- Read Me First
- Preparing for Broadband Access Aggregation
- Providing Protocol Support for Broadband Access Aggregation of PPPoE Sessions
- PPP for IPv6
- DHCP for IPv6 Broadband
- Providing Protocol Support for Broadband Access Aggregation of PPP over ATM Sessions
- Providing Connectivity Using ATM Routed Bridge Encapsulation over PVCs
- PPPoE Circuit-Id Tag Processing
- Configuring PPP over Ethernet Session Limit Support
- PPPoE Session Limit Local Override
- PPPoE QinQ Support
- PPP-Max-Payload and IWF PPPoE Tag Support
- PPPoE Session Limiting on Inner QinQ VLAN
- PPPoE Agent Remote-ID and DSL Line Characteristics Enhancement
- Enabling PPPoE Relay Discovery and Service Selection Functionality
- Configuring Cisco Subscriber Service Switch Policies
- AAA Improvements for Broadband IPv6
- Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS
- 802.1P CoS Bit Set for PPP and PPPoE Control Frames
- PPP over Ethernet Client
- PPPoE Smart Server Selection
- Monitoring PPPoE Sessions with SNMP
- PPPoE on ATM
- PPPoE on Ethernet
- PPPoE over VLAN Enhancements Configuration Limit Removal and ATM Support
- ADSL Support in IPv6
- Broadband IPv6 Counter Support at LNS
- PPP IP Unique Address and Prefix Detection
- PPP IPv4 Address Conservation in Dual Stack Environments
- TR-069 Agent
- Broadband High Availability Stateful Switchover
- Broadband High Availability In-Service Software Upgrade
- Controlling Subscriber Bandwidth
- PPPoE Service Selection
- Disabling AC-name and AC-cookie Tags from PPPoE PADS
- Finding Feature Information
- Prerequisites for Configuring a Subscriber Service Switch Policy
- Restrictions for Configuring a Subscriber Service Switch Policy
- Information About the Subscriber Service Switch
- How to Configure a Subscriber Service Switch Policy
- Configuration Examples for Configuring a Subscriber Service Switch Policy
- LAC Domain Authorization Example
- Domain Preauthorization RADIUS User Profile Example
- Subscriber Service Switch Preauthorization Example
- Verify Subscriber Service Switch Call Operation Example
- Troubleshooting the Subscriber Service Switch Examples
- Troubleshooting the Subscriber Service Switch Operation Example
- Troubleshooting the Subscriber Service Switch on the LAC--Normal Operation Example
- Troubleshooting the Subscriber Service Switch on the LAC--Authorization Failure Example
- Troubleshooting the Subscriber Service Switch on the LAC--Authentication Failure Example
- Troubleshooting the Subscriber Service Switch on the LNS--Normal Operation Example
- Troubleshooting the Subscriber Service Switch on the LNS--Tunnel Failure Example
Configuring Cisco Subscriber Service Switch Policies
The Subscriber Service Switch provides the framework for the management and scalability of PPP sessions that are switched from one virtual PPP link to another. It gives Internet service providers (ISPs) the flexibility to determining which services to provide to subscribers, the number of subscribers, and how to define the services. The primary focus of the Subscriber Service Switch is to direct PPP from one point to another using a Layer 2 subscriber policy. The policy manages tunneling of PPP in a policy-based bridging fashion.
- Finding Feature Information
- Prerequisites for Configuring a Subscriber Service Switch Policy
- Restrictions for Configuring a Subscriber Service Switch Policy
- Information About the Subscriber Service Switch
- How to Configure a Subscriber Service Switch Policy
- Configuration Examples for Configuring a Subscriber Service Switch Policy
- Where to Go Next
- Additional References
- Feature Information for Configuring a Subscriber Service Switch Policy
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring a Subscriber Service Switch Policy
Before configuring a Subscriber Service Switch policy, you must understand the concepts presented in the "Understanding Broadband Access Aggregation" module.
Before configuring a Subscriber Service Switch policy, you must perform the PPP over Ethernet (PPPoE) configuration procedures in the "Providing Protocol Support for Broadband Access Aggregation of PPPoE Sessions" module or perform the PPP over ATM (PPPoA) configuration procedures in the "Providing Protocol Support for Broadband Access Aggregation of PPP over ATM Sessions" module.
Restrictions for Configuring a Subscriber Service Switch Policy
The Subscriber Service Switch provides the framework for the management and scalability of PPP sessions that are switched from one virtual PPP link to another. The Subscriber Server Switch provides the infrastructure for any protocol to plug into; however, the initial implementation provides switching PPP over Ethernet and PPP over ATM session to a Layer 2 Tunneling Protocol (L2TP) device such as an L2TP access concentrator (LAC) switch, and switching L2TP sessions to an L2TP tunnel switch only.
Information About the Subscriber Service Switch
The Subscriber Service Switch was developed in response to a need by Internet service providers (ISPs) for increased scalability and extensibility for remote access service selection and Layer 2 subscriber policy management. This Layer 2 subscriber policy is needed to manage tunneling of PPP in a policy-based bridging fashion.
- Benefits of the Subscriber Service Switch
- Backward Compatibility of Subscriber Service Switch Policies
- Debug Commands Available for Subscriber Service Switch
Benefits of the Subscriber Service Switch
The Subscriber Service Switch provides the framework for the management and scalability of PPP sessions that are switched from one virtual PPP link to another. It gives Internet service providers (ISPs) the flexibility to determining which services to provide to subscribers, the number of subscribers, and how to define the services. In the past, remote access service selection was largely determined by the telephone number dialed or the PPP username and password entered during a PPP authentication cycle. However, broadband, cable, Virtual Private Network (VPN), and wireless access methods have created an environment where PPP sessions may be tunneled over a variety of protocols and media. The multitude of protocols, management domains, network infrastructure, and variety of services has created a complex environment for directing a subscriber to a given service or application. The problem is further complicated by the much greater density of total PPP sessions that can be transported over shared media versus traditional point-to-point links. The Subscriber Service Switch can provide a flexible and extensible decision point linking an incoming subscriber (typically a PPP session over some physical or virtual link) to another tunneled link or local termination for Layer 3 processing.
The Subscriber Service Switch is also scalable in situations where a subscriber’s Layer 2 service is switched across virtual links. Examples include switching among PPPoA, PPPoE, L2TP, Layer 2 Forwarding Protocol (L2F), Point-to-Point Tunneling Protocol (PPTP), generic routing encapsulation (GRE), and General Packet Radio Service (GPRS) Tunneling Protocol (GTP wireless data standard).
The figure below shows how the Subscriber Service Switch provides its own centralized switching path that bypasses the virtual-access-based switching available earlier. In the figure below, the Subscriber Service Switch is switching data traffic from personal computers in a home and corporate office and from a wireless user.
Protocols that register with the Subscriber Service Switch application programming interface (API) can take advantage of this switching path. Bypassing the virtual access interface in this manner helps the Cisco IOS XE software to scale to the increased number of sessions that the market demands. The Subscriber Service Switch also improves network performance. For example, benchmark testing indicates that performance of L2TP multihop tasks occurs twice as fast in networks with the Subscriber Service Switch as in networks without it.
Backward Compatibility of Subscriber Service Switch Policies
All of the existing virtual private dialup network (VPDN), Multichassis Multilink PPP (MMLP), and local termination policies and configurations are maintained in the implementation of the Subscriber Service Switch; however, default policies may be overridden by the following configurations or events:
Resource Manager (RM) VPDN authorization is attempted before VPDN authorization.
VPDN authorization is attempted before Stack Group Forwarding (SGF) MMLP.
VPDN service authorization is attempted only when the vpdn enable command is configured.
RM VPDN service authorization is attempted only if RM is enabled.
SGF authorization is attempted only when the sgbp member command is configured and one or both of the following service keys are available from the subscriber: unauthenticated PPP name and endpoint discriminator.
The dnis and domain service keys, in that order, are used to authorize VPDN service, provided that VPDN service is enabled.
An unauthenticated PPP name is always reduced to a domain name by taking all characters from the right of the PPP name up to a configurable delimiter character (default is the @ character). Only the domain portion is used to locate a service.
If the vpdn authen-before-forward command is configured as a global configuration command, the authenticated PPP name is used to authorize VPDN service.
The vpdn-group command can define four configurations:
Authorization for VPDN call termination (using the accept-dialin and accept-dialout keywords).
Authorization for VPDN subscriber service (using the request-dialin and request-dialout keywords).
A directive to collect further service keys and reauthorize (using the authen-before-forward keyword).
A tunnel configuration.
The Subscriber Service Switch adds a general configuration framework to replace the first three aspects of a VPDN group.
If VPDN and SGF services either are not configured or cannot be authorized, local PPP termination service is selected. Further PPP authorization is still required to complete local termination.
A two-phase authorization scheme is enabled by the vpn domain authorization command. An NAS-Port-ID (NAS port identifier) key is used to locate the first service record, which contains a restricted set of values for the domain substring of the unauthenticated PPP name. This filtered service key then locates the final service. Cisco refers to this scheme as domain preauthorization.
Domain preauthorization will occur only when the NAS-Port-ID key is available.
When domain preauthorization is enabled, both authenticated and unauthenticated domain names are checked for restrictions.
It is possible to associate a fixed service with an ATM permanent virtual circuit (PVC), thus affecting any subscribers carried by the PVC. The vpn service command, in ATM VC or VC class configuration mode, and the associated key make up the generic service key.
When the generic service key is available, it will be used for authorization instead of the unauthenticated domain name.
If either the vpdn authen-before-forward or per vpdn-group authen-before-forward command is configured, the authenticated username is required and will be used to authorize VPDN service.
To determine whether the authen-before-forward command is configured in a VPDN group (using the vpdn-group command), an unauthenticated username or the generic service key is required as the initial-want key set.
When the global vpdn authen-before-forward command is not configured, the generic service key, if one is available, is used to determine whether the authen-before-forward function is configured in the VPDN group (using the vpdn-group command). If the generic service key is not available, the unauthenticated username will be used.
If an accounting-enabled key is available, the unauthenticated username is required.
VPDN multihop is allowed only when VPDN multihop is enabled.
SGF on the L2TP network server (LNS) is allowed only when VPDN multihop is enabled on the LNS.
Forwarding of SGF calls on the LAC is allowed only if VPDN multihop is enabled on the LAC.
SGF-to-SGF multihop is not allowed.
When PPP forwarding is configured, both Multilink PPP (MLP) and non-MLP calls are forwarded to the winner of the Stack Group Bidding Protocol (SGBP) bid.
Authentication is always required for forwarded Packet Data Serving Node (PDSN) calls.
When the directed-request function is enabled and activated using the ip host command, VPDN service authorization occurs only when the vpdn authorize directed-request command is used.
Fixed legacy policy is still maintained for RM.
Debug Commands Available for Subscriber Service Switch
The Subscriber Service Switch feature introduces five new EXEC mode debug commands to enable diagnostic output about Subscriber Service Switch call operation, as follows:
debug sss aaa authorization event --Displays messages about AAA authorization events that are part of normal call establishment.
debug sss aaa authorization fsm --Displays messages about AAA authorization state changes.
debug sss error --Displays diagnostic information about errors that may occur during Subscriber Service Switch call setup.
debug sss event --Displays diagnostic information about Subscriber Service Switch call setup events.
debug sss fsm --Displays diagnostic information about the Subscriber Service Switch call setup state.
The following EXEC mode debug commands already exist:
debug redundancy - This command is available on platforms that support redundancy.
debug sss elog --Collects SSS performance event data.
debug sss feature --Enables debug for SSS feature events
debug sss packet --Enables packet level event and information debugging for the Subscriber Service Switch.
debug sss policy --Enables debug for SSS policy module events.
debug sss service --Enables debug for service manager event.
These commands were designed to be used with debug commands that exist for troubleshooting PPP and other Layer 2 call operations. The table below lists some of these debug commands.
Command |
Purpose |
---|---|
debug ppp negotiation |
Allows you to check that a client is passing PPP negotiation information. |
debug pppoe errors |
Displays PPPoE error messages. |
debug pppoe events |
Displays protocol event information. |
debug vpdn call events |
Enables VPDN call event debugging. |
debug vpdn call fsm |
Enables VPDN call setup state debugging. |
debug vpdn elog |
Enables VPDN performance event data collection. |
debug vpdn events |
Displays PPTP tunnel event change information. |
debug vpdn 12x-data |
Enables L2F and L2TP event and data debugging. |
debug vpdn l2x-errors |
Displays L2F and L2TP protocol errors that prevent tunnel establishment or normal operation. |
debug vpdn l2x-events |
Displays L2F and L2TP events that are part of tunnel establishment or shutdown. |
debug vpdn 12x-packets |
Enables L2F and L2TP packet level debugging. |
debug vpdn errors |
Displays PPTP protocol error messages. |
debug vpdn message |
Enables VPDN inter processing message debugging. |
debug vpdn packet |
Enables VPDN packet level debugging. |
debug vpdn scalability |
Enables VPDN scalability debugging. |
debug vpdn sss errors |
Displays diagnostic information about errors that may occur during VPDN Subscriber Service Switch call setup. |
debug vpdn sss events |
Displays diagnostic information about VPDN Subscriber Service Switch call setup events. |
Note | The debug commands are intended only for troubleshooting purposes, because the volume of output generated by the software can result in severe performance degradation on the router. |
How to Configure a Subscriber Service Switch Policy
The Subscriber Service Switch architecture is transparent, and existing PPP, VPDN, PPPoE, PPPoA, and authentication, authorization, and accounting (AAA) call configurations will continue to work in this environment. You can, however, enable Subscriber Service Switch preauthorization and Subscriber Service Switch type authorization. You may also find it helpful to verify Subscriber Service Switch call operation.
- Enabling Domain Preauthorization on a NAS
- Creating a RADIUS User Profile for Domain Preauthorization
- Enabling a Subscriber Service Switch Preauthorization
- Troubleshooting the Subscriber Service Switch
Enabling Domain Preauthorization on a NAS
Perform the following task to enable the NAS to perform domain authorization before tunneling.
1.
enable
2.
configure
terminal
3. vpdn authorize domain
4.
exit
5. Router# show running-config
DETAILED STEPS
What to Do Next
Create a RADIUS user profile for domain preauthorization. See the next section for more information.
Creating a RADIUS User Profile for Domain Preauthorization
The table below contains the attributes needed to enable domain preauthorization in a RADIUS user file. Refer to the Cisco IOS XE Security Configuration Guide for information about creating a RADIUS user profile.
Enabling a Subscriber Service Switch Preauthorization
When Subscriber Service Switch preauthorization is enabled on an LAC, local configurations for session limit per VC and per VLAN are overwritten by the per-NAS-port session limit downloaded from the server. Perform this task to enable preauthorization.
1.
enable
2.
configure
terminal
3.
subscriber
access
{pppoe | pppoa} pre-authorize nas-port-id[aaa-method-list]
4.
show
sss
session
[all]
5. exit
DETAILED STEPS
What to Do Next
Information about troubleshooting a network running the Subscriber Service Switch can be found in the next section.
Troubleshooting the Subscriber Service Switch
Perform this task to troubleshoot the Subscriber Service Switch. Examples of normal and failure operations can be found in the Troubleshooting the Subscriber Service Switch Examples. Reports from debug commands should be sent to technical personnel at Cisco Systems for evaluation.
Perform the following task to troubleshoot a network running the Subscriber Service Switch.
1.
enable
2.
configure
terminal
3.
no
logging
console
4. Use Telnet to access a router port and repeat Steps 2 and 3.
5.
terminal
monitor
6.
exit
7.
debug
sss
command-option
8.
configure
terminal
9.
no
terminal
monitor
10.
exit
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
| ||
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 |
no
logging
console
Example: Router(config)# no logging console |
Disables all logging to the console terminal.
| ||
Step 4 | Use Telnet to access a router port and repeat Steps 2 and 3. |
Enters global configuration mode in a recursive Telnet session, which allows the output to be redirected away from the console port. | ||
Step 5 |
terminal
monitor
Example: Router(config)# terminal monitor |
Enables logging output on the virtual terminal. | ||
Step 6 |
exit
Example: Router(config)# exit |
Exits to privileged EXEC mode. | ||
Step 7 |
debug
sss
command-option
Example: Router# debug sss error |
Enables the debug command.
| ||
Step 8 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 9 |
no
terminal
monitor
Example: Router(config)# no terminal monitor |
Disables logging on the virtual terminal. | ||
Step 10 |
exit
Example: Router(config)# exit |
Exits to privileged EXEC mode. |
Configuration Examples for Configuring a Subscriber Service Switch Policy
- LAC Domain Authorization Example
- Domain Preauthorization RADIUS User Profile Example
- Subscriber Service Switch Preauthorization Example
- Verify Subscriber Service Switch Call Operation Example
- Troubleshooting the Subscriber Service Switch Examples
LAC Domain Authorization Example
The following example shows the configuration necessary for the LAC to participate in domain preauthorization:
! aaa new-model aaa authorization network default local group radius ! vpdn authorize domain ! radius-server host 10.9.9.9 auth-port 1645 acct-port 1646 radius-server attribute nas-port format d radius-server key MyKey radius-server vsa send authentication !
Domain Preauthorization RADIUS User Profile Example
The following example shows a typical domain preauthorization RADIUS user profile:
user = nas-port:10.9.9.9:0/0/0/30.33 profile_id = 826 profile_cycle = 1 radius=Cisco { check_items= { 2=cisco } reply_attributes= { 9,1="vpdn:vpn-domain-list=example1.com,example2.com" 6=5 } } }
Subscriber Service Switch Preauthorization Example
The following partial example signals the Subscriber Service Switch to preauthorize the NAS-Port-ID string before authorizing the domain name. This policy applies only to all sessions with a PPPoE access type.
vpdn-group 3 accept dialin protocol pppoe virtual-template 1 ! ! Signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before ! authorizing the domain name. subscriber access pppoe pre-authorize nas-port-id mlist-llid !
Verify Subscriber Service Switch Call Operation Example
The following example command output from the show sss session all command provides an extensive report of Subscriber Service Switch session activity. Each section shows the unique identifier for each session, which can be used to correlate that particular session with the session information retrieved from other show commands or debug command traces. See the following show vpdn session command output for an example of this unique ID correlation.
Router# show sss session all Current SSS Information: Total sessions 9 SSS session handle is 40000013, state is connected, service is VPDN Unique ID is 9 SIP subscriber access type(s) are PPPoE/PPP Identifier is nobody3@example.com Last Changed 00:02:49 Root SIP Handle is DF000010, PID is 49 AAA unique ID is 10 Current SIP options are Req Fwding/Req Fwde SSS session handle is B0000017, state is connected, service is VPDN Unique ID is 10 SIP subscriber access type(s) are PPPoE/PPP Identifier is nobody3@example.com Last Changed 00:02:05 Root SIP Handle is B9000015, PID is 49 AAA unique ID is 11 Current SIP options are Req Fwding/Req Fwded SSS session handle is D6000019, state is connected, service is VPDN Unique ID is 11 SIP subscriber access type(s) are PPPoE/PPP Identifier is nobody3@example.com Last Changed 00:02:13 Root SIP Handle is D0000016, PID is 49 AAA unique ID is 12 Current SIP options are Req Fwding/Req Fwded SSS session handle is 8C000003, state is connected, service is VPDN Unique ID is 3 SIP subscriber access type(s) are PPPoE/PPP Identifier is user3@example.com Last Changed 2d21h Root SIP Handle is D3000002, PID is 49 AAA unique ID is 3 Current SIP options are Req Fwding/Req Fwded SSS session handle is BE00000B, state is connected, service is Local Term Unique ID is 6 SIP subscriber access type(s) are PPPoE/PPP Identifier is user1 Last Changed 00:03:56 Root SIP Handle is A9000009, PID is 49 AAA unique ID is 7 Current SIP options are Req Fwding/Req Fwded SSS session handle is DC00000D, state is connected, service is Local Term Unique ID is 7 SIP subscriber access type(s) are PPPoE/PPP Identifier is user2 Last Changed 00:03:57 Root SIP Handle is 2C00000A, PID is 49 AAA unique ID is 8 Current SIP options are Req Fwding/Req Fwded SSS session handle is DB000011, state is connected, service is VPDN Unique ID is 8 SIP subscriber access type(s) are PPPoE/PPP Identifier is nobody3@example.com Last Changed 00:02:58 Root SIP Handle is 1000000F, PID is 49 AAA unique ID is 9 Current SIP options are Req Fwding/Req Fwded SSS session handle is 3F000007, state is connected, service is Local Term Unique ID is 2 SIP subscriber access type(s) are PPP Identifier is user1 Last Changed 00:05:30 Root SIP Handle is 8A000009, PID is 92 AAA unique ID is 1 Current SIP options are Req Fwding/Req Fwded SSS session handle is 97000005, state is connected, service is VPDN Unique ID is 4 SIP subscriber access type(s) are PPP Identifier is nobody2@example.com Last Changed 00:07:16 Root SIP Handle is 32000000, PID is 92 AAA unique ID is 5 Current SIP options are Req Fwding/Req Fwded
Correlating the Unique ID in show vpdn session Command Output
The following partial sample output from the show vpdn session command provides extensive reports on call activity for all L2TP, L2F, and PPPoE sessions, and identifies the unique ID for each session.
Router# show vpdn session all L2TP Session Information Total tunnels 1 sessions 4 Session id 5 is up, tunnel id 13695 Call serial number is 3355500002 Remote tunnel name is User03 Internet address is 10.0.0.63 Session state is established, time since change 00:03:53 52 Packets sent, 52 received 2080 Bytes sent, 1316 received Last clearing of "show vpdn" counters never Session MTU is 1464 bytes Session username is nobody3@example.com Interface Remote session id is 692, remote tunnel id 58582 UDP checksums are disabled SSS switching enabled No FS cached header information available Sequencing is off Unique ID is 8 Session id 6 is up, tunnel id 13695 Call serial number is 3355500003 Remote tunnel name is User03 Internet address is 10.0.0.63 Session state is established, time since change 00:04:22 52 Packets sent, 52 received 2080 Bytes sent, 1316 received Last clearing of "show vpdn" counters never Session MTU is 1464 bytes Session username is nobody3@example.com Interface Remote session id is 693, remote tunnel id 58582 UDP checksums are disabled SSS switching enabled No FS cached header information available Sequencing is off Unique ID is 9
Troubleshooting the Subscriber Service Switch Examples
This section provides the following debugging session examples for a network running the Subscriber Service Switch:
Reports from debug commands should be sent to technical personnel at Cisco Systems for evaluation.
- Troubleshooting the Subscriber Service Switch Operation Example
- Troubleshooting the Subscriber Service Switch on the LAC--Normal Operation Example
- Troubleshooting the Subscriber Service Switch on the LAC--Authorization Failure Example
- Troubleshooting the Subscriber Service Switch on the LAC--Authentication Failure Example
- Troubleshooting the Subscriber Service Switch on the LNS--Normal Operation Example
- Troubleshooting the Subscriber Service Switch on the LNS--Tunnel Failure Example
Troubleshooting the Subscriber Service Switch Operation Example
The following example shows the debug commands used and sample output for debugging Subscriber Service Switch operation:
Router# debug sss event Router# debug sss error Router# debug sss state Router# debug sss aaa authorization event Router# debug sss aaa authorization fsm SSS: SSS events debugging is on SSS error debugging is on SSS fsm debugging is on SSS AAA authorization event debugging is on SSS AAA authorization FSM debugging is on *Mar 4 21:33:18.248: SSS INFO: Element type is Access-Type, long value is 3 *Mar 4 21:33:18.248: SSS INFO: Element type is Switch-Id, long value is -1509949436 *Mar 4 21:33:18.248: SSS INFO: Element type is Nasport, ptr value is 6396882C *Mar 4 21:33:18.248: SSS INFO: Element type is AAA-Id, long value is 7 *Mar 4 21:33:18.248: SSS INFO: Element type is AAA-ACCT_ENBL, long value is 1 *Mar 4 21:33:18.248: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006 *Mar 4 21:33:18.248: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth *Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions) *Mar 4 21:33:18.248: SSS PM [uid:7]: Need the following key: Unauth-User *Mar 4 21:33:18.248: SSS PM [uid:7]: Received Service Request *Mar 4 21:33:18.248: SSS PM [uid:7]: Event <need keys>, State: initial-req to need-init-keys *Mar 4 21:33:18.248: SSS PM [uid:7]: Policy reply - Need more keys *Mar 4 21:33:18.248: SSS MGR [uid:7]: Got reply Need-More-Keys from PM *Mar 4 21:33:18.248: SSS MGR [uid:7]: Event policy-or-mgr-more-keys, state changed from wait-for-auth to wait-for-req *Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling More-Keys event *Mar 4 21:33:20.256: SSS INFO: Element type is Unauth-User, string value is nobody@example.com *Mar 4 21:33:20.256: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006 *Mar 4 21:33:20.256: SSS INFO: Element type is AAA-Id, long value is 7 *Mar 4 21:33:20.256: SSS INFO: Element type is Access-Type, long value is 0 *Mar 4 21:33:20.256: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth *Mar 4 21:33:20.256: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions) *Mar 4 21:33:20.256: SSS PM [uid:7]: Received More Initial Keys *Mar 4 21:33:20.256: SSS PM [uid:7]: Event <rcvd keys>, State: need-init-keys to check-auth-needed *Mar 4 21:33:20.256: SSS PM [uid:7]: Handling Authorization Check *Mar 4 21:33:20.256: SSS PM [uid:7]: Event <send auth>, State: check-auth-needed to authorizing *Mar 4 21:33:20.256: SSS PM [uid:7]: Handling AAA service Authorization *Mar 4 21:33:20.256: SSS PM [uid:7]: Sending authorization request for 'example.com' *Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Event <make request>, state changed from idle to authorizing *Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Authorizing key example.com *Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:AAA request sent for key example.com *Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Received an AAA pass *Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <found service>, state changed from authorizing to complete *Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Found service info for key example.com *Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <free request>, state changed from complete to terminal *Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Free request *Mar 4 21:33:20.264: SSS PM [uid:7]: Event <found>, State: authorizing to end *Mar 4 21:33:20.264: SSS PM [uid:7]: Handling Service Direction *Mar 4 21:33:20.264: SSS PM [uid:7]: Policy reply - Forwarding *Mar 4 21:33:20.264: SSS MGR [uid:7]: Got reply Forwarding from PM *Mar 4 21:33:20.264: SSS MGR [uid:7]: Event policy-start-service-fsp, state changed from wait-for-auth to wait-for-service *Mar 4 21:33:20.264: SSS MGR [uid:7]: Handling Connect-Forwarding-Service event *Mar 4 21:33:20.272: SSS MGR [uid:7]: Event service-fsp-connected, state changed from wait-for-service to connected *Mar 4 21:33:20.272: SSS MGR [uid:7]: Handling Forwarding-Service-Connected event
Troubleshooting the Subscriber Service Switch on the LAC--Normal Operation Example
The following example shows the debug commands used and sample output indicating normal operation of the Subscriber Service Switch on the LAC:
Router# debug sss event Router# debug sss error Router# debug sss aaa authorization event Router# debug sss aaa authorization fsm Router# debug pppoe events Router# debug pppoe errors Router# debug ppp negotiation Router# debug vpdn l2x-events Router# debug vpdn l2x-errors Router# debug vpdn sss events Router# debug vpdn sss errors Router# debug vpdn call events Router# debug vpdn call fsm Router# debug vpdn events Router# debug vpdn errors SSS: SSS events debugging is on SSS error debugging is on SSS AAA authorization event debugging is on SSS AAA authorization FSM debugging is on PPPoE: PPPoE protocol events debugging is on PPPoE protocol errors debugging is on PPP: PPP protocol negotiation debugging is on VPN: L2X protocol events debugging is on L2X protocol errors debugging is on VPDN SSS events debugging is on VPDN SSS errors debugging is on VPDN call event debugging is on VPDN call FSM debugging is on VPDN events debugging is on VPDN errors debugging is on *Nov 15 12:23:52.523: PPPoE 0: I PADI R:0000.0c14.71d0 L:ffff.ffff.ffff 1/32 ATM4/0.132 *Nov 15 12:23:52.523: PPPoE 0: O PADO R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:23:52.527: PPPoE 0: I PADR R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:23:52.527: PPPoE : encap string prepared *Nov 15 12:23:52.527: [13]PPPoE 10: Access IE handle allocated *Nov 15 12:23:52.527: [13]PPPoE 10: pppoe SSS switch updated *Nov 15 12:23:52.527: [13]PPPoE 10: Service request sent to SSS *Nov 15 12:23:52.527: [13]PPPoE 10: Created R:00b0.c2e9.c870 L:0000.0c14.71d0 1/32 ATM4/0.132 *Nov 15 12:23:52.547: SSS INFO: Element type is Access-Type, long value is 3 *Nov 15 12:23:52.547: SSS INFO: Element type is Switch-Id, long value is 2130706444 *Nov 15 12:23:52.547: SSS INFO: Element type is Nasport, ptr value is 63C07288 *Nov 15 12:23:52.547: SSS INFO: Element type is AAA-Id, long value is 14 *Nov 15 12:23:52.547: SSS INFO: Element type is AccIe-Hdl, ptr value is B200000C *Nov 15 12:23:52.547: SSS MGR [uid:13]: Handling Policy Authorize (1 pending sessions) *Nov 15 12:23:52.547: SSS PM [uid:13]: RM/VPDN disabled: RM/VPDN author not needed *Nov 15 12:23:52.547: SSS PM [uid:13]: Received Service Request *Nov 15 12:23:52.547: SSS PM [uid:13]: Handling Authorization Check *Nov 15 12:23:52.547: SSS PM [uid:13]: Policy requires 'Unauth-User' key *Nov 15 12:23:52.547: SSS PM [uid:13]: Policy reply - Need more keys *Nov 15 12:23:52.547: SSS MGR [uid:13]: Got reply Need-More-Keys from PM *Nov 15 12:23:52.547: SSS MGR [uid:13]: Handling More-Keys event *Nov 15 12:23:52.547: [13]PPPoE 10: State REQ_NASPORT Event MORE_KEYS *Nov 15 12:23:52.547: [13]PPPoE 10: O PADS R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:23:52.547: ppp13 PPP: Using default call direction *Nov 15 12:23:52.547: ppp13 PPP: Treating connection as a dedicated line *Nov 15 12:23:52.547: ppp13 PPP: Phase is ESTABLISHING, Active Open *Nov 15 12:23:52.547: ppp13 LCP: O CONFREQ [Closed] id 1 len 19 *Nov 15 12:23:52.547: ppp13 LCP: MRU 1492 (0x010405D4) *Nov 15 12:23:52.547: ppp13 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:23:52.547: ppp13 LCP: MagicNumber 0xB0EC4557 (0x0506B0EC4557) *Nov 15 12:23:52.547: [13]PPPoE 10: State START_PPP Event DYN_BIND *Nov 15 12:23:52.547: [13]PPPoE 10: data path set to PPP *Nov 15 12:23:52.571: ppp13 LCP: I CONFREQ [REQsent] id 1 len 14 *Nov 15 12:23:52.571: ppp13 LCP: MRU 1492 (0x010405D4) *Nov 15 12:23:52.571: ppp13 LCP: MagicNumber 0x0017455D (0x05060017455D) *Nov 15 12:23:52.571: ppp13 LCP: O CONFACK [REQsent] id 1 len 14 *Nov 15 12:23:52.571: ppp13 LCP: MRU 1492 (0x010405D4) *Nov 15 12:23:52.571: ppp13 LCP: MagicNumber 0x0017455D (0x05060017455D) *Nov 15 12:23:54.543: ppp13 LCP: TIMEout: State ACKsent *Nov 15 12:23:54.543: ppp13 LCP: O CONFREQ [ACKsent] id 2 len 19 *Nov 15 12:23:54.543: ppp13 LCP: MRU 1492 (0x010405D4) *Nov 15 12:23:54.543: ppp13 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:23:54.543: ppp13 LCP: MagicNumber 0xB0EC4557 (0x0506B0EC4557) *Nov 15 12:23:54.543: ppp13 LCP: I CONFACK [ACKsent] id 2 len 19 *Nov 15 12:23:54.543: ppp13 LCP: MRU 1492 (0x010405D4) *Nov 15 12:23:54.543: ppp13 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:23:54.543: ppp13 LCP: MagicNumber 0xB0EC4557 (0x0506B0EC4557) *Nov 15 12:23:54.543: ppp13 LCP: State is Open *Nov 15 12:23:54.543: ppp13 PPP: Phase is AUTHENTICATING, by this end *Nov 15 12:23:54.543: ppp13 CHAP: O CHALLENGE id 1 len 25 from "7200" *Nov 15 12:23:54.547: ppp13 CHAP: I RESPONSE id 1 len 38 from "nobody@example.com" *Nov 15 12:23:54.547: ppp13 PPP: Phase is FORWARDING, Attempting Forward *Nov 15 12:23:54.547: SSS INFO: Element type is Unauth-User, string value is nobody@example.com *Nov 15 12:23:54.547: SSS INFO: Element type is AccIe-Hdl, ptr value is B200000C *Nov 15 12:23:54.547: SSS INFO: Element type is AAA-Id, long value is 14 *Nov 15 12:23:54.547: SSS INFO: Element type is Access-Type, long value is 0 *Nov 15 12:23:54.547: SSS MGR [uid:13]: Handling Policy Authorize (1 pending sessions) *Nov 15 12:23:54.547: SSS PM [uid:13]: Received More Keys *Nov 15 12:23:54.547: SSS PM [uid:13]: Handling Authorization Check *Nov 15 12:23:54.547: SSS PM [uid:13]: Handling AAA service Authorization *Nov 15 12:23:54.547: SSS PM [uid:13]: Sending authorization request for 'example.com' *Nov 15 12:23:54.547: SSS AAA AUTHOR [uid:13]:Event <make request>, state changed from idle to authorizing *Nov 15 12:23:54.547: SSS AAA AUTHOR [uid:13]:Authorizing key example.com *Nov 15 12:23:54.547: SSS AAA AUTHOR [uid:13]:AAA request sent for key example.com *Nov 15 12:23:54.551: SSS AAA AUTHOR [uid:13]:Received an AAA pass *Nov 15 12:23:54.551: SSS AAA AUTHOR [uid:13]:Event <found service>, state changed from authorizing to complete *Nov 15 12:23:54.551: SSS AAA AUTHOR [uid:13]:Found service info for key example.com *Nov 15 12:23:54.551: SSS AAA AUTHOR [uid:13]:Event <free request>, state changed from complete to terminal *Nov 15 12:23:54.551: SSS AAA AUTHOR [uid:13]:Free request *Nov 15 12:23:54.551: SSS PM [uid:13]: Handling Service Direction *Nov 15 12:23:54.551: SSS PM [uid:13]: Policy reply - Forwarding *Nov 15 12:23:54.551: SSS MGR [uid:13]: Got reply Forwarding from PM *Nov 15 12:23:54.551: SSS MGR [uid:13]: Handling Connect-Service event *Nov 15 12:23:54.551: VPDN CALL [uid:13]: Event connect req, state changed from idle to connecting *Nov 15 12:23:54.551: VPDN CALL [uid:13]: Requesting connection *Nov 15 12:23:54.551: VPDN CALL [uid:13]: Call request sent *Nov 15 12:23:54.551: VPDN MGR [uid:13]: Event client connect, state changed from idle to connecting *Nov 15 12:23:54.551: VPDN MGR [uid:13]: Initiating compulsory connection to 192.168.8.2 *Nov 15 12:23:54.551: Tnl/Sn61510/7 L2TP: Session FS enabled *Nov 15 12:23:54.551: Tnl/Sn61510/7 L2TP: Session state change from idle to wait-for-tunnel *Nov 15 12:23:54.551: uid:13 Tnl/Sn61510/7 L2TP: Create session *Nov 15 12:23:54.551: uid:13 Tnl/Sn61510/7 L2TP: O ICRQ to rp1 9264/0 *Nov 15 12:23:54.551: [13]PPPoE 10: Access IE nas port called *Nov 15 12:23:54.555: Tnl61510 L2TP: Control channel retransmit delay set to 1 seconds *Nov 15 12:23:54.555: uid:13 Tnl/Sn61510/7 L2TP: Session state change from wait-for-tunnel to wait-reply *Nov 15 12:23:54.555: [13]PPPoE 10: State LCP_NEGO Event PPP_FWDING *Nov 15 12:23:54.559: uid:13 Tnl/Sn61510/7 L2TP: O ICCN to rp1 9264/13586 *Nov 15 12:23:54.559: Tnl61510 L2TP: Control channel retransmit delay set to 1 seconds *Nov 15 12:23:54.559: uid:13 Tnl/Sn61510/7 L2TP: Session state change from wait-reply to established *Nov 15 12:23:54.559: uid:13 Tnl/Sn61510/7 L2TP: VPDN session up *Nov 15 12:23:54.559: VPDN MGR [uid:13]: Event peer connected, state changed from connecting to connected *Nov 15 12:23:54.559: VPDN MGR [uid:13]: Succeed to forward nobody@example.com *Nov 15 12:23:54.559: VPDN MGR [uid:13]: accounting start sent *Nov 15 12:23:54.559: VPDN CALL [uid:13]: Event connect ok, state changed from connecting to connected *Nov 15 12:23:54.559: VPDN CALL [uid:13]: Connection succeeded *Nov 15 12:23:54.559: SSS MGR [uid:13]: Handling Service-Connected event *Nov 15 12:23:54.559: ppp13 PPP: Phase is FORWARDED, Session Forwarded *Nov 15 12:23:54.559: [13]PPPoE 10: State LCP_NEGO Event PPP_FWDED *Nov 15 12:23:54.563: [13]PPPoE 10: data path set to SSS Switch *Nov 15 12:23:54.563: [13]PPPoE 10: Connected Forwarded
Troubleshooting the Subscriber Service Switch on the LAC--Authorization Failure Example
The following is sample output indicating call failure due to authorization failure:
*Nov 15 12:37:24.535: PPPoE 0: I PADI R:0000.0c14.71d0 L:ffff.ffff.ffff 1/32 ATM4/0.132 *Nov 15 12:37:24.535: PPPoE 0: O PADO R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:37:24.539: PPPoE 0: I PADR R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:37:24.539: PPPoE : encap string prepared *Nov 15 12:37:24.539: [18]PPPoE 15: Access IE handle allocated *Nov 15 12:37:24.539: [18]PPPoE 15: pppoe SSS switch updated *Nov 15 12:37:24.539: PPPoE 15: AAA pppoe_aaa_acct_get_retrieved_attrs *Nov 15 12:37:24.539: [18]PPPoE 15: AAA pppoe_aaa_acct_get_nas_port_details *Nov 15 12:37:24.539: [18]PPPoE 15: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:37:24.539: [18]PPPoE 15: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:37:24.539: [18]PPPoE 15: AAA unique ID allocated *Nov 15 12:37:24.539: [18]PPPoE 15: No AAA accounting method list *Nov 15 12:37:24.539: [18]PPPoE 15: Service request sent to SSS *Nov 15 12:37:24.539: [18]PPPoE 15: Created R:00b0.c2e9.c870 L:0000.0c14.71d0 1/32 ATM4/0.132 *Nov 15 12:37:24.559: SSS INFO: Element type is Access-Type, long value is 3 *Nov 15 12:37:24.559: SSS INFO: Element type is Switch-Id, long value is -738197487 *Nov 15 12:37:24.559: SSS INFO: Element type is Nasport, ptr value is 63C0E590 *Nov 15 12:37:24.559: SSS INFO: Element type is AAA-Id, long value is 19 *Nov 15 12:37:24.559: SSS INFO: Element type is AccIe-Hdl, ptr value is 5B000011 *Nov 15 12:37:24.559: SSS MGR [uid:18]: Handling Policy Authorize (1 pending sessions) *Nov 15 12:37:24.559: SSS PM [uid:18]: RM/VPDN disabled: RM/VPDN author not needed *Nov 15 12:37:24.559: SSS PM [uid:18]: Received Service Request *Nov 15 12:37:24.559: SSS PM [uid:18]: Handling Authorization Check *Nov 15 12:37:24.559: SSS PM [uid:18]: Policy requires 'Unauth-User' key *Nov 15 12:37:24.559: SSS PM [uid:18]: Policy reply - Need more keys *Nov 15 12:37:24.559: SSS MGR [uid:18]: Got reply Need-More-Keys from PM *Nov 15 12:37:24.559: SSS MGR [uid:18]: Handling More-Keys event *Nov 15 12:37:24.559: [18]PPPoE 15: State REQ_NASPORT Event MORE_KEYS *Nov 15 12:37:24.559: [18]PPPoE 15: O PADS R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:37:24.559: ppp18 PPP: Using default call direction *Nov 15 12:37:24.559: ppp18 PPP: Treating connection as a dedicated line *Nov 15 12:37:24.559: ppp18 PPP: Phase is ESTABLISHING, Active Open *Nov 15 12:37:24.559: ppp18 LCP: O CONFREQ [Closed] id 1 len 19 *Nov 15 12:37:24.559: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:24.559: ppp18 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:37:24.559: ppp18 LCP: MagicNumber 0xB0F8A971 (0x0506B0F8A971) *Nov 15 12:37:24.559: [18]PPPoE 15: State START_PPP Event DYN_BIND *Nov 15 12:37:24.559: [18]PPPoE 15: data path set to PPP *Nov 15 12:37:24.563: ppp18 LCP: I CONFREQ [REQsent] id 1 len 14 *Nov 15 12:37:24.563: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:24.563: ppp18 LCP: MagicNumber 0x0023A93E (0x05060023A93E) *Nov 15 12:37:24.563: ppp18 LCP: O CONFACK [REQsent] id 1 len 14 *Nov 15 12:37:24.563: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:24.563: ppp18 LCP: MagicNumber 0x0023A93E (0x05060023A93E) *Nov 15 12:37:26.523: ppp18 LCP: I CONFREQ [ACKsent] id 2 len 14 *Nov 15 12:37:26.523: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:26.523: ppp18 LCP: MagicNumber 0x0023A93E (0x05060023A93E) *Nov 15 12:37:26.523: ppp18 LCP: O CONFACK [ACKsent] id 2 len 14 *Nov 15 12:37:26.527: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:26.527: ppp18 LCP: MagicNumber 0x0023A93E (0x05060023A93E) *Nov 15 12:37:26.575: ppp18 LCP: TIMEout: State ACKsent *Nov 15 12:37:26.575: ppp18 LCP: O CONFREQ [ACKsent] id 2 len 19 *Nov 15 12:37:26.575: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:26.575: ppp18 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:37:26.575: ppp18 LCP: MagicNumber 0xB0F8A971 (0x0506B0F8A971) *Nov 15 12:37:26.575: ppp18 LCP: I CONFACK [ACKsent] id 2 len 19 *Nov 15 12:37:26.575: ppp18 LCP: MRU 1492 (0x010405D4) *Nov 15 12:37:26.575: ppp18 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:37:26.575: ppp18 LCP: MagicNumber 0xB0F8A971 (0x0506B0F8A971) *Nov 15 12:37:26.575: ppp18 LCP: State is Open *Nov 15 12:37:26.575: ppp18 PPP: Phase is AUTHENTICATING, by this end *Nov 15 12:37:26.575: ppp18 CHAP: O CHALLENGE id 1 len 25 from "7200" *Nov 15 12:37:26.579: ppp18 CHAP: I RESPONSE id 1 len 38 from "nobody@example.com" Nov 15 12:37:26.579: ppp18 PPP: Phase is FORWARDING, Attempting Forward *Nov 15 12:37:26.579: SSS INFO: Element type is Unauth-User, string value is nobody@example.com *Nov 15 12:37:26.579: SSS INFO: Element type is AccIe-Hdl, ptr value is 5B000011 *Nov 15 12:37:26.579: SSS INFO: Element type is AAA-Id, long value is 19 Nov 15 12:37:26.579: SSS INFO: Element type is Access-Type, long value is 0 *Nov 15 12:37:26.579: SSS MGR [uid:18]: Handling Policy Authorize (1 pending sessions) *Nov 15 12:37:26.579: SSS PM [uid:18]: Received More Keys *Nov 15 12:37:26.579: SSS PM [uid:18]: Handling Authorization Check *Nov 15 12:37:26.579: SSS PM [uid:18]: Handling AAA service Authorization *Nov 15 12:37:26.579: SSS PM [uid:18]: Sending authorization request for 'example.com' *Nov 15 12:37:26.579: SSS AAA AUTHOR [uid:18]:Event <make request>, state changed from idle to authorizing *Nov 15 12:37:26.579: SSS AAA AUTHOR [uid:18]:Authorizing key example.com *Nov 15 12:37:26.579: SSS AAA AUTHOR [uid:18]:AAA request sent for key example.com *Nov 15 12:37:26.587: SSS AAA AUTHOR [uid:18]:Received an AAA failure *Nov 15 12:37:26.587: SSS AAA AUTHOR [uid:18]:Event <service not found>, state changed from authorizing to complete *Nov 15 12:37:26.587: SSS AAA AUTHOR [uid:18]:No service authorization info found *Nov 15 12:37:26.587: SSS AAA AUTHOR [uid:18]:Event <free request>, state changed from complete to terminal *Nov 15 12:37:26.587: SSS AAA AUTHOR [uid:18]:Free request *Nov 15 12:37:26.587: SSS PM [uid:18]: Handling Next Authorization Check *Nov 15 12:37:26.587: SSS PM [uid:18]: Default policy: SGF author not needed *Nov 15 12:37:26.587: SSS PM [uid:18]: Handling Default Service *Nov 15 12:37:26.587: SSS PM [uid:18]: Policy reply - Local terminate *Nov 15 12:37:26.591: SSS MGR [uid:18]: Got reply Local-Term from PM *Nov 15 12:37:26.591: SSS MGR [uid:18]: Handling Send-Client-Local-Term event *Nov 15 12:37:26.591: ppp18 PPP: Phase is AUTHENTICATING, Unauthenticated User Nov 15 12:37:26.595: ppp18 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed" *Nov 15 12:37:26.599: ppp18 PPP: Sending Acct Event[Down] id[13] *Nov 15 12:37:26.599: ppp18 PPP: Phase is TERMINATING *Nov 15 12:37:26.599: ppp18 LCP: O TERMREQ [Open] id 3 len 4 *Nov 15 12:37:26.599: ppp18 LCP: State is Closed *Nov 15 12:37:26.599: ppp18 PPP: Phase is DOWN *Nov 15 12:37:26.599: ppp18 PPP: Phase is TERMINATING *Nov 15 12:37:26.599: [18]PPPoE 15: State LCP_NEGO Event PPP_DISCNCT *Nov 15 12:37:26.599: [18]PPPoE 15: O PADT R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:37:26.599: [18]PPPoE 15: Destroying R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:37:26.599: [18]PPPoE 15: AAA account stopped *Nov 15 12:37:26.599: SSS MGR [uid:18]: Processing a client disconnect *Nov 15 12:37:26.599: SSS MGR [uid:18]: Handling Send-Service-Disconnect event
Troubleshooting the Subscriber Service Switch on the LAC--Authentication Failure Example
The following is sample output indicating call failure due to authentication failure at the LNS:
*Nov 15 12:45:02.067: PPPoE 0: I PADI R:0000.0c14.71d0 L:ffff.ffff.ffff 1/32 ATM4/0.132 *Nov 15 12:45:02.071: PPPoE 0: O PADO R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:45:02.071: PPPoE 0: I PADR R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:45:02.071: PPPoE : encap string prepared *Nov 15 12:45:02.071: [21]PPPoE 18: Access IE handle allocated *Nov 15 12:45:02.071: [21]PPPoE 18: pppoe SSS switch updated *Nov 15 12:45:02.071: PPPoE 18: AAA pppoe_aaa_acct_get_retrieved_attrs *Nov 15 12:45:02.071: [21]PPPoE 18: AAA pppoe_aaa_acct_get_nas_port_details *Nov 15 12:45:02.071: [21]PPPoE 18: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:45:02.071: [21]PPPoE 18: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:45:02.071: [21]PPPoE 18: AAA unique ID allocated *Nov 15 12:45:02.071: [21]PPPoE 18: No AAA accounting method list *Nov 15 12:45:02.071: [21]PPPoE 18: Service request sent to SSS *Nov 15 12:45:02.071: [21]PPPoE 18: Created R:00b0.c2e9.c870 L:0000.0c14.71d0 1/32 ATM4/0.132 *Nov 15 12:45:02.091: SSS INFO: Element type is Access-Type, long value is 3 *Nov 15 12:45:02.091: SSS INFO: Element type is Switch-Id, long value is 1946157076 *Nov 15 12:45:02.091: SSS INFO: Element type is Nasport, ptr value is 63B34170 *Nov 15 12:45:02.091: SSS INFO: Element type is AAA-Id, long value is 22 *Nov 15 12:45:02.091: SSS INFO: Element type is AccIe-Hdl, ptr value is 71000014 *Nov 15 12:45:02.091: SSS MGR [uid:21]: Handling Policy Authorize (1 pending sessions) *Nov 15 12:45:02.091: SSS PM [uid:21]: RM/VPDN disabled: RM/VPDN author not needed *Nov 15 12:45:02.091: SSS PM [uid:21]: Received Service Request *Nov 15 12:45:02.091: SSS PM [uid:21]: Handling Authorization Check *Nov 15 12:45:02.091: SSS PM [uid:21]: Policy requires 'Unauth-User' key *Nov 15 12:45:02.091: SSS PM [uid:21]: Policy reply - Need more keys *Nov 15 12:45:02.091: SSS MGR [uid:21]: Got reply Need-More-Keys from PM *Nov 15 12:45:02.091: SSS MGR [uid:21]: Handling More-Keys event *Nov 15 12:45:02.091: [21]PPPoE 18: State REQ_NASPORT Event MORE_KEYS *Nov 15 12:45:02.091: [21]PPPoE 18: O PADS R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:45:02.091: ppp21 PPP: Using default call direction *Nov 15 12:45:02.091: ppp21 PPP: Treating connection as a dedicated line *Nov 15 12:45:02.091: ppp21 PPP: Phase is ESTABLISHING, Active Open *Nov 15 12:45:02.091: ppp21 LCP: O CONFREQ [Closed] id 1 len 19 *Nov 15 12:45:02.091: ppp21 LCP: MRU 1492 (0x010405D4) *Nov 15 12:45:02.091: ppp21 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:45:02.091: ppp21 LCP: MagicNumber 0xB0FFA4D8 (0x0506B0FFA4D8) *Nov 15 12:45:02.091: [21]PPPoE 18: State START_PPP Event DYN_BIND *Nov 15 12:45:02.091: [21]PPPoE 18: data path set to PPP *Nov 15 12:45:02.095: ppp21 LCP: I CONFREQ [REQsent] id 1 len 14 *Nov 15 12:45:02.095: ppp21 LCP: MRU 1492 (0x010405D4 *Nov 15 12:45:02.095: ppp21 LCP: MagicNumber 0x002AA481 (0x0506002AA481) *Nov 15 12:45:02.095: ppp21 LCP: O CONFACK [REQsent] id 1 len 14 *Nov 15 12:45:02.095: ppp21 LCP: MRU 1492 (0x010405D4) *Nov 15 12:45:02.095: ppp21 LCP: MagicNumber 0x002AA481 (0x0506002AA481) *Nov 15 12:45:02.315: Tnl41436 L2TP: I StopCCN from rp1 tnl 31166 *Nov 15 12:45:02.315: Tnl41436 L2TP: Shutdown tunnel *Nov 15 12:45:02.315: Tnl41436 L2TP: Tunnel state change from no-sessions-left to idle *Nov 15 12:45:04.055: ppp21 LCP: I CONFREQ [ACKsent] id 2 len 14 *Nov 15 12:45:04.055: ppp21 LCP: MRU 1492 (0x010405D4) *Nov 15 12:45:04.059: ppp21 LCP: MagicNumber 0x002AA481 (0x0506002AA481) *Nov 15 12:45:04.059: ppp21 LCP: O CONFACK [ACKsent] id 2 len 14 *Nov 15 12:45:04.059: ppp21 LCP: MRU 1492 (0x010405D4) *Nov 15 12:45:04.059: ppp21 LCP: MagicNumber 0x002AA481 (0x0506002AA481) *Nov 15 12:45:04.079: ppp21 LCP: TIMEout: State ACKsent *Nov 15 12:45:04.079: ppp21 LCP: O CONFREQ [ACKsent] id 2 len 19 *Nov 15 12:45:04.079: ppp21 LCP: MRU 1492 (0x010405D4) *Nov 15 12:45:04.079: ppp21 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:45:04.079: ppp21 LCP: MagicNumber 0xB0FFA4D8 (0x0506B0FFA4D8) *Nov 15 12:45:04.079: ppp21 LCP: I CONFACK [ACKsent] id 2 len 19 *Nov 15 12:45:04.079: ppp21 LCP: MRU 1492 (0x010405D4) *Nov 15 12:45:04.079: ppp21 LCP: AuthProto CHAP (0x0305C22305) *Nov 15 12:45:04.079: ppp21 LCP: MagicNumber 0xB0FFA4D8 (0x0506B0FFA4D8) *Nov 15 12:45:04.079: ppp21 LCP: State is Open *Nov 15 12:45:04.079: ppp21 PPP: Phase is AUTHENTICATING, by this end *Nov 15 12:45:04.079: ppp21 CHAP: O CHALLENGE id 1 len 25 from "7200" *Nov 15 12:45:04.083: ppp21 CHAP: I RESPONSE id 1 len 38 from "nobody@example.com" *Nov 15 12:45:04.083: ppp21 PPP: Phase is FORWARDING, Attempting Forward *Nov 15 12:45:04.083: SSS INFO: Element type is Unauth-User, string value is nobody@example.com *Nov 15 12:45:04.083: SSS INFO: Element type is AccIe-Hdl, ptr value is 71000014 *Nov 15 12:45:04.083: SSS INFO: Element type is AAA-Id, long value is 22 *Nov 15 12:45:04.083: SSS INFO: Element type is Access-Type, long value is 0 *Nov 15 12:45:04.083: SSS MGR [uid:21]: Handling Policy Authorize (1 pending sessions) *Nov 15 12:45:04.083: SSS PM [uid:21]: Received More Keys *Nov 15 12:45:04.083: SSS PM [uid:21]: Handling Authorization Check *Nov 15 12:45:04.083: SSS PM [uid:21]: Handling AAA service Authorization *Nov 15 12:45:04.083: SSS PM [uid:21]: Sending authorization request for 'example.com' *Nov 15 12:45:04.083: SSS AAA AUTHOR [uid:21]:Event <make request>, state changed from idle to authorizing *Nov 15 12:45:04.083: SSS AAA AUTHOR [uid:21]:Authorizing key example.com *Nov 15 12:45:04.083: SSS AAA AUTHOR [uid:21]:AAA request sent for key example.com *Nov 15 12:45:04.095: SSS AAA AUTHOR [uid:21]:Received an AAA pass *Nov 15 12:45:04.095: SSS AAA AUTHOR [uid:21]:Event <found service>, state changed from authorizing to complete *Nov 15 12:45:04.095: SSS AAA AUTHOR [uid:21]:Found service info for key example.com *Nov 15 12:45:04.095: SSS AAA AUTHOR [uid:21]:Event <free request>, state changed from complete to terminal *Nov 15 12:45:04.095: SSS AAA AUTHOR [uid:21]:Free request *Nov 15 12:45:04.095: SSS PM [uid:21]: Handling Service Direction *Nov 15 12:45:04.095: SSS PM [uid:21]: Policy reply - Forwarding *Nov 15 12:45:04.095: SSS MGR [uid:21]: Got reply Forwarding from PM *Nov 15 12:45:04.099: SSS MGR [uid:21]: Handling Connect-Service event *Nov 15 12:45:04.099: VPDN CALL [uid:21]: Event connect req, state changed from idle to connecting *Nov 15 12:45:04.099: VPDN CALL [uid:21]: Requesting connection *Nov 15 12:45:04.099: VPDN CALL [uid:21]: Call request sent *Nov 15 12:45:04.099: VPDN MGR [uid:21]: Event client connect, state changed from idle to connecting *Nov 15 12:45:04.099: VPDN MGR [uid:21]: Initiating compulsory connection to 192.168.8.2 *Nov 15 12:45:04.099: Tnl/Sn31399/10 L2TP: Session FS enabled *Nov 15 12:45:04.099: Tnl/Sn31399/10 L2TP: Session state change from idle to wait-for-tunnel *Nov 15 12:45:04.099: uid:21 Tnl/Sn31399/10 L2TP: Create session *Nov 15 12:45:04.099: Tnl31399 L2TP: SM State idle *Nov 15 12:45:04.099: Tnl31399 L2TP: O SCCRQ *Nov 15 12:45:04.099: Tnl31399 L2TP: Control channel retransmit delay set to 1 seconds *Nov 15 12:45:04.099: Tnl31399 L2TP: Tunnel state change from idle to wait-ctl-reply *Nov 15 12:45:04.099: Tnl31399 L2TP: SM State wait-ctl-reply *Nov 15 12:45:04.099: [21]PPPoE 18: State LCP_NEGO Event PPP_FWDING *Nov 15 12:45:04.107: Tnl31399 L2TP: I SCCRP from rp1 *Nov 15 12:45:04.107: Tnl31399 L2TP: Got a challenge from remote peer, rp1 *Nov 15 12:45:04.107: Tnl31399 L2TP: Got a response from remote peer, rp1 *Nov 15 12:45:04.107: Tnl31399 L2TP: Tunnel Authentication success *Nov 15 12:45:04.107: Tnl31399 L2TP: Tunnel state change from wait-ctl-reply to established *Nov 15 12:45:04.107: Tnl31399 L2TP: O SCCCN to rp1 tnlid 9349 *Nov 15 12:45:04.107: Tnl31399 L2TP: Control channel retransmit delay set to 1 seconds *Nov 15 12:45:04.107: Tnl31399 L2TP: SM State established *Nov 15 12:45:04.107: uid:21 Tnl/Sn31399/10 L2TP: O ICRQ to rp1 9349/0 *Nov 15 12:45:04.107: [21]PPPoE 18: Access IE nas port called *Nov 15 12:45:04.107: uid:21 Tnl/Sn31399/10 L2TP: Session state change from wait-for-tunnel to wait-reply *Nov 15 12:45:04.115: uid:21 Tnl/Sn31399/10 L2TP: O ICCN to rp1 9349/13589 *Nov 15 12:45:04.115: Tnl31399 L2TP: Control channel retransmit delay set to 1 seconds *Nov 15 12:45:04.115: uid:21 Tnl/Sn31399/10 L2TP: Session state change from wait-reply to established *Nov 15 12:45:04.115: uid:21 Tnl/Sn31399/10 L2TP: VPDN session up *Nov 15 12:45:04.115: VPDN MGR [uid:21]: Event peer connected, state changed from connecting to connected *Nov 15 12:45:04.115: VPDN MGR [uid:21]: Succeed to forward nobody@example.com *Nov 15 12:45:04.115: VPDN MGR [uid:21]: accounting start sent *Nov 15 12:45:04.115: [21]PPPoE 18: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:45:04.115: [21]PPPoE 18: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:45:04.115: VPDN CALL [uid:21]: Event connect ok, state changed from connecting to connected *Nov 15 12:45:04.115: VPDN CALL [uid:21]: Connection succeeded *Nov 15 12:45:04.115: SSS MGR [uid:21]: Handling Service-Connected event *Nov 15 12:45:04.115: ppp21 PPP: Phase is FORWARDED, Session Forwarded *Nov 15 12:45:04.115: [21]PPPoE 18: State LCP_NEGO Event PPP_FWDED *Nov 15 12:45:04.115: [21]PPPoE 18: data path set to SSS Switch *Nov 15 12:45:04.119: [21]PPPoE 18: Connected Forwarded *Nov 15 12:45:04.119: ppp21 PPP: Process pending packets *Nov 15 12:45:04.139: uid:21 Tnl/Sn31399/10 L2TP: Result code(2): 2: Call disconnected, refer to error msg *Nov 15 12:45:04.139: Error code(6): Vendor specific *Nov 15 12:45:04.139: Optional msg: Locally generated disconnect *Nov 15 12:45:04.139: uid:21 Tnl/Sn31399/10 L2TP: I CDN from rp1 tnl 9349, cl 13589 01:06:21: %VPDN-6-CLOSED: L2TP LNS 192.168.8.2 closed user nobody@example.com; Result 2, Error 6, Locally generated disconnect *Nov 15 12:45:04.139: uid:21 Tnl/Sn31399/10 L2TP: disconnect (L2X) IETF: 18/host-request Ascend: 66/VPDN Local PPP Disconnect *Nov 15 12:45:04.139: uid:21 Tnl/Sn31399/10 L2TP: Destroying session *Nov 15 12:45:04.139: uid:21 Tnl/Sn31399/10 L2TP: Session state change from established to idle *Nov 15 12:45:04.139: VPDN MGR [uid:21]: Event peer disconnect, state changed from connected to disconnected *Nov 15 12:45:04.139: VPDN MGR [uid:21]: Remote disconnected nobody@example.com *Nov 15 12:45:04.139: VPDN MGR [uid:21]: accounting stop sent *Nov 15 12:45:04.139: Tnl31399 L2TP: Tunnel state change from established to no-sessions-left *Nov 15 12:45:04.143: Tnl31399 L2TP: No more sessions in tunnel, shutdown (likely) in 15 seconds *Nov 15 12:45:04.143: VPDN CALL [uid:21]: Event server disc, state changed from connected to disconnected *Nov 15 12:45:04.143: VPDN CALL [uid:21]: Server disconnected call *Nov 15 12:45:04.143: VPDN CALL [uid:21]: Event free req, state changed from disconnected to terminal *Nov 15 12:45:04.143: VPDN CALL [uid:21]: Free request *Nov 15 12:45:04.143: SSS MGR [uid:21]: Handling Send Client Disconnect *Nov 15 12:45:04.143: [21]PPPoE 18: State CNCT_FWDED Event SSS_DISCNCT *Nov 15 12:45:04.143: ppp21 PPP: Sending Acct Event[Down] id[16] *Nov 15 12:45:04.143: ppp21 PPP: Phase is TERMINATING *Nov 15 12:45:04.143: ppp21 LCP: State is Closed *Nov 15 12:45:04.143: ppp21 PPP: Phase is DOWN *Nov 15 12:45:04.143: [21]PPPoE 18: O PADT R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:45:04.143: [21]PPPoE 18: Destroying R:0000.0c14.71d0 L:00b0.c2e9.c870 1/32 ATM4/0.132 *Nov 15 12:45:04.143: [21]PPPoE 18: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:45:04.143: [21]PPPoE 18: AAA pppoe_aaa_acct_get_dynamic_attrs *Nov 15 12:45:04.143: [21]PPPoE 18: AAA account stopped *Nov 15 12:45:14.139: Tnl31399 L2TP: I StopCCN from rp1 tnl 9349 *Nov 15 12:45:14.139: Tnl31399 L2TP: Shutdown tunnel *Nov 15 12:45:14.139: Tnl31399 L2TP: Tunnel state change from no-sessions-left
Troubleshooting the Subscriber Service Switch on the LNS--Normal Operation Example
The following example shows the debug commands used and sample output indicating normal operation of the Subscriber Service Switch on the LNS:
Router# debug sss event Router# debug sss error Router# debug sss fsm Router# debug ppp negotiation Router# debug vpdn l2x-events Router# debug vpdn l2x-errors Router# debug vpdn sss events Router# debug vpdn sss errors Router# debug vpdn sss fsm SSS: SSS events debugging is on SSS error debugging is on SSS fsm debugging is on PPP: PPP protocol negotiation debugging is on VPN: L2X protocol events debugging is on L2X protocol errors debugging is on VPDN SSS events debugging is on VPDN SSS errors debugging is on VPDN SSS FSM debugging is on 3d17h: Tnl9264 L2TP: I ICRQ from server1 tnl 61510 3d17h: Tnl/Sn9264/13586 L2TP: Session FS enabled 3d17h: Tnl/Sn9264/13586 L2TP: Session state change from idle to wait-connect 3d17h: Tnl/Sn9264/13586 L2TP: New session created 3d17h: Tnl/Sn9264/13586 L2TP: O ICRP to server1 61510/7 3d17h: Tnl9264 L2TP: Control channel retransmit delay set to 1 seconds 3d17h: Tnl/Sn9264/13586 L2TP: I ICCN from server1 tnl 61510, cl 7 3d17h: nobody@example.com Tnl/Sn9264/13586 L2TP: Session state change from wait-connect to wait-for-service-selection 3d17h: VPDN SSS []: Event start sss, state changed from IDLE to SSS 3d17h: VPDN SSS [uid:707]: Service request sent to SSS 3d17h: SSS INFO: Element type is Access-Type, long value is 4 3d17h: SSS INFO: Element type is Switch-Id, long value is 1493172561 3d17h: SSS INFO: Element type is Tunnel-Name, string value is server1 3d17h: SSS INFO: Element type is Can-SIP-Redirect, long value is 1 3d17h: SSS INFO: Element type is AAA-Id, long value is 16726 3d17h: SSS INFO: Element type is AccIe-Hdl, ptr value is D1000167 3d17h: SSS MGR [uid:707]: Event service-request, state changed from wait-for-req to wait-for-auth 3d17h: SSS MGR [uid:707]: Handling Policy Authorize (1 pending sessions) 3d17h: SSS PM [uid:707]: RM/VPDN disabled: RM/VPDN author not needed 3d17h: SSS PM [uid:707]: Multihop disabled: AAA author not needed 3d17h: SSS PM [uid:707]: Multihop disabled: SGF author not needed 3d17h: SSS PM [uid:707]: No more authorization methods left to try, providing default service 3d17h: SSS PM [uid:707]: Received Service Request 3d17h: SSS PM [uid:707]: Event <found>, State: initial-req to end 3d17h: SSS PM [uid:707]: Handling Service Direction 3d17h: SSS PM [uid:707]: Policy reply - Local terminate 3d17h: SSS MGR [uid:707]: Got reply Local-Term from PM 3d17h: SSS MGR [uid:707]: Event policy-connect local, state changed from wait-for-auth to connected 3d17h: SSS MGR [uid:707]: Handling Send-Client-Local-Term event 3d17h: VPDN SSS [uid:707]: Event connect local, state changed from SSS to PPP 3d17h: ppp707 PPP: Phase is ESTABLISHING 3d17h: ppp707 LCP: I FORCED rcvd CONFACK len 15 3d17h: ppp707 LCP: MRU 1492 (0x010405D4) 3d17h: ppp707 LCP: AuthProto CHAP (0x0305C22305) 3d17h: ppp707 LCP: MagicNumber 0xB0EC4557 (0x0506B0EC4557) 3d17h: ppp707 LCP: I FORCED sent CONFACK len 10 3d17h: ppp707 LCP: MRU 1492 (0x010405D4) 3d17h: ppp707 LCP: MagicNumber 0x0017455D (0x05060017455D) 3d17h: ppp707 PPP: Phase is FORWARDING, Attempting Forward 3d17h: VPDN SSS [uid:707]: Event dyn bind resp, state changed from PPP to PPP 3d17h: ppp707 PPP: Phase is AUTHENTICATING, Unauthenticated User 3d17h: ppp707 PPP: Phase is FORWARDING, Attempting Forward 3d17h: VPDN SSS [uid:707]: Event connect local, state changed from PPP to PPP 3d17h: VPDN SSS [Vi4.2]: Event vaccess resp, state changed from PPP to PPP 3d17h: VPDN SSS [Vi4.2]: Event stat bind resp, state changed from PPP to CNCT 3d17h: Vi4.2 Tnl/Sn9264/13586 L2TP: Session state change from wait-for-service-selection to established 3d17h: Vi4.2 PPP: Phase is AUTHENTICATING, Authenticated User 3d17h: Vi4.2 CHAP: O SUCCESS id 1 len 4 3d17h: Vi4.2 PPP: Phase is UP 3d17h: Vi4.2 IPCP: O CONFREQ [Closed] id 1 len 10 3d17h: Vi4.2 IPCP: Address 172.16.0.0 (0x030681010000) 3d17h: Vi4.2 PPP: Process pending packets 3d17h: Vi4.2 IPCP: I CONFREQ [REQsent] id 1 len 10 3d17h: Vi4.2 IPCP: Address 10.0.0.0 (0x030600000000) 3d17h: Vi4.2 AAA/AUTHOR/IPCP: Start. Her address 10.0.0.0, we want 10.0.0.0 3d17h: Vi4.2 AAA/AUTHOR/IPCP: Done. Her address 10.0.0.0, we want 10.0.0.0 3d17h: Vi4.2 IPCP: Pool returned 10.1.1.3 3d17h: Vi4.2 IPCP: O CONFNAK [REQsent] id 1 len 10 3d17h: Vi4.2 IPCP: Address 10.1.1.3 (0x03065B010103) 3d17h: Vi4.2 IPCP: I CONFACK [REQsent] id 1 len 10 3d17h: Vi4.2 IPCP: Address 172.16.0.0 (0x030681010000) 3d17h: Vi4.2 IPCP: I CONFREQ [ACKrcvd] id 2 len 10 3d17h: Vi4.2 IPCP: Address 10.1.1.3 (0x03065B010103) 3d17h: Vi4.2 IPCP: O CONFACK [ACKrcvd] id 2 len 10 3d17h: Vi4.2 IPCP: Address 10.1.1.3 (0x03065B010103) 3d17h: Vi4.2 IPCP: State is Open 3d17h: Vi4.2 IPCP: Install route to 10.1.1.3
Troubleshooting the Subscriber Service Switch on the LNS--Tunnel Failure Example
The following is sample output indicating tunnel failure on the LNS:
3d17h: L2TP: I SCCRQ from server1 tnl 31399 3d17h: Tnl9349 L2TP: Got a challenge in SCCRQ, server1 3d17h: Tnl9349 L2TP: New tunnel created for remote server1, address 192.168.8.1 3d17h: Tnl9349 L2TP: O SCCRP to server1 tnlid 31399 3d17h: Tnl9349 L2TP: Control channel retransmit delay set to 1 seconds 3d17h: Tnl9349 L2TP: Tunnel state change from idle to wait-ctl-reply 3d17h: Tnl9349 L2TP: I SCCCN from server1 tnl 31399 3d17h: Tnl9349 L2TP: Got a Challenge Response in SCCCN from server1 3d17h: Tnl9349 L2TP: Tunnel Authentication success 3d17h: Tnl9349 L2TP: Tunnel state change from wait-ctl-reply to established 3d17h: Tnl9349 L2TP: SM State established 3d17h: Tnl9349 L2TP: I ICRQ from server1 tnl 31399 3d17h: Tnl/Sn9349/13589 L2TP: Session FS enabled 3d17h: Tnl/Sn9349/13589 L2TP: Session state change from idle to wait-connect 3d17h: Tnl/Sn9349/13589 L2TP: New session created 3d17h: Tnl/Sn9349/13589 L2TP: O ICRP to server1 31399/10 3d17h: Tnl9349 L2TP: Control channel retransmit delay set to 1 seconds 3d17h: Tnl/Sn9349/13589 L2TP: I ICCN from server1 tnl 31399, cl 10 3d17h: nobody@example.com Tnl/Sn9349/13589 L2TP: Session state change from wait-connect to wait-for-service-selection 3d17h: VPDN SSS []: Event start sss, state changed from IDLE to SSS 3d17h: VPDN SSS [uid:709]: Service request sent to SSS 3d17h: SSS INFO: Element type is Access-Type, long value is 4 3d17h: SSS INFO: Element type is Switch-Id, long value is -1912602284 3d17h: SSS INFO: Element type is Tunnel-Name, string value is server1 3d17h: SSS INFO: Element type is Can-SIP-Redirect, long value is 1 3d17h: SSS INFO: Element type is AAA-Id, long value is 16729 3d17h: SSS INFO: Element type is AccIe-Hdl, ptr value is 8D00016A 3d17h: SSS MGR [uid:709]: Event service-request, state changed from wait-for-req to wait-for-auth 3d17h: SSS MGR [uid:709]: Handling Policy Authorize (1 pending sessions) 3d17h: SSS PM [uid:709]: RM/VPDN disabled: RM/VPDN author not needed 3d17h: SSS PM [uid:709]: Multihop disabled: AAA author not needed 3d17h: SSS PM [uid:709]: Multihop disabled: SGF author not needed d17h: SSS PM [uid:709]: No more authorization methods left to try, providing default service 3d17h: SSS PM [uid:709]: Received Service Request 3d17h: SSS PM [uid:709]: Event <found>, State: initial-req to end 3d17h: SSS PM [uid:709]: Handling Service Direction 3d17h: SSS PM [uid:709]: Policy reply - Local terminate 3d17h: SSS MGR [uid:709]: Got reply Local-Term from PM 3d17h: SSS MGR [uid:709]: Event policy-connect local, state changed from wait-for-auth to connected 3d17h: SSS MGR [uid:709]: Handling Send-Client-Local-Term event 3d17h: VPDN SSS [uid:709]: Event connect local, state changed from SSS to PPP 3d17h: ppp709 PPP: Phase is ESTABLISHING 3d17h: ppp709 LCP: I FORCED rcvd CONFACK len 15 3d17h: ppp709 LCP: MRU 1492 (0x010405D4) 3d17h: ppp709 LCP: AuthProto CHAP (0x0305C22305) 3d17h: ppp709 LCP: MagicNumber 0xB0FFA4D8 (0x0506B0FFA4D8) 3d17h: ppp709 LCP: I FORCED sent CONFACK len 10 3d17h: ppp709 LCP: MRU 1492 (0x010405D4) 3d17h: ppp709 LCP: MagicNumber 0x002AA481 (0x0506002AA481) 3d17h: ppp709 PPP: Phase is FORWARDING, Attempting Forward 3d17h: VPDN SSS [uid:709]: Event dyn bind resp, state changed from PPP to PPP 3d17h: ppp709 PPP: Phase is AUTHENTICATING, Unauthenticated User 3d17h: ppp709 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed" 3d17h: ppp709 PPP: Sending Acct Event[Down] id[4159] 3d17h: ppp709 PPP: Phase is TERMINATING 3d17h: ppp709 LCP: O TERMREQ [Open] id 1 len 4 3d17h: ppp709 LCP: State is Closed 3d17h: ppp709 PPP: Phase is DOWN 3d17h: ppp709 PPP: Phase is TERMINATING 3d17h: VPDN SSS [uid:709]: Event peer disc, state changed from PPP to DSC 3d17h: nobody@example.com Tnl/Sn9349/13589 L2TP: disconnect (AAA) IETF: 17/user-error Ascend: 26/PPP CHAP Fail 3d17h: nobody@example.com Tnl/Sn9349/13589 L2TP: O CDN to server1 31399/10 3d17h: Tnl9349 L2TP: Control channel retransmit delay set to 1 seconds 3d17h: nobody@example.com Tnl/Sn9349/13589 L2TP: Destroying session 3d17h: nobody@example.com Tnl/Sn9349/13589 L2TP: Session state change from wait-for-service-selection to idle 3d17h: VPDN SSS [uid:709]: Event vpdn disc, state changed from DSC to END 3d17h: Tnl9349 L2TP: Tunnel state change from established to no-sessions-left 3d17h: Tnl9349 L2TP: No more sessions in tunnel, shutdown (likely) in 10 seconds 3d17h: SSS MGR [uid:709]: Processing a client disconnect 3d17h: SSS MGR [uid:709]: Event client-disconnect, state changed from connected to end 3d17h: SSS MGR [uid:709]: Handling Send-Service-Disconnect event 3d17h: Tnl9349 L2TP: O StopCCN to server1 tnlid 31399 3d17h: Tnl9349 L2TP: Control channel retransmit delay set to 1 seconds 3d17h: Tnl9349 L2TP: Tunnel state change from no-sessions-left to shutting-down 3d17h: Tnl9349 L2TP: Shutdown tunnel
Where to Go Next
If you want to establish PPPoE session limits for sessions on a specific permanent virtual circuit or VLAN configured on an L2TP access concentrator, refer to the "Establishing PPPoE Session Limits per NAS Port" module.
If you want to use service tags to enable a PPPoE server to offer PPPoE clients a selection of service during call setup, refer to the "Offering PPPoE Clients a Selection of Services During Call Setup" module.
If you want to enable an L2TP access concentrator to relay active discovery and service selection functionality for PPPoE over a L2TP control channel to an LNS or tunnel switch, refer to the "Enabling PPPoE Relay Discovery and Service Selection Functionality" module.
If you want to configure a transfer upstream of the PPPoX session speed value, refer to the "Configuring Upstream Connections Speed Transfer" module.
If you want to use the Simple Network Management Protocol (SNMP) to monitor PPPoE sessions, refer to the "Monitoring PPPoE Sessions with SNMP" module.
If you want to identify a physical subscribe line for RADIUS communication with a RADIUS server, refer to the "Identifying a Physical Subscriber Line for RADIUS Access and Accounting" module.
If you want to configure a Cisco Subscriber Service Switch, see the "Configuring Cisco Subscriber Service Switch Policies" module.
Additional References
The following sections provide references related to configuring Cisco Subscriber Service Switch policies.
Related Documents
Related Topic |
Document Title |
---|---|
Broadband access aggregation concepts |
Understanding Broadband Access Aggregation module |
Tasks for preparing for broadband access aggregation. |
Preparing for Broadband Access Aggregation module |
Broadband access commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
Cisco IOS Broadband Access Aggregation and DSL Command Reference |
Configuration procedure for PPPoE. |
Providing Protocol Support for Broadband Access Aggregation of PPPoE Sessions |
Configuration procedures for PPPoA. |
Providing Protocol Support for Broadband Access Aggregation of PPP over ATM Sessions |
Standards
Standards |
Title |
---|---|
None |
-- |
MIBs
MIBs |
MIBs Link |
---|---|
None |
To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFCs |
Title |
---|---|
RFC 2661 |
Layer Two Tunneling Protocol L2TP |
RFC 2341 |
Cisco Layer Two Forwarding (Protocol) L2F |
RFC 2516 |
A Method for Transmitting PPP Over Ethernet (PPPoE) (PPPoE Discovery) |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Configuring a Subscriber Service Switch Policy
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Configuration Information |
---|---|---|
Subscriber Service Switch
|
Cisco IOS XE Release 2.1 |
The Subscriber Service Switch provides the framework for the management and scalability of PPP sessions that are switched from one virtual PPP link to another. It gives Internet service providers (ISPs) the flexibility to determining which services to provide to subscribers, the number of subscribers, and how to define the services. The primary purpose of the Subscriber Service Switch is to direct PPP from one point to another using a Layer 2 subscriber policy. This feature was integrated into Cisco IOS XE Release 2.1. |