forked from spinesystemspublic/documentation
Check for pppoe servers
@@ -172,64 +172,6 @@ Most important message here is:
|
||||
```
|
||||
As you can see, CHAP authentication failed. This is because of wrong password, MAC mismatch, or duplicate session (check billing logs).
|
||||
|
||||
|
||||
|
||||
### Troubleshooting examples
|
||||
|
||||
Verify if PPPoE handshake is working:
|
||||
The only fact is important is to trace sequence for specific user MAC if he sends correct PADI and receives correct PADO, and then sends PADR. For example:
|
||||
```
|
||||
tcpdump -ni bond0.2529 -vvv -e pppoed and ether host 6c:3b:6b:81:XX:XX
|
||||
|
||||
21:35:47.131362 6c:3b:6b:81:XX:XX (oui Unknown) > Broadcast, ethertype PPPoE D (0x8863), length 60: PPPoE PADI [Host-Uniq 0x500FF5C517B8000005020600] [Service-Name "pr"]
|
||||
21:35:47.131408 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADO [AC-Name "united"] [Service-Name "pr"] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [Host-Uniq 0x500FF5C517B8000005020600]
|
||||
21:35:47.143621 6c:3b:6b:81:XX:XX (oui Unknown) > 90:e2:ba:ae:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADR [Host-Uniq 0x500FF5C517B8000005020600] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [AC-Name "united"] [Service-Name "pr"]
|
||||
21:35:47.143936 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 52: PPPoE PADS [ses 0x8a48] [AC-Name "united"] [Service-Name "pr"] [Host-Uniq 0x500FF5C517B8000005020600]
|
||||
```
|
||||
Here we see complete handshake, PADI, PADO, PADR, PADS. If you see this sequence - PPPoE handshake is working.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### Troubleshooting pppoe packets by tcpdump
|
||||
Monitor what PPPoE answer to client PADI:
|
||||
```
|
||||
tcpdump -nei bond0.372|grep PADO
|
||||
```
|
||||
Monitor traffic from specific mac
|
||||
```
|
||||
tcpdump -nei bond0.372 ether host 00:00:00:00:00:00
|
||||
```
|
||||
|
||||
### Decoding values in accel-cmd pppoe interface show
|
||||
|
||||
```
|
||||
interface: connections: state: service-name policy:
|
||||
-----------------------------------------------------------
|
||||
bond0.2622 0 active 3
|
||||
bond0.2529 2251 active 3
|
||||
bond0.368 530 active 3
|
||||
bond0.923 0 active 1
|
||||
```
|
||||
* service-name policy is bitmask value - 1 means service-blank, 3 means service-blank+service-name-by-list,2 means service-name-by-list (only)
|
||||
```
|
||||
/* Answer requests with empty (0 size) service name */
|
||||
#define PPPOE_FLAG_ANSWER_BLANK (1 << 0)
|
||||
/* Answer to assigned service names */
|
||||
#define PPPOE_FLAG_ANSWER_LIST (1 << 1)
|
||||
/* Answer to ANY service name */
|
||||
#define PPPOE_FLAG_ANSWER_ANY (1 << 2)
|
||||
/* Answer to global service name list */
|
||||
#define PPPOE_FLAG_ANSWER_GLOBAL (1 << 3)
|
||||
|
||||
```
|
||||
So for example 3 means bit 0 and bit 1 is set - so service-name policy is service-blank+service-name-by-list.
|
||||
|
||||
### Troubleshooting radius packets by tcpdump
|
||||
|
||||
Usually when user try to authenticate, radius server receives Access-Request packet from pppoe. If user is authenticated, radius server sends Access-Accept packet. If user is not authenticated, radius server sends Access-Reject packet. If radius server is not responding, it means that there is no connection between radius server and router or secret is invalid.<br>
|
||||
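Review bot: the "Troubleshooting pppoe packets by tcpdump" subsection in the middle of this hunk (the `tcpdump -nei bond0.372|grep PADO` and `tcpdump -nei bond0.372 ether host 00:00:00:00:00:00` commands) is removed here but does not reappear among the sections added at the end of the file, while the handshake example and the accel-cmd decoding section do. If this is meant as a pure move, carry that subsection over as well; the PADO filter shows which MAC answers a client's PADI, which complements the new section on other PPPoE servers. If dropping it is intentional, say so in the commit message, which currently only mentions checking for pppoe servers.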
@@ -293,3 +235,69 @@ tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144
|
||||
0x0000: 011c f55c 5141 d61d f602 f854 f32b 6455
|
||||
0x0010: da
|
||||
```
|
||||
|
||||
### Troubleshooting PPPoE session example
|
||||
|
||||
Verify if PPPoE handshake is working:
|
||||
The only fact is important is to trace sequence for specific user MAC if he sends correct PADI and receives correct PADO, and then sends PADR. For example:
|
||||
```
|
||||
tcpdump -ni bond0.2529 -vvv -e pppoed and ether host 6c:3b:6b:81:XX:XX
|
||||
|
||||
21:35:47.131362 6c:3b:6b:81:XX:XX (oui Unknown) > Broadcast, ethertype PPPoE D (0x8863), length 60: PPPoE PADI [Host-Uniq 0x500FF5C517B8000005020600] [Service-Name "pr"]
|
||||
21:35:47.131408 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADO [AC-Name "united"] [Service-Name "pr"] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [Host-Uniq 0x500FF5C517B8000005020600]
|
||||
21:35:47.143621 6c:3b:6b:81:XX:XX (oui Unknown) > 90:e2:ba:ae:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADR [Host-Uniq 0x500FF5C517B8000005020600] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [AC-Name "united"] [Service-Name "pr"]
|
||||
21:35:47.143936 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 52: PPPoE PADS [ses 0x8a48] [AC-Name "united"] [Service-Name "pr"] [Host-Uniq 0x500FF5C517B8000005020600]
|
||||
```
|
||||
Here we see complete handshake, PADI, PADO, PADR, PADS. If you see this sequence - PPPoE handshake is working.
|
||||
|
||||
### Decoding values in accel-cmd pppoe interface show
|
||||
|
||||
```
|
||||
interface: connections: state: service-name policy:
|
||||
-----------------------------------------------------------
|
||||
bond0.2622 0 active 3
|
||||
bond0.2529 2251 active 3
|
||||
bond0.368 530 active 3
|
||||
bond0.923 0 active 1
|
||||
```
|
||||
* service-name policy is bitmask value - 1 means service-blank, 3 means service-blank+service-name-by-list,2 means service-name-by-list (only)
|
||||
```
|
||||
/* Answer requests with empty (0 size) service name */
|
||||
#define PPPOE_FLAG_ANSWER_BLANK (1 << 0)
|
||||
/* Answer to assigned service names */
|
||||
#define PPPOE_FLAG_ANSWER_LIST (1 << 1)
|
||||
/* Answer to ANY service name */
|
||||
#define PPPOE_FLAG_ANSWER_ANY (1 << 2)
|
||||
/* Answer to global service name list */
|
||||
#define PPPOE_FLAG_ANSWER_GLOBAL (1 << 3)
|
||||
|
||||
```
|
||||
So for example 3 means bit 0 and bit 1 is set - so service-name policy is service-blank+service-name-by-list.
|
||||
|
||||
### Verify for other PPPoE servers in the network
|
||||
|
||||
```
|
||||
pppoe01 ~ # pppoe-discovery -I bond0.2529
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Access-Concentrator: MikroTik
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Service-Name: AL
|
||||
--------------------------------------------------
|
||||
AC-Ethernet-Address: 74:4d:28:c2:XX:XX
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Access-Concentrator: ahZZZ ZZZ
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Service-Name: ahm
|
||||
--------------------------------------------------
|
||||
AC-Ethernet-Address: 6c:3b:6b:67:XX:XX
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Access-Concentrator: diab-AHHDJFDF
|
||||
Detected PPPoE server at interface bond0.2529
|
||||
Service-Name: TR
|
||||
...
|
||||
```
|
||||
As you can see there are 3 other PPPoE servers in the network, and they are all detected by pppoe-discovery. They might cause conflicts during PPPoE session establishment, so it is recommended to find and remove them.
|
||||
|
||||
|
||||
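Review bot: the closing paragraph under "Verify for other PPPoE servers in the network" says 3 other servers were detected, but the pasted pppoe-discovery output is interleaved (repeated "Detected PPPoE server at interface bond0.2529" lines sit between the Access-Concentrator and Service-Name lines) and is cut at "..." after only two AC-Ethernet-Address values, so a reader cannot pair each Access-Concentrator name with a MAC. Suggest pasting a cleaned output with one block per server, stating how to tell the expected concentrator (AC-Name "united" in the handshake example earlier in this hunk) from the unexpected ones, and adding a pointer on locating them by AC-Ethernet-Address, since "find and remove them" gives no steps. Minor: the re-added handshake text still reads "The only fact is important is to trace sequence", which could be reworded while it is being moved.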