L2TP Dialup Failure Due to Incorrect UDP Port Mapping of the NAT Server on the AR G3 Router

Publication Date: 2015-06-09
Issue Description
As shown in the following figure, the AR functions as the enterprise egress router, and the branch and headquarters establish an L2TP tunnel. Users on outbound interface GE1/0/0 connect to the network through PPPoE dialup.



The private network user (PC1) can successfully connect to the network through L2TP dialup. When the public network user (PC2) performs L2TP dialup (packets from PC2 to the LAC are forwarded through GE1/0/0), error 800 is displayed. Logging in to the AR to collect L2TP debugging information shows that no L2TP debugging information is generated on the AR.
Handling Process
1. PC1 can successfully connect to the network through L2TP dialup, indicating that the L2TP configuration is correct.

2. Check the public network interface configuration. There is one UDP port mapping.

interface Dialer1 (The dialup configuration is omitted.)
link-protocol ppp
nat server protocol tcp global interface Dialer 1 www inside 192.168.10.2 www
nat server protocol tcp global interface Dialer 1 pop3 inside 192.168.10.2 pop3
nat server protocol tcp global interface Dialer 1 smtp inside 192.168.10.2 smtp
nat server protocol tcp global interface Dialer 1 ftp inside 192.168.10.2 ftp
nat server protocol udp global interface Dialer 1 any inside 192.168.10.2 any
nat outbound 2001

The L2TP tunnel uses UDP port 1701, and the NAT server entry maps all UDP ports to the private network host. When PC2 initiates L2TP dialup to the LNS, the packets reaching GE1/0/0 of the LAC match this NAT server mapping entry, so the LAC forwards them to the private network instead of processing them itself. As a result, the packets cannot reach the LNS and PC2 fails to perform L2TP dialup. The fault is rectified after the following configuration is deleted.

nat server protocol udp global interface Dialer 1 any inside 192.168.33.2 any
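To make the mapping conflict visible before it bites, the following added example (not part of the original case, and not Huawei code) parses the nat server lines of a constructed Dialer1 excerpt and reports where an inbound packet would land. It assumes a first-match lookup and the service-name-to-port table used in the page's lines; the router's real lookup order is not documented here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the Dialer1 configuration quoted in the case.
DIALER1_CONFIG = """\
interface Dialer1
 link-protocol ppp
 nat server protocol tcp global interface Dialer 1 www inside 192.168.10.2 www
 nat server protocol tcp global interface Dialer 1 pop3 inside 192.168.10.2 pop3
 nat server protocol tcp global interface Dialer 1 smtp inside 192.168.10.2 smtp
 nat server protocol tcp global interface Dialer 1 ftp inside 192.168.10.2 ftp
 nat server protocol udp global interface Dialer 1 any inside 192.168.10.2 any
 nat outbound 2001
"""
L2TP_UDP_PORT = 1701
SERVICE_PORTS = {"www": 80, "pop3": 110, "smtp": 25, "ftp": 21}  # names used on the page
NAT_SERVER_RE = re.compile(
    r"nat server protocol (?P<proto>tcp|udp) global interface \S+ \d+ (?P<gport>\S+)"
    r" inside (?P<inside>\d+\.\d+\.\d+\.\d+) (?P<iport>\S+)"
)
@dataclass
class NatServerEntry:
    proto: str
    global_port: Optional[int]  # None stands for the keyword "any"
    inside_ip: str
    def matches(self, proto: str, dst_port: int) -> bool:
        return proto == self.proto and self.global_port in (None, dst_port)

def _port(token: str) -> Optional[int]:
    if token == "any":
        return None
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def parse_nat_server(config: str) -> list:
    """Collect the static (nat server) mappings from a configuration dump."""
    return [NatServerEntry(m["proto"], _port(m["gport"]), m["inside"])
            for m in map(NAT_SERVER_RE.search, config.splitlines()) if m]

def classify_inbound(entries: list, proto: str, dst_port: int) -> str:
    """Where a packet arriving on the public interface ends up: the inside host of the first
    matching nat server entry (first-match is an assumption), or 'local' (the LAC itself)."""
    for entry in entries:
        if entry.matches(proto, dst_port):
            return entry.inside_ip
    return "local"

def l2tp_capturing_entries(entries: list) -> list:
    """Mappings that would divert inbound L2TP (UDP 1701) away from the LAC's own tunnel."""
    return [e for e in entries if e.matches("udp", L2TP_UDP_PORT)]
```

With the `udp ... any` line present, UDP 1701 is classified as going to 192.168.10.2; once that line is removed, the same packet stays local and l2tp_capturing_entries returns nothing.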
Root Cause
The AR is configured with a NAT server port mapping covering all UDP ports, so L2TP packets from the public network are mapped to another network device instead of being processed by the AR.
Suggestions
The common troubleshooting for L2TP dialup failure is as follows:

1. Check the L2TP configuration.

2. If the L2TP configuration is correct, run the debugging ppp all and debugging l2tp all commands to collect debugging information for fault location.

3. If debugging information cannot be collected, check whether the packets reach the LNS at all, whether they are rejected by the LNS, or whether they are forwarded to other network devices (for example, by a NAT mapping).

4. When port mapping is configured on the NAT server, consider the services that terminate on the router itself, especially L2TP and Telnet, and exclude their ports from the mapping to prevent service exceptions or interruptions.
