Try it with "vpdn authen-before-forward"

Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales <kwba...@kwbales.net> wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make
> it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers.
>
> We have an LNS which is currently set up to switch these sessions to
> downstream channel partners based on match against the domain/REALM.
>
> For one of the realms on which we receive L2TP sessions, we would like
> to select a destination (either locally terminated or
> switched-to-channel-partner) on a per-account basis. These currently
> are switched to us on a per-account basis by our upstream provider
> doing per-account authentication and A/V pairs to forward the
> sessions. Their A/V pairs are setting a tunnel-id for these.
>
> Our thought was to leverage the "multihop-hostname" command under a
> request-dialin configured VPDN-group.
>
> The documentation on CCO seems to imply that it can be used to match
> against a VPDN tunnel-id, but we could not get that to work.
>
> "multihop-hostname
>
> To enable a tunnel switch to initiate a tunnel based on the hostname
> or tunnel ID associated with an ingress tunnel, use the
> multihop-hostname command in VPDN request-dialin subgroup
> configuration mode. To disable this option, use the no form of this
> command."
>
> We tried configuring up a vpdn-group with a multihop
> hostname/initiate-to/local name/l2tp tunnel password, surely that
> would be enough to correctly match and therefore switch the session
> across to the downstream LNS?
>
> Unfortunately we could not get it to work, the error coming back was
> complaining that it could not assign a virtual-template to the
> session, which would seem to imply an attempt to terminate the session
> locally
>
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
> Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
> Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
> Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
> Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
> Feb 17 12:14:18: L2TP _____:06839:000070B5:
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, refer to error msg (2)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error
> Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message
> Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template specified"
> Feb 17 12:14:18: L2TP _____:06839:000070B5:
>
> vpdn enable
> vpdn multihop
> vpdn aaa attribute nas-port vpdn-nas
> vpdn redirect
> vpdn logging
> vpdn logging local
> vpdn logging tunnel-drop
> vpdn history failure table-size 50
> vpdn session-limit 2048
> vpdn search-order multihop-hostname domain
> vpdn domain-delimiter @ suffix
> vpdn domain-delimiter / prefix
> !
> vpdn-group customer3
>  request-dialin
>   protocol l2tp
>   multihop hostname <tunnel-name>
>  initiate-to ip <downstream LNS IP> priority 1
>  local name <my hostname>
>  l2tp tunnel password 0 <mumble>
> !
>
> Any thoughts/suggestions?
>
> Regards,
>
> Kurt Bales
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/