ASK THE EXPERT-CONFIGURING AND TROUBLESHOOTING CISCO AS5x00 ACCESS SERVERS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss the configuration and troubleshooting of Cisco AS5x00 access servers for ISDN/Modems/PPP connectivity with Cisco expert Zulfiqar Ahmed. Zulfiqar, CCIE# 3960, is part of 'High Touch Technical Support' (HTTS) based out of San Jose, California, where he currently holds the position of High Touch Engineer (HTE). He routinely provides escalation in complex access-related issues, conducts trainings, and writes and reviews Cisco.com documents.

Remember to use the rating system to let Zulfiqar know if you have received an adequate response.

Zulfiqar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 13, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

52 REPLIES
New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

It(He,She) wanted to know if the shindy 837, he(she) supports adsl2 + or not, and if he(she) her(it) supports that they say to me like to do it, I have this router and cannot use it in my connection, occupy for the present a dlink dsl-500b. rodrigoaguerob@gmail.com

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Rodrigo,

Please correct me if I am wrong, but I believe you are wondering whether Cisco 837 router supports DSL.

If you go through the following document on cisco.com .....

http://www.cisco.com/en/US/partner/products/hw/routers/ps380/products_data_sheet09186a008010e5c5.html

..... you'll see (in Table 2) that 837 does have a DSL interface as your WAN connection. So yes, it does support DSL.

Thanks and Regards,

~Zulfiqar

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Rodrigo,

Upon reading your question again, I understand you are actually wondering whether your 837 router would support ADSL2+.

Please note that ADSL2/ADSL2+ are not supported by any of the 830 series routers.

Instead it's the 870 series (like 876 and 877 routers) that supports ADSL2/ADSL2+. Please refer to the following doc that confirms this info:

http://www.cisco.com/en/US/partner/products/hw/routers/ps380/products_data_sheet0900aecd8028a976.html

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

I am using a pair of AS5300s for isdn/modem calls in Multichassis MLP environment along with a 7200 as an offload server, both for the multilink calls and as well as for terminating single channel PPP calls. What I am seeing is that calltracker reports 'ip=0.0.0.0' for all my users. Is that some IOS bug, or am I missing some calltracker configuration? I am running the latest 12.3(22) on my AS5300s. I would appreciate any pointers in troubleshooting this issue.

Thanks.

Bill

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Bill,

I believe what you are seeing is an expected behaviour, and is not a software defect at all.

Basically you are terminating your multilink as well as single-link PPP calls on the offload server. So the offload server is the device that negotiates IPCP for each and every call and assigns IP addresses to incoming callers. Since your AS5300s are not taking part in IPCP, calltracker on these access servers has no knowledge of the IP addresses being assigned. Hence you will see ip=0.0.0.0 in calltracker records on the AS5300s. Hope this clears the confusion.

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Good Morning Zulfiqar,

My shop uses a few ASA5510s as firewall devices. I would appreciate it if you could help on this.

I need to know if the ASA5510 could log both successful and failed attempts to log in to my private network. It looks like our live and saved (in syslog servers) logs only indicate failed attempts via "deny statements" by the ASA5510.

I need both successful and failed attempts for the purpose of forensic investigation.

Thank you very much.

HD

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi HD,

Please make sure you have the keyword "log" at the end of your permit statements in the ACLs. By default only 'denies' are logged even though there is no 'log' keyword in access-list deny statements. But for permit statements, you do have to have 'log' defined in order for the permit udp/tcp/whatever lines to show up in logs for successful attempts through your ASA firewalls.

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Thanks Zulfiqar.

It works. Now that it is working, I have another question.

The keyword "Log" in an access-list statement generates Syslog ID 106100. This syslog ID defaults to level 6 (informational). Its logging level in the Syslog Setup config is N/A. How can I change it to a different level (say 4, for example)?

Thanks.

HD

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi HD,

You can specify the syslog level after the keyword 'log' :

ciscoasa(config)# access-list 155 per tcp any any log ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  Default        Keyword for restoring default log behavior (log 106023)
  alerts
  critical
  debugging
  disable        Disable log option on this ACL element, (no log at all)
  emergencies
  errors
  inactive       Keyword for disabling an ACL element
  informational
  interval       Configure log interval, default value is 300 sec
  notifications
  time-range     Keyword for attaching time-range option to this ACL element
  warnings

Hope this helps.

Thanks and Regards,

~Zulfiqar
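
Once permit entries carry the `log` keyword, permitted and denied hits both arrive as syslog 106100, at whatever level was set after `log`. The parser below is an added example (not from the thread or from Cisco) that pulls both outcomes out of a saved syslog file; the sample lines, host name `fw1` and ACL name `outside_in` are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the %ASA-n-106100 layout (not taken from the thread).
SAMPLE_LOG = """\
Jul 10 2007 09:14:02 fw1 : %ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(41022) -> inside/10.1.1.20(22) hit-cnt 1 (first hit)
Jul 10 2007 09:14:40 fw1 : %ASA-4-106100: access-list outside_in denied tcp outside/198.51.100.7(41030) -> inside/10.1.1.20(3389) hit-cnt 1 (first hit)
Jul 10 2007 09:19:40 fw1 : %ASA-4-106100: access-list outside_in denied tcp outside/198.51.100.7(41030) -> inside/10.1.1.20(3389) hit-cnt 12 (300-second interval)
Jul 10 2007 09:20:11 fw1 : %ASA-6-302013: Built inbound TCP connection 88 for outside:203.0.113.9/5512 (203.0.113.9/5512) to inside:10.1.1.20/443 (10.1.1.20/443)
Jul 10 2007 09:21:05 fw1 : %ASA-6-106100: access-list outside_in permitted udp outside/203.0.113.9(5353) -> inside/10.1.1.53(53) hit-cnt 3 (300-second interval)
"""

# The severity digit is left open: it follows the level configured after 'log'.
ACL_HIT = re.compile(
    r"%ASA-(?P<severity>[0-7])-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

def parse_acl_hits(text):
    """Return one dict per 106100 record; other message IDs are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_HIT.search(line)
        if m:
            rec = m.groupdict()
            for key in ("severity", "sport", "dport", "hits"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def summarize(records):
    """Total hit counts per (source address, action)."""
    totals = Counter()
    for r in records:
        totals[(r["src"], r["action"])] += r["hits"]
    return totals

def mixed_sources(records):
    """Sources that were both permitted and denied by the ACL."""
    seen = {}
    for r in records:
        seen.setdefault(r["src"], set()).add(r["action"])
    return sorted(s for s, a in seen.items() if {"permitted", "denied"} <= a)

if __name__ == "__main__":
    print(dict(summarize(parse_acl_hits(SAMPLE_LOG))))
```
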

Silver

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hello Zulfiqar,

I have this ISR 1811 router with internal modem that I am using as dial backup. It dials out and connects fine to my ISP but every now and then it stops routing packets. I have tried several commands but none seems to work. Let me know if you would like to check my configuration.

Thanks,

Amrit

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Amrit,

This is most likely this V.44 compression problem related to this internal modem on 1811 routers that we found and fixed under CSCsg14276.

The problem symptom has been sudden and continuous packet loss over async interface tied to the internal modem after about 10-15 minutes of good ip connectivity.

A quick workaround is to disable V.44 on the 1811.

Please read the Release notes for the workaround and the information on IOS versions containing the fix via Bug Toolkit:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg14276&Submit=Search

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

We're planning on replacing a legacy dial-in appliance that is no longer supported with an AS5350XM.

Do you know if it has built-in strong authentication for username/password? We require the following:

-- password length 6-16

-- password expiry, 30 days or 60 days

-- password expired on first logon attempt

-- User must be prompted to change the password after expired day grace period or account locked

-- Unsuccessful login attempts x 3 only, then account is locked.

-- Make sure that user can't choose the same password recently used (password recycle)

Can it provide this internally or will we need Radius or RSA tokens?

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Joe,

All of these functionalities will be provided by your AAA server such as RADIUS.

Some of the documents in the following archive will be helpful on your questions :

http://www.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Thanks for your prompt response.

What type of authentication is built in to the box? I mean if we don't want to use an external server?

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Joe,

Hope this answers your question :

AS5350-2(config-if)#ppp authen ?
  chap        Challenge Handshake Authentication Protocol (CHAP)
  eap         Extensible Authentication Protocol (EAP)
  ms-chap     Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  ms-chap-v2  Microsoft CHAP Version 2 (MS-CHAP-V2)
  pap         Password Authentication Protocol (PAP)

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Unfortunately I am still not clear.

The question is; If we don't want to use any external authentication servers, does this box provide any strong authentication by itself and if so what exactly?

Thanks

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Joe,

If you do not want to use a AAA server, you can build a database of username/passwords in the global config of your access server, and use CHAP authentication for incoming PPP sessions which uses MD5 hash algorithm and is pretty robust.

You can read more on this in the following docs:

Understanding and Configuring PPP CHAP Authentication

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

Troubleshooting PPP (CHAP or PAP) Authentication

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4130.shtml

Thanks and Regards,

~Zulfiqar
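
The CHAP exchange referred to in the answer above, following RFC 1994, as an added example that is not part of the thread and not Cisco's code: the response is an MD5 digest over the identifier octet, the shared secret and the challenge. The user name, secret and class names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed local user database, standing in for locally configured usernames.
LOCAL_USERS = {"branch-rtr": b"constructed-secret-1"}

def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier octet || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Access-server side: issues challenges and checks responses."""

    def __init__(self, users):
        self.users = users
        self.next_id = 0
        self.pending = {}  # identifier -> outstanding challenge value

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)  # unpredictable and unique per exchange
        self.pending[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        value = self.pending.pop(ident, None)  # each challenge is single-use
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)

def demo():
    nas = Authenticator(LOCAL_USERS)
    ident, value = nas.challenge()
    good = chap_response(ident, LOCAL_USERS["branch-rtr"], value)
    first = nas.verify(ident, "branch-rtr", good)    # correct secret, fresh challenge
    replay = nas.verify(ident, "branch-rtr", good)   # same response sent again
    ident2, value2 = nas.challenge()
    wrong = nas.verify(ident2, "branch-rtr", chap_response(ident2, b"guess", value2))
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())
```

The verifier has to feed the secret itself into MD5, so a local database must hold each password in recoverable form, and nothing in the exchange tracks expiry, history or lockout.
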

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Although the authentication using CHAP is robust this box still won't allow us to configure password policies such as

-- password expiry, 30 days or 60 days

-- password expired on first logon attempt

-- User must be prompted to change the password after expired day grace period or account locked

-- Unsuccessful login attempts x 3 only, then account is locked.

-- Make sure that user can't choose the same password recently used (password recycle)

Do you have any suggestions without using AAA server?

Thanks

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Joe,

It's not a question of this box. The functionalities you are looking for are strictly what external AAA servers provide - except this "ppp max-bad-auth " interface level command that lets you prompt a user for his credentials for n number of times. However, this then does not result in the account being blocked or anything.

So the features you are looking for are provided by external authentication servers. They are not provided by the dial/access servers.

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hello, I have a configuration problem. When I want to create PPP interfaces based on a virtual-template on which "service-policy input" is configured, there is a problem. In "show policy-map session" there is no information, and when debugging "SSS Manager" there is an error:

%SW_MGR-3-CM_ERROR_FEATURE_CLASS: Connection Manager Feature Error: Class SSS: (QoS) - install error, ignore.
-Traceback= 722F54 EC2F2C ED450C 2489854 2489904 ED47D8 ED49C4 ED4E4C EC1834 EC1BA4 EC1C98 EBD430 EBD7F0

What to do?

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Basia,

It would have been helpful to see 'show ver' and 'show run', but if this is on your L2TP LNS device running the latest 12.2SB code, this could be the following new IOS defect (CSCsi11553):

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi11553&Submit=Search

You might want to open up a TAC case for more info as it's still being worked upon.

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Yes, I am using 12.2(31)SB5. As for the IOS defect, I have no access to the link you provide. Is it possible to by-pass the defect?

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Basia,

No, there is no workaround available as far as I can see in the bug toolkit.

I would suggest you definitely open up a TAC case so that your case gets linked to the bug, and go from there.

Thanks and Regards,

~Zulfiqar

New Member

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

One more (and last question): Is it possible to use a "Cisco AVpair" for selection of virtual-template on which new PPPoE session will be created? Or is it possible to use "Cisco AVpair" to select bba-group that I want to use?

Simple, I would like to configure RADIUS to associate subscribers with configuration based on virtual-template.

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Basia,

Let me do some research on this and I'll get back to you as soon as I can.

Thanks and Regards,

~Zulfiqar

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Basia,

There is no AV pair that I am aware of that will help you select a certain bba-group or a vtemp interface for a particular incoming subscriber, but you can instead use per-user AAA attributes via Radius accordingly so that you can apply any PPP or IP layer parameters to it.

Thanks and Regards,

~Zulfiqar

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

How to make reverse telnet to AS5xxx to access modems? Long time ago I was using something like "telnet A.B.C.D 2xxx" where xxx can be found in output for "sh line". It seems it is not working any more :( Can you put some light on this? For example, if this is still possible, what commands I need to enable it (global config mode, line mode, group-async mode)?

Bronze

Re: ASK THE EXPERT-CONFIGURING AND TROUBLSEHOOTING CISCO AS5x00

Hi Tenaro,

I think you are wondering about reverse telneting on nextport based platforms like AS5350/AS5400/AS5850.

One approach you can take is to configure "rotary 1" under the tty lines (like 'line 1/00 1/107'), and then do a 'telnet 1.1.1.1 7001' where 1.1.1.1 is the IP address of an up & up interface on the access server.

Or you could do a "show spe modem summ" to find out the actual TTY line numbers and reverse telnet to 1.1.1.1 plus 2 as you normally do.

So for instance I have this 108 port card in slot 1 in my lab AS5400 and I want to reverse telnet into one of the nextports on this card :

AS5400-2#show run | begin line 1/00 1/107
line 1/00 1/107
 modem InOut
 transport input all
line 4/00 4/107
 modem InOut
!
end

Let's do a "show spe modem summ" to find out the TTY line numbers associated with lines 1/00 through 1/107:

AS5400-2#show spe modem sum 1
Async1/00 - 1/107, TTY216 - 323
  0 incoming completes     0 incoming failures
  0 outgoing completes     0 outgoing failures
  0 failed dial attempts   0 ring no answers    0 autotests
  0 no carriers            0 dial timeouts      0 autotest fails
  0 no dial tones          0 link failures      0 fail count
  0 watchdog timeouts      0 protocol errors    0 recovers
[snipped...]

Let's reverse telnet to the first nextport modem on this card (tty 216):

AS5400-2#telnet 1.1.1.1 2216
Trying 1.1.1.1, 2216 ... Open

User Access Verification

Username: whatever
Password: whatever

Hope this helps.

Thanks and Regards,

~Zulfiqar
