From: Engelhard M. Labiro (engelhard@xxxxxxxxxxxxxx)
Date: Mon Apr 29 2002 - 08:31:14 GMT-3
Hi,
Thanks to everyone who suggested how to solve the problem,
finally I got the callback to work! Actually there was nothing
basically wrong with the config I posted before; it is the
IOS that caused the callback's problem <gr>
Changing the IOS from 12.2(5) to 12.2(1c) on the callback-client
(san-diego) does solve the problem; it is definitely an IOS bug.
Anyway, I learned a lot more about "callback" configuration,
some notes as follows:
A callback-server has 3 options for looking up where it should
make a callback to the callback-client:
1. By looking at the "dial string" coming from the callback-client.
   The relevant command is "dialer caller <STRING-HERE> callback".
   This is the only command for a callback-server to decide
   whether it should call back to the callback-client.
2. By looking at the "dial username" coming from the callback-client.
   The relevant commands are as follows:
   "dialer map ip BLAH name <NAME-HERE> class <CLASS-NAME>"
   and its related "map-class dialer <CLASS-NAME>" and
   "dialer callback-server username" under map-class mode.
   The command "dialer callback-secure" is only an option to make
   the router stricter in screening the incoming username
   from a callback-client.
3. By looking at the E.164 dial number from the callback-client.
   Can't verify this.
Thanks again.
Engelhard M. Labiro (engelhard@netmarks.co.jp)
Security Group, Technical Solution Center, Netmarks Inc.
2-13-34 Konan, Minato-Ku, Tokyo 108-0075
Tel: +81-3-5461-2575, Fax: +81-3-5461-2093
----- Original Message -----
From: "Lupi, Guy" <Guy.Lupi@eurekaggn.com>
To: "'Engelhard M. Labiro'" <engelhard@netmarks.co.jp>; <ccielab@groupstudy.com>
Sent: Monday, April 29, 2002 12:44 AM
Subject: RE: "dialer callback-secure" prevent me from calling back ! HELP
> I saw that you had "isdn caller 12 callback" in the config of the called
> router, as well as a callback class and dialer callback-secure. Try
> removing the isdn caller 12 callback and see what happens, do a debug
> callback on the called router and if it still fails see what the router
> says.
>
> ~-----Original Message-----
> ~From: Engelhard M. Labiro [mailto:engelhard@netmarks.co.jp]
> ~Sent: Sunday, April 28, 2002 10:35 AM
> ~To: ccielab@groupstudy.com
> ~Subject: "dialer callback-secure" prevent me from calling back ! HELP
> ~
> ~
> ~Members,
> ~
> ~As the subject says, I can't make a callback to the callback client
> ~if "dialer callback-secure" is configured on the callback-server.
> ~There is no problem for the callback-server to initiate a callback
> ~if that command is not configured.
> ~I know that this must be related to dialer map ip name class
> ~and map-class configuration, but I already spent a whole day
> ~trying to figure this out without success.
> ~Any help would be appreciated.
> ~
> ~The following are the configurations, debug results, etc:
> ~
> ~1. Network config
> ~Please refer to Solie's book Lab 17.
> ~green-bay------FR (ISDN backup)-------san-diego
> ~
> ~green-bay is the callback-server , IOS 12.1(12a)
> ~san-diego is the callback-client , IOS 12.2(5)
> ~
> ~2. "debug dialer" result
> ~
> ~From green-bay console:
> ~
> ~green-bay#sd
> ~Dial on demand:
> ~ Dial on demand events debugging is on
> ~green-bay#1d00h: BR0/0:caller id callback to 12 but callback secure
> ~green-bay#1d00h: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> ~green-bay#1d00h: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from 12 san-diego, call lasted 1 seconds
> ~1d00h: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> ~green-bay#1d00h: BR0/0:1 DDR: disconnecting call
> ~green-bay#
> ~
> ~From san-diego console (first initiate a trigger packet by ping).
> ~
> ~san-diego#ping 10.10.20.2
> ~
> ~Type escape sequence to abort.
> ~Sending 5, 100-byte ICMP Echos to 10.10.20.2, timeout is 2 seconds:
> ~
> ~1d00h: BR0/0 DDR: Dialing cause ip (s=10.10.10.5, d=10.10.20.2)
> ~1d00h: BR0/0 DDR: Attempting to dial 11
> ~1d00h: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> ~1d00h: BR0/0:1 DDR: Callback negotiated - Disconnecting now
> ~1d00h: BR0/0:1 DDR: disconnecting call.
> ~1d00h: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 11 green-bay
> ~1d00h: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> ~1d00h: DDR: Callback client for green-bay 11 created
> ~1d00h: BR0/0:1 DDR: disconnecting call....
> ~Success rate is 0 percent (0/5)
> ~san-diego#
> ~1d00h: DDR: No callback received from green-bay 11
> ~1d00h: DDR: Freeing callback to green-bay 11
> ~san-diego#
> ~
> ~3. Router configuration
> ~
> ~san-diego router as follow:
> ~version 12.2
> ~service timestamps debug uptime
> ~service timestamps log uptime
> ~no service password-encryption
> ~!
> ~hostname san-diego
> ~!
> ~!
> ~username green-bay password 0 pass1
> ~ip subnet-zero
> ~!
> ~!
> ~no ip domain-lookup
> ~!
> ~ip audit notify log
> ~ip audit po max-events 100
> ~ip ssh time-out 120
> ~ip ssh authentication-retries 3
> ~!
> ~isdn switch-type ntt
> ~interface Serial0/0
> ~ no ip address
> ~ encapsulation frame-relay
> ~ no fair-queue
> ~ clockrate 2000000
> ~!
> ~interface Serial0/0.1 point-to-point
> ~ ip address 10.10.10.2 255.255.255.252
> ~ frame-relay interface-dlci 604
> ~!
> ~interface BRI0/0
> ~ ip address 10.10.10.5 255.255.255.252
> ~ encapsulation ppp
> ~ ip ospf cost 9999
> ~ ip ospf demand-circuit
> ~ dialer idle-timeout 60
> ~ dialer wait-for-carrier-time 10
> ~ dialer map ip 10.10.10.6 name green-bay broadcast 11
> ~ dialer load-threshold 1 outbound
> ~ dialer-group 1
> ~ isdn switch-type ntt
> ~ ppp callback request
> ~ ppp authentication chap
> ~ ppp multilink
> ~!
> ~!
> ~router ospf 1
> ~ log-adjacency-changes
> ~ network 10.10.10.0 0.0.0.3 area 0
> ~ network 10.10.10.4 0.0.0.3 area 0
> ~ network 192.168.10.0 0.0.0.127 area 1
> ~!
> ~ip classless
> ~ip http server
> ~ip pim bidir-enable
> ~!
> ~dialer-list 1 protocol ip permit
> ~!
> ~
> ~green-bay configuration:
> ~
> ~version 12.1
> ~service timestamps debug uptime
> ~service timestamps log uptime
> ~no service password-encryption
> ~!
> ~hostname green-bay
> ~!
> ~!
> ~username san-diego password 0 pass1
> ~!
> ~!
> ~!
> ~!
> ~memory-size iomem 30
> ~ip subnet-zero
> ~no ip domain-lookup
> ~!
> ~isdn switch-type ntt
> ~!
> ~interface Serial0/0
> ~ bandwidth 56000
> ~ no ip address
> ~ encapsulation frame-relay
> ~ no fair-queue
> ~!
> ~interface Serial0/0.1 point-to-point
> ~ ip address 10.10.10.1 255.255.255.252
> ~ frame-relay interface-dlci 406
> ~!
> ~!
> ~interface BRI0/0
> ~ ip address 10.10.10.6 255.255.255.252
> ~ encapsulation ppp
> ~ ip ospf cost 9999
> ~ ip ospf demand-circuit
> ~ dialer callback-secure
> ~ dialer idle-timeout 60
> ~ dialer enable-timeout 5
> ~ dialer map ip 10.10.10.5 name san-diego class CALLBACK broadcast 12
> ~ dialer load-threshold 1 outbound
> ~ dialer-group 1
> ~ isdn switch-type ntt
> ~ isdn caller 12 callback
> ~ ppp callback accept
> ~ ppp authentication chap
> ~!
> ~!
> ~router eigrp 2
> ~ redistribute ospf 1 metric 10000 1000 255 1 1500 match internal external 1 external 2
> ~ network 192.168.20.0
> ~ no auto-summary
> ~ no eigrp log-neighbor-changes
> ~!
> ~router ospf 1
> ~ log-adjacency-changes
> ~ redistribute eigrp 2 subnets
> ~ network 10.10.10.0 0.0.0.3 area 0
> ~ network 10.10.10.4 0.0.0.3 area 0
> ~!
> ~ip classless
> ~ip http server
> ~!
> ~map-class dialer CALLBACK
> ~ dialer callback-server username
> ~dialer-list 1 protocol ip permit
> ~!
> ~!
> ~
> ~
> ~Thanks in advance.
> ~
> ~Engelhard M. Labiro (engelhard@netmarks.co.jp)
> ~Security Group, Technical Solution Center, Netmarks Inc.
> ~2-13-34 Konan, Minato-Ku, Tokyo 108-0075
> ~Tel: +81-3-5461-2575, Fax: +81-3-5461-2093
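
The callback lookups listed in the notes at the top of this message, as an added example that is not part of the thread and not Cisco code: a small Python audit that reads an IOS configuration and reports, per interface, whether the callback destination comes from caller ID (option 1) or from the PPP username via a map-class (option 2), and whether "dialer callback-secure" and PPP authentication are configured. The function names and report keys are hypothetical, the sample is constructed from the green-bay lines quoted above, and the parser assumes "name" precedes "class" in the dialer map as it does there.

```python
import re

# Constructed sample: callback-related lines from the green-bay config quoted in the thread.
SAMPLE_CONFIG = """\
interface BRI0/0
 dialer callback-secure
 dialer map ip 10.10.10.5 name san-diego class CALLBACK broadcast 12
 isdn caller 12 callback
 ppp callback accept
 ppp authentication chap
!
map-class dialer CALLBACK
 dialer callback-server username
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level command line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def callback_report(config):
    """Per interface: which callback lookups are configured and how strict."""
    sections, report = parse_sections(config), {}
    # Option 2 needs a map-class that carries "dialer callback-server username".
    username_classes = {
        head.split()[-1] for head, body in sections.items()
        if head.startswith("map-class dialer ")
        and any(re.match(r"dialer callback-server\b.*\busername\b", b) for b in body)}
    for head, body in sections.items():
        if not head.startswith("interface "):
            continue
        maps = [re.match(r"dialer map \S+ \S+ name (\S+) class (\S+)", b) for b in body]
        callers = [re.match(r"(?:isdn|dialer) caller (\S+) callback$", b) for b in body]
        report[head.split()[1]] = {
            "accepts_callback": "ppp callback accept" in body,
            "caller_id_numbers": [m.group(1) for m in callers if m],  # option 1
            "username_peers": [m.group(1) for m in maps if m and m.group(2) in username_classes],
            "callback_secure": "dialer callback-secure" in body,
            "ppp_auth": any(b.startswith("ppp authentication ") for b in body),
        }
    return report
```

An interface that reports both `caller_id_numbers` and `username_peers`, as green-bay does, has two callback lookups configured at once, which is the combination the reply in this thread suggested separating while debugging.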
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:21 GMT-3