interesting PPPoE Problem


L2 Linker

Hi guys,

I am currently tasked to replace two firewalls we have in the company. The first is a small Cisco ASA 5505 for client breakout and the second an MS TMG (yeah, I hate it too) for publishing the servers.

For the first step I am trying to replace the ASA. The WAN connection is established via ADSL and PPPoE. The session is built just fine, traffic is allowed via access rules and NAT'ed correctly, but I just can't ping 8.8.8.8 or get any other traffic responses.

Something I've noticed so far is that our ASA always gets an IP from the 84.x.x.x - 86.x.x.x public IP range. The PA received IPs like 188.110.x.x or 92.75.x.x. After the PA established the PPPoE session I checked via CLI whether it received the default route, and it was there. NAT is source NAT+PAT, of course. All interfaces are added in the virtual router and the correct access list has been hit, so I am quite clueless why it is so difficult to get the WAN connection working. The other frustrating point is that I have very limited time windows for testing.

I'm grateful for ideas to solve this issue.

Here are some screens from the log.

[Attached screenshots: pa log3.PNG, pa log.PNG, pa log2.PNG]

1 ACCEPTED SOLUTION

Hi Guys,

I talked with the ISP and had them reset the password. This was the root cause, as it now works as expected.

12 REPLIES

L6 Presenter

Do you have a static public IP address?

I think yes. And you said the ASA gets a different public IP than the PPPoE on the Palo Alto?

Is that correct?

Try to change the authentication setting on the Palo Alto PPPoE from auto to another one that your ISP works with, and see if it gets the correct IP after commit.

- Changed the PA authentication from auto to PAP, which the ASA uses, prior to today's testing -> didn't help.

- It is a dynamic IP, but the pool doesn't change that much.

- Yes, it is correct: the PAN receives an entirely different public IP than the public IPs the ASA gets assigned.

Can you ping your default gateway from the given IP using ping source givenip host gateway?

L5 Sessionator

Just to clarify, you are able to browse the traffic, however you are not able to ping 8.8.8.8. From the logs it seems you are able to do web browsing and Google Analytics. The traffic is being seen in both directions. However, when you are pinging you are not seeing the traffic.

Try a ping from the CLI using the external IP as source to make sure you have a connection upstream. The command would be

ping source (188.110.47.216 or the ip you are getting on the public interface) host 8.8.8.8

If this is successful then at least you have a connection from the public interface to upstream.

Then try to use the internal interface using the same command.

If that fails you can troubleshoot it by doing the following:

1. You need to set up the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor > Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of the traffic you feel is affected (leave all other fields blank)

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, source IP in destination field)

2. Set up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures 

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. Open 2 CLI windows

In the 1st window run the following command to look at the counters (make sure to run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

In the 2nd window run the following command to look at the sessions

show session all filter source <ip address> destination <ip address>

After your test is done, stop all the captures and filters and see if the global counters show you anything about why it is dropping the traffic, or if you are getting a pcap with the drop stage.

This will help you narrow down the issue.

Let us know if this helps you resolve the issue.

Thanks

Numan
