Cisco – 7609 + SIP-400 PPPoE: cannot route to the Internet

ciscocisco-7600pppoetroubleshooting

I am trying to configure a 7609 router with a SUP7203BXL, SIP-400 and SPA5xGE as BRAS. The configuration is at the bottom of the question.

The sessions are created, but the clients can't reach Internet. (The 7609 itself can reach internet.) I have a 7206VXR working with the same configuration.

I can see a difference between them.

Virtual-Interfaces in the 7200 appear with the public IP address that Radius gives them, but the Virtual-Interfaces in the 7609 have the local pool which I configured for the template.

I imagine that the 7609 works in a different way so that the configuration running on the 7200 had to be changed.

How can I solve this problem?

Configuration:

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service counters max age 10
!
hostname R7609
!
boot-start-marker
boot system disk0:c7600s72033-advipservicesk9-mz.122-33.SRE1.bin
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authentication ppp default group radius
aaa accounting network default
 action-type start-stop
 group radius
!
!
aaa session-id common
!
ip source-route
!
!
ip domain name 7609PPP.com
ip name-server Y.Y.Y.40
ip name-server Y.Y.Y.20
!
!
!
vtp mode transparent
mls flow ip interface-full
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
multilink bundle-name authenticated
!
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
diagnostic bootup level complete
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
 main-cpu
  auto-sync running-config
 mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
!
bba-group pppoe Servidor_PPPoE
 virtual-template 1
 sessions per-mac limit 1
 sessions per-vlan limit 6000
!         
!
!
interface Loopback1
 ip address X.X.X.X 255.255.255.0 secondary
 ip address 10.10.0.1 255.255.0.0
 no ip redirects
!
interface GigabitEthernet5/1
 no ip address
 shutdown
!
interface GigabitEthernet5/2
 no ip address
 shutdown
!
interface GigabitEthernet8/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet8/0/1
 description PPPOE_IN
 no ip address
 negotiation auto
 pppoe enable group Servidor_PPPoE
!
interface GigabitEthernet8/0/1.100
 description VLAN_PPPOE
 encapsulation dot1Q 100
 pppoe enable group Servidor_PPPoE
!
interface GigabitEthernet8/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet8/0/2.10
 description PPPOE_Out
 encapsulation dot1Q 10
 ip address Y.Y.Y.1 255.255.255.0
!
interface GigabitEthernet8/0/3
 no ip address
 negotiation auto
!
interface GigabitEthernet8/0/3.55
 description To_Radius
 encapsulation dot1Q b
 ip address 172.20.3.7 255.255.255.192
!
interface GigabitEthernet8/0/4
 no ip address
 shutdown
 negotiation auto
!
interface Virtual-Template1
 description Template_PPPoE
 ip unnumbered Loopback1
 ip policy route-map toallot
 peer default ip address pool PPPoE_pool
 ppp authentication pap
!
interface Vlan1
 no ip address
!
ip local pool PPPoE_pool 10.10.0.10 10.10.255.254
!
route-map toallot permit 10
 match ip address 100
 set ip next-hop Z.Z.Z.1
!
access-list 100 permit ip any any
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.1
ip route 192.168.50.0 255.255.255.248 172.20.3.1
radius-server attribute nas-port format d
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only
radius-server host 172.20.3.12 auth-port 1812 acct-port 1813 key --------

Best Answer

I used to have lots of strange issues with SIP400 cards and 7609 chassis...

Not sure if this one is matching the behaviour but please check it:

CSCsb69734

SIP400: Sub-int IP state up but not reachable after SSO & reload

Symptom:

In rare situations, the 7600-SIP-400 SPA-2X1GE sub-interfaces can be unreachable even when the interface state is up. Ping or even control plane traffic (such as OSPF hellos) do not pass through the sub-interface but traffic passes through the main interface.

Conditions:

The problem might be encountered when a SSO switchover is done concurrently on one of the routers and line card/SPA reset is done on the directly connected interface on the other router.

Workaround:

When the interface is manually reset the problem disappears (i.e. shutdown, then no shutdown on the interface). A SPA/line card reset also solves the problem.

Further Problem Description:

This problem is seen with IP & IPv6 configurations on the subinterface.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Best Answer

Related Solutions

Cisco – Using RADIUS to restrict SSID on Cisco Aironet

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Related Topic