PIX 515e ADSL LLC Based Encapsulation

Answered Question
Jun 12th, 2010

Hey all

Right, so I have a very weird issue that is annoying me no end. I cannot figure it out.

I have a PIX 515e firewall with an ADSL modem attached to one of the Fast Ethernet ports. The ADSL modem is in bridge mode and the PIX does the authentication on the ADSL connection.

Now, it's been working fine for weeks and weeks. I changed from one ADSL provider to another, and NO troubles.....

Today, we had a power outage and when it all came back online, no dice. The config on the PIX had been written to flash before the power cut.

2 hours of mucking around and I gave up. I grabbed an old Netgear modem and plugged it in; it didn't work at first, until I changed the ADSL Multiplexing Method type to LLC-Based.

Changed back to the PIX - same issue: got sync, but no connection.

My question: how the heck can I set that same Multiplexing Method on the PIX to rule that out as the issue?

The modem being used for the bridging - I hard reset it, and that modem connects fine (it's a Linksys), but again, back in bridge mode - no dice.

I redid all the PPPoE config on the PIX and same thing, but I cannot for the life of me find where to change the Multiplexing Method.

Any advice? Please? I'm really desperate here. Please and thank you in advance, guys.

Marcin Latosiewicz Sun, 06/13/2010 - 02:35

Alek,

I checked internal resources but unfortunately I do not see SNAP/LLC support. But as far as I understand, that part should be done by the bridging modem...

Are you sure that for some reason the PPPoE credentials or settings didn't get corrupted after the power outage?

pattya94191 Sun, 06/13/2010 - 02:49

Hey Marcin,

Thanks for your reply

The modem is in bridging mode, where it acts more as a media converter. The public IPs and the authentication are done on the Cisco PIX - nothing is done in the modem. Regardless, I did just check now, and it was set correctly to have the correct multiplexing.

As for the details in the PIX going wrong - I deleted them and recreated them just to be sure, and same issue.

Thanks guys, appreciate the help

Marcin Latosiewicz Sun, 06/13/2010 - 02:54

Alek,

Can you get:

-------
deb pppoe err
deb pppoe pack
deb pppoe eve
deb ppp auth
deb ppp lcp
deb ppp neg
deb ppp ipcp
-------

In fact you may want to try debugging all the suboptions under ppp.

Marcin

pattya94191 Sun, 06/13/2010 - 03:17

Hey

Thanks for the quick reply

The commands were all issued - the first 3 returned this:

sussex# deb pppoe eve
debug pppoe event enabled at level 1

Then this started appearing after I finished issuing all commands:

sussex# PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.XXXX Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: padi timer expired

This just repeats time and time over - I'm not 100% sure of its meaning; I'll start to Google now - thought I would post this first.

Marcin Latosiewicz Sun, 06/13/2010 - 03:33

Alek,

I need your model, SW version and configuration for PPPoE and routing.

I'd also need to know if the ASA was affected by power outage or was it not torn down.

There are some bugs, some even with workarounds:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh58003

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy89445

But basically the ASA never received an answer to PADI (PADO I believe)... packet capture on outside interface?

Marcin
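To make the debug output above readable, here is an added Python example (not from the PIX or from anyone in this thread) that builds the same PADI frame the PIX is sending (RFC 2516 layout: Ver 1, Type 1, Code 0x09, Session 0, a zero-length Service-Name tag and a 4-byte Host-Uniq tag, giving Len:12) and checks whether a PADO is a genuine answer to it. The AC-Name value and the sample PADO are constructed for the example; the Host-Uniq value 00000002 is taken from the debug lines.

```python
import struct

# PPPoE Discovery constants from RFC 2516 (EtherType 0x8863 is the
# "Type:0x8863=PPPoE-Discovery" seen in the PIX debug output).
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
CODE_PADI = 0x09   # client -> broadcast: "is there an access concentrator?"
CODE_PADO = 0x07   # access concentrator -> client: offer
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
TAG_HOST_UNIQ = 0x0103
CODE_NAMES = {CODE_PADI: "PADI", CODE_PADO: "PADO"}
VER_TYPE = (1 << 4) | 1  # Ver:1 Type:1 packed into one byte


def build_tags(tags):
    """Encode (tag_type, value) pairs as PPPoE TLVs: 2-byte type, 2-byte length, value."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def build_padi(host_uniq, service_name=b""):
    """PPPoE payload of a PADI exactly as the PIX debug shows: Service-Name then Host-Uniq."""
    payload = build_tags([(TAG_SERVICE_NAME, service_name), (TAG_HOST_UNIQ, host_uniq)])
    return struct.pack("!BBHH", VER_TYPE, CODE_PADI, 0, len(payload)) + payload


def build_pado(host_uniq, ac_name, service_name=b""):
    """Constructed PADO: the AC names itself and must echo the client's Host-Uniq."""
    payload = build_tags([(TAG_AC_NAME, ac_name), (TAG_SERVICE_NAME, service_name),
                          (TAG_HOST_UNIQ, host_uniq)])
    return struct.pack("!BBHH", VER_TYPE, CODE_PADO, 0, len(payload)) + payload


def parse_discovery(frame):
    """Parse a PPPoE discovery payload; raise ValueError on truncated or unknown input."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    vt, code, session, length = struct.unpack("!BBHH", frame[:6])
    if vt != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    body = frame[6:6 + length]
    if len(body) < length:
        raise ValueError("payload truncated")
    tags, off = {}, 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + tlen > len(body):
            raise ValueError("truncated tag value")
        tags.setdefault(ttype, []).append(body[off:off + tlen])
        off += tlen
    return {"code": code, "session": session, "length": length, "tags": tags}


def summarize(frame):
    """Render a discovery payload in the shape of the PIX 'debug pppoe event' header line."""
    d = parse_discovery(frame)
    return "Ver:1 Type:1 Code:%02X=%s Sess:%d Len:%d" % (
        d["code"], CODE_NAMES.get(d["code"], "?"), d["session"], d["length"])


def pado_answers_padi(padi, pado):
    """A PADO only answers our PADI if it is a PADO, session 0, and echoes our Host-Uniq."""
    p, o = parse_discovery(padi), parse_discovery(pado)
    if p["code"] != CODE_PADI or o["code"] != CODE_PADO or o["session"] != 0:
        return False
    return p["tags"].get(TAG_HOST_UNIQ) == o["tags"].get(TAG_HOST_UNIQ)
```

"padi timer expired" in the debug means no frame satisfying pado_answers_padi ever arrived on the outside interface, so the fault lies between the PIX and the access concentrator rather than in the PAP credentials, which are only exchanged after discovery completes.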

pattya94191 Sun, 06/13/2010 - 03:57

Hey there

Thanks again

OK, so some basic info, which I should have provided earlier.

Have checked the authentication type: it is correct. I've also tried a couple of different username combos - they all result in the same thing - that error:

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.xxxx Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: padi timer expired

Firewall is a Cisco PIX Firewall 515e with a Restricted license

Result of the command: "show running-config"

: Saved
:
PIX Version 8.0(4)32
!
hostname sussex
domain-name home.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
name 192.168.0.100 Alek-PC description Aleks Main PC
name 192.168.0.10 Avoca description Main Link Avoca
name 192.168.0.86 Bilgola description Switch
name 192.168.0.20 Calculon description Cisco Home Lab Entry Point
name 192.168.0.110 Karen-PC description Mums PC
name 192.168.0.191 Lounge-MCPC description Loungeroom-MCPC
name 192.168.0.30 Ninetymile description Colour Laserjet Printer
name 192.168.0.190 Sunroom-MCPC description Back room MCPC
name 192.168.0.140 TAN-R31NBL description LAN
name 192.168.0.141 TAN-R31NBW description WLAN
name 192.168.0.142 TAN-R51NBL description LAN
name 192.168.0.143 TAN-R51NBW description WLAN
name 192.168.0.144 TAN-S10NBL description LAN
name 192.168.0.145 TAN-S10NBW description WLAN
name 192.168.0.79 Windawoppa description WAP
name 192.168.0.11 Balmoral description NTP and DNS server VIRTUAL
name 192.168.0.15 Palm description Cacti
name 192.168.0.16 Whale description Torrent Server
name 192.168.0.89 Robot_Santa description CHL 3550 Switch
name 10.0.0.10 Avoca-DMZ description Avoca DMZ
name 10.0.0.16 Whale-DMZ description Torrent Server
name 10.0.0.12 Avalon description Main Link Avalon VIRTUAL
name 192.168.0.192 Living-MCPC description Sunroom MCPC
!
interface Ethernet0
 nameif outside
 security-level 0
 pppoe client vpdn group TPG
 ip address pppoe
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet2
 description dmz
 nameif dmz
 security-level 30
 ip address 10.0.0.1 255.255.255.0
!
banner exec You are now logged onto $(hostname).$(domain)
banner exec Please logout when you are done
banner login -------------------------------------------------------------------------------
banner login                        Welcome to XXXX!
banner login -------------------------------------------------------------------------------
banner login    UNAUTHORISED ACCESS TO ANY SERVER ON THIS NETWORK IS STRICTLY PROHIBITED
banner login Loging in to any any server within this network without a user and
banner login password is considered cracking. If you gain access to his network
banner login without direct permission, you will be prosecuted to the full extent of the law.
banner login If you access further systems by tunneling through this connection, you are
banner login breaching the network and you will be punished to the full extent of the law
banner login By accessing this system, you are consenting to system monitoring for law
banner login enforcement purposes including your IP Address and login times.
banner login Any information (including data) is property of this network and is
banner login protected under International Copyright.
banner login ------------------------------------------------------------------------------ -
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 retries 3
 timeout 5
 domain-name home.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp traceroute
object-group service RemoteAccess tcp
 description RemoteAccess
 port-object eq 3389
 port-object eq pptp
 port-object eq ssh
 port-object eq telnet
 port-object eq 10000
object-group service mail tcp
 description mail
 port-object eq imap4
 port-object eq pop2
 port-object eq pop3
 port-object eq smtp
object-group service data tcp
 description data
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 1044
object-group network desktops
 description Main Desktop PC's
 network-object host Alek-PC
 network-object host Karen-PC
object-group network laptops
 description Laptops
 network-object host TAN-R31NBL
 network-object host TAN-R31NBW
 network-object host TAN-R51NBL
 network-object host TAN-R51NBW
 network-object host TAN-S10NBL
 network-object host TAN-S10NBW
object-group network servers
 description Servers
 network-object host Avoca
 network-object host Balmoral
 network-object host Palm
 network-object host Whale
object-group network DM_INLINE_NETWORK_1
 group-object desktops
 group-object laptops
 network-object host Avoca
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 13646
 service-object udp eq 13646
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.0.0 255.255.255.0
 network-object host 192.168.0.102
object-group network Printers
 description Printers
 network-object host Ninetymile
object-group network WAPs
 description Wireless Access Devices
 network-object host Windawoppa
object-group network switches
 description Network Switches
 network-object host Bilgola
object-group network Media_Centers
 network-object host Living-MCPC
 network-object host Lounge-MCPC
object-group network DM_INLINE_NETWORK_4
 group-object desktops
 group-object laptops
 network-object host Avoca
 group-object Media_Centers
object-group network LiveServers
 description Servers in everyday use
 network-object host Avoca
 network-object host Balmoral
object-group network DM_INLINE_NETWORK_6
 group-object desktops
 group-object laptops
 group-object LiveServers
object-group network DM_INLINE_NETWORK_7
 group-object desktops
 group-object laptops
object-group network DM_INLINE_NETWORK_8
 group-object desktops
 group-object laptops
object-group network DM_INLINE_NETWORK_9
 group-object desktops
 group-object laptops
object-group service MSN_TCP tcp
 description MSN Messenger TCP
 port-object range 1025 1035
 port-object eq 1863
 port-object range 5000 5010
 port-object eq 5061
 port-object eq 7001
object-group service MSN_UDP udp
 description MSN Messenger UDP
 port-object range 1025 1035
 port-object range 5000 5010
 port-object range 5004 5014
 port-object eq 7001
 port-object eq discard
object-group network DM_INLINE_NETWORK_10
 network-object host Alek-PC
 network-object host TAN-R31NBL
object-group service Torrent tcp
 description Torrents
 port-object eq 13646
 port-object eq 13367
 port-object eq 6969
object-group service Torrent_UDP udp
 description Torrent UDP
 port-object eq 13646
 port-object eq 13367
 port-object eq 6969
object-group network DM_INLINE_NETWORK_11
 network-object host Alek-PC
 network-object host TAN-R31NBL
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 13367
 service-object udp eq 13367
object-group network PlanetExpress
 description Cisco Home Lab
 network-object host Robot_Santa
object-group network DNSServers
 description DNS Servers
 network-object host Avoca
 network-object host Balmoral
object-group network DMZServers
 description DMZ Server
 network-object host Avalon
 network-object host Whale-DMZ
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_8 any object-group MSN_TCP
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_9 any object-group MSN_UDP
access-list inside_access_in remark SSH, Telnet, RDC, Webmin
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group RemoteAccess
access-list inside_access_in remark Torrent Traffic
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group Torrent any object-group Torrent
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_11 object-group Torrent_UDP any object-group Torrent_UDP
access-list inside_access_in remark FTP etc
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 any object-group data
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DNSServers any eq domain
access-list inside_access_in extended permit udp host Balmoral any eq ntp
access-list inside_access_in remark Ping & tracert
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_6 any
access-list inside_access_in extended permit ip host 192.168.0.101 any
access-list inside_access_in extended permit ip host TAN-R31NBL any
access-list inside_access_in extended permit ip host 192.168.0.101 host Avalon
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark RDC
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark SSH
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq domain
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avalon any eq www
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avalon any eq domain
access-list outside2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 interface
global (dmz) 30 interface
nat (inside) 101 192.168.0.0 255.255.255.0
nat (dmz) 101 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) udp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) tcp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) udp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Avoca 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface www Avalon www netmask 255.255.255.255
static (dmz,outside) tcp interface ssh Avalon ssh netmask 255.255.255.255
static (inside,outside) tcp 110.175.27.11 www Palm www netmask 255.255.255.255
static (dmz,inside) tcp Alek-PC ssh Avalon ssh netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 user-message "Remember that you are connected to home. Please disconnect when you are done."
 network-acl inside_access_in
 network-acl outside_access_in
eou allow none
aaa authentication telnet console LOCAL
http server enable 81
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside Palm community public
snmp-server location Study Rack
snmp-server contact Alek
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
no sysopt connection permit-vpn
auth-prompt prompt Please authenticate:
auth-prompt accept Welcome Home!
auth-prompt reject Whoopsies. You didnt climb the stairs!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 192.168.0.101 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
vpdn group TPG request dialout pppoe
vpdn group TPG localname [email protected]
vpdn group TPG ppp authentication pap
vpdn username [email protected] password ********* store-local
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server Balmoral source inside prefer
group-policy DfltGrpPolicy attributes
 banner value Welcome to Home
 wins-server value 192.168.0.10
 dns-server value 192.168.0.10
 default-domain value home.local
username alek password XXXXX encrypted privilege 15
username alek attributes
 vpn-group-policy DfltGrpPolicy
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 dhcp-server Avoca
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:89adb5e8e628209e5b9e4473eec3e292
: end

Marcin Latosiewicz Sun, 06/13/2010 - 04:10

Alek,

Granted I have not been touching PPPoE for a long time, but I don't think this is the moment you send username and password for authentication.

Note, it's PPPoE discovery message.

So :

1) Was the PIX reloaded in the course of the power outage?

2) Did you reload it afterwards?

3) Did you try removing all PPPoE config from both interface and global config and adding it back again? Possibly without the store option until we know it works.

4) But again... there's something funky with the bridge IMHO... I would expect a reply to our PPPoE discovery messages... everything OK on ISP side?

pattya94191 Sun, 06/13/2010 - 04:17

Marcin,

1) The PIX lost power completely for 20 minutes.

2) Yes, it has been reloaded several times to see if it helped - no dice.

3) Yes I did - no change - I will try removing it all again and not selecting the store option and see how we go.

4) Everything is definitely OK from the ISP side - when I use an old Netgear modem I have, it works fine (this is bypassing the PIX altogether, however) but I had to select the LLC-Based Multiplexing - before I did that, the Netgear was doing the same thing as the PIX config - once I changed that I was able to connect fine.

Correct Answer
Marcin Latosiewicz Sun, 06/13/2010 - 04:23

Alek,

Wouldn't that indicate something changed on ISP side? I mean PIX/ASA never supported SNAP/LLC from what I know.

As last resort give it a try without password storing then I would give ISP a call. (you might try running "fsck" before doing any changes).

Marcin

pattya94191 Sun, 06/13/2010 - 04:42

Tried without storing the password - no dice.

I don't know what the heck has changed - the ISP says nothing has changed - I beg to differ, but they say nothing's changed - they won't assist with this setup either, unfortunately.

2 modems connect fine when they aren't connected to the PIX, but when the PIX takes over the authentication - no go.

Any other ideas Marcin? - Thanks for your help so far by the way, I really appreciate it.

I guess the other option is to always try a complete factory reset of the PIX (don't really want to do that, but).

Marcin Latosiewicz Sun, 06/13/2010 - 04:52

Alek,

Looks to me like you will not lose too much info (no certificates, some passwords, passphrases) by doing

---------
fsck
clear conf all
wri
reload
(copy back previous config - filling in the password hidden behind *****)
----------

It's an idea - probably last thing you can do short of opening a TAC case if you want to have this verified.

Marcin

pattya94191 Sun, 06/13/2010 - 06:44

Hey again

I'm starting to think it's the one modem I'm using, because I had a PIX 501 - and it threw the same error once I configured it up.

I've reset it and upgraded the firmware; going to leave it off overnight and see if it works in the morning.

Hopefully it will!

Thanks again for the help

pattya94191 Sun, 06/13/2010 - 20:41

Marcin,

Thank you so much for your help, really really appreciate it.

This problem is now solved.

Turned out that the modem in use for the bridge was at fault - I was using a Linksys AM300 - seemed that after a hard reset, it was doing the same thing. So I hard reset it, reloaded the firmware and left it off overnight without setting it up. This morning, reset the modem into bridge mode, set it up and it worked fine first go.

So I guess it was the modem the whole time.

Thanks heaps for your help, really appreciate the suggestions and ideas.

Just to bring it back to the original issue however, for the sake of Google searches:

We never did work out changing the multiplexing method - I didn't change anything in regards to this - simply reset everything and it seemed to work OK - the modem was the biggest issue, I believe.
