Known Problems
PPTP Tunnel Security Validation
Authentication problems may occur when connecting a Windows 95 or NT client via a Total Control Hub to a NETBuilder II bridge/router where the Total Control Hub is setting up a PPTP tunnel to the bridge/router.
This problem is a combination of the security protocol between the client and the LS (in this case the Total Control Hub) and the time it takes to validate a Radius request on the Radius server. In addition, the setting of the DefaultAptCtl parameter needs to be considered because this determines which security protocol the NETBuilder bridge/router will use.
If the client and the LS negotiate to use PAP, the client will send PAP configure requests, but at that time the LS is busy setting up the PPTP tunnel and will forward the PAP requests to the NETBuilder bridge/router. By default, the bridge/router sends a CHAP challenge to the client, and normally the client responds immediately. The NETBuilder bridge/router then sends a request to the Radius server for validation.
If there is another PAP request from the client to the bridge/router while the bridge/router is waiting for validation from the Radius server, the bridge/router will send a PAP NAK to the client and the session is terminated. If the CHAP success message is received before the next PAP message, the PAP message is discarded and the connection is established.
Solutions include disabling CHAP on the NETBuilder DAC or disabling PAP between the client and the LS.
This situation does not arise when the NETBuilder bridge/router is using internal security because it is fast enough to check the CHAP response before the next PAP message is generated.
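The PAP/CHAP timing race described above can be replayed with a small model. This Python sketch is an added example, not 3Com code: the function names, the PAP retransmit interval, the CHAP reply delay and the validation delays are all constructed assumptions, and the model assumes a PAP request arriving before the CHAP response is simply covered by the outstanding challenge.

```python
# Added illustration: timing model of the PAP/CHAP race at the tunnel endpoint.
# Every timing value and name here is a constructed assumption, not a NETBuilder default.

def simulate(pap_interval_ms, chap_reply_ms, validation_ms, client_pap=True):
    """Replay one authentication attempt as seen by the bridge/router.

    Returns (outcome, trace); trace is a time-ordered list of (time_ms, sender, message).
    t=0 is the first forwarded PAP request, which the router answers with CHAP.
    client_pap=False models disabling PAP between the client and the LS.
    """
    trace = []
    if client_pap:
        trace.append((0, "client", "PAP request (forwarded by LS)"))
    trace.append((0, "router", "CHAP challenge"))
    trace.append((chap_reply_ms, "client", "CHAP response"))
    trace.append((chap_reply_ms, "router", "Radius validation request"))
    success_at = chap_reply_ms + validation_ms
    outcome = "established"

    # The client negotiated PAP with the LS, so it keeps resending PAP requests.
    t = pap_interval_ms
    while client_pap and t < success_at:
        trace.append((t, "client", "PAP request (retransmit)"))
        if t >= chap_reply_ms:
            # Router is still waiting on the server: it NAKs PAP and the session ends.
            trace.append((t, "router", "PAP NAK"))
            outcome = "terminated"
            break
        t += pap_interval_ms

    if outcome == "established":
        trace.append((success_at, "router", "CHAP success"))
    trace.sort(key=lambda event: event[0])  # stable sort keeps same-time ordering
    return outcome, trace


def max_safe_validation_ms(pap_interval_ms, chap_reply_ms):
    """Largest validation delay (ms) that still beats the next PAP retransmit."""
    # Index of the first retransmit landing at or after the CHAP response.
    k = max(1, -(-chap_reply_ms // pap_interval_ms))  # ceiling division
    return k * pap_interval_ms - chap_reply_ms


if __name__ == "__main__":
    for label, delay in (("slow external validation", 4000), ("fast internal check", 5)):
        outcome, trace = simulate(3000, 50, delay)
        print(label, "->", outcome)
        for event in trace:
            print("   %5d ms  %-6s %s" % event)
```

With these constructed timings, the session survives only while validation completes within `max_safe_validation_ms` of the CHAP response, which is why a fast internal check never loses the race and a slow external server can.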
RAS Ports with Manual Dial Configured Tunnels
Tunnels configured with Manual Dial, and terminated as RAS ports at the central site, will idle out inappropriately at the central site within the time specified by the DialIdleTimer when data is traversing the virtual port tunnel. You should configure the DialIdleTimer on the RAS defined port to be zero, or configure DOD tunnels.
Remote Office RAS Clients and Virtual Port Attributes
If you have a remote office dialing in to a central site router acting as a RAS server, and you wish to modify the port settings on the active virtual port connection, you must first hang up the active connection on your Remote Office bridge/router. Not doing so may result in a connection failure the next time you try to dial the virtual port to establish a tunnel to your central office site.
SPID Wizard Detection If the two routers are connected to a single
disconnect one of the routers from the
STP AutoMode Does Not Select the Right Mode
When a NETBuilder II TI is connected over X.25 to a NETBuilder II bridge/router that has Ethernet or token ring, and the Ethernet is transparent bridging to other routers over X.25 and the token ring interface requires source route bridging to the NETBuilder II TI, STP does not select the right mode when the default value is AutoMode. Set the STP value to SRTMode.