RE: Interesting ISDN/PPP Finding

From: Daniel Cisco Group Study (danielcgs@imc.net.au)
Date: Wed Jun 04 2003 - 19:34:07 GMT-3


Thanks for the feedback... Yes, very interesting (and obscure I guess).
Daniel

-----Original Message-----
From: Joe Martin [mailto:jmartin@capitalpremium.net]
Sent: Thursday, 5 June 2003 1:59 AM
To: Daniel Cisco Group Study; Brian Dennis; CCIE GroupStudy
Subject: RE: Interesting ISDN/PPP Finding

Daniel,

I checked out the dynamic dialer map created on r1 after the ping:
r1#sh dialer map
Dynamic dialer map ip 10.0.0.2 name 8358662 () on BR0

Notice that it points to the number on r2 and not the name.

So I created a static dialer map that pointed to r2's number and the ping
worked fine.

r1#sh run int bri0
Building configuration...

Current configuration : 251 bytes
!
interface BRI0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 0
 dialer map ip 10.0.0.2 name 8358662 broadcast
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
end

r1#sh dialer map
Static dialer map ip 10.0.0.2 name 8358662 () on BR0

r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/37/40 ms
r2#
18:47:37: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
r2#
18:47:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 ms

Of course if I try to use auth now it won't work as the dialer map does not
match the name used for auth.

Interesting!!! Just when I thought I understood ISDN it throws something
new at me. Such is the CCIE life:)

Joe Martin

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Daniel Cisco Group Study
Sent: June 04, 2003 2:40 AM
To: Joe Martin; Brian Dennis; CCIE GroupStudy
Subject: RE: Interesting ISDN/PPP Finding

A very interesting issue...... Here are my thoughts..

Scenario 1: no dialer map - This will rely on "inverse arp" (is that what
it's called in ISDN?) to dynamically map the remote endpoint - Hence pings
are successful. Do a show dialer map to confirm this.

Scenario 2: dialer map - Now you have introduced a static mapping, which
maps the remote ip address to a name. This is where I start to speculate.
What is this name to the router? What does it mean? The remote IP address
has been mapped to some mysterious name..... The router shrugs and gives
up..... encap failed.

Scenario 3: ppp auth chap - After authenticating the inbound call, the
router now knows something about that name in the dialer map..... The router
can now map the remote IP address to the ISDN call......

I think that there's more to it.....

Any contributors?

Daniel

-----Original Message-----
From: Joe Martin [mailto:jmartin@capitalpremium.net]
Sent: Wednesday, 4 June 2003 08:20
To: Brian Dennis; 'CCIE GroupStudy'
Subject: RE: Interesting ISDN/PPP Finding

Brian and all,

Below are configs, debugs, and show output. R2 config stays the same
throughout so I will only list it once.

truncated r2 config:
r2#sh run
Building configuration...

Current configuration : 3303 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
!
username r1 password 0 cisco
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-ni
!
!
!
!
!
interface Serial0
 no ip address
 shutdown
!
interface TokenRing0
 no ip address
 shutdown
!
interface BRI0
 ip address 10.0.0.2 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 30
 dialer map ip 10.0.0.1 name r1 broadcast 8358661
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 0835866201 8358662
 isdn spid2 0835866401 8358664
!
ip classless
ip http server
!
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

Initial r1 config with no dialer map:
r1#sh run
Building configuration...

Current configuration : 757 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
!
username r2 password 0 cisco
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-ni
!
!
!
!
!
interface Serial0
 no ip address
 encapsulation frame-relay
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface TokenRing0
 no ip address
 shutdown
!
interface BRI0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 0
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
!
ip classless
ip http server
!
dialer-list 1 protocol ip permit
!
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

Ping from r2 to r1 bri0 is successful, and sh dialer looks good:
r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/38/40 ms
r2#
00:57:48: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
r2#
00:57:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
r2#
00:57:54: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r1
r2#sh dialer

BRI0 - dialer type = ISDN

Dial String Successes Failures Last DNIS Last status
8358661 12 0 00:00:10 successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=10.0.0.2, d=10.0.0.1)
Time until disconnect 26 secs
Connected to 8358661 (r1)

BRI0:2 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

Now I add dialer map to r1, no authentication:
r1#sh run int bri0
Building configuration...

Current configuration : 246 bytes
!
interface BRI0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 0
 dialer map ip 10.0.0.2 name r2 broadcast
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
end

Ping is unsuccessful, following is debug ip packet output during the ping on
r1 and debug ppp neg output on r2 during the ping.

r2#debug ppp neg
PPP protocol negotiation debugging is on
r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

01:02:59: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
01:02:59: BR0:1 PPP: Treating connection as a callout
01:02:59: BR0:1 PPP: Phase is ESTABLISHING, Active Open
01:02:59: BR0:1 PPP: No remote authentication for call-out
01:02:59: BR0:1 LCP: O CONFREQ [Closed] id 13 len 10
01:02:59: BR0:1 LCP: MagicNumber 0x09189392 (0x050609189392)
01:02:59: BR0:1 LCP: I CONFREQ [REQsent] id 18 len 10
01:02:59: BR0:1 LCP: MagicNumber 0x00693BE8 (0x050600693BE8)
01:02:59: BR0:1 LCP: O CONFACK [REQsent] id 18 len 10
01:02:59: BR0:1 LCP: MagicNumber 0x00693BE8 (0x050600693BE8)
01:02:59: BR0:1 LCP: I CONFACK [ACKsent] id 13 len 10
01:02:59: BR0:1 LCP: MagicNumber 0x09189392 (0x050609189392)
01:02:59: BR0:1 LCP: State is Open
01:02:59: BR0:1 PPP: Phase is UP
01:02:59: BR0:1 IPCP: O CONFREQ [Closed] id 8 len 10
01:02:59: BR0:1 IPCP: Address 10.0.0.2 (0x03060A000002)
01:02:59: BR0:1 CDPCP: O CONFREQ [Closed] id 8 len 4
01:02:59: BR0:1 IPCP: I CONFREQ [REQsent] id 8 len 10
01:02:59: BR0:1 IPCP: Address 10.0.0.1 (0x03060A000001)
01:02:59: BR0:1 IPCP: O CONFACK [REQsent] id 8 len 10
01:02:59: BR0:1 IPCP: Address 10.0.0.1 (0x03060A000001)
01:02:59: BR0:1 CDPCP: I CONFREQ [REQsent] id 8 len 4
01:02:59: BR0:1 CDPCP: O CONFACK [REQsent] id 8 len 4
01:02:59: BR0:1 IPCP: I CONFACK [ACKsent] id 8 len 10
01:02:59: BR0:1 IPCP: Address 10.0.0.2 (0x03060A000002)
01:02:59: BR0:1 IPCP: State is Open
01:02:59: BR0:1 CDPCP: I CONFACK [ACKsent] id 8 len 4
01:02:59: BR0:1 CDPCP: State is Open
01:02:59: BR0 IPCP: Install route to 10.0.0.1
01:03:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up...
01:03:05: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r1.
Success rate is 0 percent (0/5)
r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#

r1#debug ip pack
IP packet debugging is on
r1#
01:01:32: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
01:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
r1#
01:01:34: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:34: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:34: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:36: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:36: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:36: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:38: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:38: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:38: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:38: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662
r1#
01:01:40: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:40: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:40: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:43: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:43: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:43: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:45: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:45: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:45: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:47: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:47: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:47: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:49: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:49: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:49: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#
01:01:51: IP: s=10.0.0.2 (BRI0), d=10.0.0.1 (BRI0), len 100, rcvd 3
01:01:51: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, sending
01:01:51: IP: s=10.0.0.1 (local), d=10.0.0.2 (BRI0), len 100, encapsulation
failed
r1#und all
All possible debugging has been turned off
r1#

Now I add ppp auth chap on r1 and ping is successful:

r1#sh run int bri0
Building configuration...

Current configuration : 271 bytes
!
interface BRI0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 0
 dialer map ip 10.0.0.2 name r2 broadcast
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
 ppp authentication chap
end

r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/36/36 ms
r2#
01:09:12: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
r2#
01:09:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
r2#
01:09:18: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r1
r2#

So what's up?
I have also tried ppp auth chap on just r2, but no go. Same results with
pap auth.

What am I missing?

TIA,

Joe Martin

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Brian Dennis
Sent: June 03, 2003 1:57 PM
To: 'Joe Martin'; 'CCIE GroupStudy'
Subject: RE: Interesting ISDN/PPP Finding

Joe,
Can you send us the configs when you get back to your routers?

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joe Martin
Sent: Tuesday, June 03, 2003 11:58 AM
To: Daniel Free; CCIE GroupStudy
Subject: RE: Interesting ISDN/PPP Finding

Daniel,

Yes, dialer-list and dialer-group were both there.

Thanks,

Joe Martin

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Daniel Free
Sent: June 03, 2003 10:20 AM
To: Joe Martin; CCIE GroupStudy; brian@labforge.com
Subject: Re: Interesting ISDN/PPP Finding

Hi Joe,

I went through the same experience. One question, when you added the
dialer map to R1 with no number did you also add "dialer-group 1" and a
global dialer-list? This seemed to fix the problem for me. Let us know.
Thanks.

Danny

----- Original Message -----
From: "Joe Martin" <jmartin@capitalpremium.net>
To: "CCIE GroupStudy" <ccielab@groupstudy.com>; <brian@labforge.com>
Sent: Tuesday, June 03, 2003 10:57 AM
Subject: Interesting ISDN/PPP Finding

> Let me run this past everyone and see what y'all think.
>
> r1------ISDN-------r2
>
> Both are using ppp encap. R2 is configured with a dialer map pointing to r1
> ip add and number, no auth.
> No dialer maps, strings on r1.
>
> R2 pings R1, isdn dials up and ping is successful.
>
> I then add a dialer map on r1 pointing to r2 ip add but no number. Nothing
> else is changed. Now when r2 pings r1 the isdn dials up successfully, but no
> ping replies from r1.
>
> A debug on r1 shows "encapsulation failed".
>
> If I then add ppp auth chap on both routers or on just r1 (called router),
> then the ping is successful.
>
> If I have auth only on r2, then ping is unsuccessful.
>
> What I found is that no matter how I configured it, r1 would not reply to a
> ping if it was configured with a dialer map but no authentication. If r1
> did not authenticate the calling router (that is to say issue a chap
> challenge), then I would get the encapsulation failed.
>
> My question then is: Why is the dialer map on the called router causing a
> need for authentication in order for a layer 3 packet to be forwarded?
>
> Again, in every scenario, with or without dialer map on r1, and with or
> without authen, the isdn call was successful. There appeared to be no
> layer 2 issues (other than the encap failed from the debug ip pack), a debug
> ppp neg showed that the isdn/ppp connection was fine every time.
>
> Unfortunately I am not in front of my routers so I cannot supply configs,
> but surely they are fine if the only change I make is a "ppp auth chap"
> command on r1 to make everything work.
>
> What's your call?
>
> TIA,
>
> Joe Martin

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************
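
The following is an added example, not part of the original thread and not Cisco's documented algorithm: a small Python model of the name matching the thread's tests point to, run over trimmed copies of r1's BRI0 configurations. The rule it encodes (an inbound call is identified by the authenticated PPP name when r1 authenticates the caller, otherwise by the calling number) is an assumption inferred from the results reported above; the function names are hypothetical.

```python
import re

def parse_bri(config):
    """Return ({peer_ip: map_name}, auth_enabled) for one interface block."""
    maps = dict(re.findall(r"^\s*dialer map ip (\S+) name (\S+)", config, re.M))
    auth = re.search(r"^\s*ppp authentication (chap|pap)", config, re.M) is not None
    return maps, auth

def reply_outcome(config, peer_ip, caller_number, peer_hostname):
    """Predict whether the called router can encapsulate a reply to peer_ip.

    Assumed model: the call's identity is the authenticated name if the
    called router authenticates the caller, else the calling number.
    A static map for peer_ip is usable only if its name equals that
    identity; with no static map, a dynamic one is built from the identity.
    """
    maps, auth = parse_bri(config)
    identity = peer_hostname if auth else caller_number
    if peer_ip not in maps:
        return "ok: dynamic map name " + identity
    if maps[peer_ip] == identity:
        return "ok: static map name " + identity
    return "encapsulation failed: map name %s, call identity %s" % (
        maps[peer_ip], identity)

# Trimmed r1 BRI0 variants taken from the configurations in the thread.
BASE = ("interface BRI0\n ip address 10.0.0.1 255.255.255.0\n"
        " encapsulation ppp\n dialer-group 1\n")
MAP_R2 = " dialer map ip 10.0.0.2 name r2 broadcast\n"
MAP_NUM = " dialer map ip 10.0.0.2 name 8358662 broadcast\n"
CHAP = " ppp authentication chap\n"

SCENARIOS = {
    "no dialer map": BASE,
    "map name r2, no auth": BASE + MAP_R2,
    "map name r2, chap": BASE + MAP_R2 + CHAP,
    "map name 8358662, no auth": BASE + MAP_NUM,
    "map name 8358662, chap": BASE + MAP_NUM + CHAP,
}

def run_all():
    """Evaluate every scenario for a call from r2 (10.0.0.2, 8358662)."""
    return {label: reply_outcome(cfg, "10.0.0.2", "8358662", "r2")
            for label, cfg in SCENARIOS.items()}

if __name__ == "__main__":
    for label, result in run_all().items():
        print("%-28s %s" % (label, result))
```

Without authentication the identity a map name is compared against is only the calling number presented on the call, so a name-based dialer map is tied to a verified peer only when the called router issues the challenge.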




This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:52 GMT-3