L2TP Service Forwarding Failure Due to Incorrect Private Route Configuration When Multiple Branches Connect to the Headquarters

Publication Date:  2015-06-25
Issue Description
As shown in the following figure, multiple enterprise branches connect to the enterprise headquarters. When only one enterprise branch connects to the enterprise headquarters, the enterprise branch can communicate with the enterprise headquarters. When two or more enterprise branches connect to the enterprise headquarters, all L2TP services are interrupted.



LNS main configuration:

l2tp enable
#
ip pool 1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
aaa
local-user huawei password cipher %#%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%#%#
local-user huawei service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
ospf network-type p2mp
ospf timer hello 10
ospf p2mp-mask-ignore
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
ip route-static 10.1.20.0 255.255.255.0 Virtual-Template1
#
Handling Process
1. Check the L2TP tunnel status. On the headquarters and branch, the L2TP tunnel and session have been established.

[LNS] display l2tp tunnel

Total tunnel : 2
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        1         1.1.2.1          1701   1        lac_1
2        1         1.1.3.1          1701   1        lac_2
[LAC_1] display l2tp tunnel

Total tunnel : 1
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        1         1.1.1.1          42246  1        lns
[LAC_2] display l2tp tunnel

Total tunnel : 1
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        1         1.1.1.1          42246  1        lns

2. Check the routing table. In the routes from the enterprise headquarters to the two enterprise branches, the next hop is virtual template interface 1 in both cases. In the routes from the two enterprise branches to the enterprise headquarters, the next hop is also virtual template interface 1. The private network routes are listed below.

[LNS]display ip routing-table                                          
Route Flags: R - relay, D - download to fib                                    
------------------------------------------------------------------------------ 
Routing Tables: Public                                                         
         Destinations : 19       Routes : 19                                   
                                                                               
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
………..
10.1.10.0/24        Static   60   0         D   10.1.1.1        Virtual-Template1
10.1.20.0/24        Static   60   0         D   10.1.1.1        Virtual-Template1
………..
[LAC_1]display ip routing-table                                          
Route Flags: R - relay, D - download to fib                                    
------------------------------------------------------------------------------ 
Routing Tables: Public                                                         
         Destinations : 14       Routes : 14                                   
                                                                               
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
………..
10.1.2.0/24        Static   60   0         D   10.1.1.254      Virtual-Template1
………..
[LAC_2]display ip routing-table                                          
Route Flags: R - relay, D - download to fib                                    
------------------------------------------------------------------------------ 
Routing Tables: Public                                                         
         Destinations : 14       Routes : 14                                   
                                                                               
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
………..
10.1.2.0/24        Static   60   0         D   10.1.1.253      Virtual-Template1
………..

3. On the LNS, ping the private gateway address of the remote device, using the local private gateway address as the source address. The two branches cannot ping each other.

Question: The routes exist and the tunnels are set up. Why does the ping operation fail? And why does the ping operation succeed when only a single LAC connects to the enterprise headquarters?

On the LNS, the static routes to the branches point only at virtual template interface 1 as the next hop. When there is only one tunnel, that interface carries a single session, so packets can be forwarded directly to the remote end.

When there are multiple tunnels, a route that names only virtual template interface 1 carries no further information about which session a packet to be forwarded through that interface belongs to. In this case, packets may be discarded.

The static routes configured on the LNS are therefore incorrect.

4. Modify the static route configuration on the LNS so that each static route specifies the address of the remote virtual template interface (the address assigned to the LAC) as its next hop.

ip route-static 10.1.10.0 255.255.255.0 10.1.1.253
ip route-static 10.1.20.0 255.255.255.0 10.1.1.254

After the modification, the ping operations between branches succeed.
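The following added check (not part of the original case or of the vendor's tools) parses the LNS static routes shown above and flags the ambiguous form: a route whose next hop is only a Virtual-Template interface, with no next-hop address, which is exactly the configuration that breaks once a second LAC dials in. The sample configuration text is constructed from the case's own LNS configuration.

```python
import re

# Constructed sample: the relevant lines of the LNS configuration from this case.
LNS_CONFIG = """\
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
ip route-static 10.1.20.0 255.255.255.0 Virtual-Template1
"""

# ip route-static <dest> <mask|len> { <nexthop> | <interface> [ <nexthop> ] }
ROUTE_RE = re.compile(r"^ip route-static\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_static_routes(config):
    """Return (dest, mask, interface, nexthop) tuples; interface or nexthop may be None."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest, mask, third, fourth = m.groups()
        if IPV4_RE.match(third):
            # Next-hop address only: the FIB resolves the outgoing interface itself.
            routes.append((dest, mask, None, third))
        else:
            # Outgoing interface, optionally followed by a next-hop address.
            routes.append((dest, mask, third, fourth))
    return routes


def find_ambiguous_vt_routes(config):
    """Flag routes that exit a Virtual-Template interface without a next-hop address.

    With more than one L2TP session bound to the template, such a route does not
    identify which session should carry the packet (the failure seen in this case).
    """
    return [
        (dest, mask, iface)
        for dest, mask, iface, nexthop in parse_static_routes(config)
        if iface and iface.lower().startswith("virtual-template") and nexthop is None
    ]


if __name__ == "__main__":
    for dest, mask, iface in find_ambiguous_vt_routes(LNS_CONFIG):
        print(f"ambiguous: {dest} {mask} via {iface} (no next-hop address)")
```

Running it against the case's configuration reports the two branch routes; a route written with a next-hop address, such as the corrected `ip route-static 10.1.10.0 255.255.255.0 10.1.1.253`, is not flagged.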

This solution has a drawback. For each branch, you must first find out the address assigned to its virtual template interface and then configure a matching route. Because that address may change, the maintenance workload is heavy.

It is recommended that a dynamic routing protocol be configured on the LNS and LAC to advertise private network segments and virtual template interface addresses and to learn the private network route to the remote end. When adding a branch, you only need to perform configurations on the LAC. The configuration does not need to be changed regardless of whether the IP address of the virtual template interface on the LAC changes. The maintenance workload is greatly reduced. OSPF is used as an example.

LNS configuration:

ospf 10
area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.2.0 0.0.0.255
LAC_1 configuration:
ospf 10
area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.10.0 0.0.0.255
LAC_2 configuration:
ospf 10
area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.20.0 0.0.0.255
Root Cause
The next hop in the static route from the LNS to the branch is incorrect.
Suggestions
When multiple branches connect to the headquarters through L2TP dialup, you are advised to configure a dynamic routing protocol to advertise private network routes. This can greatly reduce the maintenance workload.
