
ISR 4321 ISDN connectivity issue

cipherhere
Level 1

Hi,

 

We had a cutover to migrate from a Cisco 2901 to an ISR 4321, but it was unsuccessful. The primary usage of the device is for ISDN connectivity, and we just use it for data communication (no voice).

Chassis: ISR4321/K9

Module: NIM-4BRI-S/T

Version: 16.08.01

 

During the migration, the ISDN physical interfaces came up but traffic is not getting through; we verified it by sending some interesting traffic through it. When we switch the connections to the 2901, it starts working.

I have been working with Cisco TAC for a long time, but it's not going anywhere and I am kind of blocked.

I am not able to isolate whether the issue is with the ISR 4321 (config issue) or with the provider, but since connectivity is fine with the 2901 I am assuming it may be an issue with the ISR 4321, though I don't have any data.

Not seeing anything on ISDN debugs on the box.

Does anyone have first-hand experience migrating from a 2901 to an ISR 4321?

Appreciate any help here.

 

Configs:

=====

 

interface GigabitEthernet0/0/1
description "towards internal network"
ip address <>
ip nat inside
standby 10 ip <>
standby 10 timers 2 6
standby 10 priority 200
standby 10 preempt
negotiation auto
!

interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer in-band
dialer idle-timeout 30
dialer map ip <> class dial1<>
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <>
ppp chap password 7 <>
ip virtual-reassembly
!
interface Dialer2
ip address negotiated
ip nat outside
encapsulation ppp
dialer in-band
dialer idle-timeout 30
dialer map ip <> name sq-2 class dial1<>
dialer-group 2
no cdp enable
ppp callback request
ppp ipcp address accept
ip virtual-reassembly
!
interface Dialer3
ip address negotiated
encapsulation ppp
dialer in-band
dialer map ip <> class dial3 <>
dialer map ip <> class dial3 <>
dialer-group 3
no cdp enable
ppp authentication chap callin
ppp chap hostname <>
ppp chap password 7 <>
ip virtual-reassembly
!

interface BRI0/2/0:0

ip address negotiated
ip nat outside
encapsulation ppp
dialer rotary-group 1
dialer-group 1
no cdp enable
isdn switch-type ntt
isdn point-to-point-setup
ppp ipcp address accept
ip virtual-reassembly
!
interface BRI0/2/1:0

ip address negotiated
ip nat outside
encapsulation ppp
dialer rotary-group 2
dialer-group 2
no cdp enable
isdn switch-type ntt
isdn point-to-point-setup
ppp ipcp address accept
ip virtual-reassembly
!
interface BRI0/2/2:0

ip address negotiated
ip nat outside
encapsulation ppp
dialer rotary-group 2
dialer-group 2
no cdp enable
isdn switch-type ntt
isdn point-to-point-setup
ppp ipcp address accept
ip virtual-reassembly
!

mr01.nrt1#show isdn status
Global ISDN Switchtype = ntt
ISDN BRI0/2/0:0 interface
dsl 4, interface ISDN Switchtype = ntt
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 73, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 4 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI0/2/1:0 interface
dsl 5, interface ISDN Switchtype = ntt
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 71, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 5 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI0/2/2:0 interface
dsl 6, interface ISDN Switchtype = ntt
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 71, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 6 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI0/2/3:0 interface
dsl 7, interface ISDN Switchtype = ntt
Layer 1 Status:
SHUTDOWN
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 7 CCBs = 0
The Free Channel Mask: 0x00000000
Total Allocated ISDN CCBs = 0

 

NOTE: The same configuration works on the 2901. I didn't paste the entire config and masked some data.

 

18 Replies

Richard Burts
Hall of Fame

What debugs were you running?

HTH

Rick

Unfortunately I didn't see any debugs on the console.

debug dialer
debug ppp negotiation
debug ppp authentication
debug isdn q931
debug isdn q921

 

Hello,

 

The 'multiple frame established' means there is a data connection with the Telco switch. Maybe you are missing something else... Can you post the full running configuration?

Ya.. I see layer 1 and layer 2 are up, but on layer 3 it's not forwarding the traffic.

Attached config.

Hello,

 

Make the changes marked in bold. Also, where are the source hosts specified in the NAT access lists, and how are they connected to your router?

 

ip access-list extended to_provider1
permit ip host 10.128.1.8 host 10.0.12.201
permit ip host 10.128.1.12 host 10.0.12.201
permit ip host 10.128.1.20 host 10.0.12.201
permit ip host 10.128.1.26 host 10.0.12.201
permit ip host 10.128.1.11 host 10.0.12.201
permit ip host 10.128.1.35 host 10.0.12.201
permit ip host 10.128.1.36 host 10.0.12.201
ip access-list extended to_provider2
permit ip host 10.128.1.8 host 10.0.8.1
permit ip host 10.128.1.12 host 10.0.8.1
permit ip host 10.128.1.20 host 10.0.8.1
permit ip host 10.128.1.26 host 10.0.8.1
permit ip host 10.128.1.11 host 10.0.8.1
permit ip host 10.128.1.35 host 10.0.8.1
permit ip host 10.128.1.36 host 10.0.8.1

 

Also, your default route is pointing towards a private IP address, but your outside interfaces are set to 'ip negotiated'? Which IP addresses are actually assigned to the outside interfaces?

 

Current configuration : 8419 bytes
!
! Last configuration change at 16:16:05 JST Thu May 28 2020 by root
! NVRAM config last updated at 16:16:10 JST Thu May 28 2020 by root
!
version 16.8
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname <removed>
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 51200 warnings
enable secret 5 <removed>
!
no aaa new-model
clock timezone JST 9 0
clock calendar-valid
no ip source-route
!
no ip domain lookup
ip domain name yourdomain.com
ip address-pool local
!
subscriber templating
!
multilink bundle-name authenticated
!
isdn switch-type ntt
!
crypto pki trustpoint TP-self-signed-2100035517
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2100035517
revocation-check none
rsakeypair TP-self-signed-2100035517
!
crypto pki certificate chain TP-self-signed-2100035517
!
license udi pid ISR4321/K9 sn FDO2347004C
no license smart enable
hw-module subslot 0/1 shutdown unpowered
!
object-group network admin-zones
description All admin zones
10.1.7.0 255.255.255.0
10.1.71.0 255.255.255.0
10.1.130.0 255.255.255.0
10.4.12.0 255.255.254.0
10.4.76.0 255.255.254.0
10.24.7.0 255.255.255.0
10.26.12.0 255.255.254.0
10.128.7.0 255.255.255.0
!
object-group network peer-interfaces
host 10.128.255.20
host 10.128.255.6
host 10.128.255.71
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
interface Loopback0
ip address 10.128.255.19 255.255.255.255
!
interface GigabitEthernet0/0/0
description neighbor:gi-0/0/0
ip address 10.128.255.70 255.255.255.254
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
description layer2_switch-ge-0-0-10
ip address 10.128.255.9 255.255.255.240
ip nat inside
standby 10 ip 10.128.255.7
standby 10 timers 2 6
standby 10 priority 110
standby 10 preempt
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface BRI0/2/0:0
description Provider1
ip address negotiated
ip nat outside
encapsulation ppp
dialer rotary-group 1
dialer-group 1
no cdp enable
isdn switch-type ntt
isdn point-to-point-setup
ppp ipcp address accept
ip virtual-reassembly
!
interface BRI0/2/1:0
description Provider2
ip address negotiated
ip nat outside
encapsulation ppp
dialer rotary-group 2
--> dialer-group 1
no cdp enable
isdn switch-type ntt
isdn point-to-point-setup
ppp ipcp address accept
ip virtual-reassembly
!
interface BRI0/2/2:0
description provider3
ip address negotiated
ip nat outside
encapsulation ppp
dialer rotary-group 2
--> dialer-group 1
no cdp enable
isdn switch-type ntt
isdn point-to-point-setup
ppp ipcp address accept
ip virtual-reassembly
!
interface BRI0/2/3:0
no ip address
encapsulation hdlc
shutdown
isdn switch-type ntt
isdn point-to-point-setup
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer in-band
dialer idle-timeout 30
dialer map ip 10.0.12.201 class dial1 <removed>
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <removed>
ppp chap password 7 <removed>
ip virtual-reassembly
!
interface Dialer2
ip address negotiated
ip nat outside
encapsulation ppp
dialer in-band
dialer idle-timeout 30
dialer map ip 10.0.8.1 name sq-2 class dial1 <removed>
--> dialer-group 1
no cdp enable
ppp callback request
ppp ipcp address accept
ip virtual-reassembly
!
interface Dialer3
ip address negotiated
encapsulation ppp
dialer in-band
dialer map ip 192.51.47.223 class dial3 <removed>
dialer map ip 192.51.47.1 class dial3 <removed>
--> dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <removed>
ppp chap password 7 <removed>
ip virtual-reassembly
!
ip nat inside source list to_provider1 interface Dialer1 overload
ip nat inside source list to_provider2 interface Dialer2 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 10.128.255.1
ip route 10.0.8.1 255.255.255.255 Dialer2
ip route 10.0.12.201 255.255.255.255 Dialer1
ip route 192.51.47.0 255.255.255.0 Dialer3
!
ip ssh version 2

ip scp server enable
!
ip access-list extended sshprotect
permit tcp object-group admin-zones any
permit tcp object-group peer-interfaces any
ip access-list extended to_provider1
permit ip host 10.128.1.8 host 10.0.12.201
permit ip host 10.128.1.12 host 10.0.12.201
permit ip host 10.128.1.20 host 10.0.12.201
permit ip host 10.128.1.26 host 10.0.12.201
permit ip host 10.128.1.11 host 10.0.12.201
permit ip host 10.128.1.35 host 10.0.12.201
permit ip host 10.128.1.36 host 10.0.12.201
ip access-list extended to_provider2
permit ip host 10.128.1.8 host 10.0.8.1
permit ip host 10.128.1.12 host 10.0.8.1
permit ip host 10.128.1.20 host 10.0.8.1
permit ip host 10.128.1.26 host 10.0.8.1
permit ip host 10.128.1.11 host 10.0.8.1
permit ip host 10.128.1.35 host 10.0.8.1
permit ip host 10.128.1.36 host 10.0.8.1
!
--> dialer-list 1 protocol ip permit
!
map-class dialer dial1
dialer callback-server username
!
map-class dialer dial2
dialer callback-server dial-string
!
map-class dialer dial3
dialer callback-server username
logging facility local4
access-list 101 permit icmp any any
access-list 101 permit tcp any any
access-list 102 permit icmp any any
access-list 102 permit tcp any any
access-list 103 permit icmp any any
access-list 103 permit tcp any any
--> no dialer-list 1 protocol ip list 101
dialer-list 2 protocol ip list 102
dialer-list 3 protocol ip list 103
!
control-plane
!
privilege exec level 0 show inventory raw
privilege exec level 0 show inventory
privilege exec level 0 show running-config view full
privilege exec level 0 show running-config view
privilege exec level 0 show running-config
privilege exec level 0 show
!
line con 0
exec-timeout 15 0
login local
transport input none
stopbits 1
line aux 0
exec-timeout 0 1
no exec
transport output none
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport preferred ssh
transport input ssh
transport output telnet ssh
escape-character 3
line vty 5 15
access-class sshprotect in
exec-timeout 60 0
privilege level 15
logging synchronous
login local
transport preferred ssh
transport input ssh
transport output telnet ssh
escape-character 3
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

Think of it as: hosts are connected to top-of-rack switches, and routing is configured in a way that traffic for the destination IP addresses in the access-list comes to this router and is forwarded through the ISDN connections.

Each ISDN connects to a partner, it gets an IP address from the provider?

Only interesting traffic should go to the ISDN connections and rest all to the inside network/reverse traffic.

Modified the access-list and applied it to all Dialer and BRI interfaces, but no luck.

The same configs work fine on the 2901 router.

Thanks for the additional information. It is interesting that same configs work on a different platform/different code. I wonder what the difference is here?

 

I continue to wonder about having no debug output. You are running appropriate debugs and I would have expected output. With the severity level for logging buffered set to warning I can understand having no debug output in those logs. But I would have expected the console to get output. Would you post the output of show logging (probably the first couple of pages would be enough) so that we can see a more complete view of how logging is operating.

HTH

Rick

#Show debugging
Dial on demand:
Dial on demand events debugging is on
IOSXE Conditional Debug Configs:

Conditional Debug Global State: Stop


IOSXE Packet Tracing Configs:

 

 

PPP:
PPP authentication debugging is on
Packet Infra debugs:

Ip Address Port
------------------------------------------------------|----------

 


The following ISDN debugs are enabled on all DSLs:

debug isdn error is ON.
debug isdn q921 is ON. (filter is OFF)
debug isdn q931 is ON. (filter is OFF)

 

#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


Console logging: level debugging, 1690 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 46 messages logged, xml disabled,
filtering disabled
Buffer logging: level warnings, 79 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 264 message lines logged

 

show users
Line User Host(s) Idle Location
* 0 con 0 root idle 00:00:00

 

Only messages I see are with NT for layer2.

 

May 30 23:41:14.767: ISDN BR0/2/2:0 Q921: User RX <- RRp sapi=0 tei=73 nr=0
May 30 23:41:14.768: ISDN BR0/2/2:0 Q921: User TX -> RRf sapi=0 tei=73 nr=0
May 30 23:41:15.235: ISDN BR0/2/1:0 Q921: User TX -> RRp sapi=0 tei=71 nr=9
May 30 23:41:15.235: ISDN BR0/2/1:0 Q921: User RX <- RRp sapi=0 tei=71 nr=9
May 30 23:41:15.236: ISDN BR0/2/1:0 Q921: User TX -> RRf sapi=0 tei=71 nr=9
May 30 23:41:15.252: ISDN BR0/2/1:0 Q921: User RX <- RRf sapi=0 tei=71 nr=9
May 30 23:41:20.735: ISDN BR0/2/0:0 Q921: User RX <- RRp sapi=0 tei=73 nr=11
May 30 23:41:20.735: ISDN BR0/2/0:0 Q921: User TX -> RRf sapi=0 tei=73 nr=9
May 30 23:41:24.767: ISDN BR0/2/2:0 Q921: User RX <- RRp sapi=0 tei=73 nr=0
May 30 23:41:24.767: ISDN BR0/2/2:0 Q921: User TX -> RRf sapi=0 tei=73 nr=0
May 30 23:41:25.236: ISDN BR0/2/1:0 Q921: User RX <- RRp sapi=0 tei=71 nr=9
May 30 23:41:25.236: ISDN BR0/2/1:0 Q921: User TX -> RRf sapi=0 tei=71 nr=9
May 30 23:41:30.736: ISDN BR0/2/0:0 Q921: User RX <- RRp sapi=0 tei=73 nr=11
May 30 23:41:30.736: ISDN BR0/2/0:0 Q921: User TX -> RRp sapi=0 tei=73 nr=9
May 30 23:41:30.736: ISDN BR0/2/0:0 Q921: User TX -> RRf sapi=0 tei=73 nr=9
May 30 23:41:30.754: ISDN BR0/2/0:0 Q921: User RX <- RRf sapi=0 tei=73 nr=11
May 30 23:41:34.767: ISDN BR0/2/2:0 Q921: User TX -> RRp sapi=0 tei=73 nr=0
May 30 23:41:34.767: ISDN BR0/2/2:0 Q921: User RX <- RRp sapi=0 tei=73 nr=0
May 30 23:41:34.768: ISDN BR0/2/2:0 Q921: User TX -> RRf sapi=0 tei=73 nr=0
May 30 23:41:34.784: ISDN BR0/2/2:0 Q921: User RX <- RRf sapi=0 tei=73 nr=0
May 30 23:41:35.236: ISDN BR0/2/1:0 Q921: User TX -> RRp sapi=0 tei=71 nr=9
May 30 23:41:35.236: ISDN BR0/2/1:0 Q921: User RX <- RRp sapi=0 tei=71 nr=9
May 30 23:41:35.236: ISDN BR0/2/1:0 Q921: User TX -> RRf sapi=0 tei=71 nr=9
May 30 23:41:35.253: ISDN BR0/2/1:0 Q921: User RX <- RRf sapi=0 tei=71 nr=9
May 30 23:41:40.736: ISDN BR0/2/0:0 Q921: User RX <- RRp sapi=0 tei=73 nr=11

 

Thanks for the additional information. It confirms that the logging buffer would not see debug messages. But the console, or a telnet/SSH connection (which had done terminal monitor) should have seen debug. And then you post some debug messages. So where did they come from?

 

I am wondering about your comment that you generated interesting traffic but do not see activity on ISDN and am wondering if it is possible that your interesting traffic is not getting to this router. I see that your Lan interface is running HSRP. Is it possible that this router is in standby and not the active router?

HTH

Rick

Yes, whenever I want to test, I am increasing the HSRP priority on this one and it will become HSRP master.

I am sure that the traffic is reaching the router but it is not getting forwarded; earlier I have seen the packets reaching the box based on some debugs.

Can we apply a filter and confirm the traffic is reaching the router?

Someone in the discussion (link below) mentioned that NAT over Dialer interfaces is not supported, is it true?

https://community.cisco.com/t5/routing/issues-with-nat-on-a-brand-new-isr4321/td-p/2814990

One difference I could see: on the 2901 I see an NVI (NAT virtual interface) and not on the ISR 4321; is it something that needs to be investigated, or expected behaviour?

 

2901#show ip int brief | in NVI
NVI0 10.128.255.19 YES unset up up

 

I see NAT translation hits on 2901

 

show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 3, occurred 6d02h ago
Outside interfaces:
BRI0/1/0, BRI0/2/0, BRI0/1/0:1, BRI0/1/0:2, BRI0/2/0:1, BRI0/2/0:2, Dialer1
Dialer2
Inside interfaces:
GigabitEthernet0/1
Hits: 13585 Misses: 0
CEF Translated packets: 12655, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list to_MIZUHO interface Dialer1 refcount 0
[Id: 2] access-list to_SMBC interface Dialer2 refcount 0

 

Zero hits on ISR 4321

show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
BRI0/2/0:0, BRI0/2/0:1, BRI0/2/0:2, BRI0/2/1:0, BRI0/2/1:1, BRI0/2/1:2
Dialer1, Dialer2
Inside interfaces:
GigabitEthernet0/0/1
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list to_MIZUHO interface Dialer1 refcount 0
[Id: 2] access-list to_SMBC interface Dialer2 refcount 0
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0

Hello,

 

Can you check if the exec command:

isdn call interface bri 0/2/0 5551111

generates any debug output?

I got these logs when I executed the command.

Shouldn't we receive similar exchange logs when there is interesting traffic that is supposed to go through the ISDN connection and the circuit is set up? I have generated some interesting traffic and see nothing on the device.

May 30 23:43:13.747: ISDN BR0/2/0:0 Q931: SETUP pd = 8 callref = 0x0B
Bearer Capability i = 0x8890
Standard = CCITT
Transfer Capability = Unrestricted Digital
Transfer Mode = Circuit
Transfer Rate = 64 kbit/s
Channel ID i = 0x81
Preferred, B1
Called Party Number i = 0x80, '5551111'
Plan:Unknown, Type:Unknown
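
Added illustration, not part of the original thread and not Cisco tooling: a short Python script that separates the Q.921 RR link-supervision frames seen in the earlier capture from Q.931 call-control messages such as the SETUP above, which is the distinction the last posts turn on. The regular expressions and the verdict labels are assumptions based on the line layout shown in this thread.

```python
import re
from collections import defaultdict

# Lines in the format of the debug output posted in this thread (sample input).
SAMPLE = """\
May 30 23:41:14.767: ISDN BR0/2/2:0 Q921: User RX <- RRp sapi=0 tei=73 nr=0
May 30 23:41:14.768: ISDN BR0/2/2:0 Q921: User TX -> RRf sapi=0 tei=73 nr=0
May 30 23:41:15.235: ISDN BR0/2/1:0 Q921: User TX -> RRp sapi=0 tei=71 nr=9
May 30 23:41:15.235: ISDN BR0/2/1:0 Q921: User RX <- RRp sapi=0 tei=71 nr=9
May 30 23:41:15.236: ISDN BR0/2/1:0 Q921: User TX -> RRf sapi=0 tei=71 nr=9
May 30 23:41:15.252: ISDN BR0/2/1:0 Q921: User RX <- RRf sapi=0 tei=71 nr=9
May 30 23:43:13.747: ISDN BR0/2/0:0 Q931: SETUP pd = 8 callref = 0x0B
"""

# Q.921 (LAPD) frame line: "ISDN <intf> Q921: User TX -> RRp sapi=0 tei=73 nr=0"
Q921_RE = re.compile(
    r"ISDN (?P<intf>\S+) Q921: User (?P<dir>TX|RX) (?:->|<-) (?P<frame>\S+)")
# Q.931 call-control line; the direction arrow is optional because the
# SETUP line posted in the thread does not carry one.
Q931_RE = re.compile(
    r"ISDN (?P<intf>\S+) Q931: (?:(?:TX|RX) (?:->|<-) )?"
    r"(?P<msg>[A-Z_]+) pd = \S+\s+callref = (?P<ref>0x[0-9A-Fa-f]+)")


def summarize(text):
    """Return per-interface counts of Layer 2 frames and Q.931 messages."""
    stats = defaultdict(lambda: {"rr": 0, "l2_other": 0, "q931": []})
    for line in text.splitlines():
        m = Q931_RE.search(line)
        if m:
            stats[m["intf"]]["q931"].append((m["msg"], m["ref"]))
            continue
        m = Q921_RE.search(line)
        if m:
            # RRp/RRf are Receive Ready poll/final frames: link supervision only.
            key = "rr" if m["frame"].startswith("RR") else "l2_other"
            stats[m["intf"]][key] += 1
    return dict(stats)


def verdict(entry):
    """Classify one interface's activity (labels are this example's own)."""
    if any(msg == "SETUP" for msg, _ in entry["q931"]):
        return "call-attempted"
    if entry["rr"] and not entry["l2_other"]:
        return "keepalive-only"
    return "other-activity"


if __name__ == "__main__":
    for intf, entry in sorted(summarize(SAMPLE).items()):
        print(f"{intf}: {verdict(entry)} rr={entry['rr']} q931={entry['q931']}")
```

An interface that reports keepalive-only while test traffic is being sent never started a call, which points at the dialer and interesting-traffic side rather than at the ISDN line.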
