Absurd PPTP problems: PPTP out no longer works.
Hello
I have a weird problem that I have been trying to resolve for 15 hours now... I have the exact identical problem on two sites: the first is a C2611 with 12.3(25) ADVSEC, the second site is a 2650 with 12.4(18) ADVSEC. The problem is that ANY outgoing PPTP doesn't work at all. I was desperate and "downgraded" the 2650 (conf is below) to a 12.2(9)T and it worked. Here is the conf:

Current configuration : 7099 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
no service dhcp
!
hostname 89-186-68-6.dcpool.ip
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 notifications
no logging console
no logging monitor
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone CET 1
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 45
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name OUT-IN esmtp
ip inspect name OUT-IN pop3
ip inspect name OUT-IN pop3s
ip inspect name OUT-IN http
ip inspect name OUT-IN https
ip inspect name OUT-IN imap
ip inspect name OUT-IN imaps
ip inspect name OUT-IN ftp
ip inspect name OUT-IN ftps
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip ips sdf location flash:128mb.sdf
ip ips signature 2004 0 disable
ip ips signature 2001 0 disable
ip ips name AUDIT
no ip bootp server
ip domain round-robin
ip domain name kpnqwest.it
ip name-server 217.97.32.2
ip name-server 217.97.32.7
login block-for 120 attempts 5 within 60
login on-failure log
!
!
!
!
username xxxxxxxxxxxxxxx
!
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0/0
 description KPNQWest ADSL 2048/512
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.1 point-to-point
 description Point to Point Uplink
 bandwidth 2048
 ip address 89.186.68.6 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect OUT-IN in
 ip ips AUDIT in
 ip nat outside
 ip virtual-reassembly max-fragments 16 max-reassemblies 64
 no ip mroute-cache
 pvc 8/35
  encapsulation aal5snap
 !
!
interface FastEthernet0/0
 ip address 172.16.0.12 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 hold-queue 100 in
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0/0.1
!
no ip http server
no ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface ATM0/0.1 overload
ip nat inside source static tcp 172.16.0.1 25 89.186.68.6 25 extendable
ip nat inside source static tcp 172.16.0.1 80 89.186.68.6 80 extendable
ip nat inside source static tcp 172.16.0.1 110 89.186.68.6 110 extendable
ip nat inside source static tcp 172.16.0.1 443 89.186.68.6 443 extendable
ip nat inside source static tcp 172.16.0.1 465 89.186.68.6 465 extendable
ip nat inside source static tcp 172.16.0.1 995 89.186.68.6 995 extendable
ip nat inside source static tcp 172.16.0.1 3389 89.186.68.6 3389 extendable
ip nat inside source static tcp 172.16.0.10 33389 89.186.68.6 33389 extendable
!
!
no logging trap
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 89.186.68.6 any
access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6
access-list 100 permit esp host 77.93.230.26 host 89.186.68.6
access-list 100 permit udp host 77.93.230.26 host 89.186.68.6 range snmp snmptrap
access-list 100 permit udp 77.93.229.208 0.0.0.7 host 89.186.68.6 range snmp snmptrap
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit udp any eq ntp any
access-list 100 permit udp any eq domain any
access-list 100 deny udp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 deny icmp any any
access-list 100 deny udp any any eq echo
access-list 100 deny udp any any range 33400 34400
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp host 77.93.230.26 host 89.186.68.6 eq 22
access-list 100 permit tcp 77.93.229.208 0.0.0.7 host 89.186.68.6 eq 22
access-list 100 deny tcp any any eq 22
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 465
access-list 100 deny udp any any range snmp snmptrap
access-list 100 permit tcp any any eq 990
access-list 100 permit tcp any any eq 995
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit 41 any any
access-list 100 permit gre any any
access-list 100 deny ip any any log
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact xxxxxxxx
no cdp run
!
!
control-plane
!
!
!
banner login ^C
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
Network Administrator: GOD@paradise.org
^C
!
line con 0
 login local
 transport output telnet
 stopbits 1
line aux 0
 login local
 transport preferred none
 transport output telnet
 stopbits 1
line vty 0 4
 login local
 transport preferred none
 transport input ssh
 transport output all
 flowcontrol software
!
scheduler max-task-time 5000
ntp server 192.43.244.18
ntp server 193.204.114.105
!
end
Re: Absurd PPTP problems: PPTP out no longer works.
If I enable debug I just see:

%FW-6-DROP_TCP_PKT: Dropping tcp pkt 83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window -- ip ident 0 tcpflags 0xA012 seq.no 96264208 ack 3269803051

Since that IP is one of my PPTP servers, it may be the cause. How can I resolve that issue?
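Added here as a worked example (not code from the poster or from Cisco): a small Python filter that parses %FW-6-DROP_TCP_PKT lines like the one above and singles out drops on the PPTP control port. The tcpflags word 0xA012 decodes to SYN/ACK, so the dropped packet is the server's answer to the PC's connection attempt; the second and third log lines are constructed to exercise the filter.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

PPTP_CTRL_PORT = 1723
# Constructed sample log: line 1 is the message quoted in the post above,
# lines 2 and 3 are made-up entries to exercise the filter.
SAMPLE_LOG = """\
%FW-6-DROP_TCP_PKT: Dropping tcp pkt 83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window -- ip ident 0 tcpflags 0xA012 seq.no 96264208 ack 3269803051
%FW-6-DROP_TCP_PKT: Dropping tcp pkt 198.51.100.7:443 => 172.16.0.9:50000 due to Invalid Flags -- ip ident 0 tcpflags 0x5002 seq.no 1 ack 0
%SYS-5-CONFIG_I: Configured from console by console
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt (?P<src>[\d.]+):(?P<sport>\d+) => "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) due to (?P<reason>.+?) -- ip ident \d+ "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+)")

@dataclass
class TcpDrop:
    src: str
    sport: int
    dst: str
    dport: int
    reason: str
    flags: int  # the 16-bit TCP offset/flags word exactly as IOS logs it

    @property
    def is_pptp_control(self) -> bool:
        return PPTP_CTRL_PORT in (self.sport, self.dport)

    @property
    def is_syn_ack(self) -> bool:
        # Low 9 bits are the TCP flags (top nibble = header length); 0x12 = SYN|ACK
        return self.flags & 0x1FF == 0x12

def parse_drops(log: str) -> list[TcpDrop]:
    """Extract every %FW-6-DROP_TCP_PKT entry; unrelated lines are ignored."""
    return [TcpDrop(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                    m["reason"], int(m["flags"], 16)) for m in DROP_RE.finditer(log)]

def pptp_control_drops(log: str) -> list[TcpDrop]:
    """Only the drops that touch the PPTP control channel (TCP/1723 on either side)."""
    return [d for d in parse_drops(log) if d.is_pptp_control]

def describe(d: TcpDrop) -> str:
    side = "server reply" if d.sport == PPTP_CTRL_PORT else "client request"
    kind = "SYN/ACK" if d.is_syn_ack else f"flags 0x{d.flags & 0x1FF:03x}"
    return f"PPTP {side} {d.src}:{d.sport} -> {d.dst}:{d.dport} ({kind}) dropped: {d.reason}"
```

Running `describe` over `pptp_control_drops(SAMPLE_LOG)` reports the single control-channel drop as a server SYN/ACK rejected with "SYN inside current window", which is the inspection engine rather than the access list speaking.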
Re: Absurd PPTP problems: PPTP out no longer works.
> how can I resolve that issue?

Open a case with the Cisco TAC
Re: Absurd PPTP problems: PPTP out no longer works.
What if I don't have any service contracts?
Is the config correct?

"Merv" <merv.hrabi@rogers.com> wrote in message
news:189da732-2c0c-46a8-b60c-60b906f59376@y21g2000hsf.googlegroups.com...
>
>> how can I resolve that issue?
>
> Open a case with the Cisco TAC
>
Re: Absurd PPTP problems: PPTP out no longer works.
Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't work.
Downgraded to 12.3(25) ADVSEC K9, it works perfectly.
Re: Absurd PPTP problems: PPTP out no longer works.
On Mar 30, 8:08 am, "Elia Spadoni" <ad...@NOSPAMspadhausen.com> wrote:
> Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't work.
>
> Downgraded to 12.3(25) ADVSEC K9, it works perfectly.

There have been a number of issues reported with PPTP in 12.4

> What if i dont have any service contracts?

then don't call the TAC ;-))
Re: Absurd PPTP problems: PPTP out no longer works.
Hello Merv,
I have made some progress. Well: on 12.4 (assuming that we always use the same config, just swap the IOS and restart the router) I CANNOT connect to a remote PPTP server. On a second site I have a /29 range and I can successfully connect to a remote PPTP server, but in this case I have the public /29 IP address directly on the ETH of the PC from which I initiate the connection.

"Merv" <merv.hrabi@rogers.com> wrote in message
news:a3f5326f-dffb-434c-ad08-1cec6b44230c@59g2000hsb.googlegroups.com...
> On Mar 30, 8:08 am, "Elia Spadoni" <ad...@NOSPAMspadhausen.com> wrote:
>> Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't
>> work.
>>
>> Downgraded to 12.3(25) ADVSEC K9, it works perfectly.
>
>
> There have been a number of issues reported with PPTP in 12.4
>
>
>> What if i dont have any service contracts?
>
> then don't call the TAC ;-))
Re: Absurd PPTP problems: PPTP out no longer works.
> on 12.4 (assuming that we use always the same config, just swap the IOS and
> restart the router) I CANNOT connect to a remote PPTP server. on a second
> site I have a /29 range and I can succesfully connect to a remote pptp
> server, but in this case i have the public /29 ip address directly on the
> ETH of the pc from wich i initiate the connection.

PPTP uses a control channel (TCP session on port 1723) and a separate data channel using a GRE tunnel which carries the PPP traffic. Your PC will open the control channel first.

See the PPTP RFC for protocol details: http://www.ietf.org/rfc/rfc2637.txt

With the 12.4 IOS version, the handling of one or both of these channels must have changed in some fashion.

You might want to see if modifying your config (which you should not have to do) as per the Cisco doc "Configuring PPTP Through PAT to a Microsoft PPTP Server" http://www.cisco.com/en/US/tech/tk82...800949c0.shtml makes any difference with 12.4.

Basically you are adding the keyword overload and also using the keyword interface instead of explicit IP address:
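Merv's two-channel description means the router's inbound ACL has to let both the control-channel reply (TCP from port 1723 back to the PC's ephemeral port) and the GRE data channel in. As an added check that is not part of the thread, the Python below does a first-match evaluation of a subset of the poster's access-list 100 against those two flows; it assumes the destination seen by the ACL is the router's public address 89.186.68.6 (an inbound ACL is applied before NAT un-translation) and uses the server address and client port 3519 from the logged drop.

```python
import ipaddress
# Subset of the poster's inbound "access-list 100" in its original order (IOS stops
# at the first match); ICMP/UDP lines are omitted since they cannot match TCP or GRE.
ACL_100 = """
deny ip 172.16.0.0 0.15.255.255 any
deny tcp any lt 1023 any lt 1023
permit ip any any fragments
permit tcp any any range ftp-data ftp
permit tcp host 77.93.230.26 host 89.186.68.6 eq 22
permit tcp any any
permit gre any any
"""
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110}
_port = lambda tok: PORT_NAMES.get(tok) or int(tok)

def _addr(tokens):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, rest).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network((tokens[0], str(mask)), strict=False), tokens[2:]

def _ports(tokens):
    # Consume an optional 'eq|lt|gt N' or 'range A B'; return (predicate, rest).
    op = tokens[0] if tokens else ""
    if op in ("eq", "lt", "gt"):
        n = _port(tokens[1])
        return {"eq": lambda p: p == n, "lt": lambda p: p < n, "gt": lambda p: p > n}[op], tokens[2:]
    if op == "range":
        lo, hi = _port(tokens[1]), _port(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    return (lambda p: True), tokens

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation of one flow; returns (action, matching ACL line)."""
    for line in acl.strip().splitlines():
        action, rproto, *rest = line.split()
        snet, rest = _addr(rest); sok, rest = _ports(rest)
        dnet, rest = _addr(rest); dok, rest = _ports(rest)
        if rproto not in (proto, "ip") or "fragments" in rest:
            continue  # 'fragments' matches non-initial fragments only, never whole packets
        if (ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet
                and (sport is None or sok(sport)) and (dport is None or dok(dport))):
            return action, line
    return "deny", "implicit deny"

def pptp_return_allowed(acl, server, router, client_port):
    """Both halves of a PPTP session must get back in: the TCP/1723 reply and GRE."""
    return (evaluate(acl, "tcp", server, router, 1723, client_port)[0] == "permit"
            and evaluate(acl, "gre", server, router)[0] == "permit")
```

Both flows land on `permit tcp any any` and `permit gre any any`, so the access list is not what rejects the PPTP server's SYN/ACK; the %FW-6-DROP_TCP_PKT message points at the inspection engine instead.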
Re: Absurd PPTP problems: PPTP out no longer works.
Hello
Thank you for your link. I think it is a bug of the IOS, since with the SAME IDENTICAL config it works perfectly on 12.4(8) ADV SEC. I am now trying to flash the 12.4(12)a, b, etc., and also the 12.4(17) and 17a to see what is the latest release that works.

"Merv" <merv.hrabi@rogers.com> wrote in message
news:db66690b-87d3-4766-9d2e-5e117ff0bcc6@z38g2000hsc.googlegroups.com...
>
>> on 12.4 (assuming that we use always the same config, just swap the IOS
>> and
>> restart the router) I CANNOT connect to a remote PPTP server. on a second
>> site I have a /29 range and I can succesfully connect to a remote pptp
>> server, but in this case i have the public /29 ip address directly on the
>> ETH of the pc from wich i initiate the connection.
>
>
> PPTP uses a control channel (TCP session on port 1723) and a separate
> data channel using a GRE tunnel which carries the PPP traffic.
>
> Your PC will open the control channel first
>
> see the PPTP RFC for protocol details: http://www.ietf.org/rfc/rfc2637.txt
>
>
> With the 12.4 IOS version, the handling of one or both of these
> channels must have changed in some fashion.
>
>
> You might want to see if modifying your config (which you should not
> have to do) as per the Cisco doc
> "Configuring PPTP Through PAT to a Microsoft PPTP Server"
> http://www.cisco.com/en/US/tech/tk82...800949c0.shtml
>
> makes any difference with 12.4
>
> Basically you are adding the keyword overload and also using the
> keyword interface instead of explicit IP address:
>
>
>
Re: Absurd PPTP problems: PPTP out no longer works.
Solved my issue
The bugged release is the 12.4(18): any release, tested IPBASEK9, ADVIPSERVICES and ADVSECURITY, doesn't work. Tested the 12.4(17a): works perfectly, and also the previous releases of 12.4.