No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Analysis on PPPoE Dialing Errors 676 and 691 Due to Various Causes

Publication Date:  2013-10-08 Views:  15 Downloads:  0
Issue Description
1. Patch: V600R002C02SPC700+V600R002SPC031
2. Simplest PPPoE dialing scenario: user-end dialer – Layer 2 switch (or ONU-OLT) – ME60
3. The error 676 or 691 was reported upon user dialing.
No alarm information was on the equipment side. 
Handling Process
None
Root Cause
A PPPoE user dialing process includes two phases: PPPoE discovery and PPP session. Errors 678 and 676 occur during the PPPoE discovery phase and error 691 occurs during the PPP session phase.
1. Error 678 is generally due to Layer 2 unavailability. Its root cause is that after sending PADI, the dialer does not receive PADO from the BAS.
2. Error 676 may be due to restrictions on the BAS or Layer 2 unavailability. The root cause is that after sending PADR, the dialer does not receive PADS from the BAS.
1). Common scenario 1 for error 676:
ppp connection chasten 5 60 300 is configured on ME60. Assumed that a user dialing fails within 60s, the BAS will not respond in the following 300s. In this case, an error 676 will be reported, indicating a dialing failure. This mechanism is designed to prevent repeated user dialing trials and brute force cracking by illegal users, and therefore is a security measure provided by ME60.
2). Common scenario 2 for error 676:
The MAC address of the BAS shifts in the corresponding VLAN to non-upstream ports on the Layer 2 convergence device.
Normally, the MAC address of the BAS is learnt to the upstream ports. If a user pretends to be a gateway (BAS) and constantly sends packets in a VLAN, the MAC address of the real BAS will not be learnt to the upstream ports but to the UNI port. Since PADI packets are broadcast, the PADI packets can be normally sent from the dialer to the BAS. The BAS replies with PADO packets with its MAC address as the source and the dialer MAC address as the destination; these packets can reach their destination even in unicast mode. However, PADR packets from the dialer carry the dialer MAC address as the source and the BAS MAC address as the destination. During Layer 2 forwarding, they reach the convergence device with MAC address shifting, and will be sent to another UNI port upon forwarding table query by destination MAC address. As a result, PADR packets cannot reach the BAS, the dialer cannot receive PADS packets, and the error 676 is reported.
3. When the error 691 occurs, the Layer 2 network between the dialer and the BAS is available and a fault occurs on the network during the user authentication.
1). Common scenario 1 for error 691: The dialing user enters an incorrect user name or password.
2). Common scenario 2 for error 691: The RADIUS is suspended for the dialing user. Note: In inter-board ETH-TRUNK networking, if the user binding is not based on inner/outer labels but on the NAS-Port(5) attribute, configure the nas logic-port parameter. The nas-port information recorded in RADIUS is inconsistent with the information reported upon the user logout, which results in suspension on RADIUS.
3. A special scenario for error 691
The access domain configured on the BAS subinterface has a different name from the domain name carried by the online user data. In this case, the BAS will reject the authentication request from the dialer and the error 691 will be reported.
For example, the online user carries a domain name and PPPoE, and the permit-domain  <domain name>is configured on the port through which the user gets online, where the domain name is different from the actual one.
Solution
1. Troubleshooting for common error 676 scenario 1:
When a user tries but fails to dial in with an incorrect user name or password for five consecutive times, the error 691 will be reported; the error 676 will be reported after the six trial. The fault phenomena persists when the user tries again after 300s. Explain to the customer that this is a normal phenomena due to a protection mechanism on ME60.
2. Troubleshooting for common error 676 scenario 2:
1). On ME60, ran the trace access-user command and found that it had not received PADR from the user side.
2). Queried the MAC address of ME60 on Layer 2 devices one after another and found that the ME60 MAC address was learnt to a downstream port on the convergence switch.
3). Checked and found that one ONU connected to an OLT that was connected to the convergence switch also learnt the ME60 MAC address, and therefore suspected that a user pretended as the gateway sending packets.
4). Disabled the ONU. Then, the ME60 MAC address was learnt to the upstream port on the convergence switch and services were restored.
3. Troubleshooting for a special error 691 scenario:
1). On ME60, ran the trace access-user command and found that the user dialing request was rejected by the domain before authentication was initiated.
2). On ME60, checked the domain and BAS interface configurations and found that the domain was correctly configured, permit-domain was enabled on the BAS interface, but the domain carried in the trace message was different from the value configured by permit-domain.
3). Deleted the permit-domain configuration from the BAS interface or added the domain name carried by the user during dialing.
Suggestions
In PPPoE dialing scenarios, errors 678, 676, and 691 are common errors. Their generation principles are simple but may involve various scenarios. The most effective method to troubleshoot such errors is to trace the user MAC address and run the display aaa online-fail-record command to locate the dialing failure cause. Then, based on the dialing failure cause, further locate the fault on the device or Layer 2 network.

END