837 vs 857 PPTP Pass through Problems

Discussion in 'Cisco' started by gpnz@yahoo.com.au, May 9, 2006.

  1. Guest

    Hi,

    I have come across a strange issue and was wondering if anyone here had
    seen this before, and if so had any ideas on what to do next/where to
    look.

    We are having problems with PPTP pass through on 857's using XP
    clients.

    We have a mix of 837's and 857's. Both essentially run the same access
    rules with only minor differences due to the IOS differences of these
    devices.

    The routers are configured with NAT and hosts on the inside (Ethernet)
    establish a PPTP VPN session with a Windows 2000 SP4 RRAS server
    located on the WAN (ADSL) side.

    Windows 2000 and XP clients behind the 837's have no problems
    establishing the PPTP session.

    Windows 2000 clients behind the 857's have no problems establishing the
    PPTP session.

    Windows XP clients behind the 857's are unable to establish the PPTP
    session 99% of the time, but very occasionally can. In fact you can
    have an XP client and a 2000 client connected to the same 857, the 2000
    client can consistently connect whilst the XP client has serious
    issues.

    Initially we thought this to be an XP configuration issue (it still
    could be), but we have tried SP1 and SP2 XP machines, and if you make
    no changes to the XP client, other than replacing the 857 with an 837,
    the XP client can then consistently connect - so we are now suspecting
    something odd with the 857, but given 2000 clients work it is very odd.

    Cheers,
    , May 9, 2006
    #1

  2. Merv Guest

    Post the output of show version and sanitized configs for both the 837 and
    the 857
    Merv, May 9, 2006
    #2

  3. Guest

    Hi,

    Below are the versions/configs.

    Cheers,

    857:
    ----

    Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version
    12.4(4)T2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsuppor

    Copyright (c) 1986-2006 by Cisco Systems, Inc.

    Compiled Wed 22-Feb-06 21:02 by ccai


    ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE


    host857 uptime is 34 minutes
    System returned to ROM by power-on
    System image file is "flash:c850-advsecurityk9-mz.124-4.T2.bin"



    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    .

    Cisco 857 (MPC8272) processor (revision 0x200) with 59392K/6144K bytes
    of memory.
    Processor board ID FHK1015533Z
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of non-volatile configuration memory.
    20480K bytes of processor board System flash (Intel Strataflash)

    Configuration register is 0x2102

    Config:
    -------

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname host857
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 informational
    enable secret password
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone Napier 12
    clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00
    ip subnet-zero
    no ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.150.1 192.168.150.49
    ip dhcp excluded-address 192.168.150.71 192.168.150.254
    !
    ip dhcp pool sdm-pool
    import all
    network 192.168.150.0 255.255.255.0
    default-router 192.168.150.1
    domain-name somewhere.com
    dns-server 10.10.10.1 10.10.10.2
    netbios-name-server 10.10.10.3 10.10.10.4
    lease 0 2
    !
    !
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip tcp synwait-time 10
    no ip bootp server
    no ip domain lookup
    ip domain name somewhere.com
    !
    username admin privilege 15 view root secret password
    !
    !
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pvc 0/100
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    no cdp enable
    !
    interface FastEthernet1
    no cdp enable
    !
    interface FastEthernet2
    no cdp enable
    !
    interface FastEthernet3
    no cdp enable
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    ip address 192.168.150.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username password password
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    !
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.150.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.150.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 100 permit gre any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 192.168.150.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 permit gre any any
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit tcp host 10.10.10.5 any eq 22
    access-list 101 permit tcp 10.10.20.0 0.0.0.255 any eq 22
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 remark VTY Access-class list
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip 192.168.150.0 0.0.0.255 any
    access-list 102 permit ip host 10.10.10.5 any
    access-list 102 permit ip 10.10.20.0 0.0.0.255 any
    access-list 102 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    banner login ^C
    Access is restricted to Authorised personnel only.
    Access to this device is monitored.
    Disconnect now if you are not authorised to access this device.
    ^C
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    access-class 102 in
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    837:
    ----
    Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T3,
    RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsup

    Copyright (c) 1986-2005 by Cisco Systems, Inc.

    Compiled Tue 25-Jan-05 21:43 by pwade


    ROM: System Bootstrap, Version 12.2(11r)YV3, RELEASE SOFTWARE (fc2)


    host837 uptime is 4 minutes
    System returned to ROM by power-on
    System image file is "flash:c837-k9o3sy6-mz.123-11.T3.bin"



    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    .

    Cisco C837 (MPC857DSL) processor (revision 0x600) with 58983K/6553K
    bytes of memory.
    Processor board ID FHK0943119K (3395915234), with hardware revision
    041F
    CPU rev number 7
    1 Ethernet interface
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of NVRAM.
    12288K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102


    Config:
    -------

    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname host837
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    no logging buffered
    enable secret password
    enable password password
    !
    username sysmon privilege 0 view SDM_Monitor secret password
    username admin privilege 15 view root secret password
    clock timezone Napier 12
    clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    ip dhcp excluded-address 192.168.150.1 192.168.150.49
    ip dhcp excluded-address 192.168.150.71 192.168.150.254
    !
    ip dhcp pool LAN
    import all
    network 192.168.150.0 255.255.255.0
    domain-name somewhere.com
    dns-server 10.10.10.1 10.10.10.2
    default-router 192.168.150.1
    netbios-name-server 10.10.10.3 10.10.10.4
    lease 0 3
    !
    !
    ip tcp synwait-time 10
    no ip domain lookup
    ip domain name somewhere.com
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip ips po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface Ethernet0
    description $FW_INSIDE$
    ip address 192.168.150.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    no cdp enable
    hold-queue 100 out
    no shutdown
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no atm ilmi-keepalive
    dsl operating-mode auto
    no shutdown
    !
    interface ATM0.1 point-to-point
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pvc 0/100
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username password password
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    ip http access-class 2
    ip http secure-server
    !
    ip nat inside source list 1 interface Dialer0 overload
    !
    access-list 1 remark INSIDE_IF=Ethernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.150.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.150.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 192.168.150.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 permit tcp any any eq 22
    access-list 101 permit gre any any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 remark VTY Access-class list
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip 192.168.150.0 0.0.0.255 any
    access-list 102 permit tcp 10.10.20.0 0.0.0.255 any eq 22
    access-list 102 permit tcp host 10.10.10.5 any eq 22
    access-list 102 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CAccess is restricted to Authorised personnel only.
    Access to this device is monitored. Disconnect now if you are not
    authorised to access this device.^C
    !
    line con 0
    login local
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    login local
    transport preferred all
    transport output telnet
    line vty 0 3
    access-class 102 in
    password password
    login local
    transport preferred all
    transport input telnet ssh
    transport output all
    line vty 4
    access-class 102 in
    password password
    login local
    transport preferred all
    transport input telnet ssh
    transport output all
    parser view SDM_Monitor
    password password
    commands exec include all crypto ipsec client ezvpn
    commands exec include crypto ipsec client
    commands exec include crypto ipsec
    commands exec include crypto
    commands exec include all ping ip
    commands exec include ping
    commands exec include all show
    commands exec include debug
    commands exec include all clear
    !
    !
    scheduler max-task-time 5000
    scheduler interval 500
    end
    , May 9, 2006
    #3
  4. Merv Guest

    Access list 101 is not identical on both routers - should they be ?
    Merv, May 10, 2006
    #4
  5. Guest

    Whoops, they started out the same, but on the 857 we started playing
    around a little to see if it were something in the access list on the
    857 that operated differently than on the 837. With these two configs
    however, operation is as described in my first message. A 2000 box
    behind the 857 has no trouble, any XP machine has trouble. Do nothing
    but replace the 857 with the 837 with the above config and both the
    2000 and XP boxes are happy.

    Cheers,
    , May 10, 2006
    #5
  6. Merv Guest

    So things that you could try:

    1. upgrade the 857 to the latest 12.4T image

    2. downgrade 857 to latest 12.3T image

    3. load Ethereal on both an XP and 2000 PC and see if any useful
    information can be gleaned about what is different between XP and 2000.
    Merv, May 10, 2006
    #6
  7. Guest

    Thanks,

    I'll try that. I am going to log a TAC case as well once the contracts
    are sorted out. We did do a basic trace early on, and all we saw was
    that there was no GRE traffic coming back to the XP client from the
    RRAS server during the setup - at the same time, we didn't see the
    router dropping anything from the RRAS server. I guess we might need to
    look closer into the data in the packets to see if there is a
    difference between the 2000 and XP... sigh, hopefully I've made a
    simple mistake that Cisco can point out to me :)

    Cheers,
    , May 11, 2006
    #7
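    Following on from the trace described in this post: PPTP's data channel is GRE, which has no ports, so every GRE packet is keyed with the Call ID negotiated over TCP 1723, and a NAT router doing overload has to map Call IDs the way it maps ports; a returning GRE packet whose Call ID it cannot translate goes nowhere. The Python below is an added example (not code from the thread) that parses the control messages and GRE keys from captured frames and flags return traffic that does not match what the client negotiated; the frame tuple layout and the sample frames are assumptions constructed for the example.

```python
import struct

# Constants from RFC 2637 (PPTP).
PPTP_MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8      # Outgoing-Call-Request / Outgoing-Call-Reply message types
GRE_PPP = 0x880B       # protocol type in PPTP's enhanced GRE header (IP protocol 47)

def parse_pptp_control(payload):
    """TCP/1723 control message -> Call IDs for OCRQ/OCRP, else None."""
    if len(payload) < 16:
        return None
    _len, msg_type, magic, ctrl = struct.unpack("!HHIH", payload[:10])
    if msg_type != 1 or magic != PPTP_MAGIC or ctrl not in (OCRQ, OCRP):
        return None
    call_id, peer = struct.unpack("!HH", payload[12:16])  # in OCRQ bytes 14-15 are a serial no.
    return {"type": ctrl, "call_id": call_id, "peer_call_id": peer if ctrl == OCRP else None}

def parse_pptp_gre(packet):
    """Enhanced GRE header -> Call ID from the key field (K bit and version 1 required)."""
    if len(packet) < 8:
        return None
    flags, ver, proto, payload_len, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PPP or not flags & 0x20 or ver & 0x07 != 1:
        return None
    seq = struct.unpack("!I", packet[8:12])[0] if flags & 0x10 and len(packet) >= 12 else None
    return {"call_id": call_id, "seq": seq, "payload_len": payload_len}

def audit_pptp_session(frames):
    """frames: (direction, kind, bytes) with direction 'c2s'/'s2c' and kind 'ctl'/'gre',
    captured on the client's LAN. Returns negotiated Call IDs and data-channel problems."""
    client_id = server_id = None
    problems, returned = [], 0
    for direction, kind, data in frames:
        if kind == "ctl":
            msg = parse_pptp_control(data)
            if msg and msg["type"] == OCRQ and direction == "c2s":
                client_id = msg["call_id"]
            elif msg and msg["type"] == OCRP and direction == "s2c":
                server_id = msg["call_id"]
                if msg["peer_call_id"] != client_id:
                    problems.append("OCRP peer Call ID %s != client's %s" % (msg["peer_call_id"], client_id))
            continue
        # GRE towards the client must be keyed with the client's Call ID, and vice versa.
        gre = parse_pptp_gre(data)
        expected = client_id if direction == "s2c" else server_id
        returned += direction == "s2c"
        if gre is None or gre["call_id"] != expected:
            problems.append("GRE %s Call ID %s != expected %s" % (direction, gre and gre["call_id"], expected))
    if returned == 0:
        problems.append("no GRE data ever returned to the client")
    return {"client_call_id": client_id, "server_call_id": server_id, "problems": problems}

# Constructed sample frames (not from the thread's trace): client Call ID 1, server Call ID 9.
def make_ocrq(call_id):
    return struct.pack("!HHIHHHH", 168, 1, PPTP_MAGIC, OCRQ, 0, call_id, 1) + bytes(152)
def make_ocrp(call_id, peer):   # result code 1 = connected, speed 64000, window 64
    return struct.pack("!HHIHHHHBBHIHHI", 32, 1, PPTP_MAGIC, OCRP, 0, call_id, peer, 1, 0, 0, 64000, 64, 0, 0)
def make_gre(call_id, seq):     # flags K|S, version 1, 4-byte PPP LCP stub as payload
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, 4, call_id, seq) + b"\xff\x03\xc0\x21"

GOOD_CAPTURE = [("c2s", "ctl", make_ocrq(1)), ("s2c", "ctl", make_ocrp(9, 1)),
                ("c2s", "gre", make_gre(9, 0)), ("s2c", "gre", make_gre(1, 0))]
BAD_CAPTURE = GOOD_CAPTURE[:3]   # the thread's symptom: LCP goes out, nothing returns over GRE
```

Feeding real frames in requires only splitting each captured packet into its direction, its TCP/1723 payload or GRE header, and nothing else.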
  8. jay Guest

    Just a stab in the dark...

    Even though the config looks the same, be careful because the hidden
    commands (defaults of everything) may have changed.
    i.e. 'no cdp enable' shows in one config/IOS by default..
    whilst the other config/IOS shows nothing - but they are both off if
    you get my drift.
    until you explicitly 'cdp enable' - in which the 'cdp enable' appears
    in config - whilst the other disappears again.

    But the above does not make much sense in relation to your issue, since
    I don't think there are many commands/features that affect 'pass
    through' traffic.

    The 12.4T could have extra features not on the 837 - such as NAT
    traversal and things related to NAT, and the passing of L2TP/VPN
    tunnels. One thing I found with NAT in IOS is that DNS resolution gets
    modified by NAT in certain situations (like dns fix-up on the PIX),
    which took me days to understand and troubleshoot.

    I think you should be looking at new 12.4 NAT features and disabling
    them, and look at possibly WinXP's L2TP features with NAT and see why
    that OS does it over Win2K??

    Good Luck.
    jay, May 11, 2006
    #8
