Вы находитесь на странице: 1из 59

Security Level:

2013/11/15

Signaling analysis
of PDSN
CDMA Team

in Wireless Network General Engineers Office

www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Preface
This slide introduces the signaling analysis of PDSN. It
includes the analysis of A11 messages, PPP messages and
accounting messages.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 2

Reference

Package of Documents-PDSN9660(V800R002C02_05)

Rfc2002 (IP Mobility Support)

Rfc1332 (IPCP)

Rfc1661 (PPP)

Rfc1994 (CHAP)

Rfc2484 (LCP)

3GPP2_X.S0011-005-C_v1.0 (Accounting)

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 3

Objective
After this course, you will be able to:

Know the signaling flow of A11 interface.

Know the signaling flow of PPP protocol.

Know the signaling flow of PDSN accounting messages.

Can do some simple trouble shooting based on the signaling


analysis.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 4

CONTENT
Chapter 1 Overview
Chapter 2 A11 messages
Chapter 3 PPP messages
Chapter 4 Accounting messages

Chapter 5 Examples and Trouble


Shooting

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 5

Overview
Procedure of CDMA 1X data service connection setup:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 6

Overview

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 7

Overview
Procedure of CDMA 1X data service connection released by MS:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 8

Overview

In simple IP network, there are three kinds of messages in PDSN:


A11 messages

PPP messages
Accounting messages

Function of each kind of messages:


A11 messages: setup or release the A10 connection between the PCF and
PDSN.
PPP messages: setup or release the PPP connection between the MS and
PDSN.
Accounting messages: do the accounting for MS between the PDSN and AAA.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 9

Overview
The whole procedure of a connection setup and release:

Setup the A10 connection

Setup the PPP connection

Accounting

Release the PPP and A10 connection.


Stop accounting.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 10

Overview

How to trace the signaling in PDSN LMT

Trace the authentication and accounting messages


Trace the A11 messages and the PPP messages
Trace all messages of one subscriber

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 11

CONTENT
Chapter 1 Overview

Chapter 2 A11 messages


Chapter 3 PPP messages
Chapter 4 Accounting messages

Chapter 5 Examples and Trouble


Shooting

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 12

A11 messages

Message type of A11 interface


A11-Registration Request (PCF->PDSN):
It is used to setup the A10 connection, keep alive the A10 connection
periodically, release the A10 connection. It carriers the accounting
information of wireless side.
A11-Registration Reply (PDSN->PCF):
It is used to answer the A11-Registration Request message.
A11-Registration Update (PDSN->PCF):
It is used to update the status of A10 connection, when the PDSN releases

the A10 connection.


A11-Registration Acknowledge (PCF->PDSN):
It is used to answer the A11-Registration Update message.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 13

A11 messages

Procedure of A10 connection setup:

PCF

PDSN
A11-registration request (setup)
A11-registration reply

A11-registration request (active)


A11-registration reply

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 14

A11 messages

A11-Registration Request message:


In HUAWEI PDSN9660, there are two types A11-Registration Request

messages: setup message and active message.


A11-Registration Request setup message is to send the initialization
information of the A10 connection.
A11-Registration Request active message is to send the information of the
wireless side which is related to the traffic channel.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 15

A11 messages
A11-Registration Request setup message

This parameter is used to


negotiate with PDSN.

Indicates the type of this


message. It is setup type.
It is given by PCF when
MS setup the connection.
A pair of PCF Session ID
and PCF IP indicates a
PPP session in PDSN
uniquely.

PDSN RPIF IP in
hexadecimal
PCF IP in
hexadecimal

MS IMSI in ASCII code

MS IMSI

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 16

A11 messages

Important parameters:
usLifeTime : Indicates the length of A10 connection that the PCF expected,

measures by second.
ulHomeAgent : The PDSN RPIF IP address.
ulCareOfAddr : The PCF IP address.
stIMSI: The IMSI of the subscriber. The IMSI in the message of page 15 is 2
57 03 02 94 00 11 22. It is encoded with the rule as follows:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 17

A11 messages
A11-Registration Reply of the
A11-Registration Request setup
message:
Important parameters:
ucCode, indicates whether the
PDSN accepts the request
message. 0 means accept.
usLifeTime, indicates the length of
A10 connection that the PDSN
permitted.
This parameter can be set in
command SET A11TIMER. The
default value is 1800 seconds.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 18

A11 messages
A11-Registration Request active message :

Indicates the type of this


message. It is active type.

Service option. 33-1X data


service. 59-EVDO data
service

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 19

A11 messages

Explanation of A11-Registration Request active message :


The header of A11-Registration Request active message is the same as the
A11-Registration Request setup message. It also have the ulLifeTime,
usHomeAddr, ulCareOfAddr, and the usIMSI, etc. But the extension part of
this message is different. There are some wireless information in its

extension part, such as the service option, the air link QOS, etc.
This message is also used in the A10 connection keep alive scenario.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 20

A11 messages

Procedure of A10 connection release:

PCF

PDSN
The reason to trigger the release can be:
MS terminate, PDSN terminate, PCF terminate

A11 registration request (stop)


A11 registration reply

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 21

A11 messages
A11-Registration Request stop :
Important parameters:
usLifeTime: 0 indicates this is a
release message.
ulHomeAgent: PDSN RPIF IP
ulCareOfAddr: PCF IP
stIMSI: MS IMSI

A11-Registration Reply message is


the same as the reply message in A10
connection setup procedure.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 22

CONTENT
Chapter 1 Overview
Chapter 2 A11 messages

Chapter 3 PPP messages


Chapter 4 Accounting messages

Chapter 5 Examples and Trouble


Shooting

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 23

PPP messages
After the A10 connection of a subscriber is setup, the PPP negotiation starts.
PPP is Point to Point Protocol. It setup a connection between two point.
In CDMA data service, the PDSN needs to set up PPP sessions with an MS to

enable the MS to access external PDNs. Before the PPP session setup, the MS
should negotiate the parameters with PDSN.
PPP negotiation between the PDSN and an MS goes in three phases.
Step1: Link Control Protocol (LCP) phase.
Step2: Authentication phase.
Step3: Network Control Protocol (NCP) phase.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 24

PPP messages

Step1: LCP phase


The LCP is used to automatically agree upon the encapsulation format
options, handle varying limits on sizes of packets, detect a looped-back link
and other common mis-configuration errors, and terminate the link.
Parameters should be negotiated between MS and PDSN in LCP phase

includes:
Maximum Receive Unit (MRU)
Magic number
Authentication method
MRU is the maximum size of IP packet that can be received by a equipment.
The default value is 1500Bytes. It can be set in command SET PPP.
Magic number is used to detect the loopback of a link.
The authentication method can be no-authenticate, PAP or CHAP. This
authentication method indicates which method to use in the authentication

phase.
HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 25

PPP messages
There are four main messages in LCP phase:
LCP Configure-Request
LCP Configure-Ack
LCP Configure-Nak
LCP Configure-Reject
LCP Configure-Request message
contains the parameters that should
be negotiated.
Notes:
If the authentication method of MS is noauthenticate, the authentication method
wont be contained in LCP ConfigureRequest message.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 26

PPP messages
LCP Configure-Ack message
contains the parameters that are
accepted by the sender.

LCP Configure-Nak message


contains the parameters that cant
be accepted by the sender. The value
of these parameters are the suggest
value from the sender.
Notes: If all of the parameters in LCP
Configure-Request are accepted, the
LCP Configure-Nak is not needed
anymore.
HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 27

PPP messages
LCP Configure-Reject message
contains the parameters that reject
by the sender.

A full signaling procedure of LCP negotiation:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 28

PPP messages

Step2: Authentication phase


There are two kinds of authentication method, PAP and CHAP.
PAP: Password Authentication Protocol.
CHAP: Challenge Handshake Authentication Protocol.

PAP
The MS sends its user name and
password to PDSN, then the PDSN
forward them to AAA. AAA will check
whether the user name and
password is correct. If the result is
correct, the AAA will reply a
authentication success message.

HUAWEI TECHNOLOGIES CO., LTD.

PAP authenticate Request


With user name and PW
Access request PAP

Huawei Confidential

Access response
PAP authenticate Ack

Page 29

PPP messages
CHAP
The password is not send in message. Use a challenge number to do the
authentication.

CHAP authenticate Challenge


With a challenge number and a
message ID

Password in MS
challenge

MD5
message ID

CHAP authenticate Response


With chap password and user
name

CHAP password

Password in AAA
challenge

MD5
message ID
Access request CHAP
(with user name, challenge number,
CHAP password
chap password and message ID )

Access response
CHAP authenticate
success

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Compare the two


Same means
CHAP password
authentication
successful.
Different means
failed.

Page 30

PPP messages

Step3: NCP phase


The NCP phase of PPP is IPCP.
IPCP is The PPP Internet Protocol Control Protocol .
IPCP protocol is to assign an IP address from one peer of PPP link to another
peer. In CDMA data service network, the PDSN assigns IPs to MSs.

There are three kinds of messages in IPCP phase:


IPCP Configure-Request
IPCP Configure-Ack
IPCP Configure-Nak

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 31

PPP messages
IPCP Configure-Request contains
the IP address option, it means that
the MS want to get IP address from
PDSN.
Notes:
The value of ip address must be 00000000
if the MS dont have a IP address.

IPCP Configure-Nak contains the IP


address that the PDSN wants to
assign to MS.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 32

PPP messages
IPCP Configure-Ack
The IP address contains in this
message means the PDSN accept
the IP request of MS. This message
indicates the IPCP phase is
successful.

A full signaling procedure of IPCP negotiation:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 33

PPP messages
A full signaling procedure of PPP negotiation:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 34

CONTENT
Chapter 1 Overview
Chapter 2 A11 messages
Chapter 3 PPP messages

Chapter 4 Accounting messages


Chapter 5 Examples and Trouble
Shooting

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 35

Accounting messages
Postpaid accounting procedure:
PDSN
Accounting
start
When the timer of interim
UDR reaches, PDSN will
send this message to
AAA to trigger the interim
record.

AAA
Accounting request start
Accounting response

Accounting request interim update


Accounting response

When the upload or


download flux reach the
threshold, PDSN will send
the stop message to AAA
to trigger the record.

Accounting request stop


Accounting response

Accounting request start


Accounting response
Accounting
stop.

Accounting request stop


Accounting response

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 36

Accounting messages

Used to identify one


connection of an MS.

Accounting Request start message:

Used to
identify a
couple of
Accounting
start and
Accounting
stop messages.

Time of
accounting start
in second.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 37

Accounting messages

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 38

Accounting messages
Some importance parameters:
Calling station ID: IMSI of the MS
Acct event time: The time of this accounting start message.
Acct session ID: this ID is used to identify a couple of Accounting start and
Accounting stop messages.
3GPP2 Correlation ID: this ID is used to identify one connection of an MS.
The relationship between the acct session ID and 3GPP2 correlation ID:
During the network browsing, an MS may have many accounting sessions.
Each accounting session consists of an Accounting start message and an
Accounting stop message. Different accounting sessions of one MS are
identified by different accounting session ID. But during the MS connecting
to the network, one MS only have one 3GPP2 correlation ID. In the AAA side,
AAA use the 3GPP2 correlation ID to identify one connection of an MS.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 39

Accounting messages
Accounting Request stop message:

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 40

Accounting messages

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 41

Accounting messages

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 42

Accounting messages
Some importance parameters:
Calling station ID: IMSI of the MS
Acct session ID: In a start and stop message pair, the acct session id are the
same.
Acct session time: The time duration between this pair of accounting start
and stop messages.
Acct output/input octets: The number of output/input octets packet during
this session.
Acct event time: The time of this accounting stop message.
Acct terminate cause: The reason of the stop message.
3GPP2 Correlation ID: this ID is used to identify one connection of an MS.
3GPP2 session continue: identify whether this is the last accounting
message. True means the whole accounting procedure is over. False means
the procedure isnt finish, there will be another accounting start message
follow this stop message.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 43

CONTENT
Chapter 1 Overview
Chapter 2 A11 messages
Chapter 3 PPP messages
Chapter 4 Accounting messages

Chapter 5 Examples and Trouble


Shooting

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 44

Examples
The successful flow of no-authentication

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 45

Examples
The successful flow of PAP authentication

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 46

Examples
The successful flow of CHAP authentication

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 47

Trouble Shooting of A10 connection


setup
How to do the trouble shooting in A10 connection setup step?
The failed phenomena of A10 connection setup:

Focus on the ucCode in A11-Registration Reply message.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 48

Trouble Shooting of A10 connection


setup
Example: The ucCode is mobile node failed authentication (131)
Analysis steps:
1. The reason of ucCode=131 is
caused by the difference of the
security alliance between the
PCF and PDSN.
2. Solution:
Check the secret key and SPI
setting in PCF and PDSN.
In PCF: LST PDSN
In PDSN: LST ALLSPI

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 49

Trouble Shooting of A10 connection


setup
Typical ucCode Reason and Solution method
81H (129)

Reason: Administratively prohibited. It is caused by the PDSN. May be it


because of the CPU usage of SPU is too high or the session number limit is
reached.
Solution: Do the check: DSP BRDCPU, DSP LICENSE, LST USR

83H (131)

Reason: The secret key and SPI are different in PCF and PDSN.
Solution: Use LST PDSN in BSC, use LST SPI in PDSN to check whether the
parameters are match. Use MOD PDSN in BSC and SET SPI in PDSN to
change.

85H (133)

Reason: The system time of PCF and PDSN are different. And the time
interval is longer than 5 minutes.
Solution: Change the system time of PCF and PDSN. Change the BSC BAM
time or change the PDSN system time (SET SYSTIME)

86H (134)

Reason: There is some error in A11-Registration Request message.


Solution: There may be many reasons. Sometimes, may be it caused by the
length of IMSI code. If the length is shorter than 15 digits, the 134 will be
caused.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 50

Trouble Shooting of PPP connection


setup
How to do the trouble shooting in LCP negotiation step?
In LCP negotiation phase, the following parameters will be negotiated between
MS and PDSN:
Maximum Receive Unit (MRU)
Asynchronism Control Code Mapping (ACCM)
Authentication protocol,
Magic number,
Protocol compression
Address control compression

If one of these parameters failed to negotiate, the LCP negotiation phase will be
failed.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 51

Trouble Shooting of PPP connection


setup
Trouble shooting in LCP negotiation phase:
Trouble phenomena 1:
For one PCF, all MSs in this PCF cant use data service. If you can only trace
the LCP Request message, not the LCP Reply message, in PCF side. But you
can trace both the LCP Request and LCP Reply messages of this PCF in PDSN
side.
PCF side trace:
PDSN side trace:

Solution for phenomena 1:


Check whether the setting of GRE sequence number is the same in PCF and
PDSN.
The PDSN use the GRE sequence number by default.
In PCF side, use LST PCFAN to check the parameter Use Sequence No., use
MOD PCFAN to modify the setting.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 52

Trouble Shooting of PPP connection


setup
Trouble phenomena 2:
For one or some MSs, if in LCP negotiation step, you can see from the
message that the MS and PDSN are negotiating one parameter endlessly till the
negotiation timeout. Then the LCP terminate message was sent by ether of the
two side to end the negotiation.
Solution for phenomena 2:
This is because of MS or PDSN need to
negotiate some parameters with the peer
side compulsively, but the peer side
dont support this parameter.
So you need to find out from the
message that which parameters they are.
And which side dont support them.
After you find them out, you need to
discuss with the two sides to change the
settings in them.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 53

Trouble Shooting of PPP connection


setup
How to do the trouble shooting in Authentication step?
In authentication phase, the MSs interwork with AAA. And the function of PDSN
in this phase is just forward the messages between them.
Trouble phenomena 1:
All of the MSs cant successfully authenticated. If you can just trace the Access
request message from PDSN to AAA, but cant receive any message from AAA.
Solution for phenomena 1:
1. Check whether the connection between PDSN and AAA is OK. (Ping from
PDSN to AAA, ping from AAA to PDSN PIIF IP)
2. Check whether the corresponding parameters between PDSN and AAA are
the same. (The secret key which is set in SET AUTHSEC command)
3. Check whether the progress of AAA is running normally.
4. If this kind of trouble occurs periodically but not permanently, please check
the traffic statistic information in M2000. Pay attention to the authentication
successful ratio. If the ratio drops when the busy hour comes, please check
whether the CPU usage of AAA is over load.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 54

Trouble Shooting of PPP connection


setup
Trouble phenomena 2:
For one or some MSs, the authentication always failed. In the trace file, the AAA
sends an Access Reject message to PDSN.

Solution for phenomena 2:


1. Check whether the user name and password in MS and AAA are the same. If
not, correct it.
2. If the authentication is failed when the MS uses CHAP as its authentication
protocol, but successful when use PAP protocol. Check whether the AAA
support the CHAP protocol. And whether the encrypt method in AAA and MS
are the same. (Generally, the encrypt method is MD5).
3. If this MS is a prepaid service MS, the following things must be checked:
A. Whether the AAA support prepaid service.
B. Whether the connection between AAA and SCP is OK.
C. Whether the subscriber is defined in SCP.
D. Whether the subscriber still have balance.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 55

Trouble Shooting of PPP connection


setup
How to do the trouble shooting in IPCP step?
In IPCP phase, the PDSN assign IP addresses to MSs.

Trouble phenomena 1:
Some of the MSs cant access to the network, but sometimes these MSs can
access. The failure MSs are not fixed. When tracing the signaling of these MSs,
you may find the authentication is successful. But after the authentication step,
PDSN will send a LCP terminate request to end this connection.
Solution for phenomena 1:
This is a representative problem of less of IP address.
Check point:
1. Whether the domain has aN IP POOL.
2. Whether there is a The usage of local address pool exceeds 90% alarm in
PDSN.
If the domain doesnt have an IP POOL, use SET POOL to add an IP POOL.
If there is an alarm, you need to discuss with the maintenance engineer of
customer to enlarge the IP POOL of the domain.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 56

Trouble Shooting of PPP connection


setup
Trouble phenomena 2:
Some of the MSs cant access to the network permanently. When trace the
signaling of them, found that the LCP and authentication steps are all
successful. The PDSN also assign an IP address to this MS, and the MS accept
this IP address. But the IPCP negotiation still cant successfully complete.
Solution for phenomena 2:
In IPCP step, the MS and PDSN not only negotiate the IP address but also the IP
address of main and slave DNS server and the compression mode of TCP/IP
header.
Some MSs may have a fixed DNS server IP address inside it. If this DNS IP is
not contained in PDSN configuration file, and the MS doesnt support the
negotiation of DNS IP address, the IPCP phase will be failed. The solution is to
add this DNS IP in PDSN or change the MSs setting.
When using the PC+MS to access to the network, the VJ compression may set
in PC. VJ compression is a kind of TCP/IP header compression. If the PDSN
doesnt support this type of compression, and the MS is forced to negotiate
this parameter, the negotiation will be failed. The solution is to change the
setting in PDSN or PC. In PDSN, use the command SET PPPCOMP.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 57

Trouble Shooting of PPP connection


setup
How to do the trouble shooting in accounting step?
Generally, if the AAA is working normally, the accounting trouble is very little.

Trouble phenomena:
The AAA cant receive the billing record. When trace in PDSN, you can only see
the Accounting request messages but not the response messages.
Solution for this phenomena:
Check point:
1. Whether the AAA IP is correctly configured in PDSN.
2. Whether the connection between PDSN and AAA is normal. Use the PING
command to do the test.
3. If the authentication server and the accounting server is one AAA, check
whether the successful ratio of authentication is normal. If the ratio if low when
the busy hour comes, check whether the AAA is over load.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Page 58

Security Level:

2013/11/15

Thank You
www.huawei.com
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential