Solved: Re: Cisco 837 Wan issue

jcbryan11 · ‎12-10-2010

I have a 837 that I can run "ping atm interface atm 0 0 35 seg-loopback" with 5/5 success. BUT when it test the aggregate with "ping atm interface atm 0 0 35 end-loopback" I get 0/5.

Ugh!

I have a carrier detect light on and need to get this going to verify my other settings. I assume the ISP doesn't need mt user and passwd to perform this function? Please note my ISP gave me the PVC's and added that thhis was the end of their part of anything CIsco. Man, gotta love rural ISP's!

Any ideas for the new guy trying to use CLI?

Config is below if needed.

Best, John

This is the running config of the router: 10.10.10.1
----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 $1$MeFQ$9tWMAI6L04F303lKANLvt.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.26 10.10.10.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
!
ip cef
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1475291674
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1475291674
revocation-check none
rsakeypair TP-self-signed-1475291674
!
!
crypto pki certificate chain TP-self-signed-1475291674
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
311BA89831
7BLAH BLAH BLAH HERE quit
username john privilege 15 secret 5 $1$PKYL$R4vPtFHBCL3Ys1cP80wvP1
!

!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxxxxxx password 0 xxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.26 80 interface Dialer0 80
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Shelley Bhalla · ‎12-14-2010

Ok so in this case,

Run

conf t

in fa4

shut

end

debug pppoe error

debug pppoe event

debug ppp nego

debug ppp authentication

conf t

int fa 4

no shut

end

Get outputs and see if there are any errors in authentication or not. If not then authentication is the least of your worries. If there are other errors then that has to be investigated.

Get show atm pvc x/y once the AMT interface is up as well. This will shouw you the DSL speed and pvc details.

Also if the 837 is terminating the DSL connection then enable training logs:

interface atm0
     dsl enable-training-log

This will helpful to understand how strong/weak the signal is. If the signal is low, we can expect many kinds of issues.

Can you get their end of the config (even if not cisco we can still make out what they have)

Shelley.

View solution in original post

Shelley Bhalla · ‎12-15-2010

If you work with the service provider, this can be a quick fix. You are failing authentication. Debugs show they are certainly doing CHAP authentication and expect you to have a username "Blnc-Redback" configured on your router to authenticate their side and expect a specific user/pass to be sent to them for authentication..

The commands for that are

ppp chap username

ppp chap password

They go under the dialer interface.

Read these :

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4130.shtml

Best of luck.

Shelley.

View solution in original post

paolo bevilacqua · ‎12-16-2010

Just ask ISP, what is my username and password?

They don't know about PAP, CHAP and stuff, because consumer-grade routers handle that automatically.

Also they are likely to get confused by trace output, that is for 2nd or 3rd level support only.

Unrelated to the failure, you should configure "mtu 1492" on dialer itnerface.

View solution in original post

paolo bevilacqua · ‎12-18-2010

Ask ISP for a password reset, and configure CHAP accordingly. The problem is there.

View solution in original post

Nikita Singh · ‎12-19-2010

The NAT and routing looks fine. Please check if you can do the following:

ping 4.2.2.2

ping 4.2.2.2 so ethernet 0

View solution in original post

Nikita Singh · ‎12-19-2010

what is the ip address and default gateway of the device from which your are trying to reach internet ?

can u ping 4.2.2.2 from that device ?

do a tracert 4.2.2.2 and see where it drops

also send "show ip nat trans" from the router.

View solution in original post

paolo bevilacqua · ‎12-19-2010

Set a DNS server of you liking in the PC (Internet Protocol)

Change ip tcp mss-adjust to 1452.

You also don't need the hold-queue commands.

Please remember to rate useful posts clicking on the stars below.

View solution in original post

Nikita Singh · ‎12-19-2010

Looks like you have an issue with DNS.

On the PC, go to the connection properties>> internetprotocol(TCP/IP)>>Properties>> use the following DNS server: set it to 4.2.2.2 and see if you can browse

the NAT and routing is working fine.

View solution in original post

Nikita Singh · ‎12-19-2010

I do not see DNS configured on the router.

router#config t

router(config)#ip name-server 4.2.2.2

router(config)#ip dhcp pool sdm-pool1

Router(dhcp-config)#dns-server 4.2.2.2

If you have any other DNS server , include that as well.This should help!

View solution in original post

paolo bevilacqua · ‎12-10-2010

You can disregard atm ping results.

All what matters, is if it works, or not.

jcbryan11 · ‎12-10-2010

Shouldn't I be able to ping, say, cisco.com, via the console? I understand that takes the router out of the equation and is a direct ping??

Thanks for the reply by the way.

John

paolo bevilacqua · ‎12-10-2010

Currently, cisco.com does not responds to pings.

You have first to find out if ISP uses PPPoE or not. If not, your config is wrong.

jcbryan11 · ‎12-10-2010

Let me try to get them to tell me, if they know. I need the enapsulation, pvc and dns's. anything else? I maybe monday before I get back with the info...

Best, John

tstamatopoulos · ‎12-12-2010

Hello there,

you need ofcource the encapsulation, a sample for ADSL2+ is

try this on the console

conf t

interface ATM0.1 point-to-point

pvc 0/35

encapsulation aal5mux ppp dialer

ctrl+z

for DNS you can try the google one's to configure it:

conf t

ip dhcp pool sdm-pool1

dns-server 8.8.8.8 8.8.4.4

ctrl+z

and please provide us a sh int d0 command output

HTH

jcbryan11 · ‎12-12-2010

I did a debug atm events and it appears the modem is getting replies from the iSP("Modem state = 0x10)

Here's the sh int d0

yourname#sh int d0

Dialer0 is up (spoofing), line protocol is up (spoofing)

Hardware is Unknown

MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation HDLC, loopback not set

DTR is pulsed for 1 seconds on reset

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/16 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 42 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes

0 packets output, 0 bytes

Thank your for your help, this learning curve is pretty steep!!

John

paolo bevilacqua · ‎12-13-2010

Once again, if you ISP does not uses PPPoE, and it seems it does not, your config is wrong.

jcbryan11 · ‎12-13-2010

I spoke to my ISP and they do PPPOE, with a PVC 0/35. Whehn I asked about CHAP or PAP, I got a silent nothing!

With the SDM i can get interface status OK, DNS Settings OK (8.8.8.8) and fail on the interface IP address, which is negotiated.

I appreciate your patience on thsi project!

Best, John

Shelley Bhalla · ‎12-14-2010

Ok so in this case,

Run

conf t

in fa4

shut

end

debug pppoe error

debug pppoe event

debug ppp nego

debug ppp authentication

conf t

int fa 4

no shut

end

Get outputs and see if there are any errors in authentication or not. If not then authentication is the least of your worries. If there are other errors then that has to be investigated.

Get show atm pvc x/y once the AMT interface is up as well. This will shouw you the DSL speed and pvc details.

Also if the 837 is terminating the DSL connection then enable training logs:

interface atm0
     dsl enable-training-log

This will helpful to understand how strong/weak the signal is. If the signal is low, we can expect many kinds of issues.

Can you get their end of the config (even if not cisco we can still make out what they have)

Shelley.

jcbryan11 · ‎12-14-2010

Shelley,

I've attached the outputs of the given commands. Appears to be a CHAP Authentication issue?? (Like I know!)

Is it etter for me to copy & paste or attach this type of stuff? Yes, I'm the new guy.

yourname#show atm pvc 0/35
Description: N/A
ATM0.2: VCD: 1, VPI: 0, VCI: 35
UBR, PeakRate: 0 (0 cps)
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0, Encapsize: 12
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM END CC Activate retry count: 3, OAM END CC Deactivate retry count: 3
OAM END CC retry frequency: 30 second(s),
OAM SEGMENT CC Activate retry count: 3, OAM SEGMENT CC Deactivate retry count: 3
OAM SEGMENT CC retry frequency: 30 second(s),
OAM Loopback status: OAM Sent
OAM VC Status: Not Verified
ILMI VC status: Not Managed
VC is managed by OAM.
InARP frequency: 15 minutes(s)
InPkts: 6, OutPkts: 2, InBytes: 386, OutBytes: 146
InPRoc: 1, OutPRoc: 2
InFast: 5, OutFast: 0, InAS: 0, OutAS: 0
Giants: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0,
F5 InEndcc: 0, F5 InSegcc: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 84
F5 OutEndloop: 84, F5 OutSegloop: 0,
F5 OutEndcc: 0, F5 OutSegcc: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: DOWN, State: NOT_VERIFIED
PPPOE enabled. Current number of pppoe sessions: 1

yourname#
*Dec 13 22:23:36.143: %LINK-3-UPDOWN: Interface ATM0, changed state to down
*Dec 13 22:23:37.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
*Dec 13 22:24:17.419: Sending PADI: vc=0/35
*Dec 13 22:24:17.479: PPPoE 0: I PADO R:0030.8812.6660 L:0011.208d.fb78 0/35 ATM0.2
*Dec 13 22:24:18.143: %LINK-3-UPDOWN: Interface ATM0, changed state to up
*Dec 13 22:24:19.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up
*Dec 13 22:24:19.467: PPPOE: we've got our pado and the pado timer went off
*Dec 13 22:24:19.467: OUT PADR from PPPoE Session
*Dec 13 22:24:19.619: PPPoE 4127: I PADS R:0030.8812.6660 L:0011.208d.fb78 0/35 ATM0.2
*Dec 13 22:24:19.623: IN PADS from PPPoE Session
*Dec 13 22:24:19.631: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Dec 13 22:24:19.631: PPPoE: Virtual Access interface obtained.
*Dec 13 22:24:19.631: PPPoE : encap string prepared
*Dec 13 22:24:19.635: [0]PPPoE 4127: data path set to Virtual Acess
*Dec 13 22:24:19.635: Vi1 PPP: Phase is DOWN, Setup
*Dec 13 22:24:19.635: Vi1 PPP: Using dialer call direction
*Dec 13 22:24:19.635: Vi1 PPP: Treating connection as a callout
*Dec 13 22:24:19.635: Vi1 PPP: Session handle[21000004] Session id[0]
*Dec 13 22:24:19.635: Vi1 PPP: Phase is ESTABLISHING, Active Open
*Dec 13 22:24:19.635: Vi1 PPP: Authorization required
*Dec 13 22:24:19.639: Vi1 PPP: No remote authentication for call-out
*Dec 13 22:24:19.675: Vi1 LCP: O CONFREQ [Closed] id 1 len 10
*Dec 13 22:24:19.679: Vi1 LCP:    MagicNumber 0x11327413 (0x050611327413)
*Dec 13 22:24:19.679: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Dec 13 22:24:19.743: Vi1 LCP: I CONFREQ [REQsent] id 202 len 19
*Dec 13 22:24:19.743: Vi1 LCP:    MRU 1492 (0x010405D4)
*Dec 13 22:24:19.743: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
*Dec 13 22:24:19.743: Vi1 LCP:    MagicNumber 0x664E304D (0x0506664E304D)
*Dec 13 22:24:19.743: Vi1 LCP: O CONFNAK [REQsent] id 202 len 8
*Dec 13 22:24:19.743: Vi1 LCP:    MRU 1500 (0x010405DC)
*Dec 13 22:24:19.747: Vi1 LCP: I CONFACK [REQsent] id 1 len 10
*Dec 13 22:24:19.747: Vi1 LCP:    MagicNumber 0x11327413 (0x050611327413)
*Dec 13 22:24:19.803: Vi1 LCP: I CONFREQ [ACKrcvd] id 203 len 19
*Dec 13 22:24:19.807: Vi1 LCP:    MRU 1500 (0x010405DC)
*Dec 13 22:24:19.807: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
*Dec 13 22:24:19.807: Vi1 LCP:    MagicNumber 0x664E304D (0x0506664E304D)
*Dec 13 22:24:19.807: Vi1 LCP: O CONFACK [ACKrcvd] id 203 le
yourname#n 19
*Dec 13 22:24:19.807: Vi1 LCP:    MRU 1500 (0x010405DC)
*Dec 13 22:24:19.807: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
*Dec 13 22:24:19.807: Vi1 LCP:    MagicNumber 0x664E304D (0x0506664E304D)
*Dec 13 22:24:19.811: Vi1 LCP: State is Open
*Dec 13 22:24:19.811: Vi1 PPP: No authorization without authentication
*Dec 13 22:24:19.811: Vi1 PPP: Phase is AUTHENTICATING, by the peer
*Dec 13 22:24:19.871: Vi1 CHAP: I CHALLENGE id 1 len 33 from "Blnc-Redback"
*Dec 13 22:24:19.879: Vi1 CHAP: Using hostname from interface CHAP
*Dec 13 22:24:19.879: Vi1 CHAP: Using password from interface CHAP
*Dec 13 22:24:19.879: Vi1 CHAP: O RESPONSE id 1 len 37 from "xxxxxx@xxxi.net"
*Dec 13 22:24:21.059: Vi1 CHAP: I FAILURE id 1 len 42 msg is "CHAP authentication failure, unit 6356"
*Dec 13 22:24:21.059: Vi1 LCP: I TERMREQ [Open] id 204 len 4
*Dec 13 22:24:21.059: Vi1 LCP: O TERMACK [Open] id 204 len 4
*Dec 13 22:24:21.059: Vi1 PPP: Sending Acct Event[Down] id[3]
*Dec 13 22:24:21.063: Vi1 PPP: Phase is TERMINATING
*Dec 13 22:24:23.047: Vi1 LCP: TIMEout: State TERMsent
*Dec 13 22:24:23.047: Vi1 LCP: State is Closed
*Dec 13 22:24:23.047: Vi1 PPP: Phase is DOWN
*Dec 13 22:24:23.047: PPPoE : Shutting down client session
*Dec 13 22:24:23.047: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Dec 13 22:24:23.051: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

And as always, thanks to the forum for the help!

Best, John

Shelley Bhalla · ‎12-15-2010

If you work with the service provider, this can be a quick fix. You are failing authentication. Debugs show they are certainly doing CHAP authentication and expect you to have a username "Blnc-Redback" configured on your router to authenticate their side and expect a specific user/pass to be sent to them for authentication..

The commands for that are

ppp chap username

ppp chap password

They go under the dialer interface.

Read these :

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4130.shtml

Best of luck.

Shelley.

jcbryan11 · ‎12-15-2010

Shelley and Forum, I've sent the "denied" section to my local friendly ISP techies. No reply as of this writing. Any idea what the ""Blnc-Redback" config might be? Just wanting to know how it works and yes, I've read the Cisco links (Thanks) I looked at my Zhone modem they supplied with a USB cable and don't see anything obvious as far as this host appears?

I will keep updated.

Thnaks again, John

paolo bevilacqua · ‎12-16-2010

Just ask ISP, what is my username and password?

They don't know about PAP, CHAP and stuff, because consumer-grade routers handle that automatically.

Also they are likely to get confused by trace output, that is for 2nd or 3rd level support only.

Unrelated to the failure, you should configure "mtu 1492" on dialer itnerface.

jcbryan11 · ‎12-16-2010

I have the given username and password in the dialer task above with the xxx's. I have written them again,as the phone help doesn't seem to be very helpful at this point. (But they do know how to setup an X-Box...)

I have changed the MTU's to 1492, thanks for noticing.

Will update as they rendermy support!

Best, John