L2TP Tunnel to ISP goes down after a minute

Unanswered Question
Sep 11th, 2010

Hardware: Cisco 851 (MPC8272) processor (revision 0x300) with 59392K/6144K bytes of memory.

IOS: Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)


I am connected to my ISP via LAN (by DHCP) and need to establish a PPP connection with an L2TP tunnel to get to the Internet.

I did all the setup according to the Cisco documentation here http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html


After a successful negotiation and obtaining a WAN address, the tunnel stays up for 50-60 seconds, then goes down.

Here's the debug log:


----------------------------------------------------------------------------------------------------------------------------
000036: *Sep 11 16:42:24.071 PCTime: %LINK-3-UPDOWN: Interface Virtual-PPP1, changed state to up
000037: *Sep 11 16:42:24.071 PCTime: Vp1 PPP: Using vpn set call direction
000038: *Sep 11 16:42:24.071 PCTime: Vp1 PPP: Treating connection as a callout
000039: *Sep 11 16:42:24.071 PCTime: Vp1 PPP: Session handle[80000002] Session id[4]
000040: *Sep 11 16:42:24.071 PCTime: Vp1 PPP: Phase is ESTABLISHING, Active Open
000041: *Sep 11 16:42:24.071 PCTime: Vp1 PPP: Authorization required
000042: *Sep 11 16:42:24.071 PCTime: Vp1 PPP: No remote authentication for call-out
000043: *Sep 11 16:42:24.071 PCTime: Vp1 LCP: O CONFREQ [Closed] id 51 len 10
000044: *Sep 11 16:42:24.071 PCTime: Vp1 LCP:    MagicNumber 0xB1E0E382 (0x0506B1E0E382)
000045: *Sep 11 16:42:24.075 PCTime: L2X  00001:_____:________: APP->L2TP: Session reopen, 
000046: *Sep 11 16:42:24.075 PCTime: L2X  00001:_____:________:            sock 0xC8000001
000047: *Sep 11 16:42:24.075 PCTime: L2X  00001:_____:________:            serv 0x00000000
000048: *Sep 11 16:42:24.075 PCTime: L2X  00001:_____:________:            data 0x829ADABC[92]
000049: *Sep 11 16:42:24.075 PCTime: L2X  00001:_____:________:  
000050: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________: Create session
000051: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:   App type set to XCONNECT
000052: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:   Need cc version: V2
000053: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:   Session classname beeline
000054: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:   L2TPoUDP session needed between
000055: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:     <unset>:0<->10.0.0.28:0
000056: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:   Using ICRQ FSM
000057: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:     remote ip set to 10.0.0.28
000058: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:     local ip set to 10.68.183.241
000059: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________:     guessed local ip of 10.68.183.241
000060: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________: no cookies enabled
000061: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________: FSM-Sn ev App-Conn
000062: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________: FSM-Sn    Idle->Wt-CC
000063: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________: FSM-Sn do App-Connect
000064: *Sep 11 16:42:24.075 PCTime: L2TP 00001:_____:________: Find or create cc for session
000065: *Sep 11 16:42:24.075 PCTime: L2TP       _____:________: Find cc between
000066: *Sep 11 16:42:24.075 PCTime: L2TP       _____:________:   <unset><->10.0.0.28
000067: *Sep 11 16:42:24.075 PCTime: L2TP       _____:________:   with class: beeline
000068: *Sep 11 16:42:24.075 PCTime: L2TP       _____:________:   and IP proto: L2TPoUDP
000069: *Sep 11 16:42:24.075 PCTime: L2TP       _____:________:   and framing type: none
000070: *Sep 11 16:42:24.079 PCTime: L2TP       _____:________:   and bearer type: none
000071: *Sep 11 16:42:24.079 PCTime: L2TP       _____:________:   and version: V2
000072: *Sep 11 16:42:24.079 PCTime: L2TP       _____:________: Need to instigate control channel
000073: *Sep 11 16:42:24.079 PCTime: L2X  tnl   0100A:________: Create logical tunnel
000074: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:________: Create tunnel
000075: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:________:     version set to V2
000076: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:________:     remote ip set to 10.0.0.28
000077: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:________:     local ip set to 10.68.183.241
000078: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:________:     guessed local ip of 10.68.183.241
000079: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251:     class name beeline
000080: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: FSM-CC ev Session-Conn
000081: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: FSM-CC    Idle->Wt-Sock
000082: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: FSM-CC do Session-Conn-Sock
000083: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251:   Session count now 1
000084: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251:   XCONNECT Session count now 1
000085: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251:   Session PMTU count now 1
000086: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: Open sock 10.68.183.241:1701->10.0.0.28:1701
000087: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: FSM-CC ev Sock-Ready
000088: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: FSM-CC    Wt-Sock->Wt-SCCRP
000089: *Sep 11 16:42:24.079 PCTime: L2TP tnl   0100A:00001251: FSM-CC do Tx-SCCRQ
000090: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:  
000091: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251: O SCCRQ to 10.0.0.28
000092: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:  IETF v2:
000093: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:   Protocol Version  1, Revision 0
000094: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:   Framing Cap       none(0x0)
000095: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:   Tie Breaker
000096: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:     2573437734206683887
000097: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:   Firmware Ver      0x1130
000098: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:   Hostname          "cisco"
000099: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:   Vendor Name       
000100: *Sep 11 16:42:24.083 PCTime: L2TP tnl   0100A:00001251:     "Cisco Systems, Inc."
000101: *Sep 11 16:42:24.087 PCTime: L2TP tnl   0100A:00001251:   Assigned Tunnel I 4689
000102: *Sep 11 16:42:24.087 PCTime: L2TP tnl   0100A:00001251:   Rx Window Size    128
000103: *Sep 11 16:42:24.087 PCTime: L2TP tnl   0100A:00001251:  
000104: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C: Session attached
000105: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C:  
000106: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C: APP->L2TP: setup dataplane, 
000107: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C:            sock 0xC8000001
000108: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C:            serv 0x00000000
000109: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C:            no serv hdl yet; use socket
000110: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C:  
000111: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev DP-Setup
000112: *Sep 11 16:42:24.087 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    in Wt-CC
000113: *Sep 11 16:42:24.091 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Ignore-DP-Setup
000114: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:  
000115: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251: I SCCRP, flg TLS, ver 2, len 109
000116: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:  IETF v2:
000117: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:   Protocol Version  1, Revision 0
000118: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:   Framing Cap       none(0x0)
000119: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:   Firmware Ver      0x1130
000120: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:   Hostname          "ar0-co25.zp.fttb"
000121: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:   Vendor Name       
000122: *Sep 11 16:42:24.091 PCTime: L2TP tnl   0100A:00001251:     "Cisco Systems, Inc."
000123: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251:   Assigned Tunnel I 36720
000124: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251:   Rx Window Size    1024
000125: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251:  
000126: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: I SCCRP from ar0-co25.zp.fttb
000127: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: FSM-CC ev Rx-SCCRP
000128: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: FSM-CC    Wt-SCCRP->Proc-SCCRP
000129: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: FSM-CC do Rx-SCCRP
000130: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: FSM-CC ev SCCRP-OK
000131: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: FSM-CC    Proc-SCCRP->established
000132: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: FSM-CC do Tx-SCCCN
000133: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251:  
000134: *Sep 11 16:42:24.095 PCTime: L2TP tnl   0100A:00001251: O SCCCN to ar0-co25.zp.fttb tnl 36720
000135: *Sep 11 16:42:24.099 PCTime: L2TP tnl   0100A:00001251:  
000136: *Sep 11 16:42:24.099 PCTime: L2TP tnl   0100A:00001251: Control channel up
000137: *Sep 11 16:42:24.099 PCTime: L2TP tnl   0100A:00001251:   10.68.183.241<->10.0.0.28
000138: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev CC-Up
000139: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    Wt-CC->Wt-Sock
000140: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do CC-Up
000141: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C:   Session needs to have:
000142: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C:     V2 V3 Eth VLAN HDLC PPP FR-DLCI 
000143: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C:     ATM-PORT ATM-VP ATM-VC-CELL IP 
000144: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C:     Tie-Breaker
000145: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C:   Peer cc can do:
000146: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C:     V2 Tie-Breaker
000147: *Sep 11 16:42:24.099 PCTime: L2TP 00001:0100A:0000000C: Open sock 10.68.183.241:1701->10.0.0.28:1701
000148: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Sock-Ready
000149: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    Wt-Sock->Wt-Tx-ICRQ
000150: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Tx-ICRQ-Local-Check
000151: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Local-Cont
000152: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    Wt-Tx-ICRQ->Wt-Rx-ICRP
000153: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Tx-ICRQ
000154: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C:  
000155: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C: O ICRQ to ar0-co25.zp.fttb 36720/0
000156: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C:  IETF v2:
000157: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C:   Assigned Call ID  12
000158: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C:   Serial Number     52641
000159: *Sep 11 16:42:24.103 PCTime: L2TP 00001:0100A:0000000C:  
000160: *Sep 11 16:42:24.107 PCTime: L2TP tnl   0100A:00001251: I ZLB ACK, flg TLS, ver 2, len 12
000161: *Sep 11 16:42:24.107 PCTime: L2TP tnl   0100A:00001251:  
000162: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C: I ICRP, flg TLS, ver 2, len 28
000163: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C:  IETF v2:
000164: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C:   Assigned Call ID  47223
000165: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C:  
000166: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Rx-ICRP
000167: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    Wt-Rx-ICRP->Proc-ICRP
000168: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Rx-ICRP
000169: *Sep 11 16:42:24.107 PCTime: L2TP 00001:0100A:0000000C:   MTU is 65535
000170: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C: Session data plane UP
000171: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C: Remote AC is now UP
000172: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:  
000173: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C: APP<-L2TP: remote circuit status
000174: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:            sock 0xC8000001
000175: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:            serv 0x00001000
000176: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:            UP
000177: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:  
000178: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C: XCONNECT: process AVPs
000179: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:  
000180: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C: APP<-L2TP: connecting
000181: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:            sock 0xC8000001
000182: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:            serv 0x00001000
000183: *Sep 11 16:42:24.111 PCTime: L2TP 00001:0100A:0000000C:  
000184: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Local-Up
000185: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    in Proc-ICRP
000186: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Noop-Local-State-Change
000187: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C:  
000188: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: APP->L2TP: connect cont, 
000189: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C:            sock 0xC8000001
000190: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C:            serv 0x00001000
000191: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C:            replied on same socket
000192: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C:  
000193: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev ICRP-OK
000194: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    Proc-ICRP->Wt-Tx-ICCN
000195: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Tx-ICCN-Local-Check
000196: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Local-Cont
000197: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    Wt-Tx-ICCN->established
000198: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Tx-ICCN
000199: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C:  
000200: *Sep 11 16:42:24.115 PCTime: L2TP 00001:0100A:0000000C: APP<-L2TP: connected
000201: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:            sock 0xC8000001
000202: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:            serv 0x00001000
000203: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:  
000204: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C: O ICCN to ar0-co25.zp.fttb 36720/47223
000205: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:  IETF v2:
000206: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:   Framing Type      none(0)
000207: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:   Connect Speed     0
000208: *Sep 11 16:42:24.119 PCTime: L2TP 00001:0100A:0000000C:  
000209: *Sep 11 16:42:24.123 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Established
000210: *Sep 11 16:42:24.123 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    in established
000211: *Sep 11 16:42:24.123 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Established
000212: *Sep 11 16:42:24.123 PCTime: L2TP 00001:0100A:0000000C: Session up
000213: *Sep 11 16:42:24.123 PCTime: L2TP 00001:0100A:0000000C:   10.68.183.241<->10.0.0.28
000214: *Sep 11 16:42:24.123 PCTime: L2TP tnl   0100A:00001251:  
000215: *Sep 11 16:42:24.123 PCTime: L2TP tnl   0100A:00001251: I ZLB ACK, flg TLS, ver 2, len 12
000216: *Sep 11 16:42:24.123 PCTime: L2TP tnl   0100A:00001251:  
000217: *Sep 11 16:42:24.123 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn ev Local-Up
000218: *Sep 11 16:42:24.127 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn    in established
000219: *Sep 11 16:42:24.127 PCTime: L2TP 00001:0100A:0000000C: FSM-Sn do Tx-SLI
000220: *Sep 11 16:42:26.079 PCTime: Vp1 LCP: Timeout: State REQsent
000221: *Sep 11 16:42:26.079 PCTime: Vp1 LCP: O CONFREQ [REQsent] id 52 len 10
000222: *Sep 11 16:42:26.079 PCTime: Vp1 LCP:    MagicNumber 0xB1E0E382 (0x0506B1E0E382)
000223: *Sep 11 16:42:26.079 PCTime: Vp1 LCP: I CONFREQ [REQsent] id 1 len 19
000224: *Sep 11 16:42:26.079 PCTime: Vp1 LCP:    MRU 1460 (0x010405B4)
000225: *Sep 11 16:42:26.079 PCTime: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
000226: *Sep 11 16:42:26.079 PCTime: Vp1 LCP:    MagicNumber 0xE8A9B341 (0x0506E8A9B341)
000227: *Sep 11 16:42:26.079 PCTime: Vp1 LCP: O CONFNAK [REQsent] id 1 len 8
000228: *Sep 11 16:42:26.079 PCTime: Vp1 LCP:    MRU 1500 (0x010405DC)
000229: *Sep 11 16:42:26.079 PCTime: Vp1 LCP: I CONFACK [REQsent] id 52 len 10
000230: *Sep 11 16:42:26.079 PCTime: Vp1 LCP:    MagicNumber 0xB1E0E382 (0x0506B1E0E382)
000231: *Sep 11 16:42:26.087 PCTime: Vp1 LCP: I CONFREQ [ACKrcvd] id 2 len 19
000232: *Sep 11 16:42:26.087 PCTime: Vp1 LCP:    MRU 1500 (0x010405DC)
000233: *Sep 11 16:42:26.087 PCTime: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
000234: *Sep 11 16:42:26.087 PCTime: Vp1 LCP:    MagicNumber 0xE8A9B341 (0x0506E8A9B341)
000235: *Sep 11 16:42:26.087 PCTime: Vp1 LCP: O CONFACK [ACKrcvd] id 2 len 19
000236: *Sep 11 16:42:26.087 PCTime: Vp1 LCP:    MRU 1500 (0x010405DC)
000237: *Sep 11 16:42:26.087 PCTime: Vp1 LCP:    AuthProto CHAP (0x0305C22305)
000238: *Sep 11 16:42:26.087 PCTime: Vp1 LCP:    MagicNumber 0xE8A9B341 (0x0506E8A9B341)
000239: *Sep 11 16:42:26.087 PCTime: Vp1 LCP: State is Open
000240: *Sep 11 16:42:26.087 PCTime: Vp1 PPP: No authorization without authentication
000241: *Sep 11 16:42:26.087 PCTime: Vp1 PPP: Phase is AUTHENTICATING, by the peer
000242: *Sep 11 16:42:26.119 PCTime: Vp1 CHAP: I CHALLENGE id 1 len 37 from "ar0-co25.zp.fttb"
000243: *Sep 11 16:42:26.119 PCTime: Vp1 CHAP: Using hostname from interface CHAP
000244: *Sep 11 16:42:26.119 PCTime: Vp1 CHAP: Using password from interface CHAP
000245: *Sep 11 16:42:26.119 PCTime: Vp1 CHAP: O RESPONSE id 1 len 31 from "0003803100"
000246: *Sep 11 16:42:26.207 PCTime: Vp1 CHAP: I SUCCESS id 1 len 4
000247: *Sep 11 16:42:26.207 PCTime: Vp1 PPP: Phase is FORWARDING, Attempting Forward
000248: *Sep 11 16:42:26.207 PCTime: Vp1 PPP: Queue IPCP code[1] id[1]
000249: *Sep 11 16:42:26.207 PCTime: Vp1 PPP: Phase is ESTABLISHING, Finish LCP
000250: *Sep 11 16:42:26.211 PCTime: Vp1 PPP: Phase is UP
000251: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP: O CONFREQ [Closed] id 1 len 10
000252: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP:    Address 0.0.0.0 (0x030600000000)
000253: *Sep 11 16:42:26.211 PCTime: Vp1 PPP: Process pending ncp packets
000254: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP: Redirect packet to Vp1
000255: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP: I CONFREQ [REQsent] id 1 len 10
000256: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP:    Address 94.27.126.8 (0x03065E1B7E08)
000257: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP: O CONFACK [REQsent] id 1 len 10
000258: *Sep 11 16:42:26.211 PCTime: Vp1 IPCP:    Address 94.27.126.8 (0x03065E1B7E08)
000259: *Sep 11 16:42:26.215 PCTime: Vp1 IPCP: I CONFNAK [ACKsent] id 1 len 10
000260: *Sep 11 16:42:26.215 PCTime: Vp1 IPCP:    Address 46.118.76.217 (0x03062E764CD9)
000261: *Sep 11 16:42:26.215 PCTime: Vp1 IPCP: O CONFREQ [ACKsent] id 2 len 10
000262: *Sep 11 16:42:26.219 PCTime: Vp1 IPCP:    Address 46.118.76.217 (0x03062E764CD9)
000263: *Sep 11 16:42:26.223 PCTime: Vp1 IPCP: I CONFACK [ACKsent] id 2 len 10
000264: *Sep 11 16:42:26.223 PCTime: Vp1 IPCP:    Address 46.118.76.217 (0x03062E764CD9)
000265: *Sep 11 16:42:26.223 PCTime: Vp1 IPCP: State is Open
000266: *Sep 11 16:42:26.223 PCTime: Vp1 IPCP: Install negotiated IP interface address 46.118.76.217
000267: *Sep 11 16:42:26.227 PCTime: Vp1 IPCP: Install route to 94.27.126.8
000268: *Sep 11 16:42:27.207 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up
000270: *Sep 11 16:43:18.430 PCTime: Vp1 PPP: Missed 5 keepalives, taking LCP down
000271: *Sep 11 16:43:18.430 PCTime: Vp1 PPP: Sending Acct Event[Down] id[5]
000272: *Sep 11 16:43:18.430 PCTime: Vp1 LCP: State is Closed
000273: *Sep 11 16:43:18.430 PCTime: Vp1 PPP: Phase is DOWN
000274: *Sep 11 16:43:18.430 PCTime: Vp1 IPCP: State is Closed
000275: *Sep 11 16:43:18.430 PCTime: Vp1 PPP: Phase is ESTABLISHING, Passive Open
000276: *Sep 11 16:43:18.430 PCTime: Vp1 LCP: State is Listen
000277: *Sep 11 16:43:18.438 PCTime: Vp1 IPCP: Remove route to 94.27.126.8
000278: *Sep 11 16:43:19.430 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down

----------------------------------------------------------------------------------------------------------------------------


After the interface goes down, I can't ever ping my provider's local network hosts (10.x.x.x), including the gateway, DNS servers and BRAS, until I disable the Virtual-PPP1 interface and do a "shut/no shut" on the WAN interface (FastEthernet4).


What have I missed?


My config:


!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 *****************************
!
no aaa new-model
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-2208831923
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2208831923
revocation-check none
rsakeypair TP-self-signed-2208831923
!
!
crypto pki certificate chain TP-self-signed-2208831923
certificate self-signed 01 nvram:IOS-Self-Sig#25.cer
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.121 192.168.1.254
!
ip dhcp pool Home-LAN
   import all
   network 192.168.1.0 255.255.255.0
   lease infinite
!
!
ip cef
ip domain name internet.beeline.ua
l2tp-class beeline
!
!
!
!
username max privilege 15 secret 5 *********************
!
!
archive
log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
pseudowire-class pwc1
encapsulation l2tpv2
protocol l2tpv2 beeline
ip local interface FastEthernet4
ip pmtu
ip dfbit set
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
!
interface Virtual-PPP1
ip address negotiated
no cdp enable
ppp authentication chap callin
ppp chap hostname 0003803100
ppp chap password 7 ******************
pseudowire 10.0.0.28 1 pw-class pwc1
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
!
no ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
logging 192.168.1.2
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end





j-marenda Sat, 09/11/2010 - 08:51

Your logging states it:


Vp1 PPP: Missed 5 keepalives, taking LCP down


On Cisco routers, the keepalive default is 10 seconds.

After 5 missed keepalive answers, the link is declared dead.

5 x 10 sec = 50 sec, your ca. minute.


For almost all ADSL connections, the typical telco keepalive time is 30 seconds.


If you can check with the other side,
they should check

a) your radius-profile for a keepalive statement

b) the virtual-template for the default value.


If you can't check, try:


c)

conf t
interface Virtual-PPP1
keep 30
end


or


d)

conf t
interface Virtual-PPP1
no keep
end

d) means no keepalive checking, so your router will think after the initial connection that it's always logged in, even when the remote side clears your session (probably, you get this signalled by l2tp).


Hope this helps,


Juergen.



EnemaBandit Sat, 09/11/2010 - 09:36

Already tried keepalive option, with no success.


Keepalive loss is just an indication of something wrong with routes/CEF, as far as I understand.


I forgot to mention that the same L2TP connection from my computer with Windows (connected to ISP) works well.


Also already tried no peer neighbor-route, no ip route-cache cef, setting routes manually

ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.0.0.28 255.255.255.255 dhcp
ip route 10.10.14.2 255.255.255.255 dhcp


Still fails.

EnemaBandit Sat, 09/11/2010 - 09:52

I have found something similar here - http://www.velocityreviews.com/forums/t379750-p3-cisco-1721-as-pptp-client.html


"Any packets sent into the vpn will disappear into a black hole because of the routing loop created by using the same address for the server's end of the PPP link and the initiate-to.  That's what is killing the vpn by blocking the keepalives."


Maybe it's the cause?

j-marenda Sat, 09/11/2010 - 12:27

That sounds like a good explanation for the scenario.


So you must either construct an ip local policy route-map
to fix this - may be a problem with dynamic "Internet" ip,
or put the different layers into different routing clouds ("vrf"s) to solve that problem.


Juergen.

EnemaBandit Sat, 09/11/2010 - 13:05

Can you please provide an example? I'm new to cisco routers, just started to learn IOS concepts.

j-marenda Sat, 09/11/2010 - 14:00

The l2tp traffic is global, your int fas 4 dhcp connection.

The vlan1 and ppp interface go to the routing-table "home".

So you can easily have for both just the default-route without
having to differentiate them or write magic policy maps:


conf t
!
ip vrf home
rd 65535:20
route-target both 65535:20
!
int virt-ppp 1
ip vrf forwarding home
! entering this deletes configured ip address, so configure it again
ip address negotiated
!
int vlan 1
ip vrf forwarding home
! entering this deletes configured ip address, so configure it again
! oops, you were telnetting thru this interface.
! good old serial light-blue cable
ip address 192.168.1.254 255.255.255.0
!
ip route vrf home 0.0.0.0 0.0.0.0 virt-ppp 1
!
end


CLI commands let you select the right routing-cloud:

"show ip route vrf home"
"ping vrf home 1.2.3.4"
"telnet 1.2.3.4 /vrf home"
...


Hope this helps,


Juergen.

EnemaBandit Sat, 09/11/2010 - 15:08

Unfortunately, cisco 851 does not recognize ip vrf syntax.

j-marenda Mon, 09/13/2010 - 08:47

Now I have set up an 881 out of the box (behind a NAT internet router).

( universal-data-12.4(15)XZ  image )

Central side is currently a 7206vxr-npe300, with the latest/last possible IOS.


My sessions get closed after 2:40, which fits the configured keepalive of 30 seconds.

Or is it a NAT timeout on the device in between?


In the meantime, only very little traffic is passing between them (1 or 2 "ping"s work, then fini)

(independent of vrf or not).


I suspect my central side, since that device has shut off CEF due to low memory.


I will set up, hmmm, Wednesday, a 1812 to have a "fresh" central side.


Juergen..

j-marenda Mon, 09/13/2010 - 09:13

Just moved the config to the NAT router in front of the 881 (a Cisco 1803, 12.4(15T2) )

so that NAT is not the factor: no change, session down after <3 min because of 5 lost keepalives

(routing with overlapping IP addresses is not the case here).


Since the "central side" is quite old and I set up the l2tp function here to have a quick start,

I believe I must change this device first.


Juergen.

j-marenda Tue, 09/21/2010 - 04:42

So, I did set up my "central side".


When the virtual-template uses the same (loopback) address as the l2tp does,

(and the CPE, here: 881) does _not_ have a vrf as shown,

I also get the missed keepalives and session shutdown.


With a vrf for the "inside" LAN everything works fine.


Also with "no peer neighbor route" and some special route it works.


Looking thru Software Advisor... looks like no vrf support for the 851.

Strange, even a soho96 had it in 12.3(14)T7.



Here is what i have configured:


!
! Cisco 881 C880DATA-UNIVERSALK9-M Version 12.4(15)XZ
! ROUTE version
!
ip cef
!
vpdn enable
!
l2tp-class l2tpc1
authentication
hostname TUNNEL-CLIENT
password TUNNEL-CLIENT-PASSWORD
!
pseudowire-class pwc1
encapsulation l2tpv2
protocol l2tpv2 l2tpc1
ip local interface FastEthernet4
ip pmtu
ip tos reflect
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
no shutdown
!
interface Loopback0
ip address 222.333.444.555 255.255.255.255
no shutdown
!
interface Virtual-PPP1
ip unnumbered Loopback0
no peer neighbor-route
no cdp enable
ppp authentication pap chap callin
ppp chap hostname [email protected]
ppp chap password TIGGER
ppp pap sent-username [email protected] password TIGGER
pseudowire 999.888.777.666 1 pw-class pwc1
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
!
ip route 999.888.777.666 255.255.255.255 dhcp
!
interface Vlan1
! ip address ...
!
end
!


And here is the vrf version:


!
! Cisco 881 C880DATA-UNIVERSALK9-M Version 12.4(15)XZ
! VRF Version
!
!
ip cef
!
vpdn enable
!
ip vrf home
rd 65535:20
route-target export 65535:20
route-target import 65535:20
!
l2tp-class l2tpc1
authentication
hostname TUNNEL-CLIENT
password TUNNEL-CLIENT-PASSWORD
!
pseudowire-class pwc1
encapsulation l2tpv2
protocol l2tpv2 l2tpc1
ip local interface FastEthernet4
ip pmtu
ip tos reflect
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
no shutdown
!
pseudowire-class pwc1
encapsulation l2tpv2
protocol l2tpv2 l2tpc1
ip local interface FastEthernet4
ip pmtu
ip tos reflect
!
interface Loopback0
ip vrf forwarding home
ip address 222.333.444.555 255.255.255.255
no shutdown
!
interface Virtual-PPP1
ip vrf forwarding home
ip unnumbered Loopback0
no cdp enable
ppp authentication pap chap callin
ppp chap hostname [email protected]
ppp chap password TIGGER
ppp pap sent-username [email protected] password TIGGER
pseudowire 999.888.777.666 1 pw-class pwc1
no shutdown
!
ip route vrf home 0.0.0.0 0.0.0.0 Virtual-PPP1
!
interface Vlan1
ip vrf forwarding home
! ip address ...
!
end


Finally, relevant LNS and radius-profile:


!
! LNS
!
ip cef
!
vpdn enable
vpdn source-ip 999.888.777.666
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group 99
accept-dialin
  protocol l2tp
  virtual-template 99
terminate-from hostname TUNNEL-CLIENT
source-ip 999.888.777.666
local name TUNNEL-SERVER
lcp renegotiation always
l2tp tunnel password TUNNEL-CLIENT-PASSWORD
l2tp tunnel receive-window 256
!
interface Loopback0
ip address 999.888.777.666 255.255.255.255
no shutdown
!
! connection to internet not shown
!
interface Virtual-Template99
ip unnumbered Loopback0
ip verify unicast reverse-path
ppp multilink
!
aaa new-model
aaa authentication ppp default group radius
aaa nas port extended
aaa session-id common
!
radius-server host 111.999.111.999 auth-port 1812 acct-port 1813 non-standard key ROADRUNNER
!
end
!

!
! Radius profile
!

[email protected] Password = "TIGGER", Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Address = 222.333.444.555,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None

!
! THE END
!

The mistake here is that the IP address for the virtual-template is the same as the IP address used for building the L2TP tunnel,

which leads to the disconnection after approx. 5x keepalive = 50 seconds,

which may be corrected by "no peer neighbor route" and an explicit route for the LNS's IP address.


Configuring an LNS in this way is not recommended and should be avoided.

Always separate tunnel feet and user traffic thru the tunnel - it is irrelevant whether it's a GRE, L2TP or IPsec tunnel.

If you have just a handful (and not the default) route to go thru the l2tp/virtual-ppp interface,

static routes for


Separating both worlds using VRF is an elegant solution for this problem.


Hope this helps,


Jürgen.
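
The routing problem described in the post above, modelled as an added example (not part of the original thread and not Cisco code): a longest-prefix-match lookup shows which interface carries the L2TP packets to the LNS under each configuration. The addresses 192.0.2.1 and 198.51.100.1, the administrative distances and all function names are assumptions made for this simplified model.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
LNS = "192.0.2.1"             # L2TP tunnel endpoint on the LNS
OTHER_PEER = "198.51.100.1"   # a PPP peer address kept separate from the endpoint
WAN_IF = "FastEthernet4"
TUN_IF = "Virtual-PPP1"


def lookup(rib, dst):
    """Return the outgoing interface for dst.

    Simplified model: longest prefix wins; for equal prefixes the lower
    administrative distance wins.
    """
    addr = ipaddress.ip_address(dst)
    best_key, best_if = None, None
    for prefix, out_if, distance in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -distance)
            if best_key is None or key > best_key:
                best_key, best_if = key, out_if
    return best_if


def build_rib(ppp_peer, peer_neighbor_route=True,
              default_via_tunnel=False, host_route_to_lns=False):
    """Global routing table of the CPE once Virtual-PPP1 is up.

    Distances are modelling assumptions: 254 for the DHCP-learned default,
    0 for the peer neighbor route, 1 for static routes.
    """
    rib = [("0.0.0.0/0", WAN_IF, 254)]          # default route learned by DHCP
    if peer_neighbor_route:                      # /32 installed for the PPP peer
        rib.append((f"{ppp_peer}/32", TUN_IF, 0))
    if default_via_tunnel:                       # ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
        rib.append(("0.0.0.0/0", TUN_IF, 1))
    if host_route_to_lns:                        # ip route <LNS> 255.255.255.255 dhcp
        rib.append((f"{LNS}/32", WAN_IF, 1))
    return rib


def tunnel_routes_into_itself(rib):
    """True when packets to the tunnel endpoint leave through the tunnel."""
    return lookup(rib, LNS) == TUN_IF


def scenarios():
    """Map each configuration to whether the tunnel swallows its own transport."""
    return {
        # Virtual-template address equals the tunnel endpoint: the peer
        # neighbor /32 is the most specific route to the LNS.
        "peer==endpoint": tunnel_routes_into_itself(build_rib(LNS)),
        # Neighbor route removed, but the default route now points into the tunnel.
        "no-neighbor-route, default via tunnel": tunnel_routes_into_itself(
            build_rib(LNS, peer_neighbor_route=False, default_via_tunnel=True)),
        # Host route alone does not help while the neighbor /32 is still installed.
        "neighbor route + host route": tunnel_routes_into_itself(
            build_rib(LNS, host_route_to_lns=True)),
        # The "ROUTE version": no peer neighbor-route plus explicit route to the LNS.
        "no-neighbor-route + host route": tunnel_routes_into_itself(
            build_rib(LNS, peer_neighbor_route=False,
                      default_via_tunnel=True, host_route_to_lns=True)),
        # LNS uses a separate address for the PPP side.
        "separate peer address": tunnel_routes_into_itself(
            build_rib(OTHER_PEER, default_via_tunnel=True, host_route_to_lns=True)),
        # The "VRF version": tunnel routes live in vrf "home", so the global
        # table that carries L2TP only holds the DHCP default.
        "vrf": tunnel_routes_into_itself(build_rib(LNS, peer_neighbor_route=False)),
    }


if __name__ == "__main__":
    for name, looped in scenarios().items():
        print(f"{name:40s} {'LOOP' if looped else 'ok'}")
```
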

EnemaBandit Wed, 09/22/2010 - 05:39

Though all my efforts in configuring are still unsuccessful, I am very glad for your responses and appreciate your work on diagnostics.
