VPN Error 806 - GRE - Cisco 877

Posted on 2008-10-28
Last Modified: 2012-05-05
I have a Cisco 877 that is working brilliantly, but for some reason I can't get GRE pass through to work using the SDM interface.

I stopped using Cisco when it was all Pix and CLI stuff and have forgotten everything I learnt back then.

We are using a MS VPN Connection and it stops at verifying username and password and returns an Error 806.

The config doesn't have any GRE items in it, however when I add it to access list 103 (which is the same list as pptp is on) the problem remains.  

Have tried the old 101 list etc, but am of the opinion I am missing something obvious, so please can you help?


show   run

Building configuration...

Current configuration : 10702 bytes


! Last configuration change at 16:48:20 PCTime Tue Oct 28 2008 by admin

! NVRAM config last updated at 16:46:59 PCTime Tue Oct 28 2008 by admin


version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption


hostname gateway





no logging buffered

logging console critical


aaa new-model



aaa group server radius rad_eap


aaa group server radius rad_mac


aaa group server radius rad_acct


aaa group server radius rad_admin


aaa group server tacacs+ tac_admin


aaa group server radius rad_pmip


aaa group server radius dummy


aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization ipmobile default group rad_pmip 

aaa accounting network acct_methods start-stop group rad_acct



aaa session-id common

clock timezone PCTime 0

clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00


crypto pki trustpoint TP-self-signed-4121383024

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-4121383024

 revocation-check none

 rsakeypair TP-self-signed-4121383024



crypto pki certificate chain TP-self-signed-4121383024

 certificate self-signed 01



dot11 syslog

no ip subnet-zero

ip cef



ip port-map user-protocol--2 port tcp 47

ip port-map user-protocol--1 port tcp 3101

ip port-map user-RWWp port tcp 4501 list 1 description Remote Web Workplace

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip name-server

ip name-server




username admin privilege 15 secret 5 $1$jPuP$l9waa1b5rqsEb/FqX3Mbg/




 log config





class-map type inspect match-all sdm-nat-user-RWWp-1

 match access-group 106

 match protocol user-RWWp

class-map type inspect match-all sdm-nat-smtp-2

 match access-group 102

 match protocol smtp

class-map type inspect match-all sdm-nat-http-1

 match access-group 101

 match protocol http

class-map type inspect match-all sdm-nat-user-protocol--1-1

 match access-group 105

 match protocol user-protocol--1

class-map type inspect match-all sdm-nat-http-2

 match access-group 101

 match protocol http

class-map type inspect match-all sdm-nat-smtp-1

 match access-group 102

 match protocol smtp

class-map type inspect match-any sdm-cls-insp-traffic

 match protocol cuseeme

 match protocol dns

 match protocol ftp

 match protocol h323

 match protocol https

 match protocol icmp

 match protocol imap

 match protocol pop3

 match protocol netshow

 match protocol shell

 match protocol realmedia

 match protocol rtsp

 match protocol smtp extended

 match protocol sql-net

 match protocol streamworks

 match protocol tftp

 match protocol vdolive

 match protocol tcp

 match protocol udp

class-map type inspect match-all sdm-insp-traffic

 match class-map sdm-cls-insp-traffic

class-map type inspect match-all sdm-nat-pptp-1

 match access-group 103

 match protocol pptp

class-map type inspect match-any sbs-services

 match protocol http

 match protocol https

 match protocol smtp

 match protocol imap

 match protocol imaps

 match protocol imap3

class-map type inspect match-all sdm-cls--1

 match class-map sbs-services

 match access-group name sbs-server

class-map type inspect match-all sdm-nat-pptp-2

 match access-group 103

 match protocol pptp

class-map type inspect match-any SDM-Voice-permit

 match protocol h323

 match protocol skinny

 match protocol sip

class-map type inspect match-any sdm-cls-icmp-access

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-any sdm-service-sdm-inspect-1

 match protocol http

 match protocol https

 match protocol aol

 match protocol msnmsgr

 match protocol ymsgr

 match protocol appleqtc

class-map type inspect match-all sdm-icmp-access

 match class-map sdm-cls-icmp-access

class-map type inspect match-all sdm-protocol-http

 match class-map sdm-service-sdm-inspect-1

class-map type inspect match-all sdm-nat-https-1

 match access-group 104

 match protocol https



policy-map type inspect sdm-permit-icmpreply

 class type inspect sdm-icmp-access


 class class-default


policy-map type inspect sdm-inspect

 class type inspect sdm-insp-traffic


 class type inspect sdm-protocol-http


 class type inspect SDM-Voice-permit


 class class-default

  drop log

policy-map type inspect sdm-permit

 class class-default

policy-map type inspect sdm-policy-sdm-cls--1

 class type inspect sdm-cls--1


 class type inspect sdm-nat-http-1


 class type inspect sdm-nat-smtp-2


 class type inspect sdm-nat-pptp-1


 class type inspect sdm-nat-https-1


 class type inspect sdm-nat-user-protocol--1-1


 class type inspect sdm-nat-user-RWWp-1


 class type inspect sdm-nat-http-2


 class type inspect sdm-nat-pptp-2


 class class-default

policy-map type inspect sdm-permit-dmzservice

 class type inspect sdm-nat-smtp-1


 class class-default



zone security dmz-zone

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

 service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone

 service-policy type inspect sdm-permit-dmzservice

zone-pair security sdm-zp-out-self source out-zone destination self

 service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone

 service-policy type inspect sdm-permit-dmzservice

zone-pair security sdm-zp-in-out source in-zone destination out-zone

 service-policy type inspect sdm-inspect

zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone

 service-policy type inspect sdm-policy-sdm-cls--1




interface ATM0

 no ip address

 ip route-cache flow

 no atm ilmi-keepalive

 dsl operating-mode auto 


interface ATM0.3 point-to-point

 description $ES_WAN$

 pvc 0/38 

  encapsulation aal5mux ppp dialer

  dialer pool-member 1



interface FastEthernet0


interface FastEthernet1


interface FastEthernet2

 switchport mode trunk


interface FastEthernet3


interface Dot11Radio0

 no ip address


 encryption mode ciphers tkip 

 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

 station-role root

 world-mode dot11d country GB both


interface Vlan1

 description $FW_INSIDE$$ES_LAN$

 ip address

 ip nat inside

 ip virtual-reassembly

 zone-member security in-zone


interface Vlan2

 description DMZ$FW_DMZ$

 ip address

 zone-member security dmz-zone


interface Dialer3

 description $FW_OUTSIDE$

 ip address negotiated

 ip nat outside

 ip virtual-reassembly

 zone-member security out-zone

 encapsulation ppp

 ip route-cache flow

 dialer pool 1

 dialer-group 1

 no cdp enable

 ppp authentication chap callin


no ip forward-protocol nd

ip route Dialer3


ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip dns server

ip nat pool Inside netmask

ip nat inside source list 4 interface Dialer3 overload

ip nat inside source static tcp 25 interface Dialer3 25

ip nat inside source static tcp 443 interface Dialer3 443

ip nat inside source static tcp 3101 interface Dialer3 3101

ip nat inside source static tcp 4501 interface Dialer3 4501

ip nat inside source static tcp 80 interface Dialer3 80

ip nat inside source static tcp 1723 interface Dialer3 1723


ip access-list extended sbs-server

 remark SDM_ACL Category=128

 permit ip any host



access-list 1 remark SDM_ACL Category=1

access-list 1 permit

access-list 2 remark SDM_ACL Category=2

access-list 2 permit

access-list 3 remark SDM_ACL Category=2

access-list 3 permit

access-list 4 remark SDM_ACL Category=2

access-list 4 permit

access-list 100 remark SDM_ACL Category=16

access-list 100 permit ip any

access-list 101 remark SDM_ACL Category=0

access-list 101 permit ip any host

access-list 102 remark SDM_ACL Category=0

access-list 102 permit ip any host

access-list 103 remark SDM_ACL Category=0

access-list 103 permit ip any host

access-list 104 remark SDM_ACL Category=0

access-list 104 permit ip any host

access-list 105 remark SDM_ACL Category=0

access-list 105 permit ip any host

access-list 106 remark SDM_ACL Category=0

access-list 106 permit ip any host

dialer-list 1 protocol ip permit

no cdp run



radius-server attribute 32 include-in-access-req format %h

radius-server vsa send accounting





line con 0

 no modem enable

line aux 0

line vty 0 4

 privilege level 15

 transport input telnet ssh


scheduler max-task-time 5000

ntp clock-period 17179590

ntp server source Dialer3 prefer




Question by:paulweeden

Expert Comment

ID: 22826588
I don't see permit gre any any within any of the ACLs. Furthermore, your outside interface is in the out-zone security zone; however, the out-zone has no inspection set for PPTP, etc.

Set an ACL on the outside interface for inbound traffic permitting gre packets, then configure some inspection.
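
The ACL check described in the comment above, written as a script (an added example, not part of the original thread): it scans an IOS running-config for explicit `permit gre` ACL entries alongside the TCP 1723 forward, and also flags `ip port-map ... port tcp 47` entries, since GRE is IP protocol 47 and has no ports. The sample is constructed from the PPTP-related lines of the posted config, with 192.0.2.10 standing in for the address missing from the post; the function name and result keys are illustrative.

```python
import re

# Constructed sample: PPTP-related lines of the posted config. 192.0.2.10 is a
# placeholder for the inside server address that is missing from the post.
SAMPLE_CONFIG = """\
ip port-map user-protocol--2 port tcp 47
ip nat inside source static tcp 192.0.2.10 1723 interface Dialer3 1723
ip access-list extended sbs-server

 permit ip any host 192.0.2.10
access-list 103 permit ip any host 192.0.2.10
"""

NUMBERED_ACE = re.compile(r"^access-list (\S+) permit (\S+)")
NAMED_ACL = re.compile(r"^ip access-list \S+ (\S+)")
NAMED_ACE = re.compile(r"^\s+(?:\d+ )?permit (\S+)")
PORT_MAP_47 = re.compile(r"^ip port-map (\S+) port (tcp|udp) 47\b")
PPTP_FORWARD = re.compile(r"^ip nat inside source static tcp .*\b1723\b")
GRE = {"gre", "47"}  # GRE is IP protocol 47; it has no TCP/UDP ports


def audit_pptp_passthrough(config):
    """Report whether a config that forwards PPTP also names GRE in an ACL."""
    gre_acls, port_maps_47, forwards_1723, acl = set(), [], False, None
    for line in config.splitlines():
        if not line.strip():
            continue  # blank lines (as in the pasted config) do not end a block
        if line[0].isspace():  # sub-command; only named-ACL entries matter here
            m = NAMED_ACE.match(line)
            if acl and m and m.group(1) in GRE:
                gre_acls.add(acl)
            continue
        m = NAMED_ACL.match(line)
        acl = m.group(1) if m else None  # any other top-level line ends the ACL
        m = NUMBERED_ACE.match(line)
        if m and m.group(2) in GRE:
            gre_acls.add(m.group(1))
        m = PORT_MAP_47.match(line)
        if m:
            port_maps_47.append(m.group(1))  # a port mapping cannot describe GRE
        forwards_1723 = forwards_1723 or bool(PPTP_FORWARD.match(line))
    return {
        "forwards_tcp_1723": forwards_1723,
        "acls_permitting_gre": sorted(gre_acls),
        "port_maps_on_47": port_maps_47,
        "gre_gap": forwards_1723 and not gre_acls,
    }
```

A clean result covers only the ACL half of the advice; the zone-pair policy still has to act on the traffic that ACL matches.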

Author Comment

ID: 22939002
Hey Quori,

Sorry for going MIA, haven't been able to get my head round this whole access-group thing at the CLI, don't suppose you have an example config I could review??



Accepted Solution

paulweeden earned 0 total points
ID: 23175147
Have decided to take a Zyxel router instead of this Cisco one as it was too complex.
