Case Studies


In this case study, VPDN is configured so that a user dials into the L2TP Access Concentrator (LAC), and based on the domain name, two things happen: a VPDN tunnel is created to the L2TP Network Server (LNS), and the actual user is authenticated by the Radius Server on the LNS side. This case study is based on Figure 9-10.

Figure 9-10. Basic VPDN Setup


Router Configuration

As shown in Figure 9-10, there are two routers (LAC and LNS) involved for a successful VPDN implementation. In this section, work through the configuration of these two routers.

LAC Configuration

LAC configuration involves turning on VPDN and configuring AAA for domain-name authentication. Example 9-30 shows the configuration of the LAC with an explanation.

Example 9-30. Configuration of the LAC Router

LAC# show running-config
Building configuration...

Current configuration:
!
version 12.2
service timestamps debug datetime
service timestamps log uptime
no service password-encryption
!
hostname LAC
!
!AAA commands needed to authenticate the user and obtain
!VPDN tunnel information. Don't forget to turn on the authorization for PPP.
aaa new-model
aaa authentication login default group local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable password cisco^%we@sd
!
!The following line is for router management and has no significance for VPDN.
!For simplicity, cisco123 is used as the password; use a strong password on a
!production router.
username cisco password 0 cisco123
ip subnet-zero
no ip domain-lookup
!
!The following line turns on VPDN on the router.
vpdn enable
!
!The following line is needed so that VPDN tunnel authorization is performed based on the
!domain name. Note that the default is DNIS.
vpdn search-order domain
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 no ip directed-broadcast
!
interface Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 ip tcp header-compression passive
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication chap
!
interface Group-Async1
 physical-layer async
 no ip address
 no ip directed-broadcast
!
ip local pool default 10.1.5.5 10.1.5.50
ip local pool async 10.1.10.1 10.1.10.5
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!Define the RADIUS server with the following command. Use a strong key here; for
!simplicity, ciscohtts123 is used in this example.
radius-server host 10.1.1.40 auth-port 1645 acct-port 1646 key ciscohtts123
!
line con 0
 transport input none
line 1
 session-timeout 20
 exec-timeout 0 0
 password cisco123
 autoselect during-login
 autoselect ppp
 modem InOut
 transport preferred none
 transport output none
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2 16
 modem InOut
 transport input all
 speed 38400
 flowcontrol hardware
line aux 0
line vty 0 4
 password cisco123
!
end
LAC#

Example 9-31 shows the configuration of the LNS (the home gateway).

Example 9-31. Configuration of LNS Router

LNS# show running-config
Building configuration...

Current configuration:
!
version 12.2
service timestamps debug datetime
service timestamps log uptime
no service password-encryption
!
hostname LNS
!You must make sure to turn on PPP authorization along with the other authentication
!commands.
aaa new-model
aaa authentication login default group local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable password cisco^%we@sd
!
username cisco password 0 cisco123
ip subnet-zero
no ip domain-lookup
!User the_LNS is used to authenticate the tunnel. The password used here must match the
!vpdn:l2tp-tunnel-password configured in the LAC RADIUS server.
username LNS password 0 DHAKA
!Enable VPDN on the LNS.
vpdn enable
!VPDN group for the connection from the LAC.
vpdn-group 1
!This command specifies that the router uses virtual-template 1 for tunnel-id DOHA
!(which matches the tunnel-id configured in the LAC RADIUS server).
 accept dialin l2tp virtual-template 1 remote DOHA
!The username used to authenticate this tunnel is the_LNS (configured above).
 local name the_LNS
!
interface Ethernet0
 ip address 10.1.1.15 255.255.255.0
 no ip directed-broadcast
!
!Virtual-template that is used for the incoming connection.
interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 peer default ip address pool default
 ppp authentication chap
!
interface Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 async mode interactive
 peer default ip address pool async
 ppp authentication chap
!
ip local pool default 10.1.6.1 10.1.6.5
ip local pool async 10.1.12.100 10.1.12.110
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!RADIUS server host and key information is defined with the following line. It is
!recommended to define a strong key.
radius-server host 10.1.1.40 auth-port 1645 acct-port 1646 key ciscohtts123
!
line con 0
 transport input none
line 1
 session-timeout 20
 exec-timeout 5 0
 password ww
 autoselect during-login
 autoselect ppp
 modem InOut
 transport input all
 escape-character BREAK
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2 8
line aux 0
line vty 0 4
 password ww
!
end
LNS#

Once both LAC and LNS configuration is complete, proceed with the RADIUS Server as described in the following section.

RADIUS Server Configuration

In this case study, Cisco Secure ACS for Windows is used as the RADIUS Server. This section explains the RADIUS server configuration required for both the LAC side and the LNS side.

LAC RADIUS Configuration

The LAC router strips off the username and sends only the domain name to the LAC RADIUS Server as part of the authentication/authorization request. So the LAC RADIUS Server needs to have the domain name configured as a username, along with the tunnel attributes. Work through the following steps to complete this task:

Step 1.

From left Navigation, click on Network Configuration and set up the LAC Network Access Server (NAS) as the AAA client to use RADIUS (Cisco IOS/PIX).

Step 2.

Configure the user 'cisco.com' with the password cisco for both plain and CHAP. This is the username that is used for the tunnel attributes.

Step 3.

Click on the Group Setup button in the left navigation bar. Select the group the user belongs to and click Edit Settings. Scroll down to the IETF RADIUS section and set Attribute 6 Service-Type to Outbound (see Figure 9-11). If not all of the checkable options appear, go into Interface Configuration and check the various boxes to make them appear in the group area.



Figure 9-11. LAC RADIUS Server Configuration for Tunnel Attributes


Step 4.

In the Cisco IOS/PIX RADIUS attributes section at the bottom, check the box for 009\001 cisco-av-pair, and type all the attributes as shown in Figure 9-11.

LNS RADIUS Configuration

Actual user authentication occurs at the LNS RADIUS Server. Complete the following steps to configure the LNS RADIUS Server:

Step 1.

Configure the user id cse@cisco.com and input any password for plain and CHAP.

Step 2.

Click on the Group Setup button in the left bar. Select the Group the user belongs to and click Edit Settings.

Step 3.

In the section for Internet Engineering Task Force (IETF) RADIUS Attributes, select Service-type (attribute 6) = Framed and Framed-Protocol (attribute 7) = PPP from the drop-down menu. Note that you must also click the check box located next to the selected attributes Service-Type and Framed-Protocol.

If you follow the steps for the LAC, LNS, and RADIUS Server configuration at the corresponding sites, you should not run into any issues with this VPDN implementation. However, most problems arise at run time, so it is extremely important to become familiar with the troubleshooting steps explained in the following section.

Troubleshooting Steps

The show commands display the VPDN tunnel information you need to verify whether your configuration is working correctly. The following two show commands are used frequently:

  • show vpdn tunnel Displays information about all active Layer 2 forwarding and L2TP tunnels in summary-style format.

  • show caller ip Displays a summary of caller information for the IP address you provide.

Once a problem is identified with the show command, run the debug command to find out details. Along with debug aaa authentication|authorization|accounting, and debug radius, the following list of commands will assist you in troubleshooting the VPDN issues:

  • debug vtemplate Displays cloning information for a virtual access interface, from the time it is cloned from a virtual template to the time the virtual access interface comes down when the call ends.

  • debug vpdn error Displays errors that prevent a PPP tunnel from being established, or errors that cause an established tunnel to be closed.

  • debug vpdn events Displays messages about events that are part of normal PPP tunnel establishment or shutdown.

  • debug vpdn l2x-errors Displays Layer 2 protocol errors that prevent Layer 2 establishment or prevent its normal operation.

  • debug vpdn l2x-events Displays messages about events that are part of normal PPP tunnel establishment or shutdown for Layer 2.

  • debug vpdn l2tp-sequencing Displays messages about L2TP data sequencing.

If you are having problems with successful VPDN connections, analyze the debug output on both LAC and LNS routers. The following two sections demonstrate that analysis.

LAC Router Troubleshooting

Before looking at some of the problems that you may encounter on the LAC, look at the debug output shown in Example 9-32 for a case where the VPDN works.

Example 9-32. debug Output from the LAC When VPDN Works

LAC# show debug
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
  AAA Accounting debugging is on
VPN:
  L2X protocol events debugging is on
  L2X protocol errors debugging is on
  VPDN events debugging is on
  VPDN errors debugging is on
  L2TP data sequencing debugging is on
VTEMPLATE:
  Virtual Template debugging is on
Radius protocol debugging is on
LAC#
Mar  9 12:22:16: As1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
2d18h: %LINK-3-UPDOWN: Interface Async1, changed state to up
Mar  9 12:22:17: As1 VPDN: Looking for tunnel -- cisco.com --
Mar  9 12:22:17: AAA: parse name=Async1 idb type=10 tty=1
Mar  9 12:22:17: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=1 channel=0
Mar  9 12:22:17: AAA/AUTHEN: create_user (0x25BA84) user='cisco.com' ruser='' port='Async1' rem_addr='' authen_type=NONE service=LOGIN priv=0
Mar  9 12:22:17: AAA/AUTHOR/VPDN (6239469): Port='Async1' list='default' service=NET
Mar  9 12:22:17: AAA/AUTHOR/VPDN: (6239469) user='cisco.com'
Mar  9 12:22:17: AAA/AUTHOR/VPDN: (6239469) send AV service=ppp
Mar  9 12:22:17: AAA/AUTHOR/VPDN: (6239469) send AV protocol=vpdn
Mar  9 12:22:17: AAA/AUTHOR/VPDN (6239469) found list "default"
Mar  9 12:22:17: AAA/AUTHOR/VPDN: (6239469) Method=RADIUS
Mar  9 12:22:17: RADIUS: authenticating to get author data
Mar  9 12:22:17: RADIUS: ustruct sharecount=2
!Sending the initial request packet to the RADIUS Server
Mar  9 12:22:17: RADIUS: Initial Transmit Async1 id 66 10.1.1.40:1645, Access-Request, len 77
Mar  9 12:22:17:         Attribute 4 6 0A1F0106
Mar  9 12:22:17:         Attribute 5 6 00000001
Mar  9 12:22:17:         Attribute 61 6 00000000
Mar  9 12:22:17:         Attribute 1 15 7274702E
Mar  9 12:22:17:         Attribute 2 18 6AB5A2B0
Mar  9 12:22:17:         Attribute 6 6 00000005
!Access-Accept received from the RADIUS Server
Mar  9 12:22:17: RADIUS: Received from id 66 10.1.1.40:1645, Access-Accept, len 158
Mar  9 12:22:17:         Attribute 6 6 00000005
Mar  9 12:22:17:         Attribute 26 28 0000000901167670
Mar  9 12:22:17:         Attribute 26 29 0000000901177670
Mar  9 12:22:17:         Attribute 26 36 00000009011E7670
Mar  9 12:22:17:         Attribute 26 39 0000000901217670
Mar  9 12:22:17: RADIUS: saved authorization data for user 25BA84 at 24C488
!The RADIUS server supplies the VPDN tunnel attributes, as shown by the following four lines.
Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:tunnel-id=DOHA"
Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:tunnel-type=l2tp"
Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:ip-addresses=10.1.1.15,"
Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:l2tp-tunnel-password=DHAKA"
Mar  9 12:22:17: AAA/AUTHOR (6239469): Post authorization status = PASS_ADD
Mar  9 12:22:17: AAA/AUTHOR/VPDN: Processing AV service=ppp
Mar  9 12:22:17: AAA/AUTHOR/VPDN: Processing AV protocol=vpdn
Mar  9 12:22:17: AAA/AUTHOR/VPDN: Processing AV tunnel-id=DOHA
Mar  9 12:22:17: AAA/AUTHOR/VPDN: Processing AV tunnel-type=l2tp
Mar  9 12:22:17: AAA/AUTHOR/VPDN: Processing AV ip-addresses=10.1.1.15,
Mar  9 12:22:17: AAA/AUTHOR/VPDN: Processing AV l2tp-tunnel-password=DHAKA
Mar  9 12:22:17: As1 VPDN: Get tunnel info for cisco.com with LAC DOHA, IP 10.1.1.15
Mar  9 12:22:17: AAA/AUTHEN: free_user (0x25BA84) user='cisco.com' ruser='' port='Async1' rem_addr='' authen_type=NONE service=LOGIN priv=0
!The following line shows the LNS IP address, which is 10.1.1.15
Mar  9 12:22:17: As1 VPDN: Forward to address 10.1.1.15
Mar  9 12:22:17: As1 VPDN: Forwarding...
Mar  9 12:22:17: AAA: parse name=Async1 idb type=10 tty=1
Mar  9 12:22:17: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=1 channel=0
Mar  9 12:22:17: AAA/AUTHEN: create_user (0xB7918) user='cse@cisco.com' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
Mar  9 12:22:17: As1 VPDN: Bind interface direction=1
Mar  9 12:22:17: Tnl/Cl 51/1 L2TP: Session FS enabled
Mar  9 12:22:17: Tnl/Cl 51/1 L2TP: Session state change from idle to wait-for-tunnel
Mar  9 12:22:17: As1 51/1 L2TP: Create session
Mar  9 12:22:17: Tnl 51 L2TP: SM State idle
Mar  9 12:22:17: Tnl 51 L2TP: O SCCRQ
Mar  9 12:22:17: Tnl 51 L2TP: Tunnel state change from idle to wait-ctl-reply
Mar  9 12:22:17: Tnl 51 L2TP: SM State wait-ctl-reply
!The following line shows that the username is forwarded to the LNS
Mar  9 12:22:17: As1 VPDN: cse@cisco.com is forwarded
Mar  9 12:22:17: Tnl 51 L2TP: I SCCRP from the_LNS
!Tunnel authentication is shown to be successful by the following three lines.
Mar  9 12:22:17: Tnl 51 L2TP: Got a challenge from remote peer, the_LNS
Mar  9 12:22:17: Tnl 51 L2TP: Got a response from remote peer, the_LNS
Mar  9 12:22:17: Tnl 51 L2TP: Tunnel Authentication success
Mar  9 12:22:17: Tnl 51 L2TP: Tunnel state change from wait-ctl-reply to established
Mar  9 12:22:17: Tnl 51 L2TP: O SCCCN to the_LNS tnlid 38
Mar  9 12:22:17: Tnl 51 L2TP: SM State established
Mar  9 12:22:17: As1 51/1 L2TP: O ICRQ to the_LNS 38/0
Mar  9 12:22:17: As1 51/1 L2TP: Session state change from wait-for-tunnel to wait-reply
Mar  9 12:22:17: As1 51/1 L2TP: O ICCN to the_LNS 38/1
Mar  9 12:22:17: As1 51/1 L2TP: Session state change from wait-reply to established
2d18h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
LAC#
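The Access-Accept in the debug output carries the tunnel attributes as RADIUS Vendor-Specific attributes (type 26) wrapping Cisco's cisco-av-pair (vendor id 9, vendor type 1). The following Python encoder/decoder is an added example, not code from the book or from Cisco: it rebuilds those attributes from the four av-pair strings, renders them the way debug radius prints them, and parses them back into the tunnel information the LAC needs, with length checks on malformed input.

```python
import struct
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 26   # RADIUS attribute 26, Vendor-Specific
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor type 1, cisco-av-pair


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-av-pair string in a RADIUS Vendor-Specific attribute."""
    data = avpair.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def ios_debug_line(attr: bytes) -> str:
    """Render one attribute the way 'debug radius' prints it: type, length, first 8 bytes."""
    return f"Attribute {attr[0]} {attr[1]} {attr[2:10].hex().upper()}"


def decode_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list (type, length, value) and return (type, value) pairs.
    Length errors raise instead of silently resynchronising on the next byte."""
    out = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def cisco_avpairs(payload: bytes) -> List[str]:
    """Extract cisco-av-pair strings; other vendors and vendor types are ignored."""
    pairs = []
    for atype, value in decode_attributes(payload):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype == CISCO_AVPAIR and vlen >= 2 and 4 + vlen <= len(value):
            pairs.append(value[6:4 + vlen].decode("ascii", errors="replace"))
    return pairs


def tunnel_info(pairs: List[str]) -> Dict[str, str]:
    """Reduce vpdn:* av-pairs to the key/value map the LAC uses to build the tunnel."""
    info = {}
    for pair in pairs:
        if pair.startswith("vpdn:") and "=" in pair:
            key, _, val = pair[5:].partition("=")
            info[key] = val
    return info


# Constructed Access-Accept attribute list carrying the same values as Example 9-32:
# Service-Type (6) = Outbound (5) followed by the four vpdn av-pairs.
SAMPLE_ACCEPT = (
    struct.pack("!BBI", 6, 6, 5)
    + encode_cisco_avpair("vpdn:tunnel-id=DOHA")
    + encode_cisco_avpair("vpdn:tunnel-type=l2tp")
    + encode_cisco_avpair("vpdn:ip-addresses=10.1.1.15,")
    + encode_cisco_avpair("vpdn:l2tp-tunnel-password=DHAKA")
)

if __name__ == "__main__":
    for atype, value in decode_attributes(SAMPLE_ACCEPT):
        print(ios_debug_line(bytes([atype, len(value) + 2]) + value))
    print(tunnel_info(cisco_avpairs(SAMPLE_ACCEPT)))
```

The encoded lengths 29, 36 and 39 and the leading hex bytes of the last three av-pairs reproduce the Attribute 26 lines of the Access-Accept in Example 9-32.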

The following is a list of common problems you may encounter with VPDN on the LAC router. The examples shown for each problem were generated with the same debug settings as shown in Example 9-31.

  • Wrong domain name in the username If the username comes in with the wrong domain name, domain-name authentication on the RADIUS Server fails. In Example 9-33, the debug shows that the user comes in as cse@xyz.com instead of cse@cisco.com, so the LAC RADIUS Server does not recognize this domain.

    Example 9-33. Wrong Domain Name Fails on the LAC Router

    LAC#
    Mar  9 12:50:48: RADIUS: Received from id 86 10.1.1.40:1645, Access-Reject, len 46
    Mar  9 12:50:48:         Attribute 18 26 41757468
    Mar  9 12:50:48: RADIUS: failed to get authorization data: authen status = 2
    %VPDN-6-AUTHORFAIL: L2F NAS LAC, AAA authorization failure for As1 user cse@xyz.com
    LAC#

  • Invalid Tunnel IP from the RADIUS Server If the user profile on CS ACS for the domain name is configured with the wrong tunnel IP address, the LAC router receives the wrong tunnel IP, and the session the user attempts to establish fails with the debug message shown in Example 9-34.

    Example 9-34. debug Output on the LAC Router When CS ACS Provides Wrong Tunnel IP

    LAC#
    Mar  9 12:55:45: As1 VPDN: Forward to address 1.1.1.1
    Mar  9 12:55:45: As1 VPDN: Forwarding...
    Mar  9 12:55:45: Tnl 56 L2TP: Tunnel state change from idle to wait-ctl-reply
    Mar  9 13:32:46: As1 56/1 L2TP: Discarding data packet because tunnel is not open
    LAC#

  • Tunnel Password Mismatch The tunnel password that the LAC RADIUS Server provides to the LAC router must match the password configured on the LNS router. If they do not match, the debug messages shown in Example 9-35 result.

    Example 9-35. debug Message When There Is Tunnel Password Mismatch between the LAC and LNS

    LAC#
    Mar  9 12:57:37: Tnl 59 L2TP: Tunnel Authentication fails for the_LNS
    Mar  9 12:57:37: Tnl 59 L2TP: Expected E530DA13B826685C678589250C0BF525
    Mar  9 12:57:37: Tnl 59 L2TP: Got E09D90E8A91CF1014C91D56F65BDD052
    Mar  9 12:57:37: Tnl 59 L2TP: O StopCCN to the_LNS tnlid 44
    Mar  9 12:57:37: Tnl 59 L2TP: Tunnel state change from wait-ctl-reply to shutting-down
    Mar  9 12:57:37: Tnl 59 L2TP: Shutdown tunnel
    LAC#

LNS Router Troubleshooting

Just as with the LAC router, it is worth going through a good debug output on the LNS router. Example 9-36 shows the debug output from the LNS when the VPDN works.

Example 9-36. debug Output of LNS Router When VPDN Works

LNS# show debug
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
  AAA Accounting debugging is on
VPN:
  L2X protocol events debugging is on
  L2X protocol errors debugging is on
  VPDN events debugging is on
  VPDN errors debugging is on
  L2TP data sequencing debugging is on
VTEMPLATE:
  Virtual Template debugging is on
Radius protocol debugging is on
LNS#
Mar  9 12:22:16: L2TP: I SCCRQ from DOHA tnl 51
!The following line shows the tunnel created for the LAC
Mar  9 12:22:16: Tnl 38 L2TP: New tunnel created for remote DOHA, address 10.1.1.10
Mar  9 12:22:16: Tnl 38 L2TP: Got a challenge in SCCRQ, DOHA
Mar  9 12:22:16: Tnl 38 L2TP: O SCCRP to DOHA tnlid 51
Mar  9 12:22:16: Tnl 38 L2TP: Tunnel state change from idle to wait-ctl-reply
Mar  9 12:22:16: Tnl 38 L2TP: I SCCCN from DOHA tnl 51
Mar  9 12:22:16: Tnl 38 L2TP: Got a Challenge Response in SCCCN from DOHA
!Tunnel authentication is successful
Mar  9 12:22:16: Tnl 38 L2TP: Tunnel Authentication success
Mar  9 12:22:16: Tnl 38 L2TP: Tunnel state change from wait-ctl-reply to established
Mar  9 12:22:16: Tnl 38 L2TP: SM State established
Mar  9 12:22:17: Tnl 38 L2TP: I ICRQ from DOHA tnl 51
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: Session FS enabled
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: Session state change from idle to wait-for-tunnel
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: New session created
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: O ICRP to DOHA 51/1
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: Session state change from wait-for-tunnel to wait-connect
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: I ICCN from DOHA tnl 51, cl 1
Mar  9 12:22:17: Tnl/Cl 38/1 L2TP: Session state change from wait-connect to established
Mar  9 12:22:17: Vi1 VTEMPLATE: Reuse Vi1, recycle queue size 0
Mar  9 12:22:17: Vi1 VTEMPLATE: Hardware address 00e0.1e68.942c
!The following three lines show that Virtual-Template 1 is used for this user.
Mar  9 12:22:17: Vi1 VPDN: Virtual interface created for cse@cisco.com
Mar  9 12:22:17: Vi1 VPDN: Set to Async interface
Mar  9 12:22:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
Mar  9 12:22:17: Vi1 VTEMPLATE: Has a new cloneblk vtemplate, now it has vtemplate
Mar  9 12:22:17: Vi1 VTEMPLATE: ************* CLONE VACCESS1 *****************
Mar  9 12:22:17: Vi1 VTEMPLATE: Clone from Virtual-Template1
interface Virtual-Access1
default ip address
no ip address
encap ppp
ip unnum eth 0
no ip directed-broadcast
peer default ip address pool default
ppp authen chap
end
Mar  9 12:22:18: cse@cisco.com 38/1 L2TP: Session with no hwidb
02:23:59: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Mar  9 12:22:19: Vi1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Mar  9 12:22:19: Vi1 VPDN: Bind interface direction=2
Mar  9 12:22:19: Vi1 VPDN: PPP LCP accepted rcv CONFACK
Mar  9 12:22:19: Vi1 VPDN: PPP LCP accepted sent CONFACK
Mar  9 12:22:19: Vi1 L2X: Discarding packet because of no mid/session
Mar  9 12:22:19: AAA: parse name=Virtual-Access1 idb type=21 tty=-1
Mar  9 12:22:19: AAA: name=Virtual-Access1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Mar  9 12:22:19: AAA/AUTHEN: create_user (0x2462A0) user='cse@cisco.com' ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP service=PPP priv=1
Mar  9 12:22:19: AAA/AUTHEN/START (2229277178): port='Virtual-Access1' list='' action=LOGIN service=PPP
Mar  9 12:22:19: AAA/AUTHEN/START (2229277178): using "default" list
Mar  9 12:22:19: AAA/AUTHEN/START (2229277178): Method=RADIUS
Mar  9 12:22:19: RADIUS: ustruct sharecount=1
!The Access-Request packet is sent to the RADIUS Server
Mar  9 12:22:19: RADIUS: Initial Transmit Virtual-Access1 id 78 171.68.120.194:1645, Access-Request, len 92
Mar  9 12:22:19:         Attribute 4 6 0A1F0109
Mar  9 12:22:19:         Attribute 5 6 00000001
Mar  9 12:22:19:         Attribute 61 6 00000005
Mar  9 12:22:19:         Attribute 1 23 6464756E
Mar  9 12:22:19:         Attribute 3 19 34A66389
Mar  9 12:22:19:         Attribute 6 6 00000002
Mar  9 12:22:19:         Attribute 7 6 00000001
!Access-Accept received, as shown here
Mar  9 12:22:19: RADIUS: Received from id 78 171.68.120.194:1645, Access-Accept, len 32
Mar  9 12:22:19:         Attribute 6 6 00000002
Mar  9 12:22:19:         Attribute 7 6 00000001
Mar  9 12:22:19: AAA/AUTHEN (2229277178): status = PASS
Mar  9 12:22:19: Vi1 AAA/AUTHOR/LCP: Authorize LCP
Mar  9 12:22:19: AAA/AUTHOR/LCP Vi1 (1756915964): Port='Virtual-Access1' list='' service=NET
Mar  9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964) user='cse@cisco.com'
Mar  9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964) send AV service=ppp
Mar  9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964) send AV protocol=lcp
Mar  9 12:22:19: AAA/AUTHOR/LCP (1756915964) found list "default"
Mar  9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964) Method=RADIUS
Mar  9 12:22:19: AAA/AUTHOR (1756915964): Post authorization status = PASS_REPL
Mar  9 12:22:19: Vi1 AAA/AUTHOR/LCP: Processing AV service=ppp
Mar  9 12:22:19: AAA/ACCT/NET/START User cse@cisco.com, Port Virtual-Access1, List ""
Mar  9 12:22:19: AAA/ACCT/NET: Found list "default"
Mar  9 12:22:19: Vi1 AAA/AUTHOR/FSM: (0): Can we start IPCP?
Mar  9 12:22:19: AAA/AUTHOR/FSM Vi1 (1311872588): Port='Virtual-Access1' list='' service=NET
Mar  9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588) user='cse@cisco.com'
Mar  9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588) send AV service=ppp
Mar  9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588) send AV protocol=ip
Mar  9 12:22:19: AAA/AUTHOR/FSM (1311872588) found list "default"
Mar  9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588) Method=RADIUS
Mar  9 12:22:19: AAA/AUTHOR (1311872588): Post authorization status = PASS_REPL
Mar  9 12:22:19: Vi1 AAA/AUTHOR/FSM: We can start IPCP
Mar  9 12:22:19: RADIUS: ustruct sharecount=2
Mar  9 12:22:19: RADIUS: Initial Transmit Virtual-Access1 id 79 171.68.120.194:1646, Accounting-Request, len 101
Mar  9 12:22:19:         Attribute 4 6 0A1F0109
Mar  9 12:22:19:         Attribute 5 6 00000001
Mar  9 12:22:19:         Attribute 61 6 00000005
Mar  9 12:22:19:         Attribute 1 23 6464756E
Mar  9 12:22:19:         Attribute 40 6 00000001
Mar  9 12:22:19:         Attribute 45 6 00000001
Mar  9 12:22:19:         Attribute 6 6 00000002
Mar  9 12:22:19:         Attribute 44 10 30303030
Mar  9 12:22:19:         Attribute 7 6 00000001
Mar  9 12:22:19:         Attribute 41 6 00000000
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
!The authorization is shown to be successful
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 0.0.0.0
Mar  9 12:22:19: RADIUS: Received from id 79 171.68.120.194:1646, Accounting-response, len 20
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 10.1.6.1
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 10.1.6.1
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Start.  Her address 10.1.6.1, we want 10.1.6.1
Mar  9 12:22:19: AAA/AUTHOR/IPCP Vi1 (2909132255): Port='Virtual-Access1' list='' service=NET
Mar  9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255) user='cse@cisco.com'
Mar  9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255) send AV service=ppp
Mar  9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255) send AV protocol=ip
Mar  9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255) send AV addr*10.1.6.1
Mar  9 12:22:19: AAA/AUTHOR/IPCP (2909132255) found list "default"
Mar  9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255) Method=RADIUS
Mar  9 12:22:19: AAA/AUTHOR (2909132255): Post authorization status = PASS_REPL
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Reject 10.1.6.1, using 10.1.6.1
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing AV addr*10.1.6.1
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Mar  9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Done.  Her address 10.1.6.1, we want 10.1.6.1
02:24:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
LNS#

The following is a list of problems that you may encounter on the LNS side for VPDN:

  • Tunnel ID for LAC is missing or misconfigured You must ensure that the proper Tunnel ID is configured for the LAC. In this case study, you must already have configured "accept dialin l2tp virtual-template 1 remote DOHA" on the LNS; otherwise, you will receive a debug message as shown in Example 9-37.

    Example 9-37. debug Message When Tunnel ID is Misconfigured or Not Configured

    LNS#
    Mar  9 13:45:32: L2TP: I SCCRQ from DOHA tnl 62
    Mar  9 13:45:32: L2X: Never heard of DOHA
    Mar  9 13:45:32: L2TP: Could not find info block for DOHA
    LNS#

  • Tunnel password mismatch If there is a password mismatch between the LAC and LNS, you will get the same message as you did for the LAC router as shown in Example 9-34.

  • Actual user authentication failure Actual user authentication occurs at the LNS router. Hence, if the LNS RADIUS Server is not configured with the proper username and password, the VPDN tunnel may be built, but the user will still not be able to access network resources.
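As an added example (not from the book), the following Python triage script scans LAC and LNS debug lines for the failure signatures shown in Examples 9-33 to 9-37 and cross-checks the vpdn:* attributes returned by the LAC RADIUS server against the LNS address and the remote name in the LNS vpdn-group. The diagnosis text and the signature-to-problem mapping are ours; the sample lines are copied from those examples.

```python
import re
from typing import Dict, List, Tuple

# Failure signatures taken from the debug output in Examples 9-33 to 9-37, mapped to
# the diagnosis the chapter gives for each. The mapping is ours, not Cisco's.
SIGNATURES = [
    ("wrong-domain",
     re.compile(r"AAA authorization failure for (?P<port>\S+) user (?P<user>\S+)"),
     "LAC RADIUS server rejected the domain of {user}; check the domain user on CS ACS"),
    ("wrong-tunnel-ip",
     re.compile(r"Discarding data packet because tunnel is not open"),
     "LNS never answered SCCRQ; check vpdn:ip-addresses returned by the LAC RADIUS server"),
    ("tunnel-password",
     re.compile(r"Tunnel Authentication fails for (?P<peer>\S+)"),
     "tunnel authentication with {peer} failed; vpdn:l2tp-tunnel-password must match the LNS"),
    ("unknown-tunnel-id",
     re.compile(r"L2X: Never heard of (?P<peer>\S+)"),
     "LNS has no vpdn-group accepting remote {peer}; check 'accept dialin l2tp ... remote'"),
]

AVPAIR_RE = re.compile(r'RADIUS: cisco AVPair "vpdn:(?P<key>[^=]+)=(?P<value>[^"]*)"')


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (problem, diagnosis) for every failure signature found in the debug lines."""
    findings = []
    for line in lines:
        for name, pattern, template in SIGNATURES:
            match = pattern.search(line)
            if match:
                findings.append((name, template.format(**match.groupdict())))
    return findings


def tunnel_avpairs(lines: List[str]) -> Dict[str, str]:
    """Collect the vpdn:* attributes the LAC RADIUS server returned (debug radius output)."""
    found = {}
    for line in lines:
        match = AVPAIR_RE.search(line)
        if match:
            found[match["key"]] = match["value"]
    return found


def check_tunnel_avpairs(avpairs: Dict[str, str], lns_addr: str, lns_remote: str) -> List[str]:
    """Compare the RADIUS tunnel attributes with what the LNS accepts: lns_addr is the LNS
    Ethernet0 address and lns_remote the 'remote' name in its vpdn-group (10.1.1.15 and
    DOHA in this case study). Returns a list of problems, empty when consistent."""
    problems = []
    for key in ("tunnel-id", "tunnel-type", "ip-addresses", "l2tp-tunnel-password"):
        if key not in avpairs:
            problems.append(f"missing vpdn:{key}")
    if avpairs.get("tunnel-type", "").lower() != "l2tp":
        problems.append("tunnel-type is not l2tp")
    addrs = [a for a in avpairs.get("ip-addresses", "").split(",") if a]
    if lns_addr not in addrs:
        problems.append(f"ip-addresses {addrs} does not include the LNS {lns_addr}")
    if avpairs.get("tunnel-id") != lns_remote:
        problems.append(f"tunnel-id {avpairs.get('tunnel-id')!r} will not match remote {lns_remote}")
    return problems


# Constructed samples: the av-pair lines of Example 9-32 and one failure line each from
# Examples 9-33, 9-34, 9-35 and 9-37.
SAMPLE_LAC_OK = [
    'Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:tunnel-id=DOHA"',
    'Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:tunnel-type=l2tp"',
    'Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:ip-addresses=10.1.1.15,"',
    'Mar  9 12:22:17: RADIUS: cisco AVPair "vpdn:l2tp-tunnel-password=DHAKA"',
]
SAMPLE_FAILURES = [
    "%VPDN-6-AUTHORFAIL: L2F NAS LAC, AAA authorization failure for As1 user cse@xyz.com",
    "Mar  9 13:32:46: As1 56/1 L2TP: Discarding data packet because tunnel is not open",
    "Mar  9 12:57:37: Tnl 59 L2TP: Tunnel Authentication fails for the_LNS",
    "Mar  9 13:45:32: L2X: Never heard of DOHA",
]

if __name__ == "__main__":
    for problem, why in triage(SAMPLE_FAILURES):
        print(f"{problem:18} {why}")
    print(check_tunnel_avpairs(tunnel_avpairs(SAMPLE_LAC_OK), "10.1.1.15", "DOHA"))
```

Feed it the output of the debug commands listed above from either router; a tunnel password mismatch shows up on both sides with the same "Tunnel Authentication fails" line.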

This troubleshooting concludes the case study on VPDN. In the next section, we examine some of the common problems and resolutions.



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda
