Bay Networks Bay Dial VPN: download user manual, page 1

February 1998

Remote Annex Software Version 14.1
BayStream Multiservice Software Version 7.2
BayStream Site Manager Software Version 7.2

Configuring and Troubleshooting Bay Dial VPN Services (DVS)

Bay Dial VPN contents

Page 1: ...February 1998. Remote Annex Software Version 14.1. BayStream Multiservice Software Version 7.2. BayStream Site Manager Software Version 7.2. Configuring and Troubleshooting Bay Dial VPN Services (DVS) ...

Page 2: ... RAC, Remote Annex, System 5000, and the Bay Networks logo are trademarks of Bay Networks, Inc. Microsoft, MS, MS-DOS, Win32, Windows, and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners. Statement of Conditions: In the interest of improving internal design, operational function, and/or reliability, Bay Netwo...

Page 3: ...therwise disclose to any third party the Software or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee's facility, provided they have agreed to use the Software only in accord...

Page 4: ...manuals will cease being effective at the date of expiration of the Bay Networks copyright; those restrictions relating to use and disclosure of Bay Networks confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any...

Page 5: ...twork 1-6; Customer Premise Equipment (CPE) 1-6; RADIUS Authentication Server 1-7; Dial VPN Network Planning Worksheet 1-7; At the Dial VPN Service Provider's Site 1-8; For Each Destination Site 1-9; For Each Remote Node 1-10; Additional Planning Information 1-11; Where to Go Next 1-11. Chapter 2, Dial VPN Network Concepts: What is Tunneling? 2-1; Implementing Dial VPN at Your Site 2-2; How Tunnel Management Work...

Page 6: ...n Information 3-2; Additional Configuration Considerations 3-3; Configuring the IP Interface 3-3; Configuring the Dial VPN Network Software 3-4; Configuring Local Authentication Using the ACP 3-5. Chapter 4, Configuring the Remote Annex: Installing and Configuring the Annex Software 4-2; Loading Software and Booting the Annex 4-7; Configuring Active RIP 4-8; Defining Routes 4-8; Configuring the Annex to Adve...

Page 7: ...Setting Up Dial VPN to Use IPX 8-3; Configuring the Dial-In Node for IPX 8-3; Configuring the Network Access Server for IPX 8-4; Configuring IPX on the CPE Router with Site Manager 8-5; Configuring the CPE Router Frame Relay Connection with IPX 8-7; Configuring Standards-Based IPX (IPXCP) 8-8; Configuring IPX on the Customer Network RADIUS Server 8-8. Chapter 9, Requirements Outside the Dial VPN Network: Con...

Page 8: ...e Problems 11-8; Getting a Snapshot of the Current Status 11-9; Troubleshooting Specific Protocols 11-15; Troubleshooting a Site Manager Problem 11-15; Troubleshooting Remote Annex Problems 11-16; Tracing a Packet's Path at the Remote Annex 11-22; Troubleshooting Tunnel Problems 11-24. Appendix A, Additional Planning Information. Appendix B, Syslog Messages: Remote Annex Syslog Messages B-1; TMS Syslog Messag...

Page 9: ...115623-B Rev. 00, BayStream Multiservice Software Version 7.2, ix. Configuring Active RIP C-9; Defining Routes C-9; Configuring the Annex to Advertise RIP Updates C-9; Glossary; Index ...


Page 11: ...Encapsulation and Decapsulation Process 2-14; Figure 2-5, Sending a Packet to a Remote Node 2-17; Figure 2-6, Static Routes from a CPE Router to a Dial VPN Gateway 2-18; Figure 6-1, Simplified Dial VPN Network 6-2; Figure 6-2, Message Exchanges Supporting RADIUS TMS Operations 6-4; Figure 8-1, Dial VPN Network Using IPX 8-2; Figure 9-1, Static Route Between the CPE Router and the Gateway 9-2; Figure 10-1, Dial ...


Page 13: ...nts 6-10; Table 11-1, Problem Symptoms and Likely Causes 11-6; Table 11-2, Remote Annex Troubleshooting Chart 11-17; Table A-1, Network Information Worksheet A-1; Table B-1, Remote Annex Syslog Messages Relevant to Dial VPN B-1; Table B-2, TMS Syslog Messages B-4; Table C-1, Configuring Dial-In Ports (Quick2Config Annex) C-2; Table C-2, Configuring Dial-In Ports Using Annex Manager C-3; Table C-3, Setting Remote An...


Page 15: ...tabase for an erpcd-based network: Chapter 5. Configure the tunnel management database for a RADIUS-only network: Chapter 6. Configure the gateway: Chapter 7. Configure IPX as the routing protocol: Chapter 8. Configure the Bay Dial VPN requirements outside the service provider network: Chapter 9. Manage a Bay Dial VPN services network: Chapter 10. Troubleshoot a Bay Dial VPN services network: Chapter 11. Consid...

Page 16: ...dinfo command. Example: ATM DXI Interfaces PVCs identifies the PVCs button in the window that appears when you select the Interfaces option from the ATM DXI menu. Brackets: indicate optional elements; you can choose none, one, or all of the options. Ellipsis points: horizontal and vertical ellipsis points indicate omitted information. Italic text: indicates variable values in command syntax descriptions, new ...

Page 17: ...DTE: data terminal equipment. DLCI: Data Link Control Interface. DNIS: domain name information server. erpcd: expedited remote procedure call daemon. FTP: File Transfer Protocol. GRE: Generic Routing Encapsulation protocol. GUI: graphical user interface. IETF: Internet Engineering Task Force. IP: Internet Protocol. IPCP: Internet Protocol Control Protocol. IPX: Internet Packet Exchange protocol. IPXCP: Internet Packet E...

Page 18: ... Go to support.baynetworks.com/library/tpubs. Find the Bay Networks products for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Using Adobe Acrobat Reader, you can open the manuals and release notes, search for the sections you need, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Sy...

Page 19: ...y Networks Technical Solutions Centers (Region / Telephone number / Fax number): United States and Canada: 800-2LANWAN, then enter Express Routing Code (ERC) 290 when prompted to purchase or renew a service contract; 978-916-8880 (direct); fax 978-916-3514. Europe: 33-4-92-96-69-66; fax 33-4-92-96-69-96. Asia/Pacific: 61-2-9927-8888; fax 61-2-9927-8899. Latin America: 561-988-7661; fax 561-988-7550. Technical Solutions Center Telephone n...

Page 20: ...y Networks products. Training programs can take place at your site or at a Bay Networks location. For more information about training programs, call one of the following numbers (Region / Telephone number): United States and Canada: 800-2LANWAN, then enter Express Routing Code (ERC) 282 when prompted; 978-916-3460 (direct). Europe, Middle East, and Africa: 33-4-92-96-15-83. Asia/Pacific: 61-2-9927-8822. Tokyo and Japan...

Page 21: ... secure virtual direct pathway between two endpoints. The process of encapsulating and decapsulating the datagram is called tunneling, and the encapsulator and decapsulator are considered the endpoints of the tunnel. In this case, a tunnel is the pathway between the network access server (NAS) that receives the remote user's call and the gateway that connects to the remote user's home network through a ...

Page 22: ...ayStream Site Manager. All the features of Remote Annex and of BayStream are available on your Dial VPN system. How a Dial VPN Network Functions: Any authorized remote user using a PC or dial-up router who has access to a phone line and a modem can dial into your network through Dial VPN. A remote node can be an individual user dialing in using IP or IPX, or a dial-up router using IP, using either a pub...

Page 23: ...y ISP by calling a phone number associated with that destination network. The network access server handles the call. The service provider's network uses a standard IP connection between the remote access server (shown here as a 5393 module in a 5000 MSX chassis) and the gateway. A frame relay PVC and a static route must exist between the gateway and the customer premise equipment (CPE) router to provide...

Page 24: ...hey essentially provide a checklist of components that you may want to have in your Dial VPN network. Remote Dial-In Node(s): Remote nodes can be laptop PCs, portable hosts, or dial-up routers using PPP for dial-up connections. The portable host must have PPP client software and a TCP/IP or IPX protocol stack loaded. Dial VPN supports either dial-up IP or IPX over PPP for dial-in PC clients, and IP over P...

Page 25: ...he endpoint of the IP-routed tunnels that transport GRE-encapsulated packets originated by remote nodes and encapsulated by the NAS. The gateway also connects to the frame relay network between the service provider's network and the user's home network. The gateway is the data terminal equipment (DTE) for frame relay PVCs connecting to multivendor RFC 1490-compliant routers on the customer premises by...

Page 26: ...S database. The NAS and the RADIUS server communicate using IP over the service provider network. The TMS database lets the NAS query for the addressing information it needs to construct the IP tunnel. This query is based on the user domain name and on the policy and state information of the enterprise customer account when the remote user dials in. As a Dial VPN network administrator, you must provide...

Page 27: ... virtual circuit towards the CPE, which receives the authentication request and forwards it to the RADIUS server. Once the user is authenticated, the RADIUS server grants access to the remote node by returning an authentication accept packet with RADIUS authorization information to the gateway through the CPE. The gateway then forwards the user authorization to the NAS, which initiates an IP tunnel to ...

Page 28: ...nnex 6300/5393 ___ Remote Access Concentrator 8000/5399. What is the IP address of the network port on the NAS? _____________________________________________________ What type of Bay Networks gateway platform are you using? ___ ASN ___ BCN ___ BLN or BLN-2 ___ 5380 in a System 5000 MSX chassis. On the gateway, what is the IP address of the gateway interface to your IP network? __________________________...

Page 29: ...IP address ____________________________________________ If this is an erpcd-based configuration, on what UNIX workstation do the TMS and the local authentication server (ACP) reside? Name __________________________________________________ IP address ____________________________________________ If this is a RADIUS-only configuration, list the IP address of the RADIUS TMS server: Name ____________________...

Page 30: ... static route between the CPE router and the RADIUS client on the gateway: What is the IP address of the RADIUS client to which you want to configure the static route? _______________________________________ What is its subnet mask? ________________________________________ For the static route between the CPE router and the remote node: What is the IP address of the RADIUS client to which you want to ...

Page 31: ...ot have enough information yet to complete this table, but if you fill it in as you go along, it will provide documentation for your network. You may also find this information useful when changing or troubleshooting your network. Where to Go Next: For a description of how a packet moves through a Dial VPN network and other background information that can help you visualize the data flow through the ne...


Page 33: ...change data with their corporate home network. Regardless of where a remote node is located, it can dial in to its Dial VPN service provider and connect to the home network. What is Tunneling? Tunneling is a way of forwarding multiprotocol traffic and addresses from remote nodes to a corporate network through a Dial VPN service provider's IP backbone network. GRE is the tunneling mechanism. It takes an ...

Page 34: ...h of the packet through the tunnel, and the BAYDVS service provider network is the ISP network. Figure 2-1, The Path of a Packet. Implementing Dial VPN at Your Site: To implement Dial VPN at your site, first connect and configure the components to ensure proper operation. The steps that follow suggest a possible order for configuring your network. For detailed information on each of these steps, refer to C...

Page 35: ...intermediate nodes. For installation and startup information, refer to the hardware documentation for each device. Establish a remote connection between a gateway on the Dial VPN network and a CPE router on the home network using frame relay. 2. Install the Tunnel Management System (Annex) and, for the erpcd-based solution, Access Control Protocol software on the UNIX host that serves as the load host for ...

Page 36: ... the TMS database. Refer to Chapter 5 for more information. When configuring the TMS, you can choose either local or remote authentication. For both the erpcd-based and RADIUS-only solutions, Dial VPN uses remote authentication; that is, a RADIUS server on the customer's home network provides authentication and assigns IP addresses. 7. Configure the gateway, including the RADIUS client, using Site Manager. Co...

Page 37: ...st as the Annex erpcd and Access Control Protocol (ACP) software. TMS verifies that the user at the remote node is a Dial VPN user. If the domain portion of the username exists in the TMS database, ACP increases the number of current users by one and sends a Grant message to the Remote Annex. The Grant message contains the tunnel addressing information needed to send a packet from the remote node to the...

Page 38: ... 5 for more information about the contents of the TMS database. How the TMS Database Works: The TMS database (by default, UNIX ndbm) resides in the Tunnel Management Server, which resides on the service provider's network. The main function of this database is to verify the username or domain information supplied by the NAS. It also supplies the NAS with the tunnel addressing information in the Grant mess...

Page 39: ...ests one. Based on RFC 1541 and its extensions, DHCP not only provides a scalable method of dynamically allocating IP addresses to remote users, it also provides a way of managing the IP addresses dynamically assigned to dial-in users. The Bay Networks implementation of DHCP supports: standard DHCP operation as described in RFC 1541; interoperation with standard DHCP servers; use of both primary and seco...

Page 40: ...dware address. The DHCP server leases an IP address to each dial-in user and dynamically maintains a table that links a user's IP and MAC addresses. For users who need a fixed IP address, a network manager can also specify a permanent assignment. A single NAS can communicate with and maintain DHCP leases with up to as many DHCP servers as there are ports on the NAS (up to 48 or 62, depending on the mode...

Page 41: ...[Figure DVS0009B: message exchange between the NAS, the DHCP server, and the RADIUS server. Message labels: Auth Req; CHAP completion; Connect; NCP negotiation; Disconnect; Terminate msg; MIP authentication request/response; Open Communication; MIP registration request/response; MIP DAA request/response; Acct Start; Acct Stop; MIP terminate request/response; Auth Resp w/ info; DHCP discover request; DHCP response (ack); Acct R...]

Page 42: ...n of the connection. RADIUS also maintains a database of assigned addresses. This prevents duplicate assignments if the server fails. When the connection ends, the released IP address returns to the pool at the end of the assignment queue. To implement dynamic IP address allocation, Dial VPN requires that the program BaySecure be installed on the RADIUS server on the customer's home network. BaySecure is...

Page 43: ...nnections does not exceed the maximum number of users allowed. If the user is not a tunnel candidate, the NAS first treats the request as a proxy RADIUS request and attempts to authenticate this user in the usual way. Refer to the description of proxy RADIUS in the BSAC Administration Guide for your platform. 4. If the dial-in request is a tunnel candidate, the NAS starts the authentication process and ...

Page 44: ...o the gateway. If the home network is configured to assign IP addresses using RADIUS, either statically or dynamically, the RADIUS server performs the address allocation. If the RADIUS administrator has allocated a pool of assignable IP addresses for dial-in users, and if the RADIUS client on the gateway is configured for dynamic IP address assignment, the RADIUS server assigns an address from that pool...

Page 45: ...xt sections explain how a packet moves through a Dial VPN network and returns to the remote node. Figure 2-4 shows the process. As the packet moves from the remote node to the home network, different pieces of the Dial VPN network must encapsulate (add) and decapsulate (strip off) the protocol-specific envelope around the data packet. ...

Page 46: ...[Figure 2-4 (DVS0003A), Packet Encapsulation and Decapsulation Process. PPP packet from the remote node to the Remote Annex: Flag, Address, Control, Protocol, Data, FCS, Flag. GRE packet from the Remote Annex to the gateway: flag bits C, R, K, S, s, Version, Protocol Type, Tunnel ID, Data. Frame Relay packet from the gateway to the CPE router: Opening Flag, Address Information, Control, Data, FCS, Closing Flag. The data packet then moves onto the home network.] ...

Page 47: ...ata and the Frame Check Sequence that shows the sequence order of the frame. Refer to the BayStream manual Configuring Dial Services for more information about the PPP packet. 2. The NAS strips off the PPP protocol-specific fields and encapsulates the data into a GRE packet. The GRE packet can move through the IP tunnel to the gateway. The GRE packet contains checksum information and flag bits to indic...

Page 48: ...e CPE router on the corporate home network. 5. The CPE router decapsulates the frame relay information and routes the data to the intended recipient on the home network. How a Packet Returns to the Remote Node: To send packets from the home network to a remote node, Dial VPN essentially reverses the process described in the previous section. The tunnel ensures that packets from the corporate home networ...

Page 49: ...fect on the actual packet routing. Figure 2-6 shows the static routes used to return data from a home network to a gateway on the Dial VPN network. The gateway sends the GRE packet to the remote node's care-of address on the NAS, and the NAS forwards the packet to the remote node. [Figure DVS0013A labels: Tunnel; Network access server (NAS); Gateway; PPP connection; Service provider network; Frame Relay connection; Customer ...]

Page 50: ...isconnects. Either the NAS or TMS is not operating properly. Tunnel renewal fails. The administrator terminates the user connection. If the NAS fails, all tunnel users are disconnected and the active user counts are decremented. However, there is no quick way to determine when a NAS fails. The logging connection may not be reset until after new tunnel users have connected. When a NAS starts, one of the firs...

Page 51: ...ace while tms_dbm is running, the user sees an error message. The error message may not state what caused the error. If there is a shortage of disk space and erpcd cannot create a lock file or add a NAS to the TMS database, TMS generates a syslog message and the user cannot make a connection to the NAS. Note: If you enter the reset security command, a new user who tries to make a connection with the NAS ...


Page 53: ...re Requirements: To set up a Dial VPN network, you must install at least the following hardware: a network access server, which can be a Remote Annex 4000, 6100, or 6300, a Remote Access Concentrator 8000, or a corresponding 5390, 5391, 5393, or 5399 processor in a 5000 MSX chassis; a UNIX host for the TMS and the ACP server, if this is an erpcd-based network; a Bay Networks BayStream gateway, which can be an AS...

Page 54: ...er. Troubleshooting other BayStream problems: Troubleshooting and Testing. Installing the Remote Annex or Remote Access Concentrator and adding or replacing hardware: the installation manual for the specific Remote Annex or Remote Access Concentrator that you are installing. Overview of Remote Annex or Remote Access Concentrator software and startup options: Remote Annex Administrator's Guide for UNIX o...

Page 55: ...tion principles, however, apply to each element. Refer to the installation instructions in the hardware installation guide for the specific Remote Annex or Remote Access Concentrator being installed. Additional Configuration Considerations: You must also load the boot image software and configure the following: modem ports; individual and group security access rights for dial-in; remote routing to other networks; ac...

Page 56: ...iguring the Dial VPN Network Software: You install the software and configure each of the Dial VPN software components separately. Install and configure the software on the Remote Annex or Remote Access Concentrator. Install and build the Tunnel Management database and, for an erpcd-based network, the Access Control Protocol database on the server(s). Install and configure BayStream software on the gatew...

Page 57: ...sample1 chap_secret annex end. 2. Similarly, if you are using PAP, you create a file called acp_passwd for PAP. acp_passwd for PAP: If you are using CHAP as your authentication protocol, you need to set the PAP password only if you enable CHAP with PAP fallback. The following sample entry shows an encrypted acp password for PAP: sample1:IQ3Qo0HXrsUoM:501:500:sample1:/users/user1:/bin/csh. The user cannot ente...

Page 58: ...p_password information. Security for CHAP and PAP: acp_dialup information for IP and IPX addresses. For a complete description of ACP security, refer to the following documentation: Remote Annex Administrator's Guide for UNIX; Remote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX; Managing Remote Access Concentrators Using Command Line Interfaces ...

Page 59: ...he device. Table 4-1, Where to Find Configuration Information (For information on / Refer to this document): Using the Annex Manager to configure the Remote Annex: Appendix C, Using Quick2Config and Annex Manager. Using the Annex Manager with Remote Access Concentrators: Managing Remote Access Concentrators Using Annex Manager. Remote Annex configuration and administration procedures and a detailed descriptio...

Page 60: ... the network configuration differs from the default values. Refer to the hardware installation guides for the Remote Annex or Remote Access Concentrator being installed for the list of the ROM Monitor commands and their default values. 2. Boot the Annex software (standard installation). The Annex (used generically here to indicate either the Remote Annex or the Remote Access Concentrator) gets its operati...

Page 61: ...ote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX; Managing Remote Access Concentrators Using Command Line Interfaces. Set the primary preferred security host to the address of the primary TMS server. You can also designate the secondary TMS server, if any, as the secondary preferred security host. Accept the default value if the optional secondary security host is not in use. ...

Page 62: ...d from the modems annex file (default path /usr/spool/erpcd/bfs). You can list the modems in the modems annex file using the modem -l command on the Annex. On a Remote Annex 4000/5390, enter the following configuration command sequence from the na or admin prompt: set annex enable_security y; set annex pref_secure1_host <ip address of TMS host (ACP or BSAC)>; set annex pref_secure2_host <ip address of secondary ...

Page 63: ... for sessions (calls) based on dialed number, calling number, and call type. Each incoming call is compared against each SPB in order until there is a match. If no match exists, the Annex rejects the call. pri: The following SPB causes the Remote Annex 6300/5393 to answer all voice-bearer calls with a modem: begin_session modem / bearer voice / call_action modem / set mode auto_detect / end_session. The following SP...

Page 64: ...t the annex prompt. 6. Enable syslogging. This is not required, but it is very useful in troubleshooting. Appendix B, Syslog Messages, presents information on syslogs. From the na or admin prompt: set annex syslog_mask debug; set annex syslog_host <ip address of syslogging host>. To enable logging in an erpcd-based system, enable erpcd syslogging and create the appropriate log files on the host, then restart the...

Page 65: ...t manual that explain the reasons for and consequences of making such changes. 8. Reboot the Annex. After booting the Annex, use the ping command at the annex prompt to ensure that connectivity to the gateway exists. If not, check the routing table using the netstat -r command and your configuration. Loading Software and Booting the Annex: To set the preferred load host, enter the following sequence of comm...

Page 66: ...subnet address. In this case, enter the gateway's address using the ROM Monitor addr command. The Annex automatically adds this gateway to its routing table. Configuring Active RIP: The following section assumes you have read the sections on active and passive RIP in the Remote Annex Administrator's Guide for UNIX. Active RIP is enabled by default. Once active RIP is enabled, both passive and active RIP a...

Page 67: ... 1 and/or RIP 2 Updates: By default, active RIP sends RIP version 2 updates to the IP broadcast address so that both RIP 1 and RIP 2 systems can receive them. This assumes that rip_send_version is set to compatibility, which is the default. It also assumes the routers on your network accept both RIP 1 and RIP 2 updates. Although discarding RIP 2 updates violates the RIP 1 RFC (RFC 1058), some RIP implementatio...


Page 69: ...tration and configuration of the tunnel happens at the service provider's site. An administrator at the service provider site must configure the tunnel with various attributes: its destination IP address, the security protocols it supports, its password, and so on. These attributes are stored in the tunnel management system (TMS) database. Dial VPN offers two ways of managing and using the TMS database...

Page 70: ...m program to create these entries as a file in /usr/annex, the security directory. Alternatively, you can create a text file of entries using the syntax format that follows. These entries are really TMS commands. You can either type them at the UNIX command prompt or copy them from a text file and paste them at the UNIX command line prompt. Create one TMS entry for each domain name that you want to authe...

Page 71: ...l. If you do specify the hwalen parameter, use the actual length in bytes of the hexadecimal value of the DLCI number (the hardware address). For example, if the DLCI is 101 (that is, 0x65), the hardware address length is 1 byte. For a hardware address of 400 (0x190), the hardware address length is 2 bytes. If you omit the hwalen parameter, tms_dbm derives the length from the value of the hwaddr parameter. If, for ...

Page 72: ... Command / Description: add: Creates a new TMS database entry. Returns an error if the entry already exists. clear: Removes the specified information. Using clear with the rases argument sets the current user counts to zero and deletes the RAS list. Using clear with all clears the RASes and stats. Returns an error if no matching entry exists, not if you clear an already-cleared entry. delete: Removes an existi...

Page 73: ...elp command. remove: Removes from the database the IP address of a RAS that is no longer in use. Decrements the total active user count for each domain/DNIS pair for which there is an active user count for the specified RAS. Use this command if you remove a RAS from service. show: Displays the specified database information; returns an error if no matching entry exists. Note: In addition to the parameters ...

Page 74: ...erpcd source code and rebuild. Required for all commands but help, for which it is optional. With rekey, you must specify domain new_domain and dnis new_dnis along with the original domain and dnis. te te_addr: Specifies the IP address of the frame relay port on the gateway in which the tunnel endpoint (te) resides. The address 0.0.0.0 is not valid. This is the tunnel endpoint nearest the remote user's home network. ...

Page 75: ...teway and the CPE router. For Dial VPN, hwtype must be fr (frame relay). If not specified, the gateway is the CPE router. hwaddr is a link address associated with the network. If hwalen is four bytes or less, you can specify this as a decimal number; TMS converts it to a hexadecimal number. To specify this value as a hexadecimal number, prefix the number with 0x. For a frame relay connection, this argument ...

Page 76: ...y. Not used for other commands. sauth secondary_authentication_server_addr: Specifies the IP address of the secondary authentication server. You must not specify a secondary server without specifying a primary server. Optional for add and modify. Not used for other commands. pacct primary_accounting_server_addr: Specifies the IP address of the primary accounting server. This is usually the address of the...

Page 77: ...red for add and modify. Not used for other commands. acctp accounting_protocol: Specifies the accounting protocol used between the gateway and the accounting server. The only valid value is radius. Specify none to disable accounting. If you specify this protocol, you must also specify a primary server. Required for add and modify. Not used for other commands. addrp dynamic_address_allocation_protocol: Speci...

Page 78: ...f suff (prefix/suffix). takey is the key that the authentication algorithm uses. It can be up to 64 hexadecimal characters (0-9, A-F, a-f) in length. spi is optional for add and modify. Not used for other commands. If you specify spi for tunnel authentication, all three ta arguments are required for add and modify. If you specify the ta arguments, you must also specify the spi value. The spi/takey combination in...

Page 79: ...remote access servers that have active connections to the specified domain and the number of users connected to each RAS. Clearing rases sets the current user counts and RAS list to 0. Showing stats displays the number of GRANTs and DENYs. Clearing stats resets the GRANT and DENY counters to 0. Showing ordered displays the current list of remote access servers sorted in ascending order. Showing all dis...

Page 80: ...Messages: TMS, like the other elements of Dial VPN, writes its system and error messages to the system log file (syslog). These messages are interspersed with other syslog messages in chronological order of occurrence. TMS on an erpcd-based network uses the auth facility. For the complete list of syslog messages, refer to Appendix B, Syslog Messages. ...

Page 81: ...her process the authentication. How It Works: Upon receiving a call from a remote user, the NAS determines whether the call is from a tunnel user. The RADIUS server on the service provider's network recognizes the format of the VPN identifier in the user name and returns tunnel information to the NAS. The TMS database specifies: where dial-in user authentication takes place; which servers authenticate dial-i...

Page 82: ... particular user from a particular client. If this count exceeds the specified limit, the RADIUS server rejects the authentication request. The resource tracking starts with the authentication request. The server uses RADIUS accounting information to confirm and decrement the count. The NAS recognizes the returned tunnel attributes of the authentication request and passes the information to its interna...

Page 83: ...he remote node and the customer's home network when the RADIUS server on the service provider's network maintains the TMS database. In this dialogue, the Access-Request message from the NAS is the standard access request for an incoming call. The provider RADIUS TMS server detects whether this is a tunnel candidate by parsing the Username and Called-Number attributes. If it does not find a valid domai...

Page 84: ... [Figure DVS0015A: message sequence between the Annex NAS, the provider RADIUS server, the BNX gateway and the customer RADIUS server: Access request / Access response w/ Tunnel info, Access req / CHAP complete, Session start, Acct req start / Acct resp, NCP negotiation, MIP auth req / MIP auth resp w/ info, Auth resp w/ info, MIP registration req / MIP registration resp, Open Communication, Disconnect, MIP terminate msg / MIP terminate response, Acct re...]

Page 85: ...te authentication server s for this user Accounting server the remote accounting server s for this user Using RADIUS Accounting The NAS logs the tunnel bound link sessions to the local provider s RADIUS server This information does reflect the usage of the NAS ports but it is different from the customer that is the user s home network information in that it may not reflect link aggregation and it ...

Page 86: ...o the provider s RADIUS server Table 6 1 Service Provider Accounting Messages Message Type Field Name Contents User Start Message Acct Status Type Start NAS IP Address Port Port Type Connection origination of call Username The original contents of the user field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Dial VPN on...

Page 87: ... field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Dial VPN only DVS is valid Tunnel Media Type IP Acct Client Endpoint A string containing the IP address of the accounting client system and possibly other system specific identifiers Tunnel Server Endpoint A string containing the IP address of the tunnel server the c...

Page 88: ...e Virtual Username The original contents of the user field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Bay Dial VPN only DVS is valid Tunnel Media Type IP Acct Client Endpoint Provider NAS IP address A string containing the IP address of the accounting client system and possibly other system specific identifiers Tunn...

Page 89: ...tents of the user field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Bay Dial VPN only DVS is valid Tunnel Media Type IP Acct Client Endpoint A string containing the IP address of the accounting client system and possibly other system specific identifiers Tunnel Server Endpoint A string containing the IP address of th...

Page 90: ...alled station id 555 1212 dnis 555 1212 ID should be unique to the tunnel definition Maximum open tunnels default unlimited integer maxu unlimited integer Tunnel Type dvs tutype dvs Tunnel Server Endpoint 200 11 11 11 fr 0x0070 200 11 11 11 fr 120 te hwtype hwaddr hwalen no longer needed 200 11 11 11 fr 0x0070 200 11 11 11 fr 0x0070 BSAC properly recognizes the hardware address in various hex len...

Page 91: ...C server This attribute is not used if the IP Pooling feature on the authentication server is active for same tunnel BSAC only and only for non MP calls Tunnel Password 32 HEX chars takey 32 HEX chars Make sure dictionary is set for HEX values on this attribute Annex Sec Profile Index 1234 spi 1234 If no spi or spi 0 then tatype tamode takey or their RADIUS equivalents are not needed Annex Tunnel...


Page 93: ...1 Using Site Manager select the module and slot that you want to configure 2 Add the circuit that you re going to configure on that interface 3 Select frame relay as the WAN protocol in the WAN Protocol window This enables frame relay on the interface you just selected You can customize frame relay later to suit your system s requirements 4 Select Mobile IP as the Layer 3 protocol in the Select Pr...

Page 94: ...guration Manager window select Protocol IP Mobile IP Security The Edit Mobile IP SPIs window opens from which you can set the security parameters a Add or set the Security Parameter Index SPI value The SPI is a value that uniquely identifies a set of keys used to apply security to messages that contain this value The SPI value is an integer in the range 256 through 65535 Setting the SPI value and ...

Page 95: ...able c If you want to enable dynamic IP addressing set the Dynamic Client Addressing parameter to Enable You must also ensure that the corresponding RADIUS server is configured to support dynamic IP address assignment and has a pool of assignable addresses d Specify the IP address of the RADIUS client e Accept the default values for all other parameters and click OK This returns you to the Dial VP...

Page 96: ...changes When you respond you return to the Dial VPN RADIUS window Keep clicking on Done until you reach the Configuration Manager window The RADIUS client configuration is now complete Note There can be only one RADIUS proxy client per slot and the slot must contain synchronous ports configured as frame relay Only one home agent can be configured per frame relay interface ...

Page 97: ...ameters needed on each component of the network Figure 8 1 shows the Novell network addresses assigned in this example The Dial VPN components of the network shown in Figure 8 1 consist of A laptop computer equipped with a PCMCIA modem configured to support IPX over PPP using the IPX Control Protocol IPXCP A Remote Annex Model 5393 residing in a System 5000 MSX chassis The Remote Annex acts as the...

Page 98: ...nager 132 245 54 20 root vega Bench 10 TMS erpcd 132 245 54 9 root lima Annex Tms Console 132 245 55 15 Bench 13 Laptop computer 10 251 0 1 255 255 0 Phone 9 838 7929 Username Password Domain Telos Adtran 5393 1132 245 54 54 Console 132 245 54 244 5008 Encryption SPI______ 256 65535 Key____ 32 Hex digits TACO 5380 Router E1331 132 245 54 110 Internal IP address 11 3 0 1 S1312 FRCP 11 3 0 2 DLCI 10...

Page 99: ...ndows NT and DOS or Windows running FastLink II Configuring the Dial In Node for IPX Assuming that the dial in user is running a PC under Windows 95 the following steps describe how to configure the PC as a dial in node In the following descriptions the term Click refers to the right mouse button unless otherwise specified 1 Click on the Network Neighborhood icon 2 On the drop down menu click Prop...

Page 100: ... based IPX over PPP by means of the IPX Control Protocol IPXCP This lets a remote PC user dial into a NAS as an endpoint node on an IPX network The dial in user can also simultaneously run TCP IP over the same dial up connection Network access support of IPX is a software keyed feature that can be added to a basic unit or that is included with the Enterprise Feature Set The first step in configuri...

Page 101: ...network The following steps describe how to use Site Manager to configure IPX on a Bay Networks CPE router If the CPE router is not a Bay Networks device refer to the manufacturer s configuration instructions 1 From the Site Manager window use the Tools menu to select Configuration Manager in dynamic mode The path is Site Manager Tools Configuration Manager Dynamic 2 Click the interface on which y...

Page 102: ... encapsulation is correct for the interface you are configuring Click OK to accept your selection For example Figure 8 1 shows an Ethernet interface for this circuit so ETHERNET_II is the correct encapsulation type To see the list of valid values click Values The following list shows the relationship between interface types and encapsulation types 7 Click on File Exit to return to the main Configu...

Page 103: ...figuration Manager Dynamic 2 Click the interface that you want to configure This example configures frame relay on the circuit designated COM1 The Edit Connector window appears 3 Click Edit Circuit The frame relay Circuit Definition window appears 4 Click Services The frame relay Service list window appears 5 From the Protocols menu select Add Delete 6 Click the check boxes for the IPX and RIP SAP...

Page 104: ...es apply to configuring BSAC for other platforms To add IPX protocol support on the BSAC RADIUS server you must use a UNIX editor to edit the user s file in the directory etc raddb default and insert the following text Framed IPX Network 00 171 205 239 This is the dotted decimal equivalent of the hexadecimal address 00ABCDEF You can use the Windows 95 accessory Calculator in scientific mode to do ...

Page 105: ...ay Access WAN link s Novell network number so that no static routes are required The router knows the correct frame relay DLCI associated with that Novell network number because it is the router s synchronous interface Note To determine the value for the ipx_frame_type at the Novell server you can examine the AUTOEXEC NCF file or issue the Novell console command PROTOCOL The Novell command loadins...


Page 107: ...DIUS server software that supports Dial VPN The RADIUS server and the RADIUS client on the gateway must share the same primary secret Configuring the CPE router at the home destination network for frame relay and for Bay Networks routers an adjacent host and appropriate DLCIs For any CPE router there must also exist a static route from the CPE router to the RADIUS client on the gateway and a stati...

Page 108: ...home network and the Dial VPN gateway to ensure that responses sent to the remote node reach their intended recipient If the CPE router is a Bay Networks router it must also be configured with the gateway as an adjacent host Cisco routers use a different addressing scheme and therefore do not require that you configure an adjacent host Figure 9 1 shows a simplified view of a Dial VPN network with ...

Page 109: ...nage and configure the router You can use a cell based ASCII terminal or a PC running terminal emulation connected to the console port of the router to run the script file install bat to change the IP address of the router s initial startup interface The install bat file steps through the minimal configuration questions needed to manage the router with Site Manager Once the router can talk with Si...

Page 110: ... Enter an appropriate subnet mask in the Subnet mask field 9 If appropriate enter a transmit broadcast address or accept the default value then click OK 10 On the main Configuration Manager window click the COM port connector button select Edit Circuit then select Interfaces 11 On the frame relay Interface List window make sure that the Management Type parameter is set to ANSI T1 617D When finishe...

Page 111: ...er than to the real address of the gateway router Then when the static route entries to the gateway router destination network of 11 3 0 0 are entered you can use the pseudo address 10 200 0 100 as the next hop address The adjacent host entry will come into play and tell the CPE router to get to that network it must send the traffic out DLCI 200 For a Bay Networks router the complete static route ...

Page 112: ...e adjacent host The physical address of the adjacent host DLCI number The adjacent host s encapsulation method in this case Ethernet Configuring a Static Route Between the CPE and the Gateway If you use Site Manager to configure a static route on the CPE at the user s home network we suggest that you accept the default parameter values where possible Use the path Configuration Manager Protocols IP...

Page 113: ...st important Dial VPN considerations in configuring the frame relay parameters If you are using Site Manager you can accept the default values for most frame relay parameters Do not change the Service Name parameter value that the router assigns Put all frame relay PVCs running virtual private network services that is Dial VPN in one service record Do not mix them with other routed PVCs in the sam...

Page 114: ... configure it The steps in general are 1 Configure each NAS to act as a RADIUS client Each NAS must be configured with the IP address of the BSAC server a secret password that is shared with the server and the make model of the NAS 2 Ensure that the machine on which you are running BSAC has the IP protocol configured 3 Run the BSAC Administrator program 4 Connect to your BSAC server using the defa...

Page 115: ...lement to the Remote Annex Administrator s Guide for UNIX BaySecure Access Control Administration Guide the version specific to your operating system Managing the Dial VPN network involves among other things the following standard network management activities Configuring the network components as described in previous chapters Monitoring traps events and statistics Managing the network files incl...

Page 116: ...h a PC and a PPP connection dial in to a network access server NAS at the edge of the Dial VPN network 2 The NAS sends a TMS lookup request to the TMS server asking whether this is an authorized tunnel user 3 The Tunnel Manager sends a TMS lookup reply to the NAS Assuming that this is a legitimate tunnel user the authentication process continues Otherwise the NAS may apply local authentication pro...

Page 117: ...ified and apply this profile to many users at once The Current Users display identifies the active users and their assigned IP addresses so RADIUS administrators can tell which user has which address In addition the administrator can release any assigned address that is no longer in use by selecting that address and clicking Clear Assigning Addresses All available IP addresses are in a queue The f...

Page 118: ...rk Each service that the NAS provides to a dial in user constitutes a session the beginning of the session is the point at which service is first provided and the end of the session is the point at which the service ends A user may have multiple sessions in parallel or series if the gateway supports that with each session generating a separate start and stop record with its own Session ID Figure 1...

Page 119: ... sends that information to the RADIUS [Figure: message sequence among the Remote Node, Local Node, Accounting Server, RAS, TMS and Gateway: LCP negotiation, CHAP initiation, Auth Info Req, Auth Req, Grant w/ info, CHAP completion, Connect, Addr Rel, NCP negotiation, Acct Start, MIP authentication request / Response, Open Communication, MIP registration request / MIP DAA response, Disconnect, Terminate msg, MIP terminate request / MIP terminate response, Acct Stop] A...

Page 120: ...acket it does not send an acknowledgment to the client Upgrading and Changing Your Dial VPN Network You add new devices to the network and establish new CPE connections using the same procedures that you used originally to set up your network For configuration procedures refer to Chapters 3 through 9 Be sure to update the network information in your worksheets for future reference For information ...

Page 121: ... UNIX Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Managing Remote Access Concentrators Using Command Line Interfaces BaySecure Access Control Administration Guide for your particular operating system The documentation associated with the router software you are using What s in This Chapter This chapter summarizes troubleshooting information from a variety of sou...

Page 122: ...eature for the first time test it at a time or on a node that minimizes disruption to the network After verifying the change make the change and verify it on one node at a time in the network This will help you isolate and solve any problems that may occur as the result of the change 3 Select the proper tool for configuring the elements of your Dial VPN network When you create a new configuration ...

Page 123: ...storing files of that type For example if you change a BayStream platform s software image or configuration file save the file to each memory card that contains the same files To make sure that the files of the same name are consistent on multiple memory cards display the directory of each card and compare the sizes of each file 7 Handle memory cards carefully to prevent static damage Static elect...

Page 124: ... answers to the following questions 1 What are the symptoms of the problem Exactly what is happening What is not happening [blank worksheet lines] The more information you have about the symptoms of the problem the more easily you can ...

Page 125: ...ound you are using may help you isolate the problem 5 What end stations are involved [blank worksheet lines] Identifying the end stations involved can help you to determine...

Page 126: ...e most likely cause is Do the following Look here for information A single protocol on a single port The problem is most likely in the network layer or above Refer to the chapter on troubleshooting a network connection specifically the section on IP in the BayStream guide Troubleshooting and Testing A single protocol on multiple ports within one slot The problem is most likely in the configuration...

Page 127: ...ts within all slots in the BayStream platform An operational problem such problems interfere with the basic operation of the hardware and software These problems include Damaged router Power problems Blown fuse LEDs not lit Router won t boot Wrong boot PROM Incorrect BayStream software image for the BayStream platform BayStream software image and configuration file are not the same on all ports Lo...

Page 128: ... for example by the severity of the event messages the software entity reporting them and the number of the slot from which the entity reported them On the Annex side you can use the CLI who command to display the user name the jobs the user is running when the connection began any idle time and the source of the connection The CLI stats command displays general Annex statistics statistics for one...

Page 129: ...able the port Watch the event log Stop here if the software entity recovers b Reset the slot Watch the event log Stop here if the software entity recovers c Press the Reset button on the front panel for no more than one second This initiates a warm boot procedure which will keep the log intact Watch the event log Stop here if the software entity recovers d Save the log to a file and transfer it us...

Page 130: ...ct name Then configure and enable the object The Statistics Manager also lets you monitor a BayStream platform s status and performance You can access the statistical values in the MIB by using the following options in the Tools menu of the Statistics Manager window Caution Always save a copy of the entire log to your memory card when a fault appears The BayStream platform saves the log to a memor...

Page 131: ...statistics by using the netstat T command At the Remote Annex console enter the command netstat T to review the status of the current Dial VPN tunnels This command displays the following information Device Dev The destination port on which the tunnel terminates This can be any valid asynchronous port number for example asy2 for port 2 Protocol Proto The connection protocol Connection state State ...

Page 132: ...n on the GRE protocol packets Total packets received Total packets sent Count of packets with bad checksums Total packets dropped on transmit Total packets dropped on receive Refer to the description of the netstat command in the Remote Annex Administrator s Guide for UNIX the Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX or Managing Remote Access Concentrators Us...

Page 133: ... to a network analyzer and use the analyzer to parse the data We recommend that you use Packet Capture to capture data generated on remote BayStream platforms save it in Network General Sniffer format files and use TFTP or FTP to transfer the files to a site where you can open the files with a network analyzer For detailed instructions on using Packet Capture refer to the BayStream guide Troublesh...

Page 134: ...detailed notes as you perform each procedure These notes Give you an opportunity to pause and think clearly about the problem and the procedures you are following Writing things down can help you visualize and clarify the problem and what to do about it Provide you with a record of the tasks you performed This record is essential because You can refer to it during the procedure to recall whether y...

Page 135: ... be with the Internet Protocol IP refer to the BayStream manual Troubleshooting and Testing The following references have detailed protocol information including examples that may help you isolate and correct a problem They do not however have explicit troubleshooting information For information on Frame relay refer to the BayStream guides Configuring Frame Relay Services for IP Routing or Configu...

Page 136: ...er an Annex is running are due to improper configuration of the Annex or a host If you appear to have a problem with Remote Annex software refer to the Remote Annex Administrator s Guide for UNIX the Remote Annex 6300 supplement to the Remote Annex Administrator s Guide for UNIX or Managing Remote Access Concentrators Using Command Line Interfaces Table 11 2 summarizes some symptoms that can affec...

Page 137: ...y of these situations occurs do the following Make sure that the Annex port parameters are set correctly Check the cable connections paying close attention to the wiring of the Annex s DCD DSR and DTR control lines The superuser stats tap and control commands provide useful information When changing parameters using na or admin remember to use the reset annex command after entering the new values ...

Page 138: ...ast packet used a host address of all zeros network 0 Later refinements required a change to the broadcast address specifying a host address of all ones network 255 A host configured with a network 255 address will accept network 0 broadcasts Hosts configured with network 0 addressing will not see network 255 broadcasts You can configure the Annex for either method of addressing by setting the bro...

Page 139: ...seudo terminal entries in etc ttys Update the etc ttys file to contain the proper number of pseudo terminals as indicated by the actual device entries in dev All network ports are in use The rlogin or telnet command is rejected after the user name is entered in response to the login prompt The error message all network ports in use indicates that all available pseudo terminals are in use On BSD ho...

Page 140: ...ining user configured routes use netstat C 1 Verify that the Annex routed parameter is set to Y 2 If necessary reboot the Annex 3 See the description of enabling and disabling active RIP in the Remote Annex Administrator s Guide for UNIX Use the stats o command to display the status of the options annex stats o KEYED OPTIONS LAT keyed off Atalk keyed off tn3270 keyed off dialout RIP filtering keye...

Page 141: ... out For example a filter that discards outgoing UDP packets also discards RIP packets since RIP runs on UDP To list all the defined filters enter the following CLI superuser commands annex su password annex filter list Refer to the description of filtering in the Remote Annex Administrator s Guide for UNIX 10 Your hosts may be ignoring RIP version 2 updates Verify that the interface parameter rip...

Page 142: ...address 5 If your network is divided into subnets the IP subnet addresses and subnet masks may not be set correctly for the Annex and the SLIP and PPP ports Verify the configured IP subnet addresses and subnet masks for the Annex and the SLIP and PPP ports 6 If the Annex parameter routed is set to N passive RIP is disabled Reset the Annex parameter routed to Y 7 If subnet routes are not being lear...

Page 143: ...le goes from 4 to 6 a traceroute message was lost probably due to network congestion Speed The speed in bits per second of the interface over which the outbound or return packet was forwarded If the packet could not be forwarded ping t displays a zero in this field MTU The maximum transmission unit in bytes of the interface over which the outbound or return packet was forwarded The MTU is the larg...

Page 144: ...utbound packet as indicated by the asterisks under the Dir heading Note that the hop count remains at 1 since the packet crossed only one router annex ping t 132 254 33 4 PING hobbes 56 data bytes Dir Router Hops Speed b s MTU 132 254 99 2 1 19200 1024 132 254 33 3 1 0 0 Troubleshooting Tunnel Problems Since the TMS is an extension of the proprietary erpcd you can use essentially the same troubles...

Page 145: ... that RAS in the current users field of the TMS database for every domain dnis combination This disconnects the users on that RAS reducing the current number of sessions If the TMS erpcd itself fails the RAS detects the condition by the failure of the logging connection The RAS falls back to the secondary server if specified which should have the same TMS database configuration However unless the ...


Page 147: ...entation for your network You may also find this information useful when changing or troubleshooting your network Table A 1 Network Information Worksheet Requested Information Your Information Physical Connector Information Enter the slot number containing the link module that provides the initial IP network interface This module can reside in any slot that is designated for link module support No...

Page 148: ...erface connect to the same local area network LAN as the Site Manager workstation Example No IP Routing Protocol Information Use the IP Routing Protocol to configure this router remotely This is necessary only if you answered No to the previous question Example RIP See the following sections for details on the IP Routing Protocol you choose to configure RIP Configuration Information Should RIP lis...

Page 149: ...val in seconds Example 40 Router priority Example 1 Poll interval Example 20 If you are configuring OSPF neighbors what is the IP address for each neighbor Note Neighbors are defined only if the OSPF interface type is NBMA Example Not applicable sample format 192 32 156 8 192 32 156 9 Static Route to Site Manager Configuration Information Destination network Example 192 32 90 0 Destination network...

Page 150: ...dure Example 192 32 10 12 WAN Information The following information about enabling frame relay PPP and SMDS from the installation script is for experienced users only Normally these protocols are implemented from Site Manager on an additional interface Frame Relay Information To enable frame relay on a synchronous connector on this initial IP interface Enable frame relay on the interface Example Y...

Page 151: ...e 10 Acceptable loss of Echo Reply packets Example 3 Enable local authentication protocol None PAP or CHAP Example CHAP Local PAP ID for this interface Example LPAP Local PAP password optional Example LPWD Authentication protocol enabled on remote peer Example Yes Remote peer PAP ID Example RPAP Remote peer PAP password Example RPWD Enable PAP Fallback Example Yes Enable Link Quality Reporting LQR...

Page 152: ...xample csecret CHAP Local Name Example chaplocalname CHAP Periodic Timer Example 60 Allow PAP Reject Example Disable SMDS Information To enable SMDS on a synchronous connector on this initial IP interface Enable SMDS on the interface Example Yes Individual address Example C1617555433FFFF Group address Example E16175556667FFFF ARP address Example E16175550000FFF Table A 1 Network Information Worksh...

Page 153: ...Remote Annex syslog messages shown in Table B 1 Table B 1 Remote Annex Syslog Messages Relevant to Dial VPN Type Syslog Contents Meaning Debug ppp port DVS requesting user authentication from gateway_addr primary_authentication_server_addr secondary_authentication_server_addr The user has been identified as a tunnel user and authentication is being requested ppp port DVS requesting tunnel registra...

Page 154: ...ason An error occurred while authenticating a tunnel user ppp port ipcp configuration error IPCP disabled Even though the tunnel is provisioned for IPCP the port parameter settings are set so that IPCP is disabled This must be corrected before successful IPCP data transfer can occur ppp port ipcp configuration error IPXCP disabled Even though the tunnel is provisioned for IPXCP the port parameter ...

Page 155: ...wal failed reason An error occurred during the tunnel renewal phase When the system creates tunnels it uses an internal value to set the tunnel lifetime Before expiring the system reregisters or renews the tunnel This error occurs when there is a failure to renew the tunnel ACP Log File acp_logfile These are examples of typical accounting information for the Annex Annex_IP_Addr id port date time D...

Page 156: ...the installation directory Notice tms broke lock for domain DNIS The lock held by another process for the indicated domain DNIS pair was broken The occurrence of many of these messages could indicate that processes are hanging after they acquire a lock and before they let it go In any case check the database entry with the tms_dbm show command Alert tms could not read database This is a serious pr...

Page 157: ... error code that tms_request does not recognize This can occur only if the site has modified the code Notice tms domain DNIS user count already zero This message indicates a correction not a problem A user who was tunneled to the indicated domain DNIS pair disconnected from the NAS and the user count for that domain DNIS pair was already zero This can occur if an administrator has previously perfo...

Page 158: ...st type request_type The request message from a NAS contained the indicated unknown type This probably indicates incompatible NAS and erpcd versions Alert tms could not update database This is a serious problem indicating that the database is not accessible Check the installation directory and database file tms database access attributes Notice tms lock was broken for domain DNIS The lock for the ...

Page 159: ...ason An error occurred while authenticating a tunnel user ppp port ipcp configuration error IPCP disabled Even though the tunnel is provisioned for IPCP the port parameter settings are set so that IPCP is disabled This must be corrected before successful IPCP data transfer can occur ppp port ipcp configuration error IPXCP disabled Even though the tunnel is provisioned for IPXCP the port parameter ...

Page 160: ...tunnel lifetime Before expiring the system reregisters or renews the tunnel This error occurs when there is a failure to renew the tunnel ACP Log File acp_logfile These are examples of typical accounting information for the Annex Annex_IP_Addr id port date time DVS tunnel login username Success Login succeeded Annex_IP_Addr id port date time DVS tunnel logout username User logged out Annex_IP_Addr...

Page 161: ...Syslog Messages 115623B Rev 00 BayStream Multiservice Software Version 7 2 B 9 ...

Page 162: ... Windows refer to the Quick2Config Annex online help for details on configuring a Remote Annex If you use UNIX refer to the Annex Manager User s Guide for details about managing a Remote Annex Installing and Configuring the Remote Annex Software This section is an overview of the installation and configuration process highlighting areas of particular concern 1 Install the Remote Annex software Thi...

Page 163: ...stallation guide for your Remote Annex device for information on powerup and boot procedures 3 Set up the dial in port on the Annex for dial in and enable ACP security for PPP on all ports Table C 1 summarizes how to configure the dial in ports on the Remote Annex using Quick2Config Annex Note Dial VPN works only for native PPP you may not dial in as CLI then convert to PPP to use Dial VPN Table C...

Page 164: ...k on More. Not applicable. Set Security Preferred Host: IP address of the preferred security host. Click on OK to accept these settings. Not applicable. Security Setup: enable security for the following parameters: Incoming Ports with Modems, Incoming Ports without Modems. Click on the appropriate boxes to enable security. This automatically sets the enable_security parameter to y. Set PPP Security Protocol C...

Page 165: ...he Remote Annex. Configuring the pri section of the config file this way lets any user dial in to the 6300/5393 device. The default path to the config file is /usr/spool/erpcd/bfs/config.annex. 5. Enable system logging. This is not required, but it is very useful in troubleshooting. Appendix B of the Dial VPN manual presents information on system logs. Table C-4 lists the procedures to enable syslogging us...

Page 166: ... UNIX, refer to your UNIX system documentation. The erpcd utility uses the auth facility. 6. Reboot the Remote Annex. To reboot the Annex using either Quick2Config Annex or Annex Manager: a. From the Configure menu, select the Boot option. b. Click on Apply. Table C-4: Enabling System Logging. Interface / Actions. Quick2Config Annex: 1. Select the General Annex tab. 2. Select All from the Logging menu. 3. Display the A...

Page 167: ... explaining the purposes for and consequences of such changes. When you configure the Remote Annex, you have to decide how the Annex will communicate with the TMS. This can be by means of a static route, RIP, or even the default compatibility mode. Then you configure the environment as described in the Remote Annex Administrator's Guide for UNIX, the Remote Annex 6300 Supplement to the Remote Annex Admin...

Page 168: ...nex Manager: 1. From the Configure menu, select the Boot option. 2. Click on Apply. Do not set the Annex interfaces to accept RIP 2 packets unless you are sure all nodes on your network or internet are advertising only RIP 2 updates. Authenticating Incoming RIP 2 Updates and Requests. To authenticate incoming RIP 2 messages, use the command line interface to set the rip_auth parameter to a password contain...

Page 169: ...n, and the Authentication field must contain a 16-byte unencrypted password. The password in the message matches the value of the rip_auth parameter. The Annex accepts all RIP 2 messages it authenticates, but does not necessarily discard all unauthenticated messages it receives. Table C-6 shows the conditions that determine whether the Annex accepts or discards a RIP message. Although RIP 2 authenticati...

Page 170: ...d for passive RIP need not be defined after you enable active RIP, you may want to define a default route and one or more static routes for other purposes. For example, a default router can act as a bottleneck through which all traffic to and from a network must pass. You can also use static routes to reach routers that are not running active RIP. To define default and static routes that remain across ...

Page 171: ...figure the Annex to accept RIP packets as shown in Table C-7. You may need to reset the appropriate port or Annex subsystem, or reboot the Annex, for changes to take effect. 1. From the Configure menu, select the Boot option. 2. Click on Apply. Table C-7: Configuring the Annex to Advertise RIP Packets. Interface / Actions. Quick2Config Annex: 1. Open the Network Annex tab. 2. Select Option 1 (broadcast address) from ...


Page 173: ...f address. A termination point of a tunnel heading towards the remote node. The care-of address, which is usually the address of the Dial VPN network access server, is specified to the gateway during the connection process. When the gateway encapsulates the frame relay packet into a GRE packet, it includes the care-of address. CHAP (Challenge Handshake Authentication Protocol): A method of establishing secu...

Page 174: ... those of another, for instance between an IP network and a frame relay network. A device that forwards traffic between networks based on network layer information and routing tables, now known as a router. Generic Routing Encapsulation (GRE): A method of encapsulating arbitrary network layer protocol information over another arbitrary network layer protocol. The encapsulation allows the first network lay...

Page 175: ...rimary rate interface. ISP: Internet service provider. See also service provider. LCP (Link Control Protocol): A component of PPP that negotiates the link characteristics of a PPP session with the peer connection interface. An example of a link characteristic is the maximum transmission unit (MTU). local authentication server: The server on the Dial VPN network that exchanges authentication messages with the ...

Page 176: ...ed Network Control packets, for example IP over PPP (IPCP) and IPX over PPP (IPXCP). PSTN: Public switched telephone network. RADIUS (Remote Authentication Dial-in User Service): A system of distributed client/server security that secures remote access to networks and network services against unauthorized access. RADIUS client: A program that resides on the gateway and sends authentication requests to the RADI...

Page 177: ...curity to messages that contain this value. The SPI value is an integer in the range of 256 through 65535. Setting the SPI value and the keys to 0 in Site Manager turns off this security feature. service provider: A corporation that uses a transmission facility, telecommunications equipment, and network operation software to provide a telecommunications network as a commercial service. Corporations subsc...

Page 178: ...MS. A database of IP tunnel management information that resides on a server on the Dial VPN network. This server provides information to the NAS to authenticate users via the RADIUS client on the Dial VPN gateway, and to construct IP tunnels based on user dial-in information from the remote node and information stored in the TMS database. Virtual Private Network (VPN): A public wide area network (WAN) comp...

Page 179: ...es 11 13 ASN 1 5 3 1 3 4 asynchronous modem with 4000 5390 3 3 traffic 1 5 authentication by home site 5 2 local 3 5 RADIUS 1 7 authentication type 7 2 authentication_protocol TMS parameter 5 9 authp TMS parameter 5 9 B Backbone Node switch routers 1 2 backup copies 11 3 Bay Networks Technical Solutions Center 11 3 11 9 BayDVS 1 1 BaySecure Access Control 2 10 BayStream managing 10 1 platform 3 4 ...

Page 180: ...6 D data terminal equipment DTE 1 5 database alternatives 5 11 TMS 2 6 5 1 troubleshooting errors 11 25 decapsulation packet 1 1 process 2 14 default service record 9 7 delete tms_dbm command 5 4 destination site 3 3 diagnostic steps 11 9 diags command 11 9 Dial VPN configuration 1 4 configuring for IPX 8 3 enabling and activating 10 2 installing and configuring 3 1 overview 2 2 removing disabling...

Page 181: ...mand 11 17 hardware installation 3 2 hardware requirements 3 1 help tms_dbm command 5 4 home agent 7 2 home network 1 1 5 1 host portable 1 4 hosts command 11 18 hosts don t appear in hosts display message 11 18 hw_addr TMS parameter 5 7 hw_addr_len TMS parameter 5 7 hw_type TMS parameter 5 7 hwaddr tms_dbm parameter 5 3 hwaddr TMS parameter 5 7 hwalen TMS parameter 5 7 hwtype TMS parameter 5 7 I ...

Page 182: ...etWare network 8 1 NetWare server 9 8 network changing 10 6 configuration map 11 14 how it works 10 2 managing 10 1 status snapshot 11 9 network access server 1 1 1 5 configuring for IPX 8 4 Network General Sniffer format 11 13 network hardware requirements 3 1 network information worksheet A 1 network logins to BSD hosts are invisible message 11 19 network planning worksheet 1 7 A 1 network unrea...

Page 183: ... 11 PSTN 1 5 public switched telephone network PSTN 1 5 PVC 1 3 9 7 Q Quick Get statistics tool 11 11 Quick Start installation script install bat 1 7 procedure 3 3 R RADIUS 1 2 authentication request 1 7 client 1 5 1 7 9 1 client on gateway 7 3 Remote Authentication Dial In User Service remote authentication server 1 7 server 1 5 7 3 9 1 RADIUS server configuring for IPX 8 8 RADIUS only solution 6...

Page 184: ...cret primary 9 1 security access rights for dial in 3 3 ACP 4 2 C 2 security parameter index spi 5 2 7 2 security_protocol_index TMS parameter 5 10 server ACP 1 6 3 1 NetWare or Windows NT 9 8 RADIUS 1 5 1 7 7 3 9 1 TMS 5 1 servers_location TMS parameter 5 8 service record default 9 7 manual configuration 9 7 session not terminated message 11 17 session parameter block SPB 4 5 C 4 show tms_dbm com...

Page 185: ...cription 2 6 troubleshooting 11 25 TMS syslog messages B 4 tms_dbm command arguments 5 6 tms_dbm commands 5 4 tool configuration 11 2 traceroute facility RFC 1493 11 22 traffic asynchronous and synchronous 1 5 congestion 11 5 troubleshooting 11 1 preparation 11 4 Remote Annex problem 11 16 Site Manager problem 11 15 specific protocols 11 15 TMS database errors 11 25 tunnel problems 11 24 worksheet...

Page 186: ...v 00 V virtual private network VPN 1 1 VT100 terminal emulation 3 3 W WAN 3 1 7 1 WAN worksheet information A 4 who command 11 8 Windows NT based server 9 8 worksheet network planning 1 7 troubleshooting 11 4 wrong host address appears in host table message 11 18 ...
