
AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining AR enterprise routers. It covers common information collection and fault diagnosis commands, a guide to typical faults, and troubleshooting procedures.
What Are the Causes for L2TP VPN Establishment Failure?

Possible Causes

  • There is no reachable route between the two ends, for example because several default routes are configured and the tunnel traffic follows the wrong one.
  • The tunnel authentication parameters do not match: the remote tunnel name, the tunnel authentication mode, or the tunnel password differs between the LAC (or client) and the LNS.
  • The gateway address is not declared in the IP address pool, so the pool hands the gateway's own address out to a client.
  • The SA statistics function is enabled on the LNS interface connecting to L2TP users, which stops that interface from forwarding packets.

Troubleshooting Procedure

  1. Run the ping or tracert command to check whether the route between the LAC (or client) and the LNS is reachable.
  2. Run the display current-configuration command to check that the configurations of the L2TP group and the VT interface are correct on both ends.

    <LAC> display current-configuration | begin l2tp-group
    l2tp-group 1 
     start l2tp ip 202.1.1.1 fullusername huawei   
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#   //The tunnel password must be the same as that configured on the LNS.
     tunnel name LAC
    
    <LNS> display current-configuration | begin l2tp-group
    l2tp-group 1 
     allow l2tp virtual-template 1 remote LAC   //remote LAC specifies the tunnel name of the peer whose connection requests the local end accepts. It must be the same as the tunnel name on the LAC.
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#   //The tunnel password must be the same as that configured on the LAC.
     tunnel name LNS
    
    <LAC> display current-configuration interface virtual-template
    interface Virtual-Template1   //VT interface used when the LAC accepts a call request from a client (Client-LAC-LNS scenario).
     ppp authentication-mode chap   //The authentication mode must be the same as that configured on the LNS.
    # 
    interface Virtual-Template2   //VT interface used when the LAC itself dials up to the LNS to initiate a connection (l2tp-auto-client).
     ppp chap user huawei   //The virtual PPP user name must be the same as the PPP user name configured on the LNS.
     ppp chap password cipher %^%#1HIL-jW9hLZlF'8@8+*"-UwS04'e`'+9\0*=#3Z-%^%#   //The virtual PPP user's password must be the same as the PPP password configured on the LNS.
     ip address ppp-negotiate 
     l2tp-auto-client enable
    <LNS> display current-configuration interface virtual-template
    interface Virtual-Template1   //On the LNS, one VT interface terminates both the call-accepting case and the auto-dial case.
     ppp authentication-mode chap   //The authentication mode must be the same as that configured on the LAC.
     remote address pool lns 
     ip address 12.1.1.1 255.255.255.0

    In the Client-LNS scenario, the client dials in to l2tp-group 1 directly, so no remote tunnel name needs to be specified. Clients running Windows 7 do not support tunnel authentication; run undo tunnel authentication on the LNS to disable it. With tunnel authentication off, nothing verifies who is setting up the tunnel, and the PPP CHAP authentication on the VT interface is the only remaining check on the user, so keep it configured.

    In the Client-LAC-LNS scenario, ensure that the remote tunnel name, tunnel authentication mode, and PPP authentication parameters on the LAC are the same as those configured on the LNS.

  3. Run the display ip pool command to view information about the configured address pool and IP addresses in it, including the address pool name, lease, lock status, and status of IP addresses.

    If the gateway address has been allocated to a client because it is not configured in the IP address pool, run the gateway-list command to configure the gateway address, and allocate it to the remote user.

  4. Run the undo sa application-statistic enable command on the LNS interface connecting to L2TP users to disable the SA statistics function.

    When the SA statistics function is enabled on an interface, you can view statistics on packets of the different SA application protocols seen there, but the function interferes with packet forwarding on that interface. It must therefore be disabled on the interface that carries L2TP users.
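The two checks in step 2, matching remote tunnel name and matching tunnel password, are what the L2TP tunnel-setup exchange (SCCRQ, SCCRP, SCCCN, RFC 2661) enforces on the wire: the LNS compares the Host Name AVP against its configured remote name, and both ends prove knowledge of the tunnel password by answering a Challenge AVP with MD5(message type, secret, challenge). The model below is an added example written for this page, not Huawei's implementation or the router's code; the tunnel names come from the configuration output above, while the secrets are constructed sample values and the header layout is reduced to what the checks need (no Assigned Tunnel ID, no retransmission).

```python
"""
Minimal model of L2TPv2 tunnel establishment (RFC 2661): SCCRQ -> SCCRP -> SCCCN,
reduced to the two checks this page tells you to compare by hand: the remote tunnel
name (Host Name AVP) and the tunnel password (shared secret behind the Challenge and
Challenge Response AVPs). Example code, not Huawei's implementation.
"""
import hashlib
import hmac
import os
import struct

# RFC 2661 control message types and AVP attribute types used below
SCCRQ, SCCRP, SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 0, 7, 11, 13


def avp(attr_type, value, mandatory=True):
    """Encode one AVP: flags/length (M bit, 10-bit length), vendor ID 0 (IETF), attribute type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def control_message(tunnel_id, ns, nr, avps):
    """L2TPv2 control header: T=1, L=1, S=1, version 2 (0xC802); session ID is 0 for tunnel-level messages."""
    return struct.pack("!HHHHHH", 0xC802, 12 + len(avps), tunnel_id, 0, ns, nr) + avps


def parse_avps(msg):
    """Decode a control message's AVPs into {attribute type: value}."""
    avps, offset = {}, 12
    while offset < len(msg):
        flags, _vendor, attr = struct.unpack_from("!HHH", msg, offset)
        length = flags & 0x03FF
        avps[attr] = msg[offset + 6:offset + length]
        offset += length
    return avps


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 section 5.4.2.4: MD5(message type as one octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def build_sccrq(lac_name, lac_challenge):
    """LAC -> LNS: announce our tunnel name and challenge the LNS."""
    avps = (avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ))
            + avp(AVP_HOST_NAME, lac_name)
            + avp(AVP_CHALLENGE, lac_challenge))
    return control_message(0, 0, 0, avps)


def lns_handle_sccrq(sccrq, allowed_remote, secret, lns_name, lns_challenge):
    """LNS: accept only the tunnel name configured with 'allow l2tp ... remote <name>',
    then answer the LAC's challenge and issue our own."""
    avps = parse_avps(sccrq)
    if avps.get(AVP_HOST_NAME) != allowed_remote:
        return None  # remote tunnel name mismatch: the LNS refuses the tunnel
    response = challenge_response(SCCRP, secret, avps[AVP_CHALLENGE])
    avps_out = (avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP))
                + avp(AVP_HOST_NAME, lns_name)
                + avp(AVP_CHALLENGE, lns_challenge)
                + avp(AVP_CHALLENGE_RESPONSE, response))
    return control_message(0, 0, 1, avps_out)


def lac_handle_sccrp(sccrp, secret, lac_challenge):
    """LAC: verify that the LNS knows the tunnel password, then answer the LNS's challenge with SCCCN."""
    avps = parse_avps(sccrp)
    expected = challenge_response(SCCRP, secret, lac_challenge)
    if not hmac.compare_digest(avps.get(AVP_CHALLENGE_RESPONSE, b""), expected):
        return None  # the LNS used a different tunnel password
    response = challenge_response(SCCCN, secret, avps[AVP_CHALLENGE])
    avps_out = avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN)) + avp(AVP_CHALLENGE_RESPONSE, response)
    return control_message(0, 1, 1, avps_out)


def lns_handle_scccn(scccn, secret, lns_challenge):
    """LNS: verify the LAC's answer to our challenge; True means the tunnel is up."""
    avps = parse_avps(scccn)
    expected = challenge_response(SCCCN, secret, lns_challenge)
    return hmac.compare_digest(avps.get(AVP_CHALLENGE_RESPONSE, b""), expected)


def establish_tunnel(lac_name, lac_secret, lns_name, lns_secret, allowed_remote):
    """Run the three-message exchange and report which of the page's checks failed, if any."""
    lac_challenge, lns_challenge = os.urandom(16), os.urandom(16)
    sccrp = lns_handle_sccrq(build_sccrq(lac_name, lac_challenge),
                             allowed_remote, lns_secret, lns_name, lns_challenge)
    if sccrp is None:
        return "rejected: tunnel name mismatch"
    scccn = lac_handle_sccrp(sccrp, lac_secret, lac_challenge)
    if scccn is None:
        return "rejected: tunnel password mismatch"
    if not lns_handle_scccn(scccn, lns_secret, lns_challenge):
        return "rejected: tunnel password mismatch"
    return "established"


if __name__ == "__main__":
    # Constructed sample values: tunnel names from the page, secrets invented for the example.
    print(establish_tunnel(b"LAC", b"tunnel-secret", b"LNS", b"tunnel-secret", b"LAC"))
    print(establish_tunnel(b"LAC", b"tunnel-secret", b"LNS", b"tunnel-secret", b"LNS"))  # wrong 'remote' name
    print(establish_tunnel(b"LAC", b"tunnel-secret", b"LNS", b"other-secret", b"LAC"))   # passwords differ
```

The name check fails before any challenge is answered, which is why a wrong `remote` name on the LNS produces no tunnel at all, while a password mismatch fails only after the LAC has already sent its SCCRQ; on the router the same distinction shows up as which end reports the failure.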

Additional Information

Packet fragmentation consumes considerable CPU resources, resulting in degraded quality of services. To ensure high quality of services, consider the following when configuring L2TP:

  • MTU

    The MTU (maximum transmission unit) is the largest IP packet, in bytes, that an interface transmits without fragmenting it. The value varies with the interface type; the default MTU of an Ethernet interface is 1500 bytes. The effective MTU of a path is that of the interface with the smallest MTU on it. L2TP adds outer IP, UDP, L2TP and PPP headers to every packet, so a packet that fits the VT interface can exceed the MTU of the physical uplink; the device then fragments the encapsulated packet before transmitting it, and the receiving end must reassemble all fragments before it can decapsulate (and, if the tunnel is carried over IPsec, decrypt) the packet. Fragmentation and reassembly consume CPU resources.

  • TCP MSS

    TCP MSS specifies the maximum segment size of TCP packets. If the total packet length (MSS plus all header lengths, including the L2TP encapsulation) exceeds the link MTU, data packets are fragmented for transmission. Fragmentation, and encryption/decryption where the tunnel runs over IPsec, consume CPU resources on the devices along the path; high CPU usage may cause packet loss.

    Some upper-layer applications, for example HTTP clients, set the Don't Fragment (DF) flag in the IP header, which forbids fragmentation of their TCP packets. If DF is set and the packet (MSS plus headers) exceeds the interface MTU, the device cannot fragment it: it discards the packet and returns an ICMP Fragmentation Needed message to the sender. If that ICMP message is filtered somewhere on the path, the sender never learns the smaller MTU and the TCP session stalls. Lower the MTU of the VT interface, or the MSS advertised to the peers, so that encapsulated packets fit the uplink MTU.
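The arithmetic behind the MTU and MSS guidance above, as an added example written for this page rather than Huawei's code: it totals the encapsulation overhead, derives the largest MSS that never needs fragmenting on a 1500-byte uplink, and shows the three outcomes for a segment (sent, fragmented, or dropped because DF is set). The L2TP data-header size (length field present, no sequence numbers) and the uncompressed 4-byte PPP header are assumptions stated in the comments; the page itself only gives the Ethernet default.

```python
"""
Encapsulation overhead, MSS clamping and the DF-bit failure mode for TCP traffic carried
in an L2TP tunnel over an Ethernet uplink. Example code, not Huawei's implementation;
the header sizes are assumptions stated in the comments.
"""
import math

ETHERNET_MTU = 1500        # default Ethernet interface MTU quoted on the page
IPV4_HEADER = 20           # no IP options
UDP_HEADER = 8
TCP_HEADER = 20            # no TCP options
L2TP_DATA_HEADER = 8       # assumed: flags/version, length, tunnel ID, session ID; no sequence numbers
PPP_HEADER = 4             # assumed: address, control and protocol fields; no ACFC/PFC


def l2tp_overhead():
    """Bytes added to each inner IP packet: outer IPv4 + UDP + L2TP + PPP."""
    return IPV4_HEADER + UDP_HEADER + L2TP_DATA_HEADER + PPP_HEADER


def inner_mtu(link_mtu=ETHERNET_MTU):
    """Largest inner IP packet that fits the uplink after encapsulation (what the VT interface MTU should be)."""
    return link_mtu - l2tp_overhead()


def max_mss(link_mtu=ETHERNET_MTU):
    """Largest TCP MSS whose segments never need fragmenting: inner MTU minus the inner IP and TCP headers."""
    return inner_mtu(link_mtu) - IPV4_HEADER - TCP_HEADER


def forward_decision(tcp_payload, df, link_mtu=ETHERNET_MTU):
    """What the tunnel endpoint does with one TCP segment carrying tcp_payload bytes."""
    encapsulated = IPV4_HEADER + TCP_HEADER + tcp_payload + l2tp_overhead()
    if encapsulated <= link_mtu:
        return "sent"
    if df:
        # Assumed: the DF bit is honoured for the encapsulated packet. The sender receives
        # ICMP Fragmentation Needed; if a filter on the path eats it, the session just stalls.
        return "dropped: ICMP fragmentation needed returned"
    # Each IPv4 fragment repeats the outer IP header; fragment data is a multiple of 8 bytes.
    per_fragment = (link_mtu - IPV4_HEADER) // 8 * 8
    fragments = math.ceil((encapsulated - IPV4_HEADER) / per_fragment)
    return f"fragmented into {fragments} packets"


if __name__ == "__main__":
    # A host behind the tunnel with a 1500-byte MTU advertises MSS 1460 by default (constructed case).
    print("overhead:", l2tp_overhead(), "inner MTU:", inner_mtu(), "safe MSS:", max_mss())
    for payload, df in ((1460, False), (1460, True), (max_mss(), True)):
        print(f"payload {payload} DF={df}: {forward_decision(payload, df)}")
```

The safe MSS is 40 bytes below the usual 1460, which is exactly the encapsulation overhead; a host that is never told about it sends 1460-byte segments that either fragment on every packet or, with DF set, never get through.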

Updated: 2019-05-10

Document ID: EDOC1000079719