Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

l2tp tunnel authentication

Unanswered Question
Sep 24th, 2003
User Badges:


I've set up a LAC with no l2tp tunnel authentication but I'm getting a challenge in the SCCRQ at the LNS.

lac conf..

vpdn enable


vpdn-group 1


protocol l2tp

no l2tp tunnel authentication

LAC is a 7206xvr running 12.2(8) ZB8

lns debug...

4w2d: Tnl 91 L2TP: GOt a challenge in SCCRQ, model-pdsn

any help would be appreciated,



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dbellazetin Thu, 09/25/2003 - 06:46
User Badges:

Do you see the LAC send the challenge in the LAC debug ?


kevitt Thu, 09/25/2003 - 14:57
User Badges:


also noticed that changing the local name in the LAC config has no effect...the hostname is always seen in the LNS debug as the source of the SCCRQ.

When i change the local name in the LNS the changes are seen in the LAC debug as expected.

dbellazetin Fri, 09/26/2003 - 05:35
User Badges:

Thats very strange. If you are running Cisco LNS, and LAC I would recommend trying to run L2F as the protocol instead of L2TP. It essentially works the same way. And if the behavior is still the same I would recommend opening a TAC case for this. The LAC is not behaving appropriately.


kevitt Mon, 09/29/2003 - 00:48
User Badges:

thanks for the advice...I've now opened a case..

I've found that nothing within the vpdn-group has any effect, in the end I used radius to assign tunnel password. I can't use l2f as the LAC could be tunelling to non-Cisco LNSs within our core network...



JAN MARIS Thu, 01/15/2004 - 02:08
User Badges:


I have also noticed this in 12.2(15)T7. Has this been acknowledged by TAC?


kevitt Thu, 01/15/2004 - 11:09
User Badges:


I've since found that if you use radius authorisation it overrides anything in the vpdn-group. As we use Radius to get the tunnel endpoint the vpdn-group settings are not used. Unfortunately there is no Cisco AVP that you can send to disable tunnel authentication via RADIUS so I've been told by tac. Therefore it appears that if you use RADIUS then you MUST use tunnel Authentication.


This Discussion