From: Roelf D. <ro...@ro...> - 2016-10-09 07:41:08
Do you have some debug logs? How is your LNS authenticating users upstream? Using radius? What are you seeing on the RADIUS side?

Too little information to help, unfortunately.
From: Mark T. <mar...@aj...> - 2016-10-08 10:28:32
We have been using L2TPNS for a long time and this week faced a new challenge where our 3G SIM provider has changed the authentication method. Before we were being sent CHAP using and passwords but now they are saying we are being sent the CLI to be used as authentication. Does anyone know if L2TPNS supports this and how to change the configuration?

In the L2TPNS CLI we see the below:

  SID  LkToSID  TID  Username  IP       I  T  G  6  opened  downloaded  uploaded  idle  Rem.Time  LAC(L)/RLNS(R)/PPPOE(P)  CLI
  3    0        3    *         0.0.0.0  N  N  N  N  1       0           0         1     0         (L)90.155.53.55          8944200009646033316

So we still get the tunnel and a session but notice the username is now coming across as an asterisk.

Any help would be appreciated.

Thanks,
From: Tony G. <to...@ga...> - 2014-03-12 22:55:53
Thanks Dominique and Mat,

It was indeed IP forwarding not being enabled. Can't believe I overlooked that one.

Regards,
Tony
From: Dominique R. <d.r...@nn...> - 2014-03-12 09:19:11
On Wed, Mar 12, 2014 at 05:04:01AM +0000, Tony Gayler [to...@ga...] wrote:
> Hi,
>
> I've setup a l2tpns server for adsl terminations and ppp sessions from
> my wholesale ISP authenticate correct, however there appears to be
> only traffic coming from the connection and none able to return.

Like the other answer suggests, check that you got ip forwarding on.

If that's ok, are you sure you got a route for the return packets, towards your LNS, on the "DNS server" you are asking to?

--
Dominique Rousseau
Neuronnexion, Prestataire Internet & Intranet
21 rue Frédéric Petit - 80000 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.coop
From: Mat W. <ma...@ma...> - 2014-03-12 08:26:19
Tony,

Have you checked you have a "1" in /proc/sys/net/ipv4/ip_forward?

Mat
From: Tony G. <to...@ga...> - 2014-03-12 07:18:02
Hi,

I've setup a l2tpns server for adsl terminations and ppp sessions from my wholesale ISP authenticate correct, however there appears to be only traffic coming from the connection and none able to return.

My l2tpns startup-config is as follows:

  # Current configuration:
  set debug 4
  set log_file "/var/log/l2tpns"
  set pid_file "/var/run/l2tpns.pid"
  set random_device "/dev/urandom"
  set l2tp_secret "secret"
  set l2tp_mtu 1500
  set ppp_restart_time 3
  set ppp_max_configure 10
  set ppp_max_failure 5
  set primary_dns 8.8.8.8
  set secondary_dns 8.8.4.4
  set primary_radius 127.0.0.1
  set secondary_radius 0.0.0.0
  set primary_radius_port 1812
  set secondary_radius_port 0
  set radius_accounting no
  set radius_interim 0
  set radius_secret "secret"
  set radius_authtypes "pap"
  set radius_dae_port 3799
  set radius_bind_min 0
  set radius_bind_max 0
  set allow_duplicate_users no
  set kill_timedout_sessions yes
  set guest_account ""
  set bind_address 0.0.0.0
  set peer_address 10.0.1.1
  set send_garp no
  set throttle_speed 28
  set throttle_buckets 6000
  set accounting_dir "/var/run/l2tpns/acct"
  set account_all_origin no
  set dump_speed no
  set multi_read_count 10
  set scheduler_fifo no
  set lock_pages no
  set icmp_rate 0
  set packet_limit 0
  set cluster_address 239.192.13.13
  set cluster_interface "eth0"
  set cluster_mcast_ttl 1
  set cluster_hb_interval 5
  set cluster_hb_timeout 150
  set cluster_master_min_adv 1
  set ipv6_prefix ::
  set cli_bind_address 0.0.0.0
  set hostname "en-lns1"
  set nexthop_address 0.0.0.0
  set nexthop6_address ::
  set echo_timeout 10
  set idle_echo_timeout 240
  set iftun_address 10.0.1.159
  set tundevicename "tun0"
  set disable_lac_func no
  set auth_tunnel_change_addr_src no
  set bind_address_remotelns 0.0.0.0
  set bind_portremotelns 65432
  set pppoe_if_to_bind ""
  set pppoe_service_name ""
  set pppoe_ac_name "l2tpns-pppoe"
  set disable_sending_hello no
  set disable_no_spoof no
  set bind_multi_address ""
  set pppoe_only_equal_svc_name no
  set multi_hostname ""
  set no_throttle_local_IP no

my users file in freeradius:

  D0-2 Cleartext-Password := "password"
      Framed-IP-Address = 10.0.1.135,
      Framed-Route += "10.0.2.0/24 10.0.1.135" ,
      Framed-MTU = 1492

  DEFAULT Auth-Type == Accept
      Service-Type = "Framed-User",
      Framed-Protocol = "PPP",
      Framed-IP-Netmask = "255.255.255.255",
      Idle-Timeout = 86400,
      Framed-Routing = "None"

Session is up:

  lns1# show sess
  SID  LkToSID  TID  Username  IP          I  T  G  6  opened  downloaded  uploaded  idle  Rem.Time  LAC(L)/RLNS(R)/PPPOE(P)  CLI
  1    0        2    D0-2      10.0.1.135  N  N  N  N  1175    108804      384589    0     0         (L)a.b.c.d               *

Routes:

  Kernel IP routing table
  Destination  Gateway     Genmask          Flags  Metric  Ref  Use  Iface
  default      10.0.1.1    0.0.0.0          UG     0       0    0    eth0
  10.0.1.0     *           255.255.255.0    U      0       0    0    eth0
  10.0.1.135   *           255.255.255.255  UH     0       0    0    tun0
  10.0.2.0     10.0.1.135  255.255.255.0    UG     0       0    0    tun0

(LAC IP routes removed for privacy)

If I run iftop on tun0 I can see dns requests going out but none going back..

Any ideas?

Regards,
Tony
From: Patrick C. <z...@am...> - 2011-10-12 00:24:19
Wilson,

The 500 value you see is just an artificial limitation by a constant in the source code:

  l2tpns.h:#define MAXTUNNEL 500 // could be up to 65535

This field is an unsigned 16bit integer so you can just change this and re-compile to allow up to 65k tunnels potentially.

Hope this helps you.

Regards,
Patrick
From: Wilson R. L. <wl...@ig...> - 2011-10-11 23:48:16
Hello,

I'm interested to use l2tpns as my LNS solution to provide access to my dial-up clients. Today we have 10k tunnels established and 15k sessions approximately.

I have a doubt about the max number of established tunnels per l2tpns process. Is 499 only?

  > sh tun ?
    all      Show all tunnels, including unused
    <1-499>  Show specific tunnel by id
    <cr>

Best Regards,
Wilson.
From: Franz S. <fra...@cu...> - 2010-06-24 15:10:57
Hi,

this is my first post but I am sure you can help me figuring out the problem with multiple sessions with one user. I have one user who connects via 3 sessions. The sessions and tunnels are open, but only one of three sessions are working.

Sessions:

  show session
  SID  TID  Username      IP             I  T  G  6  opened  downloaded  uploaded  idle  LAC             CLI
  1    1    dum...@te...  192.168.62.8   N  N  N  N  1485    504         0         7     192.168.100.10  *
  2    2    dum...@te...  192.168.62.9   N  N  N  N  1480    0           0         6     192.168.100.10  *
  3    1    dum...@te...  192.168.62.10  N  N  N  N  1479    119128      585095    7     192.168.100.15  *

Tunnels:

  show tunnels
  TID  Hostname  IP              State  Sessions
  1    INT-TEST  192.168.100.10  Open   2
  2    INT-TEST  192.168.100.15  Open   1
  3    (null)    192.168.100.15  Free   0

The Clients connect from the same IP. (PPOE Tunnel). I can only ping 192.168.62.10.

  ping 192.168.62.10
  PING 192.168.62.10 (192.168.62.10) 56(84) bytes of data.
  64 bytes from 192.168.62.10: icmp_req=1 ttl=254 time=31.9 ms
  64 bytes from 192.168.62.10: icmp_req=2 ttl=254 time=32.8 ms
  64 bytes from 192.168.62.10: icmp_req=3 ttl=254 time=33.0 ms
  64 bytes from 192.168.62.10: icmp_req=4 ttl=254 time=32.4 ms
  ^C
  --- 192.168.62.10 ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 3004ms
  rtt min/avg/max/mdev = 31.989/32.589/33.028/0.446 ms

  ping 192.168.62.8
  PING 192.168.62.8 (192.168.62.8) 56(84) bytes of data.
  ^C
  --- 192.168.62.8 ping statistics ---
  1 packets transmitted, 0 received, 100% packet loss, time 0ms

  ping 192.168.62.9
  PING 192.168.62.9 (192.168.62.9) 56(84) bytes of data.
  ^C
  --- 192.168.62.9 ping statistics ---
  1 packets transmitted, 0 received, 100% packet loss, time 0ms

Is there a config problem or did I hit a kernel bug in the tun dev?

  Class Device = "tun0"
  Class Device path = "/sys/devices/virtual/net/tun0"
    addr_len = "0"
    address = ""
    broadcast = ""
    carrier = "1"
    dev_id = "0x0"
    dormant = "0"
    features = "0x0"
    flags = "0x11"
    group = "-1"
    ifalias =
    ifindex = "6"
    iflink = "6"
    link_mode = "0"
    mtu = "1452"
    operstate = "unknown"
    owner = "-1"
    tun_flags = "0x1"
    tx_queue_len = "1000"
    type = "65534"
    uevent = "INTERFACE=tun0 IFINDEX=6"

Thanks in advance
Franz

--
kind regards,
Franz Skale
Senior Systems Engineer
www.cubit.at
+43-664-8468643
+43-1-7189880-0
New location: 1070 Wien, Zieglergasse 67/3/1
From: <ma...@ma...> - 2010-04-14 00:12:26
J,

You really need to use a dynamic routing protocol when clustering and BGP is the only supported one WITHIN L2TPNS.

Others use L2TPNS clusters but then might choose to use Quagga to use some other routing protocol, and some also feel Quagga's routing implementations, including BGP, are better than the one built into L2TPNS. Quagga works by detecting the system's local IP cache table to determine what to advertise via whatever routing protocol.

The reason you need a dynamic routing protocol between your L2TPNS cluster and its gateway is multipathing. Sure, you could statically route user ranges to the cluster on your router with equal costed routes, but if one of the nodes ever drops out you'll be dropping every X packets to the cluster. Hence the reason for BGP, because each node in the cluster advertises the same IP ranges that every other node in the cluster advertises (apart from the master when "cluster_master_min_adv" is reached, at which stage the master doesn't advertise anything via BGP APART FROM any throttled or walled garden sessions. Keep this well in mind when doing a cluster setup, if you're doing a lot of throttle or walled garden sessions the master is the only one that takes care of this traffic (due to IPTABLES traversal)).

There's no real great detailed documentation on BGP or clustering on L2TPNS. We've learnt most of our stuff from reading the source, and experience.

Mat
From: J <l2t...@xe...> - 2010-04-13 23:56:38
> You really need to use a dynamic routing protocol when clustering and BGP is the only supported one WITHIN L2TPNS.
>
> Others use L2TPNS clusters but then might choose to use Quagga to use some other routing protocol, and some also feel Quagga's routing implementations, including BGP, are better than the one built into L2TPNS. Quagga works by detecting the system's local IP cache table to determine what to advertise via whatever routing protocol.

Interesting, I'll read about Quagga.

> The reason you need a dynamic routing protocol between your L2TPNS cluster and its gateway is multipathing. Sure, you could statically route user ranges to the cluster on your router with equal costed routes, but if one of the nodes ever drops out you'll be dropping every X packets to the cluster. Hence the reason for BGP, because each node in the cluster advertises the same IP ranges that every other node in the cluster advertises (apart from the master when "cluster_master_min_adv" is reached, at which stage the master doesn't advertise anything via BGP APART FROM any throttled or walled garden sessions. Keep this well in mind when doing a cluster setup, if you're doing a lot of throttle or walled garden sessions the master is the only one that takes care of this traffic (due to IPTABLES traversal)).

Fortunately, we're not using walled/garden sessions at this time.

> There's no real great detailed documentation on BGP or clustering on L2TPNS. We've learnt most of our stuff from reading the source, and experience.

heh, that's kind of the route I was afraid of going ...

Thank you very much for this. I'm sure in the end I'll get to what I'm blindly groping for. =)

J
From: J <l2t...@xe...> - 2010-04-13 22:24:47
Greetings,

I am running a series of Debian-based (amd64 kernel) servers running the latest version of l2tpns (2.1.21-1.2).

I am interested in taking advantage of the clustering capabilities, however the documentation is extremely poor.

First of all, can anyone refer me to better l2tpns documentation with special regards to clustering?

As a bonus question, can anyone tell me how this would fit into my existing (non-BGP-enabled) border firewall? How are neighbors/peers configured in l2tpns in contrast to a physical security appliances' configuration? In case it matters, my border firewall is a Juniper Netscreen ISG 2000. If I am understanding what it will take to make this work, I may also need another router in the mix; this would be an SSG 140.

Basically, I know very little about BGP beyond basic definition. However I really need to make my several l2tpns servers stop acting as individual (degraded) clusters, and to begin functioning the way l2tpns was written to work.

PLEASE help.

Thanks

J
From: Dominique R. <d.r...@nn...> - 2010-01-21 08:13:06
On Thu, Jan 21, 2010 at 01:26:53PM +1100, Jason Millan [jm...@m2...] wrote:
> Hi,
>
> Just to help rule out some possible issues if anyone can assist in answering these questions it might help.
>
> 1. The Total Bandwidth used across the cluster is around 400Mbps. we see that each of the nodes does around 80Mbps. Is there a limit on the L2TPNS software on bandwidth per node? All the interfaces are 1G and our switches are also 1G.

None that I know of, besides your CPU capacities.

> 2. Can we move the multicast interface to another interface other than the public interface where all internet traffic flows? Do we need to have Multicast configured on the router side for the L2TPNS cluster to work?

Unless you're trying to have your nodes communicate through a router, it doesn't have to care about multicast. We have the cluster_interface set on a separate VLAN without trouble.

> 3. Our routers have MTU set as 1500. So do we need to set a lower MTU on the L2TPNS tunnel interface to like 1472? (via startup-config) or keep the 1500 ?

What matters is the end-to-end MTU, because the MTU problems mainly come from PPPoE encapsulation. And for this, the usual MSS tricks handle things quite well.

> 4.Does the L2TPNS software support 64-bit and multi-threading ? any issues? (we compiled the L2TPNS on 64-bit CentOS)

Afaik, l2tpns works great in 64bits. But don't mix 32bits nodes with 64bits ones. (a few months ago, there was a thread about this)

> 5. Our nodes have two CPU's and HyperThreading has been disabled yet we still see one core saturated before another does any work, are there any issues with multithreading and L2TPNS ?

As for threading, I don't think there is support, but in the stress tests we did, l2tpns was not much cpu-bound, so don't really see a need :)

On a multi-core system, you could probably get better performances by having the NIC irqs handled by one of the cores, and l2tpns on the other.

--
Dominique Rousseau
Neuronnexion, Prestataire Internet & Intranet
50, rue Riolan 80000 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.coop
From: David P. <da...@dp...> - 2010-01-21 03:13:38
> Just to help rule out some possible issues if anyone can assist in answering these questions it might help.
>
> 1. The Total Bandwidth used across the cluster is around 400Mbps. we see that each of the nodes does around 80Mbps. Is there a limit on the L2TPNS software on bandwidth per node? All the interfaces are 1G and our switches are also 1G.

IIRC I was able to get around 160 mbit through a single interface on a dual-cpu Intel machine with an e1000 card. However this is *years* ago so I could be off by an order of magnitude.

You need to make sure that your NIC supports interrupt mitigation and that it's enabled. Also I found that pinning the NIC's IRQ to a single CPU gave a big performance improvement too, because the second CPU could just keep running L2TPNS and keep a hot cache.

> 2. Can we move the multicast interface to another interface other than the public interface where all internet traffic flows? Do we need to have Multicast configured on the router side for the L2TPNS cluster to work?

Sorry I don't know about multicast.

> 3. Our routers have MTU set as 1500. So do we need to set a lower MTU on the L2TPNS tunnel interface to like 1472? (via startup-config) or keep the 1500 ?

It's up to you. L2TPNS will deal fine with fragmented packets, but I'd suggest doing some testing to see whether it's a problem for you.

> 4.Does the L2TPNS software support 64-bit and multi-threading ? any issues? (we compiled the L2TPNS on 64-bit CentOS)

L2TPNS does not support multi-threading but I don't see why 64-bit wouldn't work.

During the initial development I found that even linking in the threading library -lpthread would drastically reduce the capacity of the server. Linking in threading changes a lot of the libc stuff so that it does locking, which is a lot slower.

This is also the reason for the *awful* anonymous mmap() allocations instead of plain malloc(). I needed to be able to share the session info with the CLI process, and I couldn't use threading. There is reason for the madness.

> 5. Our nodes have two CPU's and HyperThreading has been disabled yet we still see one core saturated before another does any work, are there any issues with multithreading and L2TPNS ?

That's expected, and it's a limitation. At the time we were working on this we only had dual-CPU machines anyway, and the second CPU got used by the kernel for handling the NIC.
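The pinning that the two replies above describe (NIC interrupts on one CPU, l2tpns on the other), as an added example that is not part of either post: the script finds the NIC's IRQ numbers in /proc/interrupts, works out the smp_affinity mask and prints the commands instead of running them. The interface name eth0, the CPU numbers and the sample /proc/interrupts content are assumptions; the pid file path is the one from the startup-config posted elsewhere on this page.

```shell
#!/bin/sh
# Added example, not from the thread: plan CPU pinning for an l2tpns node.
# Nothing here changes the system; pin_plan only prints the commands to review.

# Constructed sample of /proc/interrupts (2 CPUs, single-queue NICs).
sample_interrupts() {
    cat <<'EOF'
           CPU0       CPU1
  0:        127          0   IO-APIC-edge      timer
 16:   48211934         12   IO-APIC-fasteoi   eth0
 17:    1200345          3   IO-APIC-fasteoi   eth1
NMI:          0          0   Non-maskable interrupts
EOF
}

# irqs_for_iface IFACE [FILE]
# Print the IRQ numbers whose device column names IFACE, including
# multi-queue names such as eth0-TxRx-0.
irqs_for_iface() {
    i_iface=$1
    i_file=${2:-/proc/interrupts}
    awk -v dev="$i_iface" '
        $1 ~ /^[0-9]+:$/ {
            for (i = 2; i <= NF; i++) {
                n = $i
                sub(/,$/, "", n)          # shared IRQs list devices with commas
                if (n == dev || index(n, dev "-") == 1) {
                    sub(/:$/, "", $1)
                    print $1
                    break
                }
            }
        }' "$i_file"
}

# cpu_mask CPU
# Hex bitmask for /proc/irq/N/smp_affinity (CPU 0 -> 1, CPU 1 -> 2, CPU 5 -> 20).
# Limited to CPUs 0-31; larger systems need a comma-grouped mask.
cpu_mask() {
    case $1 in
        ''|*[!0-9]*) echo "cpu_mask: CPU must be a number" >&2; return 1 ;;
    esac
    [ "$1" -lt 32 ] || { echo "cpu_mask: CPU >= 32 not handled" >&2; return 1; }
    printf '%x\n' $((1 << $1))
}

# pin_plan IFACE NIC_CPU DAEMON_CPU [FILE]
# Print one smp_affinity write per NIC IRQ plus a taskset line for l2tpns.
pin_plan() {
    p_iface=$1
    p_nic_cpu=$2
    p_daemon_cpu=$3
    p_file=${4:-/proc/interrupts}
    if [ "$p_nic_cpu" = "$p_daemon_cpu" ]; then
        echo "pin_plan: NIC and daemon must use different CPUs" >&2
        return 1
    fi
    p_mask=$(cpu_mask "$p_nic_cpu") || return 1
    p_irqs=$(irqs_for_iface "$p_iface" "$p_file")
    [ -n "$p_irqs" ] || { echo "pin_plan: no IRQ found for $p_iface" >&2; return 1; }
    for p_irq in $p_irqs; do
        echo "echo $p_mask > /proc/irq/$p_irq/smp_affinity"
    done
    # pid file path taken from the startup-config posted on this page
    echo "taskset -cp $p_daemon_cpu \$(cat /var/run/l2tpns.pid)"
}

# Demo on the constructed sample: NIC interrupts on CPU 0, l2tpns on CPU 1.
demo_file=$(mktemp)
sample_interrupts > "$demo_file"
pin_plan eth0 0 1 "$demo_file"
rm -f "$demo_file"
```

The printed commands need root, and a running irqbalance daemon can rewrite the affinity afterwards.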
From: Jason M. <jm...@m2...> - 2010-01-21 02:27:24
Hi,

Just to help rule out some possible issues if anyone can assist in answering these questions it might help.

1. The Total Bandwidth used across the cluster is around 400Mbps. we see that each of the nodes does around 80Mbps. Is there a limit on the L2TPNS software on bandwidth per node? All the interfaces are 1G and our switches are also 1G.

2. Can we move the multicast interface to another interface other than the public interface where all internet traffic flows? Do we need to have Multicast configured on the router side for the L2TPNS cluster to work?

3. Our routers have MTU set as 1500. So do we need to set a lower MTU on the L2TPNS tunnel interface to like 1472? (via startup-config) or keep the 1500 ?

4. Does the L2TPNS software support 64-bit and multi-threading ? any issues? (we compiled the L2TPNS on 64-bit CentOS)

5. Our nodes have two CPU's and HyperThreading has been disabled yet we still see one core saturated before another does any work, are there any issues with multithreading and L2TPNS ?

Any help is appreciated :-)

Regards,
Netops2010
From: Dominique R. <d.r...@nn...> - 2010-01-20 08:14:37
On Wed, Jan 20, 2010 at 12:33:02PM +1100, Jason Millan [jm...@m2...] wrote:
> Hi,
>
> We have a 6 node cluster, for some reason when all six nodes are active,
> one node handles no traffic and has no load.

Maybe it's cluster_master_min_adv:

  cluster_master_min_adv
      Determines the minimum number of up to date slaves required before the master will drop routes (default: 1).

--
Dominique Rousseau
Neuronnexion, Prestataire Internet & Intranet
50, rue Riolan 80000 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.coop
From: Jason M. <jm...@m2...> - 2010-01-20 04:19:33
Hi,

The routing is being performed by a redback se400 which does not impose such a limitation.

Regards,
Netops2010
From: David P. <da...@dp...> - 2010-01-20 02:08:58
|
I haven't touched l2tpns in years so my memory may be off, but I think the limit you are coming up against here is the iBGP route limit on your upstream router. I *think* the limit is 8 on Cisco gear, but I could be very wrong.

On Wed, Jan 20, 2010 at 12:33 PM, Jason Millan <jm...@m2...> wrote:
> Hi,
>
> We have a 6 node cluster, for some reason when all six nodes are active,
> one node handles no traffic and has no load.
>
> As soon as another node is stopped the last one in the cluster starts to
> participate i.e. traffic on interfaces and load on the actual box.
>
> Are there any limits on the number of nodes that can actively participate
> in the cluster or any ideas?
>
> Regards,
>
> Netops2010
|
From: Jason M. <jm...@m2...> - 2010-01-20 02:03:24
|
Hi,

We have a 6 node cluster, for some reason when all six nodes are active, one node handles no traffic and has no load.

As soon as another node is stopped the last one in the cluster starts to participate i.e. traffic on interfaces and load on the actual box.

Are there any limits on the number of nodes that can actively participate in the cluster or any ideas?

Regards,
Netops2010
|
From: Hernán F. <dr...@gm...> - 2010-01-19 23:42:12
|
Hello,

I've been using l2tpns for a while now. Recently the server was rootkitted so I had to make a clean install. Copied the configuration files and all, and after that I've been getting the errors at the end of this message. Sometimes it fixes itself after several minutes, sometimes it won't. I try killing l2tpns but it refuses to die, unless I do it with a signal 9. Restarting it solves the problem (during this time I can't even access the l2tpns CLI). I've also noticed that restarting openswan also fixes the problem.

Any suggestions?

Here's the logfile at the moment it's failing:

2010-01-19 17:13:15 00/00 Sending v5 heartbeat #91343, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3388)
2010-01-19 17:13:15 00/00 Sending v5 heartbeat #91344, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3388)
2010-01-19 17:13:16 00/00 Sending v5 heartbeat #91345, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3389)
2010-01-19 17:13:16 03/03 Kill session 3 (xxxxxxxxx): Expired
2010-01-19 17:13:16 00/00 Reached multi_read_count (10); processed 10 udp, 10 tun and 0 cluster packets
2010-01-19 18:06:56 00/00 Sending v5 heartbeat #91346, change #595 with 1 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3323)
2010-01-19 18:06:56 06/00 Sending HELLO message
2010-01-19 18:06:56 07/00 Sending HELLO message
2010-01-19 18:06:56 08/00 Sending HELLO message
2010-01-19 18:06:56 09/00 Sending HELLO message
2010-01-19 18:06:56 10/00 Sending HELLO message
2010-01-19 18:06:56 11/00 Sending HELLO message
2010-01-19 18:06:56 12/00 Sending HELLO message
2010-01-19 18:06:56 13/00 Sending HELLO message
2010-01-19 18:06:56 14/00 Sending HELLO message
2010-01-19 18:06:56 15/00 Sending HELLO message
2010-01-19 18:06:56 16/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0bcfe6, len=20, dest=10.5.2.26)
2010-01-19 18:06:56 16/00 Sending HELLO message
2010-01-19 18:06:56 17/00 Sending HELLO message
2010-01-19 18:06:56 18/00 Sending HELLO message
2010-01-19 18:06:56 01/00 Sending HELLO message
2010-01-19 18:06:56 02/00 Sending HELLO message
2010-01-19 18:06:56 03/00 Kill tunnel 3: Expired
2010-01-19 18:06:56 04/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0ba43e, len=20, dest=10.5.1.26)
2010-01-19 18:06:56 04/00 Sending HELLO message
2010-01-19 18:06:56 05/00 Sending HELLO message
2010-01-19 18:06:56 10/04 Shutting down session 4: No response to LCP ECHO requests.
2010-01-19 18:06:56 10/04 Allocated radius 112
2010-01-19 18:06:56 05/05 Shutting down session 5: No response to LCP ECHO requests.
2010-01-19 18:06:56 05/05 Allocated radius 113
2010-01-19 18:06:56 06/06 Shutting down session 6: No response to LCP ECHO requests.
2010-01-19 18:06:56 06/06 Allocated radius 114
2010-01-19 18:06:56 07/07 Shutting down session 7: No response to LCP ECHO requests.
2010-01-19 18:06:56 07/07 Allocated radius 115
2010-01-19 18:06:56 04/08 Shutting down session 8: No response to LCP ECHO requests.
2010-01-19 18:06:56 04/08 Allocated radius 116
2010-01-19 18:06:56 11/09 Shutting down session 9: No response to LCP ECHO requests.

Thanks,
Hernan
|
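The log in the message above goes silent between 17:13:16 and 18:06:56 and then reports send errors and LCP echo timeouts in one burst. The following is an added example, not part of the original post or of l2tpns, that finds such silent periods in a log of this format; the 30-second threshold and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the log quoted in the message above.
SAMPLE_LOG = """\
2010-01-19 17:13:16 00/00 Sending v5 heartbeat #91345, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3389)
2010-01-19 17:13:16 03/03 Kill session 3 (xxxxxxxxx): Expired
2010-01-19 18:06:56 00/00 Sending v5 heartbeat #91346, change #595 with 1 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3323)
2010-01-19 18:06:56 16/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0bcfe6, len=20, dest=10.5.2.26)
2010-01-19 18:06:56 04/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0ba43e, len=20, dest=10.5.1.26)
2010-01-19 18:06:56 10/04 Shutting down session 4: No response to LCP ECHO requests.
2010-01-19 18:06:56 05/05 Shutting down session 5: No response to LCP ECHO requests.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+)/(\d+) (.*)$")
SEND_ERR_RE = re.compile(r"Error sending data out tunnel: .*dest=([\d.]+)\)")
LCP_RE = re.compile(r"Shutting down session (\d+): No response to LCP ECHO")

def parse(log):
    """Yield (timestamp, tunnel, session, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip wrapped or truncated lines instead of failing
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), int(m.group(3)), m.group(4)

def find_stalls(log, max_gap=timedelta(seconds=30)):
    """Report each silent period longer than max_gap and what was logged on resume."""
    entries = list(parse(log))
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        if cur[0] - prev[0] <= max_gap:
            continue
        # Messages written in the same second in which logging resumed.
        burst = [e[3] for e in entries if e[0] == cur[0]]
        stalls.append({
            "from": prev[0], "to": cur[0],
            "gap_seconds": int((cur[0] - prev[0]).total_seconds()),
            "send_error_dests": sorted({m.group(1) for m in map(SEND_ERR_RE.search, burst) if m}),
            "lcp_timeouts": sorted({int(m.group(1)) for m in map(LCP_RE.search, burst) if m}),
        })
    return stalls

if __name__ == "__main__":
    for s in find_stalls(SAMPLE_LOG):
        print(f"{s['from']} -> {s['to']}: silent {s['gap_seconds']} s, "
              f"send errors to {s['send_error_dests']}, LCP timeouts {s['lcp_timeouts']}")
```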
From: daren f. <dar...@ho...> - 2009-12-21 19:01:31
|
Thank you for your reply.

In fact I found the origin of my problem by dumping packets. The packet size was totally different when comparing a server to the other... the only difference between them was the kernel version... One was linux-2.6.26-2-686 the other linux-2.6.26-2-amd64, I swapped to both 686 and now it works like a charm :)

I didn't imagine that could be related to this, but I got no other difference, so... now I will take care of this "little" detail.

Regards
Daren

> Date: Sun, 20 Dec 2009 21:40:09 +1100
> Subject: Re: [l2tpns-users] Unable to cluster - hertbeat element error
> From: bo...@c4...
> To: dar...@ho...
> CC: l2t...@li...
>
> On Thu, Dec 17, 2009 at 2:38 AM, daren ferreira <dar...@ho...> wrote:
> > I'm using l2tpns for a quite long while and i'm now testing the cluster
> > feature, without success.
> >
> > CRIT-0-0 DANGER: I received a heartbeat element where i didn't understand
> > the type! (X)
> > Most of time X = 0
>
> Whacky. I'm not entirely sure why you're seeing this. You have
> multicast enabled on the server, and the switch? It is possible that
> something else is using the multicast address which is confusing
> l2tpns. If everything else looks OK, you could try using a different
> multicast address (set "cluster_address" in your config).
|
From: daren f. <dar...@ho...> - 2009-12-16 15:38:32
|
Hello,

I'm using l2tpns for quite a long while and I'm now testing the cluster feature, without success.

In fact I always receive on the slave:

CRIT-0-0 DANGER: I received a heartbeat element where i didn't understand the type! (X)

Most of time X = 0

If I shut the master down and then start it, I get:

CRIT-0-0 I got an incomplete heartbeat packet! This means I'm probably out of sync!!

and on the new master (ex slave):

CRIT-0-0 I just got a heartbeat from master X.X.X.X, but _I_ am the master

So it seems that the problem is related to multicast communication, but I found nothing on doc nor mailing-lists...

Does somebody have any idea on how to get clustering working?

I'm using debian 2.6.26 kernel.
I tried with l2tpns cvs version and 2.1.21.

Best regards
Daren
|
From: Johannes J. <jj...@gl...> - 2009-12-11 14:06:47
|
Hi List,

When using Framed-Route statements in Radius like

    10.0.0.0/24

it works just fine, but l2tpns doesn't honor gateway or metric specifications in the form of

    Framed-Route += 10.0.0.0/24 1.2.3.4 100

Is there any patch to add this feature to l2tpns?

Background: Assume a dial-in router that is running quagga and talks BGP to another quagga running on the LNS. The router tells the LNS it has a route to subnet 1.2.3.4/30, the quagga instance on the LNS then adds a route to 1.2.3.4/0 to dev tun0. But now the l2tpns process does not know how, or to which session it has to route the packets destined for 1.2.3.4/0 because the link IP/NET <-> Session does not exist.

Is there any way to achieve this? I can't use the integrated bgpd, because it doesn't provide the options we need (prefix filter, route maps... you name it), but how can I tell l2tpns there are routes it hasn't set itself?

So my solution was to avoid talking bgp at all and trying to set these routes via radius. This option currently fails, because I have to set this route on two LNS (primary and backup), which are both connected at the same time, so I have to distribute the routes with different costs and tried to achieve this by using metrics... which aren't honored by l2tpns at all....

Do you have any ideas about this scenario? Metrics would be great, because they would solve the 3 minutes timeout issue introduced by bgp, when the primary connection fails....

Well, looking forward to any help and hoping that this list somehow is still alive ;)

Best regards,
John
|
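The Framed-Route value in the message above follows the RFC 2865 text form "prefix[/len] gateway metric...". The following is an added example, not l2tpns code and not part of the original post, that splits such a value into prefix, gateway and metric and orders a primary and a backup route by metric; the function names and the backup gateway 1.2.3.5 are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class FramedRoute(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None when only a prefix was sent
    metric: int

def _classful_length(addr):
    """Prefix length RFC 2865 implies when the "/len" part is omitted."""
    first_octet = int(addr) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24

def parse_framed_route(value, user_ip=None, default_metric=0):
    """Split 'prefix[/len] [gateway [metric ...]]' into its parts."""
    fields = value.split()
    if not fields:
        raise ValueError("empty Framed-Route value")
    prefix, _, length = fields[0].partition("/")
    addr = ipaddress.IPv4Address(prefix)
    plen = int(length) if length else _classful_length(addr)
    # strict=False: accept prefixes written with host bits set.
    network = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
    gateway = None
    if len(fields) > 1:
        gateway = ipaddress.IPv4Address(fields[1])
        if int(gateway) == 0 and user_ip is not None:
            # RFC 2865: gateway 0.0.0.0 stands for the user's own address.
            gateway = ipaddress.IPv4Address(user_ip)
    # Several metrics may follow the gateway; this example uses the first only.
    metric = int(fields[2]) if len(fields) > 2 else default_metric
    return FramedRoute(network, gateway, metric)

def preferred_routes(routes):
    """Keep the lowest-metric route for each prefix (primary before backup)."""
    best = {}
    for route in routes:
        current = best.get(route.network)
        if current is None or route.metric < current.metric:
            best[route.network] = route
    return best

# Constructed input: the value from the message as the primary route and a
# made-up backup gateway (1.2.3.5) carrying a higher metric.
PRIMARY = parse_framed_route("10.0.0.0/24 1.2.3.4 100")
BACKUP = parse_framed_route("10.0.0.0/24 1.2.3.5 200")
```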
From: Johannes J. <jj...@gl...> - 2009-12-08 09:03:12
|
Hi Paul,

Paul Cupis wrote:
> Johannes Jakob wrote:
>> l2tpns... not more than 4 hours later I had a completely new LNS setup
>> for terminating DSL connections with working multilink for two of our
>> carriers (thanks to Mouhammad Tayseer Alquoatli for his work on the
>> multilink patch!)
>
> Can I ask which specific patch(es) you've used for multilink support,
> please?

I applied this patch
http://sourceforge.net/mailarchive/message.php?msg_id=d8c9df6c0703050152o41b1e596ge1b8a26a32f82661%40mail.gmail.com
/
http://sourceforge.net/tracker/?func=detail&aid=1678233&group_id=97282&atid=617565
to the current CVS HEAD:

cd /usr/local/src
cvs -d:pserver:ano...@l2...:/cvsroot/l2tpns \
    login # just press enter!
cvs -z3 -d:pserver:ano...@l2...:/cvsroot/l2tpns co -P l2tpns
wget -O l2tpns-multilink.patch 'http://sourceforge.net/tracker/download.php?group_id=97282&atid=617565&file_id=219832&aid=1678233'
cd l2tpns
patch -p1 < /usr/local/src/l2tpns-multilink.patch
#patch -p1 < /usr/local/src/l2tp-telnetbind.patch #mine
make && make install

You will have to adjust your l2tpns settings:

set allow_duplicate_users yes

Regards,
Johannes
|
From: Paul C. <pa...@cu...> - 2009-12-08 07:45:20
|
Johannes Jakob wrote:
> l2tpns... not more than 4 hours later I had a completely new LNS setup
> for terminating DSL connections with working multilink for two of our
> carriers (thanks to Mouhammad Tayseer Alquoatli for his work on the
> multilink patch!)

Can I ask which specific patch(es) you've used for multilink support, please?
|