At one site, an MSR36 is used as the LNS-side device for L2TP dial-up, and the customer reports that dial-up never succeeds.
1. First, check the relevant L2TP configuration; no obvious errors were found:
# Create the local PPP user vpdnuser and set its password to Hello.
<LNS> system-view
[LNS] local-user vpdnuser class network
[LNS-luser-network-vpdnuser] password cipher $c$3$S3wwvYm3Vlqvai8ca+sDr+Y2n/ojwEJlZA==
[LNS-luser-network-vpdnuser] service-type ppp
[LNS-luser-network-vpdnuser] quit
# Configure ISP domain system to use local authentication for PPP users.
[LNS] domain system
[LNS-isp-system] authentication ppp local
[LNS-isp-system] quit
# Enable L2TP.
[LNS] l2tp enable
# Configure the PPP address pool.
[LNS] ip pool aaa 192.168.0.10 192.168.0.20
[LNS] ip pool aaa gateway 192.168.0.1
# Create interface Virtual-Template1, set the PPP authentication mode to CHAP, and use address pool aaa to assign IP addresses to the client.
[LNS] interface virtual-template 1
[LNS-virtual-template1] ppp authentication-mode chap domain system
[LNS-virtual-template1] remote address pool aaa
[LNS-virtual-template1] quit
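# Create L2TP group 1 in LNS mode, set the local tunnel name to LNS, specify VT1 as the virtual template interface that receives calls, and set the tunnel peer name to LAC.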
[LNS] l2tp-group 1 mode lns
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] mandatory-lcp
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
# Enable tunnel authentication and set the tunnel authentication key to aabbcc.
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher $c$3$EStTgOsOePuaX7Tqde9j92pLGni+sNh0yA==
[LNS-l2tp1] quit
2. Collect debug output to see how the exchange proceeds:
*Aug 03 09:24:23:354 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Recv data Len = 38
*Aug 03 09:24:23:354 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 4
*Aug 03 09:24:23:354 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Received a SCCRQ or StopCCN, sending it to the upper layer
*Aug 03 09:24:23:354 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 4
*Aug 03 09:24:23:354 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=0 tunnel ID=4 MsgType = 4 Length = 38
*Aug 03 09:24:23:355 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Proc a control message from the peer: type=4, len = 38
*Aug 03 09:24:23:452 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Recv data Len = 65
*Aug 03 09:24:23:452 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 1
*Aug 03 09:24:23:452 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Received a SCCRQ or StopCCN, sending it to the upper layer
*Aug 03 09:24:23:452 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 1
*Aug 03 09:24:23:452 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=0 tunnel ID=0 MsgType = 1 Length = 65
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Proc a control message from the peer: type=1, len = 65
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv SCCRQ when in state 1 from 115.168.112.133
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Checked SCCRQ MSG TYPE = 1
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Protocol version: 100
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Framing capability : 1
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Host name, value: fjlac
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel password of the L2TP group: ******
*Aug 03 09:24:23:523 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Remote call number, value: 6320
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP receive window size, value: 20
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: START_CONTROL_CONNECTION_REPLY
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Protocol version: 100
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Framing capability :3
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Host name: fjpost
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Assigned Tunnel ID: 1
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Bearer capability: 3
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Receive window size: 20
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Challenge :D8 57 40 A7 BA 6F F7 87 25 DE 32 C8 FE 8C 29 94
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 sent control (SendUp & RcvLow): Ns (0) Nr (1)
*Aug 03 09:24:23:598 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 first ctrl in send window, started ack timer
*Aug 03 09:24:23:598 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 sent SCCRP to Tunnel 6320
*Aug 03 09:24:23:598 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 started the Hello timer (60 seconds)
*Aug 03 09:24:23:620 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Recv data Len = 42
*Aug 03 09:24:23:643 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 3
*Aug 03 09:24:23:643 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=0 tunnel ID=1 MsgType = 3 Length = 42
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Proc a control message from the peer: type=3, len = 42
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1: flow ctrl msg: Ns (1) Nr (1) from the peer
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 (SendLow=0 SendUp=1) proc ack Nr=1 from the peer
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 recv a proper ACK: Nr(1) and cleared the acked packet
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 send window empty. ACK timer turned off
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv SCCCN when in state 3
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 started the Hello timer (60 seconds)
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Checked SCCCN MSG TYPE = 3
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Challenge response F0 7F 22 37 23 3D A1 5B 4D 47 9E 34 C8 10 20 30
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: CHAP response failed the authentication
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Challenge: D8 57 40 A7 BA 6F F7 87 25 DE 32 C8 FE 8C 29 94
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Challenge ID: 3
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Challenge secret: $c$3$4LHbOZfBGIM+y4qMelY222+JsUSd4wGWkA==
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Challenge length: 16
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Response should be : BC 49 73 C7 C2 52 C5 8B 85 9B 2E FD 1B A4 AC 97
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Calls on tunnel 1 cleared because 1
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 sent StopCCN to Tunnel 6320
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: STOP_CONTROL_CONNECTION_NOTIFICATION
*Aug 03 09:24:23:689 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Assigned Tunnel ID: 1
*Aug 03 09:24:23:689 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Result code: RESULT_GENERAL_ERROR
*Aug 03 09:24:23:689 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 sent control (SendUp & RcvLow): Ns (1) Nr (2)
*Aug 03 09:24:23:689 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Tunnel 1 first ctrl in send window, started ack timer
*Aug 03 09:24:23:974 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Cleared Tunnel remote ID:6320, local ID:1
*Aug 03 09:24:23:995 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Recv data Len = 12
*Aug 03 09:24:24:105 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Received ctrl message is ZLB, discard it
*Aug 03 09:24:24:126 2017 ZCSW L2TP/7/L2TDBG: L2TP_PAYLOAD: Recv data Len = 69
*Aug 03 09:24:24:231 2017 ZCSW L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 10
*Aug 03 09:24:24:335 2017 ZCSW L2TP/7/L2TDBG: L2TP_ERROR:Failed to get the descriptor for this ctrl message
*Aug 03 09:24:24:577 2017 ZCSW L2TP/7/L2TDBG: because the message isn't SCCRQ or StopCCN. The message was discarded
3. Searching for keywords such as fail and error turns up the following errors:
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: CHAP response failed the authentication
*Aug 03 09:24:24:335 2017 ZCSW L2TP/7/L2TDBG: L2TP_ERROR:Failed to get the descriptor for this ctrl message
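4. In NAS-Initiated mode, an L2TP tunnel is established as follows:
(1) The remote system Host A places a call, requesting a connection.
(2) Host A and the LAC (Device A) perform PPP LCP negotiation.
(3) The LAC performs PAP or CHAP authentication on the PPP user information provided by Host A.
(4) The LAC sends the authentication information (username and password) to the RADIUS server for authentication.
(5) The RADIUS server authenticates the user and returns the result.
(6) If authentication succeeds and the user is identified as an L2TP user based on the username or the user's ISP domain, the LAC sends an L2TP tunnel setup request to the LNS (Device B).
(7) If the tunnel must be authenticated, the LAC and the LNS each send a CHAP challenge to verify the other's identity. Once tunnel authentication passes, the L2TP tunnel between the LAC and the LNS is established.
(8) The LAC and the LNS negotiate an L2TP session over the L2TP tunnel.
(9) The LAC passes the PPP user information and PPP negotiation parameters to the LNS.
(10) The LNS sends the authentication information to the RADIUS server for authentication.
(11) The RADIUS server authenticates the user and returns the result.
(12) After authentication succeeds, the LNS assigns Host A an IP address from the enterprise's internal network.
(13) Once it has an IP address, the PPP user can access internal enterprise resources through Host A.
In steps (12) and (13), the LAC forwards packets between Host A and the LNS. Host A and the LAC exchange PPP data frames; the LAC and the LNS exchange L2TP data packets.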
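5. The first error indicates that the failure occurred in step (7), the tunnel authentication phase. Because the key cannot be read from the configuration text, we reconfigured the key on both ends as aabbcc for testing, and found that dial-up could then be established normally.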
[ZCSW-l2tp1] tunnel password simple aabbcc
[LAC-l2tp1] tunnel password simple aabbcc
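The tunnel authentication check from step (7) that the debug output reports as failed, as an added Python example (not H3C's code and not part of the original case). It assumes the RFC 2661 calculation, MD5 over the message type (3 for SCCCN, the "Challenge ID: 3" in the log), the shared secret and the challenge; the four log lines are copied from the debug output above, and the secrets are constructed placeholders.

```python
import hashlib
import hmac
import re

# Four lines copied from the debug output on this page.
LOG = """\
*Aug 03 09:24:23:589 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Challenge :D8 57 40 A7 BA 6F F7 87 25 DE 32 C8 FE 8C 29 94
*Aug 03 09:24:23:662 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Challenge response F0 7F 22 37 23 3D A1 5B 4D 47 9E 34 C8 10 20 30
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Challenge ID: 3
*Aug 03 09:24:23:665 2017 ZCSW L2TP/7/L2TDBG: L2TP_CONTROL: Response should be : BC 49 73 C7 C2 52 C5 8B 85 9B 2E FD 1B A4 AC 97
"""

HEX16 = r"((?:[0-9A-F]{2} ?){16})"  # sixteen space-separated hex octets
PATTERNS = {
    "challenge": r"Put AVP Challenge\s*:\s*" + HEX16,       # sent by the LNS in SCCRP
    "received": r"Parse AVP Challenge response\s*" + HEX16,  # sent by the LAC in SCCCN
    "expected": r"Response should be\s*:\s*" + HEX16,        # computed locally by the LNS
}

def parse_debug(log: str) -> dict:
    """Extract the challenge, both responses and the CHAP ID from debug text."""
    out = {k: bytes.fromhex(re.search(p, log).group(1)) for k, p in PATTERNS.items()}
    out["id"] = int(re.search(r"Challenge ID:\s*(\d+)", log).group(1))
    return out

def chap_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 tunnel authentication: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def secret_matches(secret: bytes, fields: dict, which: str) -> bool:
    """True if `secret` reproduces the logged 'received' or 'expected' response."""
    calc = chap_response(fields["id"], secret, fields["challenge"])
    return hmac.compare_digest(calc, fields[which])

def simulate(lns_secret: bytes, lac_secret: bytes, challenge: bytes) -> bool:
    """LNS-side check of the SCCCN (message type 3) sent by the LAC."""
    from_lac = chap_response(3, lac_secret, challenge)
    return hmac.compare_digest(from_lac, chap_response(3, lns_secret, challenge))

if __name__ == "__main__":
    f = parse_debug(LOG)
    print("logged responses equal:", f["received"] == f["expected"])
    # Constructed placeholder secrets, not values from the page.
    print("mismatched secrets:", simulate(b"lns-secret", b"lac-secret", f["challenge"]))
    print("matching secrets:  ", simulate(b"same-secret", b"same-secret", f["challenge"]))
```

With the key you believe is configured, secret_matches(key, fields, "expected") tests it against the LNS's own calculation and secret_matches(key, fields, "received") against what the LAC sent, which shows which end holds a different key.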
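Resolved by changing the tunnel password on both ends.
Dial-up services depend on the keys on both ends matching, but this cannot be checked from the text configuration. If dial-up fails, first delete the keys on both ends, reconfigure them to the same value, and observe; if it still fails, collect debug output to examine the exchange.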