Known Problems
PPTP Tunnel Security Validation
Authentication problems may occur when connecting a Windows 95 or NT client
via a Total Control Hub to a NETBuilder II bridge/router where the Total Control
Hub is setting up a PPTP tunnel to the bridge/router.
This problem is a combination of the security protocol between the client and the
LS (in this case the Total Control Hub) and the time it takes to validate a Radius
request on the Radius server. In addition, the setting of the DefaultAptCtl
parameter needs to be considered because this determines which security protocol
the NETBuilder bridge/router will use.
If the client and the LS negotiate to use PAP, the client sends PAP configure
requests, but at that time the LS is busy setting up the PPTP tunnel and forwards
the PAP requests to the NETBuilder bridge/router. By default, the bridge/router
sends a CHAP challenge to the client, and normally the client responds immediately.
The NETBuilder bridge/router then sends a request to the Radius server for
validation.
If there is another PAP request from the client to the bridge/router while the
bridge/router is waiting for validation from the Radius server, the bridge/router will
send a PAP NAK to the client and the session is terminated. If the CHAP success
message is received before the next PAP message, the PAP message is discarded
and the connection is established.
Solutions include disabling CHAP on the NETBuilder DAC or disabling PAP
between the client and the LS.
This situation does not arise when the NETBuilder bridge/router is using internal
security because it is fast enough to check the CHAP response before the next PAP
message is generated.
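The race described above can be replayed as a small state machine. This is an added example, not code from the product or the original notes; the state and event names, the timer values, and the handling of a PAP request that arrives before the CHAP response are assumptions made for illustration.

```python
# Added illustration: model of the bridge/router behaviour described above.
# State names, event names and all timer values are assumptions.

def run_session(events):
    """Replay (time, event) pairs; return (final_state, log of actions)."""
    state, log = "IDLE", []
    for t, ev in sorted(events):
        if state == "TERMINATED":
            break
        if ev == "pap_request":
            if state == "IDLE":
                # Default behaviour: answer the forwarded PAP with a CHAP challenge.
                state, action = "CHALLENGED", "send CHAP challenge"
            elif state == "WAIT_VALIDATION":
                # PAP arrives while validation is still outstanding.
                state, action = "TERMINATED", "send PAP NAK, drop session"
            else:
                # After CHAP success the page says PAP is discarded; discarding
                # it before the CHAP response is an assumption of this model.
                action = "discard PAP request"
        elif ev == "chap_response" and state == "CHALLENGED":
            state, action = "WAIT_VALIDATION", "send validation request"
        elif ev == "validation_ok" and state == "WAIT_VALIDATION":
            state, action = "ESTABLISHED", "send CHAP success"
        else:
            action = "ignore"
        log.append((t, ev, action))
    return state, log

def build_timeline(pap_retry, validation_delay, chap_rtt=0.05, pap_sends=3):
    """Constructed timeline: the client repeats PAP every pap_retry seconds."""
    events = [(i * pap_retry, "pap_request") for i in range(pap_sends)]
    events.append((chap_rtt, "chap_response"))
    events.append((chap_rtt + validation_delay, "validation_ok"))
    return events

if __name__ == "__main__":
    # Slow external validation versus fast internal security (constructed values).
    for label, delay in (("Radius, 4.0 s", 4.0), ("internal, 0.01 s", 0.01)):
        state, log = run_session(build_timeline(3.0, delay))
        print(label, "->", state)
        for entry in log:
            print("   %5.2f  %-14s %s" % entry)
```

In this model the session survives only when validation completes before the client's next PAP request, which is why both documented solutions work: each removes one of the two competing protocols from the exchange.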
RAS Ports with Manual Dial Configured Tunnels
Tunnels configured with Manual Dial, and terminated as RAS ports at the central
site, will idle out inappropriately at the central site within the time specified by the
DialIdleTimer when data is traversing the virtual port tunnel. You should configure
the DialIdleTimer on the RAS defined port to be zero, or configure DOD tunnels.
Remote Office RAS Clients and Virtual Port Attributes
If you have a remote office dialing in to a central site router acting as a RAS server,
and you wish to modify the port settings on the active virtual port connection, you
must first hang up the active connection on your Remote Office bridge/router. Not
doing so may result in a connection failure the next time you try to dial the virtual
port to establish a tunnel to your central office site.
SPID Wizard Detection Errors
If the two routers are connected to a single NT-1, SPID Wizard cannot detect the
correct switch type and corresponding SPIDs. To work around the problem,
disconnect one of the routers from the NT-1 before running SPID Wizard.
Reconnect the router after SPID Wizard completes the detection process.
STP AutoMode Does Not Select the Right Mode
When a NETBuilder II TI is connected over X.25 to a NETBuilder II bridge/router
that has Ethernet or token ring, and the Ethernet is transparent bridging to other
routers over X.25 and the token ring interface requires source route bridging to
the NETBuilder II TI, STP does not select the right mode when the default value is
AutoMode. Set the STP value to SRTMode.