b.turnbow at twt
Jun 15, 2012, 7:31 AM
Post #10 of 13
> Thanks for the reply.
> What I noticed today was,
> I tried to authenticate one vrf-enabled l2tp session and one global (no-
> The one with VRF can't authenticate. Giving me the error of "LNS no
> resources for user..."
> But the one with no-vrf was able to authenticate successfully.
The below config only shows one virtual template; do you have a second for the VRF?
I believe you need to differentiate.
> My tcpdump on the radius server says Authentication Request, and
> Authentication Accept.
> Router debug also shows CHAP login response is PASS.
> I tried also using my other LNS (NPE-G1) and any vrf-enabled session is
> Both VRF-enabled and Global L2tp session terminates on the same vpdn-group.
> I have similar config on both LNS routers.
> Here's my LNS config:
> vpdn-group 1
> protocol l2tp
> virtual-template 1
> terminate-from hostname LNS1
> source-ip x.x.x.x
> local name ABC
> lcp renegotiation on-mismatch
> l2tp tunnel password 7 09123456
> l2tp tunnel timeout no-session 600
> ip tos reflect
> interface Virtual-Template1
> mtu 1462
> ip unnumbered Loopback0
> ip tcp adjust-mss 1422
> peer default ip address pool LNSPool
> keepalive 60
> ppp authentication chap radius-ppp
> Here's the debug ppp/aaa/vpdn output:
> Jun 15 09:34:07.823: VPDN Received L2TUN socket message Incoming
> Jun 15 09:34:07.823: AAA/BIND(000001E7): Bind i/f
> Jun 15 09:34:07.823: VPDN uid:393 L2TUN socket session accept requested
> Jun 15 09:34:07.823: VPDN uid:393 Setting up dataplane for L2-L2, no idb
> Jun 15 09:34:07.827: VPDN Received L2TUN socket message Connected
> Jun 15 09:34:07.827: AAA/BIND(000001E7): Bind i/f Virtual-Template1
> Jun 15 09:34:07.827: VPDN uid:393 VPDN session up
> Jun 15 09:34:07.831: AAA/AUTHEN/PPP (000001E7): Pick method list 'radius-ppp'
> Jun 15 09:34:07.831: ppp393 PPP: Sent CHAP LOGIN Request
> Jun 15 09:34:07.831: ppp393 PPP: Received LOGIN Response PASS
> Jun 15 09:34:07.835: VPDN uid:393 disconnect (L2X) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Jun 15 09:34:07.835: VPDN uid:393 vpdn shutdown session, result=4, error=4, vendor_err=0, syslog_error_code=15, syslog_key_type=1
> Jun 15 09:34:07.835: %VPDN-3-NORESOURCE: L2TP LNS no resources for user xyz [at] test; Result 4, Error 4, SSS Manager disconnected session
> Jun 15 09:34:07.835: VPDN uid:393 VPDN/AAA: accounting stop sent
> Jun 15 09:34:07.835: ppp393 CHAP: O FAILURE id 1 len 26 msg is "Authentication
> From: Oliver Boehmer (oboehmer) <oboehmer [at] cisco>
> To: ar <ar_djp [at] yahoo>; Tim Warnock <timoid [at] timoid>
> Cc: cisco-nsp <cisco-nsp [at] puck>
> Sent: Friday, June 15, 2012 7:19 PM
> Subject: RE: [c-nsp] LNS Error %VPDN-3-NORESOURCE:
> > I tried SRE6 already.
> > I got the same error.
> > Unfortunately I don't have any TAC support for this box.
> > Could this be a possible NPE-G2 problem?
> > #sho ver
> > Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version 12.2(33)SRE6, RELEASE SOFTWARE (fc1)
> > Jun 14 23:10:54.455: ppp76 PPP: Sent CHAP LOGIN Request
> > Jun 14 23:10:54.455: ppp76 PPP: Received LOGIN Response PASS
> > Jun 14 23:10:54.459: %VPDN-3-NORESOURCE: L2TP LNS LNS1 no resources for user test [at] xyz; Result 4, Error 4, SSS Manager disconnected session
> > Jun 14 23:10:54.459: ppp76 CHAP: O FAILURE id 1 len 26 msg is "Authentication failure"
> don't think this is related to the platform, some debugs are in order to
> find out what's happening (my l2tp/vpdn skills are a bit rusty, though
> debug radius
> debug aaa author
> debug aaa per-user
> debug vpdn event
> debug vpdn error
> debug vpdn l2x-ev
> debug vpdn l2x-er
> debug vpdn sss err
> debug vpdn sss ev
> can you share the full configs of both devices offline/unicast?
> cisco-nsp mailing list cisco-nsp [at] puck
> archive at http://puck.nether.net/pipermail/cisco-nsp/