Cisco 4331 does not accept more than 30 VPN connections

asid2006
Level 1

Hello!

I have a Cisco router configured as an L2TP+IPsec VPN server. Employees connect from Windows computers. With up to 30 people connected to the server there are no problems, but once the number of connections reaches 30, new users can't connect; Windows reports error 720.

show version:


Cisco IOS XE Software, Version 16.06.03
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.3, RELEASE SOFTWARE (fc8)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 28-Feb-18 23:54 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

rt-Sbyt-GRE uptime is 27 weeks, 5 days, 9 hours, 34 minutes
Uptime for this control processor is 27 weeks, 5 days, 9 hours, 37 minutes
System returned to ROM by PowerOn at 11:57:45 MSK Sun Dec 9 2018
System restarted at 01:49:44 MSK Thu Sep 12 2019
System image file is "bootflash:isr4300-universalk9.16.06.03.SPA.bin"
Last reload reason: PowerOn

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
 securityk9
 appxk9

AdvUCSuiteK9          None                  None           None
 uck9
 cme-srst
 cube


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9        appxk9        Permanent      appxk9
uck9          uck9          RightToUse     uck9
securityk9    securityk9    RightToUse     securityk9
ipbase        ipbasek9      Permanent      ipbasek9

cisco ISR4331/K9 (1RU) processor with 1796073K/6147K bytes of memory.
Processor board ID xxx
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

show run (some fragments omitted):


version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname xxx
!
boot-start-marker
boot system bootflash:isr4300-universalk9.16.06.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius radius_ve
 server name radius_XXX
!
aaa authentication login default local
aaa authentication ppp default group radius_XXX
aaa authorization network default if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
ip name-server xxx
ip domain name xxx
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
 ip pmtu
 ip mtu adjust
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2677205731
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2677205731
 revocation-check none
 rsakeypair TP-self-signed-2677205731
!
!
crypto pki certificate chain TP-self-signed-2677205731
 certificate self-signed 01
  xxx
        quit
!
!
!
!
!
!
!
!
!
license udi pid ISR4331/K9 sn xxx
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username operator privilege 15 secret 5 xxx
!
redundancy
 mode none
!
!
!
!
!
!
track 10 ip sla 10 reachability
 delay down 10 up 5
!
track 11 ip sla 11 reachability
 delay down 10 up 5
!
!
!
!
!
!
!
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address 0.0.0.0         no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set l2tp_tr esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map l2tp_dmap 10
 set nat demux
 set transform-set l2tp_tr
!
!
crypto map l2tp_map 10 ipsec-isakmp dynamic l2tp_dmap
!
!
!
!
!
!
!
!

interface Virtual-Template1
 ip address xxx 255.255.255.0
 ip mtu 1400
 peer default ip address pool VPN
 no keepalive
 ppp authentication ms-chap-v2
!
!
ip local pool VPN 10.10.10.2 10.10.10.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
radius server radius_XXX
 address ipv4 xxx auth-port 1645 acct-port 1646
 key 7 xxx
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
!
ntp master
ntp server 10.181.17.8
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!

Cisco debug at the time of connection:

Mar 24 10:30:29.619: VPN AUTHOR [1185]: Authorizing key
Mar 24 10:30:29.619: VPN AUTHOR [1185]: Got username name 0#xxx#xxx
Mar 24 10:30:29.619: VPN AUTHOR [1185]: AAA request sent for key 0#xxx#xxx
Mar 24 10:30:29.619: VPN AUTHOR [1185]: Received an AAA pass
Mar 24 10:30:29.619: VPDN/AAA/AUTHOR: Parsing l2x attribute list
Mar 24 10:30:29.619: VPN AUTHOR [1185]: Found info for key 0#xxx#xxx
Mar 24 10:30:29.620: VPN AUTHOR [1185]: Free request
Mar 24 10:30:30.656: ppp34 PPP: Using vpn set call direction
Mar 24 10:30:30.656: ppp34 PPP: Treating connection as a callin
Mar 24 10:30:30.656: ppp34 PPP: Session handle[7000424] Session id[34]
Mar 24 10:30:30.754: ppp34 MS-CHAP-V2: O CHALLENGE id 1 len 32 from "xxx"
Mar 24 10:30:30.774: ppp34 MS-CHAP-V2: I RESPONSE id 1 len 62 from "xxx"
Mar 24 10:30:30.775: ppp34 PPP: Sent MSCHAP_V2 LOGIN Request
Mar 24 10:30:30.781: ppp34 PPP: Received LOGIN Response PASS
Mar 24 10:30:30.787: VT[Vi2.32]:Request took 5 msec, 5 msec processing time
Mar 24 10:30:30.791: Vi2.32 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=58BEF3D6DEB19806F497C81D465B19EF47CB2136"
Mar 24 10:30:30.839: VPDN Failed to get session from socket handle 1600002B

What might be the problem? How to solve it?
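An added triage script for the output above (constructed here for this thread; it is not code from Cisco, the original poster, or any of the replies). It parses an abridged copy of the posted debug lines together with the address-pool and IKE/IPsec fragments of the posted config, to answer three things a practitioner would check before blaming a platform limit: did AAA/MS-CHAPv2 authentication pass for the PPP session, at which step the session died, and whether pool VPN is big enough that it cannot be the 30-connection ceiling. Two assumptions are marked in the code: the `VPDN Failed to get session` line carries no session id, so it is attributed to the immediately preceding PPP session; and the weak-crypto flags (3DES, DH group 2) reflect current general guidance, not anything stated in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, abridged copy of the debug lines from the post ("xxx" placeholders kept).
SAMPLE_DEBUG = """\
Mar 24 10:30:29.619: VPN AUTHOR [1185]: Authorizing key
Mar 24 10:30:29.619: VPN AUTHOR [1185]: Received an AAA pass
Mar 24 10:30:30.656: ppp34 PPP: Using vpn set call direction
Mar 24 10:30:30.656: ppp34 PPP: Treating connection as a callin
Mar 24 10:30:30.656: ppp34 PPP: Session handle[7000424] Session id[34]
Mar 24 10:30:30.754: ppp34 MS-CHAP-V2: O CHALLENGE id 1 len 32 from "xxx"
Mar 24 10:30:30.774: ppp34 MS-CHAP-V2: I RESPONSE id 1 len 62 from "xxx"
Mar 24 10:30:30.775: ppp34 PPP: Sent MSCHAP_V2 LOGIN Request
Mar 24 10:30:30.781: ppp34 PPP: Received LOGIN Response PASS
Mar 24 10:30:30.787: VT[Vi2.32]:Request took 5 msec, 5 msec processing time
Mar 24 10:30:30.791: Vi2.32 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=58BEF3D6DEB19806F497C81D465B19EF47CB2136"
Mar 24 10:30:30.839: VPDN Failed to get session from socket handle 1600002B
"""

# Constructed copy of the IKE/IPsec and pool fragments of the posted config.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set l2tp_tr esp-3des esp-sha-hmac
 mode transport
ip local pool VPN 10.10.10.2 10.10.10.254
"""

PPP_RE = re.compile(r'^\S{3} +\d+ [\d:.]+: ppp(?P<sid>\d+) (?P<body>.*)$')
VT_RE = re.compile(r': VT\[Vi(?P<vi>[\d.]+)\]')
FAIL_RE = re.compile(r': VPDN Failed to get session from socket handle (?P<h>[0-9A-Fa-f]+)')
POOL_RE = re.compile(r'^ip local pool (?P<name>\S+) (?P<lo>\S+) (?P<hi>\S+)', re.M)


@dataclass
class PppSession:
    sid: str
    aaa_pass: bool = False                 # saw "Received LOGIN Response PASS"
    vaccess: Optional[str] = None          # Virtual-Access cloned from Virtual-Template1
    vpdn_fail_handle: Optional[str] = None # socket handle from the VPDN failure line


def parse_debug(text: str) -> Dict[str, PppSession]:
    """Group the debug lines by PPP session id and record how far each one got."""
    sessions: Dict[str, PppSession] = {}
    current: Optional[PppSession] = None
    for line in text.splitlines():
        m = PPP_RE.match(line)
        if m:
            current = sessions.setdefault(m['sid'], PppSession(m['sid']))
            if 'Received LOGIN Response PASS' in m['body']:
                current.aaa_pass = True
            continue
        if current is None:
            continue  # AAA authorisation lines that precede any ppp<N> session
        m = VT_RE.search(line)
        if m:
            current.vaccess = 'Vi' + m['vi']
            continue
        m = FAIL_RE.search(line)
        if m:
            # Assumption: the failure line carries no session id, so it is
            # attributed to the most recent PPP session seen in the log.
            current.vpdn_fail_handle = m['h']
    return sessions


def classify(s: PppSession) -> str:
    """Where did the session die? AAA/PPP auth is fine if PASS was seen."""
    if not s.aaa_pass:
        return 'auth-failed'
    if s.vpdn_fail_handle:
        return 'post-auth-vpdn-failure'
    return 'ok'


def pool_size(config: str, name: str) -> int:
    """Number of addresses in an 'ip local pool' (inclusive range)."""
    for m in POOL_RE.finditer(config):
        if m['name'] == name:
            lo, hi = ipaddress.ip_address(m['lo']), ipaddress.ip_address(m['hi'])
            return int(hi) - int(lo) + 1
    raise KeyError(name)


def weak_ike_settings(config: str) -> List[str]:
    """Flag IKE/IPsec parameters that current general guidance treats as weak
    (assumption of this example, not something the thread states)."""
    flags = []
    if re.search(r'^\s*encr 3des\s*$', config, re.M):
        flags.append('isakmp encr 3des')
    if re.search(r'^\s*group [12]\s*$', config, re.M):
        flags.append('isakmp DH group 1/2')
    if 'esp-3des' in config:
        flags.append('ipsec esp-3des')
    return flags


if __name__ == '__main__':
    for s in parse_debug(SAMPLE_DEBUG).values():
        print(f'ppp{s.sid}: aaa_pass={s.aaa_pass} vaccess={s.vaccess} '
              f'verdict={classify(s)} vpdn_handle={s.vpdn_fail_handle}')
    print('pool VPN size:', pool_size(SAMPLE_CONFIG, 'VPN'))
    print('weak settings:', weak_ike_settings(SAMPLE_CONFIG))
```

Run with python3. On the posted output it reports session 34 as authenticated (LOGIN Response PASS, Virtual-Access Vi2.32 created) and then failing inside VPDN, with 253 addresses in pool VPN, so neither the pool nor RADIUS/MS-CHAPv2 is the bottleneck; the next things to look at are `show vpdn session`, `show crypto session`, and the documented session limits for this platform and release. The weak-crypto flags are a side finding for whoever maintains this config.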

3 Replies

marce1000
VIP
 - Possibly a resource problem. Perhaps it could be resolved with a newer software release, if applicable, but that is not certain in this case. You may need 'heavier' equipment to support the VPN end-users.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    The mirror then always responds to me with ' The only thing that exceeds your brilliance is your beauty! '

show processes cpu:
CPU utilization for five seconds: 2%/0%; one minute: 3%; five minutes: 3%

I think he was talking not about CPU resources but about the resources the software allocates for VPN. For example, some time ago on the same platform we had a limitation of 80 Mbps for encryption; after a software upgrade the limitation was eliminated. So I think it would be good if you upgrade to 16.9.5, or to 16.6.7 if you don't want to leave the major release.
________________________________________________________
If you liked the answer, give it a star. If the answer helped solve your problem, mark it as the solution.