PPTP connection to Pix

Discussion in 'Cisco' started by Can2002, Jul 2, 2004.

  1. Can2002

    Can2002 Guest

    I've configured PPTP on a 501 but am having problems connecting from a
    Windows XP client. The connection initiates, but then hangs at the
    'Verifying username and password' prompt for ~30-40 seconds and then gives
    me a '721:Remote computer did not respond'.

    I initially tried connecting behind my company's firewall (Firewall-1) where
    I was hidden behind the firewall's external address. I repeated the test
    from a dialup connection with the same result.

    I've pasted below the current config + debugging output. Apologies for the
    length, but I thought I'd include everything up-front. Thanks in advance
    for any feedback.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname pix
    domain-name domain.com
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 191.66.55.44 ultimate
    access-list external-in permit icmp any any echo-reply
    access-list external-in permit icmp any any source-quench
    access-list external-in permit icmp any any unreachable
    access-list external-in permit icmp any any time-exceeded
    access-list external-in permit esp host ultimate 85.184.40.224 255.255.255.240
    pager lines 24
    logging on
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 85.184.40.238 255.255.255.240
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PPTP 10.10.10.10-10.10.10.20
    pdm location ultimate 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    access-group external-in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    ntp server 217.169.20.28 source outside
    http server enable
    http ultimate 255.255.255.255 outside
    http 85.184.40.224 255.255.255.240 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh allowed 255.255.255.255 outside
    ssh 85.184.40.224 255.255.255.240 inside
    ssh timeout 30
    console timeout 0
    vpdn group PPTP accept dialin pptp
    vpdn group PPTP ppp authentication mschap
    vpdn group PPTP ppp encryption mppe auto
    vpdn group PPTP client configuration address local PPTP
    vpdn group PPTP pptp echo 60
    vpdn group PPTP client authentication local
    vpdn username remote password ***
    vpdn enable outside
    dhcpd address 85.184.40.230-85.184.40.234 inside
    dhcpd dns 158.43.192.1
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain domain.com
    dhcpd enable inside
    username admin password *** encrypted privilege 15
    terminal width 80
    Cryptochecksum:76e6425e5b19480fa7f8a4a985e32d87
    : end

    I've switched on the following debugging options:

    debug aaa authentication
    debug ppp negotiation
    debug ppp io
    debug ppp upap
    debug ppp chap
    debug ppp error
    debug ppp uauth
    debug pptp
    debug vpdn event
    debug vpdn error
    debug vpdn packet

    When connecting I see the following debugging output:

    710001: TCP access requested from 191.66.55.44/25251 to outside:82.183.41.42/pptp
    710002: TCP access permitted from 191.66.55.44/25251 to outside:82.183.41.42/pptp

    PPTP: soc select returns rd mask = 0x1
    PPTP: new peer fd is 1

    Tnl 20 PPTP: Tunnel created; peer initiated
    PPTP: created tunnel, id = 20

    PPTP: cc rcvdata, socket fd=1, new_conn: 1
    PPTP: cc rcv 156 bytes of data

    Tnl 20 PPTP: CC I
    009c00011a2b3c4d0001000001000000000000010000000100000a2800000000000000000000
    000000000000000000000000000000000000000000000000...
    Tnl 20 PPTP: CC I SCCRQ
    Tnl 20 PPTP: protocol version 0x100
    Tnl 20 PPTP: framing caps 0x1
    Tnl 20 PPTP: bearer caps 0x1
    Tnl 20 PPTP: max channels 0
    Tnl 20 PPTP: firmware rev 0xa28
    Tnl 20 PPTP: hostname ""
    Tnl 20 PPTP: vendor "Microsoft Windows NT"
    Tnl 20 PPTP: SCCRQ-ok -> state change wt-sccrq to estabd
    Tnl 20 PPTP: CC O SCCRP
    PPTP: cc snddata, socket fd=1, len=156, data:
    009c00011a2b3c4d0002000001000100000000030000000300001200686f6c6c790000000000
    000000000000000000000000000000000000000000000000...

    PPTP: cc waiting for input, max soc fd = 1

    PPTP: soc select returns rd mask = 0x2

    PPTP: cc rcvdata, socket fd=1, new_conn: 0
    PPTP: cc rcv 168 bytes of data

    Tnl 20 PPTP: CC I
    00a800011a2b3c4d0007000000005fcb0000012c05f5e1000000000300000003004000000000
    000000000000000000000000000000000000000000000000...
    Tnl 20 PPTP: CC I OCRQ
    Tnl 20 PPTP: call id 0x0
    Tnl 20 PPTP: serial num 24523
    Tnl 20 PPTP: min bps 300:0x12c
    Tnl 20 PPTP: max bps 100000000:0x5f5e100
    Tnl 20 PPTP: bearer type 3
    Tnl 20 PPTP: framing type 3
    Tnl 20 PPTP: recv win size 64
    Tnl 20 PPTP: ppd 0
    Tnl 20 PPTP: phone num len 0
    Tnl 20 PPTP: phone num ""
    Tnl/Cl 20/20 PPTP: l2x store session: tunnel id 20, session id 20, hash_ix=20
    PPP virtual access open, ifc = 0

    Tnl/Cl 20/20 PPTP: vacc-ok -> state change wt-vacc to estabd
    Tnl/Cl 20/20 PPTP: CC O OCRP
    PPTP: cc snddata, socket fd=1, len=32, data:
    002000011a2b3c4d00080000001400000100000000fa00001000000000000000

    PPTP: cc waiting for input, max soc fd = 1

    PPTP: soc select returns rd mask = 0x2

    PPTP: cc rcvdata, socket fd=1, new_conn: 0
    PPTP: cc rcv 24 bytes of data

    Tnl 20 PPTP: CC I
    001800011a2b3c4d000f000000140000ffffffffffffffff0000000000000000004000000200
    00000100000000000000f047aa00e047aa00010000000200...
    Tnl/Cl 20/20 PPTP: CC I SLI
    PPTP: cc waiting for input, max soc fd = 1

    603104: PPTP Tunnel created, tunnel_id is 20, remote_peer_ip is 191.66.55.44, ppp_virtual_interface_id is 1, client_dynamic_ip is 10.10.10.10, username is , MPPE_key_strength is None
    PPTP: soc select returns rd mask = 0x2
    603105: PPTP Tunnel deleted, tunnel_id = 20, remote_peer_ip = 191.66.55.44

    PPTP: cc rcvdata, socket fd=1, new_conn: 0
    PPTP: cc rcv 16 bytes of data

    Tnl 20 PPTP: CC I
    001000011a2b3c4d000c000000000000e7e03c00020000000000000000000000004000000200
    00000100000000000000f047aa00e047aa00010000000200...
    Tnl/Cl 20/20 PPTP: CC I ClearRQ
    Tnl/Cl 20/20 PPTP: ClearReq -> state change estabd to terminal
    Tnl/Cl 20/20 PPTP: CC O CDN
    PPTP: cc snddata, socket fd=1, len=148, data:
    009400011a2b3c4d000d00000014010000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000...

    Tnl/Cl 20/20 PPTP: Destroying session
    PPP va close, device = 1

    Tnl 20 PPTP: no-sess -> state change estabd to wt-stprp
    Tnl 20 PPTP: CC O StopCCRQ
    PPTP: cc snddata, socket fd=1, len=16, data:
    001000011a2b3c4d0003000000000000

    PPTP: cc waiting for input, max soc fd = 1

    PPTP: soc select returns rd mask = 0x2

    PPTP: cc rcvdata, socket fd=1, new_conn: 0
    PPTP: cc rcv 16 bytes of data

    Tnl 20 PPTP: CC I
    001000011a2b3c4d0003000001000000e7e03c00020000000000000000000000004000000200
    00000100000000000000f047aa00e047aa00010000000200...
    Tnl 20 PPTP: Recvd STOPCCRQ
    Tnl 20 PPTP: reason 1
    Tnl 20 PPTP: StopCCRQ -> state change wt-stprp to wt-stprp
    Tnl 20 PPTP: CC O StopCCRP
    PPTP: cc snddata, socket fd=1, len=16, data:
    001000011a2b3c4d0004000001000000

    Tnl 20 PPTP: Destroy tunnel
    PPTP: cc waiting for input, max soc fd = 0
    Can2002, Jul 2, 2004
    #1
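An added example, not from the post or from Cisco: it decodes the `CC I` / `CC O` hex dumps in the debug output above into the PPTP control-message sequence the PIX logged (SCCRQ, SCCRP, OCRQ, OCRP, SLI, ClearRQ, CDN, StopCCRQ, StopCCRP), honouring the Length field so the stale buffer bytes the PIX prints after a short message are ignored. The dumps are embedded as they appear in the post, cut where the PIX printed "...".

```python
import struct

# RFC 2637 control-message types seen in the trace (PIX prints 12 as ClearRQ).
PPTP_MAGIC = 0x1A2B3C4D
CTRL_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "StopCCRQ", 4: "StopCCRP",
              7: "OCRQ", 8: "OCRP", 12: "CCRQ", 13: "CDN", 15: "SLI"}

# First dump line of each CC I / CC O message in the post, in order; the PIX
# cut the longer ones at "...", so only their fixed fields can be decoded.
TRACE = [
    "009c00011a2b3c4d0001000001000000000000010000000100000a2800000000000000000000",
    "009c00011a2b3c4d0002000001000100000000030000000300001200686f6c6c790000000000",
    "00a800011a2b3c4d0007000000005fcb0000012c05f5e1000000000300000003004000000000",
    "002000011a2b3c4d00080000001400000100000000fa00001000000000000000",
    "001800011a2b3c4d000f000000140000ffffffffffffffff0000000000000000004000000200",
    "001000011a2b3c4d000c000000000000e7e03c00020000000000000000000000004000000200",
    "009400011a2b3c4d000d00000014010000000000000000000000000000000000000000000000",
    "001000011a2b3c4d0003000000000000",
    "001000011a2b3c4d0003000001000000e7e03c00020000000000000000000000004000000200",
    "001000011a2b3c4d0004000001000000",
]

def parse_control(hexdump):
    """Decode header and fixed fields of one PPTP control message. Only the
    bytes covered by the Length field are used: the PIX dumps its whole
    receive buffer, so stale bytes trail a short message (StopCCRQ above)."""
    raw = bytes.fromhex(hexdump)
    length, msg_type, magic, ctrl, _ = struct.unpack("!HHIHH", raw[:12])
    if magic != PPTP_MAGIC or msg_type != 1:
        raise ValueError("not a PPTP control message")
    body = raw[12:length]
    msg = {"len": length, "name": CTRL_NAMES.get(ctrl, f"type{ctrl}")}
    if ctrl == 1:    # Start-Control-Connection-Request
        ver, _, fcaps, bcaps, maxch, fw = struct.unpack("!HHIIHH", body[:16])
        msg.update(version=ver, framing_caps=fcaps, bearer_caps=bcaps,
                   max_channels=maxch, firmware=fw)
    elif ctrl == 7:  # Outgoing-Call-Request
        (cid, serial, minbps, maxbps, bearer, framing,
         win) = struct.unpack("!HHIIIIH", body[:22])
        msg.update(call_id=cid, serial=serial, min_bps=minbps, max_bps=maxbps,
                   bearer_type=bearer, framing_type=framing, recv_win=win)
    elif ctrl == 3:  # Stop-Control-Connection-Request
        msg.update(reason=body[0])
    return msg

def message_sequence(dumps):
    """Control-message names in the order the PIX exchanged them."""
    return [parse_control(d)["name"] for d in dumps]
```

The decoded values match what the PIX printed (serial num 24523, min/max bps, recv win size 64, firmware rev 0xa28, StopCCRQ reason 1); the 603104 line shows the tunnel was torn down with an empty username, i.e. the control connection and call set up cleanly and the failure came later, during PPP authentication.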

  2. Can2002

    Can2002 Guest

    Just to add to my last post, if I enable vpdn on the inside interface, I can
    authenticate fine from an internal PC.

    Cheers,
    Chris
    Can2002, Jul 2, 2004
    #2

  3. Can2002

    John Rennie Guest

    My config is:

    sysopt connection permit-pptp
    ip local pool vpdnpool 192.168.1.224-192.168.1.239
    vpdn group vpdngroup accept dialin pptp
    vpdn group vpdngroup ppp authentication mschap
    vpdn group vpdngroup ppp encryption mppe 40 required
    vpdn group vpdngroup client configuration address local vpdnpool
    vpdn group vpdngroup pptp echo 60
    vpdn group vpdngroup client authentication local
    vpdn username test password test
    vpdn enable outside

    The only differences seem to be the address allocation and that I've used the
    sysopt command to let the pptp protocol through.

    JR


    On Fri, 2 Jul 2004 13:15:05 +0100, "Can2002" <can2002@nospammailDOTnet> wrote:

    >I've configured PPTP on a 501 but am having problems connecting from a
    >Windows XP client. The connection initiates, but then hangs at the
    >'Verifying username and password' prompt for ~30-40 seconds and then gives
    >me a '721:Remote computer did not respond'.
    John Rennie, Jul 4, 2004
    #3
  4. Can2002

    can2002 Guest

    John Rennie wrote:
    > My config is:
    >
    > sysopt connection permit-pptp
    > ip local pool vpdnpool 192.168.1.224-192.168.1.239
    > vpdn group vpdngroup accept dialin pptp
    > vpdn group vpdngroup ppp authentication mschap
    > vpdn group vpdngroup ppp encryption mppe 40 required
    > vpdn group vpdngroup client configuration address local vpdnpool
    > vpdn group vpdngroup pptp echo 60
    > vpdn group vpdngroup client authentication local
    > vpdn username test password test
    > vpdn enable outside
    >
    > The only differences seem to be the address allocation and that I've
    > used the sysopt command to let the pptp protocol through.


    Thanks John.

    My original VPN config was built using the VPN wizard. I tried wiping the
    config and used the example config from one of Cisco's articles which still
    didn't work.

    In the end I dropped the software from 6.3 to 6.2 and built up the config
    bit by bit. This worked and I've subsequently upgraded it to 6.3 again and
    put in the rest of the required config and it now works! Just one of those
    mysteries I guess!

    Chris
    can2002, Jul 4, 2004
    #4
  5. Can2002

    chackamakka Guest

    Hello,

    Try and put in this line:
    fixup protocol pptp 1723
    I seem to remember I had the same problem. This line needs to be in
    the config since software version 6.????...3 I guess. Before it was
    not necessary, but the pix is going to do some checks on pptp. Anyway,
    you can always try it.

    gr,
    philippe
    chackamakka, Jul 7, 2004
    #5
  6. Can2002

    chackamakka Guest

    Hello again,

    maybe change "vpdn group vpdngroup ppp encryption mppe 40 required" by
    "vpdn group vpdngroup ppp encryption mppe 128 required" or "vpdn group
    vpdngroup ppp encryption mppe auto".

    gr,
    Philippe
    chackamakka, Jul 7, 2004
    #6
