Nortel Secure Router 8000 Series
Troubleshooting - VPN
Release: 5.3
Publication: NN46240-710
Document Revision: 01.01
Document status: Standard
Document release date: 30 March 2009
www.nortel.
Copyright © 2009 Nortel Networks All Rights Reserved.
Issue 5.3 (19 January 2009) Nortel Networks Inc.

About this document

Overview
This part describes the organization of this document, product version, intended audience, conventions, and update history.

Related versions
The following table lists the product versions to which this document relates.

Chapter | Description
2 | This chapter describes the basic knowledge about Generic Routing Encapsulation (GRE), troubleshooting procedures for GRE faults, troubleshooting cases, diagnostic tools, and FAQs.

General conventions
Convention | Description
Times New Roman | Normal paragraphs use Times New Roman.
Boldface | Names of files, directories, folders, and users use boldface. For example, log in as user root.
Italic | Book titles use italics.
Courier New | Terminal display uses Courier New.

Command conventions
Convention | Description
Boldface | The keywords of a command line use boldface.
Italic | Command arguments use italics.
Convention | Description
> | Multilevel menus use boldface and a greater-than sign (>) separates the menu choices. For example, choose File > Create > Folder.

Keyboard operation
Format | Description
Key | Press the key. For example, press Enter and press Tab.
Key 1+Key 2 | Press the keys concurrently. For example, Ctrl+Alt+A means that you press the three keys at the same time.
Key 1, Key 2 | Press the keys in turn.

1 L2TP troubleshooting

About this chapter
The following table lists the contents of this chapter.

Section | Describes
1.1 L2TP overview | This section describes the concepts that you should know before troubleshooting Layer Two Tunneling Protocol (L2TP).
1.

1.1 L2TP overview
L2TP is a Virtual Private Dial-up Network (VPDN) tunneling protocol. It carries PPP link-layer frames through a tunnel and is applicable to remote access, such as remote user access to the internal resources of the enterprise.
1.1.

1.1.2 L2TP tunnel session setup
Figure 1-2 shows the process for setting up an L2TP tunnel.

10. LNS sends an access request to the RADIUS server for authentication.
11. The RADIUS server reauthenticates this access request and sends back a response if authentication succeeds.
12. If local mandatory CHAP authentication is configured at LNS, LNS authenticates the VPN user by sending a challenge. The VPN user at the PC side sends back a response.
13. LNS resends this access request to the RADIUS server for authentication.

1.2.2 Configuration notes
Item | Sub-item | Description
Configuring AAA | Configure the authentication mode | To use the default local authentication, you need to configure the user name and the password in the AAA mode. To use any other authentication, such as RADIUS, you must configure the RADIUS authentication.
Configuring VT
Configuring L2TP

Item | Sub-item | Description
Domain | The list separator of the user postfix | If you establish the connection with L2TP through the domain, you need to run the l2tp domain command to configure the separator of the user postfix.

[Nortel-LoopBack0] ip address 100.1.1.1 255.255.255.255
[Nortel-LoopBack0] quit
As the tunnel termination IP address, this interface is responsible for removing the L2TP header (decapsulation) and preparing the packet for the next forwarding step.
4. Configure the attributes on the L2TP group to be consistent with those on the LAC side.
# Enable the L2TP.
[Nortel] l2tp enable
# Set the identifier of the domain to be the @ symbol.

Figure 1-4 The flowchart for diagnosing faults on L2TP
Start: Data cannot be transmitted.
- Is the user address correct? No: Configure the correct user address. Yes: continue.
- Is the network free of congestion? No: Solve the problem of the network congestion. Yes: continue.
- Does the tunnel exist? No: Check every configuration and establish the tunnel.
- No: Reconfigure the PPP parameters on the LNS side.

1.2.4 Troubleshooting procedures
The troubleshooting procedures are as follows.

3. Check whether the tunnel authentication and the password are correctly configured on the LAC and LNS ends.
The request for the tunnel authentication can be initiated from either the LAC or the LNS. If one end starts the tunnel authentication, the tunnel can be established only when the remote end also starts the tunnel authentication and the passwords of both ends are consistent.
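
The check in step 3 can be run offline against saved configuration text from both ends. The following Python sketch is an added example, not part of the Nortel document or its tooling. It uses only the l2tp-group commands that appear in this guide. The LAC sample lines and the finding names are constructed for illustration. It assumes that tunnel authentication is active only when the command is present in the text, and that simple stores the password as plain text while cipher stores ciphertext that cannot be compared across devices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configurations in the bracketed-prompt style of this guide.
# The LAC lines are assumed for illustration; the passwords are sample values.
LAC_CONFIG = """\
[Nortel] l2tp enable
[Nortel] l2tp-group 1
[Nortel-l2tp1] tunnel name LAC
[Nortel-l2tp1] tunnel authentication
[Nortel-l2tp1] tunnel password simple 12345
"""

LNS_CONFIG = """\
[Nortel] l2tp enable
[Nortel] l2tp-group 1
[Nortel-l2tp1] tunnel name LNS
[Nortel-l2tp1] allow l2tp virtual-template 1
[Nortel-l2tp1] tunnel authentication
[Nortel-l2tp1] tunnel password simple 54321
"""

PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")            # leading "[Nortel-l2tp1] "
PASSWORD = re.compile(r"^tunnel password (simple|cipher) (\S+)$")


@dataclass
class TunnelAuth:
    l2tp_enabled: bool = False
    authentication: bool = False
    password_mode: Optional[str] = None   # "simple" or "cipher"
    password: Optional[str] = None


def parse_tunnel_auth(config: str) -> TunnelAuth:
    """Extract the tunnel authentication settings from one end's config text."""
    auth = TunnelAuth()
    for raw in config.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue                       # skip blank lines and "# comment" lines
        if line == "l2tp enable":
            auth.l2tp_enabled = True
        elif line == "tunnel authentication":
            auth.authentication = True
        else:
            match = PASSWORD.match(line)
            if match:
                auth.password_mode, auth.password = match.groups()
    return auth


def compare_ends(lac: TunnelAuth, lns: TunnelAuth) -> List[str]:
    """Return findings that would keep the tunnel from authenticating."""
    findings: List[str] = []
    ends = (("LAC", lac), ("LNS", lns))
    for name, end in ends:
        if not end.l2tp_enabled:
            findings.append(f"{name}: L2TP_NOT_ENABLED")
    if lac.authentication != lns.authentication:
        # One end starts tunnel authentication and the other does not.
        findings.append("AUTH_ENABLED_ON_ONE_END_ONLY")
        return findings
    if not lac.authentication:
        return findings
    for name, end in ends:
        if end.password is None:
            findings.append(f"{name}: PASSWORD_MISSING")
        elif end.password_mode == "simple":
            # Assumption: "simple" leaves the secret readable in the config.
            findings.append(f"{name}: PASSWORD_STORED_AS_SIMPLE")
    if lac.password is None or lns.password is None:
        return findings
    if "cipher" in (lac.password_mode, lns.password_mode):
        # Ciphertext cannot be compared as text; re-enter the password instead.
        findings.append("PASSWORD_NOT_COMPARABLE_CIPHER")
    elif lac.password != lns.password:
        findings.append("PASSWORD_MISMATCH")
    return findings


if __name__ == "__main__":
    for finding in compare_ends(parse_tunnel_auth(LAC_CONFIG),
                                parse_tunnel_auth(LNS_CONFIG)):
        print(finding)                     # findings never include the password
```
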

Checking the status of PPP negotiation on the LAC side
The user needs to pass the PPP authentication on the LAC end before the L2TP tunnel and session are established. The methods are as follows:
1. If the LAC end uses local authentication, you can use the local-user user-name password { simple | cipher } password command in the AAA mode to check that the correct user name and password are configured on the LAC end.
2.

Figure 1-5 Networking of the L2TP access to the Layer 3 VPN
(diagram labels: Headquarter 01, Modem, PC1, WAN, PSTN, RouterA, ISDN, LAC, RouterB, tunnel, LNS, PC2, Headquarter 02)

1.3.2 Configuration notes
Item | Sub-item | Description
Configuring AAA | Configure the authentication mode | To use the default local authentication, you need to configure the user name and the password in the AAA mode.

Item | Sub-item | Description
Configuring L2TP
Bind the VPN | Bind the corresponding VPN in the VT view.
Enable L2TP | L2TP can be configured only after L2TP is enabled.
The source interface of the tunnel on the LAC side | You can specify the loopback interface, Ethernet interface, and GigabitEthernet interface as the source interface of the tunnel.

Item | Sub-item | Description
Domain | — | Generally, bind VTs and configure address pools in the domain view when L2TP users access Layer 3 VPN groups. In other cases, bind VTs in the L2TP group view.
VPN | Configure the VPN instances | Configure the VPN instances and then associate them to the VT.

The following section describes the configuration based on the preceding networking environment.
1. Configure the user side.

[Nortel] l2tp enable
[Nortel] l2tp domain suffix-separator @
[Nortel] l2tp-group 1
[Nortel-l2tp1] tunnel name LNS
[Nortel-l2tp1] allow l2tp virtual-template 1
[Nortel-l2tp1] tunnel authentication
[Nortel-l2tp1] tunnel password simple 12345
[Nortel-l2tp1] tunnel destination loopback 0
# When the Nortel LAC device is connected with the device of another company, the user authentication on the LNS side uses LCP renegotiation.

# Create two user names and passwords.
[Nortel-aaa] local-user vpdn@263.net password simple 11111
[Nortel-aaa] local-user vpdn@163.net password simple 22222
In the preceding configuration, you need to modify the AAA configuration if the LNS end uses RADIUS authentication.

1.3.3 Diagnostic flowchart
The diagnostic flowchart is the same as the flowchart shown in Figure 1-4.
1.3.

Fault analysis
The establishment of the session indicates that LAC and LNS are reachable. It also indicates that the request for the connection with the L2TP is initiated. Faults on the LNS may cause the disconnection of the session.
Enable debugging of the L2TP control on the LNS. By verifying the debugging information, you can determine whether the session is disconnected when the interface receives the Call Down message.

1.5 FAQs
- Q: Why is the interface on the LAC side unable to ping through the loopback interface of the LNS?
  A: A possible cause is that the LAC has no route to the loopback interface of the LNS.
- Q: Why is the PPP negotiation between the user and the LAC unsuccessful?
  A: A possible cause is that the authentication modes configured on the user and the LAC are different (one is PAP and the other is CHAP).

  - In other cases, the authentication mode sent by the LAC is used regardless of the type of authentication mode configured on the VT.
  When the LCP is configured for renegotiation and no authentication is configured on the VT, the user is authenticated once. In other cases, the user is authenticated twice.

1.6 Diagnostic tools
1.6.1 Display commands
Command                                                      Description
display l2tp tunnel                                          Displays the L2TP tunnel.
display l2tp session                                         Displays the L2TP session.
display access-user                                          Displays the access user.
display current-configuration configuration | include l2tp   Displays the current L2TP configuration.
display current-configuration configuration aaa              Displays the current AAA configuration.

Table 1-2 Description of the output of the display L2tp session command
Item | Description
Total session | The number of sessions
LocalSID | The ID of the local session (the only identifier of the session)
RemoteSID | The ID of the remote session (the only identifier of the session)
LocalTID | The number of the local identifier

display access-user
# Check the information about the access user.

Authen result : Success
Current author method : Local authorization
Author result : Success
Action flag : Idle
Authen state : Authed
Author state : Idle
Accounting method : No accounting
Accounting start time : 2005-11-25 09:04:45
Accounting state : Ready
ACL-number : -
Priority : -
Up CAR enable : NO
Up average rate : 0(bps)
Up peak rate : 0(bps)
Down CAR enable : NO
Down average rate : 0(bps)
Dow

#
domain default
domain home
 ip pool 2 120.1.1.11 120.1.1.20
#
#
return

display current-configuration interface
# Check the current interface configuration.
display current-configuration interface
#
interface Pos1/0/0
 clock master
 link-protocol ppp
 ip address 31.1.1.2 255.255.0.0
#
interface Virtual-Template1
 ip address 120.1.1.1 255.255.0.0
#
interface Pos1/0/0
 ip address 19.60.1.12 255.0.0.0
#
return
1.6.

*0.2679393 Nortel L2TP/8/L2TDBG: L2TP::Proc Peer control type=1, len = 75
*0.2679473 Nortel L2TP/8/L2TDBG: L2TP::Tunnel 1 rcv SCCRQ in state 1 from 31.1.1.1
*0.2679569 Nortel L2TP/8/L2TDBG: L2TP::Tunnel 1 rcv SCCRQ fill vpn-index 0
*0.2679649 Nortel L2TP/8/L2TDBG: L2TP::Check SCCRQ MSG Type 1
*0.2679729 Nortel L2TP/8/L2TDBG: L2TP::Parse AVP Protocol version: 100
*0.

*0.2683553 Nortel L2TP/8/L2TDBG: L2TP::Parse AVP Last received lcp configure request: 5 6 20 E3 DA 8F
*0.2683681 Nortel L2TP/8/L2TDBG: L2TP::Parse AVP Proxy authenticate type 3.
*0.2683761 Nortel L2TP/8/L2TDBG: L2TP::Parse AVP Proxy authenticate name:yyh@home.
*0.2683857 Nortel L2TP/8/L2TDBG: L2TP::Parse AVP Proxy authentication ID: 40435440.
*0.

*0.2700577 Nortel L2TP/8/L2TDBG:Slot=1; L2TP::IPC sent ctrl L2tp down to main len=16 result=0 to main
*0.2700705 Nortel L2TP/8/L2TDBG:Slot=1; L2TP::IO: Proc ctrl L2TP_LNSINCALL_CLEAR from main
*0.2700801 Nortel L2TP/8/L2TDBG:Slot=1; L2TP::Call 7834 Proc main call clear
*0.2700881 Nortel L2TP/8/L2TDBG:Slot=1; L2TP::LNS Link IO Ctrl Recv Phy CMD 2
*0.2700977 Nortel L2TP/8/L2TDBG:Slot=1; L2TP::LNS Link IO Ctrl Recv Phy CMD 11
*0.

PPP Event: Virtual-Template1:0 IPCP Open Event state initial
*0.2349601 Nortel PPP/8/debug2:Slot=1; PPP State Change: Virtual-Template1:0 IPCP : initial --> starting
*0.2349729 Nortel PPP/8/debug2:Slot=1; PPP Event: Virtual-Template1:0 IPCP Lower Up Event state starting
*0.2349889 Nortel PPP/8/debug2:Slot=1; PPP State Change: Virtual-Template1:0 IPCP : starting --> reqsent
*0.

Virtual-Template1:0 Input IPCP(8021) Pkt, Len 14
State ackrcvd, code ConfReq(01), id 2, len 10
IP Address(3), len 6, val 00000000
*0.2353057 Nortel PPP/8/debug2:Slot=1; PPP Event: Virtual-Template1:0 IPCP RCR-(Receive Config Bad Request) Event state ackrcvd
*0.

2 GRE troubleshooting

About this chapter
The following table describes the contents of this chapter.

Section | Describes
2.1 GRE overview | This section provides the knowledge you need before you troubleshoot the Generic Routing Encapsulation (GRE).
2.2 Troubleshooting GRE | This section provides notes about configuring GRE, the GRE troubleshooting flowchart, and the troubleshooting procedure in a typical GRE network.
2.

2.1 GRE overview
This section covers the following topics:
- Introduction to GRE
- Related concepts of GRE
- Applications of GRE

2.1.1 Introduction to GRE
Generic Routing Encapsulation (GRE) encapsulates packets of any network layer, such as Internetwork Packet Exchange (IPX), to enable their transmission by another network layer protocol such as IP.

Figure 2-2 Two networks interconnecting through the GRE tunnel
(diagram labels: Group1, Group2, Internet, GRE tunnel, NortelA, NortelB)

Encapsulation process
After receiving an IP datagram, the interface on Nortel A that connects with Group 1 sends the datagram to the IP module for processing. The IP module determines how to route this datagram based on the destination address contained in the IP header.

2.2 Troubleshooting GRE
This section covers the following topics:
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure

2.2.1 Typical networking
Figure 2-3 Typical GRE networking diagram
(diagram labels: Nortel3, POS1/0/0 100.1.1.2/24, POS2/0/0 100.2.1.1/24, POS1/0/0 100.1.1.1/24, POS1/0/0 100.2.1.2/24, Nortel1, Nortel2, Tunnel, Tunnel1/0/0 30.1.1.1/24, POS1/0/0 10.1.1.2/24, Tunnel1/0/0 30.1.1.)

Item | Subitem | Notes
Specifying the source address of the tunnel | Source | The source address of a tunnel is the IP address of the physical interface that sends the GRE packets.

[Nortel1] interface tunnel 1/0/0
[Nortel1-Tunnel1/0/0] ip address 30.1.1.1 255.255.255.0
# Specify the source address of the tunnel.
- Configuring the IP address of the interface that sends out packets as the source address:
[Nortel1-Tunnel1/0/0] source 100.1.1.

2.2.3 Troubleshooting flowchart
Figure 2-4 shows the troubleshooting flowchart.

2.2.4 Troubleshooting procedure
This section provides the troubleshooting steps. Two different situations are possible.

Network layer protocol of one end or both ends of the tunnel interface is down
Step 1 Check that both ends of the tunnel use a consistent encapsulation type.
Run the display this interface command in the tunnel interface view to check the encapsulation type.

# Tunnel configuration on Nortel 1
[Nortel1-Tunnel1/0/0] display this
#
interface Tunnel1/0/0
 ip address 30.1.1.1 255.255.255.0
 source 100.1.1.1
 destination 100.2.1.2
#
return

# Tunnel configuration on Nortel 2
[Nortel2-Tunnel1/0/0] display this
#
interface Tunnel1/0/0
 ip address 30.1.1.2 255.255.255.0
 source 100.2.1.2
 destination 100.1.1.

127.0.0.1/32 127.0.0.1 HU t[0] InLoop0 0x0
127.0.0.0/8 127.0.0.1 U t[0] InLoop0 0x0
100.2.1.2/32 127.0.0.1 HU t[0] InLoop0 0x0
100.2.1.0/24 100.2.1.2 U t[0] Pos1/0/0 0x0
10.2.1.2/32 127.0.0.1 HU t[0] InLoop0 0x0
10.2.1.0/24 10.2.1.2 U t[0] Pos2/0/0 0x0
30.1.1.2/32 127.0.0.1 HU t[0] InLoop0 0x0
30.1.1.0/24 30.1.1.

- PCs cannot ping through each other although tunnel interfaces on two ends can ping each other successfully

2.3.1 Ping of the peer tunnel fails although the network layer protocols on both ends are up

Fault symptom
Figure 2-5 Networking diagram of the GRE troubleshooting I
(diagram labels: Loopback1 1.1.1.1/32, Loopback1 2.2.2.2/32, network, Nortel1, Nortel2, GRE Tunnel, Tunnel1/0/0 11.1.1.1/24, Tunnel1/0/0 21.1.1.)

5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error

The output of the command on Nortel 2 is as follows:
[Nortel2] display interface Tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Description : Nortel Series, Tunnel1/0/0 Interface
The Maximum Transmit Unit is 1000 bytes
Internet Address is 21.1.1.

 destination 1.1.1.1
 gre key 2
#
From the preceding display, you can see that the IP addresses of both ends have 24-bit masks. The IP addresses are not in the same network segment: one is 11.1.1.1 and the other is 21.1.1.1.
Use the display fib command on both ends to check whether the route to the peer Tunnel 1/0/0 is configured on both ends.
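
The comparisons made by hand in this case can be scripted over the display this output of both tunnel interfaces. The following Python sketch is an added example, not part of the Nortel document. The two sample outputs are constructed from the addresses in Figure 2-5, the gre key 1 value on Nortel 1 is an assumed sample value, and the finding names are illustrative. It checks that source and destination mirror each other, that the GRE keys match, and whether the tunnel addresses share a segment (if not, a route to the peer tunnel interface is required, to be confirmed with display fib).

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed "display this" output, modelled on the format shown in this guide.
NORTEL1 = """\
#
interface Tunnel1/0/0
 ip address 11.1.1.1 255.255.255.0
 source 1.1.1.1
 destination 2.2.2.2
 gre key 1
#
return
"""

NORTEL2 = """\
#
interface Tunnel1/0/0
 ip address 21.1.1.1 255.255.255.0
 source 2.2.2.2
 destination 1.1.1.1
 gre key 2
#
return
"""

TunnelCfg = Dict[str, Optional[str]]


def parse_tunnel(display_this: str) -> TunnelCfg:
    """Pull the tunnel parameters out of one interface's display this output."""
    cfg: TunnelCfg = {"ip": None, "source": None, "destination": None, "gre_key": None}
    for raw in display_this.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "address"] and len(words) >= 4:
            cfg["ip"] = f"{words[2]}/{words[3]}"        # address/mask
        elif words[:1] == ["source"] and len(words) == 2:
            cfg["source"] = words[1]                    # IP address or interface name
        elif words[:1] == ["destination"] and len(words) == 2:
            cfg["destination"] = words[1]
        elif words[:2] == ["gre", "key"] and len(words) == 3:
            cfg["gre_key"] = words[2]
    return cfg


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_pair(a: TunnelCfg, b: TunnelCfg) -> List[str]:
    """Compare both ends of one GRE tunnel and list what needs attention."""
    findings: List[str] = []
    for name, local, peer in (("A", a, b), ("B", b, a)):
        src, dst = local["source"], peer["destination"]
        if src is None or dst is None:
            findings.append(f"{name}: SOURCE_OR_PEER_DESTINATION_MISSING")
        elif not _is_ip(src):
            # source given as an interface name: its address is not in this output
            findings.append(f"{name}: SOURCE_IS_INTERFACE_RESOLVE_MANUALLY")
        elif src != dst:
            findings.append(f"{name}: SOURCE_NOT_PEER_DESTINATION")
    if a["gre_key"] != b["gre_key"]:
        # also raised when only one end has a key configured
        findings.append("GRE_KEY_MISMATCH")
    if a["ip"] and b["ip"]:
        net_a = ipaddress.ip_interface(a["ip"]).network
        if ipaddress.ip_interface(b["ip"]).ip not in net_a:
            findings.append("TUNNEL_IPS_IN_DIFFERENT_SEGMENTS_ROUTE_NEEDED")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_tunnel(NORTEL1), parse_tunnel(NORTEL2)):
        print(finding)
```
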

Summary
The fact that the network layer protocols of the tunnel interfaces on both ends of the GRE tunnel are up does not guarantee that the GRE tunnel is configured correctly. Two additional requirements exist:
- The GRE keys on both ends are consistent.
- The route to the peer tunnel interface is configured on both ends.
2.3.

If the PCs cannot ping through each other, check that PC1 specifies Nortel 1 as the default gateway and PC2 specifies Nortel 2 as the default gateway.

Troubleshooting procedure
Step 1 Check that a route passes through Tunnel 1/0/0 to 10.2.0.0/16 on Nortel 1.
Step 2 Check that a route passes through Tunnel 2/0/0 to 10.1.0.0/16 on Nortel 2.
Step 3 Check that PC1 specifies Nortel 1 as its default gateway.

Q: Why is the tunnel source interface found to be another interface when the display this interface command is run in the interface view? This happens when specifying an IP address as the tunnel source address, and this IP address belongs to some source interface.
A: The reason is that after tunnel configuration, the IP address assigned for the tunnel source is transferred to another interface.

- On Router C, specify the physical interface of Router C that connects with Router B as the tunnel source interface; specify the physical interface of Router A that connects with Router B as the tunnel destination interface.
- Configure a static route from Router A to Router C and from Router C to Router A.
You can set up a tunnel that spans multiple routers using the preceding method.

Return

Table 2-1 Description of the display this command output
Item | Description
ip address 2.2.2.2 255.255.255.0 | The IP address of the tunnel interface is 2.2.2.2 and the mask is 255.255.255.0.
source Ethernet3/2/0 | The source interface of the tunnel interface is Ethernet 3/2/0.
destination 192.168.1.1 | The destination address of the tunnel interface is 192.168.1.1.
gre key 10 | The key number of the tunnel interface is 10.

Item | Description
Tunnel source 100.1.1.1 (Serial1/0/0), destination 100.1.1.2 | The source address of the tunnel interface is 100.1.1.1 (source interface is Serial 1/0/0) and the destination address is 100.1.1.2.
Tunnel protocol/transport GRE/IP , key disabled | The tunnel protocol is GRE. The network layer protocol is IP. The GRE key is disabled on the tunnel interface.

*0.93688561 PE TUNNEL/8/ATKDBG:Slot=2;Tunnel2/0/0-Out: Mbuf length = 84 from GRE Tunnel out
The preceding information shows the tunnel interface (Tunnel2/0/0) on which packets are encapsulated as well as the packet length.
*0.93688656 PE TUNNEL/8/ATKDBG:Slot=2;Tunnel2/0/0-Out: GRE/IP encapsulated 192.168.1.3->192.168.1.2(len = 108).

2.5.3 Alarms
Item | Description
Alarm message | Same tunnel exist
Meaning | The same tunnel exists.
Possible cause | Only one tunnel can be established with a given source and destination address. You cannot configure the same source and destination address on different tunnel interfaces encapsulated with the same protocol. The source and the destination address identify a tunnel uniquely.
Solution

3 BGP/MPLS IP VPN troubleshooting

About this chapter
The following table describes the contents of this chapter.

Section | Describes
3.1 BGP/MPLS IP VPN overview | This section describes the knowledge you need before you troubleshoot the Border Gateway Protocol (BGP)/Multiprotocol Label Switching (MPLS) IP virtual private network (VPN).
3.

3.1 BGP/MPLS IP VPN overview
This section covers the following topics:
- Introduction to VPN
- Network topology
- Operation model

3.1.1 Introduction to VPN
A public network is a set of uncorrelated systems that can exchange information freely with each other. A private network is owned and managed by a single organization, formed by a group of devices that share information.

3.1.2 Network topology
Figure 3-1 BGP/MPLS VPN network topology
(diagram labels: VPN1, VPN2, Provider Network, CE, PE, P, Site1, Site2, Site3, Site4)

Figure 3-1 shows a basic BGP/MPLS VPN network topology. In a basic BGP/MPLS VPN network topology, the customer edge (CE) can be a host, switch, or router. An adjacency is established between the CE and its directly connected PE.

Figure 3-2 BGP/MPLS VPN instances
(diagram labels: VPN1, VPN2, Site1, Site2, Site3, Site4, CE1, CE2, CE3, CE4, Provider Network, PE1, PE2, P, VRF1, VRF2)

Figure 3-2 shows a BGP/MPLS VPN topology. In a basic BGP/MPLS VPN network topology, a service operator provides BGP/MPLS VPN service to multiple enterprises. Two PEs connect with four different customer sites.

routers. The LSPs can implement a variety of Quality of Service (QoS) functions through configuration.

Forward data traffic
Use Figure 3-2 as an example. If Site 2 has the host (10.2.3.4/16), CE2 performs the longest-match on the destination IP address and forwards packets to PE2. The MPLS uses two layers of labels to forward packets from PE2 to PE1.

Figure 3-3 BGP/MPLS VPN networking
(diagram labels: Loopback 0 1.1.1.1/32, Loopback 0 2.2.2.2/32, Loopback 0 3.3.3.3/32, GbE1/0/0 203.1.1.2/24, GbE2/0/0 10.1.1.101/24, PE1, GbE1/0/0 102.1.1.1/24, P, GbE2/0/0 10.2.1.202/24, PE2, MPLS Backbone, CE1, CE2, vpna Site1, vpna Site2, PC1, PC2)

In Figure 3-3, the following solution is used:
- CE1 and PC1 belong to Site 1 of vpna; CE2 and PC2 belong to Site 2 of vpna.
Item | Subitem | Notes
MPLS | LSR-ID | LSR ID is similar to router ID. An LSR ID specifies an address. LDP, by default, uses this address to establish LDP sessions. The reachability to the LSR ID must be ensured. Two ways exist to configure an LSR ID.
- Generally, the LSR ID is the address of the loopback interface.
BGP |
# Specify the import VPN target, which must be consistent with the export VPN target of the peer PE:
[PE1-vpn-instance-vpna] vpn-target 100:1 import-extcommunity
# Bind the CE-bound interface with the VPN instance.
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable

VPNv4 routes can be transported only after an EBGP peer is established in the VPNv4 address family. You can view all VPNv4 BGP peers by using the display bgp vpnv4 all peer command.

# Import routes of the directly connected network segment between PE and CE to vpna:
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct

3.2.
[Figure 3-4 MPLS VPN troubleshooting flowchart. Decision points recoverable from the figure: Ping remote CE successfully on CE? Route available between user PC and CE? VPN routes distributed to PE by CE? VPN routes distributed to the remote PE by PE? Fault removed?]
If reachable routes exist between them, and the ping fails, contact Nortel technical support engineers for technical assistance.
- If the ping fails, use the display ip routing-table command on the local CE to view whether routes to the remote CE exist in the local routing table. Use the display ip routing-table command on the remote CE to view whether routes to the local CE exist.
- If BGP VPNv4 peers are established between PEs, check whether the VPN targets of the two PEs match. The export VPN target of the local PE must be consistent with the import VPN target of the remote PE. The import VPN target of the local PE must be consistent with the export VPN target. If not, modify the configuration.
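The VPN-target consistency check from this step, as an added example (not part of the Nortel documentation): it parses two constructed PE configurations, reports an export target that the peer does not import, and flags an import that matches a differently named VPN instance on the peer, which would let routes cross VPN boundaries. The ip vpn-instance header line, the export-extcommunity and both keywords, and the vpnb instance are assumptions that do not appear in the excerpt.

```python
import re

# Constructed sample configurations in the command style used on this page.
# Assumptions: the "ip vpn-instance" header line, the export-extcommunity and
# both keywords, and the vpnb instance are not taken from the page.
PE1_CONFIG = """\
ip vpn-instance vpna
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
ip vpn-instance vpnb
 vpn-target 100:2 both
"""

# PE2 imports 100:2 instead of 100:1 (a constructed typo).
PE2_CONFIG = """\
ip vpn-instance vpna
 vpn-target 100:1 export-extcommunity
 vpn-target 100:2 import-extcommunity
"""

DIRECTIONS = ("both", "export-extcommunity", "import-extcommunity")
TARGET_RE = re.compile(r"^(\d+|\d+\.\d+\.\d+\.\d+):\d+$")  # AS:nn or IP:nn


def parse_vpn_targets(config):
    """Return {instance: {"import": set, "export": set}} from config text."""
    instances = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(
                words[2], {"import": set(), "export": set()})
        elif words[:1] == ["vpn-target"] and current is not None:
            args = words[1:]
            # Assumption: a missing direction keyword means "both".
            direction = args.pop() if args and args[-1] in DIRECTIONS else "both"
            targets = {a for a in args if TARGET_RE.match(a)}
            if direction != "export-extcommunity":
                current["import"] |= targets
            if direction != "import-extcommunity":
                current["export"] |= targets
        elif raw and not raw[0].isspace():
            current = None  # any other top-level line ends the instance block
    return instances


def check_pair(local, remote, name):
    """Each PE's export targets must be imported by the other PE."""
    if name not in local or name not in remote:
        return [(name, "instance-missing", [])]
    findings = []
    pairs = (("local-export-not-imported", local[name], remote[name]),
             ("remote-export-not-imported", remote[name], local[name]))
    for tag, exporter, importer in pairs:
        if not exporter["export"] & importer["import"]:
            findings.append((name, tag, sorted(exporter["export"])))
    return findings


def cross_vpn_imports(local, remote):
    """Flag local instances importing a target that a differently named
    instance on the remote PE exports. Instance names are only locally
    significant, so a hit is a prompt for review, not proof of a leak."""
    hits = []
    for lname, linst in local.items():
        for rname, rinst in remote.items():
            shared = linst["import"] & rinst["export"]
            if lname != rname and shared:
                hits.append((lname, rname, sorted(shared)))
    return hits


if __name__ == "__main__":
    pe1 = parse_vpn_targets(PE1_CONFIG)
    pe2 = parse_vpn_targets(PE2_CONFIG)
    for finding in check_pair(pe1, pe2, "vpna"):
        print("mismatch:", finding)
    for hit in cross_vpn_imports(pe2, pe1):
        print("review:", hit)
```

In the constructed data a single mistyped import target both breaks vpna in one direction and pulls vpnb routes into vpna on PE2, which is why the second check is worth running alongside the first.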
Step 3 Check that an LSP is established between PEs.

Network traffic on the MPLS VPN is transferred to the remote through LSPs on the public network. In actual configuration, the next hop of the private network route must be bound with the LSP.
Check if the forwarding entry is correct on PE. Use the display fib vpn-instance vpn-instance-name command to view the forwarding information base (FIB) of the VPN on the Main Processing Unit (MPU). For example:

display fib vpn-instance vpna
Destination/Mask   Nexthop     Flag  TimeStamp   Interface  TunnelID
202.2.4.1/32       127.0.0.1   HU    t[172572]   InLoop0    0x6002000
202.2.4.0/24       202.2.4.
- An arbitrary IGP runs between PE1, P, and PE2 to transfer routing information of the public network.
- Both MPLS and MPLS LDP are enabled on PE1, P, and PE2 individually.

Fault symptoms: PE1 has the private network route sent from CE1 while PE2 and CE2 do not have this route.

Fault analysis

A public network tunnel is a necessity when private network traffic traverses the public network to the remote.
 ip address 192.168.1.2 255.255.255.0
 mpls
#

The preceding display shows that MPLS LDP is not enabled in the interface view.

Troubleshooting procedure

Step 1 Use the display ip routing-table vpn-instance command on the remote PE to view whether there are local VPN routes in the VPN routing table. If local VPN routes exist, it implies that the routes in the RM are active; otherwise, the routes are inactive.
3.3.2 CEs cannot communicate

Fault symptom

[Figure 3-6 BGP/MPLS VPN networking diagram. Diagram labels: Loopback 1, Loopback 1, PE1, PE2, P1, P2, CE1, CE2]

The BGP/MPLS VPN service is configured in the network as shown in Figure 3-6. CE1 and CE2 belong to the same VPN. After the configuration, CE1 cannot successfully ping CE2.

Fault analysis

Consider the configuration of PE2 as an example.
Troubleshooting procedure

- Do as follows on the two PEs.

Step 1 Use the interface loopback interface-number command in the system view.
Step 2 Use the ip address ip-address 32 command to configure an IP address for the loopback interface.
Step 3 Use the quit command to return to the system view.
Step 4 Use the bgp as-number command to enter the BGP view.
----End

Summary

When jumbo packets cannot be received, check whether the MTU is too small.

3.3.4 PE cannot ping through the remote CE network segment

Fault symptom

[Figure 3-7 PE cannot ping through the remote CE network segment. Diagram labels: vpn1 Site1, CE1, vpn1 Site3, Backbone, GbE1/0/0 10.1.1.1/24, GbE1/0/0 10.3.1.1/24, PE1, GbE2/0/0 10.2.1.]
Troubleshooting procedure

Step 1 Ensure the remote CE uses the Up private network addresses of the local PE.

Using the import-route direct command in the BGP VPN instance view on the local PE can ensure that all the private network routes of the local PE can be advertised through MP-BGP.
The route is conveyed to the RM. According to the BGP next hop, the RM fixes on the iterative next hop and the egress. If there are multiple load-balancing paths between the PE and ASBR, BGP chooses only one path while the RM iterates multiple IGP paths. From the multiple Interior Gateway Protocol (IGP) paths, the RM selects one path to fill out the iterative next hop and egress.
- The undo policy vpn-target command is not configured for BGP on ASBR.

Q: LDP configuration between routers is correct, and the route is correct, but the establishment of the LSP fails. What is the reason?

A: The reason can be that the next hop of the route does not match the next hop of the LSP. To validate the LSP, the next hop of the LSP must exactly match the next hop of the route.
3.5 Diagnostic tools

3.5.1 display commands

Command | Description
display interface Ethernet | Displays detailed information about the Ethernet interface.
display interface | Displays detailed information about all interfaces.
display ip routing-table vpn-instance vpn-instance-name | Displays information about the routes in the active state in the routing table.
Command | Description
debugging mpls management | Debugs MPLS BGP/LDP messages.
debugging mpls packet | Debugs MPLS packets.
debugging bgp graceful-restart | Enables BGP Graceful Restart debugging.
debugging bgp event | Debugs BGP Finite State Machine (FSM) events.
debugging bgp peer-ip-address all | Enables all debugging of a specified BGP peer.

3.5.
Alarm message: Error: VPN-Target list is full
Meaning: Targets are full and you cannot configure more.
Possible cause: You can configure up to 16 targets only.
Solution: Delete one or more existing VPN targets.

Alarm message: Warning - Maximum Route Limit xxx Reached - Allowing Route to be added
Meaning: In the VPN1 routing table, the number of routes reaches the limit.
Alarm message: BGP ILM Creation Failed
Meaning: No more LSPs can be created.
Possible cause: The number of created LSPs reaches the maximum limit defined in the paf file.
Solution: Increase the number of allowed LSPs defined in the paf file.

Log message: BGP_L3VPN: Allocate token failed
Meaning: Applying for tokens from LSPM fails.
Possible cause: The number of routes reaches the limit defined in the permit file.
Solution: Purchase a new permit file.

Log message: BGP xxx: Receiving unsupported capability xxx. Identified in OPEN MSG from x.x.x.x
Meaning: Open packets with the unsupported capability are received.
Possible cause: Inconsistent capability is configured at the two peer routers.
Contents

4 MPLS L2VPN troubleshooting
4.1 MPLS Layer 2 VPN overview
4.1.1 Introduction to MPLS Layer 2 VPN
4.1.
Figures

Figure 4-1 MPLS Layer 2 VPN networking
Figure 4-2 MPLS Layer 2 VPN label stack processing
Figure 4-3 Martini signaling process
4 MPLS L2VPN troubleshooting

About this chapter

The following table describes the contents of this chapter.

Section | Describes
4.1 MPLS Layer 2 VPN overview | This section describes the knowledge you need before you troubleshoot a Multiprotocol Label Switching (MPLS) Layer 2 virtual private network (VPN).
4.
4.1 MPLS Layer 2 VPN overview

This section covers the following topics:
- Introduction to MPLS Layer 2 VPN
- CCC MPLS Layer 2 VPN
- SVC MPLS Layer 2 VPN
- Martini MPLS Layer 2 VPN
- PWE3 MPLS Layer 2 VPN
- Kompella MPLS Layer 2 VPN
- MPLS Layer 2 VPN IP-interworking

4.1.
The MPLS Layer 2 VPN also uses a label stack to implement transparent transmission of packets across the MPLS network.
- The outer label, called the tunnel label, is used to transport packets from one PE to another PE.
- The inner label, called the VC label, is used to distinguish connections in different VPNs.

According to the VC label, the receiving PE determines the CE to which the packet is forwarded.
4.1.3 SVC MPLS Layer 2 VPN

SVC is another type of static MPLS Layer 2 VPN. The SVC transfers Layer 2 VPN information without using the signaling protocol, but it requires manual configuration of VC label information.
[Figure 4-3 Martini signaling process. Diagram labels: Create PW, Mapping, AC/TNL Down, Withdraw, Release]

4.1.5 PWE3 MPLS Layer 2 VPN

Pseudo-Wire Emulation Edge-to-Edge (PWE3) is an extension of Martini mode. PWE3 sets up a PW on the control plane by using LDP.
4.1.6 Kompella MPLS Layer 2 VPN

Overview

Kompella mode implements Layer 2 VPN in an end-to-end fashion and uses BGP to transport Layer 2 information and VC labels. Unlike Martini mode, Kompella MPLS Layer 2 VPN requires dividing the entire operator network into many VPNs, and globally numbering CEs within these VPNs instead of processing the connection between CEs directly.
- The minimum VLAN IDs of the neighboring PE and CE must be the same, while those of the CEs on the two ends of the tunnel can be different.

The processing of ARP packets:
- After IP-interworking encapsulation, the Ethernet interface will have ARP entries that are different from ordinary entries.
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure

4.2.1 Typical networking

Local cross-connection networking

[Figure 4-5 Local cross-connection networking. Diagram labels: CE 2 POS1/0/0 100.1.1.2/24, local connection, CE 1 POS 1/0/0 100.1.1.1/24, POS 2/0/0, POS 1/0/0, PE]

Only the CCC mode and the Kompella mode support local cross-connection.
Multihop connection networking

[Figure 4-7 Multihop connection networking. Diagram labels: Loopback0 2.2.2.9/32, Loopback0 1.1.1.9/32, Loopback0 3.3.3.9/32, P1, S-PE, Loopback0 4.4.4.9/32, P2, Loopback0 5.5.5.9/32, Multi-Hop-PW, U-PE1, U-PE2, CE-B, CE-A]

The networking shown in Figure 4-7 applies to multihop PWE3, including LDP-PW and static-PW. A PW is configured on the interface of U-PE.
Inter-AS networking

[Figure 4-8 Inter-AS networking. Diagram labels: AS 100, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32, POS2/0/0 192.1.1.1/24, Loopback1 1.1.1.9/32, AS 200, POS2/0/0 192.1.1.2/24, ASBR-PE1, Loopback1 4.4.4.9/32, ASBR-PE2, PE1, PE2, GbE2/0/0 10.1.1.2/24, GbE2/0/0 10.2.1.2/24, GbE1/0/0 10.1.1.1/24, GbE1/0/0 10.2.1.]
Item | Subitem | Notes
Configuring BGP (remote connection using BGP as the signaling) | AS | You must specify the same AS for all related PEs and Ps.
 | Interface used for BGP connection | You must specify the loopback interface (with a 32-bit mask) as the egress interface of the session that is used to establish an IBGP connection between PEs.
Item / Subitem | Notes
Configuring switching VC | For the multi-hop PW, you need to configure switching VCs.
Configuring receiving and sending labels | For the static remote connection, the receiving and sending labels need to be configured manually. The configuration changes with MPLS Layer 2 VPN implementation mode.
4.2.
Local connection

[Figure 4-10 Troubleshooting flowchart of the MPLS Layer 2 VPN local connection fault. Decision points recoverable from the figure: AC is Up? L2VPN connection is Up? Encapsulation is correct? Heteromedia interconnect? CEs can access each other? Actions: Ensure AC is Up; Ensure AC interfaces of CE on same segment; Re-configure the type]
- In CCC mode, use the display ccc command or the display layer 2 vpn ccc-interface vc-type command.
- In SVC mode, use the display mpls static-l2vc command.
- In Martini mode, use the display mpls l2vc command.
- In Kompella mode, use the display mpls layer 2 vpn connection command.
- Remote CCC connection: Run the display ccc command to check that the labels at both ends match. For the same CCC connection, the egress label of one end must be the ingress label of the other end, as shown in Figure 4-12.

[Figure 4-12 Sketch map of the CCC remote connection label. Diagram labels: CE 1 to CE 2: O-Label, I-Label, O-Label, I-Label, 200, 200, 201, 201; CE 2 to CE 1: I-Label, O-Label, I-Label, O-Label, 100, 100, 101, 101]

2.
If the fault is still not rectified, check that the local PE is configured with the IP address of the remote CE. If the fault persists, contact Nortel technical personnel.

----End

4.
Local VC MTU         : 1500       Remote VC MTU        : 0
Local VCCV           : Disable    Remote VCCV          : None
Local Frag           : Disable    Remote Frag          : None
Local Ctrl Word      : Disable    Remote Ctrl Word     : None
Tunnel Policy        : --
Traffic Behavior     : --
PW Template Name     : --
VC tunnel/token info : 0 tunnels/tokens
Create time          : 0 days, 0 hours, 0 minutes, 9 seconds
UP time              : 0 days, 0 hours, 0 minutes, 0 seconds
Last change time     : 0 days, 0 hours, 0 mi
Troubleshooting procedure

Step 1 Specify P2P as the link layer protocol of an ATM subinterface.
Step 2 Reconfigure the PW.

----End

Summary

If you configure PWE3, you must specify P2P as the link layer protocol for the subinterface to create a PW on an ATM subinterface.

4.3.
[S-PE] mpls switch-l2vc 3.3.3.3 100 trans 100 recv 100 between 1.1.1.1 100 trans 100 recv 100 encapsulation ppp

Fault analysis

The VC ID is optional for the static PWE3. The static PW without a VC ID cannot be switched with the dynamic PW. If you configure the mixed PW switching, specify a non-zero VC ID for the static PW. Otherwise, the multihop PW (MH-PW) cannot be located.
4.3.3 Switch-L2VC is down after PW switching configuration

Fault symptom

[Figure 4-14 Networking diagram of Switch-L2VC troubleshooting. Diagram labels: MPLS Backbone, Loopback0 2.2.2.9/32, Loopback0 1.1.1.9/32, Loopback0 3.3.3.9/32, POS2/0/0 10.1.1.1/24, POS1/0/0 20.1.1.2/24, POS1/0/0 10.1.1.2/24, U-PE1, POS1/0/0, POS2/0/0, S-PE, 20.1.1.1/24, POS2/0/0, U-PE2, PW, PW, POS1/0/0 100.1.1.2/24, POS1/0/0 100.1.1.]
Fault analysis

The Secure Router 8000 Series does not necessarily require a VC peer to use the remote MPLS LSR ID. When using the MPLS LDP, you must use the LSR-ID specified in the MPLS LDP view as the LSR-ID. Therefore, the VC peer can be the remote MPLS LSR ID or the 32-bit mask address of a loopback interface. Establish the session between the two ends by using the remote peer command.
*Client Interface : Atm2/1/0.100
Session State     : down
AC Status         : up
VC State          : down
VC ID             : 100
VC Type           : atm aal5 sdu
Destination       : 2.2.2.
# Reset the PW template:
reset pw pw-template pwt1

# Display the configuration and find that the peer IP address of the PW does not change:
display mpls l2vc 100
Total ldp vc : 1     0 up     1 down
*Client Interface : Atm2/1/0.100
Session State     : down
AC Status         : up
VC State          : down
VC ID             : 1
VC Type           : atm aal5 sdu
Destination       : 2.2.2.
VC Type               : atm aal5 sdu
Destination           : 2.2.2.2
Local VC Label        : 119811
Remote VC Label       : 0
Control Word          : Disable
Local VC MTU          : 1500
Remote VC MTU         : 0
Tunnel Policy Name    : --
Traffic Behavior Name : --
PW Template Name      : pwt1
Create time           : 0 days, 0 hours, 0 minutes, 4 seconds
UP time               : 0 days, 0 hours, 0 minutes, 0 seconds
Last change time      : 0 days, 0 hours, 0 minutes, 4 seconds
[PE-Atm2/1/0.
4.3.5 VC is up but the PPP session cannot establish

Fault symptom

[Figure 4-15 Networking diagram. Diagram labels: PE1, PE2, GbE2/0/0, POS1/0/0, POS1/0/0, GbE2/0/0, POS1/0/0, POS1/0/0, CE1, CE2]

The CE and PE connect through a POS interface. The PE and PE connect through a GbE interface. The VC is Up, but the PPP session cannot be Up. If a POS interface connects PEs, the PPP session between CE and PE goes Up.
4.3.6 VC under the interface is missing after the link protocol changes

Fault symptom

The configuration is as follows.

# Configure MPLS Layer 2 VC on an interface on PE that connects the AC. Set the VC ID to 100:
[PE-Pos4/0/0] mpls l2vc 1.1.1.8 100
# View the configuration of the interface:
[PE-Pos4/0/0] display this
#
interface Pos4/0/0
 link-protocol fr
 mpls l2vc 1.1.1.
Session State : down
AC State      : down
VC State      : down
VC ID         : 100
VC Type       : hdlc
Destination   : 2.2.2.
Last change time : 0 days, 0 hours, 8 minutes, 26 seconds

Fault analysis

If an interface (POS 4/1/0 for example) on PE has an HDLC-type PW with the ID of 1, and you change the link layer protocol of another interface (POS 4/0/0 for example) to HDLC, the system deletes the PW under POS 4/0/0 automatically. The reason is that the two PWs have the same VC ID and the same VC type.
Session State : up
AC Status     : up
VC State      : down
VC ID         : 100
VC Type       : ethernet
Destination   : 2.2.2.
Session State : up
AC Status     : up
VC State      : up
VC ID         : 100
VC Type       : ethernet
Destination   : 1.1.1.
Code | Length | Description
0x02 | 4 | Maximum number of concatenated ATM cells
0x03 | Up to 82 | Optional Interface Description string
0x04 | 4 | CEP/TDM payload bytes
0x05 | 4 | CEP options
0x06 | 4 | Requested VLAN ID
0x07 | 6 | CEP/TDM bit-rate
0x08 | 4 | Frame-Relay DLCI Length
0x09 | 4 | Fragmentation indicator
0x0A | 4 | FCS retention indicator
0x0B | 4/8/12 | TDM options
0x0C | 4 | Virtual Circuit Connectivity Verification (VCC
4.3.8 Ethernet interconnects with ATM, the VC is up, but the ping between CEs fails

Scenario

[Figure 4-17 Networking diagram. Diagram labels: PE1, PE2, Backbone, GbE1/0/0, ATM1/0/0, GbE1/0/0, ATM1/0/0, CE1, CE2]

As shown in Figure 4-17, Ethernet interconnects ATM. After Layer 2 VPN IP-interworking is configured, the VC at both ends is Up, but the ping between CEs fails.
[Figure 4-18 IP address configuration diagram. Diagram labels: PE1, GbE1/0/0 10.1.1.2/24, PE2, Backbone, GbE1/0/0 10.1.1.1/24, ATM1/0/0 10.1.1.1/24, ATM1/0/0 10.1.1.2/24, CE1, CE2]

- Use static MAP. Configure the map ip peer-ce-address broadcast command or the map ip default broadcast command in the PVC view of the ATM interface at both ends of the AC.
4.3.9 CEs cannot communicate by using the accessing mode of VLAN

Fault symptom

CEs adopt the accessing mode of VLAN. After the VLAN ID is changed, CEs on two ends cannot communicate.

Fault analysis

To modify the VLAN ID, you need to modify VC IDs of the AC interfaces along the packet-sending direction in turn.
Tunnel Policy Name : --
Traffic Behavior   : --
PW Template Name   : --
Create time        : 0 days, 0 hours, 0 minutes, 17 seconds
UP time            : 0 days, 0 hours, 0 minutes, 17 seconds
Last change time   : 0 days, 0 hours, 0 minutes, 17 seconds

Fault analysis

Check the label of the static VC on the PE of the opposite end:

[PE2] display mpls static-l2vc
Total svc connections: 1, 1 up, 0 down
*Client Interface : Ethernet1/0/1
4.3.11 VC is down though AC is up

Fault symptom

After the configuration of Layer 2 VC, the AC is Up. However, the ping of the peer fails. After using the display mpls l2vc command, you find that the status of the VC is Down and that the remote VC label and the remote VC MTU are both zero, which is invalid.
- Control word
- MTU

Thus, the VC status can be Up only when those parameters are consistent on both ends.

4.3.12 Large-sized packets are lost between CEs on two ends of Layer 2 VPN

Fault symptom

After the Layer 2 VPN is set up between CEs, some large-sized packets are lost.

Fault analysis

The cause can be the fragmentation of the large-sized packets.
4.3.13 Failure to establish the MPLS LDP session between PEs when RIP-1 is used in the Layer 2 VPN backbone

Fault symptom

[Figure 4-19 Networking diagram of the Layer 2 VPN backbone adopting RIP. Diagram labels: Loopback0 1.1.1.1/32, Loopback0 2.2.2.2/32, POS2/0/0 100.1.1.1/24, PE-A, POS3/0/0 1.1.2.3/16, POS2/0/0 100.1.1.2/24, POS1/0/0, POS1/0/0, POS1/0/0 10.1.1.1/24, POS3/0/0 1.1.2.4/16, PE-B, P, POS1/0/0 10.1.1.]
LAM : Label Advertisement Mode
SsnAge Unit : DDD:HH:MM

Fault analysis

Check the routing table on PE-B. The display is as follows:

[PE-B] display ip routing-table
Routing Tables: Public
Destinations : 10     Routes : 10
Destination/Mask   Proto   Pre  Cost  NextHop     Interface
1.0.0.0/8          RIP     100  1     100.1.1.1   Pos2/0/0
1.1.0.0/16         Direct  0    0     1.1.2.3     Pos3/0/0
1.1.2.3/32         Direct  0    0     127.0.0.1   InLoopBack0
1.1.2.
You can use the undo mpls Layer 2 VPN default martini command to restore PWE3 mode. If a VC has been configured, such a type of switching cannot be done.

Q: In what cases do I configure local-ce and local-mac in different media interworking?

A: You must configure the local-ce and local-mac when you configure IP-interworking encapsulation on a Layer 2 VPN Ethernet interface or subinterface on PE.
Q: What is the function of the control word in Layer 2 VPN?

A: The control word on the PWE3 control plane is represented by a bit. The VC can be Up only when the control word at both ends is the same. If the forwarding plane supports the control word, a 32-bit field is added to the data packet to show the packet order. Generally, disorder can occur in the case of load balancing.
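A way to triage a VC that stays Down from the display mpls l2vc fields this chapter relies on (AC and session state, remote label and MTU of zero, MTU and control word consistency), as an added example that is not part of the Nortel documentation. The sample outputs are constructed in the layout quoted on this page, and the finding names are hypothetical.

```python
import re

# Constructed samples in the layout of the "display mpls l2vc" output quoted
# on this page; the values are illustrative, not captured from a device.
SAMPLE_NO_PEER_PARAMS = """\
 Session State        : down
 AC Status            : up
 VC State             : down
 VC ID                : 100
 Local VC Label       : 119811     Remote VC Label      : 0
 Local VC MTU         : 1500       Remote VC MTU        : 0
 Local Ctrl Word      : Disable    Remote Ctrl Word     : None
"""

SAMPLE_MISMATCH = """\
 Session State        : up
 AC Status            : up
 VC State             : down
 VC ID                : 100
 Local VC Label       : 21504      Remote VC Label      : 21505
 Local VC MTU         : 1500       Remote VC MTU        : 1400
 Local Ctrl Word      : Enable     Remote Ctrl Word     : Disable
"""

# Two "name : value" pairs can share one line, so scan for known field names
# instead of splitting on the first colon. The page shows both "AC Status"
# and "AC State"; both are accepted.
FIELD_RE = re.compile(
    r"(Session State|AC Stat(?:us|e)|VC State|"
    r"(?:Local|Remote) (?:VC Label|VC MTU|Ctrl Word))\s*:\s*(\S+)")

# Hypothetical finding names mapped to the checks described in this chapter.
ADVICE = {
    "ac-down": "Ensure the AC is Up.",
    "session-down": "The session to the peer is not up; check the route to "
                    "the peer and the remote peer configuration.",
    "no-remote-parameters": "Remote VC label and MTU are zero (invalid): no "
                            "VC parameters were learned from the peer.",
    "mtu-mismatch": "The MTU must be consistent on both ends.",
    "ctrl-word-mismatch": "The control word must be the same at both ends.",
    "vc-down-unexplained": "VC is Down with no mismatch in the parsed fields.",
}


def parse_l2vc(text):
    """Return the fields of interest as {name: lower-cased value}."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if key.startswith("AC Stat"):
            key = "AC Status"
        fields[key] = value.lower()
    return fields


def diagnose(text):
    """Return an ordered list of finding names for one VC."""
    f = parse_l2vc(text)
    findings = []
    if f.get("AC Status") != "up":
        findings.append("ac-down")
    if f.get("Session State") != "up":
        findings.append("session-down")
    if f.get("Remote VC Label") == "0" and f.get("Remote VC MTU") == "0":
        # Nothing was learned from the peer, so comparing values is pointless.
        findings.append("no-remote-parameters")
    else:
        if f.get("Local VC MTU") != f.get("Remote VC MTU"):
            findings.append("mtu-mismatch")
        if f.get("Local Ctrl Word") != f.get("Remote Ctrl Word"):
            findings.append("ctrl-word-mismatch")
    if not findings and f.get("VC State") != "up":
        findings.append("vc-down-unexplained")
    return findings


if __name__ == "__main__":
    for name, sample in (("no peer parameters", SAMPLE_NO_PEER_PARAMS),
                         ("parameter mismatch", SAMPLE_MISMATCH)):
        print(name)
        for finding in diagnose(sample):
            print("  ", finding, "-", ADVICE[finding])
```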
[Nortel] mpls switch-l2vc 1.1.1.1 2345 between 2.2.2.2 1234 encapsulation ip-interworking
[Nortel] mpls switch-l2vc 1.1.140.3 2345 between 1.1.140.2 1234 encapsulation hdlc

A combination of VC ID and VC type identifies a VC uniquely in PWE3. When the VC ID is the same but the VC type differs, the two are treated as different VCs.
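Because a VC is identified by VC ID plus VC type, changing an interface's link protocol can make its PW duplicate one on another interface, which is the case in 4.3.6 where the system deletes the PW. The pre-change check below is an added example, not part of the Nortel documentation; the configuration is constructed, and it assumes that the VC type follows the link-protocol keyword and that an interface without a link-protocol line uses ppp.

```python
# Constructed configuration in the style of the "display this" output on this
# page. Assumptions: the VC type of a PW follows the interface link-protocol
# keyword, and an interface with no link-protocol line is treated as ppp.
CONFIG = """\
interface Pos4/0/0
 link-protocol fr
 mpls l2vc 1.1.1.8 100
#
interface Pos4/1/0
 link-protocol hdlc
 mpls l2vc 2.2.2.2 100
#
interface Pos5/0/0
 mpls l2vc 3.3.3.3 200
#
"""


def parse_interfaces(config):
    """Return {interface: {"proto": str, "vcs": [(peer, vc_id), ...]}}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if words[:1] == ["interface"] and len(words) == 2:
            current = interfaces.setdefault(
                words[1], {"proto": "ppp", "vcs": []})
        elif current is None or not words:
            continue
        elif words[0] == "#":
            current = None  # "#" closes the interface block
        elif words[0] == "link-protocol" and len(words) == 2:
            current["proto"] = words[1]
        elif (words[:2] == ["mpls", "l2vc"] and len(words) >= 4
              and words[3].isdigit()):
            current["vcs"].append((words[2], int(words[3])))
    return interfaces


def vc_index(interfaces):
    """Map (VC ID, VC type) to the interfaces that carry such a PW."""
    index = {}
    for name, cfg in interfaces.items():
        for _peer, vc_id in cfg["vcs"]:
            index.setdefault((vc_id, cfg["proto"]), []).append(name)
    return index


def existing_collisions(interfaces):
    """(VC ID, VC type) pairs already used on more than one interface."""
    return {k: v for k, v in vc_index(interfaces).items() if len(v) > 1}


def collisions_after_change(interfaces, ifname, new_proto):
    """PWs on ifname that would share (VC ID, VC type) with a PW on another
    interface if ifname's link protocol were changed to new_proto."""
    others = {n: c for n, c in interfaces.items() if n != ifname}
    index = vc_index(others)
    hits = []
    for _peer, vc_id in interfaces[ifname]["vcs"]:
        for other in index.get((vc_id, new_proto), []):
            hits.append((vc_id, new_proto, other))
    return hits


if __name__ == "__main__":
    ifs = parse_interfaces(CONFIG)
    print("existing:", existing_collisions(ifs))
    for proto in ("hdlc", "ppp"):
        print("Pos4/0/0 ->", proto, collisions_after_change(ifs, "Pos4/0/0", proto))
```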
For a VLANIF interface, the VLAN packet does not carry a VLAN tag by default. If PWE3 is configured in tag mode, the forwarding engine adds a default VLAN tag to packets. The main Ethernet interface can emulate the default VLAN and make packets be in default VLAN mode.
Local Frag           : Disable    Remote Frag          : Disable
Local Ctrl Word      : Disable    Remote Ctrl Word     : Disable
Tunnel Policy        : --
Traffic Behavior     : --
PW Template Name     : --
VC tunnel/token info : 1 tunnels/tokens
NO.
Contents

5 VPLS troubleshooting
5.1 VPLS overview
5.1.1 Related concepts of VPLS
Figures

Figure 5-1 Basic VPLS networking
Figure 5-2 Hierarchical VPLS Networking
Figure 5-3 VPLS troubleshooting flowchart
5 VPLS troubleshooting

About this chapter

The following table describes the contents of this chapter.

Section | Describes
5.1 VPLS overview | This section describes the knowledge you need before you troubleshoot VPLS.
5.2 VPLS troubleshooting | This section provides notes about configuring VPLS, the VPLS troubleshooting flowchart, and the troubleshooting procedure in a typical VPLS network.
5.
5.1 VPLS overview

This section covers the following topics:
- Related concepts of VPLS
- Encapsulation type
- MTU

The development of Ethernet has made it a dominant LAN technology and it is increasingly applied as an access solution in the Metropolitan Area Network (MAN) and in the Wide Area Network (WAN).
An AC can be either a physical link or a logical link. AC transfers frames between CE and PE. You can specify a remote PE as the AC side of the local VPLS (upe often used). The specified PE need not fully connect with other PEs or perform split horizon. Similar to that in the distance vector (DV) routing protocol, the split horizon in VPLS can reduce the bandwidth consumption and prevent loops.
5.1.3 MTU

In VPLS, the maximum transmission unit (MTU) refers to the maximum transmission unit of the link layer. The encapsulation type and the MTU are both regarded as the Layer 2 information and are processed. The MTU of each VPLS must be consistent within the same VPN. If inconsistency occurs, the PW cannot be set up successfully.

5.
This networking simulates the three constituent parts of a VPLS networking: PE, provider router (P), and CE. This solution also meets the conditions of making a VPLS VSI Up: tunnel, AC access, and PW.

Hierarchical VPLS

[Figure 5-2 Hierarchical VPLS Networking. Diagram labels: PE1, PE2, PE3, Core layer, UPE1, UPE2, Convergence layer, Convergence layer, CE1, CE2]

The traditional LDP signaling requires that:
- PEs fully connect in a VPLS.
5.2.2 Configuration notes

Item | Subitem | Notes
VSI | VSI creation | When you create a VSI, you need to specify a name for it. If you use BGP as the signaling protocol, choose the keyword auto; if you use LDP, choose the keyword static.
 | VPLS encapsulation type and MTU of the VSI | By default, the encapsulation type is VLAN and the MTU is 1500 bytes.
Item | Subitem | Notes
 | MAC address learning mode | There are two VPLS MAC address learning modes:
- qualified: In this mode, the MAC address learning is based on the VLAN. Different VLANs in a same VSI instance can have different MAC address tables.
- unqualified: In this mode, the MAC address learning is based on the VSI. It is the default mode.
MAC address learning mode does not affect interworking.
| Item | Subitem | Notes |
|------|---------|-------|
| VSI (in BGP signaling mode) | VPN-Target | The VPN target is a label filtering policy used by VPLS in BGP signaling mode. Two VPN-target formats exist: AS:nn and IP:nn. AS represents the autonomous system number; nn is a user-defined number; IP represents a local IP address. |
| Item | Subitem | Notes |
|------|---------|-------|
| AC | Binding of VSI and AC | Use the l2 binding vsi vsi-name command to bind the CE-bound interface with a VSI. Ensure that the AC interface is physically Up. (A logical interface is also required to be Up.) If the AC access mode is VLAN, you must configure a subinterface. If the mode is ATM, you need to configure a virtual circuit. |
5.2.
If the output does not include the Interface Name, the VSI is not bound with the AC. You need to bind the CE-bound interface with the VSI. For details, see 5.2.2 Configuration notes.

Step 2 Check the status of the session.

If the session is not set up, use the display ip routing-table command to check the route to the remote peer. If no route exists, configure a dynamic routing protocol or static route.
5.3.1 A VSI cannot be up in LDP signaling mode

Fault symptom

[Figure 5-4 VPLS networking diagram: devices CE1, PE1, P, PE2, CE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32; POS interfaces 168.1.1.1/24, 168.1.1.2/24, 169.1.1.1/24, 169.1.1.2/24; Ethernet1/0/0, Ethernet2/0/0]

VPLS in LDP signaling mode is configured on both PE1 and PE2. After the configuration, the VSI cannot be Up.
Encapsulation Type : vlan
MTU                : 1500
VSI State          : down
VSI ID             : 1
*peer Router ID    : 2.2.2.9
VC Label           : 17408
Session            : up
Tunnel ID          : 0x6002001,
Interface Name     : Ethernet2/0/0
State              : up

The AC at both ends is Up. A tunnel exists at both ends of the PW, and the tunnel ID is not 0x0.

Step 2 Run the display vsi remote ldp command on PE2.
- The IP address of the specified peer is incorrect.
- The address of the peer is not the peer LSR-ID. The LDP session cannot be established.
- The LSR-ID of the peer is redefined. The LDP session then cannot be set up.

For the VSI status to be Up, at least two ACs must be Up, or at least one AC and one PW must be Up. To locate this type of problem, begin by checking the status of the AC and that of the PW.
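The checks named in this section (an AC bound and Up, session up, tunnel ID not 0x0, MTU and encapsulation type matching on both PEs) can be run over display vsi output captured from both ends. The following is an added example, not Nortel code: the sample output is constructed from the field names shown in this document, and parse_vsi and diagnose are hypothetical helper names.

```python
# Constructed sample output; field names follow the display vsi output on this page.
PE1 = """Encapsulation Type : vlan
MTU                : 1500
*peer Router ID    : 2.2.2.9
Session            : up
Tunnel ID          : 0x6002001,
Interface Name     : Ethernet1/0/0
State              : up"""
PE2 = """Encapsulation Type : vlan
MTU                : 1400
*peer Router ID    : 1.1.1.9
Session            : up
Tunnel ID          : 0x0,"""

def parse_vsi(text):  # collect the fields the troubleshooting steps inspect
    info = {"acs": [], "peers": []}
    for line in text.splitlines():
        key, value = (s.strip(" *,") for s in line.partition(":")[::2])
        if key in ("Encapsulation Type", "MTU"):
            info[key] = value
        elif key == "peer Router ID":
            info["peers"].append({"id": value})
        elif key in ("Session", "Tunnel ID") and info["peers"]:
            info["peers"][-1][key] = value
        elif key == "Interface Name":
            info["acs"].append({"name": value})
        elif key == "State" and info["acs"]:  # state line of the last AC
            info["acs"][-1]["state"] = value
    return info

def diagnose(ends):  # ends: {PE name: parsed output}; returns findings
    findings = []
    for field in ("MTU", "Encapsulation Type"):  # must match in one VPN
        values = {name: info.get(field) for name, info in ends.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{field} differs: {values}")
    for name, info in ends.items():
        if not any(ac.get("state") == "up" for ac in info["acs"]):
            findings.append(f"{name}: {len(info['acs'])} AC(s) bound, none up")
        for peer in info["peers"]:
            if peer.get("Session") != "up":
                findings.append(f"{name}: session to {peer['id']} is not up")
            if int(peer.get("Tunnel ID", "0x0"), 16) == 0:
                findings.append(f"{name}: tunnel ID to {peer['id']} is 0x0")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose({"PE1": parse_vsi(PE1), "PE2": parse_vsi(PE2)})))
```

On the constructed samples it reports the MTU mismatch, the missing AC binding on PE2, and the 0x0 tunnel ID on PE2.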
If the BGP peer is set up, use the display current-configuration | begin vsi vsi-name command to check the encapsulation modes of the PEs on both ends. If the modes are different, reconfigure them to be consistent.

----End

If the fault persists, contact Nortel technical personnel.

Troubleshooting procedure

Step 1 Use the display vsi command to check that the status of the PW is Up.
BGP RD                 : 1:1
SiteID/Range/Offset    : 1/10/0
Import vpn target      : 2:2,
Export vpn target      : 2:2,
Local Label Block      : 19456/10/0,
Interface Name         : Ethernet6/0/1
State                  : up

The display of PE2 is as follows:

***VSI Name            : bgp1
VSI Index              : 0
PW Signaling           : bgp
Member Discovery Style : auto
PW MAC Learn Style     : unqualify
Encapsulation Type     : vlan
MTU                    : 1500
VSI State              : down
BGP RD                 : 1:2
SiteID/Range/Offset    : 2/10
Summary

VPLS configuration in BGP signaling mode differs from that in LDP signaling mode as follows: BGP mode requires that the VPLS address family be configured and the remote peer be enabled in the address family. When you use BGP signaling, check that the BGP VPLS peer is specified and the remote label block is received.
Q: Different types of AC interfaces are bound at both ends. Does this affect the status of a VSI?
A: No, it will not. At present, the Secure Router 8000 Series supports only two types of AC interfaces:
- Ethernet
- VLAN

Q: Different types of AC interfaces are bound at both ends. Does this affect the interworking?
A: No, it will not.

Q: Different MAC address learning modes are configured at both ends.
Q: The LSP token is inconsistent with the token of the current tunnel in the VPLS MID table. Why does this happen?
A: The LSP token refers to the token value of the PW in the multicast information description (MID) table, and cannot be compared with the tunnel value.

Q: What is the relationship between the site, range, and offset in BGP mode?
A: Site refers to the label block sent to a certain peer.
5.5 Diagnostic tools

5.5.1 display commands

| Command | Description |
|---------|-------------|
| display vsi vsi-name verbose | Displays current VSI configuration. If you do not specify a vsi-name, information on all VSIs appears. |
| display vsi remote [ ldp \| bgp ] | Displays the labels received by the remote. You can choose LDP or BGP. |
| display vpls fib verbose | Displays the detailed information about the VPLS_FIB. |
VPLS is a type of Layer 2 VPN. Therefore, the Layer 2 VPN debugging commands also apply to VPLS.
Nortel Secure Router 8000 Series Troubleshooting - VPN Copyright © 2009 Nortel Networks All Rights Reserved. Printed in Canada, India, and the United States of America Release: 5.3 Publication: NN46240-710 Document Revision: 01.01 Document status: Standard Document release date: 30 March 2009 To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback. www.nortel.