SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
SRX 110 ADSL Configuration (Australia)

  • 1.  SRX 110 ADSL Configuration (Australia)

    Posted 07-29-2013 04:02

    Hi,

     

    I'm trying to set up an SRX 110 for a PPPoA ADSL connection. What's confusing is that PAP does correctly authenticate, but within seconds the PPP LCP state closes:

     

    Start of PPP session:

     

    root> show ppp interface at-1/0/0.0 extensive
      Session at-1/0/0.0, Type: PPP, Phase: Establish
        LCP
          State: Closed
          Last started: 2013-07-29 17:49:16 UTC
          Last completed: 2013-07-29 17:48:54 UTC
          Negotiated options:
            Magic number: 2750954172, Local MRU: 1512
        Authentication: PAP
          State: Closed
          Last started: 2013-07-29 17:49:01 UTC
          Last completed: 2013-07-29 17:48:23 UTC
        IPCP
          State: Closed
          Last started: 2013-07-29 17:48:32 UTC
          Negotiated options:
            Primary DNS: 0.0.0.0, Secondary DNS: 0.0.0.0
    

     

    Authentication is complete, IPCP configuration received:

     

    root> show ppp interface at-1/0/0.0 extensive
      Session at-1/0/0.0, Type: PPP, Phase: Network
        LCP
          State: Opened
          Last started: 2013-07-29 17:49:22 UTC
          Last completed: 2013-07-29 17:49:22 UTC
          Negotiated options:
            Authentication protocol: PAP, Magic number: 2752152801, Local MRU: 1512
        Authentication: PAP
          State: Success
          Last started: 2013-07-29 17:49:22 UTC
          Last completed: 2013-07-29 17:49:22 UTC
        IPCP
          State: Ack-rcvd
          Last started: 2013-07-29 17:49:31 UTC
          Negotiated options:
            Local address: 122.148.XXX.XXX, Primary DNS: 202.136.42.222, Secondary DNS: 202.136.43.205
    

     

    After 5-10 seconds the session is closed:

     

    root> show ppp interface at-1/0/0.0 extensive
      Session at-1/0/0.0, Type: PPP, Phase: Establish
        LCP
          State: Closed
          Last started: 2013-07-29 17:49:22 UTC
          Last completed: 2013-07-29 17:49:22 UTC
          Negotiated options:
            Magic number: 2750527610, Local MRU: 1512
        Authentication: PAP
          State: Closed
          Last started: 2013-07-29 17:49:22 UTC
          Last completed: 2013-07-29 17:49:22 UTC
        IPCP
          State: Closed
          Last started: 2013-07-29 17:49:31 UTC
          Negotiated options:
            Primary DNS: 0.0.0.0, Secondary DNS: 0.0.0.0
    

     

     

    Steps I've taken during troubleshooting:

     

    - Changed the MTU on the at-1/0/0 interface to 1492

    - Reconfigured the SRX to use PPPoE to establish a connection (PPPoE does work on another ADSL modem)

    - Configured CHAP under ppp-options (PPP does authenticate, but it immediately closes)

    - Ran config under JUNOS versions 11.4R1.6, 11.4R7.5, 11.4R8.4

     

    Can anyone shed any light on how I can troubleshoot this?

     

    Config:

     

    root> show configuration
    ## Last commit: 2013-07-29 17:50:19 UTC by root
    version 11.4R8.4;
    system {
        root-authentication {
            encrypted-password "$1$BAH3Tdbk$x/CzGs2jleM4gb1ZdfRtC1"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    router {
                        192.168.1.1;
                    }
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0;
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-1/0/0 {
            encapsulation atm-pvc;
            atm-options {
                vpi 8;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation atm-ppp-vc-mux;
                vci 8.35;
                ppp-options {
                    pap {
                        default-password "$9$k1dTzFcAtO36rvw8dVaZUjmT"; ## SECRET-DATA
                        local-name "xxx@dodo.com.au";
                        local-password "$9$06l4OdhSyKw87regJGU.mn/Ct1h"; ## SECRET-DATA
                        passive;
                    }
                }
                no-keepalives;
                family inet {
                    negotiate-address;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop at-1/0/0.0;
        }
    }
    protocols {
        ppp {
            monitor-session {
                all;
            }
        }
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    at-1/0/0.0;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }
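
The three `show ppp interface` outputs in the post above can be compared mechanically. This is an added example, not part of the original post: it parses trimmed copies of those outputs and flags the snapshot where a session that had passed PAP is back at LCP Closed with a different magic number, which means LCP was negotiated again. The names `parse_snapshot` and `find_drops` are made up for this example.

```python
import re

# Trimmed from the three "show ppp interface at-1/0/0.0 extensive" outputs in the post.
SNAPSHOTS = ["""\
Session at-1/0/0.0, Type: PPP, Phase: Establish
  LCP
    State: Closed
      Magic number: 2750954172, Local MRU: 1512
  Authentication: PAP
    State: Closed
  IPCP
    State: Closed
""", """\
Session at-1/0/0.0, Type: PPP, Phase: Network
  LCP
    State: Opened
      Authentication protocol: PAP, Magic number: 2752152801, Local MRU: 1512
  Authentication: PAP
    State: Success
  IPCP
    State: Ack-rcvd
""", """\
Session at-1/0/0.0, Type: PPP, Phase: Establish
  LCP
    State: Closed
      Magic number: 2750527610, Local MRU: 1512
  Authentication: PAP
    State: Closed
  IPCP
    State: Closed
"""]

def parse_snapshot(text):
    """Return phase, LCP magic number and per-protocol state for one output."""
    snap, section = {"phase": None, "magic": None, "state": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"Phase: (\S+)", line):
            snap["phase"] = m.group(1)
        # "(?::|$)" keeps "Authentication protocol: ..." from opening a section
        elif m := re.match(r"(LCP|Authentication|IPCP)(?::|$)", line):
            section = m.group(1)
        elif (m := re.match(r"State: (\S+)", line)) and section:
            snap["state"][section] = m.group(1)
        elif m := re.search(r"Magic number: (\d+)", line):
            snap["magic"] = int(m.group(1))
    return snap

def find_drops(snapshots):
    """Indexes of snapshots where an authenticated session is back at LCP Closed."""
    p = [parse_snapshot(s) for s in snapshots]
    return [i for i in range(1, len(p))
            if p[i - 1]["state"].get("Authentication") == "Success"
            and p[i]["state"].get("LCP") == "Closed"
            and p[i]["magic"] != p[i - 1]["magic"]]
```

`find_drops(SNAPSHOTS)` returns `[2]`: only the third output follows a successful authentication, and in the second output IPCP is parsed as `Ack-rcvd` rather than `Opened`.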

     



  • 2.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-29-2013 04:17

    Your config looks pretty good. Maybe remove "no-keepalives" from your at interface, I don't have that.



  • 3.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-29-2013 04:52

    I've removed that portion of the config, but I'm experiencing the same behaviour.

     

    I've enabled traceoptions on PPP and in the logs I keep seeing the below line:

     

    pppd_msg_input: recvmsg: Resource temporarily unavailable

     Does this mean anything to you guys?



  • 4.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-29-2013 05:11

    I haven't specifically seen that message but I haven't really needed to do PPP trace.

     

    I've actually found 12.1X44 works pretty well. I have had 11.4 crash a bit for me.

     

    What about a "show interface at-1/0/0.0 detail" does the interface flap?

     

    It is probably just dodo being **bleep**ty! Such a nice device on such a horrible internet connection.



  • 5.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-30-2013 03:08

    Hopefully it is the ISP and not the SRX.

     

    I've attached the output of show interfaces at-1/0/0 extensive and a log file for the PPP process.

     

    I'm not liking the line in the PPP logs; pppd_msg_input: recvmsg: Resource temporarily unavailable

     


    edit: I've also upgraded to 12.1X45-D10

     

    root> show version
    Model: srx110h-va
    JUNOS Software Release [12.1X45-D10]

     

    Attachment(s): PPP.txt (47 KB)


  • 6.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-30-2013 04:33

    Odd. From quickly looking at your output your line seems okay.

     

    I'm going to have to say it looks like an SRX issue (and specifically using dodo). Probably need to log a JTAC support request.

     

    Where in Australia are you?

     

    EDIT: X45 isn't great. I normally use X44 for clients now, although I am running X45 here without issues with IPv4 ADSL & Internode.



  • 7.  RE: SRX 110 ADSL Configuration (Australia)
    Best Answer

    Posted 07-30-2013 19:46

    I see in your config that you're trying to connect to Dodo Internet. (Where is clippy when you need him!) I've been there, done that with them; I feel your pain.

     

    It simply will not work with Dodo Internet. I spent 8 weeks working with them on the same issue and we couldn't get them to resolve the issue even after we sent them loan hardware to test with. Many hours spent on conference calls and remote sessions with JTAC as well.

     

    Put a CISCO on and it will work, put the SRX back online and bang, it doesn't. Interesting, though, is that if you place an SSG with an ADSL card in, it will connect to Dodo, just not the SRX devices.



  • 8.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-31-2013 01:20

    **bleep**, so I'm guessing the fault lies with the SRX. Disappointing...

     

    I might change ISP then, it's a good excuse to get off Dodo.

     

    What Australian ISPs have you guys had success with? I've done some reading online, from what I saw Telstra & Internode work with SRX.



  • 9.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-31-2013 01:25

    I've used: Telstra Business Direct, Internode & iinet (all work well).



  • 10.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 07-31-2013 16:47

    Yes, we've had no problems with Telstra, iiNET, & PACNET.



  • 11.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 08-22-2013 22:31

    Hi Brzxc, I had the same issue, fixed by increasing the MTU of the ATM interface:

     

    set interfaces at-1/0/0 mtu 1540

    I believe the MTU setting under a physical interface on Juniper is the total, inclusive of the layer 2 headers, whereas MTU under a family stanza is not including layer 2 overhead.



  • 12.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 08-23-2013 02:07

    According to Dodo's website, you should be using CHAP and PPPoEoA:

     

    http://www.dodo.com/top-right-navigation/support/technical-support/adsl-adsl-2plus/adsl-settings/

     

    and given that you are most likely being serviced by a Telstra DSLAM, then CHAP in particular will be important.

     

    Don't configure manual MTU on the ATM interface either, it'll bite you in the butt later on - you work around transit MTU issues with:

     

    set security flow tcp-mss all-tcp mss 1380

     Switch back to PPPoEoA:

    at-1/0/0 {
        description "ADSL2+ Interface to Dodo";
        per-unit-scheduler;
        encapsulation ethernet-over-atm;
        atm-options {
            vpi 8;
        }
        dsl-options {
            operating-mode adsl2plus;
        }
        unit 0 {
            encapsulation ppp-over-ether-over-atm-llc;
            vci 8.35;
        }
    }
    pp0 {
        unit 0 {
            description "Dodo PPPoEoA";
            ppp-options {
                chap {
                    default-chap-secret "$9$RLdSK8b778mPBIR"; ## SECRET-DATA
                    local-name xxx@dodo.com.au;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface at-1/0/0.0;
                idle-timeout 0;
                auto-reconnect 20;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    ....
    security-zone untrust {
        interfaces {
            pp0.0;
        }
    }

    If you're still having issues with the above config, paste the output of:

     

    monitor traffic interface at-1/0/0.0 extensive

     

    during authentication.

     



  • 13.  RE: SRX 110 ADSL Configuration (Australia)

    Posted 05-23-2016 04:20

    @Kol wrote:

    Hi Brzxc, I had the same issue, fixed by increasing the MTU of the ATM interface:

     

    set interfaces at-1/0/0 mtu 1540

    I believe the MTU setting under a physical interface on Juniper is the total, inclusive of the layer 2 headers, whereas MTU under a family stanza is not including layer 2 overhead.


     

    I know this is a super old thread, but it still manages to occur. Is there any definitive reason why this is the case? I can indeed also confirm that using Internode PPPoE I had to have MTU 1540 set or I just didn't get any auth. The ppp traceoptions were absolutely no help.

     

    I would have thought that leaving the MTU out would just let the interface determine its own (correctly?)

     

    At the moment mine is showing (with the at-1/0/0 interface set to a MTU of 1540)

     

     

    Physical interface: at-1/0/0, Enabled, Physical link is Up
      Interface index: 148, SNMP ifIndex: 532, Generation: 152
      Link-level type: Ethernet-over-ATM, MTU: 1524, Clocking: Internal, ADSL mode, Speed: ADSL2+, Loopback: None

     

    vs

     

    Physical interface: at-1/0/0, Enabled, Physical link is Up
      Interface index: 148, SNMP ifIndex: 532, Generation: 152
      Link-level type: Ethernet-over-ATM, MTU: 1514, Clocking: Internal, ADSL mode, Speed: ADSL2+, Loopback: None

    when it doesn't.

     

    I can see where it gets the default from

    http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/mtu-values-mini-pims-srx-series-services-gateway.html

    in 1514, but just trying to work out why it has to be 1524 to actually work (setting it to 1540 just defaults back to 1524 anyway, so may as well set to the exact value it's looking for)

     

    Would really appreciate some info here... I have logged the same question with JTAC for their thoughts too.