
ASR1002 - PPPoE/VPDN virtual-access

lucy.west
Level 1

hi - we have an ASR 1002 configured to be an LNS: when we use the following RADIUS AV Pairs:

cisco-avpair="ip:ip-unnumbered=Loopback 13",

or

cisco-avpair="lcp:interface-config=ip address 16.16.45.41 255.255.255.252",

We get the following message and the L2TP tunnel drops:

Jun 21 13:15:46.348: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x42292368, ifnum= 23

Jun 21 13:15:46.350: %VPDN-6-CLOSED: L2TP LNS asr301.entlab closed Vi3 user 2911S-ASR@internet-mlppplab.co.uk; Result 1, Error 0, Dataplane down

As per Cisco doc:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/scaling.html#wp1082057

the ASR is configured with 'aaa policy interface-config allow-subinterface'

If we hash out the above av-pairs the session is able to establish on a virtual-access interface but with no IP between the LNS and the CPE as the LNS has no route for the framed-routes it receives.

Config snippets as below on ASR1002 (IOS :

aaa session-id common
aaa policy interface-config allow-subinterface

interface Virtual-Template10
no ip address
no logging event link-status
load-interval 30
no peer neighbor-route
no peer default ip address
no snmp trap link-status
qos pre-classify
ppp authentication chap pap callin
ppp multilink
ppp multilink fragment disable

vpdn enable
vpdn multihop
vpdn source-ip <<loopback 0>>
vpdn authen-before-forward
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
!
vpdn-template
!
vpdn-group 1
! Default L2TP VPDN group
description Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 10
session-limit 1000
local name asr301.entlab
lcp renegotiation always
l2tp tunnel hello 10
l2tp tunnel password XXXXXX
l2tp tunnel receive-window 100
l2tp tunnel timeout no-session 0

Other post-auth RADIUS attributes:

         Service-Type=Framed-User,
         Framed-Protocol=PPP,
         Framed-IP-Address="16.16.45.42",
         Framed-Netmask=255.255.255.255,
#         cisco-avpair="lcp:interface-config=ip address 16.16.45.41 255.255.255.252",
         Framed-Route="6.6.6.0/24"
         Framed-Route="29.11.11.11/32"
         cisco-avpair="ip:ip-unnumbered=Loopback 13",

8 Replies

Manuel Rodriguez
Cisco Employee

Hello Lucy,

It seems like the problem is that you are using the "lcp:interface-config" VSA. Using the VSA will force the use of full VAIs, which are not allowed on the ASR1k platform for scalability reasons. You can read about this at:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/scaling.html#wp1124018

The first thing will be to not use the "lcp:interface-config" VSA and verify that the session comes up.

Regarding the IP connectivity, I'm afraid that I'm not quite following you. Normally, if you use Framed-IP-Address and the client is negotiating its IP address via IPCP, the IP address should be provided to the CPE via IPCP and the LNS should install a directly connected route in its routing table to provide IP connectivity. After the session comes up you should be able to ping from the LNS to the CPE.

Let me know if this answers your inquiries.

Best regards.

Hi Manuel,

I got a similar issue, but I'm not using RADIUS but the local users DB.

Trying to clone into VAI instead of a subinterface.

interface Virtual-Template1
mtu 1460
no logging event link-status ! << I start seeing this when I added this line
ip unnumbered GigabitEthernet0/0/1.2001
peer default ip address dhcp-pool users
keepalive 30
ppp authentication pap callin vpdn
ppp ipcp dns x.x.x.x
ppp timeout authentication 15

RTR-DC-CORE: 029012: Nov 21 16:19:45.234: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
RTR-DC-CORE: 029013: Nov 21 16:19:45.235: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to up
RTR-DC-CORE: 029014: Nov 21 16:19:45.322: %DHCPD-6-LOW_UTIL: Pool "users" is in low utilization state (8 addresses used out of 508). Threshold set at 50%.
RTR-DC-CORE: 029015: Nov 21 16:19:45.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access31, changed state to down
RTR-DC-CORE: 029016: Nov 21 16:19:45.323: %LINK-3-UPDOWN: Interface Virtual-Access31, changed state to down

Hi Omar,

I do not see the "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces" message in the logs you shared. Do you see the same logs? Also, it would be better if full logs are shared (preferably from working and non-working cases) together with a full running configuration and show version, so we know what we are talking about.

Regards

Hello Manuel,

After digging deep into my logs, here is what I could find:

132487: Nov 21 15:33:49.959: ppp489 PAP: I AUTH-REQ id 15 len 34 from "tarikb@befreemedia.com"
132488: Nov 21 15:33:49.959: ppp489 PAP: Authenticating peer tarikb@befreemedia.com
132489: Nov 21 15:33:49.960: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
132490: Nov 21 15:33:49.960: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
132491: Nov 21 15:33:49.960: ppp489 PPP: Sent PAP LOGIN Request
132492: Nov 21 15:33:49.961: ppp489 PPP: Received LOGIN Response PASS
132493: Nov 21 15:33:49.963: Vi7 PAP: O AUTH-ACK id 15 len 5
132494: Nov 21 15:33:49.964: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access7, changed state to up
132495: Nov 21 15:33:49.964: %LINK-3-UPDOWN: Interface Virtual-Access7, changed state to up
132496: Nov 21 15:33:51.030: ppp734 PAP: I AUTH-REQ id 76 len 37 from "dhouibyas@befreemedia.com"
132497: Nov 21 15:33:51.030: ppp734 PAP: Authenticating peer dhouibyas@befreemedia.com
132498: Nov 21 15:33:51.030: ppp734 PPP: Sent PAP LOGIN Request
132499: Nov 21 15:33:51.031: ppp734 PPP: Received LOGIN Response PASS
132500: Nov 21 15:33:51.033: Vi6 PAP: O AUTH-ACK id 76 len 5
132501: Nov 21 15:33:51.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
132502: Nov 21 15:33:51.034: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to up
132503: Nov 21 15:33:52.005: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
132504: Nov 21 15:33:52.006: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
132505: Nov 21 15:33:52.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access7, changed state to down
132506: Nov 21 15:33:52.006: %LINK-3-UPDOWN: Interface Virtual-Access7, changed state to down
132507: Nov 21 15:33:53.091: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F0842B4B708, ifnum= 315
132508: Nov 21 15:33:53.093: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to down
132509: Nov 21 15:33:53.093: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to down
132510: Nov 21 15:33:54.082: ppp1265 PAP: I AUTH-REQ id 47 len 34 from "fekkar@befreemedia.com"
132511: Nov 21 15:33:54.082: ppp1265 PAP: Authenticating peer fekkar@befreemedia.com
132512: Nov 21 15:33:54.082: ppp1265 PPP: Sent PAP LOGIN Request
132513: Nov 21 15:33:54.082: ppp1265 PPP: Received LOGIN Response PASS
132514: Nov 21 15:33:54.085: Vi4 PAP: O AUTH-ACK id 47 len 5
132515: Nov 21 15:33:54.086: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
132516: Nov 21 15:33:54.086: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
132517: Nov 21 15:33:56.133: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to down
132518: Nov 21 15:33:56.133: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
132519: Nov 21 15:33:57.171: ppp1246 PAP: I AUTH-REQ id 28 len 34 from "faycal@befreemedia.com"
132520: Nov 21 15:33:57.171: ppp1246 PAP: Authenticating peer faycal@befreemedia.com
132521: Nov 21 15:33:57.171: ppp1246 PPP: Sent PAP LOGIN Request
132522: Nov 21 15:33:57.171: ppp1246 PPP: Received LOGIN Response PASS
132523: Nov 21 15:33:57.174: Vi3 PAP: O AUTH-ACK id 28 len 5

And just note that at this step I'm using local login and not Radius.

Thanks.
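
Added example (not posted by anyone in this thread): a Python script that ties each %FMANRP_ESS-4-FULLVAI message to the Virtual-Access interface and PAP user it most likely belongs to, using the log format shown above. The sample lines and user name are constructed, and pairing the message with the next interface-down event inside a short window is a heuristic assumption, not documented IOS behaviour.

```python
import re
from datetime import datetime

# Constructed sample lines in the format shown in the thread (hypothetical user).
SAMPLE_LOG = '''\
100: Nov 21 15:33:51.030: ppp734 PAP: I AUTH-REQ id 76 len 37 from "user-a@example.net"
101: Nov 21 15:33:51.033: Vi6 PAP: O AUTH-ACK id 76 len 5
102: Nov 21 15:33:51.034: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to up
103: Nov 21 15:33:52.006: %LINK-3-UPDOWN: Interface Virtual-Access7, changed state to down
104: Nov 21 15:33:53.091: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F0842B4B708, ifnum= 315
105: Nov 21 15:33:53.093: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to down
'''

TS = re.compile(r'(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)')
REQ = re.compile(r'PAP: I AUTH-REQ id (\d+) .* from "([^"]+)"')
ACK = re.compile(r'Vi(\d+) PAP: O AUTH-ACK id (\d+)')
DOWN = re.compile(r'%LINK-3-UPDOWN: Interface Virtual-Access(\d+), changed state to down')
FULLVAI = re.compile(r'%FMANRP_ESS-4-FULLVAI:.*ifnum= *(\d+)')

def correlate_fullvai(log_text, window_s=1.0):
    """Return [(ifnum, 'ViN' or None, user or None)] for each FULLVAI message.

    Heuristic: the first Virtual-Access interface that goes down within
    window_s seconds after the message is taken to be the rejected session.
    """
    user_by_id, user_by_vi, pending, results = {}, {}, [], []
    for line in log_text.splitlines():
        m = TS.search(line)
        if not m:
            continue
        # The log carries no year; a fixed one is prepended only for parsing.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if (r := REQ.search(msg)):
            user_by_id[r.group(1)] = r.group(2)          # PAP id -> user name
        elif (a := ACK.search(msg)):
            user_by_vi[a.group(1)] = user_by_id.get(a.group(2))  # ViN -> user
        elif (f := FULLVAI.search(msg)):
            pending.append((when, int(f.group(1))))
        elif (d := DOWN.search(msg)) and pending:
            t0, ifnum = pending.pop(0)
            vi = d.group(1) if (when - t0).total_seconds() <= window_s else None
            results.append((ifnum, f"Vi{vi}" if vi else None, user_by_vi.get(vi)))
    results += [(n, None, None) for _, n in pending]     # no down event seen
    return results

if __name__ == "__main__":
    print(correlate_fullvai(SAMPLE_LOG))
```

PAP identifiers are reused over time, so on a busy LNS the user mapping is only as good as the last AUTH-REQ/AUTH-ACK pair seen before the failure.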

Hi,

As mentioned earlier, share also a running config and a show version from the device.

Full VAI may be forced not only by attributes sent from RADIUS but also by commands configured under the Virtual-Template interface. You may want to try to verify your virtual-template interface using the command "test virtual-Template X subinterface". Also, make sure 'aaa policy interface-config allow-subinterface' is configured.

Regards.

I think that it is because of the missing:

aaa policy interface-config allow-subinterface

I think something changed when I added the command "logging event link-status" and then removed it, which may force this to use the whole virtual interface.

I don't know if this makes sense.

#sh run | i aaa
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local
aaa authentication ppp vpdn local
aaa session-id common
aaa policy interface-config allow-subinterface

The Virtual-Tem1

interface Virtual-Template1
mtu 1460
ip unnumbered GigabitEthernet0/0/1.2001
peer default ip address dhcp-pool users
keepalive 30
ppp authentication pap callin vpdn
ppp ipcp dns x.x.x.x
ppp timeout authentication 15
end

Version:

Cisco IOS XE Software, Version 03.12.00a.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.4(2)S0a, RELEASE SOFTWARE (fc1)

Hi,

'aaa policy interface-config allow-subinterface' should be configured to allow sub-interfaces to be cloned from virtual-template interface.

Regards.

Good thank you, I did.

Just curious whether this could work without the command, as at first everything was working fine even without the command.