
1 L2TP troubleshooting
Nortel Secure Router 8000 Series Troubleshooting - VPN
Nortel Networks Inc., Issue 5.3 (19 January 2009)
3. Check whether tunnel authentication and the tunnel password are configured correctly on
both the LAC and the LNS. Either end can initiate tunnel authentication. If one end enables
tunnel authentication, the tunnel can be established only when the remote end also enables
tunnel authentication and both ends use the same password. Run the display this command in
the L2TP group view on the LAC and on the LNS to check that the tunnel passwords match. If
tunnel authentication is enabled but the passwords on the two ends differ, set them with the
tunnel password { simple | cipher } password command. Prefer the cipher form: with simple,
the password is stored in clear text in the configuration and is shown as such by display this.
4. Check whether the correct virtual template (VT) is bound on the LNS side.
5. If one end is forcibly disconnected but the remote end does not receive the Disconnect
packet, the tunnel cannot be re-established immediately. The remote end needs some time to
detect that the link has gone down before it releases the old tunnel.
6. The LNS does not accept tunnel connection requests from two LACs that use the same IP
address. If two such LACs send tunnel connection requests at the same time, the tunnel
cannot be established.
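Why step 3 insists that both ends enable tunnel authentication and share one password follows from the L2TP control-connection handshake itself (RFC 2661, section 5.1.1): each end that has tunnel authentication enabled puts a Challenge AVP in its SCCRQ or SCCRP, and the peer must answer with MD5(message type || shared secret || challenge). The model below is an added example written for this page, not code from the manual or the router; Peer, establish_tunnel and the failure strings are my own names, and the exchange is reduced to the Challenge and Challenge Response AVPs. It shows the four outcomes a troubleshooter meets: both ends enabled with the same password, both enabled with different passwords, and only one end enabled (in either direction).

```python
"""Model of L2TP tunnel authentication (RFC 2661, section 5.1.1).

Constructed example. It models only the Challenge / Challenge Response AVPs of
the SCCRQ -> SCCRP -> SCCCN exchange, to show why the tunnel comes up only when
BOTH ends enable tunnel authentication AND share the same tunnel password.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Control message type values from RFC 2661; the type is the first byte of the hash input.
SCCRP = 2
SCCCN = 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661: Challenge Response = MD5(Message Type || shared secret || Challenge).
    MD5 is what the RFC mandates for this AVP, not a recommendation of this example."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class Peer:
    """One tunnel endpoint (LAC or LNS) with its 'tunnel authentication' setting."""

    def __init__(self, name: str, tunnel_auth: bool, password: Optional[bytes] = None):
        self.name = name
        self.tunnel_auth = tunnel_auth
        # A peer with tunnel authentication disabled has no usable tunnel password.
        self.password = password if tunnel_auth else None
        self.my_challenge: Optional[bytes] = None

    def challenge_avp(self) -> Optional[bytes]:
        """Challenge AVP for our SCCRQ/SCCRP, or None when authentication is off."""
        if not self.tunnel_auth:
            return None
        self.my_challenge = os.urandom(16)
        return self.my_challenge

    def response_avp(self, msg_type: int, peer_challenge: Optional[bytes]) -> Optional[bytes]:
        """Answer the peer's Challenge; None if there was none or we have no password."""
        if peer_challenge is None or self.password is None:
            return None
        return challenge_response(msg_type, self.password, peer_challenge)

    def accept(self, msg_type: int, response: Optional[bytes]) -> bool:
        """Verify the peer's Challenge Response against the Challenge we sent."""
        if self.my_challenge is None:
            return True  # we did not demand authentication
        if response is None:
            return False  # we demanded it and the peer could not answer
        expected = challenge_response(msg_type, self.password, self.my_challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def establish_tunnel(lac: Peer, lns: Peer) -> Tuple[bool, str]:
    """Run the three-message control-connection handshake; return (established, reason)."""
    # SCCRQ  LAC -> LNS : carries the LAC's Challenge if the LAC has tunnel auth enabled
    sccrq_challenge = lac.challenge_avp()
    # SCCRP  LNS -> LAC : the LNS's own Challenge plus its Response to the LAC's Challenge
    sccrp_challenge = lns.challenge_avp()
    sccrp_response = lns.response_avp(SCCRP, sccrq_challenge)
    if not lac.accept(SCCRP, sccrp_response):
        if sccrp_response is None:
            return False, f"{lns.name} cannot answer the Challenge: tunnel authentication not enabled there"
        return False, "SCCRP Challenge Response invalid: tunnel passwords differ"
    # SCCCN  LAC -> LNS : the LAC's Response to the LNS's Challenge
    scccn_response = lac.response_avp(SCCCN, sccrp_challenge)
    if not lns.accept(SCCCN, scccn_response):
        if scccn_response is None:
            return False, f"{lac.name} cannot answer the Challenge: tunnel authentication not enabled there"
        return False, "SCCCN Challenge Response invalid: tunnel passwords differ"
    if sccrq_challenge is None and sccrp_challenge is None:
        return True, "tunnel established without tunnel authentication"
    return True, "tunnel established with mutual tunnel authentication"


if __name__ == "__main__":
    cases = {
        "both enabled, same password": (Peer("LAC", True, b"s3cret"), Peer("LNS", True, b"s3cret")),
        "both enabled, different passwords": (Peer("LAC", True, b"s3cret"), Peer("LNS", True, b"other")),
        "only LAC enabled": (Peer("LAC", True, b"s3cret"), Peer("LNS", False)),
        "only LNS enabled": (Peer("LAC", False), Peer("LNS", True, b"s3cret")),
    }
    for label, (lac, lns) in cases.items():
        print(f"{label}: {establish_tunnel(lac, lns)}")
```

The reason strings map onto step 3: a "cannot answer" result means one end has tunnel authentication off, a "passwords differ" result means both have it on but the tunnel password command was given different values.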
Checking the state of PPP negotiation on the LNS side
1. Check whether LCP renegotiation or forced CHAP authentication is configured.
Run the display this command in the L2TP group view to check whether LCP renegotiation or
forced CHAP authentication is configured. When the device interoperates with LAC equipment
from other vendors, user authentication on the LNS uses LCP renegotiation; configure the LAC
according to the actual requirements.
After you configure LCP renegotiation on the LNS, you must also configure PPP
authentication on the corresponding virtual template interface. Otherwise the user cannot
pass authentication.
2. Check that the user name and password are configured on the LNS.
There are two cases:
For local authentication, check whether the correct user name and password are
configured in the AAA view. If not, configure them with the
local-user user-name password { simple | cipher } password command; use the cipher form
so that the password is not stored in clear text in the configuration.
For RADIUS authentication, see the VAS troubleshooting section in Nortel
Secure Router 8000 Series Troubleshooting - VAS (NN46240-709).
3. Use the display ip pool command to check whether the address pool is too small or no
address pool is configured at all.
4. Use the display this command in the VT view to check whether the PPP authentication
type matches the one configured on the LAC.
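The checks in this section and the preceding one together describe one consistent LNS configuration. The fragment below is an added illustration, not taken from the manual or from any device: it shows the L2TP group, virtual template and AAA settings those checks look for, written in the VRP-style command syntax that the commands cited on this page (display this, tunnel password { simple | cipher }, local-user ... password { simple | cipher }, display ip pool) belong to. The group number, interface number, tunnel names, user name, addresses and passwords are placeholders, and the exact keywords for enabling tunnel authentication, forced CHAP, the address pool and the virtual-template binding are assumed from that CLI family; confirm them against the device's command reference before use.

```text
l2tp enable
#
l2tp-group 1
 tunnel name LNS
 tunnel authentication
 tunnel password cipher <tunnel-password>
 allow l2tp virtual-template 1 remote LAC1
 mandatory-chap
#
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 10.1.1.1 255.255.255.0
 remote address pool 1
#
aaa
 local-user vpnuser password cipher <user-password>
 local-user vpnuser service-type ppp
 ip pool 1 10.1.1.2 10.1.1.100
#
```

Read against the checklist: tunnel authentication and tunnel password in the L2TP group must match the LAC (tunnel checks, step 3); allow l2tp virtual-template 1 is the virtual-template binding (step 4); mandatory-chap is the forced CHAP authentication that display this in the L2TP group view should show (PPP step 1); ppp authentication-mode chap on the virtual template must agree with the LAC's authentication type (PPP step 4); the local-user lines are what local authentication needs (PPP step 2); and ip pool 1 is what display ip pool reports as present and sized (PPP step 3).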
Checking that the LAC can ping the loopback interface of the LNS
1. Ping the loopback interface of the LNS from the LAC. If the ping succeeds, a reachable
route exists between the LAC and the LNS. If it fails, use the display ip routing-table
command to check whether the static route to the loopback interface of the LNS is
configured.
2. If the static route exists, run the display this command in the L2TP group view on the
LNS to check that the L2TP group is bound to the loopback interface. If no loopback
interface is bound, bind it with the tunnel destination loopback command.