How to quickly locate a failure to set up a tunnel between the LAC and LNS


During L2TP configuration, if the LAC cannot set up a tunnel with the LNS, perform the following operations to locate the fault quickly.
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If the route is unreachable, configure a reachable route to the LNS.
2. Check the L2TP configuration on the LNS and delete the remote specified in the allow l2tp command. If an L2TP tunnel can be established successfully, the cause is that the tunnel name on the LAC is incorrect or the tunnel name specified by the LNS is incorrect. Select either of the following solutions.
 - Run the tunnel name command on the LAC to configure the local tunnel name as the value of remote in the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the remote parameter so that the tunnel name is consistent with that configured on the LAC. If the local tunnel name is not configured using the tunnel name command on the LAC, the value of the remote parameter is the device name of the LAC.

Other related questions:
How can I quickly locate why the LAC cannot set up an L2TP tunnel with the LNS
When configuring the L2TP function, the LAC cannot set up a tunnel with the LNS. How can I quickly locate the fault?
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If no, configure a reachable route to the LNS.
2. Check the L2TP configuration on the LNS and delete the parameter remote specified in the allow l2tp command. If an L2TP tunnel can be established successfully, the LAC cannot set up a tunnel with the LNS because the tunnel name on the LAC is incorrect or the tunnel name specified by the LNS is incorrect. Use either of the following methods to solve this problem:
 - Run the tunnel name command on the LAC to set the local tunnel name to the value of the parameter remote specified by the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the value of the parameter remote to the tunnel name configured on the LAC. If no local tunnel name is configured using the tunnel name command on the LAC, the value of the parameter remote is the device name of the LAC.

How to rapidly locate the cause of a failure to establish a tunnel between the LAC and LNS
During L2TP configuration, the LAC cannot set up a tunnel with the LNS. Perform the following operations to quickly locate the fault.
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If the route is unreachable, ensure route reachability.
2. Check the L2TP configuration on the LNS and delete the remote parameter specified in the allow l2tp command. If an L2TP tunnel can be established successfully, the LAC cannot set up a tunnel with the LNS because the tunnel name on the LAC is incorrect or the tunnel name specified by the LNS is incorrect. Use the following methods:
 - Run the tunnel name command on the LAC to set the local tunnel name to the value of remote specified by the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the value of remote to the tunnel name configured on the LAC. If no local tunnel name is configured using the tunnel name command on the LAC, the value of remote is the device name of the LAC.

Description of LAC and LNS of the L2TP on firewalls
L2TP access concentrator (LAC): a device attached to the switching network. The LAC has a PPP terminal system and performs L2TP processing. It usually provides access services for PPP users. The LAC is located between the L2TP network server (LNS) and a user and transfers packets between the LNS and the user: it encapsulates the packets received from the user using L2TP and delivers them to the LNS, and it decapsulates the packets received from the LNS and delivers them to the user. The LAC and the user are connected in local connection mode or over a PPP link. In the VPDN application scenario, the LAC and the user are connected over a PPP link.
L2TP network server (LNS): both the logical termination point of a PPP system and an L2TP server. Generally, it serves as an edge device on the enterprise intranet. As one endpoint of an L2TP tunnel, the LNS is the peer of the LAC. The LNS is the logical termination point of a PPP session that is tunneled from the remote system by the LAC. By establishing an L2TP tunnel over the public network, the peer end of the PPP session is logically extended from the LAC to the LNS on the enterprise intranet.

Method used to establish an IPSec tunnel between the AR and PC
An IPSec tunnel is established between the AR and PC. This example applies to all AR models of V200R002C00 and later versions. For details about the configuration, see "Example for Configuring an IPSec Tunnel for Remote Dial-Up Users to Connect to the Headquarters" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Use the IP source trail function on S series switches to quickly locate attack sources
S series fixed switches do not support this function. S series modular switches provide the ip source-trail command, which enables source IP address tracing for specified IP addresses. After this command is executed on a switch, the switch records statistics on the traffic destined for the specified addresses. A maximum of 32 IP addresses can be configured in the command. For example, if traffic on the host with IP address 10.0.0.1 is detected to be abnormal, you can enable source IP address tracing for 10.0.0.1, check statistics on the traffic destined for the host, and quickly locate the attack source. The configuration is as follows:
[HUAWEI] ip source-trail ip-address 10.0.0.1
[HUAWEI] display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr    SrcIF      Bytes     Pkts     Bits/s    Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2   GE3/0/23   85.971M   60.234K  1.356M    121
10.1.0.3   GE3/0/23   15.462M   10.852K  203.984K  17
10.1.0.4   GE3/0/23   14.785M   10.577K  204.601K  18
10.1.0.5   GE3/0/23   3.432M    6.557K   118.164K  28
10.1.0.6   GE3/0/23   2.541M    4.600K   34.257K   7
Based on the statistics on the traffic destined for the host with IP address 10.0.0.1, the source IP address 10.1.0.2 has sent heavy traffic to the host, so the attack source, the host with IP address 10.1.0.2, is located. You can then configure an ACL on the switch to block the traffic from 10.1.0.2 to 10.0.0.1.
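Reading the source-trail table by eye works for five rows but not for a long one. The script below is an added example, not Huawei code: it parses the display ip source-trail output (the sample is constructed from the values above), converts the K/M suffixes (assumed to be decimal thousands), and returns the sources whose share of the bit rate toward the traced host exceeds a chosen threshold, highest first.

```python
"""Rank the sources in 'display ip source-trail' output by bit rate."""
import re

# Constructed sample of the command output, same values as the page's example.
SAMPLE_OUTPUT = """\
Destination Address: 10.0.0.1
SrcAddr    SrcIF      Bytes     Pkts     Bits/s    Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2   GE3/0/23   85.971M   60.234K  1.356M    121
10.1.0.3   GE3/0/23   15.462M   10.852K  203.984K  17
10.1.0.4   GE3/0/23   14.785M   10.577K  204.601K  18
10.1.0.5   GE3/0/23   3.432M    6.557K   118.164K  28
10.1.0.6   GE3/0/23   2.541M    4.600K   34.257K   7
"""

# Assumption: the suffixes are decimal (1K = 1000), as is usual for rate counters.
_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# One data row: SrcAddr SrcIF Bytes Pkts Bits/s Pkts/s (header/separator lines do not match).
_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_value(text):
    """Turn a counter such as '85.971M' or '121' into a float."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?)", text)
    if not m:
        raise ValueError("unparsable counter: %r" % text)
    return float(m.group(1)) * _UNITS[m.group(2)]


def parse_source_trail(output):
    """Return (destination address, list of rows with numeric counters)."""
    destination, rows = None, []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Destination Address:"):
            destination = line.split(":", 1)[1].strip()
            continue
        m = _ROW.match(line)
        if m:
            rows.append({"src": m.group(1), "if": m.group(2),
                         "bytes": parse_value(m.group(3)), "pkts": parse_value(m.group(4)),
                         "bps": parse_value(m.group(5)), "pps": parse_value(m.group(6))})
    return destination, rows


def suspicious_sources(output, share=0.5):
    """Sources whose bit rate exceeds `share` of the total toward the host, highest first."""
    _, rows = parse_source_trail(output)
    total = sum(r["bps"] for r in rows) or 1.0
    rows.sort(key=lambda r: r["bps"], reverse=True)
    return [r["src"] for r in rows if r["bps"] / total > share]
```

With the default threshold the sample yields only 10.1.0.2, matching the conclusion above; lowering the threshold lists the next-heaviest sources for comparison.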
