03-24-2020 03:34 AM
Hello!
I have a Cisco router configured as an L2TP+IPsec VPN server. Employees connect from Windows computers. With up to 30 people connected to the server there are no problems, but once the number of connections reaches 30, new users can't connect. Windows gives error 720.
show version:
Cisco IOS XE Software, Version 16.06.03
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.3, RELEASE SOFTWARE (fc8)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 28-Feb-18 23:54 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
rt-Sbyt-GRE uptime is 27 weeks, 5 days, 9 hours, 34 minutes
Uptime for this control processor is 27 weeks, 5 days, 9 hours, 37 minutes
System returned to ROM by PowerOn at 11:57:45 MSK Sun Dec 9 2018
System restarted at 01:49:44 MSK Thu Sep 12 2019
System image file is "bootflash:isr4300-universalk9.16.06.03.SPA.bin"
Last reload reason: PowerOn
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
 securityk9
 appxk9
AdvUCSuiteK9          None                  None           None
 uck9
 cme-srst
 cube

Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9        appxk9        Permanent      appxk9
uck9          uck9          RightToUse     uck9
securityk9    securityk9    RightToUse     securityk9
ipbase        ipbasek9      Permanent      ipbasek9
cisco ISR4331/K9 (1RU) processor with 1796073K/6147K bytes of memory.
Processor board ID xxx
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2102
show run (some fragments omitted):
version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname xxx
!
boot-start-marker
boot system bootflash:isr4300-universalk9.16.06.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius radius_ve
server name radius_XXX
!
aaa authentication login default local
aaa authentication ppp default group radius_XXX
aaa authorization network default if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
ip name-server xxx
ip domain name xxx
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
l2tp tunnel timeout no-session 15
ip pmtu
ip mtu adjust
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2677205731
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2677205731
revocation-check none
rsakeypair TP-self-signed-2677205731
!
!
crypto pki certificate chain TP-self-signed-2677205731
certificate self-signed 01
xxx
quit
!
!
!
!
!
!
!
!
!
license udi pid ISR4331/K9 sn xxx
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username operator privilege 15 secret 5 xxx
!
redundancy
mode none
!
!
!
!
!
!
track 10 ip sla 10 reachability
delay down 10 up 5
!
track 11 ip sla 11 reachability
delay down 10 up 5
!
!
!
!
!
!
!
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxx address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set l2tp_tr esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map l2tp_dmap 10
set nat demux
set transform-set l2tp_tr
!
!
crypto map l2tp_map 10 ipsec-isakmp dynamic l2tp_dmap
!
!
!
!
!
!
!
!
interface Virtual-Template1
ip address xxx 255.255.255.0
ip mtu 1400
peer default ip address pool VPN
no keepalive
ppp authentication ms-chap-v2
!
!
ip local pool VPN 10.10.10.2 10.10.10.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
radius server radius_XXX
address ipv4 xxx auth-port 1645 acct-port 1646
key 7 xxx
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
!
ntp master
ntp server 10.181.17.8
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
Cisco debug output at the time of connection:
What might be the problem? How to solve it?
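Independently of the 30-session problem, the crypto settings in the posted config (3DES, DH group 2, a wildcard pre-shared key for 0.0.0.0, L2TP tunnel authentication turned off) are worth auditing. The script below is an added example, not part of the post and not a Cisco tool. It parses an IOS-style running-config excerpt that I constructed from the crypto, VPDN and Virtual-Template lines above, re-indented the way IOS prints them (one leading space per nesting level), and flags legacy settings. Which ciphers and DH groups count as legacy, and the wording of each finding, are the example's own choices.

```python
"""Audit IKEv1/IPsec and L2TP settings in an IOS running-config excerpt.

Added example, not part of the forum post. CONFIG is constructed from the
posted config's crypto/VPDN lines, re-indented as IOS prints them.
"""
import re
from dataclasses import dataclass

# Constructed excerpt (the redacted "xxx" key is kept as in the post).
CONFIG = """\
vpdn-group l2tp
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 ip pmtu
 ip mtu adjust
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
crypto ipsec transform-set l2tp_tr esp-3des esp-sha-hmac
 mode transport
!
interface Virtual-Template1
 ip mtu 1400
 peer default ip address pool VPN
 ppp authentication ms-chap-v2
!
"""

# Thresholds chosen for this example: anything below AES and below a
# 2048-bit MODP / 256-bit ECP group is treated as legacy.
WEAK_IKE_ENCR = {"des", "3des"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


@dataclass
class Finding:
    section: str   # top-level config line the finding belongs to
    line: str      # offending line or token
    issue: str     # short description


def parse_blocks(text):
    """Split config text into (top-level line, [stripped child lines]) pairs.

    Indented lines are attached to the nearest preceding top-level line;
    '!' separators and blank lines are skipped.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Walk the parsed config and return a list of Findings."""
    findings = []
    for header, children in parse_blocks(text):
        if header.startswith("crypto isakmp policy"):
            # "encr 3des" -> {"encr": "3des"}; "encr aes 256" -> {"encr": "aes 256"}
            settings = dict(c.split(None, 1) for c in children if " " in c)
            encr = settings.get("encr")
            if encr in WEAK_IKE_ENCR:
                findings.append(Finding(header, f"encr {encr}", "legacy IKE cipher"))
            group = settings.get("group")
            if group in WEAK_DH_GROUPS:
                findings.append(Finding(header, f"group {group}", "weak DH group"))
            elif group is None:
                findings.append(Finding(header, "(no group line)",
                                        "DH group left at platform default; set it explicitly"))
        elif (m := re.match(r"crypto isakmp key \S+ address (\S+)", header)):
            if m.group(1) == "0.0.0.0":
                findings.append(Finding(header, header, "wildcard PSK shared by every peer"))
        elif header.startswith("crypto ipsec transform-set"):
            # tokens after the set name are the ESP transforms
            for tok in header.split()[4:]:
                if tok in WEAK_ESP:
                    findings.append(Finding(header, tok, "legacy ESP transform"))
        elif header.startswith("vpdn-group"):
            if "no l2tp tunnel authentication" in children:
                findings.append(Finding(header, "no l2tp tunnel authentication",
                                        "L2TP tunnel auth disabled; protection rests on IPsec alone"))
        elif header.startswith("interface Virtual-Template"):
            for c in children:
                if c.startswith("ppp authentication"):
                    methods = set(c.split()[2:])
                    if not methods & {"ms-chap-v2", "eap"}:
                        findings.append(Finding(header, c, "PPP auth weaker than MS-CHAPv2"))
    return findings


if __name__ == "__main__":
    for f in audit(CONFIG):
        print(f"[{f.issue}] {f.section} :: {f.line}")
```

Run against the excerpt it reports five findings: the 3DES IKE cipher, DH group 2, the wildcard pre-shared key, the esp-3des transform, and the disabled L2TP tunnel authentication (the last is typical for Windows' built-in client, which does not do L2TP tunnel authentication, so it is informational). A hardened ISAKMP policy on IOS would use `encr aes 256`, `hash sha256` and `group 14` with a transform set such as `esp-aes 256 esp-sha256-hmac`; before removing the legacy policy, confirm with `debug crypto isakmp` what the Windows clients actually propose, since the built-in client only offers stronger proposals when configured per connection. None of this addresses the 30-session cap asked about in the post.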
03-24-2020 04:24 AM
- Possibly a resource problem. Perhaps it could be resolved with a newer software release, if applicable, but that is not certain in this case. You may need 'heavier' equipment to support the VPN end users.
M.