Cisco 2800 IOS 12.4 L2TP VPN: Win XP connects, Win 7 connects briefly then disconnects after 20 seconds

I have a Cisco 2800 IOS router, version 12.4. I set up a VPN for L2TP connections, and I am able to connect from Windows XP with no problem. Windows 7 connects briefly and I can ping the remote network for about 15 pings, and then it disconnects. Windows Event Viewer shows:

The user MACHINE\user dialed a connection named VPN Connection which has terminated. The reason code returned on termination is 829.



The output of debug vpdn event on the Cisco 2800 is:

Oct 11 17:53:00.721: VPDN Received L2TUN socket message <xCRQ - Session Incoming>
Oct 11 17:53:00.721: VPDN Tnl/Sn 46009 45 L2TUN socket session accept requested
Oct 11 17:53:00.725: VPDN Tnl/Sn 46009 45 Setting up dataplane for L2-L2, no idb
Oct 11 17:53:00.753: VPDN Received L2TUN socket message <xCCN - Session Connected>
Oct 11 17:53:00.757: VPDN uid:44 VPDN session up
Oct 11 17:53:00.877: VPDN Vi3 Virtual interface created for unknown, bandwidth 1000000 Kbps
Oct 11 17:53:00.877: VPDN Vi3 Setting up dataplane for L2-L3, Vi3
Oct 11 17:53:00.881: VPDN Received L2TUN socket message <Dataplane UP>
Oct 11 17:53:00.885: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Oct 11 17:53:01.885: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Oct 11 17:53:21.070: VPDN Vi3 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 66/VPDN Local PPP Disconnect
Oct 11 17:53:21.070: VPDN Vi3 vpdn shutdown session, result=2, error=7, vendor_err=0
Oct 11 17:53:21.070: VPDN Vi3 VPDN/AAA: accounting stop sent
Oct 11 17:53:21.070: VPDN Vi3 Unbinding session from idb
Oct 11 17:53:21.070: Vi3 VPDN: Resetting interface
Oct 11 17:53:21.074: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Oct 11 17:53:22.042: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down



The running config on the Cisco 2800 is:

Current configuration : 6832 bytes
!
! Last configuration change at 12:34:49 MST Tue Oct 11 2011 by Admin
! NVRAM config last updated at 12:34:51 MST Tue Oct 11 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO2800
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $X$XXXX$XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool ccp-pool1
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 75.75.75.75 8.8.8.8
   domain-name domain.local
!
!
no ip bootp server
no ip domain lookup
ip name-server 75.75.75.75
ip name-server 8.8.8.8
login block-for 30 attempts 5 within 1
login delay 5
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXX
 certificate self-signed 01
        quit
!
!
username XXXXXXXX privilege 15 secret 5 $XXXXXXXX$KHXXXXXXXXmrFXXXXXXXXqyMJD/
archive
 log config
  hidekeys
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MYVERYSECRETKEY address 173.000.000.85
crypto isakmp key MYVERYSECRETKEY address 173.000.000.165
crypto isakmp key MYVERYSECRETKEY address 0.0.0.0 0.0.0.0
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF
 set transform-set tset
!
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set ccsp
!
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
!
!
ip ssh authentication-retries 5
ip ssh port 5555 rotary 1
ip ssh version 2
!
policy-map FOO
 class class-default
  shape average 128000
!
!
!
!
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description Belen VPN
 ip address 192.168.10.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 173.000.000.85
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
 service-policy output FOO
!
interface Tunnel1
 description Los Lunas VPN
 ip address 192.168.11.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 173.000.000.165
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
 service-policy output FOO
!
interface FastEthernet0/0
 description $ES_WAN$
 ip address 75.000.000.169 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map cisco
!
interface FastEthernet0/1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool vpn_pool
 ppp mtu adaptive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
router rip
 version 2
 network 192.168.3.0
 network 192.168.10.0
 network 192.168.11.0
 network 192.168.12.0
!
ip local pool vpn_pool 192.168.12.175 192.168.12.199
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.000.000.174
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 3700
ip nat inside source route-map NONAT_NAT interface FastEthernet0/0 overload
!
ip access-list extended nonat_nat
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
no logging trap
access-list 152 remark deny_ssh_default_port_and_telnet
access-list 152 deny   tcp any any eq 22
access-list 152 deny   tcp any any eq telnet
access-list 152 permit tcp any gt 1024 any gt 1024
no cdp run
!
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
!
radius-server host 192.168.3.11 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXX
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
|=================================================================|
Cisco 2800 Router - Authorized Personel Only
Internal IP: 192.168.3.1
External IP: 75.000.000.169 - Comcast
Hostname $(hostname)
Domain $(domain)
Line $(line)
|=================================================================|
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 152 in
 privilege level 15
 rotary 1
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17180248
ntp server 192.5.41.40
!
end



Any help is most appreciated! Russ
techsrx Asked:
techsrx (Author) Commented:
Finally bailed on trying to get this to work and went with OpenVPN, which has been working very nicely.
0
 
asavener Commented:
Have you tried disabling the Windows firewall on the Win 7 system?
0
 
techsrx (Author) Commented:
I did disable the firewall on the Windows 7 machine, with no luck.
0
 
asavener Commented:
Are you using the VPN client built into Windows, or are you using the Cisco VPN client?
0
 
asavener Commented:
To add a necessary registry setting:

1. In the Start menu search box, type "regedit" and press ENTER.
   - You will be prompted to allow Administrator rights; click Yes.
2. Locate and click the registry subkey named HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
3. On the Edit menu, point to New, and click DWORD Value.
4. In the New Value #1 box, type "AssumeUDPEncapsulationContextOnSendRule" (this is case-sensitive and contains no spaces), and press ENTER.
5. Right-click AssumeUDPEncapsulationContextOnSendRule, and select Modify.
6. In the Value data box, type "2" and click OK.
7. Reboot the computer.
0
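
The registry steps in the comment above as a script, added here as an example and not part of asavener's comment. The function name `Set-AssumeUdpEncapsulationRule` is hypothetical; the key, value name and data (2) are the ones given in the steps. It records the previous value so the change can be reverted, and it avoids syntax newer than the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: scripted equivalent of the regedit steps (hypothetical function name).
function Set-AssumeUdpEncapsulationRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 2 is the value given in the steps above.
        [ValidateRange(0, 2)]
        [int]$Value = 2
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'

    # Writing under HKLM needs an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    if (-not (Test-Path $key)) {
        throw "Registry key not found: $key"
    }

    # Record the existing value (if any) so the change can be reverted later.
    $previous = $null
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($existing) { $previous = $existing.$name }

    # Only write when the value differs; -WhatIf shows the change without making it.
    if ($previous -ne $Value -and $PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Value")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read the value back to confirm what is actually stored.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    New-Object PSObject -Property @{
        Previous       = $previous
        Current        = $current
        RebootRequired = ($previous -ne $current)   # the steps end with a reboot
    }
}

Set-AssumeUdpEncapsulationRule -Value 2
```

Run it with `-WhatIf` first to see the pending change without writing to the registry.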
 
techsrx (Author) Commented:
Thank you for your response. I apologize for being slow to answer; we just moved offices. I am settled in now, though.

We are using the Windows VPN client. It works fine with Windows XP but disconnects on Windows 7 right at 20 seconds. I tried the regedit listed above and rebooted, but it still disconnected after 20 seconds.

Thanks Russ
0
 
techsrx (Author) Commented:
Final solution was using OpenVPN.
0
Question has a verified solution.
