ScreenOS Firewalls (NOT SRX)
New User
faboudib
Posts: 1
Registered: ‎06-06-2012

Problem with getting PPPoE link up on SSG20

Hi,

I have an SSG20 with interfaces ethernet0/0 and ethernet0/1 belonging to the Untrust zone. Ethernet0/0 is connected to my first ISP supplying an ADSL connection that is configured and working properly. I have a direct Ethernet cable coming from my second ISP which I attached to the ethernet0/1 interface. I set up a new PPPoE profile with the correct username and password (double-checked). I used to have the PPPoE connection linked to a TP-Link WR741ND Wireless Router which worked properly. I had the ISP reset the MAC address to match the SSG20 ethernet0/1 interface and confirmed it matches.

Interface ethernet0/1 is configured as follows:
set interface "ethernet0/1" zone "Untrust"
set pppoe name "untrust"
set pppoe name "untrust" username "username" password "password"
set pppoe name "untrust" interface ethernet0/1

I get the following messages in the SSG20 event log: 
1- PPPoE session started negotiations.
2- Point-to-Point Protocol over Ethernet (PPPoE) connection failed to establish a session. Timeout PADI

I changed the MAC on the TP-Link router to match the MAC of the SSG20's ethernet0/1 interface and connected it to verify the connection is still working as expected, which it is.

I have attached the debug session for the SSG20 using "debug pppoe basic". I have also attached the system log and WAN settings of the TP-Link router (to show successful connection).

Any help would be appreciated. Thanks in advance.

Recognized Expert
Sahota
Posts: 484
Registered: ‎03-15-2012

Re: Problem with getting PPPoE link up on SSG20

Hi,

A PADI timeout indicates a config mismatch.
Please refer to the following KB article: http://kb.juniper.net/KB14951

In the debug, I see the following:
There is a mention of dst-mac not belonging to ethernet0/1.

## 2012-06-05 09:45:41 : pppoe_decap_handler: rcv a pppoe pak 0x3c892e0 (60 bytes) from interface ethernet0/1:
## 2012-06-05 09:45:41 : g_i_b_pppoe: LOOK for TRUE CTX for incoming ifp ethernet0/1
## 2012-06-05 09:45:41 : g_i_b_pppoe: FOUND FIRST CTX untrust for incoming ifp ethernet0/1
## 2012-06-05 09:45:41 : g_i_b_pppoe:ONLY context, RETURN ACTUAL ifp ethernet0/1 (ctx untrust) for incoming ifp ethernet0/1
## 2012-06-05 09:45:41 : pppoe_decap_handler: pak drop: dst MAC is not ethernet0/1 interface's
## 2012-06-05 09:45:41 : pppoe_fsm_reset dns_handle = 0
## 2012-06-05 09:45:41 : send_padi: about to send PADI to i/f ethernet0/1, num_attemps 0

Maybe the mapping for the MAC address is not complete yet. Please check this with your ISP.

Another thing to try is to do a SNOOP detail on the firewall (interface ethernet0/1) and check the packets.


Thanks.
Hardeep
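
Added example, not part of the thread and not Juniper's code: a small parser for PPPoE discovery frames (EtherType 0x8863) that can be run over bytes captured on ethernet0/1 to compare the destination MAC with the interface MAC, which is the check the debug line "pak drop: dst MAC is not ethernet0/1 interface's" reports as failing. The MAC addresses, the AC-Name and the sample frame are constructed, and the function names are hypothetical.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863  # PPPoE discovery stage EtherType (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_discovery(frame):
    """Parse one Ethernet frame (no FCS) carrying a PPPoE discovery packet."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ethertype, ver_type, code, session, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != ETH_P_PPPOE_DISC or ver_type != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    # Trust the PPPoE length field, not len(frame): short frames are padded to 60 bytes.
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE payload truncated")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        tag, tlen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("tag runs past payload")
        tags[TAGS.get(tag, hex(tag))] = value
        off += 4 + tlen
    return {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]),
            "code": CODES.get(code, hex(code)), "session": session, "tags": tags}

def dst_matches_interface(frame, if_mac):
    """True if the frame is addressed to if_mac (unicast match only)."""
    return parse_discovery(frame)["dst"] == if_mac.lower()

def build_sample_pado(dst_mac, src_mac, ac_name):
    """Constructed test input: a PADO padded to the 60-byte Ethernet minimum."""
    tags = struct.pack("!HH", 0x0101, 0) + struct.pack("!HH", 0x0102, len(ac_name)) + ac_name
    hdr = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    frame = hdr + struct.pack("!HBBHH", ETH_P_PPPOE_DISC, 0x11, 0x07, 0, len(tags)) + tags
    return frame.ljust(60, b"\x00")

# Constructed values: the interface MAC and a stale MAC the access concentrator still uses.
IF_MAC, STALE_MAC, AC_MAC = "00:11:22:33:44:55", "00:11:22:33:44:66", "02:00:00:00:00:01"
SAMPLE = build_sample_pado(STALE_MAC, AC_MAC, b"isp-ac1")

if __name__ == "__main__":
    pkt = parse_discovery(SAMPLE)
    print(pkt["code"], "to", pkt["dst"], "accepted:", dst_matches_interface(SAMPLE, IF_MAC))
```

A PADO whose destination differs from the interface MAC points at the ISP side still holding an older MAC binding, which is what the reply above suggests checking with the ISP.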
