Access VPN Solutions Using Tunneling Technology (1): Layer 2 Forwarding Case Study
Configuring the NAS for Basic Dial Access
Downloads: This chapterpdf (PDF - 216.0KB) | Feedback

Configuring the NAS for Basic Dial Access

Table Of Contents

Configuring the NAS for Basic Dial Access

Introduction

Configuring Basic Dial Access

Step 1—Configuring the Host Name, Enable Password, and Service Time Stamps

Step 2—Configuring Local AAA

Step 3—Configuring the LAN Interface

Step 4—Commissioning the T1 Controllers

Step 5—Configuring the Serial Channels to Let Modem Calls Come In

Step 6—Configuring the Modems and Asynchronous Lines

Step 7—Specifying the IP Address Pool and DNS Servers

Step 8—Configuring the Group-Async Interface

Verifying Basic Dial Access

Step 1—Checking the NAS Running Configuration

Step 2—Dialing in to the NAS

Step 3—Pinging the NAS

Step 4—Displaying Active Call Statistics on the NAS

Step 5—Pinging the Client

Step 6—Verifying That the Asynchronous Interface Is Up and That LCP Is Open

Troubleshooting Basic Dial Access

Step 1—Checking the ISDN Status

Step 2—Troubleshooting PPP Negotiation

Step 3—Troubleshooting ISDN

Step 4—Checking the Error Status of the T1 Controllers

Step 5—Troubleshooting the Modem Call State Machine


Configuring the NAS for Basic Dial Access


Introduction

In this first task, the ISP:

Configures the Cisco AS5300 network access server (NAS) to support basic IP and modem services.

Verifies that basic dial access works before the ISP starts forwarding PPP sessions to the enterprise customer's home gateway.

Troubleshoots the NAS if there are problems.

shows the ISP's basic dial access topology. Clients using modems dial in to the NAS over four T1 PRI lines that are assigned to 555-0945.

Figure 8 Basic Dial Access Network Topology

After the ISP completes this task, basic dial access will function as follows:

The client dials in to the NAS.

The client and the NAS successfully complete PPP negotiation.

The NAS assigns an IP address to the client.

The client and NAS bidirectionally support IP services.

Configuring Basic Dial Access

To configure the NAS for basic dial access, the ISP completes the following steps:

Step 1—Configuring the Host Name, Enable Password, and Service Time Stamps

Step 2—Configuring Local AAA

Step 3—Configuring the LAN Interface

Step 4—Commissioning the T1 Controllers

Step 5—Configuring the Serial Channels to Let Modem Calls Come In

Step 6—Configuring the Modems and Asynchronous Lines

Step 7—Specifying the IP Address Pool and DNS Servers

Step 8—Configuring the Group-Async Interface

Step 1—Configuring the Host Name, Enable Password, and Service Time Stamps

In this step, the ISP:

Assigns a host name to the NAS

Sets up configuration privileges

Turns on service time stamps

Use this command
To do this
Router> enable

Access privileged EXEC mode.

Router# configure terminal
Enter configuration commands, one per line. End
with CNTL/Z.

Access global configuration mode1 .

Router(config)# hostname ISP_NAS

Assign a host name to the access server.

A host name distinguishes the NAS from other devices on the network.

ISP_NAS(config)# enable secret letmein

Enter a secret enable password, which secures privileged EXEC mode.

An enable password allows you to prevent unauthorized configuration changes. Make sure to change letmein to your own secret password.

ISP_NAS(config)# service password-encryption

Encrypt passwords in the configuration file.

ISP_NAS(config)# service timestamps debug datetime msec
ISP_NAS(config)# service timestamps log datetime msec

Apply millisecond time stamping to debug and logging output.

These time stamps help identify debug output when there is a lot of activity on the router.

1 If the logging output generated by the NAS interferes with your terminal screen, redisplay the current command line by using the Tab key.


Step 2—Configuring Local AAA

In this step, the ISP:

Enables the authentication, authorization, and accounting (AAA) access control system

Creates a local username database

AAA provides the primary framework through which you set up access control on the NAS. Authentication identifies the client; authorization tells the client what it can do; accounting records what the client did do.

Use this command
To do this
ISP_NAS(config)# aaa new-model

Initiate the AAA access control system.

ISP_NAS(config)# aaa authentication ppp default local

Configure PPP authentication to use the local database.

ISP_NAS(config)# username jane-admin password 
jane-password

Create a local login database and username for yourself—the network administrator1 .

Note   This step also prevents you from getting locked out of the access server.

ISP_NAS(config)# username jeremy password subaru

Create a local login username for the client. The username jeremy and password subaru are locally authenticated by the NAS.

Later in the case study, jeremy is authenticated by the home gateway's CiscoSecure AAA server (not the NAS).

1 Make sure you use your own username and password.


Step 3—Configuring the LAN Interface

In this step, the ISP:

Assigns an IP address to the Ethernet interface

Brings up the interface

Use this command
To do this
ISP_NAS(config)# interface ethernet 0
ISP_NAS(config-if)# ip address 172.22.66.23 255.255.255.192

Configure the IP address and subnet mask on the Ethernet interface. Do not forget to use your own IP address and subnet mask.

ISP_NAS(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
ISP_NAS(config-if)# exit

Bring up the interface.

This command changes the state of the interface from administratively down to up1 .

1 The term administratively down means that the interface is intentionally shut down by the administrator. The shutdown command is applied to the interface.


Step 4—Commissioning the T1 Controllers

In this step, the ISP:

Defines the ISDN switch type

Commissions the T1 controllers to allow modem calls to come into the NAS. The ISP must specify the following information for each controller:

Framing type

Line code type

Clock source

Timeslot assignments

Use this command
To do this
ISP_NAS(config)# isdn switch-type primary-5ess

Enter the telco switch type, which is 5ESS in this case study.

An ISDN switch type that is specified in global configuration mode is automatically propagated into the individual serial interfaces (for example, interface serial 0:23, 1:23, 2:23, and 3:23).

ISP_NAS(config)# controller t1 0 

Access controller configuration mode for the first T1 controller, which is number 0. The controller ports are numbered 0 through 3 on the quad T1/PRI card.

ISP_NAS(config-controller)# framing esf

Enter the T1 framing type, which is extended super frame (ESF) in this case study.

ISP_NAS(config-controller)# linecode b8zs

Enter the T1 line code type, which is B8ZS in this case study.

ISP_NAS(config-controller)# clock source line primary

Configure the access server to get its primary clocking from the T1 line assigned to controller 0.

Line clocking comes from the remote switch.

ISP_NAS(config-controller)# pri-group timeslots 1-24

Assign all 24 T1 timeslots as ISDN PRI channels.

After you enter this command, a D-channel serial interface is instantly created (for example S0:23) as well as individual B-channel serial interfaces (for example S0:0, S0:1, S0:2, S0:3, and so on.).

The D-channel interface functions like a dialer for all the 23 B channels using the controller. If this was an E1 interface, the PRI group range would be 1 to 31. The D-channel serial interfaces would be S0:15, S1:15, S2:15, and S3:15.

ISP_NAS(config-controller)# exit

Exit back to global configuration mode.

ISP_NAS(config#) controller t1 1
ISP_NAS(config-controller)# framing esf
ISP_NAS(config-controller)# linecode b8zs
ISP_NAS(config-controller)# clock source line secondary
ISP_NAS(config-controller)# pri-group timeslots 1-24
ISP_NAS(config-controller)# exit

Configure the second controller, controller T1 1.

Set the clocking to secondary. If the line clocking from controller T1 0 fails, the access server receives its clocking from controller T1 1.

ISP_NAS(config#) controller t1 2
ISP_NAS(config-controller)# framing esf
ISP_NAS(config-controller)# linecode b8zs
ISP_NAS(config-controller)# clock source internal
ISP_NAS(config-controller)# pri-group timeslots 1-24
ISP_NAS(config-controller)# exit
ISP_NAS(config#) controller t1 3
ISP_NAS(config-controller)# framing esf
ISP_NAS(config-controller)# linecode b8zs
ISP_NAS(config-controller)# clock source internal
ISP_NAS(config-controller)# pri-group timeslots 1-24
ISP_NAS(config-controller)# exit
ISP_NAS(config#)

Configure the remaining two controllers.

Set both clocking entries to internal because the primary and secondary clock sources have already been assigned.


Step 5—Configuring the Serial Channels to Let Modem Calls Come In

In this step, the ISP:

Configures the D channels to allow incoming voice calls to be routed to the integrated MICA modems. The D channel is the signaling channel.

Uses the D channel to control the behavior of individual B channels

Use this command
To do this
ISP_NAS(config)# interface serial 0:23

Access configuration mode for the D-channel serial interface that corresponds to controller T1 0.

The behavior of serial 0:0 through serial 0:22 is controlled by the configuration instructions provided for serial 0:23. This concept is also true for the other remaining D-channel configurations.

ISP_NAS(config-if)# isdn incoming-voice modem

Enable analog modem voice calls coming in through the B channels to be connected to the integrated modems.

ISP_NAS(config-if)# exit

Exit back to global configuration mode.

ISP_NAS(config)# interface serial 1:23
ISP_NAS(config-if)# isdn incoming-voice modem
ISP_NAS(config-if)# exit
ISP_NAS(config)# interface serial 2:23
ISP_NAS(config-if)# isdn incoming-voice modem
ISP_NAS(config-if)# exit
ISP_NAS(config)# interface serial 3:23
ISP_NAS(config-if)# isdn incoming-voice modem
ISP_NAS(config-if)# exit

Configure the three remaining D channels with the same ISDN incoming-voice modem setting.


Step 6—Configuring the Modems and Asynchronous Lines

In this step, the ISP:

Defines a range of modem lines

Enables PPP clients to dial in, bypass the EXEC facility, and automatically start PPP.

Configure the modems and lines after the ISDN channels are operational. Each modem corresponds with a dedicated asynchronous line inside the access server. The modem speed 115200 bps and hardware flow control are default values for integrated modems.

Use this command
To do this
ISP_NAS(config)# line 1 96

Enter the range of modem lines that you want to configure. The NAS used in this case study has 96 integrated MICA modems.

ISP_NAS(config-line)# autoselect ppp
ISP_NAS(config-line)# autoselect during-login

Enable PPP clients to dial in, bypass the EXEC facility, and automatically start PPP on the lines. The autoselect during-login command displays the username:password prompt as the modems connect.

Note   These two autoselect commands enable EXEC (shell) and PPP services on the same lines.

ISP_NAS(config-line)# modem inout

Support incoming and outgoing modem calls.


Step 7—Specifying the IP Address Pool and DNS Servers

In this step, the ISP:

Creates an IP addresses pool that contains one IP address

Specifies a primary and secondary domain name server (DNS)

Use this command
To do this
ISP_NAS(config)# ip local pool default 1.1.1.1

Create an IP pool containing one IP address to assign to one client1 .

ISP_NAS(config)# async-bootp dns-server 171.68.10.70 171.68.10.140

Specify the domain name servers on the network, which can be used for clients dialing in with PPP.

1 Later in the case study, the client is assigned an IP address from the local IP pool configured on the home gateway. The NAS, which is maintained by the ISP, does not assign IP addresses to the enterprise customer's clients when the network is configured as an access VPN.


Step 8—Configuring the Group-Async Interface

In this step, the ISP:

Creates a group-async interface

Projects protocol characteristics to 96 asynchronous interfaces

The group-async interface is a template that controls the configuration of all the asynchronous interfaces inside the NAS. Asynchronous interfaces are lines running in PPP mode. An asynchronous interface uses the same number as its corresponding line. Configuring all the asynchronous interfaces as an async group saves you time by reducing the number of configuration steps.

!

Use this command
To do this
ISP_NAS(config)# interface group-async 1

Create the group-async interface.

ISP_NAS(config-if)# ip unnumbered ethernet 0

Use the IP address defined on the Ethernet interface.

ISP_NAS(config-if)# encapsulation ppp

Enable PPP.

ISP_NAS(config-if)# async mode interactive

Configure interactive mode on the asynchronous interfaces. Interactive mode means that clients can dial in to the NAS and get a router prompt or PPP session.

Dedicated mode means that only PPP sessions can be established on the NAS. Clients cannot dial in and get an EXEC (shell) session.

ISP_NAS(config-if)# ppp authentication chap pap

Configure CHAP and PAP authentication to be used on the interface during LCP negotiation.

The access server first authenticates with CHAP. If CHAP is rejected by the client, PAP authentication is used.

ISP_NAS(config-if)# peer default ip address pool default

Assign IP addresses to clients from the default IP address pool.

ISP_NAS(config-if)# group-range 1 96
Building configuration...

Specify the range of asynchronous interfaces to include in the group, which is usually equal to the number of modems in the access server.


Verifying Basic Dial Access

This section describes how to verify that the following end-to-end connections function as shown in :

Step 1—Checking the NAS Running Configuration

Step 2—Dialing in to the NAS

Step 3—Pinging the NAS

Step 4—Displaying Active Call Statistics on the NAS

Step 5—Pinging the Client

Step 6—Verifying That the Asynchronous Interface Is Up and That LCP Is Open

Figure 9 Basic Dial Access Network Topology

After you successfully test these connections, go to "Configuring the Access VPN to Work with Local AAA." If you experience problems, see "Troubleshooting Basic Dial Access."

Step 1—Checking the NAS Running Configuration

Enter the show running-config command in privileged EXEC mode to make sure that the NAS accepted the commands you entered:

ISP_NAS# show running-config
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ISP_NAS
!
aaa new-model
aaa authentication ppp default local
enable secret 5 $1$AXl/$27hOM6j51a5P76Enq.LCf0
!
!
username jeremy password 7 021511590A141A
username jane-admin password 7 0501090A6C5C4F1A0A1218000F
!
async-bootp dns-server 171.68.10.70 171.68.10.140
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 2
 framing esf
 clock source internal
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 3
 framing esf
 clock source internal
 linecode b8zs
 pri-group timeslots 1-24
!
!
interface Ethernet0
 ip address 172.22.66.23 255.255.255.192
!
interface Serial0:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface Serial1:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface Serial2:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface Serial3:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface FastEthernet0
 no ip address
 shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool default
 ppp authentication chap pap
 group-range 1 96
!
ip local pool default 1.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.66.1
!
line con 0
 transport input none
line 1 96
 autoselect during-login
 autoselect ppp
 modem InOut
line aux 0
line vty 0 4
!
end

Step 2—Dialing in to the NAS

From the client, dial in to the NAS. Use the PRI telephone number assigned to the NAS' T1 trunks. Sometimes the PRI telephone is called the hunt group number. shows the username, password, and PRI telephone entered in the Windows 95 dial-up networking utility.

Figure 10 Windows 95 Dial-Up Networking Utility

As the call comes into the NAS, a LINK-3-UPDOWN message automatically appears on the NAS' terminal screen. In this example, the call comes in to the NAS on asynchronous interface 47. The asynchronous interface is up.

*Jan  1 21:22:18.410: %LINK-3-UPDOWN: Interface Async47, changed state to up


Note   No debug commands are turned on to display this log message. Start troubleshooting the NAS if you do not see this message after 30 seconds of when the client first transmits the call.


Step 3—Pinging the NAS

Ping the NAS from the client. From the Windows 95 desktop:

(a) Click Start.

(b) Select Run.

(c) Enter ping 172.22.66.23. See .

(d) Click OK.

(e) Look at the ping terminal screen and verify that the NAS is sending ping reply packets to the client. See .

Figure 11

Windows 95 Ping Utility

Figure 12

Ping Reply Packets Sent from the NAS to the Client

Step 4—Displaying Active Call Statistics on the NAS

From the NAS, enter the show caller command and show caller user name command to verify that the client received an IP address. This example shows that Jeremy is using TTY line 47, asynchronous interface 47, and IP address 1.1.1.1. The network administrator jane-admin is using console 0.

ISP_NAS# show caller
  Line         User               Service       Active   
  con 0        jane-admin          TTY           01:54:15
  tty 47       jeremy             Async         00:00:54
  As47         jeremy             PPP           00:00:50

ISP_NAS# show caller user jeremy

  User: jeremy, line tty 47, service Async, active 00:01:49
  TTY: Line 47, running PPP on As47, idle 00:00:00
  Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
  Status: Ready, Active, No Exit Banner, Async Interface Active
          HW PPP Support Active
  Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
                Modem Callout, Modem RI is CD, 
                Line is permanent async interface, Integrated Modem
  Modem State: Ready
  Timeouts: Idle EXEC  Idle Session  Modem Answer   Session   Dispatch
             00:10:00         never             -     never   not set

  User: jeremy, line As47, service PPP, active 00:01:45
  PPP: LCP Open, CHAP (<- AAA), IPCP
  IP: Local 172.22.66.23, remote 1.1.1.1
  Counts: 29 packets input, 1690 bytes, 0 no buffer
          0 input errors, 0 CRC, 0 frame, 0 overrun
          12 packets output, 255 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets

Note   The show caller command was added to the Cisco IOS software at Release 11.3(5)AA. If your software version of software does not support the show caller command, use the show user command.


Step 5—Pinging the Client

From the NAS, ping Jeremy's PC at IP address 1.1.1.1:

ISP_NAS# ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.66.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/136/160 ms

Step 6—Verifying That the Asynchronous Interface Is Up and That LCP Is Open

From the NAS, enter the show interface async 47 command to verify that the interface is up, LCP is open, and no errors are reported:

ISP_NAS# show interface async 47     
Async47 is up, line protocol is up 
  modem(slot/port)=1/46, state=CONNECTED
  dsx1(slot/unit/channel)=0/0/0, status=VDEV_STATUS_ACTIVE_CALL.VDEV_STATUS_ALL.
  Hardware is Async Serial
  Interface is unnumbered. Using address of Ethernet0 (172.22.66.23)
  MTU 1500 bytes, BW 115 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive not set
  DTR is pulsed for 5 seconds on reset
  LCP Open
  Open: IPCP
  Last input 00:00:46, output 00:02:42, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/10, 0 drops; input queue 1/10, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     37 packets input, 2466 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     12 packets output, 255 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Troubleshooting Basic Dial Access

This section provides the ISP with a methodology for troubleshooting basic dial access as described in . Complete the following steps to perform basic dial-up fault isolation. The bolded lines of output indicate important information.

Step 1—Checking the ISDN Status

Step 2—Troubleshooting PPP Negotiation

Step 3—Troubleshooting ISDN

Step 4—Checking the Error Status of the T1 Controllers

Step 5—Troubleshooting the Modem Call State Machine

Figure 13

Troubleshooting Flow Diagram for Basic Dial Access

If you use a Telnet session to connect to the NAS, enable the terminal monitor command, which ensures that your EXEC session is receiving the logging and debug output from the NAS.

When you finish troubleshooting, enter the undebug all command to turn off all debug commands. Isolating debug output helps you efficiently build a network.

Step 1—Checking the ISDN Status

Enter the show isdn status command to confirm that Layer 1 is active and the display field MULTIPLE_FRAME_ESTABLISHED appears at Layer 2. This example shows that each serial interface is functioning properly:

ISP_NAS# show isdn status 
Global ISDN Switchtype = primary-5ess
ISDN Serial0:23 interface
        dsl 0, interface ISDN Switchtype = primary-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
    Activated dsl 0 CCBs = 1
        CCB:callid=11E, sapi=0, ces=0, B-chan=12, calltype=DATA
ISDN Serial1:23 interface
        dsl 1, interface ISDN Switchtype = primary-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
    Activated dsl 1 CCBs = 1
        CCB:callid=12A, sapi=0, ces=0, B-chan=2, calltype=VOICE
ISDN Serial2:23 interface
        dsl 2, interface ISDN Switchtype = primary-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
    Activated dsl 2 CCBs = 1
        CCB:callid=143, sapi=0, ces=0, B-chan=7, calltype=DATA
ISDN Serial3:23 interface
        dsl 3, interface ISDN Switchtype = primary-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        4 Active Layer 3 Call(s)
    Activated dsl 3 CCBs = 4
        CCB:callid=160, sapi=0, ces=0, B-chan=14, calltype=VOICE
        CCB:callid=162, sapi=0, ces=0, B-chan=17, calltype=VOICE
        CCB:callid=167, sapi=0, ces=0, B-chan=22, calltype=VOICE
        CCB:callid=168, sapi=0, ces=0, B-chan=23, calltype=VOICE
    Total Allocated ISDN CCBs = 7

If Layer 1 is not active:

Check the physical layer connectivity. Try using another port or cable.

Check with your PRI provider.

If the display field MULTIPLE_FRAME_ESTABLISHED does not appear at Layer 2:

Verify that the ISDN switch setting is correct.

Enter the show controller command to verify that the controller is up without any alarms or errors. For an example, see "Step 4—Checking the Error Status of the T1 Controllers."


Note   If you isolated the problem to Layers 1 or 2 and you think that you fixed it, go back to the verification steps and confirm that the problem is resolved. If the client still cannot dial in to the NAS, go to Step 2.


Step 2—Troubleshooting PPP Negotiation

Troubleshoot PPP negotiation by:

(a) Turning on the debug ppp negotiation command.

(b) Pinging the NAS from the client.

(c) Observing the debug output messages that appear on the NAS' terminal screen. If you do not see debug output, turn off the debug ppp negotiation command and go to Step 3.

It is important to understand what a successful debug PPP sequence looks like before you troubleshoot PPP negotiation. In this way, comparing a faulty PPP debug session against a successfully completed debug PPP sequence saves you time and effort.

Following is an example of a successful PPP sequence. See for a detailed description of the output fields.

ISP_NAS# debug ppp negotiation
PPP protocol negotiation debugging is on
ISP_NAS# show debug
PPP:
  PPP protocol negotiation debugging is on

ISP_NAS#
Mar 13 10:57:13.415: %LINK-3-UPDOWN: Interface Async1, changed state to up
Mar 13 10:57:15.415: As1 LCP: O CONFREQ [ACKrcvd] id 2 len 25
Mar 13 10:57:15.415: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Mar 13 10:57:15.415: As1 LCP:    AuthProto CHAP (0x0305C22305)
Mar 13 10:57:15.415: As1 LCP:    MagicNumber 0x1084F0A2 (0x05061084F0A2)
Mar 13 10:57:15.415: As1 LCP:    PFC (0x0702)
Mar 13 10:57:15.415: As1 LCP:    ACFC (0x0802)
Mar 13 10:57:15.543: As1 LCP: I CONFACK [REQsent] id 2 len 25
Mar 13 10:57:15.543: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Mar 13 10:57:15.543: As1 LCP:    AuthProto CHAP (0x0305C22305)
Mar 13 10:57:15.543: As1 LCP:    MagicNumber 0x1084F0A2 (0x05061084F0A2)
Mar 13 10:57:15.543: As1 LCP:    PFC (0x0702)
Mar 13 10:57:15.547: As1 LCP:    ACFC (0x0802)
Mar 13 10:57:16.919: As1 LCP: I CONFREQ [ACKrcvd] id 4 len 23
Mar 13 10:57:16.919: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Mar 13 10:57:16.919: As1 LCP:    MagicNumber 0x001327B0 (0x0506001327B0)
Mar 13 10:57:16.919: As1 LCP:    PFC (0x0702)
Mar 13 10:57:16.919: As1 LCP:    ACFC (0x0802)
Mar 13 10:57:16.919: As1 LCP:    Callback 6  (0x0D0306)
Mar 13 10:57:16.919: As1 LCP: O CONFREJ [ACKrcvd] id 4 len 7
Mar 13 10:57:16.919: As1 LCP:    Callback 6  (0x0D0306)
Mar 13 10:57:17.047: As1 LCP: I CONFREQ [ACKrcvd] id 5 len 20
Mar 13 10:57:17.047: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Mar 13 10:57:17.047: As1 LCP:    MagicNumber 0x001327B0 (0x0506001327B0)
Mar 13 10:57:17.047: As1 LCP:    PFC (0x0702)
Mar 13 10:57:17.047: As1 LCP:    ACFC (0x0802)
Mar 13 10:57:17.047: As1 LCP: O CONFACK [ACKrcvd] id 5 len 20
Mar 13 10:57:17.047: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Mar 13 10:57:17.047: As1 LCP:    MagicNumber 0x001327B0 (0x0506001327B0)
Mar 13 10:57:17.047: As1 LCP:    PFC (0x0702)
Mar 13 10:57:17.047: As1 LCP:    ACFC (0x0802)
Mar 13 10:57:17.047: As1 LCP: State is Open
Mar 13 10:57:17.047: As1 PPP: Phase is AUTHENTICATING, by this end
Mar 13 10:57:17.047: As1 CHAP: O CHALLENGE id 1 len 28 from "ISP_NAS"
Mar 13 10:57:17.191: As1 CHAP: I RESPONSE id 1 len 30 from "jeremy"
Mar 13 10:57:17.191: As1 CHAP: O SUCCESS id 1 len 4
Mar 13 10:57:17.191: As1 PPP: Phase is UP
Mar 13 10:57:17.191: As1 IPCP: O CONFREQ [Closed] id 1 len 10
Mar 13 10:57:17.191: As1 IPCP:    Address 172.22.66.23 (0x0306AC164217)
Mar 13 10:57:17.303: As1 IPCP: I CONFREQ [REQsent] id 1 len 40
Mar 13 10:57:17.303: As1 IPCP:    CompressType VJ 15 slots CompressSlotID (0x020
6002D0F01)
Mar 13 10:57:17.303: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
Mar 13 10:57:17.303: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Mar 13 10:57:17.303: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Mar 13 10:57:17.303: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Mar 13 10:57:17.303: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Mar 13 10:57:17.303: As1 IPCP: O CONFREJ [REQsent] id 1 len 22
Mar 13 10:57:17.303: As1 IPCP:    CompressType VJ 15 slots CompressSlotID (0x020
6002D0F01)
Mar 13 10:57:17.303: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Mar 13 10:57:17.303: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Mar 13 10:57:17.319: As1 CCP: I CONFREQ [Not negotiated] id 1 len 15
Mar 13 10:57:17.319: As1 CCP:    MS-PPC supported bits 0x00000001 (0x12060000000
1)
Mar 13 10:57:17.319: As1 CCP:    Stacker history 1 check mode EXTENDED (0x110500
0104)
Mar 13 10:57:17.319: As1 LCP: O PROTREJ [Open] id 3 len 21 protocol CCP
Mar 13 10:57:17.319: As1 LCP:  (0x80FD0101000F12060000000111050001)
Mar 13 10:57:17.319: As1 LCP:  (0x04)
Mar 13 10:57:17.319: As1 IPCP: I CONFACK [REQsent] id 1 len 10
Mar 13 10:57:17.319: As1 IPCP:    Address 172.22.66.23 (0x0306AC164217)
Mar 13 10:57:18.191: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, cha
nged state to up
Mar 13 10:57:19.191: As1 IPCP: TIMEout: State ACKrcvd
Mar 13 10:57:19.191: As1 IPCP: O CONFREQ [ACKrcvd] id 2 len 10
Mar 13 10:57:19.191: As1 IPCP:    Address 172.22.66.23 (0x0306AC164217)
Mar 13 10:57:19.315: As1 IPCP: I CONFACK [REQsent] id 2 len 10
Mar 13 10:57:19.315: As1 IPCP:    Address 172.22.66.23 (0x0306AC164217)
Mar 13 10:57:20.307: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 34
Mar 13 10:57:20.307: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
Mar 13 10:57:20.307: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Mar 13 10:57:20.307: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Mar 13 10:57:20.307: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Mar 13 10:57:20.307: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Mar 13 10:57:20.307: As1 IPCP: O CONFREJ [ACKrcvd] id 2 len 16
Mar 13 10:57:20.307: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Mar 13 10:57:20.307: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Mar 13 10:57:20.419: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 22
Mar 13 10:57:20.419: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
Mar 13 10:57:20.419: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Mar 13 10:57:20.419: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Mar 13 10:57:20.419: As1 IPCP: O CONFNAK [ACKrcvd] id 3 len 22
Mar 13 10:57:20.419: As1 IPCP:    Address 1.1.1.1 (0x030601010101)
Mar 13 10:57:20.419: As1 IPCP:    PrimaryDNS 171.68.10.70 (0x8106AB440A46)
Mar 13 10:57:20.419: As1 IPCP:    SecondaryDNS 171.68.10.140 (0x8306AB440A8C)
Mar 13 10:57:20.543: As1 IPCP: I CONFREQ [ACKrcvd] id 4 len 22
Mar 13 10:57:20.543: As1 IPCP:    Address 1.1.1.1 (0x030601010101)
Mar 13 10:57:20.547: As1 IPCP:    PrimaryDNS 171.68.10.70 (0x8106AB440A46)
Mar 13 10:57:20.547: As1 IPCP:    SecondaryDNS 171.68.10.140 (0x8306AB440A8C)
Mar 13 10:57:20.547: As1 IPCP: O CONFACK [ACKrcvd] id 4 len 22
Mar 13 10:57:20.547: As1 IPCP:    Address 1.1.1.1 (0x030601010101)
Mar 13 10:57:20.547: As1 IPCP:    PrimaryDNS 171.68.10.70 (0x8106AB440A46)
Mar 13 10:57:20.547: As1 IPCP:    SecondaryDNS 171.68.10.140 (0x8306AB440A8C)
Mar 13 10:57:20.547: As1 IPCP: State is Open
Mar 13 10:57:20.551: As1 IPCP: Install route to 1.1.1.1

Table 6

Time Stamp
Description

10:57:15.415

Outgoing configuration request (O CONFREQ). The NAS sends an outgoing PPP configuration request packet to the client.

10:57:15.543

Incoming configuration acknowledgment (I CONFACK). The client acknowledges the NAS' PPP request.

10:57:16.919

Incoming configuration request (I CONFREQ). The client wants to negotiate the callback protocol.

10:57:16.919

Outgoing configuration reject (O CONFREJ). The NAS rejects the callback option.

10:57:17.047

Incoming configuration request (I CONFREQ). The client requests a new set of options. Notice that Microsoft Callback is not requested this time.

10:57:17.047

Outgoing configuration acknowledgment (O CONFACK). The NAS accepts the new set of options.

10:57:17.047

PPP LCP negotiation is completed successfully (LCP: State is Open). Both sides have acknowledged (CONFACK) the other side's configuration request (CONFREQ).

10:57:17.047 to 10:57:17.191

PPP authentication is completed successfully. After LCP negotiates, authentication starts. Authentication must take place before any network protocols, such as IP, are delivered.

Both sides authenticate with the method negotiated during LCP. The Cisco AS5300 is authenticating the client using CHAP.

10:57:20.551

The state is open for IP Control Protocol (IPCP). A route is negotiated and installed for the IPCP peer, which is assigned IP address 1.1.1.1.


Time Stamps and Descriptions for Debug PPP Negotiation Events

Failed authentication is a common occurrence. Misconfigured or mismatched usernames and passwords create error messages in debug output.

The following example shows that the username sam-admin does not have permission to dial in to the NAS, which does not have a local username configured for this user. To fix the problem, use the username name password password command to add the username sam-admin to the NAS' local AAA database:

Mar 13 11:01:42.399: As2 LCP: State is Open
Mar 13 11:01:42.399: As2 PPP: Phase is AUTHENTICATING, by this end
Mar 13 11:01:42.399: As2 CHAP: O CHALLENGE id 1 len 28 from "ISP_NAS"
Mar 13 11:01:42.539: As2 CHAP: I RESPONSE id 1 len 30 from "sam-admin"
Mar 13 11:01:42.539: As2 CHAP: Unable to validate Response.  Username sam-admin not 
found
Mar 13 11:01:42.539: As2 CHAP: O FAILURE id 1 len 26 msg is "Authentication fail
ure"
Mar 13 11:01:42.539: As2 PPP: Phase is TERMINATING

The following example shows that the username sam-admin is configured on the NAS. However, the password comparison failed. To fix this problem, use the username name password password command to specify sam-admin's correct login password:

Mar 13 11:04:06.843: As3 LCP: State is Open
Mar 13 11:04:06.843: As3 PPP: Phase is AUTHENTICATING, by this end
Mar 13 11:04:06.843: As3 CHAP: O CHALLENGE id 1 len 28 from "ISP_NAS"
Mar 13 11:04:06.987: As3 CHAP: I RESPONSE id 1 len 30 from "sam-admin"
Mar 13 11:04:06.987: As3 CHAP: O FAILURE id 1 len 25 msg is "MD/DES compare failed"
Mar 13 11:04:06.987: As3 PPP: Phase is TERMINATING


Note   If you isolated the problem to PPP negotiation and you think that you fixed it, go back to the verification steps and confirm that the problem is resolved. If you are still having problems, go to Step 3.


Step 3—Troubleshooting ISDN

Troubleshoot ISDN if no debug output appeared when you tried debugging PPP negotiation. Turn on ISDN Q.931 debugging and verify that no other debug commands are enabled:

ISP_NAS# debug isdn q931
ISDN Q931 packets debugging is on
ISP_NAS# show debug
ISDN:
  ISDN Q931 packets debugging is on

Send a PPP modem call into the NAS. As the call enters the access server, the following successful call setup messages appear on the NAS' terminal screen. Refer to for a detailed description of the output fields.

ISP_NAS#     
Mar 13 11:06:01.715: ISDN Se0:23: RX <-  SETUP pd = 8  callref = 0x02AD
Mar 13 11:06:01.715:         Bearer Capability i = 0x8090A2
Mar 13 11:06:01.719:         Channel ID i = 0xA98381
Mar 13 11:06:01.719:         Progress Ind i = 0x8283 - Origination address is no
n-ISDN 
Mar 13 11:06:01.719:         Calling Party Number i = '!', 0x83, '4089548021'
Mar 13 11:06:01.719:         Called Party Number i = 0xC1, '5550945'
Mar 13 11:06:01.719: ISDN Se0:23: TX ->  CALL_PROC pd = 8  callref = 0x82AD
Mar 13 11:06:01.719:         Channel ID i = 0xA98381
Mar 13 11:06:01.719: ISDN Se0:23: TX ->  ALERTING pd = 8  callref = 0x82AD
Mar 13 11:06:01.867: ISDN Se0:23: TX ->  CONNECT pd = 8  callref = 0x82AD
Mar 13 11:06:01.895: ISDN Se0:23: RX <-  CONNECT_ACK pd = 8  callref = 0x02AD
Mar 13 11:06:33.619: %LINK-3-UPDOWN: Interface Async4, changed state to up
Mar 13 11:06:38.903: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async4, cha
nged state to up

If this debug output is not displayed on your terminal screen, confirm that the client is dialing the correct telephone number. If the number is correct, troubleshoot the problem with your PRI provider. If you are still having problems, go to Step 4.

Table 7

Time Stamp
Description

11:06:01.715

The NAS receives (RX) the ISDN setup message for an incoming call. Call characteristics appear.

11:06:01.719

The NAS transmits (TX) a call-proceeding message. The NAS has not answered the call as yet.

11:06:01.867

The NAS transmits a connect message and answers the call.

11:06:01.895

The NAS receives a connect acknowledgment, and the connection is established.


Time Stamps and Descriptions for Debug ISDN Q.931 Events

Step 4—Checking the Error Status of the T1 Controllers

Enter the show controller t1 command to display the error status of the T1 controllers. A properly functioning T1 0 controller displays "T1 0 is up" and "No alarms detected." The following example shows four T1 controllers in good working condition:

ISP_NAS# show controller t1
T1 0 is up.
  Applique type is Channelized T1
  No alarms detected.
  Version info of slot 0:  HW: 4, Firmware: 16, PLD Rev: 0

Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x42,
 Board Hardware Version 1.32, Item Number 800-2540-2,
 Board Revision A0, Serial Number 11488142,
 PLD/ISP Version 0.0, Manufacture Date 10-Nov-1998.

  Framing is ESF, Line Code is B8ZS, Clock Source is Line Primary.
  Data in current interval (748 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Total Data (last 30 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
T1 1 is up.
  Applique type is Channelized T1
  No alarms detected.
  Version info of slot 0:  HW: 4, Firmware: 16, PLD Rev: 0

Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x42,
 Board Hardware Version 1.32, Item Number 800-2540-2,
 Board Revision A0, Serial Number 11488142,
 PLD/ISP Version 0.0, Manufacture Date 10-Nov-1998.

  Framing is ESF, Line Code is B8ZS, Clock Source is Line Secondary
.
  Data in current interval (751 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Total Data (last 30 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
T1 2 is up.
  Applique type is Channelized T1
  No alarms detected.
  Version info of slot 0:  HW: 4, Firmware: 16, PLD Rev: 0

Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x42,
 Board Hardware Version 1.32, Item Number 800-2540-2,
 Board Revision A0, Serial Number 11488142,
 PLD/ISP Version 0.0, Manufacture Date 10-Nov-1998.

  Framing is ESF, Line Code is B8ZS, Clock Source is Internal.
  Data in current interval (755 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Total Data (last 30 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
T1 3 is up.
  Applique type is Channelized T1
  No alarms detected.
  Version info of slot 0:  HW: 4, Firmware: 16, PLD Rev: 0

Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x42,
 Board Hardware Version 1.32, Item Number 800-2540-2,
 Board Revision A0, Serial Number 11488142,
 PLD/ISP Version 0.0, Manufacture Date 10-Nov-1998.

  Framing is ESF, Line Code is B8ZS, Clock Source is Internal.
  Data in current interval (757 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Total Data (last 30 15 minute intervals):
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

If counters increase on a specific T1 controller, look closely at the error statistics. Focus on the current interval that is indented under the display field "Data in current interval."

Error counters are recorded over a 24-hour period in 15-minute intervals. You must specify a specific controller number to see this detailed information. Enter the clear controller t1 number command before you look for current error statistics. Error counters stop increasing when the controller is configured correctly.

Step 5—Troubleshooting the Modem Call State Machine

Troubleshoot the modem's call state machine (CSM) by using the debug modem csm command. Troubleshoot the CSM if you do not see PPP debug output, and the show isdn status command and debug isdn q931 command demonstrate good working status:

ISP_NAS# debug modem csm 
Modem Management Call Switching Module debugging is on
ISP_NAS# show debug
Modem Management:
  Modem Management Call Switching Module debugging is on

Send a PPP modem call into the NAS. Transition states in the debug output signify that everything is operating properly. If you do not see transition states, look at the disconnect reason for the modem. For example, enter the show modem log 1/4 command.

See the following example of successful debug output for the debug modem csm command:

ISP_NAS#
Mar 13 11:13:12.487: EVENT_FROM_ISDN::dchan_idb=0x60EA108C, call_id=0x1D, ces=0x
1bchan=0x0, event=0x1, cause=0x0
Mar 13 11:13:12.487: VDEV_ALLOCATE: slot 1 and port 4 is allocated.
Mar 13 11:13:12.487: EVENT_FROM_ISDN:(001D): DEV_INCALL at slot 1 and port 4
Mar 13 11:13:12.487: CSM_PROC_IDLE: CSM_EVENT_ISDN_CALL at slot 1, port 4
Mar 13 11:13:12.487: Mica Modem(1/4): Configure(0x1 = 0x0) 
Mar 13 11:13:12.487: Mica Modem(1/4): Configure(0x23 = 0x0) 
Mar 13 11:13:12.487: Mica Modem(1/4): Call Setup
Mar 13 11:13:12.611: Mica Modem(1/4): State Transition to Call Setup
Mar 13 11:13:12.611: Mica Modem(1/4): Went offhook
Mar 13 11:13:12.611: CSM_PROC_IC1_RING: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 4
Mar 13 11:13:12.631: EVENT_FROM_ISDN::dchan_idb=0x60EA108C, call_id=0x1D, ces=0x1 
bchan=0x0, event=0x4, cause=0x0
Mar 13 11:13:12.631: EVENT_FROM_ISDN:(001D): DEV_CONNECTED at slot 1 and port 4
Mar 13 11:13:12.631: CSM_PROC_IC4_WAIT_FOR_CARRIER: CSM_EVENT_ISDN_CONNECTED at slot 1, 
port 4
Mar 13 11:13:12.631: Mica Modem(1/4): Link Initiate
Mar 13 11:13:13.751: Mica Modem(1/4): State Transition to Connect
Mar 13 11:13:18.903: Mica Modem(1/4): State Transition to Link
ISP_NAS#      
Mar 13 11:13:37.051: Mica Modem(1/4): State Transition to Trainup
Mar 13 11:13:38.731: Mica Modem(1/4): State Transition to EC Negotiating
Mar 13 11:13:39.387: Mica Modem(1/4): State Transition to Steady State
Mar 13 11:13:42.007: %LINK-3-UPDOWN: Interface Async5, changed state to up
Mar 13 11:13:46.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async5, cha
nged state to up
Mar 13 11:14:41.803: Mica Modem(1/4): State Transition to Steady State Speedshif ting
Mar 13 11:14:44.139: Mica Modem(1/4): State Transition to Steady State
Mar 13 11:17:30.475: %SYS-5-CONFIG_I: Configured from console by vty0 (171.68.20
1.22)


Note   If you are still experiencing problems, contact your escalation support personnel.