Disable PPTP and L2TP server

mo01 · ‎04-20-2024

Hello!

I tested PPTP and L2TP VPN solutions, but considered another solution without the Cisco router involved.

I've disabled all the virtual-access and vpdn stuff,

sh run all | i vpdn

returns nothing, but the ports for PPTP and L2TP are still open and control-plane host open-ports confirms that.

How can those services be stopped?

I already try a reload.

15.9(3)M7 on C886VA-W-E-K9

kind regards

Marco

MHM Cisco World · ‎04-20-2024

Try this

Class-map type port-filter match-all <name>

Match closed-ports

!

Policy-map type port-filter <name>

Class <name>

Drop

!

Control-plane <name>

Service-policy type port-filter input <name>

MHM

mo01 · ‎04-28-2024

I've now tried the policy map. It will, like it says, only affect closed ports (and does that), but doesn't affect the open pptp TCP port.

balaji.bandi · ‎04-20-2024

but the ports for PPTP and L2TP are still open and control-plane host open-ports confirms that.

how did you tested and confirm porst are open

you can check on the router and post below output here :

show tcp brief all

show control-plane host open-ports

show ip tcp brief

show ip socket

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

mo01 · ‎04-20-2024

router#sh tcp brief all
TCB       Local Address               Foreign Address             (state)
[...]
13Dxyz  0.0.0.0.1723               *.*                         LISTEN
router#
router#show control-plane host open-ports

 udp                      *:1701                         *:0              L2TP-Server   LISTEN
 tcp                      *:1723                         *:0                PPTP Mgmt   LISTEN
[...]

The other commands don't exist on my system.

I prefer to disable the L2TP and PPTP servers instead of creating firewall rulesets and simply answer to any requests with TCP RST or ICMP port unreachable.

Georg Pauwen · ‎04-21-2024

Hello,

the command 'clear tcp tcb' used to be around, can you give that a try ?

mo01 · ‎04-22-2024

13DC87B8  0.0.0.0.1723               *.*                         LISTEN
router#clear tcp tcb 13DC87B8
[confirm]
%Clear TCP failed: TCB 0x13DC87B8 not found
router#

Georg Pauwen · ‎04-22-2024

Hello,

what if you use:

clear tcp tcb *

mo01 · ‎04-22-2024

That removed the entry in sh tcp brief, but the PPTP server is still running.

MHM Cisco World · ‎04-22-2024

did you ever try my suggestion ???????????

MHM

mo01 · ‎04-22-2024

Not yet, because that looks like a firewall rule. Isn't it a firewll rule?

Such a configuration didn't exist in the past and PPTP server is running since I set up a PPTP VPN. Now I prefer to stop that PPTP server from running instead of configuring a firewall ruleset to deny access to it.

MHM Cisco World · ‎04-22-2024

This not FW' what we need to make CoPP drop any traffic to closed port

MHM

mo01 · ‎04-22-2024

Can you tell me what this exactly does?

Isn't there a way to simply stop the PPTP server from running?

Georg Pauwen · ‎04-22-2024

Hello,

odd that the service keeps running. Maybe you can just 'wr erase' the entire config, then reload the router, and configure everything from scratch again, with any VPDN stuff ?

MHM Cisco World · ‎04-22-2024

Check if there is vpdn enable'

Note:- dont use i vpdn

Check config line by line

MHM