
C803 & DSL line does not close (after idle timeout)


daFranze

I upgraded a Cisco 803 "Router" to act as a DSL Router + Firewall

Since I do not have a DSL flatrate I want to disconnect my line after timeout, but

a) Router connects, initiated from "outside" (guessing it's something from the ISP) though firewall is configured not to accept the packet
b) router does not disconnect line after timeout

the config
Code:
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname rtqpgmr08b
!
boot system flash c800-k9osy6-mw.122-15.T9.bin 
logging queue-limit 100 
logging buffered 64000 debugging
enable password 7 hidden
!
username mg password
username apvremote password
!
!
ip subnet-zero
no ip domain lookup
ip name-server 145.253.2.11
ip name-server 145.253.2.75
ip name-server 145.253.2.203
!
ip ssh source-interface Ethernet0
ip ssh rsa keypair-name ssh-key
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
isdn switch-type basic-net3
!
!
interface Ethernet0
 ip address 192.168.17.125 255.255.255.0
 ip access-group 110 out
 ip nat inside
 ip tcp adjust-mss 1452
 pppoe enable
 pppoe-client dial-pool-number 1
 no keepalive
 no cdp enable
!
interface BRI0
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer idle-timeout 600
 dialer wait-for-carrier-time 10
 dialer map ip 192.168.171.6 name apvremote 0190666666
 dialer-group 2
 isdn switch-type basic-net3
 no keepalive
 ppp callback request
 ppp authentication chap
 ppp multilink
!
interface Dialer1
 description ARCOR DSL
 ip address negotiated
 ip access-group 112 in
 ip access-group 112 out
 ip mtu 1488
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 shutdown
 dialer pool 1
 dialer idle-timeout 25
 dialer-group 1
 no keepalive
 no cdp enable
 ppp chap hostname
 ppp chap password
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.43.44.0 255.255.255.0 192.168.171.6
ip route 10.43.50.0 255.255.255.0 192.168.171.6
ip route 192.168.171.6 255.255.255.255 BRI0
no ip http server
no ip http secure-server
!
!
access-list 102 permit ip 192.168.17.0 0.0.0.255 any log
access-list 110 permit ip any any log
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit udp any any eq domain
access-list 111 permit udp any any eq ntp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any range ftp-data ftp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 deny   ip any any log
access-list 112 deny   ip any any log
dialer-list 1 protocol ip list 112
dialer-list 2 protocol ip list 110
no cdp run
!
!
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7
 login local
!
no rcapi server
!
!
End

The following debug options are set:
Code:
 rtqpgmr08b#sh debugging
Dial on demand:
  Dial on demand events debugging is on
  Dial on demand packets debugging is on
  Dial on demand dynamic dialer maps debugging is on
  Dialer forwarding events debugging is on
Generic IP:
  IP packet debugging is on for access list 110
PPPoE:
  PPPoE protocol events debugging is on
  PPPoE data packets debugging is on
  PPPoE control packets debugging is on
  PPPoE protocol errors debugging is on

Debugging output, with dialer 1 shutdown
Code:
Mar 23 14:15:26: PPPoE 0: I PADO  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 07
         00 00 00 18 01 03 00 04 02 CF DF 64 01 02 00 08 ...
Mar 23 14:15:29: PPPoE 1541: I PADS  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 65
         06 05 00 18 01 03 00 04 02 CF DF 64 01 01 00 00 ...
Mar 23 14:15:29: IN PADS from PPPoE Session
Mar 23 14:15:29: Di1 DDR: is a shutdown interface, rejecting call
Mar 23 14:15:29: Vi2 DDR: disconnecting call
Mar 23 14:15:29: Vi2 Debug: Condition 1, interface Di1 triggered, count 2
Mar 23 14:15:29: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Mar 23 14:15:29: Vi2 DDR: Dialer statechange to up
Mar 23 14:15:29: Di1 DDR: is a shutdown interface, rejecting call
Mar 23 14:15:29: Vi2 DDR: disconnecting call
Mar 23 14:15:29: Vi2 DDR: Can not bind incoming call
Mar 23 14:15:29: Vi2 DDR: disconnecting call
Mar 23 14:15:29: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Mar 23 14:15:44: Vi2 DDR: re-enable timeout
Mar 23 14:15:49: Vi2 Debug: Condition 1, interface Di1 cleared, count 1
Mar 23 14:16:09: PPPoE 0: I PADO  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 07
         00 00 00 18 01 03 00 04 02 CF DF 64 01 02 00 08 ...
Mar 23 14:16:11: PPPoE 1542: I PADS  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 65
         06 06 00 18 01 03 00 04 02 CF DF 64 01 01 00 00 ...
Mar 23 14:16:11: IN PADS from PPPoE Session
Mar 23 14:16:11: Di1 DDR: is a shutdown interface, rejecting call
Mar 23 14:16:11: Vi2 DDR: disconnecting call
Mar 23 14:16:11: Vi2 Debug: Condition 1, interface Di1 triggered, count 2
Mar 23 14:16:11: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Mar 23 14:16:11: Vi2 DDR: Dialer statechange to up
Mar 23 14:16:11: Di1 DDR: is a shutdown interface, rejecting call
Mar 23 14:16:11: Vi2 DDR: disconnecting call
Mar 23 14:16:11: Vi2 DDR: Can not bind incoming call
Mar 23 14:16:11: Vi2 DDR: disconnecting call
Mar 23 14:16:11: Vi2 Debug: Condition 1, interface Di1 cleared, count 1
Mar 23 14:16:31: PPPoE 0: I PADO  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 07
         00 00 00 18 01 03 00 04 02 CF DF 64 01 02 00 08 ...
Mar 23 14:16:34: PPPoE 452: I PADS  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 65
         01 C4 00 18 01 03 00 04 02 CF DF 64 01 01 00 00 ...
Mar 23 14:16:34: IN PADS from PPPoE Session
Mar 23 14:16:34: Di1 DDR: is a shutdown interface, rejecting call
Mar 23 14:16:34: Vi2 DDR: disconnecting call
Mar 23 14:16:34: Vi2 Debug: Condition 1, interface Di1 triggered, count 2
Mar 23 14:16:34: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Mar 23 14:16:34: Vi2 DDR: Dialer statechange to up
Mar 23 14:16:34: Di1 DDR: is a shutdown interface, rejecting call
Mar 23 14:16:34: Vi2 DDR: disconnecting call
Mar 23 14:16:34: Vi2 DDR: Can not bind incoming call
Mar 23 14:16:34: Vi2 DDR: disconnecting call
Mar 23 14:16:34: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
term no mon

Any ideas? Or hints?

Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years
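
Added example, not part of the original posts: a small Python decoder for the PPPoE discovery frames in the debug output above, using the header and tag layout from RFC 2516. It shows that the session ID in a PADS frame is the number IOS prints after "PPPoE" (1541 here) and that PADO and PADS are the codes an access concentrator sends in reply to a client's PADI and PADR. Function and field names are illustrative.

```python
import struct

# PPPoE discovery codes and a few tag types from RFC 2516
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
SENT_BY = {"PADI": "client", "PADO": "access concentrator", "PADR": "client",
           "PADS": "access concentrator", "PADT": "either side"}
TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

# Frames copied from the debug output above; the dumps stop after 32 bytes.
PADO_DUMP = """00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 07
               00 00 00 18 01 03 00 04 02 CF DF 64 01 02 00 08 ..."""
PADS_DUMP = """00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 65
               06 05 00 18 01 03 00 04 02 CF DF 64 01 01 00 00 ..."""

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_pppoe_discovery(hexdump):
    """Decode Ethernet + PPPoE discovery headers and tags from a hex dump."""
    raw = bytes.fromhex("".join(hexdump.replace("...", " ").split()))
    if len(raw) < 20:
        raise ValueError("need 14-byte Ethernet header plus 6-byte PPPoE header")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", raw[12:20])
    if ethertype != 0x8863 or ver_type != 0x11:
        raise ValueError("not a PPPoE discovery frame (EtherType 0x8863, ver/type 0x11)")
    name = CODES.get(code, f"0x{code:02x}")
    tags, off, end = [], 20, min(len(raw), 20 + length)
    while off + 4 <= end:
        tag_type, tag_len = struct.unpack("!HH", raw[off:off + 4])
        value = raw[off + 4:min(off + 4 + tag_len, end)]
        tags.append({"tag": TAGS.get(tag_type, f"0x{tag_type:04x}"),
                     "value": value.hex(),
                     "truncated": len(value) < tag_len})  # dump ended mid-tag
        off += 4 + tag_len
    return {"dst": mac(raw[0:6]), "src": mac(raw[6:12]), "code": name,
            "sent_by": SENT_BY.get(name, "unknown"),
            "session_id": session_id, "payload_length": length, "tags": tags}

if __name__ == "__main__":
    for dump in (PADO_DUMP, PADS_DUMP):
        print(parse_pppoe_discovery(dump))
```
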
 
Franz,

First, for troubleshooting, you'll want to leave the interface 'no shut' since the router will not attempt to route packets out of a shutdown interface.

Then, try running a 'debug dialer packet' alone and track which traffic is initiating an outbound connection. I don't think that debug is going to show you much about what kind of traffic, but it should give you source/destination ip address. After you get that, then you can create an access-list that permits that source ip address, and run a debug ip packet referencing that access-list(so we only see relevant debug output). Trace the port numbers on the originating traffic and you can see if a workstation on the inside is mistakenly sending netbios traffic or dns queries or something out there.
 
Thank you rtfmdude (nice nic btw! ;-)) for the post!

Well, this is more or less what we already tried. The config above is a debug config, since we found out that C803 does not disconnect after timeout.

The Dialer1 interface is configured with an ACL that has no "interesting traffic" (deny ip any any), BUT a packet from the IP range of the ISP
Code:
Mar 23 14:15:26: PPPoE 0: I PADO  R:0030.8801.36fe L:00b0.c28c.86be Et0
         00 B0 C2 8C 86 BE 00 30 88 01 36 FE 88 63 11 07
         00 00 00 18 01 03 00 04 02 CF DF 64 01 02 00 08 ...
initiates a PPPoE connection, which it should not!
This connection will never close (even after timeout) and since I do not have a flat I will pay for this... :-(

I will try out what you suggested, but I'm guessing we already tried...

Best Regards, Franz
 
if nobody can give another hint: is there another forum anybody can recommend to ask such a question (English or German Language)? Thanks!

Best Regards, Franz
 
Franz,

I swear I responded to this a few days ago - maybe my post never made it! I was wondering what constitutes a 'connection' or how your billing is done (per byte or connect time). I agree, your service provider is initiating the connection and am surprised that they would bill you for connect time that they initiated. Since I'm not very familiar with DSL, I suggest joining the cisco-nsp mailing list (cisco-nsp@puck.nether.net, but you must join the mailing list before posting). There are lots of experienced network people on there.

Good luck - I'll see you there!
 
thanks rtfmdude, I will join this!
My DSL provider will charge me by time. Since the PPPoE "link" is up I'm guessing they will charge me; DSL is new to me too...

Best Regards, Franz
 