Velocity Reviews - Computer Hardware Reviews

837 vs 857 PPTP Pass through Problems

 
 
gpnz@yahoo.com.au
05-09-2006
Hi,

I have come across a strange issue and was wondering if anyone here had
seen this before, and if so had any ideas on what to do next/where to
look.

We are having problems with PPTP pass through on 857's using XP
clients.

We have a mix of 837's and 857's. Both essentially run the same access
rules with only minor differences due to the IOS differences of these
devices.

The routers are configured with NAT and hosts on the inside (ethernet)
establish a PPTP VPN session with a Windows 2000 SP4 RRAS server
located on the WAN (ADSL) side.

Windows 2000 and XP clients behind the 837's have no problems
establishing the PPTP session.

Windows 2000 clients behind the 857's have no problems establishing the
PPTP session.

Windows XP clients behind the 857's are unable to establish the PPTP
session 99% of the time, but very occasionally can. In fact you can
have an XP client and a 2000 client connected to the same 857, the 2000
client can consistently connect whilst the XP client has serious
issues.

Initially we thought this to be an XP configuration issue (it still
could be), but we have tried SP1 and SP2 XP machines, and if you make
no changes to the XP client, other than replacing the 857 with an 837,
the XP client can then consistently connect - so we are now suspecting
something odd with the 857, but given 2000 clients work it is very odd.

Cheers,

 
Merv
05-09-2006
Post the output of show version and sanitized configs for both the 837 and
the 857.

 
gpnz@yahoo.com.au
05-09-2006
Hi,

Below are the versions/configs.

Cheers,

857:
----

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(4)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsuppor
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 21:02 by ccai

ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE

host857 uptime is 34 minutes
System returned to ROM by power-on
System image file is "flash:c850-advsecurityk9-mz.124-4.T2.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
(E-Mail Removed).

Cisco 857 (MPC8272) processor (revision 0x200) with 59392K/6144K bytes of memory.
Processor board ID FHK1015533Z
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Config:
-------

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname host857
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret password
!
no aaa new-model
!
resource policy
!
clock timezone Napier 12
clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.150.1 192.168.150.49
ip dhcp excluded-address 192.168.150.71 192.168.150.254
!
ip dhcp pool sdm-pool
import all
network 192.168.150.0 255.255.255.0
default-router 192.168.150.1
domain-name somewhere.com
dns-server 10.10.10.1 10.10.10.2
netbios-name-server 10.10.10.3 10.10.10.4
lease 0 2
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name somewhere.com
!
username admin privilege 15 view root secret password
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.150.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username (E-Mail Removed) password password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.150.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.150.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.150.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp host 10.10.10.5 any eq 22
access-list 101 permit tcp 10.10.20.0 0.0.0.255 any eq 22
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.150.0 0.0.0.255 any
access-list 102 permit ip host 10.10.10.5 any
access-list 102 permit ip 10.10.20.0 0.0.0.255 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
Access is restricted to Authorised personnel only.
Access to this device is monitored.
Disconnect now if you are not authorised to access this device.
^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

837:
----
Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsup
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Jan-05 21:43 by pwade

ROM: System Bootstrap, Version 12.2(11r)YV3, RELEASE SOFTWARE (fc2)

host837 uptime is 4 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3sy6-mz.123-11.T3.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
(E-Mail Removed).

Cisco C837 (MPC857DSL) processor (revision 0x600) with 58983K/6553K bytes of memory.
Processor board ID FHK0943119K (3395915234), with hardware revision 041F
CPU rev number 7
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102


Config:
-------

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname host837
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
enable secret password
enable password password
!
username sysmon privilege 0 view SDM_Monitor secret password
username admin privilege 15 view root secret password
clock timezone Napier 12
clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.150.1 192.168.150.49
ip dhcp excluded-address 192.168.150.71 192.168.150.254
!
ip dhcp pool LAN
import all
network 192.168.150.0 255.255.255.0
domain-name somewhere.com
dns-server 10.10.10.1 10.10.10.2
default-router 192.168.150.1
netbios-name-server 10.10.10.3 10.10.10.4
lease 0 3
!
!
ip tcp synwait-time 10
no ip domain lookup
ip domain name somewhere.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $FW_INSIDE$
ip address 192.168.150.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
no shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
no shutdown
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/100
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username (E-Mail Removed) password password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 2
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.150.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.150.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.150.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 22
access-list 101 permit gre any any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.150.0 0.0.0.255 any
access-list 102 permit tcp 10.10.20.0 0.0.0.255 any eq 22
access-list 102 permit tcp host 10.10.10.5 any eq 22
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAccess is restricted to Authorised personnel only.
Access to this device is monitored. Disconnect now if you are not
authorised to access this device.^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 3
access-class 102 in
password password
login local
transport preferred all
transport input telnet ssh
transport output all
line vty 4
access-class 102 in
password password
login local
transport preferred all
transport input telnet ssh
transport output all
parser view SDM_Monitor
password password
commands exec include all crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include all ping ip
commands exec include ping
commands exec include all show
commands exec include debug
commands exec include all clear
!
!
scheduler max-task-time 5000
scheduler interval 500
end

 
Merv
05-10-2006
Access list 101 is not identical on both routers - should they be?

 
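As an added example (not from the thread), a small Python evaluator for the extended ACL lines posted above: it parses the inbound Dialer0 lists (access-list 101) from each router, applies Cisco first-match semantics with the implicit deny, and reports the entries that only one side has, which is the difference Merv points at. The RRAS server and Dialer0 addresses used when calling it are constructed placeholders.

```python
import ipaddress

# Constructed excerpts of the inbound Dialer0 lists (access-list 101) posted above.
ACL_857 = """
access-list 101 deny ip 192.168.150.0 0.0.0.255 any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp host 10.10.10.5 any eq 22
access-list 101 deny ip any any log
"""
ACL_837 = """
access-list 101 deny ip 192.168.150.0 0.0.0.255 any
access-list 101 permit tcp any any eq 22
access-list 101 permit gre any any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any log
"""

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(tok):
    # Consume 'any' | 'host A' | 'A WILDCARD' -> (network, wildcard); wildcard bits are don't-care.
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))

def _port(tok):
    # Consume an optional 'eq N'; None means any port (other operators are not handled).
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_acl(text):
    """Ordered (action, proto, src, sport, dst, dport) entries; remarks are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    hit = lambda spec, ip: ((_ip(ip) ^ spec[0]) & (~spec[1] & 0xFFFFFFFF)) == 0
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and hit(rsrc, src) and hit(rdst, dst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

def diff_acls(text_a, text_b):
    """Entries present on only one router, without the 'access-list N' prefix."""
    norm = lambda t: {" ".join(l.split()[2:]) for l in t.splitlines() if l.strip()}
    return sorted(norm(text_a) - norm(text_b)), sorted(norm(text_b) - norm(text_a))
```

Only GRE depends on the static list: `ip inspect SDM_LOW out` tracks the TCP 1723 control connection and opens its return path dynamically, but CBAC does not inspect GRE, so `evaluate(parse_acl(ACL_857), "gre", "203.0.113.10", "198.51.100.2")` must return permit on both routers for the tunnel to come up (both addresses constructed). `diff_acls(ACL_857, ACL_837)` shows the 857 additionally permitting inbound TCP 1723 to any address, which an outbound-initiated PPTP session does not need.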
gpnz@yahoo.com.au
05-10-2006
Whoops, they started out the same, but on the 857 we started playing
around a little to see if it were something in the access list on the
857 that operated differently than on the 837. With these two configs
however, operation is as described in my first message. A 2000 box
behind the 857 has no trouble, any XP machine has trouble. Do nothing
but replace the 857 with the 837 with the above config and both the
2000 and XP boxes are happy.

Cheers,

 
Merv
05-10-2006
So things that you could try:

1. upgrade the 857 to the latest 12.4T image

2. downgrade 857 to latest 12.3T image

3. load Ethereal on both an XP and 2000 PC and see if any useful
information can be gleaned about what is different between XP and 2000.

 
gpnz@yahoo.com.au
05-11-2006
Thanks,

I'll try that. I am going to log a TAC case as well once the contracts
are sorted out. We did do a basic trace early on, and all we saw was
that there was no GRE traffic coming back to the XP client from the
RRAS server during the setup - at the same time, we didn't see the
router dropping anything from the RRAS server. I guess we might need to
look closer into the data in the packets to see if there is a
difference between the 2000 and XP... sigh, hopefully I've made a
simple mistake that Cisco can point out to me.

Cheers,

 
jay
05-11-2006
Just a stab in the dark...

Even though the config looks the same, be careful because the hidden
commands (defaults of everything) may have changed.
i.e. 'no cdp enable' shows in one config/IOS by default,
whilst the other config/IOS shows nothing - but they are both off if
you get my drift,
until you explicitly 'cdp enable' - in which case the 'cdp enable' appears
in one config - whilst it disappears again in the other.

But the above does not make much sense in relation to your issue, since
I don't think there are many commands/features that affect 'pass
through' traffic.

The 12.4T could have extra features not on the 837 - such as NAT
traversal and things related to NAT, and the passing of L2TP/VPN
tunnels. One thing I found with NAT in IOS is that DNS resolutions get
modified by NAT in certain situations (like dns fix-up on the PIX),
which took me days to understand and troubleshoot.

I think you should be looking at new 12.4 NAT features and disabling
them, and look at possibly WinXP's L2TP features with NAT and see why
that OS does it over Win2K?

Good Luck.

 