caclement asked:
Cisco 891 + External PPTP Server

We have a Cisco 891 with the configuration below.

I have several computers on my LAN that need to connect to an external Windows server with PPTP. The Windows server is not mine, but it works. The clients are using the Windows connection manager. We can sometimes stay connected to the Windows PPTP server for hours.

But sometimes we can only connect for about 3-4-5 minutes, and then it auto-disconnects. Is there something wrong in my configuration? I heard the Cisco router is messing with the keepalive or the connection state.

It seems to happen when I have more than 5-6 clients connected at the same time to the same server.

I get these messages: Link to VPN failed, OR ERROR 619, OR ERROR 651.

Before, I had an RV042 and it worked like a charm. We were 10 on the VPN server and it was working. I don't see why it's not working now...

The errors are: Link to VPN server failed, OR ERROR 619, or ERROR 651...




version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Quantis891
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.1.201 10.1.1.254
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool Quantum
   import all
   network 10.1.1.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 10.1.1.1
   netbios-name-server 10.1.1.253
   lease infinite
!
!
ip cef
no ip bootp server
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn **********
!
!
object-group service Srvloc
 description Srvloc Port 427
 udp lt 427
!

!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any PPTP
 match protocol pptp
class-map match-any WebEmail
 match protocol http
 match protocol secure-http
 match protocol smtp
 match protocol pop3
 match protocol dns
 match protocol secure-pop3
 match protocol imap
class-map match-any VoIP
 match protocol skype
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map match-any VPN
 match protocol pptp
 match protocol gre
 match protocol l2tp
 match protocol ipsec
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
!
policy-map type inspect VPN
 class type inspect SDM_GRE
  inspect
 class type inspect PPTP
  inspect
policy-map QoS
 class VoIP
    priority percent 15
  set dscp ef
 class VPN
    priority percent 40
 class WebEmail
    bandwidth remaining percent 40
 class class-default
    bandwidth remaining percent 35
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 switchport trunk native vlan 2
 shutdown
 !
!
interface FastEthernet1
 shutdown
 !
!
interface FastEthernet2
 shutdown
 !
!
interface FastEthernet3
 shutdown
 !
!
interface FastEthernet4
 shutdown
 !
!
interface FastEthernet5
 shutdown
 !
!
interface FastEthernet6
 shutdown
 !
!
interface FastEthernet7
 switchport access vlan 2
 switchport trunk native vlan 2
 !
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 shutdown
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 bandwidth 2048
 ip address dhcp client-id GigabitEthernet0 hostname nostromo
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
 service-policy output QoS
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.248
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip tcp adjust-mss 1452
 !
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 !
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 !
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source list 1 interface GigabitEthernet0 overload
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
logging trap debugging
logging 10.1.1.253
access-list 1 remark INSIDE_IF=Vlan2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 12 permit any
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 deny   tcp any host 10.10.10.1 eq telnet
access-list 100 deny   tcp any host 10.10.10.1 eq 22
access-list 100 deny   tcp any host 10.10.10.1 eq www
access-list 100 deny   tcp any host 10.10.10.1 eq 443
access-list 100 deny   tcp any host 10.10.10.1 eq cmd
access-list 100 deny   udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 443
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq cmd
access-list 103 permit tcp any any eq 1723
access-list 103 remark GRE
access-list 103 permit gre any any
access-list 103 permit udp any any eq isakmp
access-list 103 deny   udp any any eq 427
access-list 103 deny   tcp any host 10.1.1.1 eq telnet
access-list 103 deny   tcp any host 10.1.1.1 eq 22
access-list 103 deny   tcp any host 10.1.1.1 eq www
access-list 103 deny   tcp any host 10.1.1.1 eq 443
access-list 103 deny   tcp any host 10.1.1.1 eq cmd
access-list 103 deny   udp any host 10.1.1.1 eq snmp
access-list 103 permit ip any any
no cdp run
caclement (ASKER):

Is it a double NATing issue? It happens when several LAN clients connect at the same time...
Istvan Kalmar:
Hi,

you need to enable GRE on the inspect ACL:

ip access-list extended 103
 1 permit gre any any
 2 permit tcp any eq 1723 any
sorry, ACL 100 needs the fine-tuning:

ip access-list extended 100
 1 permit gre any any
 2 permit tcp any eq 1723 any
 
ACL 100 is not in use. It is for the configuration terminal in a different VLAN. Like I said... the clients CAN actually connect to the VPN. For hours sometimes. But sometimes they can only connect for 3 minutes...

Thanks
Perhaps my router has a limited number of simultaneous connections to a PPTP server?
Any clues?
interesting...

what does the log show?
Well, I am not sure which log to use. The PPTP connection is made by the clients, not the router...


on the router
The debug shows nothing specific.
I have new information:

All the clients drop at the same time. If we connect at 2-3 minute intervals we can be fine for 30-40 minutes. But in the end, everyone drops at the same time.

I have the default NAT timeout values, could it be this?
I took a look at the server logs and here is what it shows:


22116      11:01:17.531532      MY_IP      DEST_IP      TCP      53025 > pptp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 TSV=4447122 TSER=0

So it seems that some clients send ICMP destination unreachable messages to the server. The server somehow closes all the connections.

Is it possible to block those sent ICMP messages?
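The check the asker did by hand on the server capture (which LAN clients opened a PPTP control connection, which of them then sent ICMP Destination Unreachable toward the server, and whether the server's tear-downs follow those ICMP messages) can be scripted. The following is an added example, not code from the thread, the asker or Cisco. It assumes a Wireshark-style summary layout like the line quoted above (frame, time, source, destination, protocol, info); the client addresses, the `SERVER_IP` placeholder and every capture line in `SAMPLE_CAPTURE` are constructed for the example.

```python
"""Correlate ICMP Destination Unreachable messages with PPTP control-session
tear-downs in a Wireshark-style packet summary (added example, not from the
original thread)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample capture summary (not from the original page).  The LAN
# client addresses and SERVER_IP are placeholders chosen for this example.
SAMPLE_CAPTURE = """\
22116  11:01:17.531532  10.1.1.20  SERVER_IP  TCP   53025 > pptp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
22117  11:01:17.601004  SERVER_IP  10.1.1.20  TCP   pptp > 53025 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
22118  11:01:17.601900  10.1.1.20  SERVER_IP  GRE   Encapsulated PPP
22200  11:01:40.120001  10.1.1.21  SERVER_IP  TCP   53101 > pptp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
22201  11:01:40.190552  10.1.1.21  SERVER_IP  GRE   Encapsulated PPP
22350  11:04:22.007711  10.1.1.21  SERVER_IP  ICMP  Destination unreachable (Port unreachable)
22351  11:04:22.009023  10.1.1.21  SERVER_IP  ICMP  Destination unreachable (Port unreachable)
22352  11:04:22.150000  SERVER_IP  10.1.1.20  TCP   pptp > 53025 [FIN, ACK] Seq=200 Ack=300 Win=8192 Len=0
22353  11:04:22.150400  SERVER_IP  10.1.1.21  TCP   pptp > 53101 [FIN, ACK] Seq=210 Ack=310 Win=8192 Len=0
"""

# frame, time, src, dst, proto, and the free-form info column
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_summary(text):
    """Parse summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, ts, src, dst, proto, info = m.groups()
        records.append({
            "frame": int(frame),
            "time": datetime.strptime(ts, "%H:%M:%S.%f"),
            "src": src, "dst": dst, "proto": proto, "info": info.strip(),
        })
    return records


def pptp_control_clients(records, server):
    """Sources that opened a PPTP control connection (TCP SYN to port 'pptp')."""
    return sorted({r["src"] for r in records
                   if r["proto"] == "TCP" and r["dst"] == server
                   and "> pptp [SYN]" in r["info"]})


def _icmp_unreachables(records, server):
    return [r for r in records
            if r["proto"] == "ICMP" and r["dst"] == server
            and "Destination unreachable" in r["info"]]


def icmp_unreachable_senders(records, server):
    """How many ICMP Destination Unreachable messages each client aimed at the server."""
    return Counter(r["src"] for r in _icmp_unreachables(records, server))


def server_teardowns_after_icmp(records, server, window_seconds=2.0):
    """Server-sent FINs on PPTP control connections that follow an ICMP
    unreachable from any client within window_seconds: the 'everyone drops
    at the same time' pattern.  Returns (frame, client) pairs."""
    icmp_times = [r["time"] for r in _icmp_unreachables(records, server)]
    hits = []
    for r in records:
        if r["proto"] != "TCP" or r["src"] != server or "[FIN" not in r["info"]:
            continue
        if any(0 <= (r["time"] - t).total_seconds() <= window_seconds
               for t in icmp_times):
            hits.append((r["frame"], r["dst"]))
    return hits


def analyse(text, server):
    """Full report for one capture summary and one PPTP server address."""
    records = parse_summary(text)
    return {
        "pptp_clients": pptp_control_clients(records, server),
        "icmp_senders": dict(icmp_unreachable_senders(records, server)),
        "teardowns_after_icmp": server_teardowns_after_icmp(records, server),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CAPTURE, "SERVER_IP").items():
        print(f"{key}: {value}")
```

Run against a real export (Wireshark's default summary columns, saved as plain text) the report names the client that emitted the unreachables and shows whether every control session was closed by the server right after them; a single misbehaving client taking everyone down is exactly what distinguishes this failure from a per-client NAT timeout.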
ASKER CERTIFIED SOLUTION (caclement):
ICMP sent packets were the problem. I added an input ACL on my inbound interface and the problem is gone.