Printed in Canada, India, and the United States of America
LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly
agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF
ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are
subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
All other trademarks are the property of their respective owners.
ATTENTION
For information about the safety precautions, read "Safety messages" in this guide.
For information about the software license, read "Software license" in this guide.
Nortel Secure Router 8000 Series
Troubleshooting - VPN
Contents
About this document 1
2 GRE troubleshooting 2-1
2.1 GRE overview 2-2
2.1.1 Introduction to GRE 2-2
2.1.2 Related concepts of GRE 2-2
2.1.3 Applications of GRE 2-3
Figure 4-3 Martini signaling process 4-5
Tables
Table 1-1 Description of the output of the display l2tp tunnel command 1-5
Table 1-2 Description of the output of the display l2tp session command 1-5
Table 2-1 Description of the display this command output 2-18
Table 2-2 Description of the display this interface command output 2-18
Issue 5.3 (19 January 2009)
Nortel Networks Inc.
vii
About this document
Overview
This part describes the organization of this document, product version, intended audience,
conventions, and update history.
Related versions
The following table lists the product versions to which this document relates.
Product name Version
Nortel Secure Router 8000 Series V200R005
Intended audience
The intended audiences of this document are:
- Network operators
- Network administrators
- Network maintenance engineers
Organization
The following table identifies the five chapters in this document.
Chapter Description
1 L2TP troubleshooting: This chapter describes the basic knowledge about the Layer 2 VPN tunneling protocol (L2TP), troubleshooting procedures for L2TP faults, troubleshooting cases, diagnostic tools, and FAQs.
2 GRE troubleshooting: This chapter describes the basic knowledge about Generic Routing Encapsulation (GRE), troubleshooting procedures for GRE faults, troubleshooting cases, diagnostic tools, and FAQs.
3 BGP/MPLS IP VPN troubleshooting: This chapter describes the basic knowledge about MultiProtocol Label Switching/Border Gateway Protocol (MPLS/BGP) IP virtual private networks (VPN), troubleshooting procedures for BGP/MPLS IP VPN faults, troubleshooting cases, diagnostic tools, and FAQs.
4 MPLS Layer 2 VPN troubleshooting: This chapter describes the basic knowledge about MPLS Layer 2 VPN (L2VPN), troubleshooting procedures for MPLS L2VPN faults, troubleshooting cases, diagnostic tools, and FAQs.
5 VPLS troubleshooting: This chapter describes the basic knowledge about VPLS, troubleshooting procedures for VPLS faults, troubleshooting cases, diagnostic tools, and FAQs.
Conventions
Symbol conventions
The following table defines the symbols in this document. The symbols are graphics; their descriptions are:
Symbol Description
- Indicates a hazard with a high level of risk that, if you do not avoid, results in death or serious injury.
- Indicates a hazard with a medium or low level of risk which, if you do not avoid, can result in minor or moderate injury.
- Indicates a potentially hazardous situation that, if you do not avoid, can cause equipment damage, data loss, and performance degradation or unexpected results.
- Indicates a tip that can help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.
General conventions
Convention Description
Times New Roman: Normal paragraphs use Times New Roman.
Boldface: Names of files, directories, folders, and users use boldface. For example, log in as user root.
Italic: Book titles use italics.
Courier New: Terminal display uses Courier New.
Command conventions
Convention Description
Boldface: The keywords of a command line use boldface.
Italic: Command arguments use italics.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. Select one of the items.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. Select one or none of the items.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. Select a minimum of one or a maximum of all of the items.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Select many or none of the items.
&<1-n>: You can repeat the parameter before the ampersand sign (&) 1 to n times.
#: A line that begins with the number sign (#) indicates comments.
GUI conventions
Convention Description
Boldface: Buttons, menus, parameters, tabs, windows, and dialog titles use boldface. For example, click OK.
>: Multilevel menus use boldface and a greater-than sign (>) separates the menu choices. For example, choose File > Create > Folder.
Keyboard operation
Format Description
Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, press Ctrl+Alt+A means you press the three keys at the same time.
Key 1, Key 2: Press the keys in turn. For example, press Alt, A means you press the two keys one after the other.
Mouse operation
Action Description
Click: Press and release the primary mouse button without moving the pointer.
Double-click: Quickly press the primary mouse button twice without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a specific position.
Update history
Updates between document versions are cumulative. The latest document version contains all
updates made to previous versions.
Updates in Issue 1.0 (6 June 2008)
The first commercial release.
The sections of this chapter are described as follows (the beginning of this table is not on this page):
- ... troubleshooting flowchart, and the procedures for troubleshooting in the L2TP Virtual Private Data Network (VPDN) networking environment.
- ... to the L3 Virtual Private Network (VPN), the troubleshooting flowchart, and the detailed troubleshooting procedures.
- This section lists frequently asked questions (FAQs) and their answers.
- 1.6 Diagnostic tools: This section lists the diagnostic tools, including the display command and debugging command.
1 L2TP troubleshooting
1.1 L2TP overview
L2TP is a VPDN tunnel protocol. It carries PPP-encapsulated links through a tunnel and is
applicable to remote access, such as remote user access to the internal resources of the
enterprise.
1.1.1 Two typical L2TP tunnel modes
The tunnel modes of PPP frames, which are between the user and the L2TP Network Server
(LNS), and between the user and L2TP Access Concentrator (LAC) clients (hosts running
L2TP), are shown in Figure 1-1.
Figure 1-1 Typical L2TP tunnel modes
(Figure elements: remote system, PSTN/ISDN, LAC, Internet, LNS, internal server; LAC client, Frame Relay or ATM, LNS, internal server.)
The methods of establishing a tunnel are as follows:
- NAS-initialized: Initiated by remote dial-up users. The remote system dials the LAC through
the Public Switched Telephone Network (PSTN) or Integrated Services Digital Network
(ISDN). The LAC sends a request to establish a tunnel connection to the LNS through the
Internet. The addresses of the dial-up users are assigned by the LNS. The agent on the LAC or
LNS performs the authentication and accounting of remote dial-up users.
- Client-initialized: Initiated directly by LAC users who support L2TP. In this case, LAC
users can directly send a request to establish a tunnel connection to the LNS, without the
need to pass through another LAC device. The addresses of the LAC users are assigned
by the LNS.
Figure 1-2 shows the process for setting up an L2TP tunnel.
Figure 1-2 The process flow for setting up an L2TP tunnel
(Figure: message flow among the PC, the LAC (Router A), the LAC-side RADIUS server, the LNS (Router B), and the LNS-side RADIUS server, labelled with steps (1) to (15): call setup, PPP LCP setup, PAP or CHAP authentication, access request, access accept, tunnel establish, PAP or CHAP authentication (challenge/response), authentication passes, user CHAP response and PPP negotiation parameters, access request, access accept, CHAP authentication twice (challenge/response), access request, access accept, authentication passes.)
The procedure for setting up an L2TP tunnel is as follows:
1. The PC on the user side sends a connection request.
2. The PC and LAC device (Router A) negotiate the PPP LCP.
3. LAC carries out PAP or CHAP authentication based on the information from the PC.
4. LAC sends an access request with the VPN user name and password to the RADIUS
server for identity authentication.
5. The RADIUS server authenticates this user and sends an access accept message carrying
information such as the LNS address. After the authentication succeeds, the LAC is ready to
start a new tunnel request.
6. LAC makes a tunnel request to the LNS specified by the RADIUS server.
7. LAC informs LNS of a CHAP challenge, and LNS sends a CHAP response and its
CHAP challenge. LAC then sends back a CHAP response.
8. The authentication succeeds.
9. LAC transmits the information about the CHAP response, response identifier, and PPP
negotiation parameters to LNS.
10. LNS sends an access request to the RADIUS server for authentication.
11. The RADIUS server reauthenticates this access request and sends back a response if
authentication succeeds.
12. If local mandatory CHAP authentication is configured at LNS, LNS authenticates the
VPN user by sending a challenge. The VPN user at the PC side sends back a response.
13. LNS resends this access request to the RADIUS server for authentication.
14. The RADIUS server reauthenticates this access request and sends back a response if
authentication is successful.
15. After all authentications pass, the VPN user can use the internal resources of the
enterprise.
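The tunnel-level CHAP exchange in steps 7 and 8 above, as an added example that is not Nortel code: each end challenges the other and answers with a CHAP-style response, MD5 over the identifier, the tunnel password, and the peer's challenge (RFC 1994 style; the L2TP message framing is left out). It shows why the tunnel comes up only when both ends hold the same password, the consistency rule the troubleshooting steps rely on.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # CHAP-style response: MD5 over the identifier byte, the shared secret
    # (the configured tunnel password) and the challenge received from the peer.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class TunnelPeer:
    # One tunnel end (LAC or LNS) with its configured tunnel password and the
    # random challenge it sends to the other end.
    name: str
    secret: bytes
    challenge: bytes = field(default_factory=lambda: os.urandom(16))

    def answer(self, identifier: int, peer_challenge: bytes) -> bytes:
        # Respond to the challenge the peer sent us.
        return chap_response(identifier, self.secret, peer_challenge)

    def verify(self, identifier: int, response: bytes) -> bool:
        # Check the peer's response against our own challenge and our secret.
        expected = chap_response(identifier, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac: TunnelPeer, lns: TunnelPeer, identifier: int = 1) -> dict:
    # Step 7: the LAC sends its challenge; the LNS replies with a response and
    # its own challenge; the LAC then answers the LNS challenge.
    lns_response = lns.answer(identifier, lac.challenge)
    lac_response = lac.answer(identifier, lns.challenge)
    # Step 8: each end verifies what it received. The tunnel comes up only when
    # both directions pass, which requires the same password on both ends.
    result = {
        "lac_accepts_lns": lac.verify(identifier, lns_response),
        "lns_accepts_lac": lns.verify(identifier, lac_response),
    }
    result["tunnel_up"] = result["lac_accepts_lns"] and result["lns_accepts_lac"]
    return result


if __name__ == "__main__":
    # Constructed sample: matching, then mismatched, tunnel passwords.
    print(establish_tunnel(TunnelPeer("LAC", b"tunnel-pw"), TunnelPeer("LNS", b"tunnel-pw")))
    print(establish_tunnel(TunnelPeer("LAC", b"tunnel-pw"), TunnelPeer("LNS", b"other-pw")))
```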
1.2 VPDN troubleshooting on the L2TP
This section describes the following topics:
- Networking environment
- Configuration notes
- Diagnostic flowchart
- Troubleshooting procedure
1.2.1 Networking environment
Figure 1-3 shows the networking of the L2TP tunnel.
Figure 1-3 Networking of the L2TP tunnel
(Figure elements: PC, Router A (LAC), RADIUS server, PSTN/ISDN, WAN, IP network, Router B (LNS), RADIUS server, PCs.)
Router A works on the LAC side and Router B works on the LNS side. The user from the
LAC side sends the request for connection to the LNS side. This achieves the interconnection
with other PCs.
The first rows of the configuration notes table (their Item and Sub-item columns are not on this page) carry these descriptions:
- To use the default local authentication, you need to configure the user name and the password in the AAA mode. To use any other authentication, such as RADIUS, you must configure the RADIUS authentication.
- You must configure the items for domain user access.
- Configure an address pool on the LNS side. You need to configure common users to access an address pool in the AAA mode and configure domain users to access an address pool in the domain mode.
- The user names and passwords on the user side, the LAC side, and the LNS side must be consistent.
- After the LCP renegotiation on the LNS side is executed, you need to configure the PPP authentication mode on the virtual interface template. Otherwise, the user cannot pass the authentication.
Item Sub-item Description
Configuring L2TP | Appointment of the address pool | To configure an address pool for a user, the number of the address pool configured here must be the same as that configured in the AAA view.
Configuring L2TP | Configure the MTU | Nortel recommends that you configure the MTU value as 1450.
Configuring L2TP | Enable the L2TP | Configure the L2TP only after the L2TP is enabled.
Configuring L2TP | Source interface of the tunnel on the LAC side | You can specify the loopback interface, Ethernet interface, and GigabitEthernet interface as the source interface of the tunnel.
Configuring L2TP | The name of the tunnel | The name of the tunnel on the LAC side must be consistent with the name of the remote end to receive the tunnel on the LNS side.
Configuring L2TP | The authentication of the tunnel | The configuration for tunnel authentication on the LAC side must be the same as that on the LNS side.
Configuring L2TP | The password of the authentication of the tunnel | After tunnel authentication is enabled, the passwords on both the LAC side and the LNS side must be consistent.
Configuring L2TP | The list separator of the user postfix | If you establish the connection with L2TP through the domain, you need to run the l2tp domain command to configure the separator of the user postfix.
Configuring L2TP | The static route on the LAC side | When the LNS side uses the IP address of the loopback interface as the IP address of the L2TP group, you must configure the route to be reachable to the LNS loopback interface on the LAC side.
Configuring L2TP | The request for the connection with the L2TP allowed on the LNS side | If the number of the L2TP group is 1, you need not specify the remote-name. If you specify the remote name in the L2TP group 1 view, L2TP group 1 does not work as the default L2TP group.
Configuring L2TP | The IP address of the L2TP group bound on the LNS side | The IP address of the Ethernet interface, GigabitEthernet interface, and loopback interface can be used as the IP address of an L2TP group. After the loopback interface is bound, it cannot be used for other services.
Configuring L2TP | The user authentication on the LNS side | After the LCP renegotiation is configured on the LNS side, you need to configure the PPP authentication mode on the correct virtual interface template. Otherwise, the user cannot pass the authentication.
Domain | — | Generally, bind VTs and configure address pools in the domain view when L2TP users access Layer 3 VPN groups. In other cases, bind VTs in the L2TP group view.
As an example for the configuration notes for the L2TP LNS, consider users in different
domains that access the VPN.
1. Configure the interface of the LNS and LAC Ethernet2/0/0 and the address.
[Nortel] interface ethernet2/0/0
[Nortel-Ethernet2/0/0] ip address 10.1.1.3 255.255.255.0
[Nortel-Ethernet2/0/0] quit
2. Create a virtual template (VT) required by the L2TP group.
[Nortel] interface virtual-template 1
[Nortel-Virtual-Template1] ip address 35.1.1.1 255.255.255.0
[Nortel-Virtual-Template1] mtu 1450
[Nortel-Virtual-Template1] ppp authentication-mode pap
[Nortel-Virtual-Template1] quit
The VT executes the LCP and PAP negotiation with the user.
3. Configure the loopback interface required by the L2TP group.
[Nortel] interface LoopBack 0
Step 1 Determining that the user address is correct
Step 2 Checking whether network congestion occurs
Step 3 Checking that the tunnel exists
Step 4 Checking the state of PPP negotiation on the LNS side
Step 5 Checking that the LAC can ping through the loopback interface of the LNS
Step 6 Checking the status of PPP negotiation on the LAC side
----End
The following sections describe the troubleshooting steps.
Determining that the user address is correct
The LNS can assign the address to the user, or the user can specify the address. If the assigned
address and the specified address are not in the same network segment, the data transmission
fails. Nortel recommends that the LNS assign the address. The two cases are as follows:
- When the user accesses the LNS with the full name, the LNS checks that the correct address
pool is bound in the VT. You must configure the address pool in the AAA view correctly.
Run the remote address pool pool-number command to bind the address pool.
- When the user accesses the LNS with the domain name, the LNS checks whether a correct
address pool is configured in the domain view. You can use the ip pool pool-number first-address [ last-address ] command to configure the address pool in the domain view.
Then, use the remote address pool pool-number command in the VT interface view to
bind the address pool to this interface.
Checking whether network congestion occurs
L2TP transmits data based on the User Datagram Protocol (UDP). The UDP does not
implement error control on the packets. If you apply L2TP when the link is unstable, the data
transmission can fail.
Checking that the tunnel exists
You can use the display l2tp tunnel command to check whether the tunnel is established on
the LAC and LNS. If no corresponding tunnel exists, check the configuration using the
following methods:
1. Run the display this command in the L2TP group view on the LAC end to check
whether the LNS address with the start l2tp command is correctly configured. The
address should be the same as the loopback address on the LNS end. If they are different,
you need to reconfigure the LNS address.
2. Run the display this command in the L2TP group view on the LAC side to check
whether the LNS address is correct in the allow l2tp command. The address must be
consistent with the IP address of the loopback interface on the LNS end. If they are
inconsistent, you must reconfigure them.
3. Check whether the tunnel authentication and the password are correctly configured on
the LAC and LNS ends. The request for the tunnel authentication can be initiated from
either the LAC or the LNS. If one end starts the tunnel authentication, the tunnel can be
established only when the remote end also starts the tunnel authentication and the
passwords of both ends are consistent. Run the display this command in the L2TP group
view on the LAC and LNS sides to check if the passwords of the tunnels are consistent.
If one end is configured with the tunnel authentication but the passwords on both ends
are inconsistent, use the tunnel password { simple | cipher } password command to
configure the passwords.
4. Check whether the correct virtual template (VT) is bound on the LNS side.
5. If one end is forcibly disconnected, while the remote end does not receive the Disconnect
packet, the tunnel between the two ends cannot be connected. This is because the remote
end requires a period of time to test the disconnection of the link.
6. LNS does not accept the request for the connection of the tunnel from the LACs that
have the same IP addresses. If the two LACs simultaneously send the request for the
connection of the tunnel, the tunnel cannot be established.
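The consistency rules from the configuration notes table, the address-segment rule under "Determining that the user address is correct", and items 1 to 4 of the tunnel check above, turned into one checker. Added example, not Nortel code: the LAC and LNS dictionaries are a constructed stand-in for what display this shows in the L2TP group and VT views, with assumed key names, not the router's real output format.

```python
import ipaddress


def check_l2tp_pair(lac: dict, lns: dict) -> list:
    # Returns a list of findings; an empty list means every check passed.
    findings = []
    # Items 1 and 2: the LNS address in start l2tp on the LAC must equal the
    # loopback address bound to the L2TP group on the LNS.
    if lac["lns_address"] != lns["loopback_address"]:
        findings.append("start l2tp on the LAC points at %s, LNS loopback is %s"
                        % (lac["lns_address"], lns["loopback_address"]))
    # The LAC tunnel name must match the remote-name the LNS allows; only
    # L2TP group 1 (the default group) may omit remote-name.
    remote_name = lns.get("remote_name")
    if remote_name is None and lns["group"] != 1:
        findings.append("LNS L2TP group %d has no remote-name" % lns["group"])
    elif remote_name is not None and remote_name != lac["tunnel_name"]:
        findings.append("LAC tunnel name %r != LNS remote-name %r"
                        % (lac["tunnel_name"], remote_name))
    # Item 3: tunnel authentication on both ends or on neither, same password.
    if lac["tunnel_auth"] != lns["tunnel_auth"]:
        findings.append("tunnel authentication enabled on only one end")
    elif lac["tunnel_auth"] and lac["tunnel_password"] != lns["tunnel_password"]:
        findings.append("tunnel passwords differ")
    # Item 4 and the configuration notes: a VT must be bound on the LNS, its
    # MTU should be 1450, and PPP authentication is required on it whenever
    # LCP renegotiation is configured.
    vt = lns.get("virtual_template")
    if vt is None:
        findings.append("no virtual template bound on the LNS")
    else:
        if vt.get("mtu") != 1450:
            findings.append("VT MTU is %s, recommended value is 1450" % vt.get("mtu"))
        if lns.get("lcp_renegotiation") and not vt.get("ppp_auth"):
            findings.append("LCP renegotiation set but no PPP authentication on the VT")
    # Static route note: the LAC needs a route that covers the LNS loopback.
    loopback = ipaddress.ip_address(lns["loopback_address"])
    if not any(loopback in ipaddress.ip_network(r) for r in lac.get("routes", [])):
        findings.append("LAC has no route to the LNS loopback %s" % loopback)
    return findings


def same_segment(assigned: str, user_specified: str, mask: str) -> bool:
    # An LNS-assigned address and a user-specified address must fall in the
    # same network segment (the VT's subnet), otherwise data transmission fails.
    net = ipaddress.ip_interface("%s/%s" % (assigned, mask)).network
    return ipaddress.ip_address(user_specified) in net


# Constructed sample pair with assumed values (loopback 10.2.2.2, group 2).
LAC_OK = {"lns_address": "10.2.2.2", "tunnel_name": "lac1", "tunnel_auth": True,
          "tunnel_password": "t-pw", "routes": ["10.2.2.0/24"]}
LNS_OK = {"group": 2, "loopback_address": "10.2.2.2", "remote_name": "lac1",
          "tunnel_auth": True, "tunnel_password": "t-pw", "lcp_renegotiation": True,
          "virtual_template": {"mtu": 1450, "ppp_auth": "pap"}}

if __name__ == "__main__":
    print(check_l2tp_pair(LAC_OK, LNS_OK))
    print(check_l2tp_pair(dict(LAC_OK, tunnel_password="wrong"), LNS_OK))
```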
Checking the state of PPP negotiation on the LNS side
1. Check that LCP renegotiation or forced CHAP authentication is configured.
Run the display this command in the L2TP group view to check if LCP renegotiation or
forced CHAP authentication is configured. When the device is connected with the LAC
equipment of other companies, the user authentication on the LNS uses the LCP
renegotiation. You can configure the LAC device according to actual requirements.
After you configure LCP renegotiation on the LNS side, you must configure PPP
authentication on the corresponding virtual interface template. Otherwise, the user cannot
pass the authentication.
2. Check that the LNS configures the corresponding user name and the password.
The two cases are as follows:
− For local authentication, check whether the correct user name and password are
configured in the AAA view. If they are incorrect, configure them by using the
local-user user-name password { simple | cipher } password command.
− For RADIUS authentication, see the section about VAS troubleshooting in Nortel
Secure Router 8000 Series Troubleshooting - VAS (NN46240-709).
3. Use the display ip pool command to check whether the address pool is small or no
address pool is configured.
4. Use the display this command in the VT view to check whether the authentication type
is consistent with that of the LAC.
Checking that the LAC can ping through the loopback interface of the LNS
1. Ping the loopback interface from the LAC. If you can ping through the loopback
interface, a reachable route between the LAC and LNS exists. If not, check whether the
static route of the loopback interface on the LNS has been configured by the display ip routing-table command.
2. If a static route exists, you can use the display this command in the L2TP group view on
the LNS side to check that the L2TP group binds the loopback interface. If no loopback
interface is bound, use the tunnel destination loopback command to bind it.