
ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS SERVERS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Configuration and Troubleshooting of Access Servers with Cisco expert Tejal Patel. Tejal joined Cisco in July 1999. His current responsibilities include Technical Assistance Center (TAC) Escalation in which he troubleshoots complex issues, provides training, and authors documentation. Feel free to post any questions relating to Configuration and Troubleshooting of Access Servers. Remember to use the rating system to let Tejal know if you’ve received an adequate response.

Tejal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 28. Visit this forum often to view responses to your questions and the questions of other community members.

43 REPLIES
Silver

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Suppose I have two T1 controllers on routerA, 1/0 and 2/0. T1 1/0 is taking the clock from the line, using the command clock source line. On the T1 2/0 controller I configured clock source internal. So, what clock will the T1 2/0 provide to the line? Will it be the clock it is receiving from the T1 1/0? I have connected another router, routerB, to T1 2/0 of routerA, and configured that router's interface for clock source line. So, with this configuration, is routerB receiving the clock that routerA's T1 1/0 is getting from its line?

Thanks,

Partha

Silver

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

For dial-in installations, the router will always be deriving clock from the service provider. The IOS commands for timing vary depending on platform; however, their functions are similar. You should always be set to derive clocking from the T1 line and not internally.

The purpose of having a primary clock source is to clock the TDM bus correctly. Only one source is capable of clocking the bus, hence the reason for the primary / secondary (in case the T1 configured for primary clock goes down).

The answer to your question is: T1 2/0 will use clocking received from the SP on T1 1/0.

Any one of Router B's controllers must be configured to get its clocking (primary) from the provider (note: Router B is at the other end of the telco cloud).

Thanks, Mak.

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

All a router needs is one good, reliable clock from the service provider. So once the router/access server receives the reliable clock from the provider on one of the lines, the rest of the lines will be tuned to that reliable clock.

Now suppose you have multiple lines getting the clock from the provider; you can set the priority for the master clock source. If the master clock fails, then the router will be tuned to the next priority clock source.

Anyway, if 1/0 is taking a clock from the line, all the rest of the controller ports will be tuned to that clock. You generally need to use "clock source internal" if lines are connected back to back, like in a lab environment. So if 2/0 of routers A and B are connected back to back (without a telco in the middle), then it should be fine. But if the T1 line in 2/0 of both routers is provided by a service provider, then you do not need to use the internal clock source, as the telco will complain about that. In that case you need to make the 2/0 clock source secondary.

Bronze

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Hi Tejal,

I believe this is a discussion about access servers but I'm not sure if questions about L2TP are included.

Almost a month ago I posted a question asking about the maximum number of concurrent (or simultaneous) L2TP sessions supported by the 7200 and 7100 series routers. I've been searching CCO for some documentation but I have found nothing until now. Since it was mentioned in the first post that you're also with the TAC, I was just thinking you might have some information about my query. Thanks.

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

The answer to that question depends on many variables, like what NPE you have, how many tunnels are configured, VXR or non-VXR chassis, trunk interface, CPU utilization, etc.

Based on that I can share some numbers with you.

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Continuing the answer: here are some numbers with router/NPE type, number of tunnels, sessions, and CPU usage.

7200, NPE-150, 13 L2F tunnels, 552 sessions, 26%
7200, NPE-150, 14 L2F tunnels, 629 sessions, 60%
7200, NPE-200, 17 L2F tunnels, 1001 sessions, 38%
7206VXR, NPE-300, 14 L2F tunnels, 780 sessions, 26%

The 7200 / 7400 has been tested at OC3 line rate (with IMIX packets) with 8,000 PPP sessions and 1,000 L2TP tunnels with NPE-400, 512MB of RAM and 12.1(5)T.

Also, enabling/disabling CEF with pps will also make a difference.

So as you can see, you can load max users on a 7200 but the CPU usage will go high too. So in a real ISP environment, you need to load balance the users between multiple 7200s so that each 7200 is at manageable CPU usage.

Bronze

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Thanks Tejal, if I may, I have some additional queries.

- for L2TP, will the numbers that you've provided be the same?

- is there something like a sort of table for these numbers? For example, if I have 20 VPDN-groups, how many PPP sessions are allowed to be established per tunnel? For 240 PPP sessions per tunnel, how many tunnels are recommended to be established?

- for a 7206VXR, NPE-400, 512MB, running as LNS only, no dynamic routing, with ACLs but only for management, RADIUS server for AAA, could you share the numbers with me?

- PPP calls are accepted by an AS5300 with 8 E1's.

Thanks again.

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

If you have an OC3 line for core routing, 8000 PPP sessions in total should be fine on a 7206VXR. You can configure as many as 1000 vpdn-groups (as many as you running can hold)

So now if you have 20 vpdn sessions, you can have 8000 PPP sessions max on a 7206, so you can have 400 sessions/tunnel as an average.

Again those are the numbers tested here in the lab.

Bronze

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Thanks for the info. Although we don't have such a number of PPP sessions right now, I'll take note of that very important information, hopefully, for future use. Thanks again.

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Hello,

We are interested in using MPPC (Microsoft Point-to-Point Compression) for our dialup customers. Unfortunately, AS5300s are not powerful enough to handle compression for hundreds of VCs.

We have found that a 7200 can be used as an offload server which handles compression, but it is very expensive for us to buy and use half a dozen 7200s just for that.

Are there any other solutions?

A Cisco 3725 with AIM-COMPR4 looks fine, but it can handle only 120 VCs.

Are there any plans for a software solution on servers (Solaris, Win2000, Linux,...)?

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

I do not think that we have any plans for a software solution for compression.

Now as far as the AS5300 goes, it's an end-of-life product which is replaced by the AS5350. Another product in that area is the AS5400. AFAIK MPPC works fine on those boxes. How many users are you talking about who want to use MPPC? Also, you are talking about PPP users, right?

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Yes, PPP users. Do you have any information (or a document) about the maximum number of MPPC connections on the AS5350 and AS5400? We would like to use it for as many users as possible (theoretically 30 per E1).

Also (I know that this is not a technical question), is there some replacement program for replacing the AS5300 with the AS5350 or AS5400?

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

The AS5300 will support MPPC for 8T1 or 8E1 worth of users. So max users will be 192 for T1 and 248 for E1. The AS5350 can support a CT3 card, which is 28T1. The AS5400 supports 2xCT3 cards, so you can calculate max users.

I don't think that there are any replacement or buyback plans for the AS5300. You can talk to your account manager or Cisco rep about that.

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

You said that the AS5300 will support MPPC for 8E1 worth of users, but my experience is that the AS5300 becomes saturated with 90 MPPC users.

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

I have seen the AS5300 working well with full load using compression.

Now, older IOS (12.1) does have some issues with compression. So if you have seen that compression doesn't work for more than 90 users, you might want to go to one of the latest images (12.2(2)XB10). With that it should work.

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

We have a Cisco VPN 3000 Concentrator and use Cisco Secure ACS for username and password authentication. I just recently found a problem when trying to create new groups in the concentrator. Here is what happens when I add a new group and add my Auth and Acct servers: when I try to log in with the VPN client, I get connected to the concentrator and prompted for a username and password (as is usual), but when I enter the user/pass it fails every time. When I go back into the concentrator and test the Auth server, it fails again and gives me the error "Authentication Error: No active server found". Here is where it gets complicated: when I select an older group that was created earlier and test the Auth server, it works. I deleted one of the older groups and tested the new group's Auth server again, and it works.

I don't think there is a limit to the number of groups you can have active in the concentrator, because if there was I would think you would not be able to add new groups, which isn't the case. If anyone has any idea what this could be I would be very grateful. I have about 10 more groups that need to be added into the concentrator and I am really stuck. Thanks.

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

To be honest, I don't have much experience with VPN Concentrator configuration. So to get the answer from an expert for this issue, please post it under "VPN Service Architectures" under the "Service Provider" section at the following URL:

http://forums.cisco.com/eforum/servlet/NetProf?page=main

Meanwhile I will try to find the answer for you. Thanks...Tejal Patel

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

We always see the following information in our 7507 log buffer:

Mar 17 08:07:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to ACTIVE
Mar 17 08:07:55.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1/0:0.1, changed state to up
Mar 17 08:08:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to INACTIVE
Mar 17 08:08:55.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1/0:0.1, changed state to down
Mar 17 08:16:55.393: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to ACTIVE
Mar 17 08:16:55.393: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1/0:0.1, changed state to up
Mar 17 08:17:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to INACTIVE
Mar 17 08:17:55.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1/0:0.1, changed state to down
Mar 17 08:18:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to ACTIVE

But the ISP says they never see any error log info on their device.

I want to know what happened on my central 7507. Is there anything wrong on my device or on the ISP's? How can I solve it?

The processor of the 7507 is a VIP2-50, with 2 PA-MC-2E1/120 cards to support Frame Relay; the IOS version is 12.1(4)E.

Thanks!

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

As you can see, DLCI 772 is bouncing between ACTIVE and INACTIVE, which makes the subinterface Serial1/1/0:0.1 go up/down.

Now you can see that there is exactly one min delay between the DLCI being active and inactive, so you need to issue "show frame-relay pvc 772" to see the status of the PVC.

If the status of the PVC always remains ACTIVE and you don't have any problems with data transfer, no packet drops, etc., then it can be just a cosmetic issue.

Now with this issue, the ISP will not see any errors. If the PVC status does go to INACTIVE, then you need to ask the ISP about the PVC going up and down: are they seeing that, and what is the reason for it?

Here is a good URL which will help you troubleshoot a Frame Relay connection.

http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/tr1918.htm
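
An added example, not part of the original thread: a Python script that parses the %FR-5-DLCICHANGE lines quoted in the question and measures how long each PVC stayed in each state, which makes the one-minute ACTIVE interval noted in the reply visible. The placeholder year, the function names and the 1-second tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# %FR-5-DLCICHANGE lines copied from the question above.
SAMPLE_LOG = """\
Mar 17 08:07:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to ACTIVE
Mar 17 08:08:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to INACTIVE
Mar 17 08:16:55.393: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to ACTIVE
Mar 17 08:17:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to INACTIVE
Mar 17 08:18:55.397: %FR-5-DLCICHANGE: Interface Serial1/1/0:0 - DLCI 772 state changed to ACTIVE
"""

EVENT_RE = re.compile(
    r"^\s*(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %FR-5-DLCICHANGE: "
    r"Interface (\S+) - DLCI (\d+) state changed to (\w+)",
    re.MULTILINE,
)
ASSUMED_YEAR = "2000"  # placeholder: the log lines carry no year


def parse_dlci_events(text):
    """Return sorted (timestamp, interface, dlci, state) tuples."""
    events = []
    for ts, intf, dlci, state in EVENT_RE.findall(text):
        when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S.%f")
        events.append((when, intf, int(dlci), state))
    return sorted(events)


def summarize(events, tolerance=1.0):
    """Per PVC: seconds spent in each state before leaving it."""
    last = {}
    dwell = defaultdict(lambda: defaultdict(list))
    for when, intf, dlci, state in events:
        key = (intf, dlci)
        if key in last:
            prev_when, prev_state = last[key]
            if prev_state == state:
                continue  # repeated state, keep the original start time
            seconds = round((when - prev_when).total_seconds(), 3)
            dwell[key][prev_state].append(seconds)
        last[key] = (when, state)
    report = {}
    for key, states in dwell.items():
        active = states["ACTIVE"]
        report[key] = {
            "flaps": len(active),  # ACTIVE -> INACTIVE transitions
            "active_s": active,
            "inactive_s": states["INACTIVE"],
            # Heuristic: near-identical ACTIVE dwell times point to a
            # periodic cause rather than random line errors.
            "fixed_active_period": len(active) >= 2
            and max(active) - min(active) <= tolerance,
        }
    return report


if __name__ == "__main__":
    for pvc, stats in summarize(parse_dlci_events(SAMPLE_LOG)).items():
        print(pvc, stats)
```
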

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Thanks a lot! I have seen the document.

But all the DLCIs on the E1 interface go up and down at the same time.

And that has happened on all E1 interfaces asynchronously, sometimes this E1, sometimes another! (I have 4 E1 interfaces on my 7507.) Sometimes the DLCI goes down for several milliseconds, which does nothing to my network; but sometimes it stays down for more than 1 minute, so I lose my packets, but fortunately that seldom happens.

Do you still think it is not serious? Can you give me any more suggestions?

Thanks again!

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

A DLCI going down which results in packet loss is a serious issue. Now, if the DLCIs on an entire E1 are bouncing out of the blue, and "sh frame PVC" reports INACTIVE, I would ask the ISP about that.

Turn on "debug frame-relay lmi" to see whether the LMIs from the router are replied to by the ISP or not. If not, then it's the ISP's issue. You can ask the ISP why the LMIs are not replied to. Visit the following URLs for more on that:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121sup/121debug/dbddlsw.htm#1018656

also

http://www.cisco.com/warp/public/125/25.html

http://www.cisco.com/warp/public/125/frbacktoback_hybrid.html

If there is not much help from the ISP (which is usually the case), please open a case by logging in at http://www.cisco.com/tac.

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Hi,

We have AS5800 access servers deployed at 28 access points with 144 MICA modem cards. Unfortunately, I happened to see that at some locations the number of modems being marked as BAD is higher.

The IOS used is the latest release, 12.7(13).

Can you clarify:

Why the higher number of failures?

Is there any way out to recover those BAD modems?

What workaround solution does Cisco recommend for modem disconnection due to DSP?

Thanks,

Dinesh

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Hi.

I have 2 Cisco 3640 routers (1 PRI each) connected to a firewall. The firewall returns packets to an HSRP address where cisco1 with PRI1 is the active router, and when PRI1 fails the router with PRI2 becomes active.

But we have a problem: when PRI1 is OK but all 30 channels are busy, the new calls are redirected to the second PRI and the firewall is still sending packets to the first router. Is there any way in the HSRP protocol to track a PRI when it's full? Maybe we have to configure a routing protocol between our two routers. Which protocol do you think is the most appropriate for our case?

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

A little rough network diagram for this issue will be very helpful to see where those routers and the firewall are placed together. So if you can outline that, it will be great.

It sounds like the 2nd PRI line is getting overflow calls if the 1st PRI line is full to its capacity, but in the case of HSRP, there is no way to track that status of the 1st PRI line.

I am sure there must be another way to do that, which can be figured out once a little more detailed diagram is available.

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Hi Tepatel.

How can I send you a diagram of my network?

Cisco Employee

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

Can you try to outline it here? Like this

Internet....firewall.........router1......PRI1
I
I......router1....PRI2

Try to draw like this. Thanks..

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

DMZ (VLAN1) - Web server - Firewall card hme0 .......VLAN 2 Firewall card hme1 - Cisco3640 A PRI1 (active router)--- Cisco3640 B PRI2 (standby router)........ ISDN network ......... customer.

When PRI1 goes down, CiscoB PRI2 becomes active; this situation is running OK.

When PRI1 has all channels busy, we have established an option with our telco where new calls are reallocated to PRI2. In this situation the users that are reallocated to PRI2 don't have a link because the firewall sends the packets to the ip active. I'm sure that there is a solution for this situation but I can't find it. Maybe a routing protocol between routers?

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

DMZ (VLAN1) -... Web server -...... Firewall card hme0 .......
|
|
VLAN 2 Firewall card hme1 .....Cisco3640 A PRI1 (active router)....... Cisco3640 B PRI2 (standby router)
|
|
|
ISDN network
|
| customer.

When PRI1 goes down, CiscoB PRI2 becomes active; this situation is running OK.

When PRI1 has all channels busy, we have established an option with our telco where new calls are reallocated to PRI2. In this situation the users that are reallocated to PRI2 don't have a link because the firewall sends the packets to the ip active. I'm sure that there is a solution for this situation but I can't find it. Maybe a routing protocol between routers?

New Member

Re: ASK THE EXPERT- CONFIGURATION AND TROUBLESHOOTING OF ACCESS

*
