02-27-2003 11:44 AM - edited 03-02-2019 05:27 AM
Hi All,
I have a Cisco 3640 running IOS 12.2(13a) w/ IP Plus feature pack. I have a T1 connected to a T1 WIC in an NM-1E2W for my connection to the Internet backbone and a NM-4T1-IMA card with single T1 for my ATM connection to terminate DSL sessions from Sprint. Currently, all of the connections are running decently on a Cisco 2620. When I switch over the connections to the new 3640, my regular T1 comes up and my standard dial-up users and my office workstations can communicate perfectly, but my DSL users connecting to the 3640 are having problems.
My DSL PPPoE users come up, but cannot pass traffic. Also, when I use the command "show caller user <username>@rivercityonline.com" I get no output, whereas on my 2620, I get substantial info, namely the user's IP address.
Also, SSH will not function. I was trying to follow the instructions provided by Cisco, but the command "cry" is rejected by my router as an unrecognized command.
My config is below:
!
! Last configuration change at 16:24:13 EST Mon Mar 1 1993
! NVRAM config last updated at 16:24:14 EST Mon Mar 1 1993
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "pamlico"
!
boot system flash slot0:c3640-is-mz.122-13a.bin
no logging console
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting system default stop-only group radius
enable password 7 <encrypted>
!
username <username> privilege 15 password 7 <encrypted>
clock timezone EST -5
ip subnet-zero
!
!
ip domain-name rivercto.net
ip name-server 63.165.97.3
ip name-server 63.165.97.5
!
vpdn enable
vpdn aaa attribute nas-port vpdn-nas
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname RBNCRCMT01
lcp renegotiation on-mismatch
l2tp tunnel password 7 <encrypted>
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet1/0
description connected to EthernetLAN
ip address 63.165.97.1 255.255.255.0 secondary
ip address 65.170.247.1 255.255.255.0
duplex auto
speed auto
!
interface ATM2/0
no ip address
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM2/0.1 point-to-point
description ckt 10.HCGJ.410638..CNTR for wholesale DSL
ip address 192.168.4.58 255.255.255.252
atm pvc 1 0 256 aal5snap 1500 1500
!
interface ATM2/1
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM2/2
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM2/3
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface Ethernet3/0
ip address 192.168.0.25 255.255.255.0
half-duplex
!
interface Serial3/0
description connected to Internet
ip address 160.81.28.114 255.255.255.252
ip access-group elkin_in in
ip access-group elkin_out out
ip accounting output-packets
service-module t1 remote-alarm-enable
!
interface Serial3/1
no ip address
shutdown
!
interface Virtual-Template1
mtu 1492
ip unnumbered FastEthernet1/0
peer default ip address pool dslpool
ppp authentication chap
!
router rip
version 2
network 63.0.0.0
no auto-summary
!
ip local pool dslpool 65.170.247.2 65.170.247.50
ip classless
ip route 0.0.0.0 0.0.0.0 Serial3/0 permanent
no ip http server
ip pim bidir-enable
!
!
ip access-list extended elkin_in
deny ip any host 63.165.97.2
deny tcp any host 63.165.97.12
deny tcp any host 63.165.97.15 eq 9707 log
deny icmp any host 63.165.97.15
deny ip any host 63.165.97.27
deny udp any any eq 135
deny udp any any eq netbios-ns
deny tcp any any eq 139
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
deny udp any any eq 445
permit ip any any
ip access-list extended elkin_out
permit ip any any
logging trap debugging
logging facility local6
logging 63.165.97.15
access-list 1 permit 63.165.97.0 0.0.0.255
access-list 1 permit 65.170.247.0 0.0.0.255
access-list 4 permit 63.165.97.15
access-list 4 permit 63.165.97.14
access-list 4 permit 63.165.97.3
access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any mask-request
snmp-server engineID local <encrypted>
snmp-server community public RO 4
snmp-server enable traps tty
radius-server host 63.165.97.4 auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server timeout 6
radius-server attribute nas-port format d
radius-server key 7 <encrypted>
!
dial-peer cor custom
!
!
!
banner motd Unauthorized access prohibited. Violators will be prosecuted.
!
line con 0
exec-timeout 0 0
password 7 <encrypted>
line aux 0
line vty 0 4
password 7 <encrypted>
!
ntp clock-period 17180095
ntp master
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.5.41.209
end
02-27-2003 02:13 PM
Issue "sh users" and see whether the user is listed at all. If not, then he/she is not connected. We need to see the configuration for the working 2620 that you have terminating the PPPoE users. So post the working config from the 2620 for PPPoE.
Now here is the link which had sample config and troubleshooting for PPPoE users terminating on aggregation routers.
02-27-2003 03:25 PM
Here's the output of "show users"
pamlico#show users
Line User Host(s) Idle Location
*130 vty 0 johnwiles idle 00:00:00 192.168.0.50
Interface User Mode Idle Peer Address
Vi1 aneaves@ri Virtual PPP (L2TP ) 00:00:58
Vi3 ewgryphon@ Virtual PPP (L2TP ) 00:00:03
Vi4 jamessimps Virtual PPP (L2TP ) 00:00:01
Vi5 brcyad@riv Virtual PPP (L2TP ) 00:00:39
Vi7 lkennedy@r Virtual PPP (L2TP ) 00:00:00
Vi8 gambillros Virtual PPP (L2TP ) 00:00:34
On my 2620, if I type "show caller full", I get several pages of material like:
User: ewgryphon@rivercityonline.com, line Vi20, service PPP L2TP
Connected for 00:49:44, Idle for 00:00:03
Timeouts: Limit Remaining Timer Type
1d00h 23:10:14 Session
00:15:00 00:14:59 PPP idle
PPP: LCP Open, PAP (<- none), IPCP
Idle timer 900 secs, idle 0 secs
IP: Local 63.165.97.1, remote 65.170.247.12
VPDN: NAS RBNCRCMT01, MID 1671, MID Unknown
HGW pamlico, NAS CLID 0, HGW CLID 0, tunnel open
Counts: 7680 packets input, 3150085 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun
24262 packets output, 6285316 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
Whereas on the 3640 I get only a reference to the telnet session I'm using to talk to the box.
Here's the 2620 config:
!
! Last configuration change at 11:41:50 EST Tue Feb 25 2003 by johnwiles
! NVRAM config last updated at 11:41:51 EST Tue Feb 25 2003 by johnwiles
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pamlico
!
no logging console
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting system default stop-only group radius
aaa session-id common
enable password 7
!
username
clock timezone EST -5
ip subnet-zero
!
!
ip domain-name rivercto.net
ip name-server 63.165.97.3
ip name-server 63.165.97.5
!
vpdn enable
vpdn aaa attribute nas-port vpdn-nas
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname RBNCRCMT01
lcp renegotiation on-mismatch
l2tp tunnel password 7
!
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 65.170.247.1 255.255.255.0 secondary
ip address 63.165.97.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
description connected to Internet
ip address 160.81.28.114 255.255.255.252
ip access-group elkin_in in
ip access-group elkin_out out
ip accounting output-packets
service-module t1 remote-alarm-enable
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM1/0.1 point-to-point
description ckt 10.HCGJ.410638..CNTR for wholesale DSL
ip address 192.168.4.58 255.255.255.252
ip accounting output-packets
atm pvc 1 0 256 aal5snap 1500 1500
!
interface ATM1/1
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM1/2
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface ATM1/3
no ip address
shutdown
no atm ilmi-keepalive
no scrambling-payload
!
interface Virtual-Template1
mtu 1492
ip unnumbered FastEthernet0/0
peer default ip address pool dslpool
ppp authentication pap
!
router rip
version 2
passive-interface Serial0/0
network 63.0.0.0
no auto-summary
!
ip local pool dslpool 65.170.247.2 65.170.247.50
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
ip pim bidir-enable
!
!
ip access-list extended elkin_in
deny ip any host 63.165.97.2
deny tcp any host 63.165.97.12
deny tcp any host 63.165.97.15 eq 9707 log
deny icmp any host 63.165.97.15
deny ip any host 63.165.97.21
deny ip any host 63.165.97.27
deny udp any any eq 135
deny udp any any eq netbios-ns
deny tcp any any eq 139
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
deny udp any any eq 445
permit ip any any
ip access-list extended elkin_out
permit ip any any
!
logging trap debugging
logging facility local6
logging 63.165.97.15
access-list 1 permit 63.165.97.0 0.0.0.255
access-list 1 permit 65.170.247.0 0.0.0.255
access-list 4 permit 63.165.97.15
access-list 4 permit 63.165.97.14
access-list 4 permit 63.165.97.3
access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any mask-request
!
snmp-server engineID local
snmp-server community public RO 4
radius-server host 63.165.97.4 auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server timeout 6
radius-server attribute nas-port format d
radius-server key 7
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner motd Unauthorized access prohibited. Violators will be prosecuted.
!
line con 0
exec-timeout 0 0
password 7
line aux 0
line vty 0 4
password 7
transport input ssh
!
ntp clock-period 17180234
ntp master
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.5.41.209
!
end
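Added example, not part of any poster's message: a section-aware comparison of the two posted configurations, which reports commands present on only one router after mapping the 3640's slot numbers onto the 2620's and masking the redacted type 7 secrets. The excerpts are copied from the two configs above with indentation restored; `RENAME`, `parse` and `diff` are names chosen for this sketch.

```python
import re

# Excerpts of the two posted configs; "show running-config" indentation restored.
NEW_3640 = """\
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ppp authentication chap
line vty 0 4
 password 7 <encrypted>
"""
OLD_2620 = """\
aaa session-id common
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp authentication pap
line vty 0 4
 password 7
 transport input ssh
"""
# Slot renumbering between the two chassis, read off the posted configs.
RENAME = {"FastEthernet1/0": "FastEthernet0/0", "Serial3/0": "Serial0/0", "ATM2/": "ATM1/"}

def parse(cfg, rename=None):
    """Map section header ('' for global commands) -> set of normalised lines."""
    sections, current = {"": set()}, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for old, new in (rename or {}).items():
            line = line.replace(old, new)
        # Secrets are redacted and differ per box: compare presence only.
        line = re.sub(r"\b(password|key) 7\b.*", r"\1 7 <redacted>", line)
        if raw[0].isspace():
            sections.setdefault(current, set()).add(line)
        else:
            current = line
            sections[""].add(line)
    return sections

def diff(new, old):
    """Return {section: (only_in_new, only_in_old)} for sections that differ."""
    a, b = parse(new, RENAME), parse(old)
    out = {}
    for sec in sorted(set(a) | set(b)):
        x, y = a.get(sec, set()), b.get(sec, set())
        if x != y:
            out[sec or "(global)"] = (sorted(x - y), sorted(y - x))
    return out
```

Calling `diff(NEW_3640, OLD_2620)` on these excerpts lists `aaa session-id common`, `ppp authentication pap` versus `chap`, and `transport input ssh` as the differences; it only reports them and does not say which one matters.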
02-27-2003 08:58 PM
I think those are L2TP users and not PPPoE users, as there is no PPPoE config. For a PPPoE config, you need to have "protocol pppoe" under the vpdn-group instead of l2tp.
Anyway, try "sh caller ip" to see the IP address allocated to the users. Issue "sh ip route" and you will see that host routes (with mask /32) are installed for all the connected users. Try to ping them from the router itself. The config looks fine at this point, so I am out of suggestions. You can open a case by logging in at www.cisco.com/tac for this issue.
03-02-2003 04:46 PM
When I changed my config to "protocol pppoe" under VPDN group/accept-dialin, it removes my L2TP tunnel password and terminate-from hostname syntax, thereby eliminating the ability for me to establish the tunnel to Sprint's Redback and even begin to terminate PPPoE sessions.
However, I went back to my original config and typed "show ip route" and the PPPoE users don't have routes created for them on the 3640, but they do on the 2620.
03-02-2003 05:58 PM
If you don't see routes or "sh users" doesn't report any users connected, that means the users are not connected at all.
At this point it's just L2TP termination using VPDN. So now you just need to troubleshoot that. Try to open a case on www.cisco.com/tac