
[Subscriber Management] 'Predefined-variable-defaults routing-instances' knob does not work when L2TP tunneled subscriber is configured under VRF


Article ID: KB33453 KB Last Updated: 07 Dec 2018Version: 1.0
Summary:

For any Junos OS predefined variable that can be sourced from RADIUS, you can specify a default value in a dynamic client profile. These default values are used when RADIUS does not supply a value. For example, when the RADIUS server does not return a routing-instance value, subscribers come up in the master routing instance, which is the Junos OS default. To change this default behavior, a specific routing instance can be defined for an individual dynamic profile at the [dynamic-profiles profile-name predefined-variable-defaults routing-instances] hierarchy level. When no VSA carrying this information is received from the RADIUS server, Junos OS uses the predefined variable in place of the RADIUS attribute and instantiates the dynamic profile for the subscriber session. However, there are scenarios in which the 'predefined-variable-defaults routing-instances' knob configured under the [dynamic-profiles profile-name] hierarchy level has no effect. One of these scenarios is described in this KB article.

Symptoms:

In a typical LNS (MX router) - LAC L2TP topology, if the LNS does not receive a Virtual-Router (VSA 26-1) attribute, it is possible to specify a non-default routing instance to which the subscriber will be assigned.

Sample RADIUS user profile:

username@company Cleartext-Password := "secret"
   Service-Type = 2,
   Framed-Protocol = 1,
   Framed-IP-Address = 10.227.0.12,
   Framed-IP-Netmask = 255.255.255.255


Sample configuration of dynamic-profile on LNS:

labroot@lns-re1> show configuration dynamic-profiles dp-l2tp
predefined-variable-defaults {
    routing-instances my_instance;
}
routing-instances {
    "$junos-routing-instance" {
        interface "$junos-interface-name";
    }
}

[output omitted]


L2TP tunnel and subscriber session related outputs:

labroot@lns-re1> show services l2tp tunnel detail
  Tunnel local ID: 52520, Tunnel remote ID: 1
    Remote IP: 192.168.197.73:1701
    State: Established, Administrative State: Enabled
    Sessions: 1
    Tunnel Name: 1/14
    Local IP: 10.0.184.28:1701
    Local name: lns-re1, Remote name: ixia
    Effective Peer Resync Mechanism: silent failover
    Nas Port Method: none
    Tunnel Logical System: default, Tunnel Routing Instance: not-my-instance <-- routing instance differs from what we have specified under dynamic-profile

labroot@lns-re1> show services l2tp session detail
Tunnel local ID: 52520
  Session local ID: 55303, Session remote ID: 1, Interface unit: 3221225485
    State: Established, Administrative State: Enabled, Interface: si-1/0/0, Mode: Dedicated
    Local IP: 10.0.184.28:1701, Remote IP: 192.168.197.73:1701
    Local name: lns-re1, Remote name: ixia

labroot@lns-re1> show subscribers extensive user-name username@company
Type: L2TP
User Name: username@company
IP Address: 10.227.0.12
IP Netmask: 255.255.255.255
Logical System: default
Routing Instance: not-my-instance <-- routing instance differs from what we have specified under dynamic-profile
Interface: si-1/0/0.3221225485
Interface type: Dynamic
Underlying Interface: si-1/0/0.3221225485
Dynamic Profile Name: dp-l2tp
Dynamic Profile Version: 1
State: Active
Radius Accounting ID: 14
Session ID: 14
PFE Flow ID: 36
Login Time: 2018-11-27 10:52:51 UTC
Accounting interval: 0
Frame/cell mode: Frame
Overhead accounting bytes: -38
Calculated downstream data rate: 268435 kbps
Calculated upstream data rate: 268435 kbps
Adjusted upstream data rate: 268435 kbps
Adjusted downstream data rate: 268435 kbps

labroot@lns-re1> show route protocol access-internal 10.227.0.12

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)

my_instance.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

not-my-instance.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.227.0.12/32     *[Access-internal/12] 2d 00:08:08
                       Private unicast

labroot@lns-re1>


From the outputs above, it can be observed that the subscriber comes up in VRF 'not-my-instance', while the configured predefined-variable-defaults value is 'my_instance'. This behavior is expected when the tunnel server endpoint (10.0.184.28) and tunnel client endpoint (192.168.197.73) IP addresses are configured in, and reachable from, VRF 'not-my-instance':

labroot@lns-re1> show interfaces routing-instance not-my-instance terse
Interface               Admin Link Proto    Local                 Remote
ge-1/0/0.0              up    up   inet     192.168.197.74/30
                                   iso
                                   multiservice
si-1/0/0.2147483649     up    up   inet     0.0.0.0             --> 0/0
                                   inet6    fe80::200:ff:fe00:0
si-1/0/0.3221225485     up    up   inet     213.0.184.28        --> 0/0
lo0.200                 up    up   inet     213.0.184.28        --> 0/0

labroot@lns-re1> show configuration routing-instances not-my-instance
instance-type vrf;
interface ge-1/0/0.0;
interface lo0.200;
route-distinguisher 10.0.184.27:260;
vrf-import not-my-instance-import;
vrf-export not-my-instance-export;
vrf-table-label;

So, when a routing-instance attribute for the tunnel (here, the VRF in which the tunnel endpoints reside) is already present in the session database (SDB), it takes precedence over the 'predefined-variable-defaults' knob.

Solution:

In the scenario above, where the 'predefined-variable-defaults' knob does not take precedence, it is possible to configure an access domain map that specifies access options and session-specific parameters, including the routing instance to which the subscriber interface will be attached:

labroot@lns-re1> show configuration access domain
map * {
    aaa-routing-instance default;
    target-routing-instance my_instance;
}


Output from the general authentication service process (authd) traceoptions after committing the domain map:

...
Nov 27 10:17:29.051017 Config changed for domain-map:*
Nov 27 10:17:29.051034 AAA RI changed to:default
Nov 27 10:17:29.051047 Access prof not found
Nov 27 10:17:29.051057 Address-pool not found
Nov 27 10:17:29.051067 Dynamic prof not found
Nov 27 10:17:29.051080 Target RI changed to:my_instance
[output omitted]

Outputs of the newly connected subscriber:

labroot@lns-re1> show subscribers extensive user-name username@company
Type: L2TP
User Name: username@company
IP Address: 10.227.0.12
IP Netmask: 255.255.255.255
Logical System: default
Routing Instance: my_instance
Interface: si-1/0/0.3221225493
[output omitted]
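As an added verification aid (not part of this article or of Junos OS), the following Python script parses the 'show subscribers extensive' and 'show services l2tp tunnel detail' output formats shown above and flags subscribers that did not land in the routing instance named by their dynamic profile's predefined-variable-defaults, attributing the mismatch to tunnel-VRF precedence when the subscriber ended up in the VRF that holds the L2TP tunnel. The sample outputs and the EXPECTED_RI map are constructed from the outputs in this article.

```python
import re
# Constructed samples, abridged from this article's outputs: the same subscriber before the
# access domain map was added (landed in not-my-instance) and after (landed in my_instance).
SUBSCRIBERS_OUTPUT = """\
User Name: username@company
Routing Instance: not-my-instance
Interface: si-1/0/0.3221225485
Dynamic Profile Name: dp-l2tp

User Name: username@company
Routing Instance: my_instance
Interface: si-1/0/0.3221225493
Dynamic Profile Name: dp-l2tp
"""
TUNNEL_OUTPUT = """\
  Tunnel local ID: 52520, Tunnel remote ID: 1
    Tunnel Logical System: default, Tunnel Routing Instance: not-my-instance
"""
# What each dynamic profile's predefined-variable-defaults routing-instances names (constructed).
EXPECTED_RI = {"dp-l2tp": "my_instance"}

def parse_subscribers(text):
    """One dict of 'Key: value' fields per subscriber block (blocks are blank-line separated)."""
    subs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "User Name" in fields:
            subs.append(fields)
    return subs

def tunnel_routing_instances(text):
    """Routing instances in which 'show services l2tp tunnel detail' reports tunnels."""
    return set(re.findall(r"Tunnel Routing Instance:\s*(\S+)", text))

def find_misplaced(subs, expected, tunnel_ris):
    """(user, interface, actual RI, reason) for subscribers outside their profile's default RI."""
    misplaced = []
    for s in subs:
        want = expected.get(s.get("Dynamic Profile Name", ""))
        got = s.get("Routing Instance", "")
        if want is None or got == want:
            continue  # no expectation for this profile, or subscriber is where it should be
        reason = ("tunnel endpoint VRF takes precedence over predefined-variable-defaults"
                  if got in tunnel_ris else "unexpected routing instance")
        misplaced.append((s["User Name"], s.get("Interface", ""), got, reason))
    return misplaced
```

Run it against the live output of both show commands to confirm, after the domain map is committed, that find_misplaced returns an empty list.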
