MrNv Posted January 28, 2016

Good afternoon! We decided to replace a Cisco 7206 with an ASR1002. I moved the config over to the new box; the session comes up, but traffic does not pass. Please advise where to dig. If I understand correctly, the problem is with ACL processing, because I can see the outgoing traffic from the VPN in Wireshark and it does hit the ACL (LOCAL_in), but there is no incoming traffic to the VPN connection. Yet the content of the ACLs (all of them) is permit ip any any (for testing).

Data:

ISG settings

    class-map type traffic match-any class-local
     match access-group input name LOCAL_in
     match access-group output name LOCAL_out
    !
    policy-map type service policy-local
     class type traffic class-local
     !
     class type traffic default in-out
     !
    !
    policy-map type control RULE1
     class type control service-check event service-start
      9 service-policy type service name policy-local
      10 service-policy type service identifier service-name
     !
     class type control always event service-start
      10 service-policy type service aaa list PPPoE identifier service-name
      20 service-policy type service identifier service-name
      21 service-policy type service name policy-local
     !

Session output

    #sh sss ses de
    Current Subscriber Information: Total sessions 1
    --------------------------------------------------
    Type: VPDN, UID: 30, State: authen, Identity: 123
    IPv4 Address: 192.168.100.21
    Session Up-time: 00:06:21, Last Changed: 00:06:21
    Interface: Virtual-Access2.1
    Switch-ID: 4394

    Policy information:
      Context 439C2780: Handle 4C00008A
      AAA_id 0000002D: Flow_handle 0
      Authentication status: authen
      Config history for session (recent to oldest):
        Access-type: Web-service-logon Client: SM
         Policy event: Got More Keys (Service)
        Access-type: Web-service-logon Client: SM
         Policy event: Got More Keys (Service)
        Access-type: PPP Client: SM
         Policy event: Got More Keys
      Active services associated with session:
        name "ex2"
        name "policy-local"
      Rules, actions and conditions executed:
        subscriber rule-map RULE1
          condition always event session-start
            1 authenticate aaa list PPPoE
        subscriber condition-map match-any service-check
          match identifier service-name ex2 [TRUE]
        subscriber rule-map RULE1
          condition service-check event service-start
            9 service-policy type service name policy-local
            10 service-policy type service identifier service-name

    Classifiers:
    Class-id    Dir  Packets  Bytes  Pri.  Definition
    0           In   191      18772  0     Match Any
    1           Out  0        0      0     Match Any
    110         In   191      18772  0     Match ACL LOCAL_in
    111         Out  0        0      0     Match ACL LOCAL_out
    112         In   0        0      100   Match ACL Inet_in
    113         Out  0        0      100   Match ACL Inet_out
    4294967294  In   0        0      -     Drop
    4294967295  Out  0        0      -     Drop

    Features:

    Absolute Timeout:
    Class-id  Timeout Value  Time Remaining  Source
    0         86400          23:53:38        Peruser
    112       86400          23:53:38        ex2

    Prepaid Time Monitor:
    Class-id  Dir  Threshold  Quota  Session Time  Source
    112       In   86397      86400  381           ex2
    113       Out  86397      86400  381           ex2

    Policing:
    Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
    113       Out  104857500  19660780      0             ex2

    Prepaid Volume Monitor:
    Class-id  Dir  Packets  Bytes  Source
    112       In   159      11256  ex2
    113       Out  0        0      ex2
      Usage(since last update): 11256 - Total: 11256
      Threshold:N/A - Quota:Unlimited
      Current states: Start

    Configuration Sources:
    Type  Active Time  AAA Service ID  Name
    SVC   00:06:21     -               policy-local
    SVC   00:06:21     1946157087      ex2
    USR   00:06:21     -               Peruser
    INT   00:06:21     -               Virtual-Template1

MrNv Posted January 28, 2016

No ideas at all? And in general, does anyone have PPTP working on an ASR?

darkagent Posted January 28, 2016

> And in general, does anyone have PPTP working on an ASR?

It doesn't. Only PPPoE, L2TP and IPoE.