(usr-tc) Need help with IEA Next Hop
Hi Folks,

I have a problem that I need some help with, mainly setting the IEA Next Hop Gateway - to automatically set up users who want Xstop filtering to go through the Xstop unit rather than the main router.

We are running 4.1.59 HiperARCs with 3com SA 6.0.8x, with TC units and router (default gateway) on the same class C network.

I had read in the Knowledgebase where the Next Hop Gateway must lie outside the subnet of the main TC ethernet interface, and so I have made sure that the Xstop is not on the same subnet. I have also read (and followed to a T) the instructions in the KnowledgeBase pertaining to setting up the database with PW_VPN_Neighbor and hacking the radserv.scp to allow this.... all done.

I can run 'client -v' part of the radius tools from coredump.ae.usr.com and I can see that the IP address of the IEA Next Hop is being passed to the HiperARC.

I can run 'mon radius' on a user in question, and it shows:

    VPN-NEIGHBOR : -772795387
                   ^^^^^^^^^ should be an IP address

After the user is logged in I can run a 'show session username' and it will list

    IEA Next Hop Gateway : xxx.xxx.xxx.xxx

like it should.

However, the problem is that it apparently isn't working -- I don't see it as the next hop in a traceroute, I can't see any reference to it in a 'list ip routes'.

Some items enabled/disabled on the HiperARC that may be pertinent are:

    IEA Next Hop Routing: ENABLED
    IEA Send Unsolicited Proxy Arp: ENABLED
    IEA Force Next Hop Route: DISABLED
    IP proxy ARP for all dialin addresses: ENABLED

If anybody can shed some light on this I surely would appreciate it.

Thanks,
Mike Tindor

-
To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.

Mike Tindor wrote:
> Hi Folks,
> I have a problem that I need some help with, mainly setting the IEA Next Hop Gateway - to automatically set up users who want Xstop filtering to go through the Xstop unit rather than the main router.
> We are running 4.1.59 HiperARCs with 3com SA 6.0.8x, with TC units and router (default gateway) on the same class C network.
> I had read in the Knowledgebase where the Next Hop Gateway must lie outside the subnet of the main TC ethernet interface, and so I have made sure that the Xstop is not on the same subnet.

Hmmm, I would think you need the IP address of your Xstop machine on a subnet on the TC Ethernet interface, otherwise the router will not know how to talk to it and send all traffic out the default route. I am using IEA in 4.1.59-6 without any problems, I'm in the process of switching my upstream ISP and it's turned out to be a very nice feature. I just bound two different class C addresses to the Ethernet adapter. Maybe mine is working because I didn't read the knowledge base and figured everything out on my own.

> I can run 'mon radius' on a user in question, and it shows:
>     VPN-NEIGHBOR : -772795387
>                    ^^^^^^^^^ should be an IP address

Yeah, mine does this, ignore it, it's got the right address in there, it's just not showing it as a human readable IP address, I suspect they just printf a signed long.

> After the user is logged in I can run a 'show session username' and it will list IEA Next Hop Gateway : xxx.xxx.xxx.xxx like it should.
> However, the problem is that it apparently isn't working -- I don't see it as the next hop in a traceroute, I can't see any reference to it in a 'list ip routes'.

Yeah, well, if it's on a different subnet I don't see how you can talk to it. Have you tried to ping your Xstop box from the HiPer ARC? Do a traceroute as well from the HiPer ARC, it shouldn't go through your default route. It looks like you're set up to use proxy arp IEA, that's also how I configured mine. I'd try giving the Xstop box an IP address inside of a subnet assigned to the Ethernet port of the HiPer ARC.

-Ron
GLISnet, Inc.
+1 810/939.9885
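
The point made in the reply about 'mon radius' printing the address as a signed long can be checked rather than taken on trust. The following is an added example, not part of either message: it parses a monitor line of the shape quoted in the thread and compares the decoded value with the gateway you configured. The sample value is constructed from the 192.0.2.0/24 documentation range, and because the byte order of the HiperARC's output is an assumption, both readings are returned.

```python
import ipaddress
import re

# Line shape taken from the 'mon radius' output quoted in the thread.
ATTR_RE = re.compile(r"^\s*VPN-NEIGHBOR\s*:\s*(-?\d+)\s*$")


def candidates(value):
    """Return both dotted-quad readings of a 32-bit value printed as signed."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"{value} does not fit in 32 bits")
    raw = value & 0xFFFFFFFF  # undo the signed interpretation
    # Most significant byte is the first octet (network byte order).
    big = ipaddress.IPv4Address(raw)
    # Least significant byte is the first octet (octets reversed).
    little = ipaddress.IPv4Address(raw.to_bytes(4, "little"))
    return {"big-endian": str(big), "little-endian": str(little)}


def check_monitor_line(line, expected):
    """Decode one monitor line and report which reading equals `expected`.

    Returns None when the line is not a VPN-NEIGHBOR line.
    """
    m = ATTR_RE.match(line)
    if not m:
        return None
    want = str(ipaddress.IPv4Address(expected))  # validates the input too
    reads = candidates(int(m.group(1)))
    matches = [order for order, addr in reads.items() if addr == want]
    return {"readings": reads, "matches": matches}


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 printed as a signed 32-bit integer.
    sample = "VPN-NEIGHBOR : -1073741302"
    print(check_monitor_line(sample, "192.0.2.10"))
```

An empty `matches` list means the value in the RADIUS reply is not the gateway you expected in either byte order, which points at the database entry rather than at the display.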

Participants (2): Mike Tindor, Ronald Kushner