ScreenOS Firewalls (NOT SRX)

Problem with getting PPPoE link up on SSG20

06-07-2012 12:05 AM


I have an SSG20 with interfaces ethernet0/0 and ethernet0/1 belonging to the Untrust zone. Ethernet0/0 is connected to my first ISP supplying an ADSL connection that is configured and working properly. I have a direct Ethernet cable coming from my second ISP which I attached to the ethernet0/1 interface. I set up a new PPPoE profile with the correct username and password (double-checked). I used to have the PPPoE connection linked to a TP-Link WR741ND Wireless Router which worked properly. I had the ISP reset the MAC address to match the SSG20 ethernet0/1 interface and confirmed it matches.

Interface ethernet0/1 is configured as follows:
set interface "ethernet0/1" zone "Untrust"
set pppoe name "untrust"
set pppoe name "untrust" username "username" password "password"
set pppoe name "untrust" interface ethernet0/1

I get the following messages in the SSG20 event log: 
1- PPPoE session started negotiations.
2- Point-to-Point Protocol over Ethernet (PPPoE) connection failed to establish a session. Timeout PADI

I changed the MAC on the TP-Link router to match the MAC of the SSG20's ethernet0/1 interface and connected it to verify the connection is still working as expected, which it is.

I have attached the debug session for the SSG20 using "debug pppoe basic". I have also attached the system log and WAN settings of the TP-Link router (to show successful connection).

Any help would be appreciated. Thanks in advance.



Re: Problem with getting PPPoE link up on SSG20

06-09-2012 10:47 PM


PADI timeout indicates a config mismatch.
Please refer to the following KB article:

In the debug, I see the following:
There is a mention of dst-mac not belonging to ethernet0/1.

## 2012-06-05 09:45:41 : pppoe_decap_handler: rcv a pppoe pak 0x3c892e0 (60 bytes) from interface ethernet0/1:
## 2012-06-05 09:45:41 : g_i_b_pppoe: LOOK for TRUE CTX for incoming ifp ethernet0/1
## 2012-06-05 09:45:41 : g_i_b_pppoe: FOUND FIRST CTX untrust for incoming ifp ethernet0/1
## 2012-06-05 09:45:41 : g_i_b_pppoe: ONLY context, RETURN ACTUAL ifp ethernet0/1 (ctx untrust) for incoming ifp ethernet0/1
## 2012-06-05 09:45:41 : pppoe_decap_handler: pak drop: dst MAC is not ethernet0/1 interface's
## 2012-06-05 09:45:41 : pppoe_fsm_reset dns_handle = 0
## 2012-06-05 09:45:41 : send_padi: about to send PADI to i/f ethernet0/1, num_attemps 0

Maybe the mapping for the MAC address is not complete yet. Please check this with your ISP.

Another thing to try is to do a SNOOP detail on the firewall (interface ethernet0/1) and check the packets.
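
The following is an added example, not part of the thread or of ScreenOS: a small parser for PPPoE discovery frames (RFC 2516, EtherType 0x8863) that applies the same destination-MAC test the debug line "pak drop: dst MAC is not ethernet0/1 interface's" reports, which is the thing to look for in a packet capture on the interface. All MAC addresses, the AC name and the helper names are constructed for illustration.

```python
import struct

PPPOE_DISCOVERY = 0x8863  # EtherType of the PPPoE discovery stage (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_discovery(frame):
    """Parse one Ethernet frame; return a dict, or None if not PPPoE discovery."""
    if len(frame) < 20:
        return None
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != PPPOE_DISCOVERY:
        return None
    _vt, code, session, length = struct.unpack("!BBHH", frame[14:20])
    payload, tags, off = frame[20:20 + length], {}, 0  # length excludes padding
    while off + 4 <= len(payload):                     # walk the TLV tag list
        t, n = struct.unpack("!HH", payload[off:off + 4])
        if t == 0x0000:                                # End-Of-List tag
            break
        tags[TAGS.get(t, hex(t))] = payload[off + 4:off + 4 + n]
        off += 4 + n
    return {"dst": mac(dst), "src": mac(src), "code": CODES.get(code, hex(code)),
            "session": session, "tags": tags}

def check_reply(frame, if_mac):
    """Assumed check: a discovery reply must be addressed to the interface MAC."""
    p = parse_discovery(frame)
    if p is None:
        return "not-pppoe-discovery"
    if p["dst"] != if_mac.lower():
        return f"drop: {p['code']} addressed to {p['dst']}, interface is {if_mac.lower()}"
    return f"accept: {p['code']} from {p['src']}"

def build(dst, src, code, tags=b""):
    """Build a constructed sample frame (ver/type 0x11, session id 0)."""
    raw = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    return raw + struct.pack("!HBBHH", PPPOE_DISCOVERY, 0x11, code, 0, len(tags)) + tags

# Constructed sample values, not taken from the thread's attachments.
IF_MAC = "00:11:22:33:44:55"     # hypothetical MAC of ethernet0/1
STALE_MAC = "00:aa:bb:cc:dd:ee"  # hypothetical MAC the provider still replies to
AC_MAC = "02:00:00:00:00:01"     # hypothetical access concentrator
AC_NAME = struct.pack("!HH", 0x0102, 4) + b"bras"
pado_bad = build(STALE_MAC, AC_MAC, 0x07, AC_NAME)
pado_good = build(IF_MAC, AC_MAC, 0x07, AC_NAME)
```

A PADO that parses cleanly but is classified as `drop` means the access concentrator is answering, just to a different MAC than the one on the interface, which matches the "Timeout PADI" symptom in the first post.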