
ASR1002 blocking PPTP

netrunner

Hello,

 

We have an ASR1002 router that's configured as a PPPoE server (with RADIUS).

Clients connect with PPPoE to our ASR and get public IP addresses.

They all can reach the internet; however, they all say that they cannot establish PPTP sessions from their PC to some external servers.

Since there is no NAT on the ASR, how is it possible that PPTP sessions are blocked?

Can you help?


marce1000

 

 - For the particular traffic type and/or source and destination(s), check the ASA's logs and check if you can find any useful info.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hello  marce1000

 

ASA? I have just ASR1002 with no firewall involved

 

Sorry : s/ASA/ASR1002/g        

 M.




Hello,

 

--> they all can reach the internet, however they all say that they cannot establish pptp sessions from their pc to some external servers.

 

What exactly are the clients trying to do? They get a public IP address from the ASR, and then they try to establish a PPTP session?

 

Post the full running config of the ASR...

Hello,

 

this is the ASR config.

Customers want to connect from home to office or from office to other external servers with a PPTP+GRE tunnel.

No problem if they change to an L2TP tunnel, but this workaround is not always acceptable.

 

Current configuration : 189421 bytes
!
! Last configuration change at 10:08:30 ITA Fri Nov 13 2020 by admin
! NVRAM config last updated at 10:08:30 ITA Fri Nov 13 2020 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ASR-OF-TO
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10240 informational
!
aaa new-model
aaa session-mib disconnect
!
!
aaa group server radius hal-radius
 server name hal-radius1
 retransmit 2
 timeout 120
!
aaa group server radius hal-accounting1
 server name hal-accounting1
 retransmit 2
 timeout 120
!
aaa group server radius hal-accounting2
 server name hal-accounting2
 retransmit 2
 timeout 120
!
aaa authentication login default local
aaa authentication ppp default group hal-radius
aaa authorization exec default local 
aaa authorization network default group hal-radius 
aaa authorization subscriber-service default local group hal-radius 
aaa accounting delay-start all
aaa accounting update periodic 10
aaa accounting network default start-stop broadcast group hal-radius group hal-accounting1 group hal-accounting2
!
!
!
!
aaa server radius dynamic-author
 client 10.5.0.4 server-key AAAAAAAAAAAAAA
 server-key AAAAAAAAAAAAAA
 auth-type any
!
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone ITA 1 0
clock summer-time ITA recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
!
!
!
!
!
!
!
!


ip name-server XXXXXXXXXXXX

ip domain name XXXXXXXXXX
!
!
!
!
!
!
 !
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
spanning-tree extend system-id
!
username admin privilege 15 password 99999999999999999999
!
redundancy
 mode none
 !
!
!
!
!
cdp run
!
lldp run
!
policy-map 15MB
 class class-default
  police 18874000 1179648 2359296 conform-action transmit  exceed-action drop 
policy-map 25MB
 class class-default
  police 31457000 1966080 3932160 conform-action transmit  exceed-action drop 
policy-map 6MB
 class class-default
  police 7549500 471859 943718 conform-action transmit  exceed-action drop 
policy-map 200MB
 class class-default
  police 251656000 15728640 31457280 conform-action transmit  exceed-action drop 
policy-map 2MB
 class class-default
  police 2516500 157286 314572 conform-action transmit  exceed-action drop 
policy-map 5MB
 class class-default
  police 6291000 393216 786432 conform-action transmit  exceed-action drop 
policy-map 60MB
 class class-default
  police 75497000 4718592 9437184 conform-action transmit  exceed-action drop 
policy-map 1MB
 class class-default
  police 1258000 78643 157286 conform-action transmit  exceed-action drop 
policy-map 50MB
 class class-default
  police 62914500 3932160 7864320 conform-action transmit  exceed-action drop 
policy-map 1000MB
 class class-default
  police 1258288000 78643200 157286400 conform-action transmit  exceed-action drop 
policy-map 3MB
 class class-default
  police 3774500 235929 471859 conform-action transmit  exceed-action drop 
policy-map 100MB
 class class-default
  police 125829000 7864320 15728640 conform-action transmit  exceed-action drop 
policy-map 40MB
 class class-default
  police 50331500 3145728 6291456 conform-action transmit  exceed-action drop 
policy-map 8MB
 class class-default
  police 10066000 629146 1258291 conform-action transmit  exceed-action drop 
policy-map 4MB
 class class-default
  police 5033000 314572 629145 conform-action transmit  exceed-action drop 
policy-map 10MB
 class class-default
  police 12582500 786432 1572864 conform-action transmit  exceed-action drop 
policy-map 500MB
 class class-default
  police 629144000 39321600 78643200 conform-action transmit  exceed-action drop 
policy-map 30MB
 class class-default
  police 37748500 2359296 4718592 conform-action transmit  exceed-action drop 
policy-map 12MB
 class class-default
  police 15099000 943718 1887437 conform-action transmit  exceed-action drop 
policy-map 20MB
 class class-default
  police 25165500 1572864 3145728 conform-action transmit  exceed-action drop 
policy-map 7MB
 class class-default
  police 8808000 550502 1101004 conform-action transmit  exceed-action drop 
policy-map 300MB
 class class-default
  police 377480000 23592960 47185920 conform-action transmit  exceed-action drop 
!
!
! 
!
!
!
!
!
!
!
!
!
!
 !
! 
! 
! 
! 
! 
! 
bba-group pppoe global
 virtual-template 1
 sessions max limit 64000
 sessions per-vc limit 64000
 sessions per-mac limit 64000
 sessions per-vlan limit 64000 inner 64000
 sessions per-vc throttle 100 30 1800
 sessions per-mac throttle 100 30 1800
 sessions per-vlan throttle 100 30 1800
 sessions auto cleanup
!
bba-group pppoe test
 virtual-template 2
 sessions per-vc limit 64000
 sessions per-mac limit 64000
 sessions per-vlan limit 64000 inner 64000
 sessions per-vc throttle 100 30 1800
 sessions per-mac throttle 100 30 1800
 sessions per-vlan throttle 100 30 1800
 sessions auto cleanup
!
!
!
interface Loopback1
 ip address CCCCCCCCCCC 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 10.5.92.252 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback3
 ip address 100.64.0.1 255.255.0.0
 ip ospf network point-to-point
!
interface Loopback4
 ip address DDDDDDDDDDDD 255.255.255.0
 ip ospf network point-to-point
!
interface Port-channel1
 no ip address
 no negotiation auto
!
interface Port-channel1.11640002
 encapsulation dot1Q 1614 second-dot1q 2
 pppoe enable group global
!
interface Port-channel1.101000011
 encapsulation dot1Q 100 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101000013
 encapsulation dot1Q 100 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101000019
 encapsulation dot1Q 100 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101000020
 encapsulation dot1Q 100 second-dot1q 20
 pppoe enable group global
!
interface Port-channel1.101000021
 encapsulation dot1Q 100 second-dot1q 21
 pppoe enable group global
!
interface Port-channel1.101000022
 encapsulation dot1Q 100 second-dot1q 22
 pppoe enable group global
!
interface Port-channel1.101000027
 encapsulation dot1Q 100 second-dot1q 27
 pppoe enable group global
!
interface Port-channel1.101000029
 encapsulation dot1Q 100 second-dot1q 29
 pppoe enable group global
!
interface Port-channel1.101000030
 encapsulation dot1Q 100 second-dot1q 30
 pppoe enable group global
!
interface Port-channel1.101000031
 encapsulation dot1Q 100 second-dot1q 31
 pppoe enable group global
!
interface Port-channel1.101020012
 encapsulation dot1Q 102 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101020017
 encapsulation dot1Q 102 second-dot1q 17
 pppoe enable group global
!
interface Port-channel1.101020018
 encapsulation dot1Q 102 second-dot1q 18
 pppoe enable group global
!
interface Port-channel1.101020019
 encapsulation dot1Q 102 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101070014
 encapsulation dot1Q 107 second-dot1q 14
 pppoe enable group global
!
interface Port-channel1.101180010
 encapsulation dot1Q 118 second-dot1q 10
 pppoe enable group global
 !
interface Port-channel1.101240010
 encapsulation dot1Q 124 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101240011
 encapsulation dot1Q 124 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101240012
 encapsulation dot1Q 124 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101240013
 encapsulation dot1Q 124 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101270011
 encapsulation dot1Q 127 second-dot1q 11
 pppoe enable group test
!
interface Port-channel1.101270012
 encapsulation dot1Q 127 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101300010
 encapsulation dot1Q 130 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101300011
 encapsulation dot1Q 130 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101300012
 encapsulation dot1Q 130 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101300013
 encapsulation dot1Q 130 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101300014
 encapsulation dot1Q 130 second-dot1q 14
 pppoe enable group global
!
interface Port-channel1.101300015
 encapsulation dot1Q 130 second-dot1q 15
 pppoe enable group global
!
interface Port-channel1.101300016
 encapsulation dot1Q 130 second-dot1q 16
 pppoe enable group global
!
interface Port-channel1.101300017
 encapsulation dot1Q 130 second-dot1q 17
 pppoe enable group global
!
interface Port-channel1.101300018
 encapsulation dot1Q 130 second-dot1q 18
 pppoe enable group global
!
interface Port-channel1.101300019
 encapsulation dot1Q 130 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101300020
 encapsulation dot1Q 130 second-dot1q 20
 pppoe enable group global
!
interface Port-channel1.101300021
 encapsulation dot1Q 130 second-dot1q 21
 pppoe enable group global
!
interface Port-channel1.101300022
 encapsulation dot1Q 130 second-dot1q 22
 pppoe enable group global
!
interface Port-channel1.101300023
 encapsulation dot1Q 130 second-dot1q 23
 pppoe enable group global
!
interface Port-channel1.101310010
 encapsulation dot1Q 131 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101310011
 encapsulation dot1Q 131 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101310012
 encapsulation dot1Q 131 second-dot1q 12
 pppoe enable group global
 !
interface Port-channel1.101310013
 encapsulation dot1Q 131 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101310014
 encapsulation dot1Q 131 second-dot1q 14
 pppoe enable group global
!
interface Port-channel1.101310015
 encapsulation dot1Q 131 second-dot1q 15
 pppoe enable group global
!
interface Port-channel1.101310016
 encapsulation dot1Q 131 second-dot1q 16
 pppoe enable group global
!
interface Port-channel1.101310017
 encapsulation dot1Q 131 second-dot1q 17
 pppoe enable group global
!
interface Port-channel1.101310018
 encapsulation dot1Q 131 second-dot1q 18
 pppoe enable group global
!
interface Port-channel1.101310019
 encapsulation dot1Q 131 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101310020
 encapsulation dot1Q 131 second-dot1q 20
 pppoe enable group global
!
interface Port-channel1.101310021
 encapsulation dot1Q 131 second-dot1q 21
 pppoe enable group global
!
interface Port-channel1.101310022
 encapsulation dot1Q 131 second-dot1q 22
 pppoe enable group global
!
interface Port-channel1.101310023
 encapsulation dot1Q 131 second-dot1q 23
 pppoe enable group global
!
interface Port-channel1.101310024
 encapsulation dot1Q 131 second-dot1q 24
 pppoe enable group global
!
interface Port-channel1.101310025
 encapsulation dot1Q 131 second-dot1q 25
 pppoe enable group global
!
interface Port-channel1.101310026
 encapsulation dot1Q 131 second-dot1q 26
 pppoe enable group global
!
interface Port-channel1.101320010
 encapsulation dot1Q 132 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101320011
 encapsulation dot1Q 132 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101320012
 encapsulation dot1Q 132 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101320013
 encapsulation dot1Q 132 second-dot1q 13
 pppoe enable group global
!
interface Port-channel2
 no ip address
 no negotiation auto
!
interface Port-channel2.1
 description uplink
 encapsulation dot1Q 192
 ip address 10.15.192.114 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/2/0
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/1
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/2
 no ip address
 shutdown
 negotiation auto
 cdp enable
 !
interface GigabitEthernet0/2/3
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/4
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0/2/5
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0/2/6
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0/2/7
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.255.1 255.255.255.240
 negotiation auto
!
interface Virtual-Template1
 mtu 1480
 ip unnumbered Loopback3
 ip nat inside
 ip tcp adjust-mss 1440
 no logging event link-status
 peer default ip address pool default-pool
 keepalive 60
 ppp mtu adaptive
 ppp authentication chap eap ms-chap ms-chap-v2 pap
 ppp ipcp dns 8.8.8.8
!
interface Virtual-Template2
 mtu 1492
 bandwidth 1000000
 ip unnumbered Loopback3
 ip nat inside
 ip tcp adjust-mss 1452
 no logging event link-status
 peer default ip address pool default-pool
 keepalive 60
 ppp authentication chap eap ms-chap ms-chap-v2 pap
!
router ospf 1
 router-id 10.15.192.114
 log-adjacency-changes detail
 summary-address 100.64.0.0 255.255.0.0
 summary-address DDDDDDDDDDDDD 255.255.255.0
 redistribute connected subnets
 redistribute static subnets
 network 10.15.192.0 0.0.0.255 area 0
 network DDDDDDDDDDDDDD 0.0.0.255 area 0.0.0.37
 network EEEEEEEEEEEEEE 0.0.0.255 area 0.0.0.37
 !
ip local pool default-pool 100.64.0.2 100.64.127.254
ip local pool denat-pool DDDDDDDDDDDDD DDDDDDDDDDDDD
ip local pool Route-Pool 100.64.128.2 100.64.255.254
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool of-natpool CCCCCCCCC CCCCCCCCCCCC netmask 255.255.255.248
ip nat inside source route-map nat-of pool of-natpool overload
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip ssh version 2
!
ip access-list standard ssh-access
 permit 10.0.0.0 0.255.255.255
 deny   any log
!
ip radius source-interface Loopback2 
access-list 155 permit ip 100.64.0.0 0.0.255.255 any log
!
route-map nat-of permit 10
 match ip address 155
!
snmp-server community pub19jin RW
snmp-server location ITGate Corso Svizzera, 185, Torino, TO, 10149
!
!
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 30 original-called-number
radius-server attribute 4 10.15.192.114
radius-server attribute 31 mac format one-byte delimiter colon 
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 120 tries 3
radius-server deadtime 2
 !
radius server hal-radius1
 address ipv4 10.5.0.4 auth-port 1812 acct-port 1813
 key 00000000000
!
radius server hal-accounting1
 address ipv4 10.5.0.6 auth-port 1812 acct-port 1813
 key 00000000000
!
radius server hal-accounting2
 address ipv4 10.5.0.13 auth-port 1812 acct-port 1813
 key 00000000000
!
radius server hal-test
 address ipv4 10.5.0.2 auth-port 1812 acct-port 1813
 key 00000000000
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
banner 
^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class ssh-access in
 transport preferred ssh
line vty 5 15
 access-class ssh-access in
!
no network-clock synchronization automatic
ntp server 193.204.114.105 source Loopback1
!
end
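
A quick way to test the "no NAT" premise against the running config posted above; this is an added example, not part of the thread or any Cisco tooling. `nat_audit` is a hypothetical helper, and the embedded text is an excerpt of the posted config limited to its NAT-relevant lines.

```python
import ipaddress
import re

# Excerpt of the running config posted above (NAT-relevant lines only).
CONFIG = """\
interface Port-channel2.1
 ip nat outside
!
interface Virtual-Template1
 ip unnumbered Loopback3
 ip nat inside
 peer default ip address pool default-pool
!
ip local pool default-pool 100.64.0.2 100.64.127.254
ip nat settings mode cgn
ip nat inside source route-map nat-of pool of-natpool overload
access-list 155 permit ip 100.64.0.0 0.0.255.255 any log
"""

SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared (CGN) space


def nat_audit(config: str) -> dict:
    """Summarise which subscriber interfaces sit behind NAT/PAT."""
    iface, nat_side, peer_pool, pools = None, {}, {}, {}
    report = {"cgn_mode": False, "overload_rules": [], "subscribers": []}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level command ends the block
            iface = None
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif iface and (m := re.match(r"ip nat (inside|outside)$", line)):
            nat_side[iface] = m.group(1)
        elif iface and (m := re.match(r"peer default ip address pool (\S+)", line)):
            peer_pool[iface] = m.group(1)
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif line == "ip nat settings mode cgn":
            report["cgn_mode"] = True
        elif line.startswith("ip nat inside source") and line.endswith("overload"):
            report["overload_rules"].append(line)
    for name, side in nat_side.items():      # pools are defined after interfaces
        if side != "inside" or peer_pool.get(name) not in pools:
            continue
        first, last = pools[peer_pool[name]]
        shared = all(ipaddress.ip_address(a) in SHARED for a in (first, last))
        report["subscribers"].append(
            {"interface": name, "range": (first, last), "shared_space": shared,
             "pat": bool(report["overload_rules"])})
    return report
```

The result matters for PPTP because its data channel is GRE (IP protocol 47), which carries no TCP/UDP ports, so it only crosses an overloaded translation when the NAT device handles PPTP specifically.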

netrunner

Hello,

 

any update on this? Still not working...
