Cisco Support Community

ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORMS- ACCESS DIAL

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Tejal Patel any configuration and troubleshooting issues regarding PPP, ISDN (BRI & PRI), T1/CAS, analog and digital modems, RPM, and AAA on platforms like 26xx and 36xx and access servers like AS53xx, AS5400, AS58xx, etc. Tejal is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He joined Cisco in July 1999. His current responsibilities include troubleshooting complex issues, training, and authoring documentation. His areas of expertise are Telco Signaling, Configuration and Troubleshooting of Access Servers, AAA, etc. Tejal is CCIE # 6619 for ISP Dial. He continually shares his expertise by speaking at the Access Design Clinic at Networkers to discuss and resolve design-related technical issues.

Remember to use the rating system to let Tejal know if you have received an adequate response.

Tejal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 13, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

52 REPLIES
New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Tejal, I am Pawan from Ahmedabad. I have completed my MCA through distance education and am presently working in IAF. Now I have confusion whether to go for networking or programming. Please guide me. pkverma7750@yahoo.co.in

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Tejal,

I have a RADIUS server with a Cat6500 having CatOS 6.4.10 configured as access server. I am using dot1x authentication. When I test with a PC and try to connect, I get the authentication, but the RADIUS server shows the following log.

User ITLINFOSYS\sagar_shetty was granted access.
Fully-Qualified-User-Name = ad.infosys.com/IND/BLR/KEC/Users/GEN/Sagar Ramanna Shetty
NAS-IP-Address = 192.168.94.70
NAS-Identifier =
Client-Friendly-Name = B19_20 Radius Client
Client-IP-Address = 192.168.94.70
Calling-Station-Identifier =
NAS-Port-Type =
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Connections to Microsoft Routing and Remote Access server
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

Here I am not able to understand why the NAS-Port-Type is showing "not present". If I configure this as ethernet, I get authentication failure.

Is it a problem with the switch or something else?

sagar

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Sagar,

I am not an expert in Cat 6500 switches with CatOS. I think it should work with "ethernet" as nas-port-type, but I am checking more into this issue.

Tejal

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Looking at the 6500 docs, it seems that there is not much to configure on the 6500 for 802.1x authentication via a RADIUS server. Hardly 2-3 commands. Most of the configuration needs to be done in the AAA/RADIUS server.

So please let me know which RADIUS server you have. Here is the link for "configuring 802.1x authentication on 6500 switches" for more help; see if anything is missing in the RADIUS config.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019f00a.html

Please post the same question in the "security" area under the "Virtual Private Network" section on this forum, or you can open a TAC case by logging in at www.cisco.com/tac

Thanks..

Tejal

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Pawan,

It's your choice which field you like. I am sure both fields are great.

Thanks

Tejal

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hello -

I have a CISCO 1811 router/firewall that is the interface between a LAN and the Internet. On the WAN side, it connects to a cable modem. The cable modem's IP address is received from a DHCP server, and therefore periodically changes.

My requirement is to be able to VPN tunnel through the router to a computer on the inside. However, when the IP address of the cable modem changes, it interrupts my VPN capability until I rediscover the new cable modem IP address.

Can you suggest an automated solution such that I get a report (perhaps by email) daily of the IP address of the cable modem? I know that the CISCO 1811 router can see the IP address of the cable modem, even after it changes. Can the router grab this information and pass it on, periodically?

thanks

R,

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

There is no way that the router can send you the new IP address via email or anything of that sort. You can use some Network Management Software which can actively poll that router's interface and update you on an IP address change every so often.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Tejal,

I'm using a Cisco AS5400HPX to connect more than 600 simultaneous users.

I have a problem with a V.120 connection.

I'd like to authenticate this connection through a RADIUS authentication server, but for the moment the vty lines are authenticated with a TACACS+ server.

In fact, I'd like to dedicate some vty lines, for example vty 0 4, to administrator connections and configure line vty 5 10 for V.120 connections. Can you tell me if this configuration is possible or not?

Kind regards.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

The problem of assigning some vty lines to telnet and some vty lines to V.120 connections is solved.

Now I have another problem:

When I try to connect with Windows RAS (using V.120 modem configuration/emulation) the connection works perfectly, but when I try to do the same with AT commands, the connection seems to be OK but I don't know why I receive strange characters, and after 5 times I lose the carrier.

atb15
OK
at
OK
ATDT0155382859
CONNECT
User Access Verification
Username: USERNAME
Password: PASSWORD
Entering PPP mode.
Async interface address is unnumbered (FastEthernet0/0.1)
Your IP address is 10.10.10.1 MTU is 1524 bytes

~ÿ}#À!}!}!} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"K~~ÿ}#À!}!}"} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"§½~~ÿ}#À!}!}#} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"ïï~~ÿ}#À!}!}$} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"}&X~~ÿ}#À!}!}%} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"N}*~~ÿ}#À!}!}&} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"–ü~~ÿ}#À!}!}'} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"Þ®~~ÿ}#À!}!}(} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"U›~~ÿ}#À!}!})} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"}=É~~ÿ}#À!}!}*} }<}!}$}%ô}"}&} } } } }#}$À#}%}&qÊQï}'}"}(}"Å?~

NO CARRIER

If someone knows why I see these characters, it will be helpful for me.

kind regards.

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Those characters mean that the other side (I believe the AS5400) which you have dialed into has already started the PPP session after successful authentication.

The dialed side has started sending PPP (LCP) packets, which this terminal session on the Windows box is not able to understand, and it displays them as garbage characters.

Look for a command "autocommand ..." under the line config.
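Added example, not part of the original thread: a small Python decoder for the "garbage" described above, which is byte-stuffed asynchronous PPP framing (RFC 1662) carrying LCP Configure-Requests. The sample frame is constructed from the fields readable in the pasted capture, assuming the paste is Latin-1 text, with the FCS recomputed because the paste lost non-printable bytes; all function names are this example's own.

```python
FLAG, ESC = 0x7E, 0x7D
CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}
OPTS = {1: "MRU", 2: "ACCM", 3: "Auth-Protocol", 5: "Magic-Number", 7: "PFC", 8: "ACFC"}
AUTH = {0xC023: "PAP", 0xC223: "CHAP"}

def fcs16(data):
    """PPP FCS-16 from RFC 1662: reflected CRC-CCITT, initial value 0xFFFF."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def stuff(payload):
    """Frame for an async line: append the FCS, escape control, flag and escape bytes."""
    fcs = fcs16(payload) ^ 0xFFFF
    out = bytearray([FLAG])
    for byte in payload + bytes([fcs & 0xFF, fcs >> 8]):
        out += bytes([ESC, byte ^ 0x20]) if byte < 0x20 or byte in (FLAG, ESC) else bytes([byte])
    return bytes(out) + bytes([FLAG])

def unstuff(frame):
    """Drop the 0x7E flags and XOR the byte that follows each 0x7D with 0x20."""
    out, escaped = bytearray(), False
    for byte in frame:
        if escaped:
            out.append(byte ^ 0x20)
            escaped = False
        elif byte == ESC:
            escaped = True
        elif byte != FLAG:
            out.append(byte)
    return bytes(out)

def decode_lcp(frame):
    """Return the LCP code, identifier and options carried in one async PPP frame."""
    raw = unstuff(frame)
    if len(raw) < 10 or fcs16(raw) != 0xF0B8:  # 0xF0B8 is the RFC 1662 "good FCS" value
        raise ValueError("truncated frame or bad FCS")
    if raw[:4] != b"\xff\x03\xc0\x21":  # address, control, protocol 0xC021 = LCP
        raise ValueError("not an LCP frame")
    end = 4 + int.from_bytes(raw[6:8], "big")  # LCP length counts from the code byte
    if end > len(raw) - 2:
        raise ValueError("LCP length exceeds frame")
    options, pos = {}, 8
    while pos + 2 <= end:
        otype, olen = raw[pos], raw[pos + 1]
        if olen < 2 or pos + olen > end:
            raise ValueError("malformed option")
        options[OPTS.get(otype, f"type-{otype}")] = raw[pos + 2:pos + olen]
        pos += olen
    mru = int.from_bytes(options["MRU"], "big") if "MRU" in options else None
    proto = options.get("Auth-Protocol")
    auth = None if proto is None else AUTH.get(int.from_bytes(proto[:2], "big"), proto.hex())
    return {"code": CODES.get(raw[4], str(raw[4])), "id": raw[5],
            "mru": mru, "auth": auth, "options": options}

# Constructed sample: id 1, MRU 1524, ACCM 0, auth 0xC023, magic number, PFC, ACFC,
# as read from the capture above under the Latin-1 assumption.
SAMPLE = stuff(bytes.fromhex(
    "ff03c021 0101001c 010405f4 020600000000 0304c023 050671ca51ef 0702 0802"))

if __name__ == "__main__":
    print(decode_lcp(SAMPLE))
```

The decoded MRU of 1524 matches the MTU printed in the banner, and the requested authentication protocol 0xC023 is PAP, which carries the password in cleartext.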

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

When you say look for Autocommand under line config, do you want it added or removed? This would clear up what you mean for others who are reading this and may have the same problem.

Mike

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

I think the request is to remove it.

But without the configuration line autocommand PPP default I establish a telnet connection to AS54000.

Find below some traces with and without the configuration line.

without autocommand

at
OK
atB15
OK
atdt01XXXXXXXX
CONNECT
User Access Verification
Username: USERNAME
Password: PASSWORD
AS54000 >

with autocommand: autocommand ppp default

at
OK
atdt01XXXXXXXX
CONNECT
User Access Verification
Username: USERNAME
Password: PASSWORD
Entering PPP mode.
Async interface address is unnumbered (FastEthernet0/0.1)
Your IP address is 10.10.10.1 MTU is 1524 bytes
Header compression is on.

~ }#À!}!}!} }<}!}$}%ô}"}&} }*} } }#}$À#}%}&vŽ­g}'}"}(}"Eþ~~ }#À!}!}"} }<}!}$}%ô}

"}&} }*} } }#}$À#}%}&vŽ­g}'}"}(}"}(~~ }#À!}!}#} }<}!}$}%ô}"}&} }*} } }#}$À#}%}&

vŽ­g}'}"}(}"ÕZ~~ }#À!}!}$} }<}!}$}%ô}"}&} }*} } }#}$À#}%}&vŽ­g}'}"}(}"<í~~ }#À!}

!}%} }<}!}$}%ô}"}&} }*} } }#}$À#}%}&vŽ­g}'}"}(}"t¿~~ }#À!}!}&} }<}!}$}%ô}"}&} }*

} } }#}$À#}%}&vŽ­g}'}"}(}"¬I~~ }#À!}!}'} }<}!}$}%ô}"}&} }*} } }#}$À#}%}&vŽ­g}'}"

}(}"ä};~~ }#À!}!}(} }<}!}$}%ô}"}&} }*} } }#}$À#}%}&vŽ­g}'}"}(}"o.~~ }#À!}!})} }<

}!}$}%ô}"}&} }*} } }#}$À#}%}&vŽ­g}'}"}(}"'|~~ }#À!}!}*} }<}!}$}%ô}"}&} }*} } }#}

$À#}%}&vŽ­g}'}"}(}" Š~~

NO CARRIER

Do you have another idea?

I have some traces coming from Windows RAS with all the AT commands used.

When I try to do the same things from Hyperterm I have the same garbage characters.

Thanks.

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

That's right. With "no autocommand PPP", if you dial into the router using HyperTerminal or any character-based application like Procomm etc., which doesn't support PPP, you will get a router prompt, as the router will treat the dial-in session as an "exec connection". Once the router prompt is displayed, you can change the configs etc.

You can type PPP at the AS54000> prompt that you got and you will get the same, since HyperTerminal doesn't support it.

"Autocommand PPP" will make the router start the PPP session right after the successful authentication. You can use Windows DUN with the "bring terminal window after dialing" option and you will get the same as above. There you can enter PPP at the AS54000> prompt and Windows DUN will start PPP and it will work. Many customers do use that if they want authentication in a terminal window.

So to avoid getting the router prompt you need to use "autocommand ppp" for PPP service.

You can use "autoselect ppp" under the line if you want router to start PPP session after it receives the PPP packet from the dialin client.

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

So if I am doing a DUN ppp connection should I use both commands autocommand ppp and autoselect ppp?

The reason I ask: I have had this issue with a laptop that has used 2 different modems; one modem gives me a lot of that garbage data and the other does not when connecting to a 5300 we use.

Thanks,

Mike

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

You need to use "autocommand PPP". The two commands work differently in terms of who will start the PPP session first. Autocommand PPP will make the router start PPP after successful authentication, while autoselect ppp will wait for the dial-in client to start PPP, and then once the router receives the first PPP packet from the client, it will start PPP.

In your case "autocommand ppp" is the best option to avoid getting router prompt in the terminal window.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

hi,

The problem stays the same for me.

Connection with Windows RAS works perfectly using V.120 over B channel.

Connection with Hyperterm doesn't work using V.120 configuration.

I tried with autocommand and I receive the strange characters.

I tried with autoselect PPP command and I never receive prompt to type LOGIN/PASSWORD.

I continue to seek the solution to permit PPP connection through V.120 over B-Channel using Hyperterminal.

Regards.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

It seems that nobody has an answer regarding the means to solve this problem of strange characters received just after the IP address assignment.

Tejal,

Did you see this type of trouble in the past?

Do you have a solution to explain why this HyperTerminal connection works perfectly with Lucent equipment and not with Cisco?

I hope that you'll be able to help me regarding this case because you are a Dial expert.

Regards.

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Here is the link for future reference, which has a sample config showing how to increase the vty lines on any Cisco router and also how to terminate V.120.

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a0080094551.shtml

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi,

Unfortunately I tried this document, but this solution gives me the result of garbage characters.

In fact, I have an old piece of equipment, a Lucent MAX4000, and I don't get the same result.

I receive the same request for login and password, I give them, and afterwards I get the information regarding my IP address and so on without garbage characters.

Regards.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

I have tried to configure an L2TP LNS on a 6500 Sup2 MSFC 2 running Native IOS version 12.1(26)E4.

We couldn't establish connectivity between the local network and the remote hosts (although the connectivity between the LNS and the clients is active).

I have cut and pasted the configuration snapshot below.

I appreciate any help.

aaa group server radius dradius
 server xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp LINE group dradius
aaa authorization network LINE group dradius
aaa accounting network LINE start-stop group dradius
vpdn enable
vpdn session-limit 3000
vpdn-group 111
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname RL
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 XXXXXXXX
!
virtual-template 1 pre-clone 100
spanning-tree mode pvst
interface Virtual-Template1
 ip unnumbered Vlan80
 ip verify unicast reverse-path
 ip mroute-cache
 no keepalive
 ntp disable
 no snmp trap link-status
 no peer default ip address
 ppp authentication chap LINE
 ppp authorization LINE
 ppp accounting LINE
 ppp link reorders
 ppp multilink
interface Vlan80
 ip address XX XX XX
!
interface Vlan100
 ip address XX XX XX
!
IP ROUTE
ip route

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Please let me have more information.

Please try to outline the network diagram here so that I can understand where the remote hosts are located.

Also clarify more how the clients are connected with the LAC and LNS etc.

"The connectivity between clients and LNS is active" means you can reach the clients (I assume they are connected to the LAC) to and from the LNS, right?

In that case it looks like a routing issue where somehow the subnet on which the remote hosts are located is not reachable.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Thanks for your reply,

Please check the link below to view similar diagram to the topology of the network.

http://www.cisco.com/warp/public/793/access_dial/vpdn-without-aaa.html

1. The clients connect through DSL to the LACs via an ISP, which passes the authentication to the RADIUS server.

2. The LNS connects directly to the LACs through a Metro Ethernet link.

3. The connectivity between the LNS and the LAC is active.

4. I have copied the exact configuration from the 6500 (LNS) to a Cisco 1721 to verify the sanity of the configuration and managed to establish communication between the local networks and all the clients without any problem.

5. I am not sure whether the 6500 has a certain feature that needs to be enabled or configured to allow the VPDN tunnel routing to the local subnet.

I appreciate your kind help and support.

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

It is possible that something more needs to be configured on the 6500. To troubleshoot this issue, we need to see how far we have IP connectivity from the clients to the local networks and vice versa. First verify that the clients can reach the interface Vlan80 IP address on the 6500.

After that you can try to reach the other networks/IP addresses by using traceroute etc.

After that it's just general route troubleshooting etc.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Thanks for your help. I have a feeling the issue has to do with either an additional feature that needs to be enabled on the Catalyst or a bug in the version of IOS running on the 6500.

I have tested the local connectivity from the hosts on the local LAN to interface VLAN 80.

1. The clients can connect to the VLAN 80 IP address and to all the other VLANs' hosts connected via the switch.

2. The local clients can't see the virtual interface of the L2TP tunnels.

3. I have used extended ping using the loopback address on the 6500 as source address. I have managed to ping successfully.

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Tejal,

I am using a 2511 to connect to remote switches using async lines, but in some locations I am not able to reach EXEC mode. I connect, the banner appears and my connection freezes. I am not able to see EXEC mode or do my login.

Some information:

line 4
 login authentication terminaux
 session-timeout 2
 exec-timeout 1 0
 absolute-timeout 5
 stopbits 1

Tty Typ Tx/Rx     A Modem Roty AccO AccI Uses    Noise    Overruns
  0 CTY           - -     -    -    -       0        0         0/0
  1 TTY 9600/9600 - -     -    -    -       6     8580      41/235
  2 TTY 9600/9600 - -     -    -    -       4   331260  4040/12968
  3 TTY 9600/9600 - -     -    -    -       0        0         0/0
  4 TTY 9600/9600 - -     -    -    -       7  1108370      53/165
  5 TTY 9600/9600 - -     -    -    -       0        0         0/0
  6 TTY 9600/9600 - -     -    -    -       3        0         0/0
  7 TTY 9600/9600 - -     -    -    -       0        0         0/0
  8 TTY 9600/9600 - -     -    -    -       4      843      67/213
  9 TTY 9600/9600 - -     -    -    -       0        0         0/0
 10 TTY 9600/9600 - -     -    -    -       4      813       24/73
 11 TTY 9600/9600 - -     -    -    -       0        0         0/0
 12 TTY 9600/9600 - -     -    -    -       0        0         0/0
 13 TTY 9600/9600 - -     -    -    -       0        0         0/0
 14 TTY 9600/9600 - -     -    -    -       0        0         0/0
 15 TTY 9600/9600 - -     -    -    -       0        0         0/0
 16 TTY 9600/9600 - -     -    -    -       0        0         0/0

I have two versions of IOS installed in those switches :

Cisco Internetwork Operating System Software

IOS (tm) 2500 Software (C2500-D-L), Version 11.3(11d), RELEASE SOFTWARE (fc1)

Cisco Internetwork Operating System Software

IOS (tm) 2500 Software (C2500-D-L), Version 11.2(12), RELEASE SOFTWARE (fc1)

How can I troubleshoot this problem? Is there some log or function that I can enable to help me find the problem?

Regards.

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Paulo,

I would start with a very simple config like the following. Make sure to have a "no exec" so that unwanted signals from the attached device do not launch an EXEC session. This ensures that the line never becomes unavailable due to a rogue EXEC process.

line 4
 transport input all
 login authentication terminaux
 no exec
 exec-timeout 0 0

See if that helps. Here is the link which talks about how to config and troubleshoot router as a terminal server using async lines.

http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml

New Member

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Tejal,

I am using this configuration now :

line 10
 session-timeout 3
 location XXXXXXXXXXXXXXXX
 no exec
 exec-timeout 0 0
 login authentication terminaux
 transport input all
line con 0
 location XXXXXXXXXXXXXXXXXXXX
 exec-timeout 0 0
 login authentication terminaux

With this config, almost all of the lines are working well, but I have problems where I have two 2511s to connect the network:

My network---2511---Ext Network( modem )---2511---Ext Network( modem )---My network

I am concerned about security too. With this config, if I forget to exit Privileged EXEC mode and someone connects to the console port locally, he will have full access to my network. Can I include some line to prevent that?

Regards,

Paulo

Cisco Employee

Re: ASK THE EXPERT – CONFIGURATION AND TROUBLESHOOTING PLATFORM

Hi Paulo,

You need to modify the settings of "exec-timeout". That command allows you to specify the timeout for no input on the line. Here is the link for more on that:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt1/frf004.htm#wp1017909

"exec-timeout 0 0" will never timeout the exec session. We use it for troubleshooting purpose.

You can also use the "absolute-timeout" command to time out the connection exactly at that time even if it's not idle. Please visit the following link for more on that.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_r/trfalat.htm#wp1003950
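Added example, not from the thread or from Cisco: a Python check for the console concern raised above. It reads "line" stanzas from a saved configuration and reports lines where an EXEC session can start and "exec-timeout 0 0" leaves it open, taking "absolute-timeout" into account; the sample configuration and all function names are constructed for this example, and an unconfigured exec-timeout is taken to be the IOS default of 10 minutes.

```python
import re

# Constructed sample, indented the way "show running-config" prints line stanzas.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
 login authentication terminaux
line aux 0
 exec-timeout 0 0
 absolute-timeout 5
line 10
 session-timeout 3
 no exec
 exec-timeout 0 0
 transport input all
line vty 0 4
 exec-timeout 5 30
line vty 5 10
 login authentication terminaux
"""

DEFAULT_EXEC_TIMEOUT = 600  # seconds; IOS default when exec-timeout is not configured

def parse_line_stanzas(config):
    """Map each 'line ...' header to the list of sub-commands indented beneath it."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif not raw[0].isspace():
            current = stanzas.setdefault(raw.strip(), []) if raw.startswith("line ") else None
        elif current is not None:
            current.append(raw.strip())
    return stanzas

def audit_exec_timeouts(config):
    """Return {header: (idle_seconds, finding)}; finding is None when nothing is flagged."""
    report = {}
    for header, cmds in parse_line_stanzas(config).items():
        idle, absolute = DEFAULT_EXEC_TIMEOUT, None
        for cmd in cmds:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
            if m:
                idle = int(m.group(1)) * 60 + int(m.group(2) or 0)
            m = re.fullmatch(r"absolute-timeout (\d+)", cmd)
            if m:
                absolute = int(m.group(1))
        if "no exec" in cmds or idle > 0:
            finding = None  # no EXEC session can start, or idle sessions are closed
        elif absolute:
            finding = f"idle timeout disabled; session still cut after {absolute} min"
        else:
            finding = "EXEC session never times out"
        report[header] = (idle, finding)
    return report

if __name__ == "__main__":
    for header, (idle, finding) in audit_exec_timeouts(SAMPLE_CONFIG).items():
        print(f"{header:<14} idle={idle:>3}s  {finding or 'ok'}")
```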
