Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

CCNA Exploration: Accessing the WAN Chapter 2 Case Study

advertisement 
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
Objectives:
Troubleshooting PPP (LCP negotiation).
Intro:
Redish Inc. Is experiencing problems with its VPN access structure and called you for help.
The Scenario:
Redish Inc has a Cisco router (VPN-RTR) which is responsible for terminating all VPN sessions from
remote users. Redish VPN structure uses PPP to encapsulate frames into a PPTP/GRE tunnel. The
relevant portion of Redish Topology is shown below:
Note: Even though PPTP and GRE tunnels are topics not fully covered up to this point in the course, the
knowledge of such protocols is not vital when studying this document. PPTP/GRE tunnel was only
mentioned here to build a more complete scenario. For more information on Cisco PPTP tunnels , please
refer to:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.s
html
Topology:
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
Step 1 – Identifying the problem
As you know, a virtual private network (VPN) is a computer network in which some of the links between
nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet). The
link-layer protocols of the virtual network are said to be tunneled through the larger network when this is
the case. One common application is secure communications through the public Internet, but a VPN need
not have explicit security features, such as authentication or content encryption. VPNs, for example, can
be used to separate the traffic of different user communities over an underlying network with strong
security features.
For some reason Redish Inc. VPN is not working. Remote users trying to establish a VPN connection
between their remote computers and VPN-RTR get an error back and no VPN is established.
Redish Helpdesk staff enabled a few debug commands on VPN-RTR and added the output to the reports
given to you. Since you have full debugs outputs on you, you decide to take a look at them before you go
to Redish main office.
The first thing that catches your eyes is an output of a debug ppp negotiation command. As stated on
the reports, Redish uses Point to Point Tunnel Protocol (PPTP) and Generic Routing Encapsulation
(GRE) to build a tunnel and Point to Point Protocol (PPP) to encapsulate the frames before sending them
through the built tunnel.
The first 12 lines of the debug ppp negotiation output reveal important information. The fact those 12
lines exist alone is already important. Such lines are shown below:
Output 1:
*May 28 22:05:26.143: ppp170 PPP: Send Message[Dynamic Bind Response]
*May 28 22:05:26.143: ppp170 PPP: Using vpn set call direction
*May 28 22:05:26.143: ppp170 PPP: Treating connection as a callin
*May 28 22:05:26.147: ppp170 PPP: Session handle[FD0000A8] Session id[170]
*May 28 22:05:26.147: ppp170 PPP: Phase is ESTABLISHING, Passive Open
*May 28 22:05:26.147: ppp170 LCP: State is Listen
*May 28 22:05:26.203: ppp170 LCP: I CONFREQ [Listen] id 0 len 21
*May 28 22:05:26.203: ppp170 LCP:
MRU 1400 (0x01040578)
*May 28 22:05:26.203: ppp170 LCP:
MagicNumber 0x24C667BB (0x050624C667BB)
*May 28 22:05:26.203: ppp170 LCP:
PFC (0x0702)
*May 28 22:05:26.203: ppp170 LCP:
ACFC (0x0802)
*May 28 22:05:26.203: ppp170 LCP:
Callback 6
(0x0D0306)
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
Question 1:
Why the existence of such 12 lines is so important?
Answer: A PPTP/GRE tunnel, while being established, creates two channels: a data and a control
channel. Redish employs PPP to encapsulate user data into the data channel. In PPTP tunnels, link-layer
data encapsulation protocol negotiation (in this case PPP) only happens after PPTP/GRE tunnel is
successfully established. The lines shown above show PPP-LCP already negotiating the link which
means the PPTP tunnel was successfully established.
Note: Even though Output 1, 2 and 3 are part of the same output, it was broken down in three parts to
facilitate the troubleshooting.
You decide to analyze the shown output and get even more important information:
The first highlighted line shows VPN-RTR is hosting a session (receiving a connection)
On the second highlighted line, PPP switches to establishing phase. LCP negotiation is about to begin.
On the third highlighted line LCP already took control and started the link parameters negotiation and
configuration.
You move to the next section of the output. Starting by the point where LCP first took control, the section
is shown below:
Output 2:
*May 28 22:05:26.147: ppp170 LCP: State is Listen
*May 28 22:05:26.203: ppp170 LCP: I CONFREQ [Listen] id 0 len 21
*May 28 22:05:26.203: ppp170 LCP:
MRU 1400 (0x01040578)
*May 28 22:05:26.203: ppp170 LCP:
MagicNumber 0x24C667BB (0x050624C667BB)
*May 28 22:05:26.203: ppp170 LCP:
PFC (0x0702)
*May 28 22:05:26.203: ppp170 LCP:
ACFC (0x0802)
*May 28 22:05:26.203: ppp170 LCP:
Callback 6
(0x0D0306)
*May 28 22:05:26.203: ppp170 LCP: O CONFREQ [Listen] id 1 len 15
*May 28 22:05:26.203: ppp170 LCP:
AuthProto MS-CHAP (0x0305C22380)
*May 28 22:05:26.203: ppp170 LCP:
MagicNumber 0x1A5E1754 (0x05061A5E1754)
*May 28 22:05:26.203: ppp170 LCP: O CONFREJ [Listen] id 0 len 7
*May 28 22:05:26.203: ppp170 LCP:
Callback 6
(0x0D0306)
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
*May 28 22:05:26.207: ppp170 LCP: I CONFNAK [REQsent] id 1 len 9
*May 28 22:05:26.207: ppp170 LCP:
AuthProto MS-CHAP-V2 (0x0305C22381)
*May 28 22:05:26.207: ppp170 LCP: O CONFREQ [REQsent] id 2 len 15
*May 28 22:05:26.207: ppp170 LCP:
AuthProto MS-CHAP (0x0305C22380)
*May 28 22:05:26.207: ppp170 LCP:
MagicNumber 0x1A5E1754 (0x05061A5E1754)
*May 28 22:05:26.219: ppp170 LCP: I CONFNAK [REQsent] id 2 len 9
*May 28 22:05:26.219: ppp170 LCP:
AuthProto MS-CHAP-V2 (0x0305C22381)
*May 28 22:05:26.219: ppp170 LCP: O CONFREQ [REQsent] id 3 len 15
*May 28 22:05:26.219: ppp170 LCP:
AuthProto MS-CHAP (0x0305C22380)
*May 28 22:05:26.219: ppp170 LCP:
MagicNumber 0x1A5E1754 (0x05061A5E1754)
The first highlighted line shows the router received an incoming (letter I) Configure-Request (CONFREQ)
from the client.
The following 5 indented lines represent the options supported and desired by the client:
-
MRU (Maximum Receive Unit) allows a peer to advertise its maximum receive unit
Magic Number is a random number used to detect error conditions such as looped back lines
PFC (Protocol Field Compression) indicates the client is able to receive compressed PPP
protocol fields
ACFC (Address and Control Fields Compression) indicates the client would like to receive PPP
frames without the leading HDLC address and control fields
Callback indicated the client supports callback feature. This feature allows the server to dial back
to a client and assume the costs of the call. Cisco routers don’t implement this feature.
Note: The hexadecimal numbers in parentheses are the actual values sent in the PPP frames’ fields.
The second highlighted line shows the router sent and outgoing (O) Configuration-Request to the client.
Once more the 2 following indented lines represent the options sent into the CONFREQ message:
-
AuthProto (authentication protocol) indicates the VPN server (the router) wants to use MS-CHAP
as authentication protocol.
MagicNumber generated by the server.
Right after this CONFREQ message, the server sends out an outgoing message (O) Configure-Reject
(CONFREJ) regarding a prior received CONFREQ. A CONFREJ message is used by LCP to indicate
which suggested options were not understood or are not supported.
The third highlighted line on output 2 shows the CONFREJ message and the following indented line the
parameters it carries.
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
In this case, the router VPN-RTR (a Cisco router) communicates to the client it doesn’t support the PPP
callback feature.
The fourth highlighted line in output 2 shows LCP in router receiving a Configuration Not-Acknowledged
(CONFNACK) message from the client. A CONFNACK message is used to communicate to the other
peer about a non-supported option and suggest a different an alternative.
In this case, the client uses a CONFNACK message to communicate MS-CHAP is not supported as
authentication protocol by it to the server while at the same time suggesting the use of MS-CHAP-V2
instead of MS-CHAP.
Question 2:
What is the main difference between a CONFREJ PPP message and a CONFNACK PPP message?
Answer: CONFREJ messages disagree about a specific parameter and don’t suggest an alternate
option. CONFNAK messages also disagree about parameters being negotiated but suggest an alternate
option.
On the fifth highlighted line the router VPN-RTR (the VPN server) send out an outgoing (O) CONFREQ
message, one more time indicating it want to use MS-CHAP as the authentication protocol.
On the sixth highlighted line of output 2 the client, once more, replies with a CONFNAK message
indicating it doesn’t support MS-CHAP and signals the client’s desire to use MS-CHAP-V2 as the
authentication protocol.
The rest of the output shows these messages being exchanged a few more times and since client and
server couldn’t find an authentication protocol they both simultaneously support, LCP finally terminates
the connection. Below is the portion of the output where LCP drops the connection:
Output 3:
*May 28 22:05:26.235: ppp170 LCP: O CONFREQ [ACKsent] id 10 len 15
*May 28 22:05:26.235: ppp170 LCP:
AuthProto MS-CHAP (0x0305C22380)
*May 28 22:05:26.235: ppp170 LCP:
MagicNumber 0x1A5E1754 (0x05061A5E1754)
*May 28 22:05:26.235: ppp170 LCP: I CONFNAK [ACKsent] id 10 len 9
*May 28 22:05:26.235: ppp170 LCP:
AuthProto MS-CHAP-V2 (0x0305C22381)
*May 28 22:05:26.235: ppp170 LCP: Failed to negotiate with peer
*May 28 22:05:26.235: ppp170 PPP: Sending Acct Event[Down] id[AE]
*May 28 22:05:26.235: ppp170 LCP: O TERMREQ [ACKsent] id 11 len 4
*May 28 22:05:26.235: ppp170 PPP: Phase is TERMINATING
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
*May 28 22:05:26.235: ppp170 LCP: I TERMACK [TERMsent] id 11 len 4
*May 28 22:05:26.235: ppp170 LCP: State is Closed
*May 28 22:05:26.239: ppp170 PPP: Phase is DOWN
*May 28 22:05:26.239: ppp170 PPP: Send Message[Disconnect]
Step 2 – The Solution
After analyzing the Redish Inc. reports, the problem becomes clear: The endpoints of the VPN connection
(server and client) are not able to find an authentication protocol which both ends support and the
connection is terminated.
When you get to Redish main office, you already know what the problem is. After a quick conversation
with Redish IT staff, you learn the rather have MS-CHAP-V2 than MS-CHAP running on their VPNs.
You connect your laptop to the VPN-RTR console port and change the authentication protocol configured
in the router. The commands are listed below for future reference:
VPN-RTR(config)# interface Virtual-Template1
VPN-RTR(config-if)# no ppp authentication ms-chap
VPN-RTR(config-if)# ppp authentication ms-chap-v2
Once the commands are entered you enable the command debug ppp negotiation again and try to
establish a VPN from your laptop. The VPN is successfully established this time. The output presented on
the console window is listed below for future reference:
*May 29 18:24:55.887: ppp7 PPP: Send Message[Dynamic Bind Response]
*May 29 18:24:55.887: ppp7 PPP: Using vpn set call direction
*May 29 18:24:55.887: ppp7 PPP: Treating connection as a callin
*May 29 18:24:55.887: ppp7 PPP: Session handle[3400000D] Session id[7]
*May 29 18:24:55.887: ppp7 PPP: Phase is ESTABLISHING, Passive Open
*May 29 18:24:55.887: ppp7 LCP: State is Listen
*May 29 18:24:55.895: ppp7 LCP: I CONFREQ [Listen] id 0 len 21
*May 29 18:24:55.895: ppp7 LCP:
MRU 1400 (0x01040578)
*May 29 18:24:55.895: ppp7 LCP:
MagicNumber 0x163B146D (0x0506163B146D)
*May 29 18:24:55.895: ppp7 LCP:
PFC (0x0702)
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
*May 29 18:24:55.895: ppp7 LCP:
ACFC (0x0802)
*May 29 18:24:55.895: ppp7 LCP:
Callback 6
(0x0D0306)
*May 29 18:24:55.895: ppp7 LCP: O CONFREQ [Listen] id 1 len 15
*May 29 18:24:55.895: ppp7 LCP:
AuthProto MS-CHAP-V2 (0x0305C22381)
*May 29 18:24:55.899: ppp7 LCP:
MagicNumber 0x1A77A3F9 (0x05061A77A3F9)
*May 29 18:24:55.899: ppp7 LCP: O CONFREJ [Listen] id 0 len 7
*May 29 18:24:55.899: ppp7 LCP:
Callback 6
(0x0D0306)
*May 29 18:24:55.899: ppp7 LCP: I CONFACK [REQsent] id 1 len 15
*May 29 18:24:55.899: ppp7 LCP:
AuthProto MS-CHAP-V2 (0x0305C22381)
*May 29 18:24:55.899: ppp7 LCP:
MagicNumber 0x1A77A3F9 (0x05061A77A3F9)
*May 29 18:24:55.899: ppp7 LCP: I CONFREQ [ACKrcvd] id 1 len 18
*May 29 18:24:55.899: ppp7 LCP:
MRU 1400 (0x01040578)
*May 29 18:24:55.899: ppp7 LCP:
MagicNumber 0x163B146D (0x0506163B146D)
*May 29 18:24:55.899: ppp7 LCP:
PFC (0x0702)
*May 29 18:24:55.899: ppp7 LCP:
ACFC (0x0802)
*May 29 18:24:55.899: ppp7 LCP: O CONFNAK [ACKrcvd] id 1 len 8
*May 29 18:24:55.899: ppp7 LCP:
MRU 1500 (0x010405DC)
*May 29 18:24:55.899: ppp7 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*May 29 18:24:55.899: ppp7 LCP:
MRU 1400 (0x01040578)
*May 29 18:24:55.903: ppp7 LCP:
MagicNumber 0x163B146D (0x0506163B146D)
*May 29 18:24:55.903: ppp7 LCP:
PFC (0x0702)
*May 29 18:24:55.903: ppp7 LCP:
ACFC (0x0802)
*May 29 18:24:55.903: ppp7 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*May 29 18:24:55.903: ppp7 LCP:
MRU 1500 (0x010405DC)
*May 29 18:24:55.903: ppp7 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*May 29 18:24:55.903: ppp7 LCP:
MRU 1500 (0x010405DC)
*May 29 18:24:55.903: ppp7 LCP:
MagicNumber 0x163B146D (0x0506163B146D)
*May 29 18:24:55.903: ppp7 LCP:
PFC (0x0702)
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
*May 29 18:24:55.903: ppp7 LCP:
ACFC (0x0802)
*May 29 18:24:55.903: ppp7 LCP: O CONFACK [ACKrcvd] id 3 len 18
*May 29 18:24:55.903: ppp7 LCP:
MRU 1500 (0x010405DC)
*May 29 18:24:55.903: ppp7 LCP:
MagicNumber 0x163B146D (0x0506163B146D)
*May 29 18:24:55.903: ppp7 LCP:
PFC (0x0702)
*May 29 18:24:55.903: ppp7 LCP:
ACFC (0x0802)
*May 29 18:24:55.903: ppp7 LCP: State is Open
*May 29 18:24:55.903: ppp7 PPP: Phase is AUTHENTICATING, by this end
*May 29 18:24:55.903: ppp7 MS-CHAP-V2: O CHALLENGE id 1 len 23 from "VPN-RTR"
*May 29 18:24:55.907: ppp7 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x163B146D M
SRASV5.10
*May 29 18:24:55.907: ppp7 LCP: I IDENTIFY [Open] id 5 len 29 magic 0x163B146D M
SRAS-0-RFLORIANO-CLI
*May 29 18:24:55.907: ppp7 MS-CHAP-V2: I RESPONSE id 1 len 61 from "rem-user1"
*May 29 18:24:55.907: ppp7 PPP: Phase is FORWARDING, Attempting Forward
*May 29 18:24:55.907: ppp7 PPP: Phase is AUTHENTICATING, Unauthenticated User
*May 29 18:24:55.923: ppp7 PPP: Phase is FORWARDING, Attempting Forward
*May 29 18:24:55.923: ppp7 PPP: Send Message[Connect Local]
*May 29 18:24:55.923: Vi3 PPP: Phase is DOWN, Setup
*May 29 18:24:55.927: ppp7 PPP: Bind to [Virtual-Access3]
*May 29 18:24:55.927: Vi3 PPP: Send Message[Static Bind Response]
*May 29 18:24:55.931: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state t
o up
*May 29 18:24:55.931: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
*May 29 18:24:55.931: Vi3 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=53DC7F42D6
75C5FA2A6BAFB30EAA0E9A0100B0A3"
*May 29 18:24:55.931: Vi3 PPP: Phase is UP
*May 29 18:24:55.931: Vi3 IPCP: O CONFREQ [Closed] id 1 len 10
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
*May 29 18:24:55.931: Vi3 IPCP:
Address 192.168.171.52 (0x0306C0A8AB34)
*May 29 18:24:55.931: Vi3 CCP: O CONFREQ [Closed] id 1 len 10
*May 29 18:24:55.931: Vi3 CCP:
MS-PPC supported bits 0x01000020 (0x1206010000
20)
*May 29 18:24:55.931: Vi3 PPP: Process pending ncp packets
*May 29 18:24:55.939: Vi3 CCP: I CONFREQ [REQsent] id 6 len 10
*May 29 18:24:55.939: Vi3 CCP:
MS-PPC supported bits 0x010000E1 (0x1206010000
E1)
*May 29 18:24:55.939: Vi3 CCP: O CONFNAK [REQsent] id 6 len 10
*May 29 18:24:55.939: Vi3 CCP:
MS-PPC supported bits 0x01000020 (0x1206010000
20)
*May 29 18:24:55.939: Vi3 CCP: I CONFACK [REQsent] id 1 len 10
*May 29 18:24:55.939: Vi3 CCP:
MS-PPC supported bits 0x01000020 (0x1206010000
20)
*May 29 18:24:55.939: Vi3 IPCP: I CONFREQ [REQsent] id 7 len 34
*May 29 18:24:55.939: Vi3 IPCP:
Address 0.0.0.0 (0x030600000000)
*May 29 18:24:55.939: Vi3 IPCP:
PrimaryDNS 0.0.0.0 (0x810600000000)
*May 29 18:24:55.939: Vi3 IPCP:
PrimaryWINS 0.0.0.0 (0x820600000000)
*May 29 18:24:55.939: Vi3 IPCP:
SecondaryDNS 0.0.0.0 (0x830600000000)
*May 29 18:24:55.939: Vi3 IPCP:
SecondaryWINS 0.0.0.0 (0x840600000000)
*May 29 18:24:55.939: Vi3 IPCP: Pool returned 10.0.0.1
*May 29 18:24:55.939: Vi3 IPCP: O CONFREJ [REQsent] id 7 len 28
*May 29 18:24:55.939: Vi3 IPCP:
PrimaryDNS 0.0.0.0 (0x810600000000)
*May 29 18:24:55.939: Vi3 IPCP:
PrimaryWINS 0.0.0.0 (0x820600000000)
*May 29 18:24:55.939: Vi3 IPCP:
SecondaryDNS 0.0.0.0 (0x830600000000)
*May 29 18:24:55.939: Vi3 IPCP:
SecondaryWINS 0.0.0.0 (0x840600000000)
*May 29 18:24:55.939: Vi3 IPCP: I CONFACK [REQsent] id 1 len 10
*May 29 18:24:55.939: Vi3 IPCP:
Address 192.168.171.52 (0x0306C0A8AB34)
© 2009 Cisco Learning Institute
CCNA Exploration: Accessing the WAN Chapter 2 Case Study
*May 29 18:24:55.943: Vi3 CCP: I CONFREQ [ACKrcvd] id 8 len 10
*May 29 18:24:55.943: Vi3 CCP:
MS-PPC supported bits 0x01000020 (0x1206010000
20)
*May 29 18:24:55.943: Vi3 CCP: O CONFACK [ACKrcvd] id 8 len 10
*May 29 18:24:55.943: Vi3 CCP:
MS-PPC supported bits 0x01000020 (0x1206010000
20)
*May 29 18:24:55.943: Vi3 CCP: State is Open
*May 29 18:24:55.943: Vi3 IPCP: I CONFREQ [ACKrcvd] id 9 len 10
*May 29 18:24:55.943: Vi3 IPCP:
Address 0.0.0.0 (0x030600000000)
*May 29 18:24:55.943: Vi3 IPCP: O CONFNAK [ACKrcvd] id 9 len 10
*May 29 18:24:55.943: Vi3 IPCP:
Address 10.0.0.1 (0x03060A000001)
*May 29 18:24:55.947: Vi3 IPCP: I CONFREQ [ACKrcvd] id 10 len 10
*May 29 18:24:55.947: Vi3 IPCP:
Address 10.0.0.1 (0x03060A000001)
*May 29 18:24:55.947: Vi3 IPCP: O CONFACK [ACKrcvd] id 10 len 10
*May 29 18:24:55.947: Vi3 IPCP:
Address 10.0.0.1 (0x03060A000001)
*May 29 18:24:55.947: Vi3 IPCP: State is Open
*May 29 18:24:55.947: Vi3 IPCP: Install route to 10.0.0.1
*May 29 18:24:56.931: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Ac
cess3, changed state to up
© 2009 Cisco Learning Institute
Related documents
Turning Aspirations into Actions
Turning Aspirations into Actions
Presentation Slides
Presentation Slides
lcp_update
lcp_update
Liquid Crystal Polymer (LCP) Substrates and Packages
Liquid Crystal Polymer (LCP) Substrates and Packages
The LCP ICU
The LCP ICU
Curriculum Map Year 3 - Our Lady of Lourdes RC Primary School
Curriculum Map Year 3 - Our Lady of Lourdes RC Primary School
Year 5
Year 5
medical ethical issues in the elderly
medical ethical issues in the elderly
Download
advertisement