Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

ISIS Export Policies (Policy-Options)

  • 1.  ISIS Export Policies (Policy-Options)

     
    Posted 11-08-2017 08:44

    Hi,

     

    Set up: 

    Laptop -> Cisco 1841 (PPP PAP client) -> Cisco 1841 (LAC) -> Juniper MX240 (LNS) -> MX240 (Core) -> SRX1500 -> RADIUS

     

    When powering up all the devices I get an L2TP tunnel and authentication accept from the RADIUS. No problem there. When I look at the routing table on the Core MX I can see all routes from the RADIUS back to the LNS and I can ping everywhere, except for the client address issued to the PPP interface on the PAP client. With a "show ip int brief" I can see the allocation of the address from the pool configured on the LNS. So, to get around this issue, I configured a static route on the MX240 (LNS) pointing to the network with a next-hop address of the tunnel interface. I then configured a routing-policy that had an accept/reject term associated.

    Strangely, even though the authentication still worked and the PAP client still had the IP address assigned (showing connectivity in both directions from the PAP client to the RADIUS), there were routes suddenly missing on the MX240 Core: the route for the PAP PPP client was now there and could be pinged, but now the routes for the MX240 LNS loopback and tunnel interface were missing, even though the L2TP still worked. I tried this with the following two methods:

     

    set policy-options policy-statement term 1 from instance master

     

    ISIS Traceoptions showed routes were being rejected because of this.... So I then tried:

     

    set policy-options policy-statement term 1 from instance inet.0

     

    This seemed to cause the same issue.... very strange behaviour and I am hoping someone can tell me the best way forward to advertise a network at the far end on the client, so I can test IPv6 to IPv4 and vice versa.... I can't do this until I can advertise the networks.....

     

    Thanks

     



  • 2.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-08-2017 09:23

    As an add on to this, with a little more information......

     

    I believe that the required network advertisements will take place via BGP once it is configured, but I cannot do that yet until it is connected to the secondary ISP (Wholesale) and I don't want to do that until tested. I can get another 1841 and see if I can configure BGP on it and advertise the networks..... see what happens from there....

     

     



  • 3.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-09-2017 19:12

    Hi,

     

    For every PPP subscriber terminating on the LNS there will be an access-internal route. We redistribute it using an export policy.

    Not sure why you need instance master for redistributing subscriber routes to the core.

    Suppose we have 16k subscribers terminating on the LNS. Redistributing 16k access-internal routes is not an ideal solution, as it can cause CPU-related issues due to frequent login/logout of subscribers. In this scenario we use an aggregate route and redistribute the subscriber aggregate, since the access-internal routes will be contributing routes.

     

    Note: For a network behind the subscriber, we use a framed-route. This is pushed via RADIUS during subscriber login. The framed-route creates an access route, which is redistributed in the same way as access-internal.

     

    An example is shown below:

     

    "Framed-Route" = "X.X.X.0/24 1 tag 66 distance 10"
     
    X.X.X.X/32      *[Access-internal/12] 00:00:31
                          Private unicast
    X.X.X.0/24      *[Access/10] 00:00:31, metric 1, tag 66
                          Private unicast

     

    Regards,

    Rahul N
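As an added example (the editor's, not Rahul's or Juniper's code), the following Python reads `show route` output in the two-line layout shown above and works out which access-internal routes a single aggregate for the pool would replace, which framed (Access) routes still need their own export term, and which subscriber routes fall outside the pool and would disappear from the core's view once only the aggregate is exported. The sample routes and the helper names are constructed; the pool prefix is the 192.168.85.0/24 pool configured elsewhere in this thread.

```python
"""Added example (editor's, not from the thread): classify per-subscriber
routes in Junos `show route` output against the address pool so the impact
of exporting one aggregate instead of every access-internal route is clear
before the export policy is changed."""
import ipaddress
import re

# Constructed sample in the layout the post shows: a prefix line with
# "*[Protocol/preference] age", then an indented next-hop line.
SAMPLE_SHOW_ROUTE = """\
192.168.85.1/32    *[Access-internal/12] 00:00:31
                      Private unicast
192.168.85.2/32    *[Access-internal/12] 00:03:10
                      Private unicast
192.168.85.3/32    *[Access-internal/12] 00:07:44
                      Private unicast
192.168.86.7/32    *[Access-internal/12] 00:01:02
                      Private unicast
10.20.30.0/24      *[Access/10] 00:00:31, metric 1, tag 66
                      Private unicast
195.80.0.253/32    *[Direct/0] 3d 02:11:09
                    > via lo0.0
"""

# A route line starts in column 0 with the prefix; continuation lines are indented.
ROUTE_RE = re.compile(r"^(?P<prefix>\S+)\s+\*?\[(?P<proto>[A-Za-z-]+)/(?P<pref>\d+)\]")


def parse_routes(text):
    """Return [(network, protocol, preference), ...] for every route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]), m["proto"], int(m["pref"])))
    return routes


def plan_aggregate(text, pool):
    """Classify subscriber routes against the address pool.

    Returns the aggregate prefix, the access-internal routes that would
    contribute to it (hidden behind one IS-IS advertisement), the framed
    (Access) routes that still need an explicit export term, and any
    access-internal routes outside the pool, which the aggregate would not
    cover and the core would therefore lose."""
    pool = ipaddress.ip_network(pool)
    contributing, framed, outside = [], [], []
    for prefix, proto, _pref in parse_routes(text):
        if proto == "Access-internal":
            inside = prefix.version == pool.version and prefix.subnet_of(pool)
            (contributing if inside else outside).append(str(prefix))
        elif proto == "Access":
            framed.append(str(prefix))
    return {
        "aggregate": str(pool),
        "contributing": contributing,
        "framed_routes": framed,
        "outside_pool": outside,
    }


if __name__ == "__main__":
    for key, value in plan_aggregate(SAMPLE_SHOW_ROUTE, "192.168.85.0/24").items():
        print(f"{key}: {value}")
```

The `outside_pool` list is the check worth running before switching to an aggregate: the core then learns only the aggregate, so any subscriber address outside it (a second pool, or a RADIUS-assigned address) loses reachability unless it is exported separately, and the framed routes from RADIUS Framed-Route still need their own accept term (for instance matched on their tag).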

     



  • 4.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-10-2017 01:24

    Hi Rahul,

     

    Our end resolution, as we have already discussed, is that we will supply the CPE (or CE) with the following configuration:

     

    CE to Provider Edge -- IPv6

    CE facing customer circuits - IPv6 and IPv4

     

    So, given the above, what we are going to be testing is connectivity from a pure IPv6 client to an IPv4-only client at the far end and vice versa.

     

    I took the code from the Juniper website and changed it slightly to suit our needs. The weird thing is, even though the routes don't seem to exist, I can still ping the address. I will take some screenshots and post here.

     

    Thanks for the other information Rahul... much appreciated as always.

     

    Thanks



  • 5.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-10-2017 08:51

    Hi Rahul,

     

    Strangely all the routes have come back now....

    As mentioned, I need to test IPv6 and as such have changed my pool address assignment from IPv4 to IPv6 as per below:

     

    I removed these commands:

    delete access address-assignment pool POOL family inet network 192.168.85.0/24
    delete access address-assignment pool POOL family inet range lns low 192.168.85.1
    delete access address-assignment pool POOL family inet range lns high 192.168.85.254

     

    And replaced the pool with:

    set access address-assignment pool POOL family inet6 prefix 2a05:d840:0100::/48
    set access address-assignment pool POOL family inet6 range lns low 2a05:d840:0100:ffff:ffff:ffff:0000:0001/48
    set access address-assignment pool POOL family inet6 range lns high 2a05:d840:0100:ffff:ffff:ffff:0000:0050/48

     

    No IP address is being assigned to the PPP client.... any idea why please Rahul?

     

    Thanks

     

    Clive



  • 6.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-10-2017 09:02

    Here is my current configuration. Juniper does not make the IPv6 configuration clear in its website reference:

     

    set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
    set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix next-hop "$junos-framed-route-nexthop"
    set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix metric "$junos-framed-route-cost"
    set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access route $junos-framed-route-ip-address-prefix preference "$junos-framed-route-distance"
    set dynamic-profiles dyn-hex-lns-profile routing-instances "$junos-routing-instance" routing-options access-internal route $junos-subscriber-ip-address qualified-next-hop "$junos-interface-name"
    set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options l2tp-interface-id l2tp-encapsulation
    set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" dial-options dedicated
    set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" no-traps
    set dynamic-profiles dyn-hex-lns-profile interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"


    set system services subscriber-management enable

    set chassis fpc 1 pic 2 tunnel-services bandwidth 1g
    set chassis fpc 1 pic 2 inline-services bandwidth 1g
    set chassis fpc 1 pic 2 max-queues-per-interface 8
    set chassis network-services enhanced-ip
    set services l2tp tunnel-group LAC l2tp-access-profile l2tp-profile
    set services l2tp tunnel-group LAC aaa-access-profile aaa-profile
    set services l2tp tunnel-group LAC local-gateway address 195.80.0.29
    set services l2tp tunnel-group LAC service-device-pool lns
    set services l2tp tunnel-group LAC dynamic-profile dyn-hex-lns-profile
    set services l2tp traceoptions file ninel2tp
    set services l2tp traceoptions file size 100m
    set services l2tp traceoptions level all
    set services l2tp traceoptions flag all
    set services service-device-pools pool lns interface si-1/2/0


    set interfaces si-1/2/0 hierarchical-scheduler maximum-hierarchy-levels 2
    set interfaces si-1/2/0 encapsulation generic-services
    set interfaces si-1/2/0 unit 0 family inet
    set interfaces si-1/2/0 unit 0 family inet6


    set protocols ppp-service traceoptions file jpppd
    set protocols ppp-service traceoptions file size 800m
    set protocols ppp-service traceoptions file files 15
    set protocols ppp-service traceoptions level all
    set protocols ppp-service traceoptions flag all
    set policy-options policy-statement export-statics term 1 from protocol static
    set policy-options policy-statement export-statics term 1 then accept
    set access group-profile l2tp-group-profile ppp idle-timeout 200
    set access group-profile l2tp-group-profile ppp ppp-options pap
    set access group-profile l2tp-group-profile ppp ppp-options mtu 1430
    set access group-profile l2tp-group-profile ppp keepalive 30
    set access group-profile l2tp-group-profile ppp primary-dns 8.8.8.8
    set access group-profile l2tp-group-profile ppp secondary-dns 8.8.4.4
    set access profile l2tp-profile client 21HEX l2tp maximum-sessions-per-tunnel 4000
    set access profile l2tp-profile client 21HEX l2tp interface-id l2tp-encapsulation
    set access profile l2tp-profile client 21HEX l2tp shared-secret "$9$uQmC0EyMWxdwgX7gJUH5T9Ap0RhylK8xN"
    set access profile l2tp-profile client 21HEX user-group-profile l2tp-group-profile
    set access profile aaa-profile authentication-order radius
    set access profile aaa-profile radius authentication-server 172.16.16.36
    set access profile aaa-profile radius-server 172.16.16.36 secret "$9$NS-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"
    set access address-assignment pool POOL family inet6 prefix 2a05:d840:0100::/48
    set access address-assignment pool POOL family inet6 range lns low 2a05:d840:0100:ffff:ffff:ffff:0000:0001/48
    set access address-assignment pool POOL family inet6 range lns high 2a05:d840:0100:ffff:ffff:ffff:0000:0050/48

     

    There are a couple of commands that could be changed, I believe. Like the unnumbered command... should that be changed to an inet6 command reference?

     

    Thanks

     

     



  • 7.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-10-2017 18:18

    Hi,

     

    You need the following configuration to bring IPv6 up. I hope you're requesting only the NDRA prefix.

     

    Define family IPv6 and RA under the dynamic-profile.

     

    LNS# show dynamic-profiles dyn-lns-profile | no-more
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;
                }
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }

     

    Define an IPv6 address matching the pool under lo0 as a /128.

     

    Define the NDRA prefix pool under the access stanza.

     

    {master}[edit access]
    LNS# show
     address-assignment {
        neighbor-discovery-router-advertisement POOL

     

    Regards,

    Rahul



  • 8.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 01:52

    Hi Rahul,

     

    As always, your help is brilliant.....

     

    There is a problem with the configuration supplied, or there is on my system anyway..... where you have said to set the NDRA, as follows:

     

    set protocols router-advertisement interface $junos-interface-name prefix $junos-ipv6-ndra-prefix

     

    It does not like this command because after the "prefix" keyword it is expecting an actual prefix or host name, so the error I get is as follows:

     

    [edit protocols router-advertisement interface "$junos-interface-name"]
    Clive@HEX-LNS-02# set prefix ?
    Possible completions:
      <prefix>             Prefix to be advertised
    [edit protocols router-advertisement interface "$junos-interface-name"]
    Clive@HEX-LNS-02# set prefix $junos-ipv6-ndra-prefix
                                 ^
    invalid ip address or hostname: $junos-ipv6-ndra-prefix at '$junos-ipv6-ndra-prefix'

     

    Is there a way around this issue please Rahul?

     

    Also, is this a config for a statically assigned IPv6 address please?

     

    Thanks



  • 9.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 02:08

    Hi,

     

    It should be configured under the dynamic-profile, not under the global protocols stanza, as shown below. You need to configure RA, or else the subscriber will not come up.

     

    LNS# show dynamic-profiles dyn-lns-profile | no-more
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;
                }
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }

     

    Regards,

    Rahul



  • 10.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 02:22

    Hi Rahul,

     

    Many apologies. My error completely in mis-reading what you had written. I have now completed that configuration and will do some tests....

     

    I think as we are supplying the customer with a CPE that is pre-configured.... as I mentioned, the interface facing us as an ISP will be IPv6 only. The interface that faces the customer will be IPv4 and IPv6..... so the test I need to complete is to ensure that an IPv6-only address can connect with an IPv4-only address on the other side of our ISP network.

     

    I have dual-stack IPs assigned to all the interfaces across the network, so I am hoping this will work.

    I think we will also have to test the AAA server and its ability to deal with the IPv6 addressing, so I will be looking at the "framed-ipv6-prefix" attribute.... will update on here later...

     

    Thank you



  • 11.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 02:34

    Hi,

     

    Just FYI.....

     

    framed-ipv6-route is supported from 16.1. I would prefer the latest 16.1R5 or 16.1R6.

     

    You also need to tune the dynamic-profile configuration and add the rib for IPv6:

     

    LNS# show dynamic-profiles
    lns-client-profile {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
                routing-options {
                    rib "$junos-ipv6-rib" {
                        access {
                            route $junos-framed-route-ipv6-address-prefix {
                                qualified-next-hop "$junos-interface-name";
                                metric "$junos-framed-route-ipv6-cost";
                                preference "$junos-framed-route-ipv6-distance";
                                tag "$junos-framed-route-ipv6-tag";
                            }
                        }
                        access-internal {
                            route $junos-subscriber-ipv6-address {
                                qualified-next-hop "$junos-interface-name";
                            }
                        }
                    }
                    access {
                        route $junos-framed-route-ip-address-prefix {
                            qualified-next-hop "$junos-interface-name";
                            metric "$junos-framed-route-cost";
                            preference "$junos-framed-route-distance";
                        }
                    }
                    access-internal {
                        route $junos-subscriber-ip-address {
                            qualified-next-hop "$junos-interface-name";
                        }
                    }
                }
            }
        }
    }

     

    Please read the KB below in case of any queries.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB31778

     

    Regards,

    Rahul N



  • 12.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 03:02

    Hi Rahul,

     

    I have completed the configuration as you stated but still have no IPv6 connectivity, no tunnels, no authentication and no address assigned when looking at the PPP client.

     

    I may be making an error on the client itself, but Cisco is not really telling me what should be configured on the PPP client. My configuration is as follows:

     

    PPP Client: (Cisco 2691 (as IPv6 was required))

    interface Serial0/0
     ip address negotiated
     encapsulation ppp
     clock rate 2000000
     ppp pap sent-username testuser@network.com password 0 testing123

     

    Maybe NDRA needs configuring on there somewhere. This configuration works fine with IPv4 and an address is allocated when I complete the "show ip int brief" command. Obviously with IPv6 it is "show ipv6 int brief"......

     

    LAC Config: (Cisco 2691):

    vpdn enable
    !
    vpdn-group TESTNETWORK
     request-dialin
      protocol l2tp
      domain network.com
     initiate-to ip 195.80.0.29
     local name 21HEX
     l2tp tunnel password 7 071B245F5A001702464058

     

    interface FastEthernet0/0
     ip address 195.80.0.30 255.255.255.252
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     encapsulation ppp
     serial restart-delay 0
     ppp authentication pap callin

     

    And the Juniper LNS configuration:

    Clive@HEX-LNS-02# show dynamic-profiles dyn-hex-lns-profile
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
            routing-options {
                access {
                    route $junos-framed-route-ip-address-prefix {
                        next-hop "$junos-framed-route-nexthop";
                        metric "$junos-framed-route-cost";
                        preference "$junos-framed-route-distance";
                    }
                }
                access-internal {
                    route $junos-subscriber-ip-address {
                        qualified-next-hop "$junos-interface-name";
                    }
                }
            }
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;
                    dedicated;
                }
                no-traps;
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }

    services {
            ssh;
            subscriber-management {
                enable;

    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
        fpc 1 {
            pic 2 {
                tunnel-services {
                    bandwidth 1g;
                }
                inline-services {
                    bandwidth 1g;
                }
                max-queues-per-interface 8;
            }
        }
        network-services enhanced-ip;

    services {
        l2tp {
            tunnel-group LAC {
                l2tp-access-profile l2tp-profile;
                aaa-access-profile aaa-profile;
                local-gateway {
                    address 195.80.0.29;
                }
                service-device-pool lns;
                dynamic-profile dyn-hex-lns-profile;
            }
            traceoptions {
                file ninel2tp size 100m;
                level all;
                flag all;
            }
        }
        service-device-pools {
            pool lns {
                interface si-1/2/0;

    interfaces {
        ge-1/2/0 {
            gigether-options {
                802.3ad ae0;
            }
        }
        si-1/2/0 {
            hierarchical-scheduler maximum-hierarchy-levels 2;
            encapsulation generic-services;
            unit 0 {
                family inet;
                family inet6;

    lo0 {
            unit 0 {
                family inet {
                    address 195.80.0.253/32;
                }
                family iso {
                    address 49.0001.2a05.0008.000e.00;
                }
                family inet6 {
                    address 2a05:d840:0100:ffff:ffff:ffff:0000:0049/128;

    access {
        group-profile l2tp-group-profile {
            ppp {
                idle-timeout 200;
                ppp-options {
                    pap;
                    mtu 1430;
                }
                keepalive 30;
                primary-dns 8.8.8.8;
                secondary-dns 8.8.4.4;
            }
        }
        profile l2tp-profile {
            client 21HEX {
                l2tp {
                    maximum-sessions-per-tunnel 4000;
                    interface-id l2tp-encapsulation;
                    shared-secret "$9$uQmC0EyMWxdwgX7gJUH5T9Ap0RhylK8xN"; ## SECRET-DATA
                }
                user-group-profile l2tp-group-profile;
            }
        }
        profile aaa-profile {
            authentication-order radius;
            radius {
                authentication-server 172.16.16.36;
            }
            radius-server {
                172.16.16.36 secret "$9$NS-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"; ## SECRET-DATA
            }
        }
        address-assignment {
            neighbor-discovery-router-advertisement POOL;
            pool POOL {
                family inet6 {
                    prefix 2a05:d840:0100::/48;
                    range lns {
                        low 2a05:d840:0100:ffff:ffff:ffff:0000:0001/48;
                        high 2a05:d840:0100:ffff:ffff:ffff:0000:0050/48;

     

    Again, apologies for asking the questions, but I just cannot seem to get this working and feel that this may be down to the client now.... with the NDRA access?

     

    Thanks very much Rahul

     

    Clive

     

     

     



  • 13.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 03:15

    Hi Clive,

     

    I am not familiar with Cisco client configuration. Maybe you can try adding the knobs below and check.

     

    ipv6 address FE80::10 link-local
    ipv6 address autoconfig default
    ipv6 enable

     

    Regards,

    Rahul N



  • 14.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 06:48

    Hi Rahul

     

    Something is not right from the Cisco end, I think.

     

    Let me show you how everything is connected (I am using certain things because of interface speeds):

     

    Cisco 2691 (PPP Client) --> Cisco 2691 (LAC) --> Cisco 3750 (because of required gig connectivity) --> MX240 (LNS)

     

    So, when running wireshark tracing on the 3750 while IPv4 was used, I could see all the different packets traversing the links including the AAA Access-Accept.... This was good

     

    Now I have changed it to IPv6 and monitoring the same port, all I see are the ping packets I am testing with and the odd CDP and that is it.... there is absolutely nothing coming across from the PPP Client or the LAC...... very strange...... I can see that there may be an issue with regards to IP, but if it is in a tunnel there should be no issue.... but the Client or the LAC is not, or does not appear to be, forwarding anything to the LNS.



  • 15.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 09:11

    Hi Rahul,

     

    Okay. An update.... I removed the IPv6 configuration and got IPv4 working again. I then re-configured IPv6 as you have mentioned and well, typically, it started working, kind of...

     

    So, where am I now.... I am in the situation where the PPP Client Serial interface goes UP and then DOWN and then UP and then DOWN..... I think I know what this is given my experience a few days ago from IPv4 and that is authentication. 

     

    Okay, I configured IPv6 on the SRX to RADIUS interface and also to the CORE interface. I have also configured an IPv6 address on the second RADIUS ethernet card. I have set, in RIB 6.0, the static route to the RADIUS and injected into IS-IS.

     

    The ipv6 routes are advertised correctly by IS-IS throughout the network, however, although I can ping the SRX interface that faces the RADIUS, which is on the same network, I cannot ping the RADIUS. I believe this is because of, maybe, some policies stopping it, even though this is basic permit any any any at the moment.... any special IPv6 requirements on an SRX?

     

    Thanks

     

    Clive



  • 16.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-13-2017 23:34

    Hi Clive,

     

    Regarding the PPP client going up and down: how would authentication play a role here when the same is working fine for IPv4? Did you try setting authentication to none and checking?

     

    set access profile NONE authentication-order none

    set access-profile NONE

     

    For IPv6 routing, do you have a return route from the RADIUS, i.e. any default IPv6 route pointing to eth2?

    Does tcpdump on eth2 show the ICMP packets reaching the RADIUS?

     

    Regards,

    Rahul



  • 17.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 01:26

    Hi Rahul,

     

    I shall try it with none, but it's weird.

     

    From the LNS, I can ping the SRX interface that faces the RADIUS. It is on the same /48 prefix that the RADIUS interface is on. I cannot ping the RADIUS interface.

     

    If I ping directly from the SRX, with no source, I can ping the RADIUS interface. If I use the source address of xe-0/0/16 (address where packets are arriving and exiting through the core) it does not ping. To check the gateway, I can ping from the RADIUS to the SRX interface.

     

    The LNS is the furthest away from the RADIUS box and this is the resultant route:

     

    2a05:d840:50::/48  *[IS-IS/15] 00:12:17, metric 30
                        > to fe80::4e16:fcff:fe20:7c0 via ae0.0

     

    Results of ping to SRX Interface and RADIUS Interface:

     

    SRX:

    Clive@HEX-LNS-02# run ping inet6 2a05:d840:0050:ffff:ffff:ffff:0000:0003
    PING6(56=40+8+8 bytes) 2a05:d840:8:ffff:ffff:ffff:0:e --> 2a05:d840:50:ffff:ffff:ffff:0:3
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=0 hlim=63 time=416.218 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=1 hlim=63 time=0.794 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=2 hlim=63 time=0.787 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=3 hlim=63 time=0.751 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=4 hlim=63 time=0.740 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:3, icmp_seq=5 hlim=63 time=5.873 ms

     

    RADIUS:

    Clive@HEX-LNS-02# run ping inet6 2a05:d840:0050:ffff:ffff:ffff:0000:0002
    PING6(56=40+8+8 bytes) 2a05:d840:8:ffff:ffff:ffff:0:e --> 2a05:d840:50:ffff:ffff:ffff:0:2
    ^C
    --- 2a05:d840:0050:ffff:ffff:ffff:0000:0002 ping6 statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

     

    From SRX to RADIUS:

    Clive@HEX-SRX-02# run ping inet6 2a05:d840:0050:ffff:ffff:ffff:0000:0002
    PING6(56=40+8+8 bytes) 2a05:d840:50:ffff:ffff:ffff:0:3 --> 2a05:d840:50:ffff:ffff:ffff:0:2
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:2, icmp_seq=0 hlim=64 time=0.869 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:2, icmp_seq=1 hlim=64 time=0.639 ms
    16 bytes from 2a05:d840:50:ffff:ffff:ffff:0:2, icmp_seq=2 hlim=64 time=0.745 ms

     

    As you can see, that is strange..... what's even more weird is the routing. Look at the routes from the LNS to the SRX and the RADIUS (should take the same hops):

     

    To RADIUS interface:

    Clive@HEX-SRX-02# run traceroute 2a05:d840:0050:ffff:ffff:ffff:0000:0002
    traceroute6 to 2a05:d840:0050:ffff:ffff:ffff:0000:0002 (2a05:d840:50:ffff:ffff:ffff:0:2) from 2a05:d840:8:ffff:ffff:ffff:0:e, 64 hops max, 12 byte packets
     1  2a05:d840:8:ffff:ffff:ffff:0:10 (2a05:d840:8:ffff:ffff:ffff:0:10)  0.787 ms  0.546 ms  0.554 ms
     2  2a05:d840:40:ffff:ffff:ffff:0:1 (2a05:d840:40:ffff:ffff:ffff:0:1)  0.535 ms  0.500 ms  0.468 ms
     3  * * *

     

    And to the SRX interface:

    Clive@HEX-LNS-02# run traceroute 2a05:d840:0050:ffff:ffff:ffff:0000:0003
    traceroute6 to 2a05:d840:0050:ffff:ffff:ffff:0000:0003 (2a05:d840:50:ffff:ffff:ffff:0:3) from 2a05:d840:8:ffff:ffff:ffff:0:e, 64 hops max, 12 byte packets
     1  2a05:d840:8:ffff:ffff:ffff:0:10 (2a05:d840:8:ffff:ffff:ffff:0:10)  0.905 ms  0.554 ms  0.549 ms
     2  2a05:d840:50:ffff:ffff:ffff:0:3 (2a05:d840:50:ffff:ffff:ffff:0:3)  1.039 ms  0.904 ms  0.849 ms

     

    I'll do some more investigating and will let you know.


    Thanks Rahul

     

    Clive



  • 18.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 02:36

    Hi Rahul,

     

    Apologies for questions.... I am missing something somewhere and cannot see the wood for the trees:

     

    MX240(LNS) (int ae0) --> (int ae0) MX240(CORE) (xe-1/2/9) --> (int xe-0/0/16) SRX1500 (Int ge-0/0/2) --> (int em2) RADIUS

     

    On the LNS, I can see the route for the IPv6 network at the RADIUS in IS-IS as expected. On the SRX I have set up a static route in inet6.0 RIB and am redistributing into IS-IS. 

     

    From the LNS I can ping the SRX Interface ge-0/0/2, which is on the same network as int em2 on the RADIUS and, as mentioned, the network is advertised on the SRX and the next-hop is the ge-0/0/2 interface.

    I cannot ping the em2 interface from the LNS.

     

    I have enabled IPv6 flow-based mode on the SRX and therefore the SRX should be forwarding packets. I will try and set up a different system off the ge-0/0/2 port and see if the RADIUS is causing the issue, but for now, here is the SRX basic config. Please can you let me know if there is something obvious that is wrong.

     

    Thanks Rahul

     

    Clive

     

    SRX Config:

    Clive@HEX-SRX-02# run show configuration | display set
    set version 15.1X49-D110.4
    set system host-name HEX-SRX-02
    set system time-zone GMT
    set system root-authentication encrypted-password "$5$qLsCZZS8$z.eXq.iH9bq7jaEylLsrM4uvwzoqWhsnroIjEZNWs6C"
    set system name-server 208.67.222.222
    set system name-server 208.67.222.220
    set system login user Clive uid 2000
    set system login user Clive class super-user
    set system login user Clive authentication encrypted-password "$5$h/zFGlrV$dCjgDP2H9Y.ATAsS8TL9syhNNZKiygL0JdU8vIDVWsD"
    set system login user Jim uid 2002
    set system login user Jim class super-user
    set system login user Jim authentication encrypted-password "$5$.KlIEL5y$uXd.LxHmgsJnTfMGXXRsvw2w9JrNLMaLlJq.VZ/e2v2"
    set system login user Lee uid 2004
    set system login user Lee class super-user
    set system login user Lee authentication encrypted-password "$5$/aIRta9Q$tj4CeZBzHmEcRPWBw7brNlSE.rwI953jZjWQrtS3jH/"
    set system login user Oliver uid 2001
    set system login user Oliver class super-user
    set system login user Oliver authentication encrypted-password "$5$.1Lb5XCf$.xjkLRhzVXSXtnLsITPB9w.uDNy0why7SKCOnWW/M52"
    set system login user Stephen uid 2003
    set system login user Stephen class super-user
    set system login user Stephen authentication encrypted-password "$5$BXCsVaI6$90FkTRFCJVHnF9u005UL61lU3UBBe2NjNDawHzjgZn7"
    set system services ssh
    set system services xnm-clear-text
    set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
    set system services web-management http interface fxp0.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system max-configurations-on-flash 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security forwarding-options family inet6 mode flow-based
    set security forwarding-options family iso mode packet-based
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust host-inbound-traffic system-services traceroute
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone trust interfaces ge-0/0/2.0
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone trust interfaces xe-0/0/16.0
    set security zones security-zone trust interfaces xe-0/0/17.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set interfaces ge-0/0/0 enable
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
    set interfaces ge-0/0/2 unit 0 family inet address 172.16.16.40/24
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0050:ffff:ffff:ffff:0000:0003/48
    set interfaces ge-0/0/3 unit 0 family inet address 192.168.4.1/24
    set interfaces xe-0/0/16 unit 0 family inet address 195.80.0.33/30
    set interfaces xe-0/0/16 unit 0 family iso
    set interfaces xe-0/0/16 unit 0 family inet6 address 2a05:d840:0040:ffff:ffff:ffff:0000:0001/48
    set interfaces xe-0/0/17 unit 0 family inet address 192.168.5.1/24
    set interfaces fxp0 unit 0 family inet address 185.89.120.11/24
    set interfaces lo0 unit 0 family inet address 195.80.0.250/32
    set interfaces lo0 unit 0 family iso address 49.0001.1958.0001.2500.00
    set routing-options rib inet6.0 static route 2a05:d840:50::/48 next-hop 2a05:d840:0050:ffff:ffff:ffff:0000:0003
    set routing-options static route 172.16.16.0/24 next-hop 172.16.16.40
    set protocols isis traceoptions file isisdebug
    set protocols isis traceoptions flag hello detail
    set protocols isis export export_statics
    set protocols isis level 1 authentication-key "$9$3zJMnA0B1hrK8Rh2aUH5TRhSylM"
    set protocols isis level 1 authentication-type md5
    set protocols isis level 2 authentication-key "$9$XNrxVYg4ZjkPaZA0IcvMaZUDi."
    set protocols isis level 2 authentication-type md5
    set protocols isis interface ge-0/0/2.0
    set protocols isis interface xe-0/0/16.0
    set protocols isis interface lo0.0 passive
    set policy-options policy-statement export_statics term 1 from protocol static
    set policy-options policy-statement export_statics term 1 then accept
    set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
    set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
    set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254

     



  • 19.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 02:51

    Hi Clive,

     

    Why do you have a static route on the SRX1500?

     

    SRX1500 should advertise the subnet via ISIS and LNS should have an ISIS route for 2a05:d840:0050::/48. SRX1500 and RADIUS are P2P. All you need is a return route from the RADIUS.

     

    Can you remove the static route and try to ping SRX1500 [ge-0/0/2] from LNS? In case of any issues, please provide the output of show route from SRX1500 and LNS.

     

    Regards,

    Rahul N
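    Rahul's question about the static route can be checked mechanically. The following is an added example (not part of the thread and not Juniper code) that walks a constructed excerpt of the "display set" output above and flags the two things this thread turns on: an IS-IS interface that lacks family iso, and a static route whose next-hop is one of the SRX's own addresses (the constructed excerpt deliberately adds xe-0/0/17.0 to IS-IS without family iso so that check fires too).

```python
import ipaddress
import re

# Constructed excerpt of the SRX "display set" config from the post above,
# with xe-0/0/17.0 added to IS-IS (without family iso) to exercise that check.
SRX_CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 172.16.16.40/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0050:ffff:ffff:ffff:0000:0003/48
set interfaces xe-0/0/16 unit 0 family inet address 195.80.0.33/30
set interfaces xe-0/0/16 unit 0 family iso
set interfaces xe-0/0/17 unit 0 family inet address 192.168.5.1/24
set interfaces lo0 unit 0 family iso address 49.0001.1958.0001.2500.00
set routing-options rib inet6.0 static route 2a05:d840:50::/48 next-hop 2a05:d840:0050:ffff:ffff:ffff:0000:0003
set routing-options static route 172.16.16.0/24 next-hop 172.16.16.40
set protocols isis export export_statics
set protocols isis interface ge-0/0/2.0
set protocols isis interface xe-0/0/16.0
set protocols isis interface xe-0/0/17.0
set protocols isis interface lo0.0 passive
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (?:inet|inet6) address (\S+)$")
ISO_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family iso(?: address \S+)?$")
STATIC_RE = re.compile(r"^set routing-options (?:rib inet6\.0 )?static route (\S+) next-hop (\S+)$")
ISIS_IF_RE = re.compile(r"^set protocols isis interface (\S+)(?: passive)?$")


def audit(config: str) -> list:
    """Return human-readable findings for the two mistakes discussed in the thread."""
    local_addrs, iso_ifaces, isis_ifaces, statics = set(), set(), [], []
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            local_addrs.add(ipaddress.ip_interface(m[3]).ip)   # host part only
        elif m := ISO_RE.match(line):
            iso_ifaces.add(f"{m[1]}.{m[2]}")                   # e.g. ge-0/0/2.0
        elif m := ISIS_IF_RE.match(line):
            isis_ifaces.append(m[1])
        elif m := STATIC_RE.match(line):
            statics.append((m[1], ipaddress.ip_address(m[2])))
    findings = []
    for ifname in isis_ifaces:
        if ifname not in iso_ifaces:
            findings.append(f"isis interface {ifname} has no family iso")
    for prefix, nh in statics:
        if nh in local_addrs:   # route points back at the box itself, as Rahul queried
            findings.append(f"static route {prefix} points at local address {nh}")
    return findings
```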



  • 20.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 04:16

    Hi Rahul,

     

    Please accept my apologies as I had been reliably informed by the Centos engineer that a default gateway had been applied. I did question him several times to check. The last time he informed me there was NO default gateway. Well, now there is a default gateway and I can ping it from the LNS. So, now we have the next issue (we will get this working with your expert help Rahul 🙂  )....

     

    The client config on the RADIUS is set to the ae0 interface of the LNS as IPv4....... we need it to dual stack really..... when I look at the wireshark trace I see a malformed packet and I think it is because an IPv4 accept is being sent back.

     

    So, on the RADIUS, while running radiusd -X I see the authentication packet arrive and it is accepted, but on the PPP Client I see the LCP packets being dropped and the Wireshark showing "malformed packets"..... could this be because of an issue between the IPv6 pool on the LNS and the client on the RADIUS being IPv4?

     

    Thanks

     

    Clive



  • 21.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 04:56

    Perfect !!

     

    Please confirm if PPP client is coming up after making the authentication none.

     

    I need authd logs and wireshark to troubleshoot the radius issue.

     

    Regards,

    Rahul N



  • 22.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 06:16

    Hi Rahul,

     

    It can't be the RADIUS (I don't think) as the issue still exists.... it certainly seems to be an IP issue..... Here is the Cisco Debug from the PPP Client:

     

    *Mar  4 21:44:32.300: Se0/0 PPP: Outbound cdp packet dropped
    *Mar  4 21:45:26.800: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
    *Mar  4 21:45:28.108: Se0/0 PPP: Outbound cdp packet dropped
    *Mar  4 21:45:28.108: Se0/0 PPP: Authorization required
    *Mar  4 21:45:28.108: Se0/0 PPP: No authorization without authentication
    *Mar  4 21:45:28.108: Se0/0 PAP: Using hostname from interface PAP
    *Mar  4 21:45:28.108: Se0/0 PAP: Using password from interface PAP
    *Mar  4 21:45:28.108: Se0/0 PAP: O AUTH-REQ id 219 len 36 from "testuser@network.com"
    *Mar  4 21:45:28.128: Se0/0 PPP: Authorization required
    *Mar  4 21:45:28.152: Se0/0 PPP: No authorization without authentication
    *Mar  4 21:45:28.152: Se0/0 PAP: Using hostname from interface PAP
    *Mar  4 21:45:28.152: Se0/0 PAP: Using password from interface PAP
    *Mar  4 21:45:28.152: Se0/0 PAP: O AUTH-REQ id 220 len 36 from "testuser@network.com"
    *Mar  4 21:45:28.256: Se0/0 PAP: I AUTH-ACK id 220 len 5
    *Mar  4 21:45:29.256: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    *Mar  4 21:45:29.256: Se0/0 PPP: Outbound cdp packet dropped
    *Mar  4 21:45:31.300: Se0/0 PPP: Outbound cdp packet dropped
    *Mar  4 21:45:32.300: Se0/0 PPP: Outbound cdp packet dropped

     

    And please find attached the wireshark trace taken between the LAC and the LNS.

     

    For FYI purposes, the tunnel peer addresses are IPv4 but I do not think that should make any difference (or maybe it does require IPv6 also).

     

    Thanks Rahul

     

    Clive

     



  • 23.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 06:18

    Sorry Rahul..... It won't let me upload the Wireshark.... do you have an e-mail address I can send it to please?



  • 24.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 07:42

    Hi Clive,

     

    Please share the PCAP to understand the issue.

     

    Regards,

    Rahul



  • 25.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-14-2017 09:27

    Hi Rahul,

     

    Okay. We have progressed.

    I have set a static IPv6 address on the PPP Client Serial Interface, then I enabled IPv6 and also set a default IPv6 route (ipv6 route ::/0 serial 0/0).

    I also reconfigured the AAA RADIUS.

     

    We now have a tunnel up and we have authentication but we do not have any route available for the said serial ppp interface. We cannot ping anything the far side of the tunnel.

     

    Will that happen on the RADIUS please?

     

    I think we will be sending the CPE out fully configured with an IPv6 address anyway.

     

    Thanks Rahul

     

    Clive



  • 26.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-15-2017 00:19

    Hi Clive,

     

    Please check your private message. I've updated there.

     

    Regards,

    Rahul



  • 27.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-15-2017 01:42

    Hi Rahul,

     

    Thank you for the private message. It was very much appreciated.

     

    If I explain what our end result needs to be, then that may help showing what I am trying to achieve.

     

    The CPE will be issued to the customer fully managed (from my understanding). Because the interface facing the LAC will be a PPP interface, we cannot hardcode an IPv6 address there. We will have a specific IPv6 address per customer that needs to be allocated to that customer when the PPP connection is made. It cannot come from a pool, just a one-off IPv6 address.

     

    We will need to allocate that address, I think, via the RADIUS, and that is now, I believe, where we are. But firstly, I need to get the pool of addresses working that you kindly sent the configuration for. Once I get that working, I think the rest will fall into place.

     

    From your experience of working with Juniper, what is the ideal/best way to allocate the specific, single IPv6 address to the CPE PPP Interface please?

     

    Thanks

     

    Clive



  • 28.  RE: ISIS Export Policies (Policy-Options)
    Best Answer

     
    Posted 11-15-2017 02:00

    Hi Clive,

     

    Your understanding is correct. You need to assign an IPv6 address to the PPP client. PPP NCP for IPv6 is different compared to IPv4.

    IPCP negotiates an IP address and IPv6CP negotiates an interface-id. Address assignment for IPv6 is done in two ways: WAN [NDRA] and LAN [DHCPv6 PD].

    We usually assign a /64 prefix to the WAN as part of NDRA. In the latest logs, I didn't see the CPE initiating the NCP phase. All I see is the PAP ack.

    Did you validate why the PPP client is not initiating the NCP phase?

     

    Once the NDRA prefix is assigned to the PPP client, the MX will create an access route and the same can be redistributed into ISIS.

     

    You can assign the address via address-pool or via radius.

     

    Regards,

    Rahul
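    To make the IPv6CP point concrete: IPv6CP (PPP protocol 0x8057, RFC 5072) carries only an 8-byte Interface-Identifier option, and the address only exists once that identifier is combined with the /64 the LNS hands out via NDRA. The following is an added example, not code from the thread or from Juniper, that encodes and strictly parses an IPv6CP Configure-Request and then derives the link-local and global addresses; the /64 used is a constructed documentation prefix, not the thread's pool.

```python
import ipaddress
import struct

IPV6CP_PROTOCOL = 0x8057          # PPP protocol number for IPv6CP (RFC 5072)
CONFIGURE_REQUEST = 1             # IPv6CP/LCP code for Configure-Request
OPT_INTERFACE_IDENTIFIER = 1      # option type 1: length 10, 8-byte interface-id


def build_configure_request(identifier: int, iid: bytes) -> bytes:
    """Encode an IPv6CP Configure-Request carrying one Interface-Identifier option."""
    if len(iid) != 8:
        raise ValueError("interface identifier must be 8 bytes")
    option = struct.pack("!BB", OPT_INTERFACE_IDENTIFIER, 10) + iid
    length = 4 + len(option)      # code(1) + id(1) + length(2) + options
    return struct.pack("!BBH", CONFIGURE_REQUEST, identifier, length) + option


def parse_configure_request(packet: bytes) -> dict:
    """Decode header and options, rejecting truncated or inconsistent lengths
    (the kind of frame Wireshark would flag as malformed)."""
    if len(packet) < 4:
        raise ValueError("truncated IPv6CP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    options, pos = {}, 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        otype, olen = packet[pos], packet[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("bad option length")
        options[otype] = packet[pos + 2:pos + olen]
        pos += olen
    return {"code": code, "id": identifier, "options": options}


def addresses_from_iid(iid: bytes, ndra_prefix: str) -> dict:
    """Combine the negotiated IID with the NDRA /64: link-local plus global address."""
    net = ipaddress.IPv6Network(ndra_prefix)
    if net.prefixlen != 64:
        raise ValueError("NDRA prefix must be a /64")
    iid_int = int.from_bytes(iid, "big")
    return {
        "link_local": ipaddress.IPv6Address((0xFE80 << 112) | iid_int),
        "global": ipaddress.IPv6Address(int(net.network_address) | iid_int),
    }
```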



  • 29.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-15-2017 04:06

    Hi Rahul,

     

    I don't know why... I have no envelope sign so cannot access my PM... good job I have them forwarded to my e-mail 🙂  Secondly, I have e-mailed my wireshark trace to you.

     

    Thanks

     

    Clive



  • 30.  RE: ISIS Export Policies (Policy-Options)

     
    Posted 11-15-2017 07:48

    With absolute expert help from Rahul, I have now managed to solve the issue of IPv6 and ISIS export policies.

     

    We created the pool and prefix on the LNS

    We created the PPP IPv6 subscriber interface on the PPP Client

    We created the correct routes on the PPP Client

    We created the correct high and low prefix on the LNS pool

    We created the redistribution of the routes into ISIS on the LNS

     

    It is way too much information to put all in here, but please PM me if you require the configs we used and explanation.

     

    As I mentioned, Rahul has been superb in this process.