06-12-2010 11:39 PM - edited 03-11-2019 10:58 AM
Hey all
Right, so I have a very weird issue that is annoying me no end. I cannot figure it out.
I have a PIX 515e firewall with an ADSL modem attached to one of the Fast Ethernet ports. The ADSL modem is in bridge mode and the PIX does the authentication on the ADSL connection.
Now, it's been working fine for weeks and weeks. I changed from one ADSL provider to another, and NO troubles.....
Today, we had a power outage and when it all came back online, no dice. The config on the PIX had been written to flash before the power cut.
2 hours of mucking around and I gave up. I grabbed an old Netgear modem and plugged it in; it didn't work at first, until I changed the ADSL Multiplexing Method type to LLC-Based.
Changed back to the PIX - same issue, got sync, but no connection.
My question: How the heck can I set that same Multiplexing Method on the PIX to rule that out as the issue?
The modem being used for the bridging - I hard reset it, and that modem connects fine (it's a Linksys), but again, back in bridge mode - no dice.
I redid all the PPPoE config on the PIX and same thing, but I cannot for the life of me find where to change the Multiplexing Method.
Any advice? Please? I'm really desperate here, Please and thank you in advance guys
06-13-2010 02:35 AM
Alek,
I checked internal resources but unfortunately I do not see SNAP/LLC support. But as far as I understand, that part should be done by the bridging modem...
Are you sure that for some reason PPPoE credentials or setting didn't get corrupted after power outage?
06-13-2010 02:49 AM
Hey Marcin,
Thanks for your reply
The modem is in a bridging mode, where it acts more as a media converter. The public IPs and the authentication are done on the Cisco PIX - nothing is done in the modem - regardless, I did just check now, and it was set correctly to have the correct multiplexing.
As for the details in the PIX going wrong - I deleted them and recreated them just to be sure, and same issue.
Thanks guys, appreciate the help
06-13-2010 02:54 AM
Alek,
Can you get:
-------
deb pppoe err
deb pppoe pack
deb pppoe eve
deb ppp auth
deb ppp lcp
deb ppp neg
deb ppp ipcp
-------
In fact you may want to try debugging all the suboptions under ppp.
Marcin
06-13-2010 03:17 AM
Hey
Thanks for the quick reply
The commands were all issued - the first 3 returned this:
sussex# deb pppoe eve
debug pppoe event enabled at level 1
Then this started appearing after I finished issuing all commands:
sussex# PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.XXXX Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: padi timer expired
This just repeats time and time over - I'm not 100% sure of its meaning, I'll start to google now - thought I would post this first.
06-13-2010 03:33 AM
Alek,
I need your model, SW version and configuration for PPPoE and routing.
I'd also need to know if the ASA was affected by the power outage or whether it was not torn down.
There are some bugs, some even with workarounds:
But basically the ASA never received answer to PADI (PADO I believe) ... packet capture on outside interface?
Marcin
06-13-2010 03:57 AM
Hey there
Thanks again
OK, so some basic info, which I should have provided earlier.
Have checked the authentication type: it is correct. I've also tried a couple of different username combos - they all result in the same thing - that error:
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.xxxx Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: padi timer expired
Firewall is a Cisco PIX Firewall 515e with a Restricted license
Result of the command: "show running-config"
: Saved
:
PIX Version 8.0(4)32
!
hostname sussex
domain-name home.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
name 192.168.0.100 Alek-PC description Aleks Main PC
name 192.168.0.10 Avoca description Main Link Avoca
name 192.168.0.86 Bilgola description Switch
name 192.168.0.20 Calculon description Cisco Home Lab Entry Point
name 192.168.0.110 Karen-PC description Mums PC
name 192.168.0.191 Lounge-MCPC description Loungeroom-MCPC
name 192.168.0.30 Ninetymile description Colour Laserjet Printer
name 192.168.0.190 Sunroom-MCPC description Back room MCPC
name 192.168.0.140 TAN-R31NBL description LAN
name 192.168.0.141 TAN-R31NBW description WLAN
name 192.168.0.142 TAN-R51NBL description LAN
name 192.168.0.143 TAN-R51NBW description WLAN
name 192.168.0.144 TAN-S10NBL description LAN
name 192.168.0.145 TAN-S10NBW description WLAN
name 192.168.0.79 Windawoppa description WAP
name 192.168.0.11 Balmoral description NTP and DNS server VIRTUAL
name 192.168.0.15 Palm description Cacti
name 192.168.0.16 Whale description Torrent Server
name 192.168.0.89 Robot_Santa description CHL 3550 Switch
name 10.0.0.10 Avoca-DMZ description Avoca DMZ
name 10.0.0.16 Whale-DMZ description Torrent Server
name 10.0.0.12 Avalon description Main Link Avalon VIRTUAL
name 192.168.0.192 Living-MCPC description Sunroom MCPC
!
interface Ethernet0
nameif outside
security-level 0
pppoe client vpdn group TPG
ip address pppoe
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet2
description dmz
nameif dmz
security-level 30
ip address 10.0.0.1 255.255.255.0
!
banner exec You are now logged onto $(hostname).$(domain)
banner exec Please logout when you are done
banner login -------------------------------------------------------------------------------
banner login Welcome to XXXX!
banner login -------------------------------------------------------------------------------
banner login UNAUTHORISED ACCESS TO ANY SERVER ON THIS NETWORK IS STRICTLY PROHIBITED
banner login Loging in to any any server within this network without a user and
banner login password is considered cracking. If you gain access to his network
banner login without direct permission, you will be prosecuted to the full extent of the law.
banner login If you access further systems by tunneling through this connection, you are
banner login breaching the network and you will be punished to the full extent of the law
banner login By accessing this system, you are consenting to system monitoring for law
banner login enforcement purposes including your IP Address and login times.
banner login Any information (including data) is property of this network and is
banner login protected under International Copyright.
banner login ------------------------------------------------------------------------------ -
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
retries 3
timeout 5
domain-name home.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp traceroute
object-group service RemoteAccess tcp
description RemoteAccess
port-object eq 3389
port-object eq pptp
port-object eq ssh
port-object eq telnet
port-object eq 10000
object-group service mail tcp
description mail
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
object-group service data tcp
description data
port-object eq ftp
port-object eq ftp-data
port-object eq 1044
object-group network desktops
description Main Desktop PC's
network-object host Alek-PC
network-object host Karen-PC
object-group network laptops
description Laptops
network-object host TAN-R31NBL
network-object host TAN-R31NBW
network-object host TAN-R51NBL
network-object host TAN-R51NBW
network-object host TAN-S10NBL
network-object host TAN-S10NBW
object-group network servers
description Servers
network-object host Avoca
network-object host Balmoral
network-object host Palm
network-object host Whale
object-group network DM_INLINE_NETWORK_1
group-object desktops
group-object laptops
network-object host Avoca
object-group service DM_INLINE_SERVICE_2
service-object tcp eq 13646
service-object udp eq 13646
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.255.0
network-object host 192.168.0.102
object-group network Printers
description Printers
network-object host Ninetymile
object-group network WAPs
description Wireless Access Devices
network-object host Windawoppa
object-group network switches
description Network Switches
network-object host Bilgola
object-group network Media_Centers
network-object host Living-MCPC
network-object host Lounge-MCPC
object-group network DM_INLINE_NETWORK_4
group-object desktops
group-object laptops
network-object host Avoca
group-object Media_Centers
object-group network LiveServers
description Servers in everyday use
network-object host Avoca
network-object host Balmoral
object-group network DM_INLINE_NETWORK_6
group-object desktops
group-object laptops
group-object LiveServers
object-group network DM_INLINE_NETWORK_7
group-object desktops
group-object laptops
object-group network DM_INLINE_NETWORK_8
group-object desktops
group-object laptops
object-group network DM_INLINE_NETWORK_9
group-object desktops
group-object laptops
object-group service MSN_TCP tcp
description MSN Messenger TCP
port-object range 1025 1035
port-object eq 1863
port-object range 5000 5010
port-object eq 5061
port-object eq 7001
object-group service MSN_UDP udp
description MSN Messenger UDP
port-object range 1025 1035
port-object range 5000 5010
port-object range 5004 5014
port-object eq 7001
port-object eq discard
object-group network DM_INLINE_NETWORK_10
network-object host Alek-PC
network-object host TAN-R31NBL
object-group service Torrent tcp
description Torrents
port-object eq 13646
port-object eq 13367
port-object eq 6969
object-group service Torrent_UDP udp
description Torrent UDP
port-object eq 13646
port-object eq 13367
port-object eq 6969
object-group network DM_INLINE_NETWORK_11
network-object host Alek-PC
network-object host TAN-R31NBL
object-group service DM_INLINE_SERVICE_4
service-object tcp eq 13367
service-object udp eq 13367
object-group network PlanetExpress
description Cisco Home Lab
network-object host Robot_Santa
object-group network DNSServers
description DNS Servers
network-object host Avoca
network-object host Balmoral
object-group network DMZServers
description DMZ Server
network-object host Avalon
network-object host Whale-DMZ
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_8 any object-group MSN_TCP
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_9 any object-group MSN_UDP
access-list inside_access_in remark SSH, Telnet, RDC, Webmin
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group RemoteAccess
access-list inside_access_in remark Torrent Traffic
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group Torrent any object-group Torrent
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_11 object-group Torrent_UDP any object-group Torrent_UDP
access-list inside_access_in remark FTP etc
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 any object-group data
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DNSServers any eq domain
access-list inside_access_in extended permit udp host Balmoral any eq ntp
access-list inside_access_in remark Ping & tracert
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_6 any
access-list inside_access_in extended permit ip host 192.168.0.101 any
access-list inside_access_in extended permit ip host TAN-R31NBL any
access-list inside_access_in extended permit ip host 192.168.0.101 host Avalon
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark RDC
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark SSH
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq domain
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avalon any eq www
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avalon any eq domain
access-list outside2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address sussex@home.local
logging recipient-address alek@home.local level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 interface
global (dmz) 30 interface
nat (inside) 101 192.168.0.0 255.255.255.0
nat (dmz) 101 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) udp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) tcp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) udp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Avoca 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface www Avalon www netmask 255.255.255.255
static (dmz,outside) tcp interface ssh Avalon ssh netmask 255.255.255.255
static (inside,outside) tcp 110.175.27.11 www Palm www netmask 255.255.255.255
static (dmz,inside) tcp Alek-PC ssh Avalon ssh netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Remember that you are connected to home. Please disconnect when you are done."
network-acl inside_access_in
network-acl outside_access_in
eou allow none
aaa authentication telnet console LOCAL
http server enable 81
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside Palm community public
snmp-server location Study Rack
snmp-server contact Alek
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
no sysopt connection permit-vpn
auth-prompt prompt Please authenticate:
auth-prompt accept Welcome Home!
auth-prompt reject Whoopsies. You didnt climb the stairs!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 192.168.0.101 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
vpdn group TPG request dialout pppoe
vpdn group TPG localname apat5364@L2TP.tpg.com.au
vpdn group TPG ppp authentication pap
vpdn username apat5364@L2TP.tpg.com.au password ********* store-local
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server Balmoral source inside prefer
group-policy DfltGrpPolicy attributes
banner value Welcome to Home
wins-server value 192.168.0.10
dns-server value 192.168.0.10
default-domain value home.local
username alek password XXXXX encrypted privilege 15
username alek attributes
vpn-group-policy DfltGrpPolicy
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage enable
group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
dhcp-server Avoca
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:89adb5e8e628209e5b9e4473eec3e292
: end
06-13-2010 04:10 AM
Alek,
Granted I have not been touching PPPoE for a long time but I don't think this is the moment you send username and password for authentication.
Note, it's PPPoE discovery message.
So :
1) was the PIX reloaded in the course of power outage?
2) Did you reload if afterwards?
3) Did you try removing all PPPoE config from both interface and global config and adding it back again? Possibly without the store option until we know it works.
4) But again... there's something funky with the bridge IMHO ... I would expect reply to our PPPoE discovery messages... everything OK on ISP side?
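The PADI/PADO exchange Marcin is describing, and the debug lines Alek posted earlier, as an added Python example (not from the thread, not Cisco code): it encodes the exact PADI the debug shows, decodes discovery payloads defensively, and triages a constructed copy of the debug output to confirm that PADIs went out with no PADO back. Code and tag values are from RFC 2516; the assumption that a received frame would be logged in the same Code:xx=NAME format as the sent ones is mine.

```python
import re
import struct

# PPPoE discovery codes and tag types from RFC 2516 (Ethertype 0x8863 as in the debug)
CODE_NAMES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0103


def encode_discovery(code, session_id, tags):
    """Build a discovery payload: VER/TYPE byte (1 and 1 -> 0x11), CODE,
    SESSION_ID, LENGTH of the TLV body, then the TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body


def decode_discovery(data):
    """Parse a discovery payload; truncated or overrunning TLVs are rejected."""
    if len(data) < 6:
        raise ValueError("short PPPoE header")
    vertype, code, session_id, length = struct.unpack("!BBHH", data[:6])
    if vertype != 0x11:
        raise ValueError("unsupported VER/TYPE byte 0x%02x" % vertype)
    body = data[6:6 + length]
    if len(body) != length:
        raise ValueError("payload shorter than LENGTH field")
    tags, off = [], 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + tlen > len(body):
            raise ValueError("tag length overruns payload")
        tags.append((tag, body[off:off + tlen]))
        off += tlen
        if tag == TAG_END_OF_LIST:
            break
    return {"code": CODE_NAMES.get(code, "0x%02x" % code),
            "session_id": session_id, "length": length, "tags": tags}


def build_padi_from_debug():
    """The PADI the thread's debug shows: empty Service-Name tag plus a
    4-byte Host-Uniq of 00000002, which is why the header reads Len:12."""
    return encode_discovery(0x09, 0, [(TAG_SERVICE_NAME, b""),
                                      (TAG_HOST_UNIQ, bytes.fromhex("00000002"))])


_CODE_RE = re.compile(r"Code:([0-9A-Fa-f]{2})=(PAD[IORST])")


def triage_pppoe_debug(lines):
    """Count discovery messages in 'debug pppoe' output and say whether the
    access concentrator ever answered. Assumption (mine): received frames,
    if any, are logged with the same Code:xx=NAME format as the sent ones."""
    counts = {name: 0 for name in CODE_NAMES.values()}
    timeouts = 0
    for line in lines:
        m = _CODE_RE.search(line)
        if m:
            counts[m.group(2)] += 1
        if "padi timer expired" in line:
            timeouts += 1
    if counts["PADI"] and not counts["PADO"]:
        verdict = "no PADO for any PADI: nothing on the wire is answering discovery"
    else:
        verdict = "discovery completed" if counts["PADS"] else "discovery incomplete"
    return {"counts": counts, "timeouts": timeouts, "verdict": verdict}


# Constructed sample, modelled on the lines posted in the thread (MAC masked)
SAMPLE_DEBUG = """\
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0017.9514.xxxx Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: padi timer expired
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: padi timer expired
""".splitlines()
```

A verdict of "no PADO" on a bridged modem points at the bridge or the ISP's access concentrator rather than at PPP credentials, which are only exchanged after PADS.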
06-13-2010 04:17 AM
Marcin,
1) The PIX lost power completely for 20 minutes.
2) Yes, it has been reloaded several times to see if it helped - no dice.
3) Yes I did - no change - I will try removing it all again and not selecting the store option and see how we go.
4) Everything is definitely OK from the ISP side - when I use an old Netgear modem I have, it works fine (this is bypassing the PIX altogether, however), but I had to select the LLC-Based Multiplexing - before I did that, the Netgear was doing the same thing as the PIX config - once I changed that I was able to connect fine.
06-13-2010 04:23 AM
Alek,
Wouldn't that indicate something changed on ISP side? I mean PIX/ASA never supported SNAP/LLC from what I know.
As a last resort, give it a try without password storing; then I would give the ISP a call. (You might try running "fsck" before doing any changes.)
Marcin
06-13-2010 04:42 AM
Tried without storing the password - no dice.
I don't know what the heck has changed - ISP says nothing has changed - I beg to differ, but they say nothing's changed - they won't assist with this setup either, unfortunately.
2 modems connect fine when they aren't connected to the PIX, but when the PIX takes over the authentication - no go.
Any other ideas, Marcin? - Thanks for your help so far, by the way, I really appreciate it.
I guess the other option is to always try a complete factory reset of the PIX (don't really want to do that, but).
06-13-2010 04:52 AM
Alek,
Looks to me like you will not lose too much info (no certificates, some passwords, passphrases) by doing
---------
fsck
clear conf all
wri
reload
(copy back previous config - filling in the password hidden behind *****)
----------
It's an idea - probably last thing you can do short of opening a TAC case if you want to have this verified.
Marcin
06-13-2010 06:44 AM
Hey again
I'm starting to think it's the one modem I'm using, because I had a PIX 501 - and it threw the same error once I configured it up.
I've reset it and upgraded the firmware, going to leave it off overnight and see if it works in the morning.
Hopefully it will!
Thanks again for the help
06-13-2010 06:50 AM
Best of luck
Let me know either way.
Marcin
06-13-2010 08:41 PM
Marcin,
Thank you so much for your help, really really appreciate it.
This problem is now solved.
Turned out that the modem in use for the bridge was at fault - I was using a Linksys AM300 - seemed that after a hard reset, it was doing the same thing. So I hard reset it, reloaded the firmware and left it off overnight without setting it up. This morning, I reset the modem into bridge mode, set it up and it worked fine first go.
So I guess it was the modem the whole time.
Thanks heaps for your help, really appreciate the suggestions and ideas.
Just to bring it back to the original issue, however, for the sake of google searches:
We never did work out changing the multiplexing method - I didn't change anything in regards to this - simply reset everything and it seemed to work OK - the modem was the biggest issue, I believe.