PIX 515e ADSL LLC Based Encapsulation

Answered Question
Jun 12th, 2010

Hey all

Right, so I have a very weird issue that is annoying me no end. I cannot figure it out.

I have a PIX 515e firewall with an ADSL modem attached to one of the Fast Ethernet ports. The ADSL modem is in bridge mode and the PIX does the authentication on the ADSL connection.

Now, it's been working fine for weeks and weeks. I changed from one ADSL provider to another, and NO troubles.....

Today, we had a power outage and when it all came back online, no dice. The config on the PIX had been written to flash before the power cut.

2 hours of mucking around and I gave up. I grabbed an old Netgear modem and plugged it in; it didn't work at first, until I changed the ADSL Multiplexing Method type to LLC-Based.

Changed back to the PIX - same issue: got sync, but no connection.

My question: how the heck can I set that same Multiplexing Method on the PIX to rule that out as the issue?

The modem being used for the bridging - I hard reset it, and that modem connects fine (it's a Linksys), but again, back in bridge mode - no dice.

I redid all the PPPoE config on the PIX and same thing, but I cannot for the life of me find where to change the Multiplexing Method.

Any advice? Please? I'm really desperate here. Please and thank you in advance, guys.

Marcin Latosiewicz (Cisco Employee) Sun, 06/13/2010 - 02:35

Alek,

I checked internal resources but unfortunately I do not see SNAP/LLC support. But as far as I understand, that part should be done by the bridging modem...

Are you sure that for some reason the PPPoE credentials or settings didn't get corrupted after the power outage?

pattya94191 Sun, 06/13/2010 - 02:49

Hey Marcin,

Thanks for your reply.

The modem is in a bridging mode, where it acts more as a media converter. The public IPs and the authentication are done on the Cisco PIX - nothing is done in the modem. Regardless, I did just check now, and it was set correctly to have the correct multiplexing.

As for the details in the PIX going wrong - I deleted them and recreated them just to be sure, and same issue.

Thanks guys, appreciate the help.

Marcin Latosiewicz (Cisco Employee) Sun, 06/13/2010 - 02:54

Alek,

Can you get:

-------
deb pppoe err
deb pppoe pack
deb pppoe eve
deb ppp auth
deb ppp lcp
deb ppp neg
deb ppp ipcp
-------

In fact you may want to try debugging all the suboptions under ppp.

Marcin

pattya94191 Sun, 06/13/2010 - 03:17

Hey

Thanks for the quick reply.

The commands were all issued - the first 3 returned this:

sussex# deb pppoe eve
debug pppoe event enabled at level 1

Then this started appearing after I finished issuing all the commands:

sussex# PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.XXXX Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: padi timer expired

This just repeats time and time over - I'm not 100% sure of its meaning, I'll start to Google now - thought I would post this first.

Marcin Latosiewicz (Cisco Employee) Sun, 06/13/2010 - 03:33

Alek,

I need your model, SW version and configuration for PPPoE and routing.

I'd also need to know if the ASA was affected by the power outage or was it not torn down.

There are some bugs, some even with workarounds:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh58003

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy89445

But basically the ASA never received an answer to the PADI (PADO I believe) ... packet capture on outside interface?

Marcin
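The PADI/PADO discovery exchange Marcin is pointing at is what the `debug pppoe` lines above are showing, and it helps to see the frame the PIX is broadcasting laid out field by field. The following is an added example written for this thread, not code from the original post or from Cisco: it builds a PADI frame per RFC 2516, parses it back into the Ver/Type/Code/Sess/Len and tag fields that appear in the debug, and summarises a block of debug output to say whether the exchange stalled before any PADO came back. The source MAC and Host-Uniq values are constructed (the debug masks the real MAC), and the `Code:07=PADO` match is an assumption by analogy with the `Code:09=PADI` line on the page.

```python
"""PPPoE discovery (RFC 2516) frame builder/parser plus a debug-output summary."""
import struct
from dataclasses import dataclass

ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # the Type:0x8863 shown in the debug
VER_TYPE = 0x11                       # version 1 and type 1 packed into one byte
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
CODE_NAMES = {PADI: "PADI", PADO: "PADO", PADR: "PADR", PADS: "PADS"}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
TAG_NAMES = {TAG_SERVICE_NAME: "SVCNAME", TAG_AC_NAME: "ACNAME", TAG_HOST_UNIQ: "HOSTUNIQ"}


@dataclass
class Discovery:
    dst: bytes
    src: bytes
    code: int
    session: int
    tags: list  # (tag_type, value) pairs in wire order

    @property
    def payload_len(self) -> int:
        return sum(4 + len(value) for _, value in self.tags)


def build_padi(src_mac: bytes, host_uniq: bytes, service_name: bytes = b"") -> bytes:
    """Broadcast PADI carrying an empty Service-Name tag and a Host-Uniq tag."""
    tags = (struct.pack("!HH", TAG_SERVICE_NAME, len(service_name)) + service_name
            + struct.pack("!HH", TAG_HOST_UNIQ, len(host_uniq)) + host_uniq)
    header = struct.pack("!BBHH", VER_TYPE, PADI, 0, len(tags))  # session id is 0 during discovery
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + header + tags


def parse_discovery(frame: bytes) -> Discovery:
    """Parse an Ethernet frame carrying a PPPoE discovery packet; rejects malformed input."""
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError(f"not PPPoE discovery: ethertype 0x{ethertype:04x}")
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != VER_TYPE:
        raise ValueError(f"unsupported PPPoE ver/type 0x{ver_type:02x}")
    body = frame[20:20 + length]
    if len(body) != length:                  # declared length must fit inside the frame
        raise ValueError("PPPoE payload truncated")
    tags, offset = [], 0
    while offset < length:
        if offset + 4 > length:
            raise ValueError("dangling tag header")
        tag_type, tag_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + tag_len]
        if len(value) != tag_len:            # tag must not run past the declared payload
            raise ValueError("tag length exceeds payload")
        tags.append((tag_type, value))
        offset += 4 + tag_len
    return Discovery(dst, src, code, session, tags)


def describe(d: Discovery) -> list:
    """Render a parsed packet in the same shape as the PIX debug lines."""
    lines = [f"Code:{d.code:02X}={CODE_NAMES.get(d.code, '?')} Sess:{d.session} Len:{d.payload_len}"]
    for tag_type, value in d.tags:
        lines.append(f"Type:{tag_type:04x}:{TAG_NAMES.get(tag_type, '?')} Len:{len(value)}")
    return lines


def summarize_discovery_debug(lines) -> dict:
    """Count discovery events in 'debug pppoe' output and say where the exchange stalls."""
    sent = sum(1 for line in lines if "Code:09=PADI" in line)
    offers = sum(1 for line in lines if "Code:07=PADO" in line)   # assumed log form for a PADO
    timeouts = sum(1 for line in lines if "padi timer expired" in line)
    if sent and not offers:
        verdict = "PADI sent, no PADO: nothing beyond the firewall answered (bridge, modem or ISP path)"
    elif offers:
        verdict = "PADO received: an access concentrator answered; check PADR/PADS and PPP auth next"
    else:
        verdict = "no discovery traffic seen"
    return {"padi_sent": sent, "pado_received": offers, "padi_timeouts": timeouts, "verdict": verdict}


# Constructed sample: the debug block from this thread, repeated twice as the poster saw it.
SAMPLE_DEBUG = """\
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.XXXX Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: padi timer expired
""" * 2

if __name__ == "__main__":
    padi = build_padi(bytes.fromhex("001795140000"), b"\x00\x00\x00\x02")  # constructed MAC/Host-Uniq
    for line in describe(parse_discovery(padi)):
        print("PPPoE:", line)
    print(summarize_discovery_debug(SAMPLE_DEBUG.splitlines()))
```

The Len:12 in the debug is exactly what the parser recovers: a 4-byte Service-Name tag header with no value plus a 4-byte Host-Uniq header with a 4-byte value. A PADI that is only ever followed by `padi timer expired` means the frame left the firewall but no access concentrator offered a session, which is why the next useful place to look is the bridge or a capture on the outside interface rather than the PPP credentials.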

pattya94191 Sun, 06/13/2010 - 03:57

Hey there

Thanks again.

OK, so some basic info, which I should have provided earlier.

I have checked the authentication type: it is correct. I've also tried a couple of different user name combos - they all result in the same thing - that error:

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.xxxx Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: padi timer expired

Firewall is a Cisco PIX Firewall 515e with a Restricted license.

Result of the command: "show running-config"


: Saved
:
PIX Version 8.0(4)32
!
hostname sussex
domain-name home.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
name 192.168.0.100 Alek-PC description Aleks Main PC
name 192.168.0.10 Avoca description Main Link Avoca
name 192.168.0.86 Bilgola description Switch
name 192.168.0.20 Calculon description Cisco Home Lab Entry Point
name 192.168.0.110 Karen-PC description Mums PC
name 192.168.0.191 Lounge-MCPC description Loungeroom-MCPC
name 192.168.0.30 Ninetymile description Colour Laserjet Printer
name 192.168.0.190 Sunroom-MCPC description Back room MCPC
name 192.168.0.140 TAN-R31NBL description LAN
name 192.168.0.141 TAN-R31NBW description WLAN
name 192.168.0.142 TAN-R51NBL description LAN
name 192.168.0.143 TAN-R51NBW description WLAN
name 192.168.0.144 TAN-S10NBL description LAN
name 192.168.0.145 TAN-S10NBW description WLAN
name 192.168.0.79 Windawoppa description WAP
name 192.168.0.11 Balmoral description NTP and DNS server VIRTUAL
name 192.168.0.15 Palm description Cacti
name 192.168.0.16 Whale description Torrent Server
name 192.168.0.89 Robot_Santa description CHL 3550 Switch
name 10.0.0.10 Avoca-DMZ description Avoca DMZ
name 10.0.0.16 Whale-DMZ description Torrent Server
name 10.0.0.12 Avalon description Main Link Avalon VIRTUAL
name 192.168.0.192 Living-MCPC description Sunroom MCPC
!
interface Ethernet0
 nameif outside
 security-level 0
 pppoe client vpdn group TPG
 ip address pppoe
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet2
 description dmz
 nameif dmz
 security-level 30
 ip address 10.0.0.1 255.255.255.0
!
banner exec You are now logged onto $(hostname).$(domain)
banner exec Please logout when you are done
banner login -------------------------------------------------------------------------------
banner login                        Welcome to XXXX!
banner login -------------------------------------------------------------------------------
banner login    UNAUTHORISED ACCESS TO ANY SERVER ON THIS NETWORK IS STRICTLY PROHIBITED
banner login Loging in to any any server within this network without a user and
banner login password is considered cracking. If you gain access to his network
banner login without direct permission, you will be prosecuted to the full extent of the law.
banner login If you access further systems by tunneling through this connection, you are
banner login breaching the network and you will be punished to the full extent of the law
banner login By accessing this system, you are consenting to system monitoring for law
banner login enforcement purposes including your IP Address and login times.
banner login Any information (including data) is property of this network and is
banner login protected under International Copyright.
banner login ------------------------------------------------------------------------------ -
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 retries 3
 timeout 5
 domain-name home.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp traceroute
object-group service RemoteAccess tcp
 description RemoteAccess
 port-object eq 3389
 port-object eq pptp
 port-object eq ssh
 port-object eq telnet
 port-object eq 10000
object-group service mail tcp
 description mail
 port-object eq imap4
 port-object eq pop2
 port-object eq pop3
 port-object eq smtp
object-group service data tcp
 description data
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 1044
object-group network desktops
 description Main Desktop PC's
 network-object host Alek-PC
 network-object host Karen-PC
object-group network laptops
 description Laptops
 network-object host TAN-R31NBL
 network-object host TAN-R31NBW
 network-object host TAN-R51NBL
 network-object host TAN-R51NBW
 network-object host TAN-S10NBL
 network-object host TAN-S10NBW
object-group network servers
 description Servers
 network-object host Avoca
 network-object host Balmoral
 network-object host Palm
 network-object host Whale
object-group network DM_INLINE_NETWORK_1
 group-object desktops
 group-object laptops
 network-object host Avoca
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 13646
 service-object udp eq 13646
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.0.0 255.255.255.0
 network-object host 192.168.0.102
object-group network Printers
 description Printers
 network-object host Ninetymile
object-group network WAPs
 description Wireless Access Devices
 network-object host Windawoppa
object-group network switches
 description Network Switches
 network-object host Bilgola
object-group network Media_Centers
 network-object host Living-MCPC
 network-object host Lounge-MCPC
object-group network DM_INLINE_NETWORK_4
 group-object desktops
 group-object laptops
 network-object host Avoca
 group-object Media_Centers
object-group network LiveServers
 description Servers in everyday use
 network-object host Avoca
 network-object host Balmoral
object-group network DM_INLINE_NETWORK_6
 group-object desktops
 group-object laptops
 group-object LiveServers
object-group network DM_INLINE_NETWORK_7
 group-object desktops
 group-object laptops
object-group network DM_INLINE_NETWORK_8
 group-object desktops
 group-object laptops
object-group network DM_INLINE_NETWORK_9
 group-object desktops
 group-object laptops
object-group service MSN_TCP tcp
 description MSN Messenger TCP
 port-object range 1025 1035
 port-object eq 1863
 port-object range 5000 5010
 port-object eq 5061
 port-object eq 7001
object-group service MSN_UDP udp
 description MSN Messenger UDP
 port-object range 1025 1035
 port-object range 5000 5010
 port-object range 5004 5014
 port-object eq 7001
 port-object eq discard
object-group network DM_INLINE_NETWORK_10
 network-object host Alek-PC
 network-object host TAN-R31NBL
object-group service Torrent tcp
 description Torrents
 port-object eq 13646
 port-object eq 13367
 port-object eq 6969
object-group service Torrent_UDP udp
 description Torrent UDP
 port-object eq 13646
 port-object eq 13367
 port-object eq 6969
object-group network DM_INLINE_NETWORK_11
 network-object host Alek-PC
 network-object host TAN-R31NBL
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 13367
 service-object udp eq 13367
object-group network PlanetExpress
 description Cisco Home Lab
 network-object host Robot_Santa
object-group network DNSServers
 description DNS Servers
 network-object host Avoca
 network-object host Balmoral
object-group network DMZServers
 description DMZ Server
 network-object host Avalon
 network-object host Whale-DMZ
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_8 any object-group MSN_TCP
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_9 any object-group MSN_UDP
access-list inside_access_in remark SSH, Telnet, RDC, Webmin
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group RemoteAccess
access-list inside_access_in remark Torrent Traffic
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group Torrent any object-group Torrent
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_11 object-group Torrent_UDP any object-group Torrent_UDP
access-list inside_access_in remark FTP etc
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 any object-group data
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DNSServers any eq domain
access-list inside_access_in extended permit udp host Balmoral any eq ntp
access-list inside_access_in remark Ping & tracert
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_6 any
access-list inside_access_in extended permit ip host 192.168.0.101 any
access-list inside_access_in extended permit ip host TAN-R31NBL any
access-list inside_access_in extended permit ip host 192.168.0.101 host Avalon
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark RDC
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark SSH
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq domain
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avalon any eq www
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avalon any eq domain
access-list outside2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address sussex@home.local
logging recipient-address alek@home.local level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 interface
global (dmz) 30 interface
nat (inside) 101 192.168.0.0 255.255.255.0
nat (dmz) 101 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) udp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) tcp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) udp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Avoca 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface www Avalon www netmask 255.255.255.255
static (dmz,outside) tcp interface ssh Avalon ssh netmask 255.255.255.255
static (inside,outside) tcp 110.175.27.11 www Palm www netmask 255.255.255.255
static (dmz,inside) tcp Alek-PC ssh Avalon ssh netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 user-message "Remember that you are connected to home. Please disconnect when you are done."
 network-acl inside_access_in
 network-acl outside_access_in
eou allow none
aaa authentication telnet console LOCAL
http server enable 81
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside Palm community public
snmp-server location Study Rack
snmp-server contact Alek
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
no sysopt connection permit-vpn
auth-prompt prompt Please authenticate:
auth-prompt accept Welcome Home!
auth-prompt reject Whoopsies. You didnt climb the stairs!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 192.168.0.101 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
vpdn group TPG request dialout pppoe
vpdn group TPG localname apat5364@L2TP.tpg.com.au
vpdn group TPG ppp authentication pap
vpdn username apat5364@L2TP.tpg.com.au password ********* store-local
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server Balmoral source inside prefer
group-policy DfltGrpPolicy attributes
 banner value Welcome to Home
 wins-server value 192.168.0.10
 dns-server value 192.168.0.10
 default-domain value home.local
username alek password XXXXX encrypted privilege 15
username alek attributes
 vpn-group-policy DfltGrpPolicy
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 dhcp-server Avoca
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:89adb5e8e628209e5b9e4473eec3e292
: end

Marcin Latosiewicz (Cisco Employee) Sun, 06/13/2010 - 04:10

Alek,

Granted I have not been touching PPPoE for a long time, but I don't think this is the moment you send username and password for authentication.

Note, it's a PPPoE discovery message.

So:

1) Was the PIX reloaded in the course of the power outage?

2) Did you reload it afterwards?

3) Did you try removing all PPPoE config from both interface and global config and adding it back again? Possibly without the store option until we know it works.

4) But again... there's something funky with the bridge IMHO ... I would expect a reply to our PPPoE discovery messages... everything OK on ISP side?

pattya94191 Sun, 06/13/2010 - 04:17

Marcin,

1) The PIX lost power completely for 20 minutes.

2) Yes, it has been reloaded several times to see if it helped - no dice.

3) Yes I did - no change - I will try removing it all again and not selecting the store option and see how we go.

4) Everything is definitely OK from the ISP side - when I use an old Netgear modem I have, it works fine (this is bypassing the PIX altogether however), but I had to select the LLC-Based Multiplexing - before I did that, the Netgear was doing the same thing as the PIX config - once I changed that I was able to connect fine.

Correct Answer
Marcin Latosiewicz (Cisco Employee) Sun, 06/13/2010 - 04:23

Alek,

Wouldn't that indicate something changed on the ISP side? I mean PIX/ASA never supported SNAP/LLC from what I know.

As a last resort give it a try without password storing, then I would give the ISP a call. (You might try running "fsck" before doing any changes.)

Marcin

pattya94191 Sun, 06/13/2010 - 04:42

Tried without storing the password - no dice.

I don't know what the heck has changed - the ISP says nothing has changed - I beg to differ, but they say nothing's changed - they won't assist with this setup either, unfortunately.

2 modems connect fine when they aren't connected to the PIX, but when the PIX takes over the authentication - no go.

Any other ideas Marcin? - Thanks for your help so far by the way, I really appreciate it.

I guess the other option is to always try a complete factory reset of the PIX (don't really want to do that, but).

Marcin Latosiewicz (Cisco Employee) Sun, 06/13/2010 - 04:52

Alek,

Looks to me like you will not lose too much info (no certificates, some passwords, passphrases) by doing

---------
fsck
clear conf all
wri
reload
(copy back previous config - filling in the password hidden behind *****)
----------

It's an idea - probably the last thing you can do short of opening a TAC case if you want to have this verified.

Marcin

pattya94191 Sun, 06/13/2010 - 06:44

Hey again

I'm starting to think it's the one modem I'm using, because I had a PIX 501 - and it threw the same error once I configured it up.

I've reset it and upgraded the firmware; going to leave it off overnight and see if it works in the morning.

Hopefully it will!

Thanks again for the help.

pattya94191 Sun, 06/13/2010 - 20:41

Marcin,

Thank you so much for your help, really really appreciate it.

This problem is now solved.

Turned out that the modem in use for the bridge was at fault - I was using a Linksys AM300 - it seemed that after a hard reset, it was doing the same thing. So I hard reset it, reloaded the firmware and left it off overnight without setting it up. This morning, I reset the modem into bridge mode, set it up and it worked fine first go.

So I guess it was the modem the whole time.

Thanks heaps for your help, really appreciate the suggestions and ideas.

Just to bring it back to the original issue however, for the sake of Google searches:

We never did work out changing the multiplexing method - I didn't change anything in regards to this - simply reset everything and it seemed to work OK. The modem was the biggest issue, I believe.
