Debugging a Virtual Access Service Managed Gateway
Issue: 1.0
Date: 09 July 2013
Table of Contents
1 About this document
1.1 Scope
2 WAN connectivity
2.1 ADSL
2.1.1 Active data connections
2.1.2 ADSL bandwidth
2.1.3 DSL spectrum analyzer
2.1.4 Line history
2.1.5 PPP
2.1.6 LCP
2.1.7 Authentication
2.1.8 IPCP
2.1.9 MLPPP
2.2 3G modem
2.2.1 Signal strength
2.2.2 3G status
2.2.3 GSM status
2.3 PSTN modem
3 IPSec
3.1 Phase I
3.1.1 PFS
3.2 Phase II
4 Port forwarding
4.1 Port forwarding using CLI
4.2 Port forwarding using the web interface
1: About this document _______________________________________________________________________________________________________
1 About this document
1.1 Scope
This guide explains the various tools on a Service Managed Gateway (SMG) that will enable you to debug issues within the following features:
• WAN connectivity
• IPSec
• Port forwarding
This document is for engineers who have previous experience configuring and managing SMG routers.
2: WAN connectivity _______________________________________________________________________________________________________
2 WAN connectivity
Virtual Access routers enable WAN connections and other types of networks, so that users and devices in one location can communicate with users and devices in other locations.
2.1 ADSL
2.1.1 Active data connections
The Active Data Connections page shows the type of connection, IP address, ADSL rates and data uptime duration. The Duration field is a useful support tool as it shows how long the data connection has been up.
From the Start page, click Status. In the Status menu, click Active Data Connections. The Active Data Connections page appears.
Figure 1: The active data connections table
2.1.2 ADSL bandwidth
The ADSL bandwidth graph displays transmitted and received ADSL bandwidth in real time. This is useful for monitoring real-time usage of the WAN link.
Note: you can only view ADSL bandwidth information if your router has an ADSL interface.
In the Status menu, click ADSL Bandwidth. The ADSL Bandwidth page appears.
Figure 2: The ADSL bandwidth page
Command line: sh stats adslbw
Figure 3: Output for the command line sh stats adslbw
2.1.3 DSL spectrum analyzer
The DSL Line Spectrum is part of the ADSL service management support, which allows you to easily establish the source of a fault.
The DSL Spectrum Analyzer provides a graphical real-time display of the line spectrum. This enables you to check for a good ADSL connection at the expected upload and download trained rates. It is also possible to upload the spectrum data so that a record of the line quality can be stored at installation. Then if there are problems the recorded spectrum can be compared to the current data.
In the Status menu, select ADSL Line Spectrum. The ADSL Line Spectrum page appears.
Figure 4: The DSL spectrum analyzer page
Command line: show stats adsl adsl-0
Figure 5: Output of the command line show stats adsl
Use the command show stats adsl-1 to view line 2 statistics.
The ADSL Tx and Rx counters measure the number of transmitted and received packets on the ADSL interface. This view also contains FEC, HEC, CRC and BER error counters as well as detailed ADSL information. This information is critical in determining the quality of an ADSL circuit for VoIP.
To view the ADSL Tx and Rx statistics, from the Start page, click Advanced > Expert View.
In the top menu, click Operations.
In the Operations menu, click performance > interface stats > adsl stats > statistics.
Figure 6: Output of view stats adsl
Important elements to check are outlined below.
ADSL mode: interleaved or fast as outlined above. Note that ADSL2+ circuits will always display fast. To determine if interleaved is on, check if FEC errors are incrementing.
Noise margin: the higher this value the better. This value is determined by the DSLAM SNR rate. The router will train the ADSL line according to this value. The lower the SNR, the higher the training rate, but this may introduce excessive line errors, which can be checked below.
Attenuation: the lower this value the better. This value is an indication of the quality of a line. The further you are from the exchange, the higher this value will be and the more loss you may experience. Attenuation figures above 60 dB will cause poor voice quality.
Error detection and correction: the number of CRC errors indicates errors that were detected and required retransmission. The number of FECs indicates the number of times the decoder detected an error and corrected it. HEC shows the number of error corrections in an ATM cell header. BER shows the ratio of error bits to transmitted bits.
2.1.4 Line history
The Line History view gives a history of ADSL connectivity over a number of days. The applet displays in horizontal blocks of 24 for each hour of the day. You can use the zoom facility to view detailed information for any hour during that period. This tool is useful as the first stop in support. Support teams can view how long the ADSL has been active and how long it has been down, or both. You can also download this line history information in text format.
In the Status menu, click Line History. The Line History page appears.
Figure 7: The line history page
To zoom in on any particular hour of any of the days displayed, either click the box and then click Zoom In, or double-click the box.
Downloaded line history appears in the following format.
Interface  Connection time  Connection date  Disconnection time  Disconnection date  Duration time  Tx Speed  Rx Speed  Description
adsl-0     08:34:13         Dec 25, 2008     08:34:25            Dec 25, 2008        00:00:12       0         0         Connection Lost
adsl-0     08:34:25         Dec 25, 2008     22:34:55            Dec 28, 2008        14:00:30       384       3072      Connection opened, G.DMT, Fast
adsl-0     22:34:55         Dec 28, 2008     22:35:08            Dec 28, 2008        00:00:13       0         0         Connection Lost
adsl-0     22:35:08         Dec 28, 2008     08:09:01            Jan 01, 2009        09:33:53       384       3072      Connection opened, G.DMT, Fast
adsl-0     08:09:01         Jan 01, 2009     08:09:13            Jan 01, 2009        00:00:12       0         0         Connection Lost
Command line: show line history
Figure 8: Output of the command line show line history
2.1.5 PPP
Point-to-Point Protocol (PPP) consists of three layers:
• LCP
• Authentication
• IPCP
2.1.6 LCP
Link Control Protocol (LCP) is the first layer between the CPE and the core network.
A number of configurable parameters are set at the LCP layer.
The CPE sends out a configure request, and the core network either acknowledges (ack) or negatively acknowledges (nak) it.
To debug LCP, type in the following command lines.
Command line: ++all 6
Command line: ++PPPLCP
Command line: ++LCP
The following sample shows the output of the above debug command line.
|12:23:10 LCP Tx ppp-1: configure request id=[185]
|12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|12:23:10 LCP Rx ppp-1: configure request id=[1]
|12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 LCP Rx Opt = Magic Number, Len = 6, Value = b6 25 f7 68
|12:23:10 LCP Tx ppp-1: configure reject id=[1]
|12:23:10 LCP Tx Opt = Magic Number, Len = 6, Value = b6 25 f7 68
|12:23:10 LCP Rx ppp-1: configure ack id=[185]
|12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|12:23:10 LCP Rx ppp-1: configure request id=[2]
|12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 LCP Tx ppp-1: configure ack id=[2]
|12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 lcp up ppp-1
|12:23:10 PPP Debug LCP Layer Up
2.1.7 Authentication
During PPP negotiation, PAP or CHAP authentication is used.
PAP (Password Authentication Protocol) is rarely used in the Virtual Access CPE configuration deployment.
CHAP (Challenge Handshake Authentication Protocol) is widely used in the VA CPE configuration deployment.
Once the link has been established at LCP, the core network will either challenge the CPE, or the CPE authenticates itself by sending the username and password.
To debug authentication, type in the following command lines.
Command line: ++all 6
Command line: ++auth
The following sample shows the output of the above debug command line.
|12:23:10 CHAP rx i/f ppp-1: [Challenge]
|12:23:10 PPP Debug Authenticate Request
|12:23:10 CHAP tx i/f ppp-1: [Response]
|12:23:11 LCP Tx ppp-1: echo request id=[187]
|12:23:12 CHAP rx i/f ppp-1: [Success]
|12:23:12 PPP Debug Authenticate ACK Received
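An added example, not part of the original guide or of Virtual Access code: a Python script that reads debug output in the format shown above and reports which authentication protocol each PPP interface acknowledged during LCP. It decodes the Authentication Protocol option bytes (c2 23 05 is CHAP with MD5; c0 23 would be PAP). The function names and the ppp-9 sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: the ppp-1 lines follow the debug output above; the ppp-9
# lines are a made-up PAP negotiation added for contrast (not from the guide).
SAMPLE_LOG = """\
|12:23:10 LCP Rx ppp-1: configure request id=[1]
|12:23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 LCP Rx Opt = Magic Number, Len = 6, Value = b6 25 f7 68
|12:23:10 LCP Tx ppp-1: configure reject id=[1]
|12:23:10 LCP Tx Opt = Magic Number, Len = 6, Value = b6 25 f7 68
|12:23:10 LCP Rx ppp-1: configure request id=[2]
|12:23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 LCP Tx ppp-1: configure ack id=[2]
|12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 lcp up ppp-1
|12:23:10 CHAP rx i/f ppp-1: [Challenge]
|12:23:10 CHAP tx i/f ppp-1: [Response]
|12:23:12 CHAP rx i/f ppp-1: [Success]
|12:30:01 LCP Rx ppp-9: configure request id=[1]
|12:30:01 LCP Rx Opt = Authentication Protocol, Len = 4, Value = c0 23
|12:30:01 LCP Tx ppp-9: configure ack id=[1]
|12:30:01 LCP Tx Opt = Authentication Protocol, Len = 4, Value = c0 23
|12:30:01 lcp up ppp-9
"""

PACKET = re.compile(r"^\|?\d\d:\d\d:\d\d LCP\s+(Tx|Rx)\s+(\S+): (.+?) id=\[\d+\]")
OPTION = re.compile(r"^\|?\d\d:\d\d:\d\d LCP\s+(Tx|Rx)\s+Opt = (.+?), Len = \d+, Value = ?(.*)$")
LAYER = re.compile(r"^\|?\d\d:\d\d:\d\d lcp (up|down) (\S+)")
CHAP = re.compile(r"^\|?\d\d:\d\d:\d\d CHAP (?:tx|rx) i/f (\S+): \[(Success|Failure)\]")

# CHAP algorithm octet that follows protocol 0xc223 in the option value.
CHAP_ALGORITHMS = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}


def decode_auth_option(value):
    """Decode the hex bytes of an LCP Authentication Protocol option."""
    try:
        raw = bytes.fromhex(value.replace(" ", ""))
    except ValueError:          # truncated or non-hex value in the log
        raw = b""
    if len(raw) < 2:
        return "unparsed (%s)" % value.strip()
    protocol = int.from_bytes(raw[:2], "big")
    if protocol == 0xC023:
        return "PAP"
    if protocol == 0xC223:
        algorithm = raw[2] if len(raw) > 2 else None
        return "CHAP/" + CHAP_ALGORITHMS.get(algorithm, "unknown algorithm")
    if protocol == 0xC227:
        return "EAP"
    return "unknown protocol 0x%04x" % protocol


def audit_lcp_auth(log_text):
    """Return, per PPP interface, the authentication protocol that was acked."""
    report = {}
    current = None  # (direction, interface, code) of the packet whose options follow

    def entry(iface):
        return report.setdefault(iface, {"auth": None, "authenticated_side": None,
                                         "lcp_up": False, "chap_result": None,
                                         "findings": []})

    for line in log_text.splitlines():
        line = line.strip()
        packet, option = PACKET.match(line), OPTION.match(line)
        layer, chap = LAYER.match(line), CHAP.match(line)
        if packet:
            current = packet.groups()
        elif option and current and option.group(1) == current[0]:
            direction, iface, code = current
            if code == "configure ack" and option.group(2) == "Authentication Protocol":
                item = entry(iface)
                item["auth"] = decode_auth_option(option.group(3))
                # A Tx ack accepts the peer's demand that the router authenticates.
                item["authenticated_side"] = "router" if direction == "Tx" else "peer"
        elif layer:
            item = entry(layer.group(2))
            item["lcp_up"] = layer.group(1) == "up"
            if not item["lcp_up"]:
                item["auth"] = item["chap_result"] = None  # renegotiation follows
        elif chap:
            entry(chap.group(1))["chap_result"] = chap.group(2)

    for item in report.values():
        if item["auth"] == "PAP":
            item["findings"].append("PAP acked: the password is sent in cleartext")
        elif item["lcp_up"] and item["auth"] is None:
            item["findings"].append("LCP up with no Authentication Protocol acked")
    return report


if __name__ == "__main__":
    for iface, item in audit_lcp_auth(SAMPLE_LOG).items():
        print(iface, item)
```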
2.1.8 IPCP
Internet Protocol Control Protocol (IPCP) is the final layer of PPP.
To debug IPCP, type the following command lines.
Command line: ++all 6
Command line: ++IPCP
The following sample shows the output of the above debug command line.
|12:23:12 IPCP tx ppp-1: configure request id=[188]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP rx ppp-1: configure request id=[1]
|12:23:12 IPCP rx Opt = Address, Len = 6, Value = 172.19.101.3
|12:23:12 PPP Debug NCP IP Routing Reject
|12:23:12 IPCP tx ppp-1: configure reject id=[1]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 172.19.101.3
|12:23:12 LCP Tx ppp-1: echo request id=[189]
|12:23:12 IPCP rx ppp-1: configure reject id=[188]
|12:23:12 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx ppp-1: configure request id=[190]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP rx ppp-1: configure request id=[2]
|12:23:12 PPP Debug NCP Configuration ACK
|12:23:12 IPCP tx ppp-1: configure ack id=[2]
|12:23:12 LCP Rx ppp-1: echo reply id=[189]
|12:23:12 IPCP rx ppp-1: configure nak id=[190]
|12:23:12 IPCP rx Opt = Address, Len = 6, Value = 172.22.100.96
|12:23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = 8.8.8.8
|12:23:12 IPCP tx ppp-1: configure request id=[191]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 172.22.100.96
|12:23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 8.8.8.8
|12:23:12 IPCP rx ppp-1: configure ack id=[191]
|12:23:12 IPCP rx Opt = Address, Len = 6, Value = 172.22.100.96
|12:23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = 8.8.8.8
|12:23:12 ncp up ppp-1
|12:23:12 PPP Debug NCP Layer Up
The following command lines show a sample debug of PPP.
Command line: ++all 6
Command line: ++PPP
Command line: ++PPPlcp
Command line: ++auth
Command line: ++IPCP
The following sample shows the output of the above debug command line.
|12:23:10 LCP Tx ppp-1: configure request id=[185]
|12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|12:23:10 LCP Rx ppp-1: configure request id=[1]
|12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 LCP Rx Opt = Magic Number, Len = 6, Value = b6 25 f7 68
|12:23:10 LCP Tx ppp-1: configure reject id=[1]
|12:23:10 LCP Tx Opt = Magic Number, Len = 6, Value = b6 25 f7 68
|12:23:10 LCP Rx ppp-1: configure ack id=[185]
|12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|12:23:10 LCP Rx ppp-1: configure request id=[2]
|12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 LCP Tx ppp-1: configure ack id=[2]
|12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|12:23:10 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|12:23:10 lcp up ppp-1
|12:23:10 PPP Debug LCP Layer Up
|12:23:10 CHAP rx i/f ppp-1: [Challenge]
|12:23:10 PPP Debug Authenticate Request
|12:23:10 CHAP tx i/f ppp-1: [Response]
|12:23:11 LCP Tx ppp-1: echo request id=[187]
|12:23:12 CHAP rx i/f ppp-1: [Success]
|12:23:12 PPP Debug Authenticate ACK Received
|12:23:12 IPCP tx ppp-1: configure request id=[188]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP rx ppp-1: configure request id=[1]
|12:23:12 IPCP rx Opt = Address, Len = 6, Value = 172.19.101.3
|12:23:12 PPP Debug NCP IP Routing Reject
|12:23:12 IPCP tx ppp-1: configure reject id=[1]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 172.19.101.3
|12:23:12 LCP Tx ppp-1: echo request id=[189]
|12:23:12 IPCP rx ppp-1: configure reject id=[188]
|12:23:12 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx ppp-1: configure request id=[190]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 0.0.0.0
|12:23:12 IPCP rx ppp-1: configure request id=[2]
|12:23:12 PPP Debug NCP Configuration ACK
|12:23:12 IPCP tx ppp-1: configure ack id=[2]
|12:23:12 LCP Rx ppp-1: echo reply id=[189]
|12:23:12 IPCP rx ppp-1: configure nak id=[190]
|12:23:12 IPCP rx Opt = Address, Len = 6, Value = 172.22.100.96
|12:23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = 8.8.8.8
|12:23:12 IPCP tx ppp-1: configure request id=[191]
|12:23:12 IPCP tx Opt = Address, Len = 6, Value = 172.22.100.96
|12:23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 8.8.8.8
|12:23:12 IPCP rx ppp-1: configure ack id=[191]
|12:23:12 IPCP rx Opt = Address, Len = 6, Value = 172.22.100.96
|12:23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = 8.8.8.8
|12:23:12 ncp up ppp-1
|12:23:12 PPP Debug NCP Layer Up
|12:23:13 LCP Tx ppp-1: echo request id=[192]
|12:23:13 LCP Rx ppp-1: echo reply id=[192]
|12:23:14 LCP Tx ppp-1: echo request id=[193]
|12:23:14 LCP Rx ppp-1: echo reply id=[193]
|12:23:15 LCP Tx ppp-1: echo request id=[194]
|12:23:15 LCP Rx ppp-1: echo reply id=[194]
|12:23:16 LCP Tx ppp-1: echo request id=[195]
|12:23:16 LCP Rx ppp-1: echo reply id=[195]
To check the status of PPP, type the following command.
Command line: show ppp options ppp-1
The following sample shows the output of the PPP status command.
LCP Configured MRU 1482
LCP Configured MRRU 1486
LCP Tx Accepted MRU 1500
LCP Tx Accepted MRRU 1486
LCP Rx Accepted MRU 1486
LCP Rx Accepted Authentication Protocol c22305
LCP Rx Accepted MRRU 1524
LCP Rx Accepted Endpoint Discriminator 01 6c 6e 73 31
IPCP Configured Address 0.0.0.0
IPCP Configured Primary DNS Address 0.0.0.0
IPCP Configured Secondary DNS Address 0.0.0.0
IPCP Tx Accepted Address 172.22.100.96
IPCP Tx Accepted Primary DNS Address 8.8.8.8
IPCP Tx Accepted Secondary DNS Address 4.4.4.4
CCP Configured Stacker LZS Compression 000104
2.1.9 MLPPP
Multilink PPP (MLPPP) is the bonding of two or more ADSL lines. The most common issues are MRRU values that have not been configured correctly or an LNS that is not set up correctly, both of which are outside the scope of this document.
To check the status of MLPPP, type the following command.
Command line: show stats mlppp all
The following sample shows the output of the MLPPP status command.
Bundle Uptime: 001:19:20:40 (DDD:HH:MM:SS)
Active links: 2 (2)
Username:
Endpoint Discriminator: 01 6c 6e 73 31
Local MRRU: 1486
Remote MRRU: 1524
Transmitted Packets: 2585602
Received Packets: 3249965
Received Fragmented Packets: 0
Bundle Id: 1
Member Links: 2
Last Processed Seq: 3257543
MRRU: 1524
MP header format: Long
Total Pkts Tx / Rx: 2585602 / 3249965
Total Bytes Tx / Rx: 892585393 / 2959041473
Total Frags Tx / Rx: 2585593 / 3249965
Single Frags Tx / Rx: 2585601 / 3249965
NULL Frags Tx / Rx: 0 / 0
Dropped Pkts Tx / Rx: 0 / 0
Non-MP Pkts Tx / Rx: 312084 / 312195
RX out of sequence frags: 2216702
RX pkts discarded (frag loss): 0
RX frags discarded (frag loss): 0
RX pkts expired: 10351
RX pkts arrived too late: 3196
Maximum too late arrival(ms): 262
Sequence queue bypassed: 975171
Sequence queue overflow: 36
Link ppp-1 ppp-2
Bundle ID 1 1
Uptime (DDD:HH:MM:SS) 001:19:20:40 000:02:06:28
Last Received Seq 3257542 3257543
Load Balance Bytes Tx 20587844 20642535
Bytes Tx 445385821 20642535
Bytes Rx 1643887292 279305691
Frags Tx 1292929 153028
Frags Rx 2015953 285719
Single Frags Tx 1292928 153028
Single Frags Rx 2015952 285719
NULL Frags Tx 0 0
NULL Frags Rx 0 0
Dropped Pkts Tx 0 0
Dropped Pkts Rx 0 0
Non-MP Pkts Tx 156050 7587
Non-MP Pkts Rx 156130 7586
The following command lines show a sample debug of MLPPP.
Command line: ++all 6
Command line: ++PPP
Command line: ++PPPLCP
Command line: ++auth
Command line: ++IPCP
Command line: ++MLPPP
The following sample shows the output of the above MLPPP debug command lines.
|13:03:27 LCP Tx ppp-2: configure request id=[122]
|13:03:27 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1482
|13:03:27 POE link up ppp-2
|13:03:28 LCP Rx ppp-2: configure request id=[6]
|13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Rx Opt = Magic Number, Len = 6, Value = 5e f4 ef 4a
|13:03:28 LCP Tx ppp-2: configure reject id=[6]
|13:03:28 LCP Tx Opt = Magic Number, Len = 6, Value = 5e f4 ef 4a
|13:03:28 LCP Rx ppp-2: configure ack id=[122]
|13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1482
|13:03:28 LCP Rx ppp-2: configure request id=[7]
|13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Tx ppp-2: configure ack id=[7]
|13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1492
|13:03:28 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 lcp up ppp-2
|13:03:28 PPP Debug LCP Layer Up
|13:03:28 PPP Debug Authenticate Request
|13:03:28 LCP Tx ppp-1: echo request id=[140]
|13:03:28 LCP Tx ppp-2: echo request id=[123]
|13:03:28 LCP Rx ppp-1: echo reply id=[140]
|13:03:28 LCP Rx ppp-2: echo reply id=[123]
|13:03:28 LCP Rx ppp-2: configure request id=[1]
|13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Rx Opt = Magic Number, Len = 6, Value = bd 73 3a f2
|13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = 1524
|13:03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e 73 31
|13:03:28 PPP Debug EPDM accepted
|13:03:28 lcp down ppp-2
|13:03:28 PPP Debug LCP Layer Down
|13:03:28 LCP Tx ppp-2: configure request id=[124]
|13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1482
|13:03:28 LCP Tx Opt = MLPPP MRRU, Len = 4, Value = 1486
|13:03:28 LCP Tx Opt = MLPPP EPDM, Len = 15, Value = 01 30 30 65 30 63 38 30 30
|13:03:28 LCP Tx ppp-2: configure reject id=[1]
|13:03:28 LCP Rx ppp-2: configure nak id=[124]
|13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1500
|13:03:28 PPP Debug LCP NAK
|13:03:28 LCP Tx ppp-2: configure request id=[125]
|13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1500
|13:03:28 LCP Tx Opt = MLPPP MRRU, Len = 4, Value = 1486
|13:03:28 LCP Tx Opt = MLPPP EPDM, Len = 15, Value = 01 30 30 65 30 63 38 30 30
|13:03:28 LCP Rx ppp-2: configure request id=[2]
|13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Rx Opt = Magic Number, Len = 6, Value = bd 73 3a f2
|13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = 1524
|13:03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e 73 31
|13:03:28 PPP Debug EPDM accepted
|13:03:28 LCP Tx ppp-2: configure reject id=[2]
|13:03:28 LCP Tx Opt = Magic Number, Len = 6, Value = bd 73 3a f2
|13:03:28 LCP Rx ppp-2: configure ack id=[125]
|13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1500
|13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = 1486
|13:03:28 LCP Rx Opt = MLPPP EPDM, Len = 15, Value = 01 30 30 65 30 63 38 30 30
|13:03:28 LCP Rx ppp-2: configure request id=[3]
|13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = 1524
|13:03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e 73 31
|13:03:28 PPP Debug EPDM accepted
|13:03:28 LCP Tx ppp-2: configure nak id=[3]
|13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|13:03:28 LCP Rx ppp-2: configure request id=[4]
|13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = 1524
|13:03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e 73 31
|13:03:28 PPP Debug EPDM accepted
|13:03:28 LCP Tx ppp-2: configure ack id=[4]
|13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1486
|13:03:28 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|13:03:28 LCP Tx Opt = MLPPP MRRU, Len = 4, Value = 1524
|13:03:28 LCP Tx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e 73 31
|13:03:28 lcp up ppp-2
|13:03:28 PPP Debug LCP Layer Up
|13:03:28 PPP Debug Authenticate Request
|13:03:28 PPP Debug Authenticate ACK Received
|13:03:28 MP (Link added): port 1 to bundle (id=1)
|13:03:28 ncp up ppp-2
|13:03:28 PPP Debug NCP Layer Up
|13:03:29 LCP Tx ppp-1: echo request id=[141]
|13:03:29 LCP Tx ppp-2: echo request id=[126]
|13:03:29 LCP Rx ppp-1: echo reply id=[141]
|13:03:29 LCP Rx ppp-2: echo reply id=[126]
2.2 3G modem
Depending on the hardware model, some Virtual Access routers have optional 3G modems. The most common issues are signal strength and SIM registration.
Depending on the provider, the SIM will be allocated a public or private IP address, which may or may not be reachable from the internet.
2.2.1 Signal strength
Signal Strength          Description
> -113 dBm, < -89 dBm    Low signal strength - connection not reliable
>= -89 dBm, < -69 dBm    Medium signal strength - Good connection
>= -69 dBm               High signal strength - Excellent connection
Table 1: Samples of signal strength and their values
2.2.2 3G status
Depending on the hardware model, the modem interface will be assigned to either modem-0 or modem-1.
Command line: show modem interface status modem-0
Modem state: Activated
Connected: Yes
Call state: Connected
GSM status
SIM status: Ready
Signal quality: -63 dBm
Network registration: Registered - home network
GPRS network registration: Registered - home network
Operator: vodafone IE
Operator selection: Automatic
Radio access technology: UMTS: HSDPA
IMEI: 355783040128144
Mobile country code: 272
Mobile network code: 01
Location area code: 0BCC
Cell identifier: 000AA787
Active SIM: SIM1
IMSI: 272017111378751
ICCID: 8935301091020030148
Scrambling Code: Not known or not detectable
RSCP: Not known or not detectable
Ec/Io: Not known or not detectable
SIM switch enabled: No
Automatic reset enabled: No
Number of resets: 0
Number of remote disconnects: 0
The following command lines show a sample debug of 3G.
Command line: ++all 6
Command line: ++modem
Command line: ++PPP
Command line: ++PPPLCP
Command line: ++Auth
Command line: ++IPCP
The following shows a sample of the output of GSM status.
|04:16:23 Modem Tx: AT+CGREG?;+CREG?;+CSQ;+COPS=3,0;+COPS?;+COPS=3,2;+COPS?
|04:16:23 Modem Rx: AT+CGREG?;+CREG?;+CSQ;+COPS=3,0;+COPS?;+COPS=3,2;+COPS?
|04:16:23 Modem Rx: +CGREG: 2,1,"0BCC","000AA787",4
|04:16:23 Modem Rx: +CREG: 0,1
|04:16:23 Modem Rx: +CSQ: 25,99
|04:16:23 Modem Rx: +COPS: 0,0,"vodafone IE",2
|04:16:23 Modem Rx: +COPS: 0,2,"27201",2
|04:16:23 Modem Rx: OK
|04:16:26 modem-0: Connecting GPRS/UMTS ()
|04:16:26 Modem Tx: AT+CPIN?
|04:16:26 Modem Rx: AT+CPIN?
|04:16:26 Modem Rx: +CPIN: READY
|04:16:26 Modem Rx: OK
|04:16:26 modem-0: SIM ready
|04:16:26 Modem Tx: AT+CGDCONT=1,"IP",""
|04:16:26 Modem Rx: AT+CGDCONT=1,"IP",""
|04:16:26 Modem Rx: OK
|04:16:26 Modem Tx: ATD*99#
|04:16:26 Modem Rx: ATD*99#
|04:16:27 Modem Rx: CONNECT
|04:16:27 LCP Tx ppp-1: configure request id=[17]
|04:16:27 LCP Tx Opt = Async Control Character Map, Len = 6, Value = 00 00 00 0
|04:16:27 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1518
|04:16:27 LCP Tx Opt = Protocol Field Compression, Len = 2, Value = none
|04:16:27 modem-0: Outgoing call connected
|04:16:27 LCP Rx ppp-1: configure request id=[1]
|04:16:27 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|04:16:27 LCP Rx Opt = Address and Control Field Compression, Len = 2, Value =
|04:16:27 LCP Rx Opt = Protocol Field Compression, Len = 2, Value = none
|04:16:27 LCP Rx Opt = Async Control Character Map, Len = 6, Value = 00 00 00 0
|04:16:27 LCP Rx Opt = Magic Number, Len = 6, Value = f8 11 73 55
|04:16:27 LCP Tx ppp-1: configure reject id=[1]
|04:16:27 LCP Tx Opt = Address and Control Field Compression, Len = 2, Value =
|04:16:27 LCP Tx Opt = Protocol Field Compression, Len = 2, Value = none
|04:16:27 LCP Tx Opt = Async Control Character Map, Len = 6, Value = 00 00 00 0
|04:16:27 LCP Tx Opt = Magic Number, Len = 6, Value = f8 11 73 55
|04:16:27 LCP Rx ppp-1: configure request id=[2]
|04:16:27 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|04:16:27 LCP Tx ppp-1: configure ack id=[2]
|04:16:27 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c2 23 05
|04:16:30 LCP Tx ppp-1: configure request id=[18]
|04:16:30 LCP Tx Opt = Async Control Character Map, Len = 6, Value = 00 00 00 0
|04:16:30 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = 1518
|04:16:30 LCP Tx Opt = Protocol Field Compression, Len = 2, Value = none
|04:16:30 LCP Rx ppp-1: configure ack id=[18]
|04:16:30 LCP Rx Opt = Async Control Character Map, Len = 6, Value = 00 00 00 0
|04:16:30 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = 1518
|04:16:30 LCP Rx Opt = Protocol Field Compression, Len = 2, Value = none
|04:16:30 lcp up ppp-1
|04:16:30 PPP Debug LCP Layer Up
|04:16:30 CHAP rx i/f ppp-1: [Challenge]
|04:16:30 PPP Debug Authenticate Request
|04:16:30 CHAP tx i/f ppp-1: [Response]
|04:16:30 CHAP rx i/f ppp-1: [Success]
|04:16:30 PPP Debug Authenticate ACK Received
|04:16:30 IPCP tx ppp-1: configure request id=[19]
|04:16:30 IPCP tx Opt = Address, Len = 6, Value = 0.0.0.0
|04:16:30 IPCP tx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01
|04:16:30 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 0.0.0.0
|04:16:30 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = 0.0.0.0
|04:16:30 Modem Rx: *EPSB: 3
|04:16:32 Modem Rx: *EPSB: 5
|04:16:32 Modem Rx: *EPSB: 6
|04:16:33 IPCP tx ppp-1: configure request id=[20]
|04:16:33 IPCP tx Opt = Address, Len = 6, Value = 0.0.0.0
|04:16:33 IPCP tx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01
|04:16:33 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 0.0.0.0
|04:16:33 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = 0.0.0.0
|04:16:33 IPCP rx ppp-1: configure request id=[1]
|04:16:33 PPP Debug NCP Configuration ACK
|04:16:33 IPCP tx ppp-1: configure ack id=[1]
|04:16:33 IPCP rx ppp-1: configure nak id=[20]
|04:16:33 IPCP rx Opt = Address, Len = 6, Value = 10.60.237.154
|04:16:33 IPCP rx Opt = Primary DNS Address, Len = 6, Value = 89.19.64.36
|04:16:33 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = 89.19.64.164
|04:16:33 IPCP tx ppp-1: configure request id=[21]
|04:16:33 IPCP tx Opt = Address, Len = 6, Value = 10.60.237.154
|04:16:33 IPCP tx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01
|04:16:33 IPCP tx Opt = Primary DNS Address, Len = 6, Value = 89.19.64.36
|04:16:33 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = 89.19.64.164
|04:16:33 IPCP rx ppp-1: configure ack id=[21]
|04:16:33 IPCP rx Opt = Address, Len = 6, Value = 10.60.237.154
|04:16:33 IPCP rx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01
|04:16:33 IPCP rx Opt = Primary DNS Address, Len = 6, Value = 89.19.64.36
|04:16:33 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = 89.19.64.164
|04:16:33 ncp up ppp-1
|04:16:33 PPP Debug NCP Layer Up
2.3 PSTN modem
Some Virtual Access routers have a PSTN modem, which by default is configured to allow dial-in access or out-of-band management.
The modem interface is assigned to a configured PPP interface, so the same PPP debugging applies.
Some common faults are incorrect or disconnected cabling, PSTN faults and micro filter faults. These can lead to a slow connection over which the router is not contactable because of the poor quality of the line.
The following command lines show a sample debug of the PSTN modem.
Command line: ++all 6
Command line: ++modem
Command line: ++PPP
Command line: ++PPPLCP
Command line: ++Auth
Command line: ++IPCP
super> connect p1
The following shows a sample of the PSTN modem debug output.
|13:18:48 Modem: Dial (900441234567899)
|13:18:48 Modem Tx: atv0w2e0
Connect initiated successfully
|13:18:48 Modem Rx: 0
|13:18:48 Modem Tx: ats7=30dt900441234567899
|13:19:19 Modem Rx: 84
|13:19:19 LCP Tx ppp-1: configure request id=[189]
|13:19:19 Modem: Outgoing Call Connected 33600 bps
|13:19:21 LCP Tx ppp-1: configure request id=[190]
|13:19:21 LCP Rx ppp-1: configure request id=[8]
|13:19:21 LCP Tx ppp-1: configure ack id=[8]
|13:19:21 LCP Rx ppp-1: configure ack id=[190]
|13:19:21 lcp up ppp-1
|13:19:21 PPP Debug LCP Layer Up
|13:19:21 IPCP tx ppp-1: configure request id=[191]
|13:19:21 IPCP rx ppp-1: configure request id=[9]
|13:19:21 IPCP rx Opt = Address, Len = 6, Value = 0.0.0.0
|13:19:21 PPP Debug NCP 0 32801 33 NAK
|13:19:21 IPCP tx ppp-1: configure nak id=[9]
|13:19:21 IPCP tx Opt = Address, Len = 6, Value = 172.168.100.11
|13:19:21 IPCP rx ppp-1: configure ack id=[191]
|13:19:22 IPCP rx ppp-1: configure request id=[10]
|13:19:22 IPCP rx Opt = Address, Len = 6, Value = 172.168.100.11
|13:19:22 PPP Debug NCP Configuration ACK
|13:19:22 IPCP tx ppp-1: configure ack id=[10]
|13:19:22 IPCP tx Opt = Address, Len = 6, Value = 172.168.100.11
|13:19:22 ncp up ppp-1
|13:19:22 PPP Debug NCP Layer Up
3: IPSec _______________________________________________________________________________________________________
3 IPSec
3.1 Phase I
A hybrid protocol called Internet Key Exchange (IKE) establishes and maintains unidirectional communication in an IPSec environment.
Phase I establishes IKE.
There are two ways of implementing Phase I:
• Main mode
• Aggressive mode
Main mode
The most common use of main mode is when both ends of the tunnel use fixed IP addresses.
In main mode, a secure channel is established by sending three packets of data from the initiator and three from the responder.
The most common failures for main mode messages between 1 and 4 are:
• Remote peer not configured to accept VPN negotiations
• Differing exchange types
• DH group mismatch
• Encryption algorithms are wrong
The most common failure for main mode messages 5 and 6 is:
• Pre-shared keys not matching
The following command lines show a sample debug of Phase I.
Command line: ++all 6
Command line: ++ike
The following shows a sample of the output of Phase I debug.
|17:32:45 IKE: MM Msg1 sent for policy 1
|17:32:45 IKE: MM Msg2 received for policy 1
|17:32:45 IKE: Vendor VA1
|17:32:45 IKE: Vendor DPD
|17:32:45 IKE: MM Msg3 sent for policy 1
|17:32:45 IKE: MM msg4 received for policy 1
|17:32:45 IKE: Vendor VA1
|17:32:45 IKE: Vendor DPD
|17:32:45 IKE: ID: IPv4 address, 172.22.100.96
|17:32:45 IKE: Diffie-Hellman negotiated, MM Msg 5 sent for policy 1
|17:32:46 IKE: MM Msg6 received for policy 1
|17:32:46 IKE: ID: IPv4 address, 172.22.100.100
|17:32:46 IKE: Main Mode completed for policy 1
Aggressive mode
The most common use of aggressive mode is when one end of the tunnel uses a fixed IP address and the other is dynamic.
In aggressive mode, a secure channel is established by sending two packets of data from the initiator and three from the responder. This is faster than main mode, but also less secure.
The most common failures for aggressive mode messages between 1 and 4 are:
• Remote peer not configured to accept VPN negotiations
• Differing exchange types
• DH group mismatch
• Encryption algorithms are wrong
The most common failure for aggressive mode messages 5 and 6 is pre-shared keys not matching.
3.1.1 PFS
Perfect Forward Secrecy (PFS) is a means of generating new keys that are unrelated to previously used keys. This means that if an unauthorized party cracks one key, they have no basis for cracking the next one used. To increase security, Virtual Access routers support PFS and automatically change keys regularly.
3.2 Phase II
Phase II establishes the encryption domains and is configured using SPD policies.
When Phase I is completed, the IPSec connection automatically moves on to Phase II. If any further failures occur, the issue lies with the Phase II settings.
In Phase II, when quick mode message 1 is received by the responder, it will always state the subnet that is set in the packet it receives. This makes it easy to verify the SPD subnet addresses.
The most common failures for SPD within Phase II are:
• Security protocol does not match
• ESP authentication set to “no” on one side of the tunnel
• Difference in encryption algorithms setting
• Difference in addresses in SPD apply policies
The following command lines show a sample debug of Phase II.
Command line: ++all 6
Command line: ++SPD
The following shows a sample of the output of Phase II debug.
|17:32:46 IKE: Sending initial contact
|17:32:46 IKE: ID: IPv4 address, 192.168.100.100
|17:32:46 IKE: ID: IPv4 address, 192.168.200.100
|17:32:46 IKE: QM Msg1 sent for policy 1
|17:32:46 IKE: QM Msg 2 received for policy 1
|17:32:46 IKE: ID: IPv4 address, 192.168.200.100
|17:32:46 IKE: ID: IPv4 address, 192.168.100.100
|17:32:46 IKE: QM Msg3 sent for policy 1
|17:32:46 SPD: Phase 2 tunnel up for spd policy 1
|17:32:46 IKE: Quick Mode completed for policy 1
|17:32:46 Link up 01-VPN-IKE1 Src=172.22.100.96 Dest=172.22.100.100
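The failure lists in sections 3.1 and 3.2 can be applied mechanically to a captured debug log. The following is an added example, not part of the original guide or Virtual Access tooling: it reads main mode and quick mode lines in the format shown above, finds how far each policy got, and returns the matching list of likely causes. The stage names, the `triage` function and the rule that "Msg 5 seen without completion" means a message 5/6 failure are assumptions of this example.

```python
import re

# Likely causes per failing stage, copied from the failure lists in this section.
CAUSES = {
    "MM 1-4": ["remote peer not configured to accept VPN negotiations",
               "differing exchange types", "DH group mismatch",
               "encryption algorithms are wrong"],
    "MM 5-6": ["pre-shared keys not matching"],
    "Phase II": ["security protocol does not match",
                 "ESP authentication set to 'no' on one side of the tunnel",
                 "difference in encryption algorithms setting",
                 "difference in addresses in SPD apply policies"],
    "up": [],
}
MSG = re.compile(r"IKE: .*?\b(MM|QM) Msg ?(\d) (?:sent|received) for policy (\d+)", re.I)
DONE = re.compile(r"IKE: (Main|Quick) Mode completed for policy (\d+)")

def triage(log_text):
    """Map each policy in an ++ike / ++SPD capture to (stage, likely causes)."""
    seen = {}  # policy -> highest MM message number and completion flags
    for line in log_text.splitlines():
        if m := MSG.search(line):
            st = seen.setdefault(m.group(3), {"MM": 0, "Main": False, "Quick": False})
            if m.group(1).upper() == "MM":
                st["MM"] = max(st["MM"], int(m.group(2)))
        elif m := DONE.search(line):
            st = seen.setdefault(m.group(2), {"MM": 0, "Main": False, "Quick": False})
            st[m.group(1)] = True
    result = {}
    for policy, st in seen.items():
        if st["Quick"]:
            stage = "up"
        elif st["Main"]:
            stage = "Phase II"      # Phase I finished, quick mode did not
        elif st["MM"] >= 5:
            stage = "MM 5-6"        # heuristic (assumption): Msg 5 seen, no completion
        else:
            stage = "MM 1-4"
        result[policy] = (stage, CAUSES[stage])
    return result

# Constructed captures in the page's log format, not real device output.
PSK_MISMATCH = """|10:05:01 IKE: MM Msg1 sent for policy 2
|10:05:01 IKE: MM Msg2 received for policy 2
|10:05:01 IKE: MM Msg3 sent for policy 2
|10:05:01 IKE: MM msg4 received for policy 2
|10:05:01 IKE: Diffie-Hellman negotiated, MM Msg 5 sent for policy 2"""
PHASE2_FAIL = """|10:09:00 IKE: Main Mode completed for policy 3
|10:09:00 IKE: QM Msg1 sent for policy 3"""
```

Calling `triage(PSK_MISMATCH)` reports policy 2 at stage "MM 5-6", which points at the pre-shared key; only main mode output is handled because that is the only Phase I output the guide shows.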
4: Port forwarding _______________________________________________________________________________________________________
4 Port forwarding
4.1 Port forwarding using CLI
Port forwarding can be configured under the incoming address translation table.
To check whether port forwarding is enabled, type the following command line and check that the output matches the sample below.
Command line: show IPAT incoming all
The following shows a sample of the output of port forwarding enabled.
Entry Interface Prot Local host     Port Gateway address Port
----- --------- ---- -------------- ---- --------------- ----
2.    ppp-1     UDP  172.22.100.96  53   172.22.100.96   53
3.    ppp-1     UDP  192.168.2.1    69   172.22.100.96   69
4.    ppp-1     TCP  192.168.2.2    8844 172.22.100.96   8844
5.    ppp-1     TCP  192.168.2.3    8899 172.22.100.96   8899
6.    ppp-1     TCP  192.168.2.1    23   172.22.100.96   8023
7.    ppp-1     TCP  192.168.2.1    80   172.22.100.96   8080
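When reviewing this table on a managed gateway, it helps to compare each row with the forwards that are supposed to exist and to note rows that publish a cleartext service on the WAN side. The following is an added example, not part of the original guide: it parses the sample output above, reading "Local host / Port" as the internal target and "Gateway address / Port" as the WAN-facing side (an assumption from the column names). The `APPROVED` set and the `CLEARTEXT` port list are hypothetical inputs for the example.

```python
import re

# Well-known cleartext services by (protocol, port). Assumption: the local
# host runs the standard service on that port; the table itself does not say.
CLEARTEXT = {("TCP", 21): "FTP", ("TCP", 23): "Telnet",
             ("TCP", 80): "HTTP", ("UDP", 69): "TFTP"}
ROW = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+(TCP|UDP)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_ipat(text):
    """Parse 'show IPAT incoming all' rows; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line):
            entry, iface, prot, lhost, lport, gw, gport = m.groups()
            rows.append({"entry": int(entry), "iface": iface, "prot": prot,
                         "local": (lhost, int(lport)), "wan": (gw, int(gport))})
    return rows

def audit(rows, approved):
    """approved: set of (prot, wan_port) forwards that are expected to exist."""
    findings = []
    for r in rows:
        if (r["prot"], r["wan"][1]) not in approved:
            findings.append((r["entry"], "forward not in approved list"))
        svc = CLEARTEXT.get((r["prot"], r["local"][1]))
        if svc:
            findings.append((r["entry"], f"cleartext {svc} exposed on WAN port {r['wan'][1]}"))
    return findings

# Sample output as shown on this page.
SAMPLE = """Entry Interface Prot Local host Port Gateway address Port
----- --------- ---- ---------- ---- --------------- ----
2. ppp-1 UDP 172.22.100.96 53 172.22.100.96 53
3. ppp-1 UDP 192.168.2.1 69 172.22.100.96 69
4. ppp-1 TCP 192.168.2.2 8844 172.22.100.96 8844
5. ppp-1 TCP 192.168.2.3 8899 172.22.100.96 8899
6. ppp-1 TCP 192.168.2.1 23 172.22.100.96 8023
7. ppp-1 TCP 192.168.2.1 80 172.22.100.96 8080"""
# Hypothetical approved list for this example.
APPROVED = {("UDP", 53), ("TCP", 8844), ("TCP", 8899)}
```

With these inputs, `audit(parse_ipat(SAMPLE), APPROVED)` flags entries 3, 6 and 7; entry 6 shows why the internal port matters, since Telnet is published on WAN port 8023 rather than 23.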
4.2 Port forwarding using the web interface
To enable port forwarding using the web interface, from the Start page, click Advanced>expert view>system>IP>Address translation>Table.
Configure the target WAN interface, port number and LAN interface and port number.