Additional Troubleshooting Commands

This section introduces some additional commands that might be useful when troubleshooting PPTP.

show vpdn

The show vpdn command can be used to view basic information regarding any PPTP tunnels that have been established.

Example 3-77 illustrates the show vpdn command output.

Example 3-77. show vpdn Command Output
Arizona_PNS#show vpdn
%No active L2TP tunnels
%No active L2F tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name     State    Remote Address  Port  Sessions
23                    estabd   172.16.1.2     1058  1
LocID RemID TunID Intf    Username      State   Last Chg
16    32768 23    Vi1     mjlnet      estabd  00:00:16
%No active PPPoE tunnels
Arizona_PNS#

In Example 3-77, you can see that one PPTP tunnel has been established, with one active session within it (highlighted line 1).

The IP address of the remote access client/PNS (172.16.1.2) and the TCP (source) port that the remote access client/PNS is using for the control connection are shown in highlighted line 2. In this case, the source port is 1058.

In highlighted line 3, the local and remote (peer) Call IDs can be seen. They are 16 and 32768, respectively.

Additionally, the virtual access interface being used by the active session is displayed (Vi1, virtual access interface 1), together with the username for the session (mjlnet). Finally, the tunnel/session uptime is shown (16 seconds).

show vpdn tunnel

The show vpdn tunnel command shows basic information regarding specific tunnels, as shown in Example 3-78.

Example 3-78. show vpdn tunnel Command Output
Arizona_PNS#show vpdn tunnel
%No active L2TP tunnels
%No active L2F tunnels
PPTP Tunnel Information Total tunnels 1 sessions 1
LocID Remote Name     State    Remote Address  Port  Sessions
23                    estabd   10.10.10.15     1058  1
%No active PPPoE tunnels
Arizona_PNS#

In highlighted line 1, you can see that there is one PPTP tunnel active. Within it, there is one active session.

Highlighted line 2 shows the IP address of the remote access client/PNS, together with the TCP (source) port being used by the remote access client/PNS for control channel connectivity.

One thing to note in highlighted line 2 is the absence of any remote name. A remote name is supplied by Windows 98 remote access clients/PNSs but might not be supplied by Windows 2000 or Windows NT remote access clients/PNSs. The remote name is the DNS name of the remote access client/PNS and should not be confused with the username used for PPP authentication on the tunnel session.

show vpdn session

As the command syntax suggests, the show vpdn session command displays summary information regarding sessions within the PPTP tunnels, as shown in Example 3-79.

Example 3-79. show vpdn session Command Output
Arizona_PNS#show vpdn session
%No active L2TP tunnels
%No active L2F tunnels
PPTP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Intf    Username      State   Last Chg
16    32768 23    Vi1     mjlnet      estabd  00:00:34
%No active PPPoE tunnels
Arizona_PNS#

In highlighted line 1, you can see that one tunnel, and within it, one session, are active.

Highlighted line 2 shows the local and remote (peer) Call IDs (16 and 32768, respectively). The session terminates on virtual access interface 1 (Vi1), and the username for the session is mjlnet. Finally, the session uptime is 34 seconds.

show ppp mppe virtual-access number

To view MPPE information and statistics for a certain interface, the show ppp mppe virtual-access number command can be used. Output for this command is shown in Example 3-80.

Example 3-80. show ppp mppe virtual-access Command Output
Arizona_PNS#show ppp mppe virtual-access 1
Interface Virtual-Access1 (current connection)
  Software encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 25
  sent CCP resets   = 0        receive CCP resets = 0
  next tx coherency = 0        next rx coherency  = 25
  tx key changes    = 0        rx key changes     = 25
  rx pkt dropped    = 0        rx out of order pkt= 0
  rx missed packets = 0
Arizona_PNS#

In this case, MPPE information for virtual access interface 1 is displayed.

The session key length and encryption mode are shown in highlighted line 1. In this case, 40-bit session keys and stateless encryption mode are being used.

In highlighted line 2, the number of encrypted and decrypted packets is displayed (0 and 25, respectively).

The number of CCP resets is shown in highlighted line 3. CCP resets are sent when packet loss is detected in stateful encryption mode. Because the mode being used in this case is stateless encryption, these numbers will remain 0.

Highlighted line 4 shows the transmit (tx) and receive (rx) coherency counts. The transmit coherency count corresponds to the sequence number of the next packet to be encrypted, and the receive coherency count corresponds to the sequence number of the next packet to be decrypted.

The next highlighted line shows the number of transmit (tx) and receive (rx) key changes. Because the encryption mode being used is stateless encryption (the key changes on a packet-by-packet basis), you would expect the number of transmit and receive key changes to equal the number of packets sent and received. If you compare the number of key changes to the number of encrypted (sent) and decrypted (received) packets in highlighted line 2, you can see that they do, in fact, match.

Note that for stateful encryption mode, the key is reinitialized (changed) every 256 packets or when a CCP reset is received.

Highlighted line 6 shows the number of packets received and dropped and the number of packets that are received out of order. Note that packets are dropped if they are duplicates of packets already received.

Finally, in highlighted line 7, the number of missed packets is shown.
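The consistency checks just described (key changes tracking packet counts in stateless mode, CCP resets staying at 0) can be scripted against captured output. The following Python is an added example, not part of the original text; the function names and the `min_key_bits` threshold are assumptions chosen for illustration.

```python
import re

# Counters copied from Example 3-80 (whitespace normalised).
SAMPLE = """\
Interface Virtual-Access1 (current connection)
  Software encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 25
  sent CCP resets   = 0        receive CCP resets = 0
  next tx coherency = 0        next rx coherency  = 25
  tx key changes    = 0        rx key changes     = 25
  rx pkt dropped    = 0        rx out of order pkt= 0
  rx missed packets = 0
"""

def parse_mppe(text):
    """Extract key length, mode and every 'name = value' counter."""
    m = re.search(r"(\d+) bit encryption, (\w+) mode", text)
    if not m:
        raise ValueError("no MPPE encryption line found")
    counters = {name.strip(): int(value) for name, value in
                re.findall(r"([A-Za-z][A-Za-z ]*?)[ \t]*=[ \t]*(\d+)", text)}
    return {"key_bits": int(m.group(1)), "mode": m.group(2).lower(),
            "counters": counters}

def check_mppe(info, min_key_bits=128):
    """Return findings. min_key_bits is an assumed local policy, not from the page."""
    c, findings = info["counters"], []
    if info["key_bits"] < min_key_bits:
        findings.append(f"{info['key_bits']}-bit session key below policy minimum")
    if info["mode"] == "stateless":
        # Stateless mode rekeys per packet, so key changes must track packets.
        if c["tx key changes"] != c["packets encrypted"]:
            findings.append("tx key changes != packets encrypted")
        if c["rx key changes"] != c["packets decrypted"]:
            findings.append("rx key changes != packets decrypted")
        # CCP resets belong to stateful mode only.
        if c["sent CCP resets"] or c["receive CCP resets"]:
            findings.append("CCP resets counted in stateless mode")
    for name in ("rx pkt dropped", "rx out of order pkt", "rx missed packets"):
        if c[name]:
            findings.append(f"{name} = {c[name]}")
    return findings

if __name__ == "__main__":
    for finding in check_mppe(parse_mppe(SAMPLE)) or ["no findings"]:
        print(finding)
```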

debug ppp mppe packet

The debug ppp mppe packet command can be used to view MPPE packet information, as the sample output in Example 3-81 demonstrates.

Example 3-81. debug ppp mppe packet Command Output
Arizona_PAC#debug ppp mppe packet
MPPE Packets debugging is on
Arizona_PAC#
*Aug 17 21:00:31.867 UTC: Vi1 MPPE: I coh 70   len 100  ENC        FLUSH
*Aug 17 21:00:33.371 UTC: Vi1 MPPE: I coh 71   len 100  ENC        FLUSH
*Aug 17 21:00:34.323 UTC: Vi1 MPPE: I coh 72   len 109  ENC        FLUSH
*Aug 17 21:00:39.379 UTC: Vi1 MPPE: I coh 73   len 100  ENC        FLUSH
*Aug 17 21:00:40.331 UTC: Vi1 MPPE: I coh 74   len 109  ENC        FLUSH
*Aug 17 21:00:40.879 UTC: Vi1 MPPE: I coh 75   len 100  ENC        FLUSH
*Aug 17 21:00:42.383 UTC: Vi1 MPPE: I coh 76   len 100  ENC        FLUSH
*Aug 17 21:00:46.339 UTC: Vi1 MPPE: I coh 77   len 109  ENC        FLUSH
*Aug 17 21:00:48.391 UTC: Vi1 MPPE: I coh 78   len 100  ENC        FLUSH
Arizona_PAC#

In highlighted line 1, an MPPE packet is received on virtual access interface 1. A coherency count of 70 is shown, together with the packet length (100).
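Because the coherency count is a sequence number, captured debug output can be scanned for breaks in the sequence, which correspond to the missed, dropped, and out-of-order counters of show ppp mppe. The following Python is an added example, not part of the original text; the log lines are constructed in the format of Example 3-81, and the 12-bit width of the counter is taken from RFC 3078 rather than from this page.

```python
import re

# Constructed sample in the format of Example 3-81: 73 is missing, 75 repeats,
# and the 12-bit counter wraps from 4095 to 0 on a second interface.
LOG = """\
*Aug 17 21:00:31.867 UTC: Vi1 MPPE: I coh 70   len 100  ENC        FLUSH
*Aug 17 21:00:33.371 UTC: Vi1 MPPE: I coh 71   len 100  ENC        FLUSH
*Aug 17 21:00:34.323 UTC: Vi1 MPPE: I coh 72   len 109  ENC        FLUSH
*Aug 17 21:00:40.331 UTC: Vi1 MPPE: I coh 74   len 109  ENC        FLUSH
*Aug 17 21:00:40.879 UTC: Vi1 MPPE: I coh 75   len 100  ENC        FLUSH
*Aug 17 21:00:40.901 UTC: Vi1 MPPE: I coh 75   len 100  ENC        FLUSH
*Aug 17 21:00:41.002 UTC: Vi2 MPPE: I coh 4095 len 100  ENC        FLUSH
*Aug 17 21:00:41.950 UTC: Vi2 MPPE: I coh 0    len 100  ENC        FLUSH
"""

LINE = re.compile(r"(\S+) MPPE: I coh (\d+)\s+len (\d+)")
MODULUS = 4096  # coherency count is 12 bits wide (RFC 3078), so it wraps at 4095

def coherency_events(log):
    """Return (interface, kind, expected, seen) for every break in sequence."""
    expected, events = {}, []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        intf, coh = m.group(1), int(m.group(2))
        want = expected.get(intf, coh)          # first packet sets the baseline
        ahead = (coh - want) % MODULUS
        if ahead == 0:
            expected[intf] = (coh + 1) % MODULUS
        elif ahead < MODULUS // 2:              # skipped forward: packets missed
            events.append((intf, "missed", want, coh))
            expected[intf] = (coh + 1) % MODULUS
        else:                                   # behind: duplicate or late packet
            events.append((intf, "duplicate-or-late", want, coh))
    return events

if __name__ == "__main__":
    for event in coherency_events(LOG):
        print(event)
```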

debug ppp mppe event

This command displays MPPE event information, including the method of key generation, the session key length, and the encryption mode.

Example 3-82 shows debug ppp mppe event command output.

Example 3-82. debug ppp mppe event Command Output
Arizona_PAC#debug ppp mppe event
MPPE Events debugging is on
Arizona_PAC#
*Aug 17 21:01:41.683 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state
  to up
*Aug 17 21:01:43.711 UTC: Vi1 MPPE: Generate keys using local database
*Aug 17 21:01:43.711 UTC: Vi1 MPPE: Initialize keys
*Aug 17 21:01:43.715 UTC: Vi1 MPPE: [40 bit encryption]  [stateless mode]
*Aug 17 21:01:44.703 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface
  Virtual-Access1, changed state to up
Arizona_PAC#

In this case, keys are generated using the local database (highlighted line 1), and 40-bit session keys and stateless encryption are being used (highlighted lines 2 and 3).

debug ppp mppe detailed

Detailed MPPE encryption and decryption information can be displayed using the debug ppp mppe detailed command. Extra caution is advised in using this command as it can produce large amounts of output.

Example 3-83 shows debug ppp mppe detailed command output.

Example 3-83. debug ppp mppe detailed Command Output
Arizona_PAC#debug ppp mppe detailed
MPPE Packet Details debugging is on
Arizona_PAC#
*Aug 17 21:03:34.511 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state
  to up
*Aug 17 21:03:36.663 UTC: Vi1 MPPE: CCP RX (rx, includes MPPE header) len 100
*Aug 17 21:03:36.663 UTC:  90 0  B9 30 8  72 9D D5 DE 2B AA 8D 78 8D E5 F6
*Aug 17 21:03:36.663 UTC:  C  EB AF 2  D4 0  55 A1 6  7E 3  38 72 4C 15 8B
*Aug 17 21:03:36.663 UTC:  23 E1 57 9  79 7A F5 24 99 F9 94 76 46 BB EA C9
*Aug 17 21:03:36.663 UTC:  ...
*Aug 17 21:03:36.663 UTC: Vi1 MPPE: CCP RX (after decryption) len 98
*Aug 17 21:03:36.663 UTC:  0  21 45 0  0  60 88 E6 0  0  80 11 EE FD C0 A8
*Aug 17 21:03:36.663 UTC:  2  1  FF FF FF FF 0  89 0  89 0  4C 9F 26 83 38
*Aug 17 21:03:36.663 UTC:  29 10 0  1  0  0  0  0  0  1  20 45 4E 45 4D 45
*Aug 17 21:03:36.663 UTC:  ...
*Aug 17 21:03:36.663 UTC: Vi1 MPPE: CCP RX (rx, includes MPPE header) len 36
*Aug 17 21:03:36.663 UTC:  90 1  9B 2  ED 17 AB A7 38 62 CD 29 D6 F  B7 29
*Aug 17 21:03:36.667 UTC:  46 1C 4B 1A B4 61 1  6A E5 DC 91 7  C4 F0 B5 EE
*Aug 17 21:03:36.667 UTC:  8D 16 72 29
*Aug 17 21:03:36.667 UTC: Vi1 MPPE: CCP RX (after decryption) len 34
*Aug 17 21:03:36.667 UTC:  0  21 46 0  0  20 88 E9 0  0  1  2  F9 3B C0 A8
*Aug 17 21:03:36.667 UTC:  2  1  E0 0  0  9  94 4  0  0  16 0  9  F6 E0 0
*Aug 17 21:03:36.667 UTC:  0  9
*Aug 17 21:03:36.667 UTC: Vi1 MPPE: CCP RX (rx, includes MPPE header) len 56
*Aug 17 21:03:36.667 UTC:  90 2  A4 2A 8F A3 64 66 A6 F  56 86 76 DF 9  8A
*Aug 17 21:03:36.667 UTC:  E  4D 46 7B 40 0  90 17 81 D8 8A FF D7 E8 5D C2
*Aug 17 21:03:36.667 UTC:  F  9F D0 1  67 D3 8  A0 1E 4C B5 E1 DC 1F F  7D
*Aug 17 21:03:36.667 UTC:  ...
*Aug 17 21:03:36.667 UTC: Vi1 MPPE: CCP RX (after decryption) len 54
*Aug 17 21:03:36.667 UTC:  0  21 45 0  0  34 88 ED 0  0  1  11 8E 19 C0 A8
*Aug 17 21:03:36.667 UTC:  2  1  E0 0  0  9  2  8  2  8  0  20 57 D9 1  2
*Aug 17 21:03:36.667 UTC:  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
*Aug 17 21:03:36.667 UTC:  ...

In highlighted line 1, an encrypted packet is received (RX) on virtual access interface 1.

In highlighted line 2, the packet is shown after decryption.
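The two-byte difference between the received length and the decrypted length is the MPPE header. The following Python is an added example, not part of the original text: it rebuilds the bytes of the second packet in Example 3-83, decodes the header, and reads the decrypted PPP and IP fields. The header bit layout comes from RFC 3078, and the function names are assumptions.

```python
import re

# The second packet of Example 3-83 (it is complete, with no "..." row).
LOG = """\
*Aug 17 21:03:36.663 UTC: Vi1 MPPE: CCP RX (rx, includes MPPE header) len 36
*Aug 17 21:03:36.663 UTC:  90 1  9B 2  ED 17 AB A7 38 62 CD 29 D6 F  B7 29
*Aug 17 21:03:36.667 UTC:  46 1C 4B 1A B4 61 1  6A E5 DC 91 7  C4 F0 B5 EE
*Aug 17 21:03:36.667 UTC:  8D 16 72 29
*Aug 17 21:03:36.667 UTC: Vi1 MPPE: CCP RX (after decryption) len 34
*Aug 17 21:03:36.667 UTC:  0  21 46 0  0  20 88 E9 0  0  1  2  F9 3B C0 A8
*Aug 17 21:03:36.667 UTC:  2  1  E0 0  0  9  94 4  0  0  16 0  9  F6 E0 0
*Aug 17 21:03:36.667 UTC:  0  9
"""
HEAD = re.compile(r"(\S+) MPPE: CCP \w+ \((.+?)\) len (\d+)")
HEXROW = re.compile(r"UTC:((?:\s+[0-9A-F]{1,2})+)\s*$")

def parse_dump(log):
    """Group hex rows under their header line (IOS prints 0x09 as '9')."""
    records = []
    for line in log.splitlines():
        if m := HEAD.search(line):
            records.append({"intf": m.group(1), "stage": m.group(2),
                            "len": int(m.group(3)), "data": bytearray()})
        elif records and (m := HEXROW.search(line)):
            records[-1]["data"] += bytes(int(b, 16) for b in m.group(1).split())
    return records

def decode_mppe_header(data):
    """Two-byte MPPE header: flag bits in the top nibble, then a 12-bit
    coherency count (bit layout from RFC 3078, not from the page)."""
    word = int.from_bytes(data[:2], "big")
    return {"flushed": bool(word & 0x8000), "encrypted": bool(word & 0x1000),
            "coherency": word & 0x0FFF}

def describe_plaintext(data):
    """Decrypted data begins with the PPP protocol field (0x0021 = IPv4)."""
    out = {"ppp_protocol": int.from_bytes(data[:2], "big")}
    if out["ppp_protocol"] == 0x0021 and len(data) >= 22:
        out["ip_total_len"] = int.from_bytes(data[4:6], "big")
        out["src"] = ".".join(map(str, data[14:18]))
        out["dst"] = ".".join(map(str, data[18:22]))
    return out

if __name__ == "__main__":
    cipher, plain = parse_dump(LOG)
    print(decode_mppe_header(cipher["data"]), cipher["len"] - plain["len"])
    print(describe_plaintext(plain["data"]))
```

Because this debug writes the decrypted payload of every packet to the log, its output should be handled as sensitive data wherever the log is stored or forwarded.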

debug vpdn error

PPTP error information can be displayed using the debug vpdn error command, as shown in Example 3-84.

Example 3-84. debug vpdn error Command Output
Arizona_PAC#debug vpdn error
VPDN errors debugging is on
Arizona_PAC#
Jan 20 10:57:05.679 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state
  to up
Jan 20 10:57:07.711 UTC: Vi1 PPTP: No session owner. Discarded
Jan 20 10:57:07.711 UTC: Vi1 PPTP: No session owner. Discarded
Jan 20 10:57:07.711 UTC: Vi1 PPTP: No session owner. Discarded
Jan 20 10:57:07.711 UTC: Vi1 PPTP: No session owner. Discarded
Arizona_PAC#

A PPTP packet is received on virtual access interface 1 (in highlighted line 1). This packet is discarded.

debug vpdn event

This command displays PPTP event information, as shown in Example 3-85.

Example 3-85. debug vpdn event Command Output
Arizona_PAC#debug vpdn event
VPDN events debugging is on
Arizona_PAC#
Jan 20 10:50:20.527 UTC: Vi1 VPDN: Virtual interface created
Jan 20 10:50:20.527 UTC: Vi1 VPDN: Clone from Vtemplate 1
Jan 20 10:50:20.543 UTC: Vi1 VPDN: Bind interface direction=2
Jan 20 10:50:20.547 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state
  to up
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Cleanup
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Reset
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Reset
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Unbind interface
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Unbind interface
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Reset
Jan 20 10:50:22.583 UTC: Vi1 VPDN: Unbind interface
Arizona_PAC#

In highlighted line 1, the virtual access interface is created, and in line 2, configuration is cloned (copied) from virtual template interface 1.

In highlighted line 3, the bind direction is shown (2=inbound).

Finally, in highlighted line 4, the virtual access interface changes state to up.

clear vpdn tunnel pptp remote access client/PNS_name PAC_name

The clear vpdn tunnel pptp remote access client/PNS_name PAC_name command is used to tear down a PPTP tunnel and its associated session.

Note that this command can be used only where the remote access client/PNS supplies a DNS name. Windows 98 remote access client/PNSs supply a DNS name, but Windows NT and 2000 remote access client/PNSs might not.

The DNS name for a remote access client/PNS can be found by using the show vpdn command.
