22 August 2013

PPPoE Problems on Cisco 2911 Router (TPG EFM / Business Ethernet Broadband)

TPG are a great cheap little ISP; however, their support is not crash hot, and nor is their guidance on how to configure network gear to work with them. Basically TPG provide a fairly cheap unlimited data plan for businesses under the name of EFM (Ethernet First Mile). When we got this service from TPG we received an abrupt email saying simply:
Network Details: 
  • Username: user@pig.tpg.com.au
  • Password: password 
  • CE IP Address: 1.1.1.1/30 
  • PE IP Address: 1.1.1.2/30
Then a "test and validate it works within 2 days otherwise we assume it is operational and will start billing" line. So I suppose I need to test this...

The inclusion of the username/password was a little different to what I expected from TPG. I assumed that we'd just get an Ethernet feed and connect into that with an IP address, no questions or authentication asked... however the inclusion of a username/password indicated that a PPPoE connection was required (not that TPG tell you that anywhere from what I can see).

This was not expected... but it was not that big a deal either. I grabbed a 2911 we had sitting around in our lab, connected it up and started googling for a solution. Guides for ISR routers with PPPoE came up pretty quickly, but when I tried to apply their configurations to our router I noticed that it refused to accept a section frequently referenced in these guides:
vpdn enable
no vpdn logging
vpdn-group pppoe
 request-dialin
  protocol pppoe
The section it refused is the last line: 2911s don't have a PPPoE option here. You can type protocol, but the only option offered after it is l2tp, which didn't help. It turns out this is another ISR G2 thing. To get PPPoE going you instead have to do the following:

bba-group pppoe global
 virtual-template 1
vpdn enable
vpdn-group 1
Below is the full sample configuration I used:
bba-group pppoe global
 virtual-template 1
!
vpdn enable
vpdn-group 1
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address 1.1.1.1 255.255.255.252
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username user@pig.tpg.com.au password 0 password
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
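As an added check that is not from the post, TPG or Cisco, the following Python script (the helper names parse_sections and lint_pppoe_client are my own) reads the sample configuration above and verifies the cross-references the ISR G2 PPPoE client depends on: the bba-group named by pppoe enable group, the virtual-template inside it, the dial-pool number shared by the physical interface and the Dialer, an MTU at or below 1492, and a dialer-list for the dialer-group. It also flags the password 0 line, because the PAP password sits in clear text in the running config (PAP needs the router to send the password as-is, so service password-encryption can only turn it into type 7 obfuscation, not protect it).

```python
import re

# Copy of the sample configuration from the post (the addresses and the
# user@pig.tpg.com.au / password values are the post's placeholders).
SAMPLE_CONFIG = """\
bba-group pppoe global
 virtual-template 1
!
vpdn enable
vpdn-group 1
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address 1.1.1.1 255.255.255.252
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username user@pig.tpg.com.au password 0 password
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
"""


def parse_sections(config):
    """Split an IOS config into (header, [child lines]) blocks.
    Lines at column 0 start a block; indented lines belong to the block
    before them; '!' separators and blank lines are dropped."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def lint_pppoe_client(config):
    """Return findings for the cross-references a PPPoE client needs on an
    ISR G2, plus a check for a clear-text (type 0) PAP password."""
    findings = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    # bba-group name -> its virtual-template line (None if missing)
    bba = {}
    for h, kids in sections:
        m = re.match(r"bba-group pppoe (\S+)", h)
        if m:
            vt = next((k for k in kids if k.startswith("virtual-template ")), None)
            bba[m.group(1)] = vt
            if vt is None:
                findings.append(f"bba-group {m.group(1)} has no virtual-template")

    if "vpdn enable" not in headers:
        findings.append("vpdn enable missing")

    # dial-pool numbers announced by physical interfaces
    pools_from_physical = {}
    for h, kids in sections:
        if not h.startswith("interface "):
            continue
        name = h.split(None, 1)[1]
        for k in kids:
            m = re.match(r"pppoe enable group (\S+)", k)
            if m and m.group(1) not in bba:
                findings.append(f"{name}: pppoe enable group {m.group(1)} references an unknown bba-group")
            m = re.match(r"pppoe-client dial-pool-number (\d+)", k)
            if m:
                pools_from_physical[int(m.group(1))] = name

    dialer_groups = set()
    for h, kids in sections:
        if not re.match(r"interface Dialer\d+", h):
            continue
        name = h.split(None, 1)[1]
        pool = next((int(k.split()[2]) for k in kids if k.startswith("dialer pool ")), None)
        if pool not in pools_from_physical:
            findings.append(f"{name}: dialer pool {pool} has no physical interface with dial-pool-number {pool}")
        mtu = next((int(k.split()[2]) for k in kids if k.startswith("ip mtu ")), None)
        if mtu is None or mtu > 1492:
            findings.append(f"{name}: ip mtu should be 1492 or less for PPPoE (found {mtu})")
        if "encapsulation ppp" not in kids:
            findings.append(f"{name}: encapsulation ppp missing")
        dg = next((int(k.split()[1]) for k in kids if k.startswith("dialer-group ")), None)
        if dg is not None:
            dialer_groups.add(dg)
        if any(re.search(r"password 0 ", k) for k in kids):
            findings.append(f"{name}: PAP password stored as type 0 (clear text) in the config")

    lists = {int(h.split()[1]) for h in headers if h.startswith("dialer-list ")}
    for dg in sorted(dialer_groups - lists):
        findings.append(f"dialer-group {dg} has no matching dialer-list")
    return findings


if __name__ == "__main__":
    for finding in lint_pppoe_client(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample config the only finding is the clear-text PAP password; break one of the cross-references (say, change dialer pool 1 to dialer pool 2) and the script names the mismatch before you spend an afternoon staring at debug ppp negotiation.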
Hopefully this saves someone else some hassle. Thanks for reading.

19 July 2013

ASA - How to get automatic email notification of firewall failover events?


ASAs have a habit of failing over quietly and efficiently without anybody knowing about it. Sometimes this happens because an upstream/downstream device rebooted or a switch failed momentarily. What's annoying is that the firewall can fail over without you knowing about it at all... sometimes you get stuck focusing on the other issue and never notice the firewalls are in a failed-over state. I've seen customers who, thinking they were running on their primary firewall, rebooted their failover infrastructure only to find they'd caused a short outage on their network.

There are a few ways to find out that an ASA has failed over without looking at the box or logging into it and doing a "show failover". Firstly, you could invest in commercial monitoring software, which most smaller companies can't afford to run and maintain ($$$). Open source options might appeal to those so inclined. Another way to do this "cheaply" is to use the "logging mail" function which, when a syslog event matching a syslog ID list occurs, emails the logging event(s) to a recipient.

So which syslog IDs do you match? You have a few options here: you could run a few tests and see what log events occur, or you can find the ASA syslog message list for your ASA code version and work out which syslog IDs are appropriate.

The table linked specifies HA events as starting with 101, 102, 103, 104, 210, 311 and 709. It also says that the codes are between 100000 and 999999. As you're probably aware there are different logging levels that can be applied/viewed; these are typically referenced as a number between 0 and 7 (where 0 = Emergencies, 1 = Alerts and 7 = Debug). It turns out that the 1xxxxx numbers are therefore the "Alert" (1) messages, and likely the ones we want to see.

So if we matched 101xxx, 102xxx, 103xxx, 104xxx we'll probably see what we want to see. Further snooping/sniffing of alerts tells me that 105xxx is likely needed as well.
logging list SMTP-FAILOVER message 101000-101999
logging list SMTP-FAILOVER message 102000-102999
logging list SMTP-FAILOVER message 103000-103999
logging list SMTP-FAILOVER message 104000-104999
logging list SMTP-FAILOVER message 105000-105999
logging mail SMTP-FAILOVER
logging from-address ASAFirewallAlarm@company.com.au
logging recipient-address SupportTeam@company.com.au level alerts
smtp-server 10.1.1.1
Note: for the above you need an SMTP server configured and available for emailing to work.

I haven't tested the above configuration exactly but have tested a very similar one on a customer's network. It works like a charm!


Hope it helps! Thanks for reading.

30 April 2013

How to generate TCP traffic to/from a Cisco router

Found a nifty hidden command on Cisco IOS routers that generates TCP traffic from router to router.

TTCP Receiver
To set up a server that accepts a connection, do the following on a router:

R2#ttcp receive
ttcp-r: buflen=8192, align=16384/0, port=5001
rcvwndsize=4128, delayedack=yes  tcp
ttcp-r: accept from 10.2.1.2 (mss 536, sndwnd 4128, rcvwnd 3592)
ttcp-r: 16777216 bytes in 1296360 ms (1296.360 real seconds) (~11 kB/s) +++
ttcp-r: 32293 I/O calls
ttcp-r: 0 sleeps (0 ms total) (0 ms average)

TTCP Transmitter
To initiate a connection do the following on a second router:

R6#ttcp tran 2.2.2.2
ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001  tcp  -> 2.2.2.2
ttcp-t: connect (mss 536, sndwnd 4128, rcvwnd 4128)
ttcp-t: 16777216 bytes in 1296140 ms (1296.140 real seconds) (~11 kB/s) +++
ttcp-t: 2048 I/O calls
ttcp-t: 0 sleeps (0 ms total) (0 ms average)

You can also run the ttcp command by itself to get at the more specific configuration options (change the port, etc.).

R2#ttcp
transmit or receive [receive]:
perform tcp half close [n]:
receive buflen [8192]:
bufalign [16384]:
bufoffset [0]:
port [5001]:
sinkmode [y]:
rcvwndsize [4128]:
delayed ACK [y]:
show tcp information at end [n]:

To quit the connection, use the "Ctrl+Shift+6, X" break sequence; you then get the following:

ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5002  tcp  -> 3.3.3.3
ttcp-t: connect (mss 536, sndwnd 4128, rcvwnd 4128)
ttcp-t: 16777216 bytes in 1415708 ms (1415.708 real seconds) (~10 kB/s) +++
ttcp-t: 2048 I/O calls
ttcp-t: 0 sleeps (0 ms total) (0 ms average)

The rate is presented in bytes per second, so to get bits per second:

(Total bytes transmitted * 8) / Total Seconds = bits per second.

Summary
This was very handy in a virtual lab when trying to generate traffic to exercise a QoS marking/scheduling policy. Throughput-wise I've been able to generate around 450 Kbps in the virtual lab, which is good enough for my situation/testing. Since it is pretty raw, you have to figure out optimal TCP sliding window sizes in order to congest links with more latency. This is more of a consideration when doing it on live routers with some real distance between them (i.e. RTT higher than 50 ms).
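Added example, not from the post or from Cisco: a small Python helper that parses the ttcp report line, applies the bytes-to-bits formula above and, going a step beyond the post, works out the window/RTT bound behind the sliding-window remark in the Summary. A single TCP stream can have at most one receive window of data in flight per round trip, so a 4128-byte window (the rcvwnd shown in the ttcp output) caps one stream at about 660 kbit/s over a 50 ms RTT no matter how fast the link is. The function names are my own.

```python
import math
import re

# The transmitter report line from the post, copied here as sample input.
TTCP_REPORT = "ttcp-t: 16777216 bytes in 1296140 ms (1296.140 real seconds) (~11 kB/s) +++"

REPORT_RE = re.compile(
    r"ttcp-[rt]: (?P<bytes>\d+) bytes in \d+ ms \((?P<secs>[\d.]+) real seconds\)"
)


def parse_ttcp_report(line):
    """Return (total_bytes, real_seconds) from a ttcp-r / ttcp-t report line."""
    m = REPORT_RE.search(line)
    if not m:
        raise ValueError(f"not a ttcp report line: {line!r}")
    return int(m.group("bytes")), float(m.group("secs"))


def bits_per_second(total_bytes, seconds):
    """The post's formula: (total bytes * 8) / total seconds."""
    return total_bytes * 8 / seconds


def report_bps(line):
    """Convenience: bits per second straight from a report line."""
    return bits_per_second(*parse_ttcp_report(line))


def window_limited_bps(window_bytes, rtt_seconds):
    """Upper bound for one TCP stream with a fixed receive window: at most
    one window of data per round trip, so throughput <= window / RTT."""
    return window_bytes * 8 / rtt_seconds


def window_bytes_for(target_bps, rtt_seconds):
    """Smallest receive window (the bandwidth-delay product) that lets one
    stream reach target_bps over the given RTT."""
    return math.ceil(target_bps * rtt_seconds / 8)


if __name__ == "__main__":
    print(f"{report_bps(TTCP_REPORT):.0f} bit/s from the post's transmitter run")
    print(f"4128-byte window at 50 ms RTT caps at {window_limited_bps(4128, 0.05):.0f} bit/s")
    print(f"window needed for 450 kbit/s at 50 ms RTT: {window_bytes_for(450_000, 0.05)} bytes")
```

The report line from the post works out to roughly 103.5 kbit/s; if a lab run is stuck near a round number like that, compare it with window_limited_bps for the RTT you measure with ping before blaming the QoS policy.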

You can also configure a PC to be a receiver/transmitter as well but I haven't tried this. I believe there is an application you can get from Cisco's download page.

29 January 2013

Setting up SecureCRT - Change Default Appearance + Auto-create Log File On Connect

This is just a collection of convenient settings I've found elsewhere on the Internet. SecureCRT is a nice little piece of software to have sitting on your laptop for the console/Telnet/SSH sessions you frequent. There are some settings I'd prefer to change from the defaults, mainly around appearance and the fact that it doesn't automatically create a log file on connect.

Change Default Appearance
To change the default colour theme do the following:

  1. Go to Options > Global Options
  2. Under General > Default Session on left
  3. Click Edit Default Settings
  4. Navigate to Appearance in left pane
  5. Select the desired Color Theme in the drop down box
Turn on Auto-Create Log with Automatic Log File Name
To set up SecureCRT to log everything (trust me, it's useful from time to time), pretty much follow the first 3 steps above and then:
  1. Navigate to Log File in left pane
  2. Under the Log File Name entry box, type in the path and name of the log file to use. For me I used the following: "C:\Console Logs\%Y-%M-%D.%h:%m - %H -- %S.txt"
The % variables are all listed in the help file as follows:
  • %H - hostname
  • %S - session name
  • %Y - four-digit year
  • %M - two-digit month
  • %D - two-digit day of the month
  • %h - two-digit hour
  • %m - two-digit minute
  • %s - two-digit seconds
  • %t - three-digit milliseconds
  • %% - percent (%)
  • %envvar% - environment variable
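Added example (not SecureCRT's or the post's code): a Python expander for the % variables listed above, plus a check for characters Windows does not allow in a file name. The function names are mine and the template is the one from the post. One thing the checker turns up: the post's template puts a colon between %h and %m in the file-name part, and Windows reserves ':' in file names, so that character is worth swapping for something like '.' before relying on the log being written where you expect.

```python
import os
from datetime import datetime

# Characters Windows does not allow in a file name. Path separators are
# left out because the template includes a directory part.
WINDOWS_RESERVED = set('<>:"|?*')

# Sample inputs for this example: the post's template and a constructed timestamp.
SAMPLE_TEMPLATE = r"C:\Console Logs\%Y-%M-%D.%h:%m - %H -- %S.txt"
SAMPLE_WHEN = datetime(2013, 1, 29, 10, 30, 5, 123000)


def _fixed_vars(when, hostname, session):
    """The single-letter variables from the SecureCRT help list."""
    return {
        "H": hostname,
        "S": session,
        "Y": f"{when.year:04d}",
        "M": f"{when.month:02d}",
        "D": f"{when.day:02d}",
        "h": f"{when.hour:02d}",
        "m": f"{when.minute:02d}",
        "s": f"{when.second:02d}",
        "t": f"{when.microsecond // 1000:03d}",
    }


def expand_log_name(template, when, hostname, session, env=None):
    """Expand a SecureCRT-style log file name template: %X for the letters
    above, %% for a literal percent sign, %NAME% for an environment
    variable (looked up in env, which defaults to os.environ)."""
    env = os.environ if env is None else env
    fixed = _fixed_vars(when, hostname, session)
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if nxt == "%":
            out.append("%")
            i += 2
        elif nxt in fixed:
            out.append(fixed[nxt])
            i += 2
        else:
            end = template.find("%", i + 1)
            if end == -1:
                # lone % with no closing one: keep it literally
                out.append("%")
                i += 1
            else:
                out.append(env.get(template[i + 1:end], ""))
                i = end + 1
    return "".join(out)


def invalid_name_chars(path):
    """Reserved characters found in the file-name part (after the last backslash)."""
    name = path.rsplit("\\", 1)[-1]
    return sorted(set(name) & WINDOWS_RESERVED)


if __name__ == "__main__":
    expanded = expand_log_name(SAMPLE_TEMPLATE, SAMPLE_WHEN, "r1", "lab")
    print(expanded)
    print("reserved characters in file name:", invalid_name_chars(expanded))
```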
Thanks for reading. Hope it helps.