a bug in IOS XE ?
show vpdn session all and show vpdn tunnel all gave "%No active L2TP tunnels"
Thanks a lot for help !!
----------------------------------
Here our configuration :
sh ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 06-Oct-12 13:03 by mcpre
IOS XE Version: 03.07.01.S
License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase
cisco ASR1002-X (2RU-X) processor with 1156257K/6147K bytes of memory.
Processor board ID SSI16450ENF
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
6684671K bytes of eUSB flash at bootflash:.
Here our LNS/L2TP configuration :
aaa new-model
!
!
aaa group server radius Telco-RADIUS
 server-private x.x.x.x auth-port 1812 acct-port 1813 key secret
 server-private y.y.y.y auth-port 1812 acct-port 1813 key secret
!
aaa authentication ppp Telco-DSL-AAA group Telco-RADIUS
aaa authorization network Telco-DSL-AAA group Telco-RADIUS
aaa accounting network Telco-DSL-AAA
 action-type start-stop
 group Telco-RADIUS
!
aaa session-id common
!
vpdn enable
vpdn history failure table-size 50
vpdn search-order multihop-hostname domain dnis
!
vpdn-group ADSL
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname bas1
 local name LNS1
 lcp renegotiation always
 no l2tp tunnel authentication
 ip mtu adjust
!
interface Virtual-Template1 type serial
 description VT1
 mtu 1460
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1420
 ip policy route-map INTERNET_VT1
 timeout absolute 1800 0
 no peer default ip address
 ppp authentication chap pap Telco-DSL-AAA
 ppp authorization Telco-DSL-AAA
 ppp accounting Telco-DSL-AAA
 ppp ipcp address required
 ppp ipcp address accept
05-22-2013 11:36 AM
Hello, no problem, thanks for reply.
in fact, asr1k is now unplugged because we had to remount adsl links, so it is today 2821 that is connected. We are asking for LAC logs to our LAC provider. We will do some more tests soon.
When asr1k was plugged, "show l2tp tunnel all" gave also "No active tunnels".
Do you think asr1k can refuse Radius query because of unsupported attribute value pairs that worked fine with 2821 ?
Regards.
05-22-2013 11:40 AM
In response to your question about logs: Those logs appeared only when we modified configuration with "conf term" then "exit". There were no other logs when we were waiting for LAC or RADIUS queries, so we thought there was a problem with vpdn debug log whereas you say it is perhaps a connectivity problem with LAC. We are checking that.
05-22-2013 11:46 AM
Hi,
"Do you think asr1k can refuse Radius query because of unsupported attribute value pairs that worked fine with 2821 ?"
Even if ASR refuses it, we should still see those interactions in the logs, which currently we're not seeing. As for checking the absence of logs on ASR, I think it's a good idea to check the logs on the LAC when the ASR is connected.
Out of curiosity, with ASR, I hope you're able to ping the LAC just to check the physical connectivity is all right.
Regards,
Subeh
05-22-2013 12:37 PM
I think we had pinged successfully the LAC, but we will retry.
We will give you soon tests results. Thanks
Regards
05-28-2013 03:44 PM
Hello,
some news :
After re-plugging the asr, we have tested ping to LAC and RADIUS : OK.
show bgp was also OK.
We have enabled port mirroring and we saw that ASR1K receives SCCRQ from LAC but doesn't respond. (perhaps a port number problem ??)
312.193595 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
313.201694 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
After replugging 2821, Response of LNS is immediate
360.695021 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
360.703111 A.B.C.LNS -> X.Y.Z.LAC L2TP 139 Control Message - SCCRP (tunnel id=5136, session id=0)
361.703349 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
We saw that : We are missing 2 parameters in vpdn-group, are parameters "initiate-to ip" and "source-ip" required ? Or is it only for LAC ?
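The check made by eye on the mirrored traffic above can be scripted. This is an added example, not part of the original post: it parses capture summary lines in the format quoted in the post and lists every SCCRQ that got no SCCRP back from the LNS. The function name and the 1-second reply window are assumptions, and the sample lines are constructed from the ones quoted in the post.

```python
import re

# Constructed sample: the summary lines quoted in the post, both captures
# concatenated (addresses are the post's own placeholders).
SAMPLE = """\
312.193595 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
313.201694 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
360.695021 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
360.703111 A.B.C.LNS -> X.Y.Z.LAC L2TP 139 Control Message - SCCRP (tunnel id=5136, session id=0)
361.703349 X.Y.Z.LAC -> A.B.C.LNS L2TP 162 Control Message - SCCRQ (tunnel id=0, session id=0)
"""

# timestamp, source, destination, protocol, length, control message type
LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+L2TP\s+\d+\s+"
    r"Control Message - (?P<msg>[A-Za-z-]+)"
)


def unanswered_sccrq(text, timeout=1.0):
    """Return (timestamp, lac, lns) for each SCCRQ that has no SCCRP sent
    from the LNS back to the LAC within `timeout` seconds (assumed window)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # lines that are not L2TP control messages are skipped
            events.append((float(m["ts"]), m["src"], m["dst"], m["msg"]))

    missing = []
    for ts, src, dst, msg in events:
        if msg != "SCCRQ":
            continue
        # A reply must travel in the reverse direction and follow the request.
        answered = any(
            m2 == "SCCRP" and s2 == dst and d2 == src and ts <= t2 <= ts + timeout
            for t2, s2, d2, m2 in events
        )
        if not answered:
            missing.append((ts, src, dst))
    return missing


if __name__ == "__main__":
    for ts, lac, lns in unanswered_sccrq(SAMPLE):
        print(f"{ts:.6f}  SCCRQ {lac} -> {lns}: no SCCRP within window")
```

The last SCCRQ in the sample is reported as unanswered only because the quoted capture ends there.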
05-28-2013 04:05 PM
Is there a command to bind vpdn listening for L2TP request to a specific gigabitethernet interface on ASR 1002-X ? Is there a default gigabitethernet for L2TP on ASR 1002-X ?
Thanks
05-28-2013 11:18 PM
Hi,
"We saw that : We are missing 2 parameters in vpdn-group, are parameters "initiate-to ip" and "source-ip" required ? Or is it only for LAC ?": 'Initiate to' is only for LAC but 'Source-ip' can be for both.
"Is there a command to bind vpdn listening for L2TP request to a specific gigabitethernet interface on ASR 1002-X ?" Well, it's pretty straightforward, the gig connected to the LAC is the only one which gets bound to a virtual-template defined under 'vpdn-group <>' config.
Regards,
Subeh
06-01-2013 06:32 AM
Hello,
some news :
we have made some interesting tests : We have plugged GigabitEthernet0 (Management interface) and do some L2TP tunnels establishment tests on this interface with or without Loopback interface : it works : We see some VPDN logs of connection (We see SCCRQ initial packet in ASR1K logs)
So the question is : why VPN service works on GigabitEthernet0 but not on GigabitEthernet0/0/0 ?
Thanks
06-04-2013 02:33 AM
Any ideas ?
Thanks a lot
11-19-2013 10:46 AM
FWIW: I had what I think is a similar issue, and it turned out to be licensing-related. As soon as I upgraded the license level, everything started to work.
11-19-2013 11:20 AM
Thanks a lot for pointing this aspect !
We have an IP BASE licence. What licence do you have for L2TP/VPDN ? Thanks
11-20-2013 01:22 AM
It was actually a CSR1000V that I observed it on - and I put the premium license, and it seemed to get happy. (You can verify with eval license which one works for you and then get the real one).