Problem w/ external DSL modem

GarryG · ‎02-03-2020

Hi,

we are operating in Germany, and for a couple months now problems have occurred, most likely after some changes on the DSLAM side of the links.

We typically use 886VA routers, which work fine. But in some cases, either a firewall with direct PPPoE dialin is used, or a second link is handled by the same router. In these cases, we use some generic ADSL Annex J capable modems to connect to the line. While those are (and have been) working flawlessly for quite some time (years actually), recently several sites have run into problems ...

During the dialin, the whole low-level PPPoE works fine, with PADI/PADO/PADR/PADS, followed by the Virtual Interface coming up:

Feb 3 14:26:01.778: Sending PADI: Interface = Vlan7
Feb 3 14:26:01.778: pppoe_send_padi:

contiguous pak, size 60
Feb 3 14:25:07.302: PPPoE 0: I PADO R:288a.1ce3.cb39 L:0027.e3b5.cd60 Vl7
contiguous pak, size 66
Feb 3 14:25:09.218: PPPOE: we've got our pado and the pado timer went off
Feb 3 14:25:09.218: OUT PADR from PPPoE Session
contiguous pak, size 66
Feb 3 14:25:09.262: PPPoE 11139: I PADS R:288a.1ce3.cb39 L:0027.e3b5.cd60 Vl7
contiguous pak, size 66
Feb 3 14:25:09.262: IN PADS from PPPoE Session
Feb 3 14:25:09.262: %DIALER-6-BIND: Interface Vi3 bound to profile Di2
Feb 3 14:25:09.262: PPPoE: Virtual Access interface obtained.
Feb 3 14:25:09.262: PPPoE : encap string prepared
contiguous pak, size 20
Feb 3 14:25:09.262: [0]PPPoE 11139: data path set to PPPoE Client

Feb 3 14:25:09.266: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up

Anyway, after all of this, the connection is terminated again:

Feb 3 14:25:29.414: PPPoE : Shutting down client session
Feb 3 14:25:29.414: [0]PPPoE 11139: O PADT R:288a.1ce3.cb39 L:0027.e3b5.cd60 Vl7

Feb 3 14:25:29.414: PPPoE: Failed to add PPPoE switching subblock
Feb 3 14:25:29.414: %DIALER-6-UNBIND: Interface Vi3 unbound from profile Di2
Feb 3 14:25:29.418: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down

Feb 3 14:25:29.418: PPPoE: Unexpected Event!. PPPoE switching Subblockdestroy called

When I switch lines (if there are two aDSL at the same location), the error stays with the modem interface.

Through our analysis, we noticed that the PPPoE authentication never arrives, and - most likely - doesn't arrive at our uplink (to explain: Line is a resale connection from German Telekom, who our uplink is connected to and forwards the session to us once it is identified through the authentication with <something>#US@REALM)

The dialer interfaces are configured pretty much identically for both the internal dsl controller as well as the external modem:

interface Dialer1
mtu 1456
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1416
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname <username>
ppp chap password <password>
ppp pap sent-username <username> password <password>
ppp ipcp dns request
no cdp enable
service-policy output QoS-Policy-Parent
end

interface Dialer2
description DSL-Einwahl 2 Surfen
mtu 1456
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 2
ppp authentication chap pap callin
ppp chap hostname <username2>
ppp chap password <password2>
ppp ipcp dns request
no cdp enable
end

Searching through articles, I already tried reducing the MTU, have removed PAP authentication (one post about a bug in PPPoE of the Cisco) ... in a previous incident, we also tried a different modem manufacturer, with the same results.

Anybody have an idea?

Georg Pauwen · ‎02-03-2020

Hello,

is this the partial configuration of one router ? Are you using both dialers simultaneously ? Post the full output of 'sh run'....

GarryG · ‎02-03-2020

Yes, both are active at the same time, in different dialer groups ... as mentioned, the configuration was working until this morning ... no changes in the config. Same occurred on several other routers ...

version 15.5
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname r1-dreie-itse
!
boot-start-marker
boot-end-marker
!
logging buffered 65536 informational
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone MET 1 0
clock summer-time MET-DST recurring last Sun Mar 2:00 3 Sun Oct 2:00
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C886VA-K9 sn XXXXX
!
controller VDSL 0
firmware filename flash:VA_A_39h_B_38h3_24h_j.bin
!
track 1 interface Dialer1 ip routing
delay down 15 up 30
!
track 2 interface Dialer2 ip routing
delay down 15 up 30
!
class-map match-any QoS-VoIP
match access-group name QoS-VoIP
!
policy-map QoS-Policy
class QoS-VoIP
priority percent 70
set ip precedence 5
class class-default
fair-queue
policy-map QoS-Policy-Parent
class class-default
shape average 2800000
service-policy QoS-Policy
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.7 point-to-point
pvc 1/32
bridge-dot1q encap 7
pppoe-client dial-pool-number 1
!
interface Ethernet0
no ip address
!
interface Ethernet0.7
description VDSL Einwahl
encapsulation dot1Q 7
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
description Link zur Firewall
no ip address
load-interval 30
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description Ext. ADSL Annex J Modem
switchport trunk native vlan 2
switchport trunk allowed vlan 1,2,7,1002-1005
switchport mode trunk
no ip address
!
interface Vlan1
description Link zur Firewall
ip address XXXXXX
ip virtual-reassembly in
!
interface Vlan7
no ip address
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer1
description DSL-Einwahl 1 VoIP
mtu 1456
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1416
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname XXXX
ppp chap password XXX
ppp pap sent-username XXXX password XXXX
ppp ipcp dns request
no cdp enable
service-policy output QoS-Policy-Parent
!
interface Dialer2
description DSL-Einwahl 2 Surfen
mtu 1440
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 2
ppp authentication chap pap callin
ppp chap hostname XXXX
ppp chap password XXXX
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 200 name Backup
ip scp server enable
!
ip access-list extended QoS-VoIP
permit ip any host XXXXX
!
!
route-map RM-ADSL1 permit 1
match ip address LAN
match interface Dialer1
!
route-map RM-ADSL2 permit 1
match ip address LAN
match interface Dialer2
!
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
logging synchronous
transport input all
!
scheduler allocate 20000 1000

(config sanitized to protect the innocent ;) )

Georg Pauwen · ‎02-03-2020

Hello,

--> (config sanitized to protect the innocent ;) )

I don't know what is missing from your configuration or what you have omitted, so it is difficult to comment. Your dialer 2 apparently is the primary interface, but it has no NAT statement. There is no access list for NAT either, and nothing that matches track 1. How exactly is dialer 2 connecting to the outside world ?

Either way, you could try and change the settings marked in bold:

version 15.5
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname r1-dreie-itse
!
boot-start-marker
boot-end-marker
!
logging buffered 65536 informational
enable secret xxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone MET 1 0
clock summer-time MET-DST recurring last Sun Mar 2:00 3 Sun Oct 2:00
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C886VA-K9 sn XXXXX
!
controller VDSL 0
firmware filename flash:VA_A_39h_B_38h3_24h_j.bin
!
track 1 interface Dialer1 ip routing
delay down 15 up 30
!
track 2 interface Dialer2 ip routing
delay down 15 up 30
!
class-map match-any QoS-VoIP
match access-group name QoS-VoIP
!
policy-map QoS-Policy
class QoS-VoIP
priority percent 70
set ip precedence 5
class class-default
fair-queue
policy-map QoS-Policy-Parent
class class-default
shape average 2800000
service-policy QoS-Policy
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.7 point-to-point
pvc 1/32
bridge-dot1q encap 7
pppoe-client dial-pool-number 1
!
interface Ethernet0
no ip address
!
interface Ethernet0.7
description VDSL Einwahl
encapsulation dot1Q 7
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
description Link zur Firewall
no ip address
load-interval 30
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description Ext. ADSL Annex J Modem
switchport trunk native vlan 2
switchport trunk allowed vlan 1,2,7,1002-1005
switchport mode trunk
no ip address
!
interface Vlan1
description Link zur Firewall
ip address XXXXXX
ip virtual-reassembly in
!
interface Vlan7
no ip address
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer1
description DSL-Einwahl 1 VoIP
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer idle-timeout 0
dialer-group 1
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname XXXX
ppp chap password XXX
ppp pap sent-username XXXX password XXXX
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output QoS-Policy-Parent
!
interface Dialer2
description DSL-Einwahl 2 Surfen
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
dialer idle-timeout 0
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXX
ppp chap password XXXX
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 200 name Backup
ip scp server enable
!
ip access-list extended QoS-VoIP
permit ip any host XXXXX
!
dialer-list 1 protocil ip permit
!
route-map RM-ADSL1 permit 1
match ip address LAN
match interface Dialer1
!
route-map RM-ADSL2 permit 1
match ip address LAN
match interface Dialer2
!
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
logging synchronous
transport input all
!
scheduler allocate 20000 1000

GarryG · ‎02-03-2020

@Georg Pauwen wrote:
Hello,

--> (config sanitized to protect the innocent ;) )

I don't know what is missing from your configuration or what you have omitted, so it is difficult to comment. Your dialer 2 apparently is the primary interface, but it has no NAT statement. There is no access list for NAT either, and nothing that matches track 1. How exactly is dialer 2 connecting to the outside world ?

both DSL links use public IPs, to the inside additional public IPs are used towards the firewall, so NAT isn't used (had one line in there from doing some tests with the DSL modem which uses a 172.16 IP for its management IP by default).

The MTU on the dialer interfaces has to be lower, as the DSL uplink is double-encapsulated with PPPoE and L2TP ... 1456 is what usually is the maximum we can get through without fragmentation.

The other changes you suggested and that I can add without breaking anything would not help, still no authentication request getting through to our DSL PE router ...

As I mentioned in the original post, the router worked fine until yesterday with the exact configuration, and dialer 1 which uses the internal DSL modem still does ...

Georg Pauwen · ‎02-04-2020

Hello,

odd indeed. What if you add:

ppp pap sent-username <username2> password <password2>

to the Dialer 2 interface ?

GarryG · ‎02-04-2020

The PAP authentication was in there originally, until I found an article stating that PAP might be broken in some versions of IOS, leading to the error I'm getting ...