08-01-2019 08:31 AM
Hello,
On our side we are using:
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Config:
!
pseudowire-class ether-pw
encapsulation l2tpv3
ip local interface FastEthernet0/0
ip pmtu
!
!
interface FastEthernet0/1.111
encapsulation dot1Q 111
ip virtual-reassembly max-fragments 64 max-reassemblies 1024
no cdp enable
xconnect 193.193.***.*** 123 encapsulation l2tpv3 pw-class ether-pw
end
!
interface FastEthernet0/1
no ip address
ip access-group 101 in
no ip proxy-arp
ip accounting output-packets
ip virtual-reassembly max-fragments 64 max-reassemblies 1024
load-interval 30
duplex auto
speed auto
no keepalive
no cdp enable
end
CiscoRouter#show l2tun session
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
296** 171699**** 542** 123, Fa0/1.111:111 est 00:24:47 3**
%No active PPTP tunnels
So the thing is, the other side can ping my host, but with huge loss (8 packets lost, 1 ok), and has some poor access to HTTP.
But I can't ping the host on their side (double-checked firewalls etc.).
ip cef enabled.
I tried to attach the xconnect to Fa0/1, which is the interface that looks into the LAN. But it is the same.
Can someone help me?
08-05-2019 04:26 AM
OK, this problem is resolved.
Steps:
1) We changed IOS on the other side 15 -> 12.xx (Cisco 2800).
2) I changed the configuration to forward traffic through Loopback interfaces. So there is a GRE tunnel to provide the connection between them.
This works pretty ok.
-------------------------------------------------
Our GW
-------------------------------------------------
Tunnel to loopbacks
-------------------------------------------------
!
interface Tunnel5
ip address 192.168.50.1 255.255.255.0
ip mtu 1476
ip virtual-reassembly
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination xxx.xxx.xxx.xxx (other side WAN)
end
!
interface Loopback0
ip address 192.168.10.10 255.255.255.0
ip virtual-reassembly
end
ip route 0.0.0.0 0.0.0.0 (wan addr)
ip route 192.168.20.0 255.255.255.0 192.168.50.2
-------------------------------------------------
L2TPv3
-------------------------------------------------
vlan database
vtp transparent
vlan 111 name TUNNEL-L2TPv3-v200
configure terminal
!
ip cef
!
l2tp-class L2TP-CLASS1
hidden
authentication
hello 30
password xxx
!
pseudowire-class PW-CLASS1
encapsulation l2tpv3
sequencing both
protocol l2tpv3 L2TP-CLASS1
ip local interface Loopback0
ip pmtu
ip dfbit set
ip tos reflect
!
interface Fa0/1.111
description *** L2TP Tunnel to xxx ***
encapsulation dot1Q 111
xconnect 192.168.20.20 111 pw-class PW-CLASS1 sequencing both
!
snmp-server enable traps l2tun session
-------------------------------------------------
Other GW
-------------------------------------------------
Tunnel to loopbacks
-------------------------------------------------
!
interface Tunnel5
ip address 192.168.50.2 255.255.255.0
ip mtu 1476
ip virtual-reassembly
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination (wan addr)
end
!
interface Loopback0
ip address 192.168.20.20 255.255.255.0
ip virtual-reassembly
end
ip route 0.0.0.0 0.0.0.0 wan addr
ip route 192.168.10.0 255.255.255.0 192.168.50.1
-------------------------------------------------
L2TPv3
-------------------------------------------------
vlan database
vtp transparent
vlan 111 name TUNNEL-L2TPv3-v200
configure terminal
!
ip cef
!
l2tp-class L2TP-CLASS1
hidden
authentication
hello 30
password xxx
!
pseudowire-class PW-CLASS1
encapsulation l2tpv3
sequencing both
protocol l2tpv3 L2TP-CLASS1
ip local interface Loopback0
ip pmtu
ip dfbit set
ip tos reflect
!
interface Fa0/1.111
description *** L2TP Tunnel to xxx***
encapsulation dot1Q 111
xconnect 192.168.10.10 111 pw-class PW-CLASS1 sequencing both
!
snmp-server enable traps l2tun session
08-02-2019 12:27 AM
Hello Star_blazer,
If the other side can ping the fa0/0 IP address with 80% loss, I would say that you have a connectivity problem in the path.
You need to verify if L2TPv3 protocol is allowed on the path too.
see
https://tools.ietf.org/html/rfc3931
You need to allow IP protocol 115; L2TPv3 does not use UDP like L2TPv2 did.
L2TPv3 over IP (both versions) utilizes the IANA-assigned IP protocol ID 115.
section 4.1.1 of the RFC
Hope to help
Giuseppe
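One way to confirm from a capture whether IP protocol 115 actually reaches a gateway, as an added example that is not part of the original thread: it labels raw IPv4 packets as L2TPv3 over IP (control or data, using the zero Session ID rule from RFC 3931 section 4.1.1), L2TP over UDP 1701, or GRE. The function names, the 192.0.2.x addresses and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

L2TPV3_IP_PROTO = 115  # L2TPv3 directly over IP (RFC 3931, section 4.1.1)
GRE_IP_PROTO = 47      # GRE, used by Tunnel5 in the accepted solution
UDP_IP_PROTO = 17
L2TP_UDP_PORT = 1701   # L2TPv2 runs over UDP on this port

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by the tunnel protocol it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "non-first-fragment"  # no upper-layer header to inspect
    proto, payload = packet[9], packet[ihl:]
    if proto == L2TPV3_IP_PROTO:
        if len(payload) < 4:
            return "malformed"
        # Over IP, a Session ID of zero marks a control message.
        session_id = struct.unpack("!I", payload[:4])[0]
        return "l2tpv3-ip-control" if session_id == 0 else "l2tpv3-ip-data"
    if proto == UDP_IP_PROTO and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "l2tp-udp-1701" if L2TP_UDP_PORT in (sport, dport) else "other"
    return "gre" if proto == GRE_IP_PROTO else "other"

def ipv4(proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0, sample data only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         frag_offset, 64, proto, 0,
                         socket.inet_aton("192.0.2.1"),
                         socket.inet_aton("192.0.2.2"))
    return header + payload

# Constructed sample capture, not traffic from the thread.
SAMPLE = [
    ipv4(115, struct.pack("!I", 0) + b"\x00" * 12),        # control message
    ipv4(115, struct.pack("!I", 0x1234) + b"\xaa" * 60),   # session data
    ipv4(17, struct.pack("!HHHH", 1701, 1701, 16, 0) + b"\x00" * 8),
    ipv4(47, b"\x00\x00\x08\x00" + b"\x00" * 20),          # GRE carrying IPv4
    ipv4(115, b"\xbb" * 32, frag_offset=185),              # later fragment
]

def summarize(packets) -> Counter:
    return Counter(classify(p) for p in packets)
```

A capture that shows only `l2tpv3-ip-control` and no `l2tpv3-ip-data`, or no protocol 115 at all on the receiving side, points at filtering in the path rather than at the pseudowire configuration.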