Table Of Contents
Configuring L2TP HA Session SSO/ISSU on a LAC/LNS
Prerequisites for L2TP HA Session SSO/ISSU on a LAC/LNS
Restrictions for L2TP HA Session SSO/ISSU on a LAC/LNS
Information About L2TP HA Session SSO/ISSU on a LAC/LNS
ISSU Software Superpackage and Rolling Upgrade Requirements
Software Upgrades and Downgrades
How to Configure L2TP HA Session SSO/ISSU on a LAC/LNS
Configuring SSO on a Route Processor
Configuring Global L2TP HA SSO Mode
Configuring VPDN Groups or VPDN Templates for L2TP HA SSO
Controlling Packet Resynchronization for L2TP HA
Verifying the Checkpoint Status of L2TP HA Sessions
Verifying the Checkpoint Status of VPDN Sessions
Troubleshooting L2TP or VPDN Redundancy Sessions
Configuring L2TP HA SSO/ISSU on a RADIUS Server
Configuration Examples for L2TP HA Session SSO/ISSU on a LAC/LNS
Configuring SSO on a Route Processor: Example
Configuring L2TP High Availability: Example
Displaying L2TP Checkpoint Status: Examples
Displaying L2TP Redundancy Information: Example
Displaying L2TP Redundancy Detail Information: Example
Displaying All L2TP Redundancy Information: Example
Displaying L2TP Redundancy ID Information: Example
Displaying L2TP Redundancy Detail ID Information: Example
Feature Information for L2TP HA Session SSO/ISSU on a LAC/LNS
Configuring L2TP HA Session SSO/ISSU on a LAC/LNS
First Published: September. 22, 2008Last Updated: November 25, 2009The L2TP HA Session SSO/ISSU on a LAC/LNS feature provides a generic stateful switchover and In Service Software Upgrade (SSO/ISSU) mechanism for Layer 2 Tunneling Protocol (L2TP) on a Layer 2 Access Concentrator (LAC) and a Layer 2 Network Server (LNS). This feature preserves all fully established PPP and L2TP sessions during an SSO switchover or an ISSU upgrade or downgrade.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for L2TP HA Session SSO/ISSU on a LAC/LNS" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for L2TP HA Session SSO/ISSU on a LAC/LNS
•
•
•
•
•
Prerequisites for L2TP HA Session SSO/ISSU on a LAC/LNS
Before you can provide for the L2TP HA Session SSO/ISSU on a LAC/LNS feature, you must:
•
•
•
Restrictions for L2TP HA Session SSO/ISSU on a LAC/LNS
The following restrictions are applicable when configuring L2TP HA Session SSO/ISSU on a LAC/LNS.
•
•
•
–
–
–
Information About L2TP HA Session SSO/ISSU on a LAC/LNS
To implement L2TP HA Session SSO/ISSU on a LAC/LNS feature, you need to understand the following concepts:
•
Stateful Switchover
Development of the stateful switchover (SSO) feature is an incremental step within an overall program to improve the availability of networks constructed with Cisco IOS routers.
In specific Cisco networking devices that support dual RPs, stateful switchover takes advantage of Route Processor (RP) redundancy to increase network availability. The feature establishes one of the RPs as the active processor and designating the other RP as the standby processor, and then synchronizing critical state information between them. Following an initial synchronization between the two processors, SSO dynamically maintains RP state information between them.
A switchover from the active to the standby processor occurs when the active RP fails, is removed from the networking device, or is manually taken down for maintenance.
SSO is particularly useful at the network edge. Traditionally, core routers protect against network faults using router redundancy and mesh connections that allow traffic to bypass failed network elements. SSO provides protection for network edge devices with dual RPs that represent a single point of failure in the network design, and where an outage might result in loss of service for customers.
Note
For complete information of SSO on Cisco IOS routers, see the Stateful Switchover module in the Cisco IOS High Availability Configuration Guide.
Checkpointing Data
SSO always checkpointing or saving and resynchronizing client-specific state data that transfers to a peer client on a remote RP for HA switchover and on the local RP for ION restart. Once a valid checkpointing session is established, the checkpointed state data is established without error.
Add packaging updates here.
ISSU Software Superpackage and Rolling Upgrade Requirements
This section describes the affects on L2TP when performing an ISSU superpackage or subpackage software upgrade or downgrade on a Cisco ASR 1000 Series Router. During the ISSU operation of software upgrades and downgrades, there can be control traffic interruption in some scenarios of ISSU, causing the L2TP resynchronization operation (with L2TP silent switchover) to fail, resulting in a loss of an L2TP tunnel or session.
In general, there is no effect on the data traffic while performing an ISSU superpackage or subpackage software upgrade or downgrade. Data traffic interruptions are contained within a managed and expected operating set. For example, when you upgrade the software for a given spa, the software upgrade only affects the data traffic serviced by that spa; the remaining network continues to operate normally.
Software Upgrades and Downgrades
When you are configuring a superpackage software upgrade or downgrade, L2TP sessions and tunnels might be lost. To help mitigate any potential loss of L2TP tunnels or sessions, use a rolling-upgrade method to help minimize any L2TP tunnel or session outages.
Note
For the Cisco ASR 1000 Series Routers, it is important to realize that ISSU-compatibility depends on the software sub-package being upgraded and the hardware configuration. Consolidated packages are ISSU-compatible in dual RP configurations only and have other limitations. The SPA and SIP software sub-packages must be upgraded on a per-SPA or per-SIP basis.
If you are upgrading a software package on the Cisco ASR 1000 Series Router that requires a reload of the standby Route Processor (RP), you must manually initiate a upgrade of the standby FP, SPA and SIP software with the same version of software provisioned on the new active RP following the switchover, to prevent any reload when the standby RP takes over as the new active RP.
For complete information on ISSU on Cisco ASR 1000 Series Routers, see: http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/issu.html.
Adjusting Receive Window Size
When configuring L2TP HA Session SSO/ISSU on a LAC/LNS, Cisco IOS software internally adjusts the L2TP receive window size to a smaller value. This adjusted receive-window value displays when using the show vpdn tunnel detail command. If required, use the l2tp tunnel resync command to increase the size of the L2TP receive window.
How to Configure L2TP HA Session SSO/ISSU on a LAC/LNS
You can configure L2TP HA globally using the l2tp sso enable command. You can also configure L2TP HA sessions for a specific VPDN group by using the sso enable command in VPDN group configuration mode. Both global and VPDN group L2TP HA sessions are enabled, by default. You must configure both the l2tp sso enable command and the sso enable command for VPDN groups for protocol L2TP to execute L2TP HA session functionality.
Global and VPDN group-specific L2TP HA sessions are hidden from the output of the show running-config command, because they are enabled by default. If you use the no l2tp sso enable command, the HA commands will display as NVGEN and appear in the output of the show running-config command.
After an SSO switchover, L2TP HA sessions determines the sequence numbers used by L2TP peers. Determining sequence numbers can be time consuming if peers send a large number of unacknowledged messages. You can use the l2tp tunnel resync command to control the number of unacknowledged messages sent by a peer. Increasing the value of the number of packets can improve the session setup rate for L2TP HA tunnels with a large number of sessions.
This section contains the following procedures:
•
•
•
•
•
•
•
•
Configuring SSO on a Route Processor
Cisco series Internet routers operate in SSO mode by default after reloading the same version of SSO-aware images on the device.
Before you can use SSO, use must enable SSO on an RP. This task explains how to use the redundancy command to enable SSO on an RP. This task ensures that all redundancy session data, following a SSO, is used to re-create and reestablishes existing sessions to their peer connections.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring Global L2TP HA SSO Mode
Cisco series Internet routers operate in L2TP HA SSO mode by default after reloading the same version of SSO-aware images on the device. No configuration is necessary to enable L2TP HA SSO sessions.
The following procedure shows how to use the l2tp sso enable command to enable or disable HA globally. The l2tp sso enable command is enabled by default.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring VPDN Groups or VPDN Templates for L2TP HA SSO
Perform this task when configuring a VPDN group or a VPDN template for L2TP HA SSO. This configuration example provides recommended scaling parameters to use when the number of VPDN tunnels in use is high, such as 8000 tunnels, with each tunnel supporting only a few VPDN sessions (two or less).
Conversely, if the number of VPDN tunnels is low and the number of VPDN sessions per VPDN tunnel is high, use the l2tp tunnel resync command to increase the resynchronization value. For example, if the number of VPDN session per VPDN tunnel are in the hundreds, use the l2tp tunnel resync command to increase the resynchronization value to a matching value in the hundreds.
Beginning with Cisco IOS XE Release 2.3, you can set the retransmit retries and timeout values to default values.
For HA functionality for a VPDN group, both the l2tp sso enable and sso enable commands must be enabled (default). If either command is disabled, no HA functionality is available for the VPDN group.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Controlling Packet Resynchronization for L2TP HA
After a SSO switchover, L2TP HA determines the sequence numbers used by L2TP peers. Determining sequence numbers can be time consuming, if peers send a large number of unacknowledged messages. You can use the l2tp tunnel resync command to control the number of unacknowledged messages sent by a peer. Increasing the value of the number of packets can improve the session setup rate for L2TP HA tunnels with a large number of sessions.
The following procedure shows how to use the l2tp tunnel resync command, in VPDN-group configuration mode, to control the number of packets a L2TP HA tunnel sends before waiting for an acknowledgement.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Verifying the Checkpoint Status of L2TP HA Sessions
The show l2tp redundancy command provides information regarding the global state of the L2TP or specific L2TP sessions, with regard to their checkpointing status. You can display detailed information on:
•
–
–
–
–
•
–
–
–
–
–
–
•
–
–
–
–
The L2TP HA protocol state information for tunnels configured for HA (HA-enabled) and HA tunnels established successfully (HA-established) should match on the active and standby RP, unless there is a failure.
The output of the show l2tp redundancy command on the standby RP does not display total counter values or values for L2TP resynthesized tunnels. Total counter values would include non-HA protected tunnels and sessions, and these are not present on the standby RP.
To display global L2TP or specific L2TP sessions having checkpoint status, follow this procedure.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying the Checkpoint Status of VPDN Sessions
To verify the checkpoint status of VPDN sessions, follow this procedure.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Troubleshooting L2TP or VPDN Redundancy Sessions
There is extensive troubleshooting aids for L2TP or VPDN redundancy sessions. For example, if the standby RP does not initialize, the show l2tp redundancy command displays a warning message and will display no tunnel or session information.
Router> enableRouter# show l2tp redundancyL2TP HA support: Silent FailoverL2TP HA Status:Checkpoint Messaging on: FALSEStandby RP is up: TRUERecv'd Message Count: 0No HA CC of Session data to display until Standby RP is up.You can use the debug l2tp redundancy or debug vpdn redundancy commands to display debug information relating to L2TP- or VPDN-checkpointing events or errors. Debug information includes:
•
•
•
•
•
•
•
To debug an L2TP or VPDN session having redundancy event errors, follow this procedure.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring L2TP HA SSO/ISSU on a RADIUS Server
Beginning with Cisco IOS XE Software 2.4, you can configure L2TP HA SSO/ISSU on a RADIUS server, using the following RADIUS attribute-value (AV) pair:
cisco:cisco-avpair="vpdn:l2tp-silent-switchover=1"You can configure the L2TP HA SSO/ISSU resynchronous parameter on a RADIUS server, using the following RADIUS AV pair:
cisco:cisco-avpair="vpdn:l2tp-tunnel-resync-packet=<num>"Configuration Examples for L2TP HA Session SSO/ISSU on a LAC/LNS
This section includes the following examples:
•
•
Configuring SSO on a Route Processor: Example
This example shows how to configure L2TP SSO:
Router> enableRouter# configure terminalRouter(config)# redundancyRouter (config-red)# mode ssoRouter (config-red)# exitConfiguring L2TP High Availability: Example
This example shows how to configure L2TP SSO:
Router> enableRouter# configure terminalRouter(config)# l2tp sso enableRouter (config-red)# exitDisplaying L2TP Checkpoint Status: Examples
This section provides the following configuration examples:
•
•
•
•
•
Displaying L2TP Redundancy Information: Example
The following example shows an L2TP redundancy information request:
Router> enableRouter# show l2tp redundancyL2TP HA support: Silent FailoverL2TP HA Status:Checkpoint Messaging on: FALSEStandby RP is up: TRUERecv'd Message Count: 0L2TP Active Tunnels: 1/1/0 (total/HA-enabled/resync)L2TP Active Sessions: 1/1 (total/HA-enabled)L2TP Resynced Tunnels: 1/0 (success/fail)Displaying L2TP Redundancy Detail Information: Example
The following example shows an L2TP redundancy detail information request:
Router> enableRouter# show l2tp redundancy detailL2TP HA support: Silent FailoverL2TP HA Status:Checkpoint Messaging on: FALSEStandby RP is up: TRUERecv'd Message Count: 0L2TP Active Tunnels: 1/1/0 (total/HA-enabled/resync)L2TP Active Sessions: 1/1 (total/HA-enabled)L2TP Resynced Tunnels: 1/0 (success/fail)L2TP HA CC Check Point Status:Local ID : 33003Remote ID : 26355Control Channel state: establishedRemote name : LAC-1Class Name : 1Number of sessions : 1Logical CC ID : 4096Local UDP port : 1701Remote UDP port : 1701Current Ns : 8Currect Nr : 10Check pointed Ns/Nr values available on Standby RPLocal session ID : 28017Remote session ID : 10Local CC ID : 33003Local UDP port : 1701Remote UDP port : 1701Waiting for VPDN application: NoWaiting for L2TP protocol : NoDisplaying All L2TP Redundancy Information: Example
The following example shows an L2TP redundancy all-information request:
Router> enableRouter# show l2tp redundancy allL2TP HA support: Silent FailoverL2TP HA Status:Checkpoint Messaging on: FALSEStandby RP is up: TRUERecv'd Message Count: 0L2TP Active Tunnels: 1/1/0 (total/HA-enabled/resync)L2TP Active Sessions: 1/1 (total/HA-enabled)L2TP Resynced Tunnels: 1/0 (success/fail)L2TP HA CC Check Point Status:State LocID RemID Remote Name Class/Group Num. Sessionsest 33003 26355 LAC-1 1 1L2TP HA Session Status:LocID RemID TunID Waiting for Waiting forVPDN app? L2TP proto?28017 10 33003 No NoDisplaying L2TP Redundancy ID Information: Example
The following example shows an L2TP redundancy information request for ID 33003:
Router> enableRouter# show l2tp redundancy id 33003L2TP HA Session Status:LocID RemID TunID Waiting for Waiting forVPDN app? L2TP proto?28017 10 33003 No NoDisplaying L2TP Redundancy Detail ID Information: Example
The following example shows an L2TP redundancy detail information request for ID 33003:
Router> enableRouter# show vpdn redundancy detail id 33003Local session ID : 28017Remote session ID : 10Local CC ID : 33003Local UDP port : 1701Remote UDP port : 1701Waiting for VPDN application: NoWaiting for L2TP protocol : NoTroubleshooting Tips
This section provides debugging commands you can use to help troubleshoot an L2TP HA SSO session.
The following example configuration shows a debugging session for an LNS:
LNS1> debug enableLNS1# debug l2tp redundancy cfL2TP redundancy cf debugging is onLNS1# debug l2tp redundancy detailL2TP redundancy details debugging is onLNS1# debug l2tp redundancy errorL2TP redundancy errors debugging is onLNS1# debug l2tp redundancy eventL2TP redundancy events debugging is onLNS1# debug l2tp redundancy fsmL2TP redundancy fsm debugging is onLNS1# debug l2tp redundancy resyncL2TP redundancy resync debugging is onLNS1# debug l2tp redundancy rfL2TP redundancy rf debugging is onAdditional References
The following sections provide references related to the L2TP HA Session SSO/ISSU on a LAC/LNS feature.
Related Documents
Cisco IOS commands
ISSU
Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide
L2TP
High availability on Cisco ASR 1000 Series Routers
VPDN technology overview
VPDN Technology Overview, Cisco IOS XE VPDN Configuration Guide
Multihop VPDN
Configuring Multihop VPDN, Cisco IOS XE VPDN Configuration Guide
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for L2TP HA Session SSO/ISSU on a LAC/LNS
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.
