In dial-related applications, PPP is the most commonly used encapsulation type. PPP allows two machines on a point-to-point communication link to negotiate various parameters for authentication, compression, and the Layer 3 (L3) protocols, such as IP. A failure in the PPP negotiation between two routers causes the connection to fail.
The debug ppp negotiation command enables you to view the PPP negotiation transactions, identify the problem or stage when the error occurs, and develop a resolution. However, it is imperative that you understand the debug ppp negotiation command output. This document provides a comprehensive method to read debug ppp negotiation command output.
Readers of this document must ensure that these conditions are met:
PPP must be enabled on the interfaces on both routers. Issue the encapsulation ppp command to accomplish this.
Issue this command to enable Millisecond timestamps on the router:
Router(config)# service timestamp debug datetime msec
For more information on debug commands, see Important Information on Debug Commands.
Note: PPP negotiation between two peers cannot start unless the lower layer (ISDN, physical interface, dial-up line, and so on) under PPP functions perfectly. For example, if you want to run PPP over ISDN, then all ISDN layers must be up; otherwise PPP does not start.
This document is not restricted to specific software and hardware versions.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
The link goes through several phases in the process of PPP negotiation, as shown in this table. The end result is that PPP is either up or down.
Phase | Description |
---|---|
DOWN | In this phase, PPP is down. This message is seen after the link and PPP are completely brought down: *Mar 3 23:32:50.296: BR0:1 PPP: Phase is DOWN |
ESTABLISHING | PPP transitions to this phase when it receives an indication that the physical layer is up and ready to be used. LCP1 negotiation occurs in this phase. *Mar 3 23:32:06.884: BR0:1 PPP: Phase is ESTABLISHING |
AUTHENTICATING | If PPP authentication (CHAP2 or PAP3) is desired on the link, then PPP transitions to this phase. Keep in mind that PPP authentication is optional. *Mar 3 23:32:06.952: BR0:1 PPP: Phase is AUTHENTICATING |
UP | Once authentication is complete, PPP transitions to the UP phase. NCP4 negotiation occurs in this phase. *Mar 3 23:42:53.412: BR0:1 PPP: Phase is UP |
TERMINATING | In this phase, PPP shuts down. *Mar 3 23:43:23.256: BR0:1 PPP: Phase is TERMINATING |
1. LCP = Link Control Protocol
2. CHAP = Challenge Handshake Authentication Protocol
3. PAP = Password Authentication Protocol
4. NCP = Network Control Protocol
This diagram shows the PPP phase transitions:
This table includes description of PPP negotiation packets that are used in both LCP and NCP negotiation:
Packet | Code | Description |
---|---|---|
CONFREQ | Configure-Request | To open a connection to the peer, the device transmits this message along with the configuration options and values the sender wishes the peer to support. All options and values are negotiated simultaneously. If the peer responds with a CONFREJ or CONFNAK message, then the router sends another CONFREQ with another set of options or values. |
CONFREJ | Configure-Reject | If some configuration option received in the CONFREQ message is not acceptable or not recognizable, the router responds with a CONFREJ message. The unacceptable option (from the CONFREQ message) is included in the CONFREJ message. |
CONFNAK | Configure-NAK1 | If the received configuration option is recognizable and acceptable, but some value is not acceptable, the router transmits a CONFNAK message. The router appends the option and value that it can accept in the CONFNAK message so that the peer can include that option in the next CONFREQ message. |
CONFACK | Configure-ACK2 | If all options in the CONFREQ message are recognizable and all values are acceptable, then the router transmits a CONFACK message. |
TERMREQ | Terminate-Request | This message is used to initiate an LCP close. |
TERMACK | Terminate-ACK | This message is transmitted in response to the TERMREQ message. |
1. NAK = Negative Acknowledge
2. ACK = Acknowledge
Note: Each peer can send CONFREQs with the option or value it wants the peer to support. This can cause the options negotiated in each direction to be different. For example, one side may wish to authenticate the peer, while the other may not.
Within some of the PPP phases described previously, PPP also goes into specific stages such as LCP negotiation, authentication, and NCP negotiation. For more information, refer to RFC 1548 and RFC 1661 .
LCP is a phase in which parameters to establish, configure, and test the data-link connection are negotiated. An LCP state of open means that LCP was successfully completed, while an LCP state of closed indicates an LCP failure.
This diagram shows a conceptual view of an LCP handshake:
The LCP negotiation also uses a parameter called MagicNumber, which is used to determine if the link is looped back. A random string is sent across the link and, if the same value is returned, then the router determines that the link is looped back.
In this stage, the authentication is performed with the authentication protocol (CHAP or PAP) agreed upon in LCP negotiation. For PAP related information, refer to Configuring and Troubleshooting PPP Password Authentication Protocol (PAP).
For CHAP related information, refer to Understanding and Configuring PPP CHAP Authentication.
Note: Authentication is optional and PPP only enters this stage if it needs to authenticate.
This phase is used to establish and configure different network-layer protocols. The most common L3 protocol negotiated is IP. The routers exchange IP Control Protocol (IPCP) messages to negotiate options specific to the protocol (IP in this example).
RFC 1332 says that IPCP negotiates two options: compression and IP address assignments. However, IPCP is also used to pass network related information such as primary and backup Windows Name Service (WINS) and Domain Name System (DNS) servers.
The negotiation occurs with the use of CONF messages, as described in the PPP Negotiation Packets: A Description section of this document.
When you read the debug ppp negotiation command output for troubleshooting purposes, follow these instructions:
Identify the phase transitions in the debug command output. Determine the furthest phase the connection achieved, such as UP or AUTHENTICATING. This can help you identify the phase in which the connection failed. For more information on the phases, see the Phases of PPP Negotiation section.
For the phase in which the failure occurred, look for messages that indicate that LCP, authentication, or NCP (as appropriate) are successful:
The LCP state should be open. You can also look at the last incoming and outgoing CONFACK messages to verify that the parameters you require have been negotiated.
Authentication should be successful. If you use two-way authentication, then each transaction must be successful. For more information on troubleshooting PPP authentication failures, refer to Troubleshooting PPP (CHAP or PAP) Authentication.
The IPCP state should be open. Verify that the addressing is correct and that a route to the peer is installed.
Most lines in the debug ppp negotiation command output are characterized by:
The timestamp—Millisecond timestamps are useful. See the Prerequisites section of this document for more information.
Interface and Interface number—This field is useful when debug connections use multiple connections, or when the connection transitions through several interfaces. For example, certain connections (such as multilink calls) are controlled by the physical interface at the beginning, but are later controlled by the dialer interface or virtual-access interface.
Type of PPP message—This field indicates whether the line is a general PPP, LCP, CHAP, PAP, or IPCP message.
Direction of the message—An I indicates an incoming packet, and an O indicates an outgoing packet. This field can be used to determine if the message was generated or received by the router.
Message—This field includes the particular transaction under negotiation.
ID—This field is used to match and coordinate request messages to the appropriate response messages. You can use the ID field to associate a response with an incoming message. This option is especially useful when the incoming message and the response are far apart in the debug output.
Length—The length field defines the length of the information field. This field is not important for general troubleshooting.
Note: Fields 4 through 7 may not appear in all PPP messages, depending on the purpose of the message.
Note: This example illustrates the fields:
This is an annotated description of debug ppp negotiation command output:
maui-soho-01#debug ppp negotiation PPP protocol negotiation debugging is on maui-soho-01# *Mar 1 00:06:36.645: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up !--- The Physical Layer (BRI Interface) is up. Only now can PPP !--- negotiation begin. *Mar 1 00:06:36.661: BR0:1 PPP: Treating connection as a callin *Mar 1 00:06:36.665: BR0:1 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 0 load] !--- The PPP Phase is ESTABLISHING. LCP negotiation now occurs. *Mar 1 00:06:36.669: BR0:1 LCP: State is Listen *Mar 1 00:06:37.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17 !--- This is the incoming CONFREQ. The ID field is 7. *Mar 1 00:06:37.038: BR0:1 LCP: AuthProto PAP (0x0304C023) *Mar 1 00:06:37.042: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D) *Mar 1 00:06:37.046: BR0:1 LCP: Callback 0 (0x0D0300) !--- The peer has requested: !--- Option: Authentication Protocol, Value: PAP !--- Option: MagicNumber (This is used to detect loopbacks and is always sent.) !--- Option: Callback, Value: 0 (This is for PPP Callback; MS Callback uses 6.) *Mar 1 00:06:37.054: BR0:1 LCP: O CONFREQ [Listen] id 4 len 15 !--- This is an outgoing CONFREQ, with parameters for the peer to implement. !--- Note that the ID Field is 4, so this is not related to the previous !--- CONFREQ message. *Mar 1 00:06:37.058: BR0:1 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 00:06:37.062: BR0:1 LCP: MagicNumber 0x1081E7E1 (0x05061081E7E1) !--- This router requests: !--- Option: Authentication Protocol, Value: CHAP !--- Option: MagicNumber (This is used to detect loopbacks and is always sent.) *Mar 1 00:06:37.066: BR0:1 LCP: O CONFREJ [Listen] id 7 len 7 !--- This is an outgoing CONFREJ for message with Field ID 7. !--- This is the response to the CONFREQ received first. *Mar 1 00:06:37.070: BR0:1 LCP: Callback 0 (0x0D0300) !--- The option that this router rejects is Callback. !--- If the router wanted to do MS Callback rather than PPP Callback, it !--- would have sent a CONFNAK message instead. *Mar 1 00:06:37.098: BR0:1 LCP: I CONFACK [REQsent] id 4 len 15 !--- This is an incoming CONFACK for a message with Field ID 4. *Mar 1 00:06:37.102: BR0:1 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 00:06:37.106: BR0:1 LCP: MagicNumber 0x1081E7E1 (0x05061081E7E1) !--- The peer can support all requested parameters. *Mar 1 00:06:37.114: BR0:1 LCP: I CONFREQ [ACKrcvd] id 8 len 14 !--- This is an incoming CONFREQ message; the ID field is 8. !--- This is a new CONFREQ message from the peer in response to the CONFREJ id:7. *Mar 1 00:06:37.117: BR0:1 LCP: AuthProto PAP (0x0304C023) *Mar 1 00:06:37.121: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D) !--- The peer has requested: !--- Option: Authentication Protocol, Value: PAP !--- Option: MagicNumber (This is used to detect loopbacks and is always sent.) *Mar 1 00:06:37.125: BR0:1 LCP: O CONFNAK [ACKrcvd] id 8 len 9 !--- This is an outgoing CONFNACK for a message with Field ID 8. *Mar 1 00:06:37.129: BR0:1 LCP: AuthProto CHAP (0x0305C22305) !--- This router recognizes the option Authentication Protocol, !--- but does not accept the value PAP. In the CONFNAK message, !--- it suggests CHAP instead. *Mar 1 00:06:37.165: BR0:1 LCP: I CONFREQ [ACKrcvd] id 9 len 15 !--- This is an incoming CONFREQ message with Field ID 9. *Mar 1 00:06:37.169: BR0:1 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 00:06:37.173: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D) !--- CHAP authentication is requested. *Mar 1 00:06:37.177: BR0:1 LCP: O CONFACK [ACKrcvd] id 9 len 15 !--- This is an outgoing CONFACK for a message with Field ID 9. *Mar 1 00:06:37.181: BR0:1 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 00:06:37.185: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D) *Mar 1 00:06:37.189: BR0:1 LCP: State is Open !--- This indicates that the LCP state is Open. *Mar 1 00:06:37.193: BR0:1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load] !--- The PPP Phase is AUTHENTICATING. PPP Authentication occurs now. !--- Two-way authentication is now performed (indicated by the both keyword). *Mar 1 00:06:37.201: BR0:1 CHAP: O CHALLENGE id 4 len 33 from "maui-soho-01" !--- This is the outgoing CHAP Challenge. !--- In LCP the routers had agreed upon CHAP as the authentication protocol. *Mar 1 00:06:37.225: BR0:1 CHAP: I CHALLENGE id 3 len 33 from "maui-soho-03" !--- This is an incoming Challenge message from the peer. *Mar 1 00:06:37.229: BR0:1 CHAP: Waiting for peer to authenticate first *Mar 1 00:06:37.237: BR0:1 CHAP: I RESPONSE id 4 len 33 from "maui-soho-03" !--- This is an incoming response from the peer. *Mar 1 00:06:37.244: BR0:1 CHAP: O SUCCESS id 4 len 4 !--- This router has successfully authenticated the peer. *Mar 1 00:06:37.248: BR0:1 CHAP: Processing saved Challenge, id 3 *Mar 1 00:06:37.260: BR0:1 CHAP: O RESPONSE id 3 len 33 from "maui-soho-01" *Mar 1 00:06:37.292: BR0:1 CHAP: I SUCCESS id 3 len 4 !--- This is an incoming Success message. Each side has !--- successfully authenticated the other. *Mar 1 00:06:37.296: BR0:1 PPP: Phase is UP [0 sess, 0 load] !--- The PPP status is now UP. NCP (IPCP) negotiation begins. *Mar 1 00:06:37.304: BR0:1 IPCP: O CONFREQ [Closed] id 4 len 10 *Mar 1 00:06:37.308: BR0:1 IPCP: Address 172.22.1.1 (0x0306AC160101) !--- This is an outgoing CONFREQ message. It indicates that !--- the local machine address is 172.22.1.1. *Mar 1 00:06:37.312: BR0:1 CDPCP: O CONFREQ [Closed] id 4 len 4 *Mar 1 00:06:37.320: BR0:1 CDPCP: I CONFREQ [REQsent] id 4 len 4 *Mar 1 00:06:37.324: BR0:1 CDPCP: O CONFACK [REQsent] id 4 len 4 !--- These messages are for CDP Control Protocol (CDPCP). *Mar 1 00:06:37.332: BR0:1 IPCP: I CONFREQ [REQsent] id 4 len 10 *Mar 1 00:06:37.336: BR0:1 IPCP: Address 172.22.1.2 (0x0306AC160102) !--- This is an incoming CONFREQ message that indicates that the peer !--- address is 172.22.1.2. An address of 0.0.0.0 indicates that the peer !--- does not have an address and requests the local router to provide it !--- with an address in IPCP negotiation. *Mar 1 00:06:37.344: BR0:1 IPCP: O CONFACK [REQsent] id 4 len 10 *Mar 1 00:06:37.348: BR0:1 IPCP: Address 172.22.1.2 (0x0306AC160102) *Mar 1 00:06:37.356: BR0:1 IPCP: I CONFACK [ACKsent] id 4 len 10 *Mar 1 00:06:37.360: BR0:1 IPCP: Address 172.22.1.1 (0x0306AC160101) *Mar 1 00:06:37.363: BR0:1 IPCP: State is Open !--- The IPCP state is Open. Note that in the IPCP negotiation, each side !--- accepted the IP address of the peer, and one was assigned to the peer. *Mar 1 00:06:37.371: BR0:1 CDPCP: I CONFACK [ACKsent] id 4 len 4 *Mar 1 00:06:37.375: BR0:1 CDPCP: State is Open !--- This indicates that the CDPCP state is Open. *Mar 1 00:06:37.387: BR0 IPCP: Install route to 172.22.1.2 !--- A route to the peer is installed. *Mar 1 00:06:38.288: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up *Mar 1 00:06:42.609: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to maui-soho-03
When the lower layer becomes available (Up), a CONFREQ is sent to start the first PPP phase (LCP phase). It is used in LCP and NCP phases as an attempt to configure the connection. To open a connection to the peer, the device transmits this message along with the configuration options and values the sender wishes the peer to support. All options and values are negotiated simultaneously. If the peer responds with a CONFREJ or CONFNAK message, then the router sends another CONFREQ with another set of options or values.
If all options in the CONFREQ message are recognizable and all values are acceptable, then the router transmits a CONFACK message.
If some configuration option received in the CONFREQ is not acceptable or not recognizable, the router responds with a CONFREJ message. The unacceptable option (from the CONFREQ) is included in the CONFREJ message.
If the received configuration option is recognizable and acceptable, but some value is not acceptable, the router transmits a CONFNAK message. The router appends the option and value that it can accept in the CONFNAK message so that the peer can include that option in the next CONFREQ message.
PPP uses keepalives in order to maintain the integrity of the connection. These keepalives are the ECHOREQ frame that is sent to remote PPP peer, and the remote PPP peer should respond with an ECHOREP frame upon receipt of an ECHOREQ frame. By default, if the router misses five ECHOREP frames, then the link is considered down and PPP is brought down.
This frame indicates that the PPP peer that sent this frame terminates the PPP connection.
This message is transmitted in response to the TERMREQ message. This closes down the PPP connection.
This message indicates that the PPP connection has been brought down. An LCP or NCP connection can be cut off:
on administrative close (LCP only).
when the lower level goes out of service (dial-up line, ISDN, and so on).
when negotiations fall through.
on line loop detection.
This is one of the LCP-negotiated options within the CONFREQ frame. ACCM sets the character escape sequences. ACCM tells the port to ignore specified control characters within the data stream. If the router at the other end of the connection does not support ACCM negotiation, the port is forced to use FFFFFFFF. In that case, issue this command:
ppp accm match 000a000
ACFC is an LCP option that allows endpoints to send messages back and forth more efficiently.
AuthProto is the authentication protocol type negotiated in the CONFREQ frame between both PPP connection peers for use in the authentication phase. If no PPP authentication is configured, this output is not seen in CONFREQ frame negotiated parameters. The possible values are CHAP or PAP.
This message indicates that the callback option is under negotiation. The number after the callback syntax indicates which callback option is negotiated. The number 0 is normal PPP callback, while the number 6 indicates the Microsoft callback option (which is automatically available in Cisco IOS® Software Release 11.3(2)T or later).
This message indicates that the authentication protocol under negotiation is CHAP.
This is an LCP option used to identify a PPP peer in PPP multilink connection. For more information, refer to Criteria for Naming Multilink PPP Bundles.
This message indicates that the LCP negotiation has been completed successfully.
LQM is available on all serial interfaces that run PPP. LQM monitors the link quality and takes the link down when the quality drops below a configured percentage. The percentages are calculated for both the incoming and outgoing directions. The outgoing quality is calculated by comparison of the total number of packets and bytes sent with the total number of packets and bytes received by the peer. The incoming quality is calculated by comparison of the total number of packets and bytes received with the total number of packets and bytes sent by the peer.
When LQM is enabled, Link Quality Reports (LQRs) are sent every keepalive period. LQRs are sent in place of keepalives. All incoming keepalives are responded to properly. If LQM is not configured, keepalives are sent every keepalive period, and all incoming LQRs are responded to with an LQR.
Magic Number support is available on all serial interfaces. PPP always attempts to negotiate for Magic Numbers, which are used to detect looped-back networks. A random string is sent across the link and if the same value is returned, then the router determines that the link is looped back.
The link might or might not be taken down upon looped-back detection; it depends on the use of the down-when-looped command.
This message indicates that the authentication protocol under negotiation for use by PPP peers is PAP. For more information on PAP, refer to Configuring and Troubleshooting PPP Password Authentication Protocol (PAP).
This option turns compression for the protocol fields either on or off.
This is an LCP option negotiated in the process of PPP multilink LCP setup. This option determines the maximum number of bytes that can constitute a frame. If MRRU is not negotiated in LCP, then Multilink PPP (MPPP) cannot run on the link.
MRU is an LCP option negotiated in the CONFREQ frame to negotiate the size of the exchanged packets.
This frame is sent from the local PPP peer (on which authentication is enabled) to the remote peer. It asks the remote peer to send a valid username and password for PPP connection authentication. This frame is used only with PAP.
This frame is sent out from the authenticated PPP peer to the authenticating PPP peer. This frame carries the valid username and password pair. This frame is used only when PAP is used for PPP connection authentication.
This frame is sent out from the authenticating PPP peer when the authentication failed on the authenticating PPP peer.
This is the CHAP challenge frame that is sent from the authenticating PPP peer to the authenticated PPP peer. The challenge frame consists of an ID, a random number, and either the host name of the local communication server or the name of the user on the remote device. This frame is used only when CHAP is used for PPP connection authentication.
This frame is the CHAP response sent from the authenticated PPP peer to the authenticating PPP peer.
The required response consists of two parts:
An MD5 hash output of the shared secret.
Either the host name of the remote device or the name of the user on the remote device.
This frame is used only when CHAP is used for PPP connection authentication.
On an outgoing CONFREQ message, this value indicates the IP address the local router wishes to use. If the address included is 0.0.0.0, the local machine requests the peer to supply it an IP address it can use.
On an incoming CONFREQ message, this value indicates the IP address the peer wishes to use. If the address included is 0.0.0.0, the peer requests the local machine to supply it an IP address it can use.
On an outgoing CONFNAK message, this value indicates the IP address the peer should use rather than the one the peer suggested in the CONFREQ message.
On an incoming CONFNAK message, this value indicates the IP address the local machine should use, instead of the one it suggested in the previous CONFREQ message.
On an outgoing CONFACK message, this value indicates that the IP address requested by the peer is acceptable to the local machine.
On an incoming CONFACK message, this value indicates that the IP address requested by the local machine is acceptable to the peer.
This message indicates that a compression protocol is under negotiation between both PPP peers. Cisco IOS Software supports these compression protocols to be negotiated over a PPP connection:
MS-Point-to-Point Compression (MS-PPC)
stacker
predictor
This message indicates that CDP negotiation occurs in the NCP phase. To turn off CDP on the router, issue the no cdp run command.
A CODEREJ packet is sent upon receipt of an uninterpretable packed from the remote PPP peer.
When the router finishes IPCP (NCP phase for IP L3 protocol), it must install the given IP address to the remote PPP peer in the routing table and be seen as a connected route in the routing table. If you do not see this message, verify that the no peer neighbor-route command is not configured.
This value indicates that IP is the network layer under negotiation in the NCP phase.
This message indicates the IPCP (NCP phase for IP L3 protocol) has been completed successfully.
The PPP peer, upon receipt of a PPP packet with an unknown protocol field, uses the PROTREJ message to indicate that the peer has attempted to use a protocol that is unsupported. When a PPP device receives a PROTREJ message, it must at the earliest opportunity cease to send packets of the indicated protocol.