Managing the L2TP Destination Lockout Process

When multiple sets of tunneling parameters are available, L2TP uses a selection algorithm to choose the best tunnel for subscriber traffic. As part of this selection process, the JunosE Software’s L2TP implementation includes a lockout feature in which the router locks out, or disregards, destinations that are assumed to be unavailable.

By default, when a destination becomes unavailable, L2TP locks out that destination for a lockout timeout of 300 seconds (5 minutes). After the lockout timeout expires, L2TP assumes that the destination is now available and includes the destination when performing the selection algorithm.

Tasks to manage the L2TP lockout process include:

  1. Modifying the Lockout Procedure
  2. Verifying That a Locked-Out Destination Is Available
  3. Configuring a Lockout Timeout
  4. Unlocking a Destination that is Currently Locked Out
  5. Starting an Immediate Lockout Test

Modifying the Lockout Procedure

You can optionally configure your own lockout procedure by specifying the lockout timeout you want to use or enabling a lockout test, or both. When the lockout timeout expires, the destination is either immediately unlocked (if lockout testing is not enabled) or begins the lockout test to verify that the destination is available.

L2TP performs the lockout test by attempting to establish a tunnel to the unavailable destination. For the test, L2TP must first obtain the parameters for a tunnel to the destination. If no such tunnel currently exists, L2TP must wait until it receives a new session request that has tunnel parameters for the locked out destination. The destination remains locked out while L2TP waits for the tunnel parameters and becomes available only after successful completion of the lockout test. Therefore, if lockout testing is enabled, the destination is actually locked out longer than the lockout timer you specify.

Note: Always configure the lockout timeout to be shorter than the destruct timeout. The destruct timeout (as described in Specifying a Destruct Timeout for L2TP Tunnels and Sessions) overrides the lockout timeout—when the destruct timeout expires, all information about the locked out destination is deleted, including the time remaining on the destination’s lockout timeout and the requirement to run a lockout test prior to returning the destination to service. As a result, the locked out destination might be returned to service prior to expiration of your configured lockout timeout and without completion of the lockout test you specified.

Figure 9 shows how locked-out destinations transition from a locked-out state to available status when using the default lockout configuration, a configuration that includes a modified lockout timer, and a configuration with both a modified timer and the lockout test.

Figure 9: Lockout States


You can use the commands described in the following sections to manage L2TP destination lockout and configure a lockout process that meets the needs of your network environment.

Verifying That a Locked-Out Destination Is Available

You can use the l2tp destination lockout-test command to configure L2TP to test locked-out destinations; this verifies that a previously locked-out destination is available before the router changes the destination’s status.

Configuring a Lockout Timeout

You use the l2tp destination lockout-timeout command to configure the amount of time (in seconds) between when an L2TP destination is found to be unavailable and when it is eligible for unlocking. When the timeout period expires, L2TP either begins the lockout test procedure (if configured to do so) or immediately returns the destination to available state.

Best Practice: Always configure the lockout timeout to be shorter than the destruct timeout. The destruct timeout (as described in Specifying a Destruct Timeout for L2TP Tunnels and Sessions) overrides the lockout timeout—when the destruct timeout expires, all information about the locked out destination is deleted, including the time remaining on the destination's lockout timeout and the requirement to run a lockout test prior to returning the destination to service.

You can specify a lockout timeout in the range 60–3600 seconds (1 minute–1 hour). The router uses a timeout value of 300 seconds by default.

Unlocking a Destination that is Currently Locked Out

You use the l2tp unlock destination command to force L2TP to immediately unlock the specified L2TP destination, which is currently locked out and unavailable. L2TP then considers the destination to be available. Any remaining lockout time and the lockout test setting (if configured) are not taken into account.

You must be at privilege level 10 or higher to use this command.

Starting an Immediate Lockout Test

You use the l2tp unlock-test destination command to force L2TP to immediately start the lockout test for the specified destination—any remaining lockout time for the destination is ignored.

You must be at privilege level 10 or higher to use this command.

Note: If lockout testing is not configured, this command immediately unlocks the destination and L2TP then considers the destination to be available.
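As an added example that is not JunosE code, the following Python models the lockout states of Figure 9 together with the configurable timeout range, the destruct-timeout override from the notes above, and the unlock and unlock-test commands. It assumes the destruct timeout is measured from the moment the destination was found unavailable, and the behaviour after a failed lockout test is an assumption rather than something the page states.

```python
# Model of the L2TP destination-lockout states on this page (added example,
# not JunosE code). Time is simulated in seconds through tick().
LOCKOUT_DEFAULT = 300                  # default lockout timeout
LOCKOUT_MIN, LOCKOUT_MAX = 60, 3600    # l2tp destination lockout-timeout range

class Destination:
    """state: 'available', 'locked' or 'testing'. A destination in 'testing'
    is still locked out: it waits for tunnel parameters and a successful test."""
    def __init__(self, lockout_timeout=LOCKOUT_DEFAULT, lockout_test=False,
                 destruct_timeout=None):
        if not LOCKOUT_MIN <= lockout_timeout <= LOCKOUT_MAX:
            raise ValueError("lockout timeout must be 60-3600 seconds")
        self.lockout_timeout = lockout_timeout
        self.lockout_test = lockout_test          # l2tp destination lockout-test
        self.destruct_timeout = destruct_timeout  # None: destruct timer not modelled
        self.state, self.elapsed = "available", 0

    def mark_unavailable(self):
        self.state, self.elapsed = "locked", 0
        return self.state

    def tick(self, seconds):
        """Advance the clock; returns the resulting state."""
        if self.state == "available":
            return self.state
        self.elapsed += seconds
        # Destruct timeout overrides lockout: remaining time and pending test are
        # deleted with the destination, so it is simply available again.
        if self.destruct_timeout is not None and self.elapsed >= self.destruct_timeout:
            self.state = "available"
        elif self.state == "locked" and self.elapsed >= self.lockout_timeout:
            self.state = "testing" if self.lockout_test else "available"
        return self.state

    def tunnel_parameters_received(self, test_succeeded):
        """Parameters arrive via a session request; a failed test keeps it locked (assumption)."""
        if self.state == "testing" and test_succeeded:
            self.state = "available"
        return self.state

    def unlock(self):
        """l2tp unlock destination: remaining time and test setting are ignored."""
        self.state = "available"
        return self.state

    def unlock_test(self):
        """l2tp unlock-test destination: start the test now (or just unlock)."""
        if self.state != "available":
            self.state = "testing" if self.lockout_test else "available"
        return self.state
```

Running a destination with a 600-second lockout timeout but a 300-second destruct timeout through tick() shows the caveat from the notes: it returns to service at 300 seconds without the lockout test ever running.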