Absurd PPTP problems: PPTP out no longer works.

Discussion in 'Cisco' started by Elia Spadoni, Mar 29, 2008.

  1. Elia Spadoni

    Elia Spadoni Guest

    Hello
    I have a weird problem that I have been trying to resolve for 15 hours now...

    I have the exact identical problem on two sites,
    the first is C2611 with 12.3(25) ADVSEC

    the second site is a 2650 with 12.4(18) ADVSEC

    here is the conf:

    The problem is that ANY outgoing PPTP doesn't work at all. I was desperate
    and "downgraded" the 2650 (conf is below) to a 12.2(9)T and it worked.

    Current configuration : 7099 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service internal
    service sequence-numbers
    no service dhcp
    !
    hostname 89-186-68-6.dcpool.ip
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 4096 notifications
    no logging console
    no logging monitor
    enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx!
    no aaa new-model
    clock timezone CET 1
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    no ip source-route
    no ip gratuitous-arps
    ip cef
    !
    !
    ip inspect log drop-pkt
    ip inspect max-incomplete low 300
    ip inspect max-incomplete high 400
    ip inspect one-minute low 500
    ip inspect one-minute high 600
    ip inspect udp idle-time 20
    ip inspect tcp idle-time 60
    ip inspect tcp synwait-time 45
    ip inspect tcp max-incomplete host 300 block-time 0
    ip inspect name OUT-IN esmtp
    ip inspect name OUT-IN pop3
    ip inspect name OUT-IN pop3s
    ip inspect name OUT-IN http
    ip inspect name OUT-IN https
    ip inspect name OUT-IN imap
    ip inspect name OUT-IN imaps
    ip inspect name OUT-IN ftp
    ip inspect name OUT-IN ftps
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    ip ips sdf location flash:128mb.sdf
    ip ips signature 2004 0 disable
    ip ips signature 2001 0 disable
    ip ips name AUDIT
    no ip bootp server
    ip domain round-robin
    ip domain name kpnqwest.it
    ip name-server 217.97.32.2
    ip name-server 217.97.32.7
    login block-for 120 attempts 5 within 60
    login on-failure log
    !
    !
    !
    !
    username xxxxxxxxxxxxxxx
    !
    !
    ip tcp selective-ack
    ip tcp synwait-time 10
    ip ssh time-out 90
    ip ssh version 2
    !
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0/0
    description KPNQWest ADSL 2048/512
    no ip address
    no ip redirects
    no ip proxy-arp
    no ip mroute-cache
    atm ilmi-keepalive
    dsl operating-mode auto
    hold-queue 224 in
    !
    interface ATM0/0.1 point-to-point
    description Point to Point Uplink
    bandwidth 2048
    ip address 89.186.68.6 255.255.255.252
    ip access-group 100 in
    no ip redirects
    no ip proxy-arp
    ip inspect OUT-IN in
    ip ips AUDIT in
    ip nat outside
    ip virtual-reassembly max-fragments 16 max-reassemblies 64
    no ip mroute-cache
    pvc 8/35
    encapsulation aal5snap
    !
    !
    interface FastEthernet0/0
    ip address 172.16.0.12 255.255.255.240
    no ip redirects
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    no ip mroute-cache
    duplex auto
    speed auto
    no cdp enable
    hold-queue 100 in
    !
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 ATM0/0.1
    !
    no ip http server
    no ip http secure-server
    ip nat translation timeout 3600
    ip nat translation tcp-timeout 1200
    ip nat translation udp-timeout 100
    ip nat translation finrst-timeout 15
    ip nat translation syn-timeout 45
    ip nat translation icmp-timeout 120
    ip nat inside source list 102 interface ATM0/0.1 overload
    ip nat inside source static tcp 172.16.0.1 25 89.186.68.6 25 extendable
    ip nat inside source static tcp 172.16.0.1 80 89.186.68.6 80 extendable
    ip nat inside source static tcp 172.16.0.1 110 89.186.68.6 110 extendable
    ip nat inside source static tcp 172.16.0.1 443 89.186.68.6 443 extendable
    ip nat inside source static tcp 172.16.0.1 465 89.186.68.6 465 extendable
    ip nat inside source static tcp 172.16.0.1 995 89.186.68.6 995 extendable
    ip nat inside source static tcp 172.16.0.1 3389 89.186.68.6 3389 extendable
    ip nat inside source static tcp 172.16.0.10 33389 89.186.68.6 33389 extendable
    !
    !
    no logging trap
    access-list 100 deny ip 0.0.0.0 0.255.255.255 any
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip 169.254.0.0 0.0.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip 192.0.2.0 0.0.0.255 any
    access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny ip 224.0.0.0 15.255.255.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip host 89.186.68.6 any
    access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6
    access-list 100 permit esp host 77.93.230.26 host 89.186.68.6
    access-list 100 permit udp host 77.93.230.26 host 89.186.68.6 range snmp snmptrap
    access-list 100 permit udp 77.93.229.208 0.0.0.7 host 89.186.68.6 range snmp snmptrap
    access-list 100 deny tcp any lt 1023 any lt 1023
    access-list 100 permit udp any eq ntp any
    access-list 100 permit udp any eq domain any
    access-list 100 deny udp any lt 1023 any lt 1023
    access-list 100 permit ip any any fragments
    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any packet-too-big
    access-list 100 permit icmp any any unreachable
    access-list 100 permit icmp any any source-quench
    access-list 100 deny icmp any any
    access-list 100 deny udp any any eq echo
    access-list 100 deny udp any any range 33400 34400
    access-list 100 permit tcp any any range ftp-data ftp
    access-list 100 permit tcp host 77.93.230.26 host 89.186.68.6 eq 22
    access-list 100 permit tcp 77.93.229.208 0.0.0.7 host 89.186.68.6 eq 22
    access-list 100 deny tcp any any eq 22
    access-list 100 permit tcp any any eq smtp
    access-list 100 permit tcp any any eq www
    access-list 100 permit tcp any any eq pop3
    access-list 100 permit tcp any any eq 443
    access-list 100 permit tcp any any eq 465
    access-list 100 deny udp any any range snmp snmptrap
    access-list 100 permit tcp any any eq 990
    access-list 100 permit tcp any any eq 995
    access-list 100 permit tcp any any
    access-list 100 permit udp any any
    access-list 100 permit 41 any any
    access-list 100 permit gre any any
    access-list 100 deny ip any any log
    access-list 102 permit ip 172.16.0.0 0.0.0.255 any
    snmp-server community public RO
    snmp-server ifindex persist
    snmp-server contact xxxxxxxx
    no cdp run
    !
    !
    control-plane
    !
    !
    !
    banner login ^C
    You are connected to $(hostname).$(domain) on line $(line).
    If you are not authorized to access this system, disconnect now.

    THIS IS FOR AUTHORIZED USE ONLY

    Unauthorized or improper use of this system may result in
    administrative disciplinary action and civil and criminal penalties.
    By continuing to use this system you indicate your awareness of and consent
    to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
    agree to the conditions stated in this warning.

    Network Administrator:
    !
    line con 0
    login local
    transport output telnet
    stopbits 1
    line aux 0
    login local
    transport preferred none
    transport output telnet
    stopbits 1
    line vty 0 4
    login local
    transport preferred none
    transport input ssh
    transport output all
    flowcontrol software
    !
    scheduler max-task-time 5000
    ntp server 192.43.244.18
    ntp server 193.204.114.105
    !
    end
     
    Elia Spadoni, Mar 29, 2008
    #1

  2. Elia Spadoni

    Elia Spadoni Guest

    If I enable debug I just see:

    %FW-6-DROP_TCP_PKT: Dropping tcp pkt 83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window -- ip ident 0 tcpflags 0xA012 seq.no 96264208 ack 3269803051


    since that IP is one of my PPTP servers, it may be the cause

    how can I resolve that issue?
     
    Elia Spadoni, Mar 30, 2008
    #2
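An added example, not from the thread: a parser for the CBAC %FW-6-DROP_TCP_PKT message quoted above that picks out drops whose source is a known PPTP server speaking from TCP 1723 and decodes the tcpflags field, so a defender can confirm it is the server's SYN/ACK on the control channel that the inspection engine discards. Function names are hypothetical; the sample log lines are constructed (the first is the thread's line with an invented sequence-number and timestamp prefix, the others are made-up neighbours).

```python
import re
from collections import Counter

# Fields of the CBAC drop message quoted in the thread. Any IOS prefix (sequence
# number, timestamp, timezone) produced by 'service timestamps log ...' is skipped.
DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt (?P<src>[\d.]+):(?P<sport>\d+) => "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) due to (?P<reason>.+?) -- ip ident "
    r"(?P<ident>\d+) tcpflags (?P<flags>0x[0-9A-Fa-f]+) seq\.no (?P<seq>\d+) "
    r"ack (?P<ack>\d+)")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

def decode_flags(value):
    """Names of the standard TCP flag bits; bits above 0xFF are left undecoded."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_drop(line):
    """Dict for a %FW-6-DROP_TCP_PKT line, or None for any other syslog line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident", "seq", "ack"):
        rec[key] = int(rec[key])
    rec["flags"] = decode_flags(int(rec["flags"], 16))
    return rec

def pptp_control_drops(lines, pptp_servers):
    """Drops whose source is a known PPTP server speaking from TCP 1723, i.e. the
    server side of the control channel being discarded on its way back in."""
    return [rec for rec in map(parse_drop, lines)
            if rec and rec["sport"] == 1723 and rec["src"] in pptp_servers]

def summarize(hits):
    """(client, server, reason) -> count: is one client affected, or all of them?"""
    return Counter((h["dst"], h["src"], h["reason"]) for h in hits)

# Constructed sample: the line from the thread (with an invented prefix) and
# made-up neighbours, one of them an unrelated message.
SAMPLE_LOG = [
    "000123: Mar 30 10:15:01.123 CET: %FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    "83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window "
    "-- ip ident 0 tcpflags 0xA012 seq.no 96264208 ack 3269803051",
    "000124: Mar 30 10:15:03.456 CET: %FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    "83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window "
    "-- ip ident 0 tcpflags 0xA012 seq.no 96264208 ack 3269803051",
    "000125: Mar 30 10:15:09.000 CET: %FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    "198.51.100.7:443 => 172.16.0.9:3600 due to Invalid Segment "
    "-- ip ident 0 tcpflags 0x0018 seq.no 1 ack 1",
    "000126: Mar 30 10:15:10.000 CET: %SYS-5-CONFIG_I: Configured from console by vty0",
]
```

The decoded flags of the thread's line are SYN and ACK, which is exactly the reply the client's SYN should have produced, so the control channel never gets past the handshake.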

  3. Merv

    Merv Guest


    > how can I resolve that issue?


    Open a case with the Cisco TAC
     
    Merv, Mar 30, 2008
    #3
  4. Elia Spadoni

    Elia Spadoni Guest

    What if I don't have any service contracts?

    Is the config correct?


    "Merv" <> wrote in message
    news:...
    >
    >> how can I resolve that issue?

    >
    > Open a case with the Cisco TAC
    >
     
    Elia Spadoni, Mar 30, 2008
    #4
  5. Elia Spadoni

    Elia Spadoni Guest

    Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't work.

    Downgraded to 12.3(25) ADVSEC K9, it works perfectly.
     
    Elia Spadoni, Mar 30, 2008
    #5
  6. Merv

    Merv Guest

    On Mar 30, 8:08 am, "Elia Spadoni" <> wrote:
    > Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't work.
    >
    > Downgraded to 12.3(25) ADVSEC K9, it works perfectly.



    There have been a number of issues reported with PPTP in 12.4


    > What if i dont have any service contracts?


    then don't call the TAC ;-))
     
    Merv, Mar 30, 2008
    #6
  7. Elia Spadoni

    Elia Spadoni Guest

    Hello Merv,
    I have made some progress:

    Well:

    on 12.4 (assuming that we always use the same config, just swap the IOS and
    restart the router) I CANNOT connect to a remote PPTP server. On a second
    site I have a /29 range and I can successfully connect to a remote PPTP
    server, but in this case I have the public /29 IP address directly on the
    ETH of the PC from which I initiate the connection.


    "Merv" <> wrote in message
    news:...
    > On Mar 30, 8:08 am, "Elia Spadoni" <> wrote:
    >> Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't
    >> work.
    >>
    >> Downgraded to 12.3(25) ADVSEC K9, it works perfectly.

    >
    >
    > There have been a number of issues reported with PPTP in 12.4
    >
    >
    >> What if i dont have any service contracts?

    >
    > then don't call the TAC ;-))
     
    Elia Spadoni, Mar 30, 2008
    #7
  8. Merv

    Merv Guest


    > on 12.4 (assuming that we use always the same config, just swap the IOS and
    > restart the router) I CANNOT connect to a remote PPTP server. on a second
    > site I have a /29 range and I can succesfully connect to a remote pptp
    > server, but in this case i have the public /29 ip address directly on the
    > ETH of the pc from wich i initiate the connection.



    PPTP uses a control channel (TCP session on port 1723) and a separate
    data channel using a GRE tunnel which carries the PPP traffic.

    Your PC will open the control channel first

    see the PPTP RFC for protocol details: http://www.ietf.org/rfc/rfc2637.txt


    With the 12.4 IOS version, the handling of one or both of these
    channels must have changed in some fashion.


    You might want to see if modifying your config (which you should not
    have to do) as per the Cisco doc
    "Configuring PPTP Through PAT to a Microsoft PPTP Server"
    http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

    makes any difference with 12.4

    Basically you are adding the keyword overload and also using the
    keyword interface instead of explicit IP address:
     
    Merv, Mar 30, 2008
    #8
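An added example, not from the thread or from Cisco: a first-match evaluator for the subset of IOS extended-ACL syntax used in access-list 100 above (any/host/wildcard addresses, eq/lt/gt ports, the `fragments` keyword), used to check that the PPTP server's replies on both channels Merv describes, TCP 1723 and GRE, are let back in by the inbound ACL. Function names are hypothetical, the port-name table is reduced, `range` and ICMP type keywords are not handled, and ACL_100 is an excerpt of the posted config.

```python
import ipaddress
PORTS = {"smtp": 25, "www": 80, "pop3": 110, "snmp": 161, "snmptrap": 162}
PROTOS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
# Excerpt of the thread's access-list 100, order preserved.
ACL_100 = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 deny tcp any any eq 22
access-list 100 permit tcp any any
access-list 100 permit gre any any
"""

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards only)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    bits = int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network(f"{toks[0]}/{32 - bits}", strict=False), toks[2:]

def _port(toks, l4):
    """Consume an optional eq/lt/gt qualifier (tcp/udp only) into a predicate."""
    if l4 and toks and toks[0] in ("eq", "lt", "gt"):
        n = PORTS.get(toks[1]) or int(toks[1])  # 'lt n' is port < n, i.e. n > port
        return {"eq": n.__eq__, "lt": n.__gt__, "gt": n.__lt__}[toks[0]], toks[2:]
    return (lambda port: True), toks

def parse_acl(text, number):
    """Ordered entries of 'access-list <number> ...'; ICMP type keywords ignored."""
    entries = []
    for t in (line.split() for line in text.splitlines()):
        if t[:2] != ["access-list", number]:
            continue
        action, proto = t[2], (PROTOS[t[3]] if t[3] in PROTOS else int(t[3]))
        l4 = proto in (6, 17)
        src, t = _addr(t[4:])
        sp, t = _port(t, l4)
        dst, t = _addr(t)
        dp, t = _port(t, l4)
        entries.append((action, proto, src, sp, dst, dp, "fragments" in t))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """First match wins, as on IOS, with the implicit deny at the end. Entries
    carrying 'fragments' match only non-initial fragments, not modelled here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp, frag_only in entries:
        if frag_only or (p is not None and p != proto):
            continue
        if s in snet and d in dnet and sp(sport) and dp(dport):
            return action
    return "deny"

def pptp_return_traffic(acl_text, pptp_server, outside_ip, client_port):
    """Do the server's replies (TCP 1723 control, GRE data) get back in?"""
    e = parse_acl(acl_text, "100")
    return {"control": evaluate(e, 6, pptp_server, 1723, outside_ip, client_port),
            "gre": evaluate(e, 47, pptp_server, 0, outside_ip, 0)}
```

Both channels come back as permit for the posted ACL, which is why the drop in this thread has to be looked for in the inspection engine (or the IOS release) rather than in the access list; note that GRE is not a TCP/UDP session, so CBAC cannot open it dynamically and the explicit `permit gre` is what keeps the data channel alive.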
  9. Elia Spadoni

    Elia Spadoni Guest

    Hello

    Thank you for your link.
    I think it is a bug of the IOS.

    Since with the SAME IDENTICAL config, it works perfectly on 12.4(8) ADV SEC.
    I am now trying to flash the 12.4(12)a, b, etc., and also the 12.4(17) and
    17a to see what is the latest release that works.


    "Merv" <> wrote in message
    news:...
    >
    >> on 12.4 (assuming that we use always the same config, just swap the IOS
    >> and
    >> restart the router) I CANNOT connect to a remote PPTP server. on a second
    >> site I have a /29 range and I can succesfully connect to a remote pptp
    >> server, but in this case i have the public /29 ip address directly on the
    >> ETH of the pc from wich i initiate the connection.

    >
    >
    > PPTP uses a control channel (TCP session on port 1723) and a separate
    > data channel using a GRE tunnel which carries the PPP traffic.
    >
    > Your PC will open the control channel first
    >
    > see the PPTP RFC for protocol details: http://www.ietf.org/rfc/rfc2637.txt
    >
    >
    > With the 12.4 IOS version, the handling of one or both of these
    > channels must have changed in some fashion.
    >
    >
    > You might want to see if modifying your config ( which) you should not
    > have to do) as per the Cisco do
    > "Configuring PPTP Through PAT to a Microsoft PPTP Server"
    > http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
    >
    > makes any difference with 12.4
    >
    > Basically you are adding the keyword overload and also using the
    > keyword interface instead of explicit IP address:
    >
    >
    >
     
    Elia Spadoni, Mar 30, 2008
    #9
  10. Elia Spadoni

    Elia Spadoni Guest

    Solved my issue:
    the bugged release is 12.4(18) - any release, tested IPBASEK9,
    ADVIPSERVICES and ADVSECURITY,
    doesn't work.

    Tested 12.4(17a), it works perfectly, and also the previous releases of 12.4
     
    Elia Spadoni, Mar 30, 2008
    #10
  11. Guest

    Guest

    On 30 Mar, 18:17, "Elia Spadoni" <> wrote:
    > Solved my issue
    > the bugged relase is the 12.4(18) - any relase, tested IPBASEK9,
    > ADVIPSERVICES and ADVSECURITY
    > dont'work.
    >
    > Tested the 12.4(17a) works perfectly, and also the previous releases of 12.4


    If one 12.4(18) is broken then it would be expected that
    all Feature Sets in that version would be similarly
    broken. Unless of course the particular buggy feature
    was not in the Feature Set.

    This may apply less strictly to other Trains, e.g. T, XLQ or
    whatever they come up with next.

    IPBASEK9, ADVIPSERVICES, ADVSECURITY
    being Feature Sets.

    Well done figuring it out.
     
    , Mar 30, 2008
    #11
  12. Elia Spadoni

    Elia Spadoni Guest

    Hello

    Since I did not need any particular feature, I first tried with the IPBASE
    so I was sure that a lighter IOS was loaded.
    I just needed to connect to a PPTP server with a PC in the NAT, a very
    simple thing to do!

    Every 12.4(18) I tried returns errors on the PPTP link. Any outgoing PPTP
    VPN doesn't work.
    With 12.4(17a) everything works PERFECTLY.

    I begin to think that all my troubles with the IPsec + GRE tunnel could be
    related to this buggy IOS.


    <> wrote in message
    news:...
    > On 30 Mar, 18:17, "Elia Spadoni" <> wrote:
    >> Solved my issue
    >> the bugged relase is the 12.4(18) - any relase, tested IPBASEK9,
    >> ADVIPSERVICES and ADVSECURITY
    >> dont'work.
    >>
    >> Tested the 12.4(17a) works perfectly, and also the previous releases of
    >> 12.4

    >
    > If one 12.4(18) is broken then it would be expected that
    > all Feature Sets in that version would be similarly
    > broken. Unless of course the particular buggy feature
    > was not in the Feature Set.
    >
    > This may apply less strictly to other Trains. eg T, XLQ
    > whatever they come up with next.
    >
    > IPBASEK9, ADVIPSERVICES, ADVSECURITY
    > being Feature Sets.
    >
    > Well done figuring it out.
     
    Elia Spadoni, Mar 30, 2008
    #12
  13. Merv

    Merv Guest

    On Mar 30, 1:20 pm, "Elia Spadoni" <> wrote:
    > Hello
    >
    > since I did not need any particular feature, I first tried with the IPBASE
    > so I was sure that a lighter IOS was loaded.
    > I just needed to connect to a pptp server with a pc in the nat, a very
    > simple thing to do!
    >
    > every 12.4(18) I tried, returns me errors in PPTP link. Any PPTP vpn
    > outgoing don't work.
    > With 12.4(17a) everything works PERFECTLY.
    >
    > I begin to think that all my troubles with the Ipsec + gre tunnel could be
    > related to this buggy IOS.



    Elia, go for the extra bonus points and determine the Cisco bug
    id ;-)))
     
    Merv, Mar 30, 2008
    #13
  14. Elia Spadoni

    Elia Spadoni Guest

    Hello

    how can I do that?


    >
    > Elia, go for the extra bonus points and determine the Cisco bug
    > id ;-)))
    >
    >
     
    Elia Spadoni, Mar 30, 2008
    #14
  15. Merv

    Merv Guest

    On Mar 30, 2:08 pm, "Elia Spadoni" <> wrote:
    > Hello
    >
    > how can I do that?
    >
    >
    >
    > > Elia, go for the extra bonus points and determine the Cisco bug
    > > id ;-)))



    You need a Cisco CCO account to do that - you can register for a guest
    account I guess

    Not sure if the bug toolkit would be visible to guest accounts or not

    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
     
    Merv, Mar 30, 2008
    #15
  16. Merv

    Merv Guest

    perhaps it is

    CSCsm34632 PPTP doesn't pass through static NAT

    Symptoms: PPTP connection does not get established properly. Users are
    stuck in authentication phase

    Conditions: Occurs when PPTP server is behind a NAT router configured
    with a static NAT entry.

    1st Found-In: 12.4(17.4)T, 12.4(17.8)M

    Fixed-In: 12.4(19.11)M, 12.4(19.11)T
     
    Merv, Apr 1, 2008
    #16