09-21-2016 07:20 AM - edited 09-21-2016 10:11 AM
I am trying to connect a Palto Alto (in Ebano, Mexico) via PPPOE and it will not connect. As described in the PA doucment the interfeace is tyring every 3 seconds but getting the following "'PPPoE session failed to connect for user:u1st on interface:ethernet1/3. Reason: No PPPoE Offer receive" in the system log. A Cisco Router can use the same cable and connection and PPPOE established. You can attach a windows PC using the exact cable and a PPPOE connection is established. I worked with Palo Alto Tech Support for over 8 hours yesterday and we really could find no solution. Packet captures shows the PPPOE going out but nothing coming back. The ISP says since the Cisco and Windows PC can attach successfully using PPPOE that proves no ISP issue. Has anyone run into this issue before and what was done to solve it?
I am adding a packet capture from the Palo Alto that cannot connect and a packet capture from a windows PC that works file.
Contacted ISP and they said since Cisco/Window machine attached they said not their problem and were no further hep. I got a packet capture of the Windows machine (christian working PPPoE.pcapng) that worked. I also got a packet capture of the Palo Alto (tx (3).pcap). As you can see in the captures the way the Palo and Windows machines are negotiating PPoE are different. How do we configure the Palo to do the same type of PPPOE negotiating.
Let me know and Ican email you the captures if you need them.
Here is an overview of protocls being used in each case:
WORKING WINDOWS
LCP
PAP
IPV
IPC
LPC
IPC
Palo Alto
PPPOED
Thanks in advance, Doug
09-22-2016 03:02 AM
have you tried manually setting the authentication to PAP or CHAP and did you make sure the profile is not set to passive?
does your ISP require an access concentrator be configured ?
09-22-2016 06:12 AM
Hello,
Actually would be really good to see PCAP files but here is no option to attached the file itself, you only can pictures/hyperlinks. I am thinking to raise this question with the community members as it would be nice to have the option to attach a file.
09-22-2016 06:15 AM
<- community member has taken note of your request and will bring it before our maker of decissions
there haven't been many cases where anyone has needed to attach anything other than pictures so that's probalby why it's currently not possible
09-29-2016 05:30 AM
All the above was done and still would not connect. The ISP said they do not require an access concentrator. As you can see the packet tracer showed that only a discovery packet was sent but when using either a router or a windows PC the packets sent from those devices are completly different. No there is no mac filtering in place be the ISP.
10-03-2016 12:17 PM
I had pretty much the same issue. I replaced a Cisco 892 router connecting to a ISP via PPPoE in Japan. That connection was using CHAP authentication. I tried to create this PPPoE connection using CHAP in my PA-200. The connection wouldn't establish. Once I used "auto" authentication the link was established.
10-03-2016 12:25 PM
Thanks for the info but I tried auto and that did not work. I have found no solution as of this time. We are running PA in a Layer 2 enviorment and have the old Cisco Router dooing the PPOE connection, as a workaround. PA Support has been little help and at this point I thing we will have to abondon the PPOE and go with some sort of "static" leased connection. Very expensive option in Mexico but seems to be only choice we have, at this point.
10-12-2016 06:15 AM
Ask you carrier if they have a bridge only modem option for your DSL. These devices create the DSL PPPOE connection and hand off a normal ethernet port on the other side. There is no configuration options on the bridge only modem at all.
I've used these with several of the USA DSL providers over the years and they provide a good option for getting the firewall connected.
The second version of this is to ask if the carrier provided DSL device can be configured into bridge mode. Here again the device bridges the DSL connect to an ethernet port. But there is a login and configuration of the modem/router and these then can allow the creation of an authenticated PPPOE session on this device.
12-09-2020 03:08 PM
I had a brand new PA-220 running v10 and I setup a PPPoE connection to a DrayTech Vigor 120 running in bridge mode to PPPoA connection. This works fine with an existing Ubiquiti USG device.
It created the PPPoE connection, and got an IP address perfectly.
Unfortunately at the time I had not created any policies or routes so could not use it.
I restored a previous config from an older PA and from them on could not get the PPPoE to connect.
It gets the PPP link up, sees that there is a DrayTech device connected but cannot establish the link.
I am going to try factory defaulting the PA220 tonight and see if I can start again and get it to work like it originally did.
Not sure how the old config would stop it from working, as i've checked (multiple times) the interface with PPPoE is setup exactly the same as the original one that worked.
12-10-2020 04:07 PM
Got this to work.
I used the default setup on the DrayTech Vigor 120.
For the PPPoE settings I set it to Auto for authentication and UNticked Passive.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
