
/etc/syslog.conf

Debugging Linux pppd / PPTP VPN Problems

I've already written about setting up a PPTP VPN client on Linux (using the pptp client) for Microsoft's proprietary Point-to-Point Tunneling Protocol VPN server. This post shows how to troubleshoot and resolve common PPTP connection problems.

You need to run pppd in debug mode by passing the debug option. The debug option enables connection debugging facilities: if it is given, pppd logs the contents of all control packets it sends or receives (LCP, CHAP, IPCP and so on) in readable form. The packets are logged through syslog with facility daemon and level debug, so where they end up depends on your syslog configuration.

Step # 1: Find out where your syslog daemon writes debug-level messages, enter:
# grep debug /etc/syslog.conf
Sample output:

*.=debug;\
        news.none;mail.none     -/var/log/debug
#       *.=debug;*.=info;\
        *.=debug;*.=info;\

/var/log/debug is your debug file (the leading - in the syslog.conf entry only means the file is not synced to disk after every write).
Step # 2: Start pppd with the debug option; office.vpn is the peer file under /etc/ppp/peers/ that holds the connection settings, enter:
# pppd debug call office.vpn
To see debug log, enter:
# tail -f /var/log/debug
Sample output:

Jul 30 16:10:56 vivek-desktop pppd[30951]: using channel 28
Jul 30 16:10:57 vivek-desktop pppd[30951]: sent [LCP ConfReq id=0x1    ]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [LCP ConfReq id=0x89     ]
Jul 30 16:10:58 vivek-desktop pppd[30951]: sent [LCP ConfAck id=0x89     ]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [LCP ConfAck id=0x1    ]
Jul 30 16:10:58 vivek-desktop pppd[30951]: sent [LCP EchoReq id=0x0 magic=0xa3123563]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [CHAP Challenge id=0x1 , name = ""]
Jul 30 16:10:58 vivek-desktop pppd[30951]: sent [CHAP Response id=0x1 <23962ce1340a0315661377969b543b870000000000000000f69db90c5ba79e5207ac61b073af5d732fbd6a605a7740d000>, name = "vivekgite"]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [LCP EchoRep id=0x0 magic=0x61a31410]
Jul 30 16:11:07 vivek-desktop pppd[30951]: rcvd [CHAP Failure id=0x1 "E=691 R=0 M=Login incorrect"]
Jul 30 16:11:07 vivek-desktop pppd[30951]: sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Jul 30 16:11:07 vivek-desktop pppd[30951]: rcvd [LCP TermReq id=0x8a]
Jul 30 16:11:07 vivek-desktop pppd[30951]: sent [LCP TermAck id=0x8a]
Jul 30 16:11:07 vivek-desktop pppd[30951]: rcvd [LCP TermAck id=0x8b]
Jul 30 16:11:07 vivek-desktop pppd[30951]: Script pptp offcie.vpn  --nolaunchpppd finished (pid 30952), status = 0x0

The CHAP Failure line shows that my username or password was rejected by the VPN server: E=691 is the MS-CHAP error code for an authentication failure, and R=0 means the server does not allow a retry. Without the debug messages I would not be able to pin this down. Fix the CHAP credentials by editing /etc/ppp/chap-secrets (keep that file mode 0600, it holds the password in clear text). Note that with debug enabled pppd also writes the username and the MS-CHAP response material into /var/log/debug, so restrict access to that file and remove the debug option once the problem is solved. See the setting up PPTP VPN client tutorial for other debugging techniques.
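As an added example (not part of the original article), here is a small POSIX shell script that triages a pppd debug log like the one above: it checks that LCP negotiation completed, pulls the MS-CHAP error code out of the CHAP Failure line and maps it to its meaning from RFC 2759, and warns when CHAP Response lines (authentication material) were written to the log. The sample log is constructed from the excerpt above, and the function names are my own, not pppd's.

```shell
#!/bin/sh
# Added example, not from the original article: triage a pppd debug log.
# Works on sysklogd-style lines as written to /var/log/debug by "pppd debug".

# Write a constructed sample log (trimmed from the excerpt above) to file $1.
pppd_sample_log() {
    cat > "$1" <<'EOF'
Jul 30 16:10:57 vivek-desktop pppd[30951]: sent [LCP ConfReq id=0x1]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [LCP ConfReq id=0x89]
Jul 30 16:10:58 vivek-desktop pppd[30951]: sent [LCP ConfAck id=0x89]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [LCP ConfAck id=0x1]
Jul 30 16:10:58 vivek-desktop pppd[30951]: rcvd [CHAP Challenge id=0x1 , name = ""]
Jul 30 16:10:58 vivek-desktop pppd[30951]: sent [CHAP Response id=0x1 <23962ce1...7740d000>, name = "vivekgite"]
Jul 30 16:11:07 vivek-desktop pppd[30951]: rcvd [CHAP Failure id=0x1 "E=691 R=0 M=Login incorrect"]
Jul 30 16:11:07 vivek-desktop pppd[30951]: sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
EOF
}

# "yes" when both sides acknowledged LCP configuration, i.e. the link-layer
# negotiation completed and any failure happened after that point.
pppd_lcp_ok() {
    if grep -q 'sent \[LCP ConfAck' "$1" && grep -q 'rcvd \[LCP ConfAck' "$1"; then
        echo yes
    else
        echo no
    fi
}

# MS-CHAP error code (the E= value) from the first CHAP Failure line, or "none".
pppd_chap_error() {
    sed -n 's/.*rcvd \[CHAP Failure id=0x[0-9a-f]* "E=\([0-9]*\).*/\1/p' "$1" \
        | head -n 1 | grep . || echo none
}

# Meaning of the code, per RFC 2759 section 6 (MS-CHAPv2 Failure packet).
pppd_chap_reason() {
    case "$1" in
        646) echo "restricted logon hours" ;;
        647) echo "account disabled" ;;
        648) echo "password expired" ;;
        649) echo "no dial-in permission" ;;
        691) echo "authentication failure (bad username or password)" ;;
        709) echo "error changing password" ;;
        *)   echo "unknown MS-CHAP error code $1" ;;
    esac
}

# Number of CHAP Response lines: each one carries the username and the
# MS-CHAP response material, which the log should not keep around.
pppd_logged_responses() {
    grep -c 'sent \[CHAP Response' "$1" || true
}

# Print a short summary for one log file.
pppd_triage() {
    log=$1
    echo "LCP negotiated: $(pppd_lcp_ok "$log")"
    code=$(pppd_chap_error "$log")
    if [ "$code" = none ]; then
        echo "CHAP: no failure logged"
    else
        echo "CHAP failure E=$code: $(pppd_chap_reason "$code")"
    fi
    n=$(pppd_logged_responses "$log")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n CHAP Response line(s) in $log hold authentication material;"
        echo "         restrict the file and drop the debug option once the problem is fixed"
    fi
}

SAMPLE=$(mktemp "${TMPDIR:-/tmp}/pppd-debug.XXXXXX")
pppd_sample_log "$SAMPLE"
pppd_triage "$SAMPLE"
```

Run it against a real capture with pppd_triage /var/log/debug; the E= code tells you whether the server rejected the credentials (691), the account (647, 649) or an expired password (648), which a bare "Login incorrect" does not distinguish.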

Linux can also be configured to send its kernel (dmesg) output to another system over the network via syslog. This is done with the netconsole kernel module, which sends kernel printk messages over UDP (to port 514 of the remote syslog server by default) and allows debugging of problems where disk logging fails and serial consoles are impractical, such as a crash or panic. Most modern distributions ship netconsole as a module. netconsole initializes immediately after the network cards, so messages from earlier in the boot are not captured. There are two parts to configure:

  • Syslogd server - Let us assume IP 192.168.1.100 with FQDN syslogd.nixcraft.in. The remote host can run either syslogd or a plain 'netcat -u -l -p <port>' listener. Either way, keep in mind that neither netconsole nor UDP syslog authenticates or encrypts anything: any host that can reach the port can inject forged log lines (UDP source addresses are trivially spoofed), and kernel messages cross the wire in clear text. Keep the receiver on a trusted management network and restrict senders with the firewall rules below.
  • All other systems running the netconsole module in the kernel

Step # 1: Configure Centralized syslogd

Login to the syslogd.nixcraft.in server and open the syslogd configuration file. Different UNIX / Linux variants use different configuration files:

Red Hat / CentOS / Fedora Linux Configuration

If you are using Red Hat / CentOS / Fedora Linux with sysklogd, open /etc/sysconfig/syslog and set SYSLOGD_OPTIONS for UDP logging.
# vi /etc/sysconfig/syslog
Configure syslogd options as follows (-r accepts messages from the network, -x disables DNS lookups for remote hosts, -m 0 turns off the periodic MARK lines):
SYSLOGD_OPTIONS="-m 0 -r -x"
Save and close the file. Restart syslogd, enter:
# service syslog restart
Newer Red Hat releases ship rsyslog instead of sysklogd; there the equivalent is enabling $ModLoad imudp and $UDPServerRun 514 in /etc/rsyslog.conf and restarting the rsyslog service.

Debian / Ubuntu Linux Configuration

If you are using Debian / Ubuntu Linux with sysklogd, open /etc/default/syslogd and set the SYSLOGD variable for UDP logging.
# vi /etc/default/syslogd
Configure syslogd options as follows:
SYSLOGD="-r"
Save and close the file. Restart sysklogd, enter:
# /etc/init.d/sysklogd restart

FreeBSD configuration

If you are using FreeBSD open /etc/rc.conf and set the syslogd_flags option for UDP logging. Note that FreeBSD's default is syslogd_flags="-s", which runs syslogd in secure mode and ignores messages from remote hosts; to accept them remove -s and, preferably, restrict senders with -a, for example syslogd_flags="-a 192.168.1.0/24". Then restart with /etc/rc.d/syslogd restart. Please refer to the syslogd man page for more information.

Firewall configuration

You may need to open UDP port 514 on the syslog server to allow remote logging. Sample iptables rules to open UDP port 514 only to the local network (they assume a default DROP policy; the source-port range covers netconsole's default local port 6666, but a traditional sysklogd forwarding to this host sends from source port 514, outside that range):
MYNET="192.168.1.0/24"
SLSERVER="192.168.1.100"
iptables -A INPUT -p udp -s $MYNET --sport 1024:65535 -d $SLSERVER --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SLSERVER --sport 514 -d $MYNET --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Step # 2: Configure Linux Netconsole

You need to configure the netconsole service. Once the service is started, a remote syslog daemon can record console output from the local system. The local port number netconsole uses is 6666 by default. You need to set the IP address of the remote syslog server to send messages to.

Open /etc/sysconfig/netconsole under CentOS / RHEL / Fedora Linux, enter:
# vi /etc/sysconfig/netconsole
Set SYSLOGADDR to 192.168.1.100 (IP address of the remote syslog server); the same file holds SYSLOGPORT (remote UDP port, default 514) and LOCALPORT (default 6666) if you need to change them:
SYSLOGADDR=192.168.1.100
Save and close the file. Restart the netconsole service (and enable it at boot with chkconfig), enter:
# /etc/init.d/netconsole restart

A note about Debian / Ubuntu Linux

Red Hat ships a netconsole init script. Under Debian / Ubuntu Linux you need to configure netconsole manually. Type the following command to start netconsole by loading the kernel module with its target parameters, enter:
# modprobe netconsole 6666@192.168.1.5/eth0,514@192.168.1.100/00:19:D1:2A:BA:A8
Where,

  • 6666 - Local port
  • 192.168.1.5 - Local system IP
  • eth0 - Local system interface
  • 514 - Remote syslogd udp port
  • 192.168.1.100 - Remote syslogd IP
  • 00:19:D1:2A:BA:A8 - Remote syslogd MAC address. netconsole writes raw Ethernet frames, so this must be the next hop: the server's own MAC when it is on the same subnet (look it up with ip neigh show 192.168.1.100 after pinging the server), the gateway's MAC when it is not. If omitted, the broadcast address is used.

You can add the above modprobe line to /etc/rc.local to load the module at every boot. The cleaner option is to put the parameters in /etc/modprobe.d/netconsole.conf (current modprobe ignores files in that directory without a .conf suffix) and list the module in /etc/modules so it is loaded at boot:
# echo 'options netconsole netconsole=6666@192.168.1.5/eth0,514@192.168.1.100/00:19:D1:2A:BA:A8' > /etc/modprobe.d/netconsole.conf
# echo netconsole >> /etc/modules
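A mistyped netconsole= string silently sends frames nowhere, so as an added example (not part of the original article) here is a POSIX shell script that validates each field, assembles the parameter string used by both the modprobe line and the modprobe.d options line above, and looks up the next-hop MAC from the neighbour table. The function names are my own; the addresses are the ones used in this article, and the next_hop_mac helper assumes iproute2 is installed.

```shell
#!/bin/sh
# Added example, not from the original article: build and sanity-check the
# netconsole= parameter string before handing it to modprobe.

# Dotted-quad IPv4 check: four octets, each 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# UDP port 1-65535.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Colon-separated MAC address.
is_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# netconsole_param LOCAL_PORT LOCAL_IP DEV REMOTE_PORT REMOTE_IP REMOTE_MAC
# Prints "lport@lip/dev,rport@rip/mac", or prints nothing and returns 1.
netconsole_param() {
    is_port "$1" && is_ipv4 "$2" && [ -n "$3" ] \
        && is_port "$4" && is_ipv4 "$5" && is_mac "$6" || return 1
    printf '%s@%s/%s,%s@%s/%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Next-hop MAC for a target, from the neighbour (ARP) table. The target must
# have been contacted recently (ping it first). For a server on another
# subnet pass the gateway address instead: netconsole writes raw frames and
# does not route, so the frame must be addressed to the router's MAC.
next_hop_mac() {
    ip neigh show "$1" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") { print $(i + 1); exit } }' \
        | grep .
}

# The two forms the article uses for the same parameter string.
netconsole_modprobe_line() { echo "modprobe netconsole netconsole=$1"; }
netconsole_conf_line()     { echo "options netconsole netconsole=$1"; }

# Values from the article: eth0 on 192.168.1.5 logging to 192.168.1.100:514.
if PARAM=$(netconsole_param 6666 192.168.1.5 eth0 514 192.168.1.100 00:19:D1:2A:BA:A8); then
    netconsole_modprobe_line "$PARAM"
    netconsole_conf_line "$PARAM"
else
    echo "invalid netconsole settings" >&2
fi
```

To use it on a real box, replace the MAC argument with "$(next_hop_mac 192.168.1.100)" (or the gateway's address when the server is off-subnet) and feed the printed options line into /etc/modprobe.d/netconsole.conf.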

How do I verify netconsole is logging messages over UDP network?

Login to the remote syslog UDP server (i.e. 192.168.1.100, our sample syslogd system), enter:
# tail -f /var/log/messages
/var/log/messages is the default file for kernel messages under many distributions. Refer to /etc/syslog.conf for the exact location on your system.

How do I use nc / netcat instead of messing with syslogd?

This is the one-minute configuration. You can get the output on 192.168.1.100 without running syslogd at all: just start netcat (nc) as a UDP listener on 192.168.1.100. With the traditional / GNU netcat the command is:
$ nc -l -p 30000 -u
(With OpenBSD netcat, the default nc on current Debian / Ubuntu, the listen port is given without -p, i.e. nc -u -l 30000.)
Login to any other box, enter command:
# modprobe netconsole 6666@192.168.1.5/eth0,30000@192.168.1.100/00:19:D1:2A:BA:A8
Kernel messages from 192.168.1.5 should start appearing on 192.168.1.100 without configuring syslogd or anything else. If nothing shows up, raise the console log level on the sending box with dmesg -n 8 (netconsole is a console, so only messages that pass console_loglevel are sent) and generate a test message by writing a line to /dev/kmsg.

Further readings: