PPP Callback over ISDN with an AAA provided callback string +

From: Volkov, Dmitry (IDS Canada) (dmitry_volkov@ca.ml.com)
Date: Mon Jul 21 2003 - 16:14:39 GMT-3


Group, Subj needs clarification. Any help is very appreciated
 
ACS has checked on "tacacs+ settings (user setup)" the following options for
user "test1" :
PPP IP, PPP Mult. PPP LCP +No callback verify+enabled as well as dial string
5550131 in the field "Callback using this number"
I did several setups with AAA (tacacs+) ISDN Callback + PPP Mult.
1) Client legacy with dialer map, Server LEGACY NO DIALER MAP (ACS provides
dialstring)
2) Client legacy with dialer map, Server ROTARY GROUP dialer profile (ACS
provides dialstring)
3) Client legacy with dialer map, Server DIALER POOL dialer profile (ACS
provides dialstring)
4) Client legacy with dialer map, Server LEGACY WITH DIALER MAP (local auth)
dialstring locally
5) Client legacy with dialer map, Server LEGACY WITH DIALER MAP (tacacs auth
on ACS) dialstring locally
6) Client with dialer profile, Server ROTARY GROUP dialer profile (ACS
provides dialstring)
7) Client with dialer profile, Server DIALER POOL dialer profile (ACS
provides dialstring)
 
Tests 1-3 :
Client calls Server, Callback is negotiated, Server disconnects call, Server
calls back, 1 BRI channel is UP
Looking at debug (see below) and "sh isdn act" I can see that
above-mentioned has happened.
However output "sh dialer" shows: "Dial reason: dialer session 0xABC" -
Anyway it seems Callback works.
After load threshold is exceeded - Client calls Server and Callback is NOT
negotiated. Server says "No callback configured for user test1". As result
both channels UP in two directions :
Ch 1 (Server-->Client) - callback , Ch2 (Server<----Client) - no callback,
multilink
Tests 1-3 "sh dialer" shows:
BRI1/0:1 - Dialer state is data link layer up ; Interface bound to profile
Di1 ;Connected to 5550131 (test1)
BRI1/0:2 - Dialer state is multilink member; Dial reason: dialer session
0x960 Interface bound to profile Di1
Connected to 5550131 (test1)

Test 4-5:
everything works fine. Both channels "sh dialer" output say:"Dial reason:
Callback return call"
 
Tests 6-7:
Client calls server, callback negotiated, server disconnects, client calls
again (interest packets) through the same 1st channel, the same time server
calls to client beginning callback/multilink via 2nd ch and brings 2nd
channel UP (Server gets callback dialstring from ACS). 1st channel stays
down. I believe callback has happened because I see in "sh isdn act" that
server called client.
Tests 6-7 "sh dialer" shows:
BRI1/0:1 - Dialer state is data link layer up; Interface bound to profile
Di1
Connected to 5550131 (test1)
BRI1/0:2 - Dialer state is multilink member; Dial reason: dialer session
0x12C0
Interface bound to profile Di1; Connected to 5550131 (test1)

 
CONCLUSION: I was not able to have multilink working together with Callback
when ACS provided dialstring via tacacs+ and it also didn't work when client
used dialer profiles, the same time when I provided callback string locally
via dialer maps/dialer strings and did authen via tacacs - Multilink worked
fine (with callback) only when I had legacy DDR on client.
 
What is wrong (configs, IOS, ISDN sim)??? I tried a few IOS versions -
result was about the same, sometimes even worse :(

Another question regarding dialer profiles: I saw many times recommendations
to put ppp callback accept/request, ppp authentication chap ... ppp multilink
under physical int (BRI) as well. However I tried NOT to put these commands
there and I had the same result as when I put them.
Also, in the well-known example at CCO
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a00800946ff.shtml
they put only "ppp auth chap" under BRI. Is it IOS dependent?
 
 
Short excerpt from debug on Server (tests 1-3) is below:
 
Client
Jul 20 17:07:03 UTC: BR0:1 DDR: Callback negotiated - waiting for server disconnect
Jul 20 17:07:03 UTC: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 5550121 server, call lasted 4 seconds
Jul 20 17:07:03 UTC: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
Jul 20 17:07:03 UTC: DDR: Callback client for server 5550121 creat
Jul 20 17:07:09 UTC: Vi1 DDR: Callback received from server 5550121
Jul 20 17:07:27 UTC: BR0:2 DDR: Callback negotiated - waiting for server disconnect
 
Server
Jul 20 17:07:03 UTC: BR1/0:1 AAA/AUTHOR/LCP: Processing AV service=ppp
Jul 20 17:07:03 UTC: BR1/0:1 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Jul 20 17:07:03 UTC: BR1/0:1 AAA/AUTHOR/LCP: Processing AV callback-dialstring=5550131
Jul 20 17:07:03 UTC: BR1/0:1 AAA/AUTHOR/LCP: Processing AV nocallback-verify=1
Jul 20 17:07:03 UTC: BR1/0:1 CHAP: O SUCCESS id 1 len 4
Jul 20 17:07:03 UTC: 320: Same state, 0
Jul 20 17:07:03 UTC: DSES 320: Session create
Jul 20 17:07:03 UTC: AAA/MEMORY: dup_user (0x62BD31F0) user='test1' ruser='' port='BRI1/0:1' rem_addr='5550131' authen_type=CHAP service=PPP priv=1 source='create callback'
Jul 20 17:07:03 UTC: BR1/0:1 DDR: PPP callback Callback server starting to test1 5550131
Jul 20 17:07:03 UTC: BR1/0:1 DDR: disconnecting call
Jul 20 17:07:03 UTC: %ISDN-6-DISCONNECT: Interface BRI1/0:1 disconnected from 5550131 test1, call lasted 4 se
Jul 20 17:07:05 UTC: Di1 DDR: beginning callback to test1 5550131
Jul 20 17:07:09 UTC: Di1: Call connected, 0 packets unqueued, 0 transmitted, 0 discarded
Jul 20 17:07:09 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI1/0:1, changed state to up
Jul 20 17:07:11 UTC: %ISDN-6-CONNECT: Interface BRI1/0:1 is now connected to 5550131 test1
 
Jul 20 17:07:27 UTC: BR1/0:2 DDR: No callback configured for user test1.
 
+++++++++++++++++++++++++++++++++++++++
CONFIGS
 
CALLBACK CLIENT (tests 1-5)
 
hostname client
username server password 0 cisco
!
interface BRI0
 ip address 133.33.33.2 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer map ip 133.33.33.1 name server broadcast 5550121
 dialer load-threshold 10 either
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 42255501310101 5550131
 isdn spid2 42255501320101 5550132
 no peer neighbor-route
 ppp callback request
 ppp authentication chap callin
 ppp chap hostname test1
 ppp multilink
end

CALLBACK CLIENT (tests 6,7)
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 42255501310101 5550131
 isdn spid2 42255501320101 5550132
 ppp callback request
 ppp authentication chap callin
 ppp multilink
!
interface Dialer1
 ip address 133.33.33.2 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer pool 1
 dialer string 5550121
 dialer hold-queue 20
 dialer load-threshold 10 either
 dialer-group 1
 no peer neighbor-route
 ppp callback request
 ppp authentication chap callin
 ppp chap hostname test1
 ppp multilink

client#sh isdn act
--------------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
--------------------------------------------------------------------------------
Call    Calling      Called       Remote  Seconds Seconds Seconds Charges
Type    Number       Number       Name    Used    Left    Idle    Units/Currency
--------------------------------------------------------------------------------
In      5550121   ---N/A---       server      366 Unavail   -
Out 5550121 server 275 Unavail - 0
--------------------------------------------------------------------------------

client#sh dialer

BRI0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
5550122                  0          0    never       -
5550121                 10          0    00:04:41    successful

0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (5 secs)
Dialer state is multilink member
Connected to 5550121 (server)

BRI0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (5 secs)
Dialer state is multilink member
Dial reason: Multilink bundle overloaded
Connected to 5550121 (server)

+++++++++++++++++++++++++++++++
CALLBACK SERVER

hostname server
aaa new-model
aaa authentication ppp lab1 group tacacs+
aaa authorization network lab1 group tacacs+
!
========================
1) LEGACY NO DIALER MAP
interface BRI1/0
 ip address 133.33.33.1 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer idle-timeout 0
 dialer enable-timeout 2
 isdn switch-type basic-ni
 isdn spid1 42255501210101 5550121
 isdn spid2 42255501220101 5550122
 no peer neighbor-route
 no cdp enable
 ppp callback accept
 ppp authentication chap callin lab1
 ppp authorization lab1
 ppp multilink
end
========================
2) ROTARY GROUP
interface BRI1/0
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 isdn switch-type basic-ni
 isdn spid1 42255501210101 5550121
 isdn spid2 42255501220101 5550122
 no cdp enable
 ppp callback accept
 ppp authentication chap callin lab1
 ppp multilink
end
interface Dialer1
 ip address 133.33.33.1 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 2
 no peer neighbor-route
 no cdp enable
 ppp callback accept
 ppp authentication chap callin lab1
 ppp authorization lab1
 ppp multilink
end
========================
3) DIALER POOL:
interface BRI1/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 42255501210101 5550121
 isdn spid2 42255501220101 5550122
 ppp callback accept
 ppp authentication chap callin lab1
 ppp multilink
end
!
interface Dialer1
 ip address 133.33.33.1 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer pool 1
 dialer idle-timeout 0
 dialer enable-timeout 2
 no peer neighbor-route
 no cdp enable
 ppp callback accept
 ppp authentication chap callin lab1
 ppp authorization lab1
 ppp multilink
end
========================
4)& 5) LEGACY WITH DIALER MAP
username test1 password cisco
!
interface BRI1/0
 ip address 133.33.33.1 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer callback-secure
 dialer idle-timeout 0
 dialer enable-timeout 2
 dialer map ip 133.33.33.2 name test1 class ccie broadcast 5550131
 isdn switch-type basic-ni
 isdn spid1 42255501210101 5550121
 isdn spid2 42255501220101 5550122
 no peer neighbor-route
 no cdp enable
 ppp callback accept
 ppp authentication chap callin (lab1 - for test 5)
 ppp authorization lab1 -- for test 5
 ppp multilink
!
map-class dialer ccie
 dialer callback-server username

server#sh dialer

========================
6)& 7) DIALER PROFILES
interface BRI1/0
 no ip address
 encapsulation ppp
 dialer rotary-group 1 (7) or dialer pool-member 1 (6)
 isdn switch-type basic-ni
 isdn spid1 42255501210101 5550121
 isdn spid2 42255501220101 5550122
 no cdp enable
 ppp callback accept
 ppp authentication chap callin lab1
 ppp authorization lab1
 ppp multilink
end
!
interface Dialer1
 ip address 133.33.33.1 255.255.255.0
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf cost 9999
 ip ospf demand-circuit
 dialer in-band (test 7) or dialer pool 1 (test 6)
 dialer idle-timeout 0
 dialer enable-timeout 5
 dialer string 5550131 class ccie (when callback string locally)
 no peer neighbor-route
 no cdp enable
 ppp callback accept
 ppp authentication chap callin lab1
 ppp authorization lab1
 ppp multilink
end

BRI1/0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
5550131                  3          0    00:00:51    successful

0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI1/0:1 - dialer type = ISDN
Idle timer (never), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (2 secs)
Dialer state is multilink member
Dial reason: Callback return call
Connected to 5550131 (test1)

BRI1/0:2 - dialer type = ISDN
Idle timer (never), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (2 secs)
Dialer state is multilink member
Dial reason: Callback return call
Connected to 5550131 (test1)

=========================
server#sh isdn act
--------------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
--------------------------------------------------------------------------------
Call    Calling      Called       Remote  Seconds Seconds Seconds Charges
Type    Number       Number       Name    Used    Left    Idle    Units/Currency
--------------------------------------------------------------------------------
Out 5550131 test1 328 Unavail - 0
In 5550132 ---N/A--- test1 237 Unavail -
--------------------------------------------------------------------------------

server#sh dialer

BRI1/0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status

0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI1/0:1 - dialer type = ISDN
Idle timer (never), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (2 secs)
Dialer state is multilink member
Dial reason: dialer session 0x960
Connected to 5550131 (test1)

BRI1/0:2 - dialer type = ISDN
Idle timer (never), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (2 secs)
Dialer state is multilink member
Connected to 5550132 (test1)
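
Added example, not part of the original post: the server debug quoted in the message shows AAA returning callback-dialstring for test1 and the callback server starting on BR1/0:1, followed by "No callback configured for user test1" on BR1/0:2, so the second link is not tied to the AAA-supplied number. The Python below correlates those debug lines to flag that case; the function name, the finding labels and the assumed "timestamp: interface message" line shape are illustrative choices, not Cisco tooling.

```python
import re

# Server debug lines quoted from the post, with wrapped lines rejoined.
SERVER_DEBUG = """\
Jul 20 17:07:03 UTC: BR1/0:1 AAA/AUTHOR/LCP: Processing AV callback-dialstring=5550131
Jul 20 17:07:03 UTC: BR1/0:1 AAA/AUTHOR/LCP: Processing AV nocallback-verify=1
Jul 20 17:07:03 UTC: BR1/0:1 CHAP: O SUCCESS id 1 len 4
Jul 20 17:07:03 UTC: BR1/0:1 DDR: PPP callback Callback server starting to test1 5550131
Jul 20 17:07:05 UTC: Di1 DDR: beginning callback to test1 5550131
Jul 20 17:07:27 UTC: BR1/0:2 DDR: No callback configured for user test1.
"""

# Assumed line shape: "<timestamp>: <interface> <message>".
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+ \w+): (?P<intf>\S+) (?P<msg>.+)$")
AV_DIALSTRING = re.compile(r"AAA/AUTHOR/LCP: Processing AV callback-dialstring=(\S+)")
CB_START = re.compile(r"DDR: PPP callback Callback server starting to (\S+) (\S+)")
NO_CB = re.compile(r"DDR: No callback configured for user (\S+?)\.?$")


def audit_callback(debug_text):
    """Return (timestamp, interface, user, kind, number) findings."""
    av_number = {}    # interface -> callback-dialstring AAA returned on that channel
    called_back = {}  # user -> number the callback server dialled for that user
    findings = []
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line does not have the assumed shape
        ts, intf, msg = m.group("ts", "intf", "msg")
        if av := AV_DIALSTRING.search(msg):
            av_number[intf] = av.group(1)
        elif cb := CB_START.search(msg):
            user, number = cb.groups()
            called_back[user] = number
            if av_number.get(intf) != number:
                # Callback dialled a number AAA did not return on this channel.
                findings.append((ts, intf, user, "number-not-from-aaa", number))
        elif no := NO_CB.search(msg):
            user = no.group(1)
            # Same user was called back earlier, yet this channel skips callback.
            kind = "callback-skipped" if user in called_back else "no-callback"
            findings.append((ts, intf, user, kind, called_back.get(user)))
    return findings


if __name__ == "__main__":
    for finding in audit_callback(SERVER_DEBUG):
        print(finding)
```

Run against the post's debug it reports one finding, the 17:07:27 event on BR1/0:2 for test1, with 5550131 as the number used for the earlier callback.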


