Contents
- VPDN Tunnel Management
- Finding Feature Information
- Prerequisites for VPDN Tunnel Management
- Information About VPDN Tunnel Management
- Termination of VPDN Tunnels
- VPDN Session Limits
- Control Packet Parameters for VPDN Tunnels
- L2TP Congestion Avoidance
- How L2TP Congestion Avoidance Works
- VPDN Extended Failover
- How VPDN Extended Failover Works
- Failover Through an LTS
- VPDN Event Logging
- How to Manage VPDN Tunnels
- Manually Terminating VPDN Tunnels
- Enabling Soft Shutdown of VPDN Tunnels
- Verifying the Soft Shutdown of VPDN Tunnels
- Limiting the Number of Allowed Simultaneous VPDN Sessions
- Restrictions
- Configuring Global VPDN Session Limits
- Configuring VPDN Session Limits in a VPDN Template
- Configuring Session Limits for a VPDN Group
- Verifying VPDN Session Limits
- Configuring L2TP Control Packet Parameters for VPDN Tunnels
- Configuring L2F Control Packet Parameters for VPDN Tunnels
- Configuring L2TP Congestion Avoidance
- Configuring VPDN Failure Event Logging
- Enabling Generic VPDN Event Logging
- Configuration Examples for VPDN Tunnel Management
- Example Manually Terminating VPDN Tunnels
- Example Enabling Soft Shutdown of VPDN Tunnels
- Examples Configuring VPDN Session Limits
- Example Verifying Session Limits for a VPDN Group
- Example Configuring L2F Control Packet Timers and Retry Counters for VPDN Tunnels
- Example Configuring L2TP Control Packet Timers and Retry Counters for VPDN Tunnels
- Example Configuring Verifying and Debugging L2TP Congestion Avoidance
- Example Configuring VPDN Failure Event Logging
- Examples Configuring Generic VPDN Event Logging
- Additional References
- Feature Information for VPDN Tunnel Management
VPDN Tunnel Management
This module contains information about managing virtual private dialup network (VPDN) tunnels and monitoring VPDN events. The tasks documented in this module should be performed only after configuring and deploying a VPDN.
- Finding Feature Information
- Prerequisites for VPDN Tunnel Management
- Information About VPDN Tunnel Management
- How to Manage VPDN Tunnels
- Configuration Examples for VPDN Tunnel Management
- Additional References
- Feature Information for VPDN Tunnel Management
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for VPDN Tunnel Management
Before you can perform the tasks in this module, you must configure a VPDN deployment. For an overview of VPDN deployments, see the VPDN Technology Overview module.
Information About VPDN Tunnel Management
- Termination of VPDN Tunnels
- VPDN Session Limits
- Control Packet Parameters for VPDN Tunnels
- L2TP Congestion Avoidance
- VPDN Extended Failover
- VPDN Event Logging
Termination of VPDN Tunnels
VPDN tunnels can be terminated manually or through a soft shutdown. Manual termination of a VPDN tunnel results in the immediate shutdown of the specified VPDN tunnel and all sessions within that tunnel, resulting in a sudden disruption of VPDN services. Enabling soft shutdown on a router prevents the establishment of new VPDN sessions in all VPDN tunnels that terminate on that router, but does not affect existing sessions. Opting to terminate a VPDN tunnel by enabling soft shutdown prevents the disruption of established sessions that occurs when a VPDN tunnel is manually terminated.
VPDN Session Limits
The number of simultaneous VPDN sessions that can be established on a router can be manually configured, providing network administrators more control over the network. VPDN session limits can increase performance and reduce latency for routers that are otherwise forced to operate at high capacity.
The maximum number of VPDN sessions can be configured globally, at the level of a VPDN group, or for all VPDN groups associated with a particular VPDN template.
The hierarchy for the application of VPDN session limits is as follows:
Globally configured session limits take precedence over session limits configured for a VPDN group or in a VPDN template. The total number of sessions on a router cannot exceed a configured global session limit.
Session limits configured for a VPDN template are enforced for all VPDN groups associated with that VPDN template. The total number of sessions for all of the associated VPDN groups cannot exceed the configured VPDN template session limit.
Session limits configured for a VPDN group are enforced for that VPDN group.
Control Packet Parameters for VPDN Tunnels
Certain control packet timers, retry counters, and the advertised control packet receive window size can be configured for Layer 2 Transport Protocol (L2TP) or Layer 2 Forwarding (L2F) VPDN tunnels. Adjustments to these parameters allow fine-tuning of router performance to suit the particular needs of the VPDN deployment.
L2TP Congestion Avoidance
L2TP congestion avoidance provides packet flow control and congestion avoidance by throttling L2TP control messages as described in RFC 2661. Throttling L2TP control message packets prevents input buffer overflows on the peer tunnel endpoint, which can result in dropped sessions.
Before the introduction of L2TP congestion avoidance, the window size used to send packets between the network access server (NAS) and the tunnel server was set to the value advertised by the peer endpoint and was never changed. Configuring L2TP congestion avoidance allows the L2TP packet window to be dynamically resized using a sliding window mechanism. The window size grows larger when packets are delivered successfully, and is reduced when dropped packets must be retransmitted.
L2TP congestion avoidance is useful in networks with a relatively high rate of calls being placed by either tunnel endpoint. L2TP congestion avoidance is also useful on highly scalable platforms that support many simultaneous sessions.
How L2TP Congestion Avoidance Works
TCP/IP and RFC 2661 define two algorithms--slow start and congestion avoidance--used to throttle control message traffic between a NAS and a tunnel server. Slow start and congestion avoidance are two independent algorithms that work together to control congestion. Slow start and congestion avoidance require that two variables, a slow start threshold (SSTHRESH) size and a congestion window (CWND) size, be maintained by the sending device for each connection.
The congestion window defines the number of packets that can be transmitted before the sender must wait for an acknowledgment from its peer. The size of the congestion window expands and contracts, but can never exceed the size of the peer device’s advertised receive window.
The slow start threshold defines the point at which the sending device switches operation from slow start mode to congestion avoidance mode. When the congestion window size is smaller than the slow start threshold, the device operates in slow start mode. When the congestion window size equals the slow start threshold, the device switches to congestion avoidance mode.
When a new connection is established, the sending device initially operates in slow start mode. The congestion window size is initialized to one packet, and the slow start threshold is set to the receive window size advertised by the peer tunnel endpoint (the receiving side).
The sending device begins by transmitting one packet and waiting for it to be acknowledged. When the acknowledgment is received, the congestion window size is incremented from one to two, and two packets can be sent. When those two packets are each acknowledged, the congestion window is increased to four. The congestion window doubles for each complete round trip, resulting in an exponential increase in size.
When the congestion window size reaches the slow start threshold value, the sending device switches over to operate in congestion avoidance mode. Congestion avoidance mode slows down the rate at which the congestion window size grows. In congestion avoidance mode, for every acknowledgment received the congestion window increases at the rate of 1 divided by the congestion window size. This results in linear, rather than exponential, growth of the congestion window size.
At some point, the capacity of the peer device will be exceeded and packets will be dropped. This indicates to the sending device that the congestion window has grown too large. When a retransmission event is detected, the slow start threshold value is reset to half of the current congestion window size, the congestion window size is reset to one, and the device switches operation to slow start mode (if it was not already operating in that mode).
VPDN Extended Failover
Before Cisco IOS Release 12.2(13)T, L2TP failover described only one scenario: During tunnel establishment, if a router sent a Start-Control-Connection-Request (SCCRQ) message a number of times and received no response from the peer, the router could then “fail over” to the IP address of another peer (if so configured) and attempt tunnel establishment with that peer.
Cisco IOS Release 12.2(13)T extended L2TP failover to accommodate these scenarios:
During tunnel establishment, a router receives a StopCCN message from its peer.
During session establishment, a router receives a CDN message from its peer.
In either case, the router marks the peer IP address as busy for 60 seconds during which no attempt to establish a session or tunnel will be made to that peer. The router then selects an alternate peer to contact. If a tunnel is already established to this alternate peer, the router uses the existing tunnel to bring up the new session. Otherwise, the router will send an SCCRQ message to the alternate peer to initiate tunnel establishment.
Beginning with Cisco IOS Release 12.2(31)ZV, the VPDN Extended Failover feature extends the Result Code and Error Code values to include all L2TP CDN result codes, generating a failover if the L2TP session is not established.
These L2TP CDN result codes are exceptions for failover because they are considered session-specific errors:
L2TP_RESULT_CDN_CARRIER_LOSS(1)
L2TP_RESULT_CDN_NO_CARRIER(7)
L2TP_RESULT_CDN__BUSY(8)
L2TP_RESULT_CDN_NO_DIAL_TONE(9)
L2TP_RESULT_CDN_TIMEOUT(10)
L2TP_RESULT_CDN_BAD_FRAMING(11)
How VPDN Extended Failover Works
The VPDN Extended Failover feature extends L2TP failover to occur if during tunnel establishment an LNS receives a StopCCN message from its peer or during session establishment an LNS receives a CDN message from its peer. In either case, the LNS selects an alternate peer to contact.
A Result Code attribute-value pair (AVP) is included in both the StopCCN and CDN control messages that indicates the reason for tunnel or session termination, respectively. This AVP might also include an optional Error Code, which further describes the nature of the termination. The various Result Code and Error Code values were standardized in RFC 2661.
Failover Through an LTS
The VPDN Extended Failover feature provides support for failover when using an L2TP Tunnel Switch (LTS) by using this error code:
L2TP_VENDOR_ERROR_GROUP_BUSY(6)
This error indicates that all of the IP addresses specified in the VPDN group are busy.
In addition, the IP address of the LNS or LTS is placed on the busy list, even when an L2TP session is established, when these CDN messages are received:
L2TP_RESULT_CDN_ERROR L2TP_ERROR_VENDOR_SPECIFIC L2TP_ERROR_VENDOR_GROUP_BUSY L2TP_ERROR_VENDOR_SLIMIT
VPDN Event Logging
There are two types of VPDN event logging available, VPDN failure event logging and generic VPDN event logging. The logging of VPDN failure events is enabled by default. Generic VPDN event logging is disabled by default, and must be explicitly enabled before generic event messages can be viewed.
How to Manage VPDN Tunnels
- Manually Terminating VPDN Tunnels
- Enabling Soft Shutdown of VPDN Tunnels
- Verifying the Soft Shutdown of VPDN Tunnels
- Limiting the Number of Allowed Simultaneous VPDN Sessions
- Verifying VPDN Session Limits
- Configuring L2TP Control Packet Parameters for VPDN Tunnels
- Configuring L2F Control Packet Parameters for VPDN Tunnels
- Configuring L2TP Congestion Avoidance
- Configuring VPDN Failure Event Logging
- Enabling Generic VPDN Event Logging
Manually Terminating VPDN Tunnels
Manual termination of a VPDN tunnel results in the immediate shutdown of the specified VPDN tunnel and all sessions within that tunnel, resulting in a sudden disruption of VPDN services. Before manually terminating a VPDN tunnel, consider performing the task in the Enabling Soft Shutdown of VPDN Tunnels instead.
A manually terminated VPDN tunnel can be restarted immediately when a user logs in. Manually terminating and restarting a VPDN tunnel while VPDN event logging is enabled can provide useful troubleshooting information about VPDN session establishment.
Perform this task to manually shut down a specific VPDN tunnel, resulting in the termination of the tunnel and all sessions in that tunnel. You can perform this task on these devices:
 Note | For Point-to-Point Tunneling Protocol (PPTP) tunnels and client-initiated L2TP tunnels, you can perform this task only on the tunnel server. |
1.
enable
DETAILED STEPS
Enabling Soft Shutdown of VPDN Tunnels
Enabling soft shutdown of VPDN tunnels on a router prevents the establishment of new VPDN sessions in all VPDN tunnels that terminate on that router, but does not affect existing sessions. Opting to terminate a VPDN tunnel by enabling soft shutdown prevents the disruption of established sessions that occurs when a VPDN tunnel is manually terminated. Enabling soft shutdown on a router or access server will affect all of the tunnels terminating on that device. There is no way to enable soft shutdown for a specific tunnel. If you want to shut down a specific tunnel on a device without affecting any other tunnels, perform the task in the Manually Terminating VPDN Tunnels instead.
When soft shutdown is performed on a NAS, the potential session will be authorized before it is refused. This authorization ensures that accurate accounting records can be kept.
When soft shutdown is performed on a tunnel server, the reason for the session refusal will be returned to the NAS. This information is recorded in the VPDN history failure table.
Note | Enabling soft shutdown of VPDN tunnels does not affect the establishment of Multichassis Multilink PPP (MMP) tunnels. |
Perform this task to prevent new sessions from being established in any VPDN tunnel terminating on the router without disturbing service for existing sessions. You can perform this task on these devices:
The tunnel server
The NAS when it is functioning as a tunnel endpoint
Note |
|
1.
enable
2.
configure
terminal
3.
vpdn
softshut
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 |
vpdn
softshut
Example: Router(config)# vpdn softshut |
Prevents new sessions from being established on a VPDN tunnel without disturbing existing sessions. |
Verifying the Soft Shutdown of VPDN Tunnels
Perform this task to ensure that soft shutdown is working properly.
1. Establish a VPDN session by dialing in to the NAS using an allowed username and password.
2.
enable
3.
configure
terminal
4.
vpdn
softshut
5.
exit
6.
show
vpdn
7. Attempt to establish a new VPDN session by dialing in to the NAS using a second allowed username and password.
8.
show
vpdn
history
failure
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | Establish a VPDN session by dialing in to the NAS using an allowed username and password. |
|
| Step 2 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 3 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
| Step 4 |
vpdn
softshut
Example: Router(config)# vpdn softshut |
Prevents new sessions from being established on a VPDN tunnel without disturbing existing sessions. You can issue this command on either the NAS or the tunnel server. |
| Step 5 |
exit
Example: Router(config)# exit |
Exits to privileged EXEC mode. |
| Step 6 |
show
vpdn
Example: Router# show vpdn |
Displays information about active L2TP or L2F tunnels and message identifiers in a VPDN. Issue this command to verify that the original session is active: |
| Step 7 | Attempt to establish a new VPDN session by dialing in to the NAS using a second allowed username and password. |
If soft shutdown has been enabled, a system logging (syslog) message appears on the console of the soft shutdown router. |
| Step 8 |
show
vpdn
history
failure
Example: Router# show vpdn history failure |
Displays the content of the history failure table. |
Limiting the Number of Allowed Simultaneous VPDN Sessions
The number of simultaneous VPDN sessions that can be established on a router can be manually configured, providing network administrators more control over the network. VPDN session limits can increase performance and reduce latency for routers that are otherwise forced to operate at high capacity.
The maximum number of VPDN sessions can be configured globally, at the level of a VPDN group, or for all VPDN groups associated with a particular VPDN template.
The hierarchy for the application of VPDN session limits is as follows:
Globally configured session limits take precedence over session limits configured for a VPDN group or in a VPDN template. The total number of sessions on a router cannot exceed a configured global session limit.
Session limits configured for a VPDN template are enforced for all VPDN groups associated with that VPDN template. The total number of sessions for all of the associated VPDN groups cannot exceed the configured VPDN template session limit.
Session limits configured for a VPDN group are enforced for that VPDN group.
For an example of the interactions of global, template-level, and group-level VPDN session limits, see the "Examples Configuring VPDN Session Limits" section.
Perform any or all of the following optional tasks to configure VPDN session limits:
You can perform these tasks on the NAS or the tunnel server.
- Restrictions
- Configuring Global VPDN Session Limits
- Configuring VPDN Session Limits in a VPDN Template
- Configuring Session Limits for a VPDN Group
Restrictions
For PPTP tunnels and client-initiated L2TP tunnels, you can perform these tasks only on the tunnel server.
Configuring Global VPDN Session Limits
Perform this task to limit the total number of VPDN sessions allowed on the router.
1.
enable
2.
configure
terminal
3.
vpdn
session-limit
sessions
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 |
vpdn
session-limit
sessions
Example: Router(config)# vpdn session-limit 6 |
Limits the number of simultaneous VPDN sessions globally on the router. |
Configuring VPDN Session Limits in a VPDN Template
Perform this task to configure a session limit in a VPDN template. The session limit is applied across all VPDN groups associated with the VPDN template.
A VPDN template must be configured. See the "Creating a VPDN Template" section in the "Configuring Additional VPDN Features" module.
If you configure a named VPDN template, you must associate the desired VPDN groups with the VPDN template. See the "Associating a VPDN Group with a VPDN Template" section in the "Configuring Additional VPDN Features" module.
1.
enable
2.
configure
terminal
3.
vpdn-template
[name]
4.
group
session-limit
sessions
DETAILED STEPS
Configuring Session Limits for a VPDN Group
Perform this task to limit the number of VPDN sessions at the VPDN group level.
1.
enable
2.
configure
terminal
3.
vpdn-group
name
4.
session-limit
number
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 |
vpdn-group
name
Example: Router(config)# vpdn-group 1 |
Creates a VPDN group and enters VPDN group configuration mode. |
| Step 4 |
session-limit
number
Example: Router(config-vpdn)# session-limit 2 |
Limits the number of sessions that are allowed through a specified VPDN group. |
Verifying VPDN Session Limits
Perform this task to ensure that VPDN sessions are being limited properly.
Note | If you use a Telnet session to connect to the NAS, enable the terminal monitor command, which ensures that your EXEC session is receiving the logging and debug output from the NAS. |
1.
enable
2.
configure
terminal
3.
vpdn
session-limit
sessions
4. Establish a VPDN session by dialing in to the NAS using an allowed username and password.
5. Attempt to establish a new VPDN session by dialing in to the NAS using a second allowed username and password.
6.
exit
7.
show
vpdn
history
failure
DETAILED STEPS
Configuring L2TP Control Packet Parameters for VPDN Tunnels
Control packet timers, retry counters, and the advertised control packet receive window size can be configured for L2TP VPDN tunnels. Adjustments to these parameters allow fine-tuning of router performance to suit the particular needs of the VPDN deployment.
Perform this task to configure control packet parameters if your VPDN configuration uses L2TP tunnels. The configuration of each parameter is optional. If a parameter is not manually configured, the default value will be used.
You can perform this task on these devices:
Load balancing must be enabled for the configuration of the l2tp tunnel retransmit initial timeout command or the l2tp tunnel retransmit initial retries command to have any effect.
Note | For client-initiated L2TP tunnels, you can perform this task only on the tunnel server. |
1.
enable
2.
configure
terminal
3.
vpdn-group
name
4.
l2tp
tunnel
hello
seconds
5.
l2tp
tunnel
receive
window
packets
6.
l2tp
tunnel
retransmit
retries
number
7.
l2tp
tunnel
retransmit
timeout
{min |
max}
seconds
8.
l2tp
tunnel
timeout
no-session
{seconds |
never}
9.
l2tp
tunnel
timeout
setup
seconds
10.
l2tp
tunnel
zlb
delay
seconds
11.
l2tp
tunnel
retransmit
initial
timeout
{min |
max}
seconds
12.
l2tp
tunnel
retransmit
initial
retries
number
13.
l2tp
tunnel
busy
timeout
seconds
DETAILED STEPS
Configuring L2F Control Packet Parameters for VPDN Tunnels
Certain control packet timers and retry counters can be configured for L2F VPDN tunnels. Adjustments to these parameters allow fine-tuning of router performance to suit the particular needs of the VPDN deployment.
Perform this task to configure control packet timers and retry counters if your VPDN configuration uses L2F tunnels. The configuration of each parameter is optional. If a parameter is not manually configured, the default values will be used.
You can perform this task on the NAS or the tunnel server.
Note | Load balancing must be enabled for the configuration of the l2f tunnel retransmit initial retries command to have any effect. |
1.
enable
2.
configure
terminal
3.
vpdn-group
name
4.
l2f
tunnel
timeout
setup
seconds
5.
l2f
tunnel
retransmit
initial
retries
number
6.
l2f
tunnel
busy
timeout
seconds
7.
l2f
tunnel
retransmit
retries
number
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode. | ||
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
| Step 3 |
vpdn-group
name
Example: Router(config)# vpdn-group group1 |
Creates a VPDN group and enters VPDN group configuration mode. | ||
| Step 4 |
l2f
tunnel
timeout
setup
seconds
Example: Router(config-vpdn)# l2f tunnel timeout setup 25 |
(Optional) Sets the amount of time that the router will wait for a confirmation message after sending out the initial control packet before considering a router busy. | ||
| Step 5 |
l2f
tunnel
retransmit
initial
retries
number
Example: Router(config-vpdn)# l2f tunnel retransmit initial retries 5 |
(Optional) Sets the number of times that the router will attempt to send the initial control packet for tunnel establishment before considering a router busy.
| ||
| Step 6 |
l2f
tunnel
busy
timeout
seconds
Example: Router(config-vpdn)# l2f tunnel busy timeout 90 |
(Optional) Configures the amount of time that the router will wait before attempting to recontact a router that was previously busy. | ||
| Step 7 |
l2f
tunnel
retransmit
retries
number
Example: Router(config-vpdn)# l2f tunnel retransmit retries 10 |
(Optional) Sets the number of times the router will attempt to resend tunnel control packets before tearing the tunnel down. |
Configuring L2TP Congestion Avoidance
Perform this task to configure L2TP congestion avoidance on a tunnel endpoint, allowing dynamic throttling of the L2TP control packet window size.
You can perform this task on these devices:
This task need be performed only on the sending device.
Note |
|
1.
enable
2.
configure
terminal
3.
l2tp
congestion-control
4.
exit
5.
show
vpdn
tunnel
l2tp
all
6.
debug
vpdn
l2x-events
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 |
l2tp
congestion-control
Example: Router(config)# l2tp congestion-control |
Enables L2TP congestion avoidance. |
| Step 4 |
exit
Example: Router(config)# exit |
Exits to privileged EXEC mode. |
| Step 5 |
show
vpdn
tunnel
l2tp
all
Example: Router# show vpdn tunnel l2tp all |
Displays information about all active L2TP VPDN tunnels. |
| Step 6 |
debug
vpdn
l2x-events
Example: Router(config)# debug vpdn l2x-events |
Displays troubleshooting information for protocol-specific VPDN tunneling events. |
Configuring VPDN Failure Event Logging
Logging of a failure event to the history table is triggered by event logging by the syslog facility. The syslog facility creates a history failure table, which keeps records of failure events. The table defaults to a maximum of 20 entries, but the size of the table can be configured to retain up to 50 entries.
Failure entries are kept chronologically in the history table. Each entry records the relevant information of a failure event. Only the most recent failure event per user, unique to its name and tunnel client ID (CLID), is kept. When the total number of entries in the table reaches the configured maximum table size, the oldest record is deleted and a new entry is added.
The logging of VPDN failure events to the VPDN history failure table is enabled by default. You need enable VPDN failure event logging only if it has been previously disabled. Perform this task to enable VPDN failure event logging, to configure the maximum number of entries the history failure table can hold, and to display and clear the contents of the VPDN history failure table.
1.
enable
2.
configure
terminal
3.
vpdn
history
failure
4.
vpdn
history
failure
table-size
entries
5.
exit
6.
show
vpdn
history
failure
7.
clear
vpdn
history
failure
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode. | ||
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
| Step 3 |
vpdn
history
failure
Example: Router(config)# vpdn history failure |
(Optional) Enables logging of VPDN failure events to the history failure table.
| ||
| Step 4 |
vpdn
history
failure
table-size
entries
Example: Router(config)# vpdn history failure table-size 50 |
(Optional) Sets the history failure table size.
| ||
| Step 5 |
exit
Example: Router# exit |
Exits to privileged EXEC mode. | ||
| Step 6 |
show
vpdn
history
failure
Example: Router# show vpdn history failure |
(Optional) Displays the contents of the history failure table. | ||
| Step 7 |
clear
vpdn
history
failure
Example: Router# clear vpdn history failure |
(Optional) Clears the contents of the history failure table. |
Enabling Generic VPDN Event Logging
Generic VPDN events are a mixture of error, warning, notification, and information reports logged by the syslog facility. When VPDN event logging is enabled locally or at a remote tunnel endpoint, VPDN event messages are printed to the console as the events occur. VPDN event messages can also be reported to a remote authentication, authorization, and accounting (AAA) server in a AAA vendor-specific attribute (VSA), allowing the correlation of VPDN call success rates with accounting records.
1.
enable
2.
configure
terminal
3.
vpdn
logging
[accounting |
local |
remote |
tunnel-drop |
user]
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode. | ||
| Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
| Step 3 |
vpdn
logging
[accounting |
local |
remote |
tunnel-drop |
user]
Example: Router(config)# vpdn logging remote |
(Optional) Enables the logging of generic VPDN events.
|
Configuration Examples for VPDN Tunnel Management
- Example Manually Terminating VPDN Tunnels
- Example Enabling Soft Shutdown of VPDN Tunnels
- Examples Configuring VPDN Session Limits
- Example Verifying Session Limits for a VPDN Group
- Example Configuring L2F Control Packet Timers and Retry Counters for VPDN Tunnels
- Example Configuring L2TP Control Packet Timers and Retry Counters for VPDN Tunnels
- Example Configuring Verifying and Debugging L2TP Congestion Avoidance
- Example Configuring VPDN Failure Event Logging
- Examples Configuring Generic VPDN Event Logging
Example Manually Terminating VPDN Tunnels
The following example manually terminates all L2TP tunnels that terminate on the router:
Router# clear vpdn tunnel l2tp all
The following example manually terminates the L2F tunnel with the tunnel ID 32:
Router# clear vpdn tunnel l2f id 32
Example Enabling Soft Shutdown of VPDN Tunnels
The following example enables soft shutdown of all VPDN tunnels that terminate on the device that the command is issue on:
Router# configure terminal Router(config)# vpdn softshut !The following syslog message will appear on the device whenever an attempt is made to !establish a new VPDN session after soft shutdown is enabled. ! 00:11:17:%VPDN-6-SOFTSHUT:L2TP HGW tunnelserver1 has turned on softshut and rejected user user2@cisco.com
Examples Configuring VPDN Session Limits
The following example configures a VPDN group named customer7 with a group-level session limit of 25. No more than 25 sessions can be associated with this VPDN group.
Router(config)# vpdn-group customer7 Router(config-vpdn)# session-limit 25
A VPDN template named customer4 is then created, and a session limit of 8 is configured at the VPDN template-level. Two VPDN groups are associated with the VPDN template, each with a VPDN group-level session limit of 5.
Router(config)# vpdn-template customer4 Router(config-vpdn-templ)# group session-limit 8 ! Router(config)# vpdn-group customer4_l2tp Router(config-vpdn)# source vpdn-template customer4 Router(config-vpdn)# session-limit 5 ! Router(config)# vpdn-group customer4_l2f Router(config-vpdn)# source vpdn-template customer4 Router(config-vpdn)# session-limit 5
With this configuration, if the VPDN group named customer4_l2tp has 5 active sessions, the VPDN group named customer4_l2f might establish only 3 sessions. The VPDN group named customer7 might still have up to 25 active sessions.
If a global limit of 16 VPDN sessions is also configured, the global limit takes precedence over the configured VPDN group and VPDN template session limits.
Router# configure terminal Router(config)# vpdn session-limit 16
The three VPDN groups will be able to establish a total of 16 sessions between them. For example, if the VPDN group named customer4_l2tp has the maximum allowable number of active sessions (5 sessions), and the VPDN group named customer4_l2f has 2 active sessions, the VPDN group named customer7 might establish only up to 9 sessions.
Example Verifying Session Limits for a VPDN Group
Example of the show vpdn group command output (with resource manager enabled)
The following example creates the VPDN group named l2tp and restricts it to three sessions. When resource manager is enable, the configured session limit is displayed when the show vpdn group command is issued.
Router# configure terminal Router(config)# vpdn-group l2tp Router(config-vpdn)# accept-dialin Router(config-vpdn-acc-in)# protocol l2tp Router(config-vpdn-acc-in)# virtual-template 5 Router(config-vpdn-acc-in)# exit Router(config-vpdn)# terminate-from hostname host1 Router(config-vpdn)# session-limit 3 Router(config-vpdn)# end Router# show vpdn group l2tp Tunnel (L2TP) ------ dnis:cg1 dnis:cg2 dnis:jan cisco.com Endpoint Session Limit Priority Active Sessions Status Reserved Sessions -------- ------------- -------- --------------- ------ ----------------- 172.21.9.67 3 1 0 OK - --------------- ------------- --------------- ----------------- Total * 0 0
Example of the show vpdn group command output for session-limit information on an LNS (with or without resource manager enabled)
The new display for show vpdn group provides group session-limit information on the LNS:
Router# show vpdn group VPDN group vg1 Group session limit 65535 Active sessions 1 Active tunnels 1 VPDN group vg2 Group session limit 65535 Active sessions 1 Active tunnels 1
Example Configuring L2F Control Packet Timers and Retry Counters for VPDN Tunnels
The following example configures all of the available L2F control packet timers and retry counters for the VPDN group named l2f:
Router# configure terminal
Router(config)# vpdn-group l2f
Router(config-vpdn)# l2f tunnel timeout setup 25 Router(config-vpdn)# l2f tunnel retransmit initial retries 5 Router(config-vpdn)# l2f tunnel busy timeout 90 Router(config-vpdn)# l2f tunnel retransmit retries 10
Example Configuring L2TP Control Packet Timers and Retry Counters for VPDN Tunnels
The following example configures custom values for all of the available L2TP control packet parameters for the VPDN group named l2tp:
Router# configure terminal
Router(config)# vpdn-group l2tp
Router(config-vpdn)# l2tp tunnel hello 90 Router(config-vpdn)# l2tp tunnel receive window 500 Router(config-vpdn)# l2tp tunnel retransmit retries 8 Router(config-vpdn)# l2tp tunnel retransmit timeout min 2 Router(config-vpdn)# l2tp tunnel timeout no-session 500 Router(config-vpdn)# l2tp tunnel timeout setup 25 Router(config-vpdn)# l2tp tunnel zlb delay 4 Router(config-vpdn)# l2tp tunnel retransmit initial timeout min 2 Router(config-vpdn)# l2tp tunnel retransmit initial retries 5 Router(config-vpdn)# l2tp tunnel busy timeout 90
Example Configuring Verifying and Debugging L2TP Congestion Avoidance
The following example configures a basic dial-in L2TP VPDN tunnel, sets the receive window size to 500 on the tunnel server (the receiving device), and enables L2TP congestion avoidance on the NAS (the sending device):
Tunnel Server Configuration
Router(config)# vpdn enable ! Router(config)# vpdn-group 1 Router(config-vpdn)# accept-dialin Router(config-vpdn-acc-in)# protocol l2tp Router(config-vpdn-acc-in)# virtual-template 1 ! Router(config-vpdn)# terminate from hostname NAS1 Router(config-vpdn)# l2tp tunnel receive-window 500
NAS Configuration
Router(config)# vpdn enable ! Router(config)# vpdn-group 1 Router(config-vpdn)# request-dialin Router(config-vpdn-req-in)# protocol l2tp Router(config-vpdn-req-in)# domain cisco.com ! Router(config-vpdn)# initiate-to ip 172.22.66.25 Router(config-vpdn)# local name NAS1 ! Router(config)# l2tp congestion-control
The following example shows L2TP tunnel activity, including the information that L2TP congestion control is enabled. Note that the slow start threshold is set to the same size as the remote receive window size. The Remote RWS value advertised by the remote peer is shown in the Remote RWS field. When the actual RWS value differs from the advertised value, the actual RWS value will be displayed as In Use Remote RWS <value>.
Router# show vpdn tunnel l2tp all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 30597 is up, remote id is 45078, 1 active sessions
Tunnel state is established, time since change 00:08:27
Tunnel transport is UDP (17)
Remote tunnel name is LAC1
Internet Address 172.18.184.230, port 1701
Local tunnel name is LNS1
Internet Address 172.18.184.231, port 1701
Tunnel domain unknown
VPDN group for tunnel is 1
L2TP class for tunnel is
4 packets sent, 3 received
194 bytes sent, 42 received
Last clearing of "show vpdn" counters never
Control Ns 2, Nr 4
Local RWS 1024 (default), Remote RWS 256
In Use Remote RWS 15
Control channel Congestion Control is enabled
Congestion Window size, Cwnd 3
Slow Start threshold, Ssthresh 256
Mode of operation is Slow Start
Tunnel PMTU checking disabled
Retransmission time 1, max 2 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 2
Current nosession queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Sessions disconnected due to lack of resources 0
Control message authentication is disabled
The following partial output from the debug vpdn l2x-events command shows that congestion occurred. The congestion window size and the slow start threshold have been reset due to a packet retransmission event.
Router# debug vpdn l2x-events ! *Jul 15 19:02:57.963: Tnl 47100 L2TP: Congestion Control event received is retransmission *Jul 15 19:02:57.963: Tnl 47100 L2TP: Congestion Window size, Cwnd 1 *Jul 15 19:02:57.963: Tnl 47100 L2TP: Slow Start threshold, Ssthresh 2 *Jul 15 19:02:57.963: Tnl 47100 L2TP: Remote Window size, 500 *Jul 15 19:02:57.963: Tnl 47100 L2TP: Control channel retransmit delay set to 4 seconds *Jul 15 19:03:01.607: Tnl 47100 L2TP: Update ns/nr, peer ns/nr 2/5, our ns/nr 5/2 !
The following partial output from the debug vpdn l2x-events command shows that traffic has been restarted with L2TP congestion avoidance operating in slow start mode.
Router# debug vpdn l2x-events ! *Jul 15 14:45:16.123: Tnl 30597 L2TP: Control channel retransmit delay set to 2 seconds *Jul 15 14:45:16.123: Tnl 30597 L2TP: Tunnel state change from idle to wait-ctl-reply *Jul 15 14:45:16.131: Tnl 30597 L2TP: Congestion Control event received is positive acknowledgement *Jul 15 14:45:16.131: Tnl 30597 L2TP: Congestion Window size, Cwnd 2 *Jul 15 14:45:16.131: Tnl 30597 L2TP: Slow Start threshold, Ssthresh 500 *Jul 15 14:45:16.131: Tnl 30597 L2TP: Remote Window size, 500 *Jul 15 14:45:16.131: Tnl 30597 L2TP: Congestion Ctrl Mode is Slow Start !
Example Configuring VPDN Failure Event Logging
The following example first disables and then reenables VPDN failure event logging, and sets the maximum number of entries in the VPDN history failure table to 50. The contents of the history failure table are displayed and then cleared.
Router# configure terminal Router(config)# no vpdn history failure Router(config)# vpdn history failure Router(config)# vpdn history failure table-size 50 Router(config)# end Router# show vpdn history failure ! Table size: 50 Number of entries in table: 1 User: user@cisco.com, MID = 1 NAS: isp, IP address = 172.21.9.25, CLID = 1 Gateway: hp-gw, IP address = 172.21.9.15, CLID = 1 Log time: 13:08:02, Error repeat count: 1 Failure type: The remote server closed this session Failure reason: Administrative intervention ! Router# clear vpdn history failure
Examples Configuring Generic VPDN Event Logging
The following example enables VPDN logging locally:
Router# configure terminal Router(config)# vpdn logging local
The following example disables VPDN event logging locally, enables VPDN event logging at the remote tunnel endpoint, and enables the logging of both VPDN user and VPDN tunnel-drop events to the remote router:
Router# configure terminal Router(config)# no vpdn logging local Router(config)# vpdn logging remote Router(config)# vpdn logging user Router(config)# vpdn logging tunnel-drop
The following example disables the logging of VPDN events at the remote tunnel endpoint, and enables the logging of VPDN event log messages to the AAA server:
Router# configure terminal Router(config)# no vpdn logging local Router(config)# no vpdn logging remote Router(config)# vpdn logging accounting
Additional References
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
VPDN commands |
Cisco IOS VPDN Command Reference |
|
VPDN technology overview |
VPDN Technology Overview module |
|
Technical support documentation for VPDNs |
Virtual Private Dial-up Network (VPDN) |
|
Dial Technologies commands |
Cisco IOS Dial Technologies Command Reference |
Standards
|
Standard |
Title |
|---|---|
|
TCP/IP; slow start and congestion avoidance algorithms |
TCP/IP Illustrated, Volume 1 , by W Richard Stevens |
MIBs
|
MIB |
MIBs Link |
|---|---|
|
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
RFC |
Title |
|---|---|
|
RFC 2341 |
Cisco Layer Two Forwarding (Protocol) L2F |
|
RFC 2637 |
Point-to-Point Tunneling Protocol (PPTP) |
|
RFC 2661 |
Layer Two Tunneling Protocol L2TP |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for VPDN Tunnel Management
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.|
Feature Name |
Software Releases |
Feature Configuration Information |
|---|---|---|
|
VPDN Extended Failover |
12.2(34)SB 12.2(31)ZV 12.2(33)SRE 12.2(33)XNE |
This feature enables a failover with an LNS, if the LNS receives a valid L2TP CDN or stopCNN message before the LNS establishes a session. |
|
L2TP Congestion Avoidance |
12.2(28)SB |
This feature provides packet flow control and congestion avoidance by throttling Layer 2 Transport Protocol (L2TP) control messages as described in RFC 2661. The following commands were introduced or modified by this feature: debug vpdn, l2tp congestion-control. |
|
Session Limit per VRF |
12.2(13)T |
This feature allows you to apply session limits on all VPDN groups associated with a common VPDN template. You can limit the number of VPDN sessions that terminate in a single VPN Routing and Forwarding (VRF) instance. The following commands were introduced or modified by this feature: group session-limit, source vpdn-template, vpdn-template. |
|
Timer and Retry Enhancements for L2TP and L2F |
12.2(4)T 12.2(28)SB |
This feature allows the user to configure certain adjustable timers and counters for L2TP and L2F. The following commands were introduced by this feature: l2f tunnel busy timeout, l2f tunnel retransmit initial retries, l2f tunnel retransmit retries, l2f tunnel timeout setup, l2tp tunnel busy timeout, l2tp tunnel retransmit initial retries, l2tp tunnel retransmit initial timeout. |
|
VPDN Group Session Limiting |
12.2(4)T 12.2(28)SB |
This feature allows the user to configure a limit on the number of L2F or L2TP VPDN sessions allowed for each VPDN group. The following command was introduced by this feature: session-limit (VPDN). |