caclement
asked on
Cisco 891 + External PPTP Server
We have a Cisco 891 with the configuration below.
I have several computers on my LAN that need to connect to an external Windows server with PPTP. The Windows server is not mine, but it works. The clients are using the Windows connection manager. Sometimes we can stay connected to the Windows PPTP server for hours.
But sometimes we can only stay connected for about 3-4-5 minutes, and then it auto-disconnects. Is there something wrong in my configuration? I heard the Cisco router is messing with the keepalive or the connection state.
It seems to happen when I have more than 5-6 clients connected at the same time to the same server.
I get these messages: Link to VPN failed, or ERROR 619, or ERROR 651.
Before, I had an RV042 and it worked like a charm. We were 10 on the VPN server and it was working. I don't see why it's not working now...
The errors are: Link to VPN server failed, or ERROR 619, or ERROR 651.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Quantis891
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.1.201 10.1.1.254
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool Quantum
import all
network 10.1.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.1.1.1
netbios-name-server 10.1.1.253
lease infinite
!
!
ip cef
no ip bootp server
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn **********
!
!
object-group service Srvloc
description Srvloc Port 427
udp lt 427
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any PPTP
match protocol pptp
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol smtp
match protocol pop3
match protocol dns
match protocol secure-pop3
match protocol imap
class-map match-any VoIP
match protocol skype
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map match-any VPN
match protocol pptp
match protocol gre
match protocol l2tp
match protocol ipsec
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
!
!
policy-map type inspect VPN
class type inspect SDM_GRE
inspect
class type inspect PPTP
inspect
policy-map QoS
class VoIP
priority percent 15
set dscp ef
class VPN
priority percent 40
class WebEmail
bandwidth remaining percent 40
class class-default
bandwidth remaining percent 35
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport trunk native vlan 2
shutdown
!
!
interface FastEthernet1
shutdown
!
!
interface FastEthernet2
shutdown
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
shutdown
!
!
interface FastEthernet5
shutdown
!
!
interface FastEthernet6
shutdown
!
!
interface FastEthernet7
switchport access vlan 2
switchport trunk native vlan 2
!
!
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ETH-WAN$$FW_OUTSIDE$
bandwidth 2048
ip address dhcp client-id GigabitEthernet0 hostname nostromo
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
service-policy output QoS
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO- FE 1$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.248
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
!
interface Vlan2
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source list 1 interface GigabitEthernet0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
logging 10.1.1.253
access-list 1 remark INSIDE_IF=Vlan2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 12 permit any
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq www
access-list 100 deny tcp any host 10.10.10.1 eq 443
access-list 100 deny tcp any host 10.10.10.1 eq cmd
access-list 100 deny udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 443
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq cmd
access-list 103 permit tcp any any eq 1723
access-list 103 remark GRE
access-list 103 permit gre any any
access-list 103 permit udp any any eq isakmp
access-list 103 deny udp any any eq 427
access-list 103 deny tcp any host 10.1.1.1 eq telnet
access-list 103 deny tcp any host 10.1.1.1 eq 22
access-list 103 deny tcp any host 10.1.1.1 eq www
access-list 103 deny tcp any host 10.1.1.1 eq 443
access-list 103 deny tcp any host 10.1.1.1 eq cmd
access-list 103 deny udp any host 10.1.1.1 eq snmp
access-list 103 permit ip any any
no cdp run
Hi,
you need to enable GRE on the inspect ACL:
ip access-list extended 103
1 permit gre any any
2 permit tcp any eq 1723 any
sorry, ACL 100 needs the fine-tuning:
ip access-list extended 100
1 permit gre any any
2 permit tcp any eq 1723 any
ASKER
ACL 100 is not in use. It is for the configuration terminal in a different VLAN. Like I said, the clients CAN actually connect to the VPN, for hours sometimes. But sometimes they can only stay connected for 3 minutes...
Thanks
ASKER
Perhaps my router has a limited number of simultaneous connections to a PPTP server?
Any clues ?
interesting...
What does the log show?
ASKER
Well, I am not sure which log to use. The PPTP connection is made by the clients, not the router...
on the router
ASKER
The debug shows nothing specific.
ASKER
I have new information:
All the clients drop at the same time. If we connect at 2-3 minute intervals we can be fine for 30-40 minutes. But in the end, everyone drops at the same time.
I have the default NAT timeout values; could it be this?
ASKER
I took a look at the server logs and here is what it shows:
22116 11:01:17.531532 MY_IP DEST_IP TCP 53025 > pptp [SYN]
Seq=0 Win=8192 Len=0 MSS=1460 WS=2 TSV=4447122 TSER=0
So it seems that some clients send ICMP destination unreachable messages to the server. The server somehow closes all the connections.
Is it possible to block those sent ICMP messages?
ASKER
ICMP sent packets were the problem. I added an input ACL on my inbound interface and the problem is gone.
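One caveat for anyone reproducing the asker's diagnosis: on a capture taken at the PPTP server, every client behind the NAT overload appears as the router's single outside address, so to tell which LAN client is emitting the ICMP unreachables the capture has to be taken on the inside of the router. The following triage script is an added example, not code from this thread; it parses the Wireshark-style summary format quoted above, and the capture lines, the 10.1.1.x client addresses and the 203.0.113.10 server address in it are constructed placeholders:

```python
"""Triage a Wireshark-style capture summary for the thread's drop pattern: a LAN client sends ICMP unreachable to the PPTP server, then every client drops."""
import re
from collections import defaultdict

# "<frame> <time> <src> <dst> <proto> <info>"; lines without a frame number continue the previous info (as on the page).
FRAME_RE = re.compile(r"^(\d+)\s+(\d+:\d+:\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample taken on the LAN side (before NAT) so each client keeps its own
# 10.1.1.x address; 203.0.113.10 is a placeholder for the external PPTP server.
SAMPLE = """\
1 11:01:17.531532 10.1.1.20 203.0.113.10 TCP 53025 > pptp [SYN]
Seq=0 Win=8192 Len=0 MSS=1460 WS=2 TSV=4447122 TSER=0
2 11:01:18.004410 10.1.1.20 203.0.113.10 GRE Encapsulated PPP
3 11:01:19.110021 10.1.1.31 203.0.113.10 TCP 53026 > pptp [SYN] Seq=0 Win=8192 Len=0
4 11:04:02.771009 10.1.1.45 203.0.113.10 ICMP Destination unreachable (Port unreachable)
5 11:04:02.990444 203.0.113.10 10.1.1.20 TCP pptp > 53025 [RST, ACK] Seq=1 Ack=1 Len=0
6 11:04:03.001200 203.0.113.10 10.1.1.31 TCP pptp > 53026 [RST, ACK] Seq=1 Ack=1 Len=0
"""

def parse_summary(text):
    """Return (frame, time, src, dst, proto, info) tuples, joining wrapped info lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(list(m.groups()))
        elif frames and line.strip():
            frames[-1][5] += " " + line.strip()
    return [tuple(f) for f in frames]

def triage(text, server):
    """Per LAN source: PPTP SYNs, GRE frames, ICMP unreachables to server; icmp_unreach > 0 marks the ACL candidate."""
    stats = defaultdict(lambda: {"pptp_syn": 0, "gre": 0, "icmp_unreach": 0})
    for _f, _t, src, dst, proto, info in parse_summary(text):
        if dst != server:
            continue
        if proto == "TCP" and "> pptp" in info and "[SYN]" in info:
            stats[src]["pptp_syn"] += 1
        elif proto == "GRE":
            stats[src]["gre"] += 1
        elif proto == "ICMP" and "unreachable" in info.lower():
            stats[src]["icmp_unreach"] += 1
    return dict(stats)

def resets_after_first_unreachable(text, server):
    """(time of the first client ICMP unreachable, PPTP control sessions the server reset
    or closed at or after it), or None if no unreachable was seen."""
    frames = parse_summary(text)
    first = min((t for _f, t, _s, d, p, i in frames
                 if d == server and p == "ICMP" and "unreachable" in i.lower()), default=None)
    if first is None:
        return None
    # Timestamps are zero-padded HH:MM:SS.ffffff, so plain string comparison orders them.
    closed = sum(1 for _f, t, s, _d, p, i in frames if s == server and p == "TCP"
                 and "pptp >" in i and ("[RST" in i or "[FIN" in i) and t >= first)
    return first, closed
```

On the sample, 10.1.1.45 is the only source with a non-zero icmp_unreach count and both PPTP control sessions are reset within a quarter of a second of its unreachable, which is the correlation to look for before writing the inbound ACL entry.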