SRX Services Gateway
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
SRX Services Gateway

Issue with PPPoE VDSL - Won't come up after disconnect

[ Edited ]
‎06-01-2015 03:38 AM

Hi!

 

I recently changed my ISP connection from dynamic to static IP.

PPPoE session comes up so far, but after 24h the ISP disconnects the session.

Then, it looks like the pppoe session is coming up (pppoe_log: Discovery Input: PADS packet), but I have no acces to the internet.

I have to reboot the srx in order to get access to the internet again.

 

I searched around a bit and found this kb:

[SRX] VDSL link does not come up with some ISPs

 

I instantly thought - That's it!

But the command mentioned in this article is not available on my srx100h2. Why's that?

 

Here's how the components are interconnected:

 

LAN -> srx100h2 -> vdsl-modem -> internet

 

Here's my config:

set version 12.1X44.3
set system host-name texxol
set system time-zone Europe/Berlin
set system root-authentication encrypted-password "$1$gpJobfvz$By1FacdBcNHgpTPAXfwfF."
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set system services web-management session idle-timeout 60
set system services dhcp pool 172.18.19.0/24 address-range low 172.18.19.200
set system services dhcp pool 172.18.19.0/24 address-range high 172.18.19.254
set system services dhcp pool 172.18.19.0/24 router 172.18.19.100
set system services dhcp propagate-settings fe-0/0/0
set system services dhcp propagate-ppp-settings pp0.0
set system syslog archive size 1000k
set system syslog archive files 5
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server de.pool.ntp.org
set system ntp server 144.76.117.245 version 4
set system ntp server 144.76.117.245 prefer
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/0 unit 0 vlan-id 7
set interfaces pp0 unit 0 apply-macro VDSL_01
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$HD/D-Bbd2HSjws5Qn6AtxN-woJ"
set interfaces pp0 unit 0 ppp-options chap local-name "feste-ip11/9H3HHHH5HHH@t-online-com.de"
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 ppp-options pap local-name "feste-ip11/9H3HHHH5HHH@t-online-com.de"
set interfaces pp0 unit 0 ppp-options pap no-rfc2486
set interfaces pp0 unit 0 ppp-options pap local-password "$9$dhJH369uBIn6evJJ-hsTQnts"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces st0 unit 0 family inet
set interfaces st0 unit 0 family inet6
set interfaces vlan unit 0 family inet address 172.18.19.100/24
set snmp community public authorization read-only
set routing-options static route 192.168.8.0/24 next-hop st0.0
set routing-options static route 192.168.49.0/24 next-hop st0.0
set routing-options static route 192.168.254.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.0 metric 1
set protocols pppoe traceoptions file pppoe_log
set protocols pppoe traceoptions level all
set protocols pppoe traceoptions flag all
set protocols stp disable
set security log mode event
set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
set security ike proposal pre-g5-aes256-sha dh-group group5
set security ike proposal pre-g5-aes256-sha authentication-algorithm sha1
set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800
set security ike policy pre-g5-aes256-sha-St1 mode aggressive
set security ike policy pre-g5-aes256-sha-St1 proposals pre-g5-aes256-sha
set security ike policy pre-g5-aes256-sha-St1 pre-shared-key ascii-text "secret"
set security ike gateway vpn_transfair_p1 ike-policy pre-g5-aes256-sha-St1
set security ike gateway vpn_transfair_p1 address xx.xxx.xxx.xx
set security ike gateway vpn_transfair_p1 local-identity user-at-hostname "test@hds.de"
set security ike gateway vpn_transfair_p1 external-interface pp0.0
set security ike gateway vpn_transfair_p1 version v1-only
set security ipsec proposal esp-aes256-sha protocol esp
set security ipsec proposal esp-aes256-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal esp-aes256-sha encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes256-sha lifetime-seconds 3600
set security ipsec policy g5-esp-aes256-sha perfect-forward-secrecy keys group5
set security ipsec policy g5-esp-aes256-sha proposals esp-aes256-sha
set security ipsec vpn vpn_transfair_p2 bind-interface st0.0
set security ipsec vpn vpn_transfair_p2 vpn-monitor optimized
set security ipsec vpn vpn_transfair_p2 vpn-monitor source-interface fe-0/0/1.0
set security ipsec vpn vpn_transfair_p2 vpn-monitor destination-ip 192.168.49.1
set security ipsec vpn vpn_transfair_p2 ike gateway vpn_transfair_p1
set security ipsec vpn vpn_transfair_p2 ike proxy-identity local 172.18.19.0/24
set security ipsec vpn vpn_transfair_p2 ike proxy-identity remote 192.168.49.0/24
set security ipsec vpn vpn_transfair_p2 ike proxy-identity service any
set security ipsec vpn vpn_transfair_p2 ike ipsec-policy g5-esp-aes256-sha
set security ipsec vpn vpn_transfair_p2 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set nsw_srcnat from zone trust
set security nat source rule-set nsw_srcnat to zone Internet
set security nat source rule-set nsw_srcnat rule no_nat match source-address 172.18.19.0/24
set security nat source rule-set nsw_srcnat rule no_nat match destination-address 192.168.49.0/24
set security nat source rule-set nsw_srcnat rule no_nat match destination-address 192.168.8.0/24
set security nat source rule-set nsw_srcnat rule no_nat match destination-address 192.168.254.0/24
set security nat source rule-set nsw_srcnat rule no_nat then source-nat off
set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 172.18.19.0/24
set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
set security policies from-zone trust to-zone Internet policy All_trust_Internet match source-address netz_texxol
set security policies from-zone trust to-zone Internet policy All_trust_Internet match destination-address any
set security policies from-zone trust to-zone Internet policy All_trust_Internet match application any
set security policies from-zone trust to-zone Internet policy All_trust_Internet then permit
set security policies from-zone trust to-zone Internet policy All_trust_Internet then log session-init
set security policies from-zone trust to-zone Internet policy All_trust_Internet then log session-close
set security policies from-zone trust to-zone vpn policy to_transfair match source-address netz_texxol
set security policies from-zone trust to-zone vpn policy to_transfair match destination-address netz_transfair
set security policies from-zone trust to-zone vpn policy to_transfair match destination-address netz_texxol_dz
set security policies from-zone trust to-zone vpn policy to_transfair match destination-address netz_citrix
set security policies from-zone trust to-zone vpn policy to_transfair match application any
set security policies from-zone trust to-zone vpn policy to_transfair then permit
set security policies from-zone trust to-zone vpn policy to_transfair then log session-init
set security policies from-zone trust to-zone vpn policy to_transfair then log session-close
set security policies from-zone vpn to-zone trust policy from_transfair match source-address netz_transfair
set security policies from-zone vpn to-zone trust policy from_transfair match source-address netz_texxol_dz
set security policies from-zone vpn to-zone trust policy from_transfair match source-address netz_citrix
set security policies from-zone vpn to-zone trust policy from_transfair match destination-address netz_texxol
set security policies from-zone vpn to-zone trust policy from_transfair match application any
set security policies from-zone vpn to-zone trust policy from_transfair then permit
set security policies from-zone vpn to-zone trust policy from_transfair then log session-init
set security policies from-zone vpn to-zone trust policy from_transfair then log session-close
set security policies from-zone junos-host to-zone vpn policy from_cli_to_transfair match source-address any
set security policies from-zone junos-host to-zone vpn policy from_cli_to_transfair match destination-address netz_transfair
set security policies from-zone junos-host to-zone vpn policy from_cli_to_transfair match application junos-icmp-all
set security policies from-zone junos-host to-zone vpn policy from_cli_to_transfair then permit
set security policies from-zone junos-host to-zone vpn policy from_cli_to_transfair then log session-init
set security policies from-zone junos-host to-zone vpn policy from_cli_to_transfair then log session-close
set security zones security-zone trust address-book address netz_texxol 172.18.19.0/24
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone Internet address-book address netz_transfair 192.168.8.0/24
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces pp0.0
set security zones security-zone vpn address-book address netz_transfair 192.168.8.0/24
set security zones security-zone vpn address-book address netz_texxol_dz 192.168.49.0/24
set security zones security-zone vpn address-book address netz_citrix 192.168.254.0/24
set security zones security-zone vpn host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn host-inbound-traffic system-services http
set security zones security-zone vpn host-inbound-traffic system-services https
set security zones security-zone vpn host-inbound-traffic system-services snmp
set security zones security-zone vpn host-inbound-traffic system-services snmp-trap
set security zones security-zone vpn interfaces st0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

Thanks in advance.

 

Andy

0 Kudos
Reply
Message 1 of 7 (8,172 Views)
6 REPLIES 6
Highlighted
SRX Services Gateway

Re: Issue with PPPoE VDSL - Won't come up after disconnect
‎06-02-2015 11:17 PM

Hi!

since I don't know how to deal with this, is there a way to reboot this device every evening?

Now I'm doing it manually via console (request system reboot at ...)

 

 

Thanks in advance

 

Andy

0 Kudos
Reply
Message 2 of 7 (8,128 Views)
Highlighted
SRX Services Gateway

Re: Issue with PPPoE VDSL - Won't come up after disconnect
‎06-03-2015 01:10 AM
You can try to remove passive from the pap-options under the pp0 interface
Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
0 Kudos
Reply
Message 3 of 7 (8,119 Views)
Highlighted
SRX Services Gateway

Re: Issue with PPPoE VDSL - Won't come up after disconnect
‎06-03-2015 07:29 AM

Hi Marc.

 

I just tried this - same error.

0 Kudos
Reply
Message 4 of 7 (8,102 Views)
Highlighted
SRX Services Gateway

Re: Issue with PPPoE VDSL - Won't come up after disconnect
‎06-03-2015 07:50 AM
Is your ISP doing PAP or chap authentication ? I also see that you have chap auth configured with the passive option.what kind of error log do you see ?
Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
0 Kudos
Reply
Message 5 of 7 (8,099 Views)
SRX Services Gateway

Re: Issue with PPPoE VDSL - Won't come up after disconnect
‎06-29-2015 10:46 PM

Hi Marc.

 

My ISP is doing CHAP authentication. I set up a cron job to restart the srx every night.

The problem is that this costumer is about 134km away from my office... And since there is no way to help via teamviewer I stick with this workaround.

 

Thanks anyways for your help!

 

 

Cheers

 

Andy

0 Kudos
Reply
Message 6 of 7 (7,855 Views)
Highlighted
SRX Services Gateway

Re: Issue with PPPoE VDSL - Won't come up after disconnect
‎06-29-2015 11:03 PM

Hi,

 

what you need to do is to change the auto-reconnect setting to at least 30 seconds 120 would be even better. T-online disconnects the sessions every night.

 

 

pp0 unit 0 {
      ppp-options chap {
          default-chap-secret password;
          local-name "user/user@t-online-com.de";
          passive;
      }
      pppoe-options {
        underlying-interface <interface>;
        auto-reconnect 120;
        client;
      }
      family inet {
        mtu 1492;
        negotiate-address;
      }
  }
}

 

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
0 Kudos
Reply
Message 7 of 7 (7,852 Views)