06-21-2012 06:28 AM - edited 03-01-2019 02:35 PM
Hi - we have an ASR 1002 configured to be an LNS. When we use the following RADIUS AV pairs:
cisco-avpair="ip:ip-unnumbered=Loopback 13",
or
cisco-avpair="lcp:interface-config=ip address 16.16.45.41 255.255.255.252",
We get the following message and the L2TP tunnel drops:
Jun 21 13:15:46.348: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x42292368, ifnum= 23
Jun 21 13:15:46.350: %VPDN-6-CLOSED: L2TP LNS asr301.entlab closed Vi3 user 2911S-ASR@internet-mlppplab.co.uk; Result 1, Error 0, Dataplane down
As per Cisco doc:
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/scaling.html#wp1082057
the ASR is configured with 'aaa policy interface-config allow-subinterface'
If we hash out the above av-pairs the session is able to establish on a virtual-access interface but with no IP between the LNS and the CPE as the LNS has no route for the framed-routes it receives.
Config snippets as below on ASR1002 (IOS :
aaa session-id common
aaa policy interface-config allow-subinterface
interface Virtual-Template10
no ip address
no logging event link-status
load-interval 30
no peer neighbor-route
no peer default ip address
no snmp trap link-status
qos pre-classify
ppp authentication chap pap callin
ppp multilink
ppp multilink fragment disable
vpdn enable
vpdn multihop
vpdn source-ip <<loopback 0>>
vpdn authen-before-forward
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
!
vpdn-template
!
vpdn-group 1
! Default L2TP VPDN group
description Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 10
session-limit 1000
local name asr301.entlab
lcp renegotiation always
l2tp tunnel hello 10
l2tp tunnel password XXXXXX
l2tp tunnel receive-window 100
l2tp tunnel timeout no-session 0
vpdn enable
vpdn multihop
vpdn source-ip 87.84.214.168
vpdn authen-before-forward
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
!
vpdn-template
!
vpdn-group 1
! Default L2TP VPDN group
description Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 10
session-limit 1000
local name asr301.entlab
lcp renegotiation always
l2tp tunnel hello 10
l2tp tunnel password XXXXXX
l2tp tunnel receive-window 100
l2tp tunnel timeout no-session 0
!
Other post-auth RADIUS attributes:
Service-Type=Framed-User,
Framed-Protocol=PPP,
Framed-IP-Address="16.16.45.42",
Framed-Netmask=255.255.255.255,
# cisco-avpair="lcp:interface-config=ip address 16.16.45.41 255.255.255.252",
Framed-Route="6.6.6.0/24"
Framed-Route="29.11.11.11/32"
cisco-avpair="ip:ip-unnumbered=Loopback 13",
07-02-2012 08:35 AM
Hello Lucy,
It seems like the problem is that you are using the "lcp:interface-config" VSA. Using the VSA will force the use of full VAI, which is not allowed on the ASR1k platform for scalability reasons. You can read about this at:
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/scaling.html#wp1124018
The first thing will be to not use the "lcp:interface-config" VSA and verify that the session comes up.
Regarding the IP connectivity, I'm afraid that I'm not quite following you. Normally, if you use Framed-IP-Address and the client is negotiating its IP address via IPCP, the IP address should be provided to the CPE via IPCP and the LNS should install a directly connected route in its routing table to provide IP connectivity. After the session comes up you should be able to ping from the LNS to the CPE.
Let me know if this answers your inquiries.
Best regards.
11-21-2015 11:03 AM
Hi Manuel,
I got a similar
Trying to clone into VAI instead of a subinterface.
interface Virtual-Template1
mtu 1460
no logging event link-status ! << I start seeing this when I added this line
ip unnumbered GigabitEthernet0/0/1.2001
peer default ip address dhcp-pool users
keepalive 30
ppp authentication pap callin vpdn
ppp ipcp dns x.x.x.x
ppp timeout authentication 15
RTR-DC-CORE: 029012: Nov 21 16:19:45.234: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
RTR-DC-CORE: 029013: Nov 21 16:19:45.235: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to up
RTR-DC-CORE: 029014: Nov 21 16:19:45.322: %DHCPD-6-LOW_UTIL: Pool "users" is in low utilization state (8 addresses used out of 508). Threshold set at 50%.
RTR-DC-CORE: 029015: Nov 21 16:19:45.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access31, changed state to down
RTR-DC-CORE: 029016: Nov 21 16:19:45.323: %LINK-3-UPDOWN: Interface Virtual-Access31, changed state to down
11-22-2015 11:42 PM
Hi Omar,
I do not see the "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces" logs in the logs you shared. Do you see the same logs? Also, it would be better if full logs are shared (preferably from working and non-working cases) together with a full running configuration and show version, so we know what we are talking about.
Regards
11-23-2015 08:48 PM
Hello Manuel,
After digging deep into my logs, here is what I could find:
132487: Nov 21 15:33:49.959: ppp489 PAP: I AUTH-REQ id 15 len 34 from "tarikb@befreemedia.com"
132488: Nov 21 15:33:49.959: ppp489 PAP: Authenticating peer tarikb@befreemedia.com
132489: Nov 21 15:33:49.960: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
132490: Nov 21 15:33:49.960: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
132491: Nov 21 15:33:49.960: ppp489 PPP: Sent PAP LOGIN Request
132492: Nov 21 15:33:49.961: ppp489 PPP: Received LOGIN Response PASS
132493: Nov 21 15:33:49.963: Vi7 PAP: O AUTH-ACK id 15 len 5
132494: Nov 21 15:33:49.964: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access7, changed state to up
132495: Nov 21 15:33:49.964: %LINK-3-UPDOWN: Interface Virtual-Access7, changed state to up
132496: Nov 21 15:33:51.030: ppp734 PAP: I AUTH-REQ id 76 len 37 from "dhouibyas@befreemedia.com"
132497: Nov 21 15:33:51.030: ppp734 PAP: Authenticating peer dhouibyas@befreemedia.com
132498: Nov 21 15:33:51.030: ppp734 PPP: Sent PAP LOGIN Request
132499: Nov 21 15:33:51.031: ppp734 PPP: Received LOGIN Response PASS
132500: Nov 21 15:33:51.033: Vi6 PAP: O AUTH-ACK id 76 len 5
132501: Nov 21 15:33:51.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
132502: Nov 21 15:33:51.034: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to up
132503: Nov 21 15:33:52.005: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
132504: Nov 21 15:33:52.006: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
132505: Nov 21 15:33:52.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access7, changed state to down
132506: Nov 21 15:33:52.006: %LINK-3-UPDOWN: Interface Virtual-Access7, changed state to down
132507: Nov 21 15:33:53.091: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F0842B4B708, ifnum= 315
132508: Nov 21 15:33:53.093: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to down
132509: Nov 21 15:33:53.093: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to down
132510: Nov 21 15:33:54.082: ppp1265 PAP: I AUTH-REQ id 47 len 34 from "fekkar@befreemedia.com"
132511: Nov 21 15:33:54.082: ppp1265 PAP: Authenticating peer fekkar@befreemedia.com
132512: Nov 21 15:33:54.082: ppp1265 PPP: Sent PAP LOGIN Request
132513: Nov 21 15:33:54.082: ppp1265 PPP: Received LOGIN Response PASS
132514: Nov 21 15:33:54.085: Vi4 PAP: O AUTH-ACK id 47 len 5
132515: Nov 21 15:33:54.086: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
132516: Nov 21 15:33:54.086: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
132517: Nov 21 15:33:56.133: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to down
132518: Nov 21 15:33:56.133: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
132519: Nov 21 15:33:57.171: ppp1246 PAP: I AUTH-REQ id 28 len 34 from "faycal@befreemedia.com"
132520: Nov 21 15:33:57.171: ppp1246 PAP: Authenticating peer faycal@befreemedia.com
132521: Nov 21 15:33:57.171: ppp1246 PPP: Sent PAP LOGIN Request
132522: Nov 21 15:33:57.171: ppp1246 PPP: Received LOGIN Response PASS
132523: Nov 21 15:33:57.174: Vi3 PAP: O AUTH-ACK id 28 len 5
And just note that at this step I'm using local login and not RADIUS.
Thanks.
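An added example, not part of any post in this thread: a Python script that finds each %FMANRP_ESS-4-FULLVAI message in a log like the one above and ties it to the Virtual-Access interface that goes down right after it and to the PAP user last acknowledged on that interface. The function name, the 50 ms window and the sample lines are assumptions constructed for illustration, and the correlation is a heuristic based on the message order seen in this excerpt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the logs quoted in this thread.
SAMPLE_LOG = """\
100: Nov 21 15:33:51.030: ppp734 PAP: I AUTH-REQ id 76 len 37 from "user-a@example.net"
101: Nov 21 15:33:51.033: Vi6 PAP: O AUTH-ACK id 76 len 5
102: Nov 21 15:33:51.034: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to up
103: Nov 21 15:33:52.006: %LINK-3-UPDOWN: Interface Virtual-Access7, changed state to down
104: Nov 21 15:33:53.091: %FMANRP_ESS-4-FULLVAI: Session creation failed (constructed text)
105: Nov 21 15:33:53.093: %LINK-3-UPDOWN: Interface Virtual-Access6, changed state to down
106: Nov 21 15:34:10.000: %FMANRP_ESS-4-FULLVAI: Session creation failed (constructed text)
"""

TS = re.compile(r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (.*)")
REQ = re.compile(r'PAP: I AUTH-REQ id (\d+) len \d+ from "([^"]+)"')
ACK = re.compile(r"Vi(\d+) PAP: O AUTH-ACK id (\d+)")
DOWN = re.compile(r"%LINK-3-UPDOWN: Interface Virtual-Access(\d+), changed state to down")

def correlate_fullvai(log_text, window_ms=50):
    """Return one record per FULLVAI event: time, interface and user if found."""
    window = timedelta(milliseconds=window_ms)
    pending = {}   # PAP id -> username from the latest AUTH-REQ
    vi_user = {}   # Virtual-Access number -> username taken from AUTH-ACK
    events = []    # [timestamp, record] per FULLVAI message
    for raw in log_text.splitlines():
        m = TS.search(raw)
        if not m:
            continue
        # The log has no year; a fixed leap year is assumed for parsing.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if (r := REQ.search(msg)):
            pending[r.group(1)] = r.group(2)
        elif (a := ACK.search(msg)):
            vi_user[a.group(1)] = pending.pop(a.group(2), None)
        elif "%FMANRP_ESS-4-FULLVAI" in msg:
            events.append([when, {"time": m.group(1), "interface": None, "user": None}])
        elif (d := DOWN.search(msg)):
            # Heuristic: first link-down within the window after the event.
            for at, rec in events:
                if rec["interface"] is None and timedelta(0) <= when - at <= window:
                    rec["interface"] = "Virtual-Access" + d.group(1)
                    rec["user"] = vi_user.get(d.group(1))
                    break
    return [rec for _, rec in events]

if __name__ == "__main__":
    for record in correlate_fullvai(SAMPLE_LOG):
        print(record)
```

A FULLVAI event with no link-down inside the window is still reported, with interface and user left as None, which is what a template carrying `no logging event link-status` would produce.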
11-23-2015 11:12 PM
Hi,
As mentioned earlier, share also a running config and a show version from the device.
Full VAI may be forced not only by attributes sent from RADIUS but also by commands configured under the Virtual-Template interface. You may want to try to verify your virtual-template interface using the command "test virtual-Template X subinterface". Also, make sure 'aaa policy interface-config allow-subinterface' is configured.
Regards.
11-24-2015 11:43 AM
I think that it is because of the missing:
aaa policy interface-config allow-subinterface
Something changed when I added the command logging event link-status, then I removed it, which may force this to use the whole virtual interface.
I don't know if this makes sense.
#sh run | i aaa
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local
aaa authentication ppp vpdn local
aaa session-id common
aaa policy interface-config allow-subinterface
The Virtual-Tem1
interface Virtual-Template1
mtu 1460
ip unnumbered GigabitEthernet0/0/1.2001
peer default ip address dhcp-pool users
keepalive 30
ppp authentication pap callin vpdn
ppp ipcp dns x.x.x.x
ppp timeout authentication 15
end
Version:
Cisco IOS XE Software, Version 03.12.00a.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.4(2)S0a, RELEASE SOFTWARE (fc1)
11-24-2015 11:59 PM
Hi,
'aaa policy interface-config allow-subinterface' should be configured to allow sub-interfaces to be cloned from virtual-template interface.
Regards.
11-27-2015 04:05 AM
Just curious whether this could work without the command? At first, everything was working fine even without the command.