Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kcheng
Staff
Staff

Created on ‎10-05-2022 12:35 AM Edited on ‎03-29-2024 12:07 AM By Community Manager

Article Id 225700

Troubleshooting Tip: Troubleshooting PPPoE connection failed

Description This article describes how to troubleshoot PPPoE connection failure when FortiGate is configured as the PPPoE client.
Scope FortiGate.
Solution
  1. Verify that the username and password are correctly configured.
  2. If the PPPoE interface is correctly configured, it would be required to capture the following information from FortiGate:

diag netlink interface list <pppoe>

 

diag debug reset

diag debug disable

diag debug app pppoed -1

diag debug enable

 

To stop:

 

diag debug disable

 

  1. It is also recommended to perform packet capture on the PPPoE interface:

diag sniffer packet <pppoe> '' 6 0 a

 

  1. Verify if PPPoE negotiation is successful:

 

Client to server: Initiation (PADI) -> Server to client: Offer (PADO) -> Client to server: request (PADR) -> Server to client: session confirmation (PADS).

 

PPPoE consists of two phases:

  • Active Discovery Phase.
  • PPP Session Phase.

 

Active Discovery Phase:

  1. The client sends a broadcast Initiation (PADI).
  2. The server responds with unicast Offer (PADO).
  3. The client sends a unicast Request (PADR).
  4. The server responds with a unicast Session (PADS).

 

PPP Session Phase:

  1. Link Control Protocol (LCP).
  2. PPP Authentication (PAP / CHAP).
  3. Network Control Protocol (NCP) -> IPCP.

 

A graphical representation would look like this:

 

2024-03-29 14 43 37.jpg

 

To capture packets at each stage, simply use the sniffer below:

 

diag sniff packet <interface name> "ether proto 0x8863" 6 0 a <----- Discovery Stage.
diag sniff packet <interface name> "ether proto 0x8864" 6 0 a <----- Session Stage.


For the Discovery stage, a sample packet capture might look like this:

 

Untitled picture2.png

 

For the Session stage, a sample packet capture might look like this:

 

Untitled picture3.png

 

If the transaction is valid, it will be possible to see the transactional information in the Wireshark:

 

kcheng_0-1664952505632.png

 

 

If there is only broadcast (PADI) information noticed, it may be due to incorrect physical wiring or the ISP router not responding to the request.

 

To help isolate the issue,  use the Windows machine to determine if it does not respond to broadcast. Similar to the image below.

 

Untitled picture.png

 

In these cases, it is required to check on the physical layer and/or logs on the ISP router to see if it received the broadcast packet and responded accordingly.

 

PPPoE connection failure when FortiGate is configured as the PPPoE client not working in the HA cluster

 

If issues are faced with FortiGate as a PPPoE client not working in a High Availability (HA) cluster with the default group ID 0, refer to the following articles for steps to resolve the problem:

Technical Tip: Troubleshooting PPPoE connection failed

Technical Tip: HA Cluster virtual MAC addresses

 

In the HA cluster with default HA group ID 0, it is recommended to change the HA cluster default group ID 0. The default HA MAC (group 0) is the source of the problem.
The reason the PPPoE server does not respond properly to the default HA MAC address is because if several HA cluster are on same broadcast domain with default HA group ID 0, they generate the same virtual MAC address.

 

Formula: 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>. Where <group-id_hex> is the HA group ID for the cluster converted to hexadecimal.

 

Related articles:

Technical Tip: pppoe-interface configuration.

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark.
Labels:
15028
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.