Debugging a Virtual Access Service Managed Gateway

Transcription

1 Debugging a Virtual Access Service Managed Gateway Issue: 1.0 Date: 09 July 2013

2 Table of Contents 1 About this document Scope WAN connectivity ADSL Active data connections ADSL bandwidth DSL spectrum analyzer Line history PPP LCP Authentication IPCP MLPPP G modem Signal strength G status GSM status PSTN modem IPSec Phase I PFS Phase II Port forwarding Port forwarding using CLI Port forwarding using the web interface... 29

3 1: About this document 1 About this document 1.1 Scope This guide explains the various tools on a Service Managed Gateway (SMG) that will enable you to debug issues within the following features: WAN connectivity IPSec Port forwarding This document is for engineers who have previous experience configuring and managing SMG routers.

4 2 WAN connectivity Virtual Access routers enable WAN connections and other types of networks, so that users and devices in one location can communicate with users and devices in other locations. 2.1 ADSL Active data connections The Active Data Connections page shows the type of connection, IP address, ADSL rates and data uptime duration. The Duration field is a useful support tool as it shows how long the data connection has been up. From the Start page, click Status. In the Status menu, click Active Data Connections. The Active Data Connections page appears. Figure 1: The active data connections table ADSL bandwidth The ADSL bandwidth graph displays transmitted and received ADSL bandwidth in real time. This is useful for monitoring real-time usage of the WAN link. Note: you can only view ADSL bandwidth information if your router has an ADSL interface. In the Status menu, click ADSL Bandwidth. The ADSL Bandwidth page appears.

5 Figure 2: The ADSL bandwidth page Command line: sh stats adslbw Figure 3: Output for the command line sh stats adslbw DSL spectrum analyzer The DSL Line Spectrum is part of the ADSL service management support, which allows you to easily establish the source of a fault. The DSL Spectrum Analyzer provides a graphical real-time display of the line spectrum. This enables you to check for a good ADSL connection at the expected upload and download trained rates. It is also possible to upload the spectrum data so that a record of the line quality can be stored at installation. Then if there are problems the recorded spectrum can be compared to the current data. In the Status menu, select ADSL Line Spectrum. The ADSL Line Spectrum page appears.

6 Figure 4: The DSL spectrum analyzer page

7 Command line: show stats adsl adsl-0 Figure 5: Output of the command line show stats adsl Use the command show stats adsl-1 to view line 2 statistics. The ADSL Tx and Rx counters measure the number of transmitted and received packets on the ADSL interface. This view also contains FEC, HEC, CRC and BER error counters as well as detailed ADSL information. This information is critical in determining the quality of an ADSL circuit for VoIP. To view the ADSL Tx and Rx statistics, from the Start page, click Advanced-> Expert View. In the top menu, click Operations. In the Operations menu, click performance-> interface stats > adsl stats > statistics.

8 Figure 6: Output of view stats adsl Important elements to check are outlined below. ADSL mode: interleaved or fast as outlined above. Note that ADSL2+ circuits will always display fast. To determine if interleaved is on, check if FEC errors are incrementing Noise margin: the higher this value the better. This value is determined by the DSLAM SNR rate. The router will train the ADSL line according to this value. The lower the SNR, the higher the training rate but this may introduce excessive line errors which can be checked below. Attenuation: the lower this value the better. This value is an indication of the quality of a line. The further you are away from the exchange, the higher this

9 value will be and the possibly more loss experienced. Attenuation figures above 60dB will cause poor voice quality Error detection and correction: the number of CRC errors will indicate an error detection which required retransmission. The number of FECs will indicate the number of times the decoder detected an error and corrected it. HEC shows the number of error corrections in an ATM cell header. BER shows a ratio of error bits to transmitted bits Line history The Line History view gives a history of ADSL connectivity over a number of days. The applet displays in horizontal blocks of 24 for each hour of the day. You can use the zoom facility to view detailed information for any hour during that period. This tool is useful as the first stop in support. Support teams can view how long the ADSL has been active and how long it has been down, or both. You can also download this line history information in text format. In the Status menu, click Line History. The Line History page appears. Figure 7: The line history page To zoom in on any particular hour of any of the days displayed, either click the box and then click Zoom In, or double-click the box.

10 Downloaded line history appears in the following format. Interface Connection time adsl-0 08:34:13 adsl-0 08:34:25 adsl-0 22:34:55 adsl-0 22:35:08 adsl-0 08:09:01 Connection date Disconnection time Disconnection date Duration time Tx Speed Rx Speed Description Dec 25, :34:25 Dec 25, :00: Connection Lost Dec 25, :34:55 Dec 28, :00: Connection opened, G.DMT, Fast Dec 28, :35:08 Dec 28, :00: Connection Lost Dec 28, :09:01 Jan 01, :33: Connection opened, G.DMT, Fast Jan 01, :09:13 Jan 01, :00: Connection Lost Command line: show line history Figure 8: Output of the command line show line history PPP Point to point protocol consists of three layers: LCP Authentication IPCP LCP Link Control protocol or LCP is the first layer between the CPE and the core network. A number of configurable parameters are set at LCP layer. The CPE will send out a configure request and the core network will acknowledge or nak it To debug LCP, type in the following command lines. Command line: ++all 6 Command line: ++PPPLCP Command line: ++LCP The following sample shows the output of the above debug command line.

11 12:23:10 LCP Tx ppp-1: configure request id=[185] 12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx ppp-1: configure request id=[1] 12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :23:10 LCP Rx Opt = Magic Number, Len = 6, Value = b6 25 f :23:10 LCP Tx ppp-1: configure reject id=[1] 12:23:10 LCP Tx Opt = Magic Number, Len = 6, Value = b6 25 f :23:10 LCP Rx ppp-1: configure ack id=[185] 12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx ppp-1: configure request id=[2] 12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :23:10 LCP Tx ppp-1: configure ack id=[2] 12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c :23:10 lcp up ppp-1 12:23:10 PPP Debug LCP Layer Up Authentication During PPP negotiation PAP or CHAP authentication is used. PAP or password authentication is rarely used in the Virtual Access CPE configuration deployment. CHAP or Challenge Handshake Authentication Protocol is widely used in the VA CPE configuration deployment Once the Lick has established at LCP then the core network will either challenge the CPE or the CPE authenticates itself by sending the username and password To debug authentication, type in the following command lines. Command line: ++all 6 Command line: ++auth The following sample shows the output of the above debug command line. 12:23:10 CHAP rx i/f ppp-1: [Challenge] 12:23:10 PPP Debug Authenticate Request 12:23:10 CHAP tx i/f ppp-1: [Response] 12:23:11 LCP Tx ppp-1: echo request id=[187] 12:23:12 CHAP rx i/f ppp-1: [Success] 12:23:12 PPP Debug Authenticate ACK Received IPCP Internet protocol control protocol is the final layer of PPP.

12 To debug IPCP, type the following command lines. Command line: ++all 6 Command line: ++IPCP The following sample shows the output of the above debug command line. 12:23:12 IPCP tx ppp-1: configure request id=[188] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = :23:12 IPCP rx ppp-1: configure request id=[1] 12:23:12 IPCP rx Opt = Address, Len = 6, Value = :23:12 PPP Debug NCP IP Routing Reject 12:23:12 IPCP tx ppp-1: configure reject id=[1] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 LCP Tx ppp-1: echo request id=[189] 12:23:12 IPCP rx ppp-1: configure reject id=[188] 12:23:12 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = :23:12 IPCP tx ppp-1: configure request id=[190] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP rx ppp-1: configure request id=[2] 12:23:12 PPP Debug NCP Configuration ACK 12:23:12 IPCP tx ppp-1: configure ack id=[2] 12:23:12 LCP Rx ppp-1: echo reply id=[189] 12:23:12 IPCP rx ppp-1: configure nak id=[190] 12:23:12 IPCP rx Opt = Address, Len = 6, Value = :23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP tx ppp-1: configure request id=[191] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP rx ppp-1: configure ack id=[191] 12:23:12 IPCP rx Opt = Address, Len = 6, Value = :23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = :23:12 ncp up ppp-1 12:23:12 PPP Debug NCP Layer Up The following command lines show a sample debug of PPP. Command line: ++all 6 Command line: ++PPP Command line: ++PPPlcp Command line: ++auth Command line: ++IPCP The following sample shows the output of the above debug command line.

13 12:23:10 LCP Tx ppp-1: configure request id=[185] 12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx ppp-1: configure request id=[1] 12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :23:10 LCP Rx Opt = Magic Number, Len = 6, Value = b6 25 f :23:10 LCP Tx ppp-1: configure reject id=[1] 12:23:10 LCP Tx Opt = Magic Number, Len = 6, Value = b6 25 f :23:10 LCP Rx ppp-1: configure ack id=[185] 12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx ppp-1: configure request id=[2] 12:23:10 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :23:10 LCP Tx ppp-1: configure ack id=[2] 12:23:10 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :23:10 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c :23:10 lcp up ppp-1 12:23:10 PPP Debug LCP Layer Up 12:23:10 CHAP rx i/f ppp-1: [Challenge] 12:23:10 PPP Debug Authenticate Request 12:23:10 CHAP tx i/f ppp-1: [Response] 12:23:11 LCP Tx ppp-1: echo request id=[187] 12:23:12 CHAP rx i/f ppp-1: [Success] 12:23:12 PPP Debug Authenticate ACK Received 12:23:12 IPCP tx ppp-1: configure request id=[188] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = :23:12 IPCP rx ppp-1: configure request id=[1] 12:23:12 IPCP rx Opt = Address, Len = 6, Value = :23:12 PPP Debug NCP IP Routing Reject 12:23:12 IPCP tx ppp-1: configure reject id=[1] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 LCP Tx ppp-1: echo request id=[189] 12:23:12 IPCP rx ppp-1: configure reject id=[188] 12:23:12 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = :23:12 IPCP tx ppp-1: configure request id=[190] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP rx ppp-1: configure request id=[2] 12:23:12 PPP Debug NCP Configuration ACK 12:23:12 IPCP tx ppp-1: configure ack id=[2] 12:23:12 LCP Rx ppp-1: echo reply id=[189] 12:23:12 IPCP rx ppp-1: configure nak id=[190] 12:23:12 IPCP rx Opt = Address, Len = 6, Value =

14 12:23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP tx ppp-1: configure request id=[191] 12:23:12 IPCP tx Opt = Address, Len = 6, Value = :23:12 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :23:12 IPCP rx ppp-1: configure ack id=[191] 12:23:12 IPCP rx Opt = Address, Len = 6, Value = :23:12 IPCP rx Opt = Primary DNS Address, Len = 6, Value = :23:12 ncp up ppp-1 12:23:12 PPP Debug NCP Layer Up 12:23:13 LCP Tx ppp-1: echo request id=[192] 12:23:13 LCP Rx ppp-1: echo reply id=[192] 12:23:14 LCP Tx ppp-1: echo request id=[193] 12:23:14 LCP Rx ppp-1: echo reply id=[193] 12:23:15 LCP Tx ppp-1: echo request id=[194] 12:23:15 LCP Rx ppp-1: echo reply id=[194] 12:23:16 LCP Tx ppp-1: echo request id=[195] 12:23:16 LCP Rx ppp-1: echo reply id=[195] To check the status of PPP, type the following command. Command line: show ppp options ppp-1 The following command line shows a sample of the output of PPP status. LCP Configured MRU 1482 LCP Configured MRRU 1486 LCP Tx Accepted MRU 1500 LCP Tx Accepted MRRU 1486 LCP Rx Accepted MRU 1486 LCP Rx Accepted Authentication Protocol c22305 LCP Rx Accepted MRRU 1524 LCP Rx Accepted Endpoint Discriminator 01 6c 6e IPCP Configured Address IPCP Configured Primary DNS Address IPCP Configured Secondary DNS Address IPCP Tx Accepted Address IPCP Tx Accepted Primary DNS Address IPCP Tx Accepted Secondary DNS Address CCP Configured Stacker LZS Compression MLPPP Multilink PPP is the bonding of two or more ADSL lines. The most common issue is MRRU values that have not been configured correctly or the LNS not set up correctly, both of which are out of the scope of this document. To check the status of MLPPP, type the following command.

15 Command line: show stats mlppp all The following command line shows a sample of the output of MLPPP status.

16 Bundle Uptime: 001:19:20:40 (DDD:HH:MM:SS) Active links: 2 (2) Username: Endpoint Discriminator: 01 6c 6e Local MRRU: 1486 Remote MRRU: 1524 Transmitted Packets: Received Packets: Received Fragmented Packets: 0 Bundle Id: 1 Member Links: 2 Last Processed Seq: MRRU: 1524 MP header format: Long Total Pkts Tx / Rx: / Total Bytes Tx / Rx: / Total Frags Tx / Rx: / Single Frags Tx / Rx: / NULL Frags Tx / Rx: 0 / 0 Dropped Pkts Tx / Rx: 0 / 0 Non-MP Pkts Tx / Rx: / RX out of sequence frags: RX pkts discarded (frag loss): 0 RX frags discarded (frag loss): 0 RX pkts expired: RX pkts arrived too late: 3196 Maximum too late arrival(ms): 262 Sequence queue bypassed: Sequence queue overflow: 36 Link ppp-1 ppp-2 Bundle ID 1 1 Uptime (DDD:HH:MM:SS) 001:19:20:40 000:02:06:28 Last Received Seq Load Balance Bytes Tx Bytes Tx Bytes Rx Frags Tx Frags Rx Single Frags Tx Single Frags Rx NULL Frags Tx 0 0 NULL Frags Rx 0 0 Dropped Pkts Tx 0 0 Dropped Pkts Rx 0 0 Non-MP Pkts Tx

17 Non-MP Pkts Rx The following command lines show a sample debug of MLPPP. Command line: ++all 6 Command line: ++PPP Command line: ++PPPLCP Command line: ++auth Command line: ++IPCP Command line: ++MLPPP The following command line shows a sample of the output of MLPPP.

18 13:03:27 LCP Tx ppp-2: configure request id=[122] 13:03:27 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :03:27 POE link up ppp-2 13:03:28 LCP Rx ppp-2: configure request id=[6] 13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Rx Opt = Magic Number, Len = 6, Value = 5e f4 ef 4a 13:03:28 LCP Tx ppp-2: configure reject id=[6] 13:03:28 LCP Tx Opt = Magic Number, Len = 6, Value = 5e f4 ef 4a 13:03:28 LCP Rx ppp-2: configure ack id=[122] 13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Rx ppp-2: configure request id=[7] 13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Tx ppp-2: configure ack id=[7] 13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c :03:28 lcp up ppp-2 13:03:28 PPP Debug LCP Layer Up 13:03:28 PPP Debug Authenticate Request 13:03:28 LCP Tx ppp-1: echo request id=[140] 13:03:28 LCP Tx ppp-2: echo request id=[123] 13:03:28 LCP Rx ppp-1: echo reply id=[140] 13:03:28 LCP Rx ppp-2: echo reply id=[123] 13:03:28 LCP Rx ppp-2: configure request id=[1] 13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Rx Opt = Magic Number, Len = 6, Value = bd 73 3a f2 13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e :03:28 PPP Debug EPDM accepted 13:03:28 lcp down ppp-2 13:03:28 PPP Debug LCP Layer Down 13:03:28 LCP Tx ppp-2: configure request id=[124] 13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Tx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Tx Opt = MLPPP EPDM, Len = 15, Value = :03:28 LCP Tx ppp-2: configure reject id=[1] 13:03:28 LCP Rx ppp-2: configure nak id=[124] 13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 PPP Debug LCP NAK 13:03:28 LCP Tx ppp-2: configure request id=[125] 13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Tx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Tx Opt = MLPPP EPDM, Len = 15, Value = :03:28 LCP Rx ppp-2: configure request id=[2]

19 13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Rx Opt = Magic Number, Len = 6, Value = bd 73 3a f2 13:03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e :03:28 PPP Debug EPDM accepted 13:03:28 LCP Tx ppp-2: configure reject id=[2] 13:03:28 LCP Tx Opt = Magic Number, Len = 6, Value = bd 73 3a f2 13:03:28 LCP Rx ppp-2: configure ack id=[125] 13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Rx Opt = MLPPP EPDM, Len = 15, Value = :03:28 LCP Rx ppp-2: configure request id=[3] 13:03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e :03:28 PPP Debug EPDM accepted 13:03:28 LCP Tx ppp-2: configure nak id=[3] 13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Rx ppp-2: configure request id=[4] 13:03:28 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Rx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Rx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e :03:28 PPP Debug EPDM accepted 13:03:28 LCP Tx ppp-2: configure ack id=[4] 13:03:28 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :03:28 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c :03:28 LCP Tx Opt = MLPPP MRRU, Len = 4, Value = :03:28 LCP Tx Opt = MLPPP EPDM, Len = 7, Value = 01 6c 6e :03:28 lcp up ppp-2 13:03:28 PPP Debug LCP Layer Up 13:03:28 PPP Debug Authenticate Request 13:03:28 PPP Debug Authenticate ACK Received 13:03:28 MP (Link added): port 1 to bundle (id=1) 13:03:28 ncp up ppp-2 13:03:28 PPP Debug NCP Layer Up 13:03:29 LCP Tx ppp-1: echo request id=[141] 13:03:29 LCP Tx ppp-2: echo request id=[126] 13:03:29 LCP Rx ppp-1: echo reply id=[141] 13:03:29 LCP Rx ppp-2: echo reply id=[126] 2.2 3G modem Depending on the hardware model some Virtual Access routers have optional 3G modems. The most common issues are signal strength and SIM registration.

20 Depending on the provider, the SIM will be allocated a public or Private IP address which may or may not be reachable from the internet Signal strength Signal Strength Description > -113dBm, < -89 dbm Low signal strength - connection not reliable >= -89 dbm, < -69 dbm Medium signal strength - Good connection >= -69 dbm High signal strength - Excellent connection Table 1: Samples of signal strength and their values G status Depending on the hardware model, the modem interface will be assigned to either modem-0 or modem-1

21 Command line: show modem interface status modem-0 Modem state: Activated Connected: Yes Call state: Connected GSM status SIM status: Ready Signal quality: -63 dbm Network registration: Registered - home network GPRS network registration: Registered - home network Operator: vodafone IE Operator selection: Automatic Radio access technology: UMTS: HSDPA IMEI: Mobile country code: 272 Mobile network code: 01 Location area code: 0BCC Cell identifier: 000AA787 Active SIM: SIM1 IMSI: ICCID: Scrambling Code: Not known or not detectable RSCP: Not known or not detectable Ec/Io: Not known or not detectable SIM switch enabled: No Automatic reset enabled: No Number of resets: 0 Number of remote disconnects: 0 The following command lines show a sample debug of 3G. Command line: ++all 6 Command line: ++modem Command line: ++PPP Command line: ++PPPLCP Command line: ++Auth Command line: ++IPCP The following command line shows a sample of the output of GM status.

22 04:16:23 Modem Tx: AT+CGREG?;+CREG?;+CSQ;+COPS=3,0;+COPS?;+COPS=3,2;+COPS? 04:16:23 Modem Rx: AT+CGREG?;+CREG?;+CSQ;+COPS=3,0;+COPS?;+COPS=3,2;+COPS? 04:16:23 Modem Rx: +CGREG: 2,1,"0BCC","000AA787",4 04:16:23 Modem Rx: +CREG: 0,1 04:16:23 Modem Rx: +CSQ: 25,99 04:16:23 Modem Rx: +COPS: 0,0,"vodafone IE",2 04:16:23 Modem Rx: +COPS: 0,2,"27201",2 04:16:23 Modem Rx: OK 04:16:26 modem-0: Connecting GPRS/UMTS () 04:16:26 Modem Tx: AT+CPIN? 04:16:26 Modem Rx: AT+CPIN? 04:16:26 Modem Rx: +CPIN: READY 04:16:26 Modem Rx: OK 04:16:26 modem-0: SIM ready 04:16:26 Modem Tx: AT+CGDCONT=1,"IP","" 04:16:26 Modem Rx: AT+CGDCONT=1,"IP","" 04:16:26 Modem Rx: OK 04:16:26 Modem Tx: ATD*99# 04:16:26 Modem Rx: ATD*99# 04:16:27 Modem Rx: CONNECT 04:16:27 LCP Tx ppp-1: configure request id=[17] 04:16:27 LCP Tx Opt = Async Control Character Map, Len = 6, Value = :16:27 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :16:27 LCP Tx Opt = Protocol Field Compression, Len = 2, Value = none 04:16:27 modem-0: Outgoing call connected 04:16:27 LCP Rx ppp-1: configure request id=[1] 04:16:27 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :16:27 LCP Rx Opt = Address and Control Field Compression, Len = 2, Value = 04:16:27 LCP Rx Opt = Protocol Field Compression, Len = 2, Value = none 04:16:27 LCP Rx Opt = Async Control Character Map, Len = 6, Value = :16:27 LCP Rx Opt = Magic Number, Len = 6, Value = f :16:27 LCP Tx ppp-1: configure reject id=[1] 04:16:27 LCP Tx Opt = Address and Control Field Compression, Len = 2, Value = 04:16:27 LCP Tx Opt = Protocol Field Compression, Len = 2, Value = none 04:16:27 LCP Tx Opt = Async Control Character Map, Len = 6, Value = :16:27 LCP Tx Opt = Magic Number, Len = 6, Value = f :16:27 LCP Rx ppp-1: configure request id=[2] 04:16:27 LCP Rx Opt = Authentication Protocol, Len = 5, Value = c :16:27 LCP Tx ppp-1: configure ack id=[2] 04:16:27 LCP Tx Opt = Authentication Protocol, Len = 5, Value = c :16:30 LCP Tx ppp-1: configure request id=[18] 04:16:30 LCP Tx Opt = Async Control Character Map, Len = 6, Value = :16:30 LCP Tx Opt = Maximum Receive Unit, Len = 4, Value = :16:30 LCP Tx Opt = Protocol Field Compression, Len = 2, Value = none 04:16:30 LCP Rx ppp-1: configure ack id=[18]

23 04:16:30 LCP Rx Opt = Async Control Character Map, Len = 6, Value = :16:30 LCP Rx Opt = Maximum Receive Unit, Len = 4, Value = :16:30 LCP Rx Opt = Protocol Field Compression, Len = 2, Value = none 04:16:30 lcp up ppp-1 04:16:30 PPP Debug LCP Layer Up 04:16:30 CHAP rx i/f ppp-1: [Challenge] 04:16:30 PPP Debug Authenticate Request 04:16:30 CHAP tx i/f ppp-1: [Response] 04:16:30 CHAP rx i/f ppp-1: [Success] 04:16:30 PPP Debug Authenticate ACK Received 04:16:30 IPCP tx ppp-1: configure request id=[19] 04:16:30 IPCP tx Opt = Address, Len = 6, Value = :16:30 IPCP tx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01 04:16:30 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :16:30 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = :16:30 Modem Rx: *EPSB: 3 04:16:32 Modem Rx: *EPSB: 5 04:16:32 Modem Rx: *EPSB: 6 04:16:33 IPCP tx ppp-1: configure request id=[20] 04:16:33 IPCP tx Opt = Address, Len = 6, Value = :16:33 IPCP tx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01 04:16:33 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :16:33 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = :16:33 IPCP rx ppp-1: configure request id=[1] 04:16:33 PPP Debug NCP Configuration ACK 04:16:33 IPCP tx ppp-1: configure ack id=[1] 04:16:33 IPCP rx ppp-1: configure nak id=[20] 04:16:33 IPCP rx Opt = Address, Len = 6, Value = :16:33 IPCP rx Opt = Primary DNS Address, Len = 6, Value = :16:33 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = :16:33 IPCP tx ppp-1: configure request id=[21] 04:16:33 IPCP tx Opt = Address, Len = 6, Value = :16:33 IPCP tx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01 04:16:33 IPCP tx Opt = Primary DNS Address, Len = 6, Value = :16:33 IPCP tx Opt = Secondary DNS Address, Len = 6, Value = :16:33 IPCP rx ppp-1: configure ack id=[21] 04:16:33 IPCP rx Opt = Address, Len = 6, Value = :16:33 IPCP rx Opt = Compression Protocol, Len = 6, Value = 00 2d 0f 01 04:16:33 IPCP rx Opt = Primary DNS Address, Len = 6, Value = :16:33 IPCP rx Opt = Secondary DNS Address, Len = 6, Value = :16:33 ncp up ppp-1 04:16:33 PPP Debug NCP Layer Up

24 2.3 PSTN modem Some Virtual Access routers have a PSTN modem, which by default is configured to allow dial in access or out of band management. The modem interface is assigned to a configured PPP interface and the same PPP debugging will apply. Some common faults are incorrect cabling or disconnected cables, PSTN fault and micro filter faults. These can lead to a slow speed connection in which the router will not be contactable due to the poor quality of the line. The following command lines show a sample debug of PSTN modem. Command line: ++all 6 Command line: ++modem Command line: ++PPP Command line: ++PPPLCP Command line: ++Auth Command line: ++IPCP super> connect p1 The following shows a sample of the output of PSTN modem.

25 13:18:48 Modem: Dial ( ) 13:18:48 Modem Tx: atv0w2e0 Connect initiated successfully 13:18:48 Modem Rx: 0 13:18:48 Modem Tx: ats7=30dt :19:19 Modem Rx: 84 13:19:19 LCP Tx ppp-1: configure request id=[189] 13:19:19 Modem: Outgoing Call Connected bps 13:19:21 LCP Tx ppp-1: configure request id=[190] 13:19:21 LCP Rx ppp-1: configure request id=[8] 13:19:21 LCP Tx ppp-1: configure ack id=[8] 13:19:21 LCP Rx ppp-1: configure ack id=[190] 13:19:21 lcp up ppp-1 13:19:21 PPP Debug LCP Layer Up 13:19:21 IPCP tx ppp-1: configure request id=[191] 13:19:21 IPCP rx ppp-1: configure request id=[9] 13:19:21 IPCP rx Opt = Address, Len = 6, Value = :19:21 PPP Debug NCP NAK 13:19:21 IPCP tx ppp-1: configure nak id=[9] 13:19:21 IPCP tx Opt = Address, Len = 6, Value = :19:21 IPCP rx ppp-1: configure ack id=[191] 13:19:22 IPCP rx ppp-1: configure request id=[10] 13:19:22 IPCP rx Opt = Address, Len = 6, Value = :19:22 PPP Debug NCP Configuration ACK 13:19:22 IPCP tx ppp-1: configure ack id=[10] 13:19:22 IPCP tx Opt = Address, Len = 6, Value = :19:22 ncp up ppp-1 13:19:22 PPP Debug NCP Layer Up

26 3: IPSec 3 IPSec 3.1 Phase I A hybrid protocol called Internet Key exchange (IKE) establishes and maintains unidirectional communication in an IPSec environment. Phase I establishes IKE. There are two ways of implementing Phase I: Main mode Aggressive mode Main mode Most common use of main mode is when both ends of the tunnel are using fixed IP addresses. In main mode, a secure channel is established by sending three packets of data from the initiator and three from the responder. The most common failures for main mode messages between 1 and 4 are: Remote peer not configured to accept VPN negotiations Differing exchange types DH group mismatch Encryption Algorithms are wrong The most common failure for main mode messages 5 and 6 are Pre-shared keys not matching The following command lines show a sample debug of Phase I. Command line: ++all 6 Command line: ++ike The following shows a sample of the output of Phase I debug.

27 3: IPSec 17:32:45 IKE: MM Msg1 sent for policy 1 17:32:45 IKE: MM Msg2 received for policy 1 17:32:45 IKE: Vendor VA1 17:32:45 IKE: Vendor DPD 17:32:45 IKE: MM Msg3 sent for policy 1 17:32:45 IKE: MM msg4 received for policy 1 17:32:45 IKE: Vendor VA1 17:32:45 IKE: Vendor DPD 17:32:45 IKE: ID: IPv4 address, :32:45 IKE: Diffie-Hellman negotiated, MM Msg 5 sent for policy 1 17:32:46 IKE: MM Msg6 received for policy 1 17:32:46 IKE: ID: IPv4 address, :32:46 IKE: Main Mode completed for policy 1 Aggressive mode Most common use of main mode is when one end of the tunnel is using fixed IP addresses and the other is dynamic In aggressive mode, a secure channel is established by sending two packets of data from the initiator and three from the responder. This is faster than main mode, but also less secure The most common failures for aggressive mode messages between 1 and 4 are: Remote peer not configured to accept VPN negotiations Differing exchange types DH group mismatch Encryption algorithms are wrong The most common failure for aggressive mode messages 5 and 6 are pre-shared keys not matching PFS Perfect Forward Secrecy (PFS) is a means of generating new keys that are unrelated to previously used keys. This means that if an unauthorized party cracks one key, they have no basis for cracking the next one used. To increase security, Virtual Access routers support PFS and automatically changes keys regularly. 3.2 Phase II Phase II establishes the encryption domains and is configured using SPD policies. When Phase I is completed, the IPSec connection automatically moves on to Phase II. If any further failures occur the issue lies with Phase II settings.

28 3: IPSec In Phase II, when quick mode message 1 is received by the responder it will always state the subnet which is set in the packet it receives. This is useful as it will mean that the verification of SPD Subnet Addresses is easy. The most common failures for SPD within Phase II are: Security protocol does not match ESP authentication set to no on one side of the tunnel Difference in Encryption Algorithms setting Difference in Addresses in SPD apply polices The following command lines show a sample debug of Phase II Command line: ++all 6 Command line: ++SPD The following command line shows a sample of the output of phase II debug. 17:32:46 IKE: Sending initial contact 17:32:46 IKE: ID: IPv4 address, :32:46 IKE: ID: IPv4 address, :32:46 IKE: QM Msg1 sent for policy 1 17:32:46 IKE: QM Msg 2 received for policy 1 17:32:46 IKE: ID: IPv4 address, :32:46 IKE: ID: IPv4 address, :32:46 IKE: QM Msg3 sent for policy 1 17:32:46 SPD: Phase 2 tunnel up for spd policy 1 17:32:46 IKE: Quick Mode completed for policy 1 17:32:46 Link up 01-VPN-IKE1 Src= Dest=

29 4: Port forwarding 4 Port forwarding 4.1 Port forwarding using CLI Port forwarding can be configured under the incoming address translation table. To check to see if port forwarding is enabled, type the following command line and check the output is the same as the sample below. Command line: show IPAT incoming all The following shows a sample of the output of port forwarding enabled. Entry Interface Prot Local host Port Gateway address Port ppp-1 UDP ppp-1 UDP ppp-1 TCP ppp-1 TCP ppp-1 TCP ppp-1 TCP Port forwarding using the web interface To enable port forwarding using the webs interface, from the Start page, click Advanced>expert view>system>ip>address translation>table. Configure the target WAN interface, port number and LAN interface and port number.