VPDN/PPPoE on Cisco 3640

jwwiles
Level 1

Hi All,

I have a Cisco 3640 running IOS 12.2(13a) w/ IP Plus feature pack. I have a T1 connected to a T1 WIC in an NM-1E2W for my connection to the Internet backbone and an NM-4T1-IMA card with a single T1 for my ATM connection to terminate DSL sessions from Sprint. Currently, all of the connections are running decently on a Cisco 2620. When I switch over the connections to the new 3640, my regular T1 comes up and my standard dial-up users and my office workstations can communicate perfectly, but my DSL users connecting to the 3640 are having problems.

My DSL PPPoE users come up, but cannot pass traffic. Also, when I use the command "show caller user <username>@rivercityonline.com" I get no output, whereas on my 2620, I get substantial info, namely the user's IP address.

Also, SSH will not function. I was trying to follow the instructions provided by Cisco, but the command "cry" is rejected by my router as an unrecognized command.

My config is below:

!
! Last configuration change at 16:24:13 EST Mon Mar 1 1993
! NVRAM config last updated at 16:24:14 EST Mon Mar 1 1993
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "pamlico"
!
boot system flash slot0:c3640-is-mz.122-13a.bin
no logging console
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting system default stop-only group radius
enable password 7 <encrypted>
!
username <username> privilege 15 password 7 <encrypted>
clock timezone EST -5
ip subnet-zero
!
!
ip domain-name rivercto.net
ip name-server 63.165.97.3
ip name-server 63.165.97.5
!
vpdn enable
vpdn aaa attribute nas-port vpdn-nas
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname RBNCRCMT01
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 <encrypted>
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet1/0
 description connected to EthernetLAN
 ip address 63.165.97.1 255.255.255.0 secondary
 ip address 65.170.247.1 255.255.255.0
 duplex auto
 speed auto
!
interface ATM2/0
 no ip address
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/0.1 point-to-point
 description ckt 10.HCGJ.410638..CNTR for wholesale DSL
 ip address 192.168.4.58 255.255.255.252
 atm pvc 1 0 256 aal5snap 1500 1500
!
interface ATM2/1
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/2
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/3
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface Ethernet3/0
 ip address 192.168.0.25 255.255.255.0
 half-duplex
!
interface Serial3/0
 description connected to Internet
 ip address 160.81.28.114 255.255.255.252
 ip access-group elkin_in in
 ip access-group elkin_out out
 ip accounting output-packets
 service-module t1 remote-alarm-enable
!
interface Serial3/1
 no ip address
 shutdown
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered FastEthernet1/0
 peer default ip address pool dslpool
 ppp authentication chap
!
router rip
 version 2
 network 63.0.0.0
 no auto-summary
!
ip local pool dslpool 65.170.247.2 65.170.247.50
ip classless
ip route 0.0.0.0 0.0.0.0 Serial3/0 permanent
no ip http server
ip pim bidir-enable
!
!
ip access-list extended elkin_in
 deny ip any host 63.165.97.2
 deny tcp any host 63.165.97.12
 deny tcp any host 63.165.97.15 eq 9707 log
 deny icmp any host 63.165.97.15
 deny ip any host 63.165.97.27
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny tcp any any eq 139
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 deny udp any any eq 445
 permit ip any any
ip access-list extended elkin_out
 permit ip any any
logging trap debugging
logging facility local6
logging 63.165.97.15
access-list 1 permit 63.165.97.0 0.0.0.255
access-list 1 permit 65.170.247.0 0.0.0.255
access-list 4 permit 63.165.97.15
access-list 4 permit 63.165.97.14
access-list 4 permit 63.165.97.3
access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any mask-request
snmp-server engineID local <encrypted>
snmp-server community public RO 4
snmp-server enable traps tty
radius-server host 63.165.97.4 auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server timeout 6
radius-server attribute nas-port format d
radius-server key 7 <encrypted>
!
dial-peer cor custom
!
!
!
banner motd Unauthorized access prohibited. Violators will be prosecuted.
!
line con 0
 exec-timeout 0 0
 password 7 <encrypted>
line aux 0
line vty 0 4
 password 7 <encrypted>
!
ntp clock-period 17180095
ntp master
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.5.41.209
end

5 Replies

tepatel
Cisco Employee

Issue "sh users" and see whether the user is listed at all. If not, then he/she is not connected. We need to see the configuration for the working 2620 that you have terminating the PPPoE users, so post the working config from the 2620 for PPPoE.

Now here is the link which had sample config and troubleshooting for PPPoE users terminating on aggregation routers.

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bf2.html

Here's the output of "show users"

pamlico#show users
    Line       User       Host(s)              Idle       Location
*130 vty 0     johnwiles  idle                 00:00:00 192.168.0.50

  Interface  User        Mode                     Idle     Peer Address
  Vi1        aneaves@ri  Virtual PPP (L2TP )      00:00:58
  Vi3        ewgryphon@  Virtual PPP (L2TP )      00:00:03
  Vi4        jamessimps  Virtual PPP (L2TP )      00:00:01
  Vi5        brcyad@riv  Virtual PPP (L2TP )      00:00:39
  Vi7        lkennedy@r  Virtual PPP (L2TP )      00:00:00
  Vi8        gambillros  Virtual PPP (L2TP )      00:00:34

On my 2620, if I type "show caller full", I get several pages of material like:

User: ewgryphon@rivercityonline.com, line Vi20, service PPP L2TP
  Connected for 00:49:44, Idle for 00:00:03
  Timeouts:    Limit     Remaining  Timer Type
               1d00h     23:10:14   Session
               00:15:00  00:14:59   PPP idle
  PPP: LCP Open, PAP (<- none), IPCP
  Idle timer 900 secs, idle 0 secs
  IP: Local 63.165.97.1, remote 65.170.247.12
  VPDN: NAS RBNCRCMT01, MID 1671, MID Unknown
        HGW pamlico, NAS CLID 0, HGW CLID 0, tunnel open
  Counts: 7680 packets input, 3150085 bytes, 0 no buffer
          0 input errors, 0 CRC, 0 frame, 0 overrun
          24262 packets output, 6285316 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets

Whereas on the 3640 I get only a reference to the telnet session I'm using to talk to the box.

Here's the 2620 config:

!
! Last configuration change at 11:41:50 EST Tue Feb 25 2003 by johnwiles
! NVRAM config last updated at 11:41:51 EST Tue Feb 25 2003 by johnwiles
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pamlico
!
no logging console
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting system default stop-only group radius
aaa session-id common
enable password 7
!
username privilege 15 password 7
clock timezone EST -5
ip subnet-zero
!
!
ip domain-name rivercto.net
ip name-server 63.165.97.3
ip name-server 63.165.97.5
!
vpdn enable
vpdn aaa attribute nas-port vpdn-nas
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname RBNCRCMT01
 lcp renegotiation on-mismatch
 l2tp tunnel password 7
!
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 65.170.247.1 255.255.255.0 secondary
 ip address 63.165.97.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 description connected to Internet
 ip address 160.81.28.114 255.255.255.252
 ip access-group elkin_in in
 ip access-group elkin_out out
 ip accounting output-packets
 service-module t1 remote-alarm-enable
!
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM1/0.1 point-to-point
 description ckt 10.HCGJ.410638..CNTR for wholesale DSL
 ip address 192.168.4.58 255.255.255.252
 ip accounting output-packets
 atm pvc 1 0 256 aal5snap 1500 1500
!
interface ATM1/1
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM1/2
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM1/3
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered FastEthernet0/0
 peer default ip address pool dslpool
 ppp authentication pap
!
router rip
 version 2
 passive-interface Serial0/0
 network 63.0.0.0
 no auto-summary
!
ip local pool dslpool 65.170.247.2 65.170.247.50
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
ip pim bidir-enable
!
!
ip access-list extended elkin_in
 deny ip any host 63.165.97.2
 deny tcp any host 63.165.97.12
 deny tcp any host 63.165.97.15 eq 9707 log
 deny icmp any host 63.165.97.15
 deny ip any host 63.165.97.21
 deny ip any host 63.165.97.27
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny tcp any any eq 139
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 deny udp any any eq 445
 permit ip any any
ip access-list extended elkin_out
 permit ip any any
!
logging trap debugging
logging facility local6
logging 63.165.97.15
access-list 1 permit 63.165.97.0 0.0.0.255
access-list 1 permit 65.170.247.0 0.0.0.255
access-list 4 permit 63.165.97.15
access-list 4 permit 63.165.97.14
access-list 4 permit 63.165.97.3
access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any mask-request
!
snmp-server engineID local
snmp-server community public RO 4
radius-server host 63.165.97.4 auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server timeout 6
radius-server attribute nas-port format d
radius-server key 7
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner motd Unauthorized access prohibited. Violators will be prosecuted.
!
line con 0
 exec-timeout 0 0
 password 7
line aux 0
line vty 0 4
 password 7
 transport input ssh
!
ntp clock-period 17180234
ntp master
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.5.41.209
!
end

I think those are L2TP users and not PPPoE users, as there is no PPPoE config. For a PPPoE config, you need to have "protocol pppoe" under the vpdn-group instead of l2tp.

Anyway, try "sh caller ip" to see the IP address allocated to the users. Issue "sh ip route" and you will see that host routes (with mask /32) are installed for all the connected users. Try to ping them from the router itself. The config looks fine at this point, so I am out of suggestions. You can open a case by logging in at www.cisco.com/tac for this issue.

When I changed my config to "protocol pppoe" under VPDN group/accept-dialin, it removes my L2TP tunnel password and terminate-from hostname syntax, thereby eliminating the ability for me to establish the tunnel to Sprint's Redback and even begin to terminate PPPoE sessions.

However, I went back to my original config and typed "show ip route" and the PPPoE users don't have routes created for them on the 3640, but they do on the 2620.

If you don't see routes or "sh users" doesn't report any users connected, that means the users are not connected at all.

At this point it's just L2TP termination using VPDN. So now you just need to troubleshoot that. Try to open a case on www.cisco.com/tac
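
The thread turns on comparing the working 2620 configuration with the failing 3640 one, and that comparison can be done stanza by stanza with interface slot numbers ignored. The following is an added example, not part of any post in the thread: the two strings are excerpts of the posted configs with indentation restored, and `stanzas` and `compare` are hypothetical helper names.

```python
import re

# Excerpts of the two configs posted in the thread (session-related stanzas
# only), with IOS indentation restored so sub-commands attach to their parent.
CFG_2620 = """\
aaa authentication ppp default group radius local
aaa session-id common
interface FastEthernet0/0
 ip address 65.170.247.1 255.255.255.0 secondary
 ip address 63.165.97.1 255.255.255.0
interface Virtual-Template1
 mtu 1492
 ip unnumbered FastEthernet0/0
 peer default ip address pool dslpool
 ppp authentication pap
ip route 0.0.0.0 0.0.0.0 Serial0/0
"""
CFG_3640 = """\
aaa authentication ppp default group radius local
interface FastEthernet1/0
 ip address 63.165.97.1 255.255.255.0 secondary
 ip address 65.170.247.1 255.255.255.0
interface Virtual-Template1
 mtu 1492
 ip unnumbered FastEthernet1/0
 peer default ip address pool dslpool
 ppp authentication chap
ip route 0.0.0.0 0.0.0.0 Serial3/0 permanent
"""

def stanzas(cfg):
    """Return {(section, command)}; slot/port numbers become N/N so that
    FastEthernet0/0 on one chassis matches FastEthernet1/0 on the other."""
    out, section = set(), ""
    for raw in cfg.splitlines():
        line = re.sub(r"\d+/\d+", "N/N", raw.rstrip())
        if not line.strip() or line.strip() == "!":
            continue                      # skip blanks and "!" separators
        if line.startswith(" "):
            out.add((section, line.strip()))   # sub-command of current section
        else:
            section = line
            out.add(("", line))                # global command or section header
    return out

def compare(working, failing):
    """Return (only_in_working, only_in_failing) as sorted lists."""
    a, b = stanzas(working), stanzas(failing)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    for label, rows in zip(("2620 only", "3640 only"), compare(CFG_2620, CFG_3640)):
        print(label, *rows, sep="\n  ")
```

The result lists differences only; it does not say which one, if any, causes the symptom described in the thread.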