Cisco ISR C1111-8 and L2TP Server

Hello

On the C1111-8P router, I configured an L2TP server with IPsec.

When trying to connect, I get the following error:

% FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb = 0x7F72CCED30, ifnum = 31

Software Version: Cisco IOS XE Software, Version 16.09.07

Configuration under the spoiler:

RT-CISR-01#sh running-config
Building configuration...


Current configuration : 8472 bytes
!
! Last configuration change at 23:17:39 MSK Sat Sep 11 2021
! NVRAM config last updated at 23:17:42 MSK Sat Sep 11 2021
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 250000
!
hostname RT-CISR-01
!
boot-start-marker
boot system bootflash:/c1100-universalk9_ias.16.09.07.SPA.bin
boot-end-marker
!
!
enable secret 5 $1$z60f$mn9O8Gq3bJ0OIfpKzS7GV.
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
ip nbar http-services
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name vts.loc
ip dhcp excluded-address 10.136.1.1 10.136.1.10
ip dhcp excluded-address 10.36.1.1 10.36.1.10
ip dhcp excluded-address 10.36.2.1 10.36.2.10
ip dhcp excluded-address 10.36.3.1 10.36.3.10
ip dhcp excluded-address 10.36.36.1 10.36.36.10
ip dhcp excluded-address 10.36.254.1 10.36.254.10
ip dhcp excluded-address 10.36.254.0
ip dhcp excluded-address 10.36.254.255 255.255.255.255
!
ip dhcp pool VLAN_1
network 10.36.1.0 255.255.255.0
default-router 10.36.1.1
dns-server 20.20.20.1 10.36.1.1
!
ip dhcp pool VLAN_3
network 10.36.3.0 255.255.255.0
default-router 10.36.3.1
dns-server 20.20.20.1 10.36.3.1
!
ip dhcp pool VLAN_2
network 10.36.2.0 255.255.255.0
default-router 10.36.2.1
dns-server 20.20.20.1 10.36.2.1
!
ip dhcp pool VLAN_36
network 10.36.36.0 255.255.255.0
default-router 10.36.36.1
dns-server 20.20.20.1 10.36.36.1
!
ip dhcp pool L2TP_POOL
network 10.36.254.0 255.255.255.0
dns-server 10.36.254.1
domain-name vts.loc
default-router 10.36.254.1
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
vpdn session-limit 100
!
vpdn-group L2TP_REMOTE_USERS
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2398733053
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2398733053
revocation-check none
rsakeypair TP-self-signed-2398733053
!

!
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
!
username vpn_vtuchk password 0 XXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 123Qwerty!@ address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map CRYPTO_MAP_REMOTE_USERS 10
set nat demux
set transform-set ESP-3DES-SHA
!
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic CRYPTO_MAP_REMOTE_USERS
!
!
!
!
!
!
!
!
interface Loopback1
description L2TP_VPN_ENDPOINT
ip address 10.36.254.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description ISR-DR
no ip address
ip mtu 1452
ip nat outside
ip tcp adjust-mss 1412
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
description ISR-TS
no ip address
ip mtu 1452
ip nat outside
ip tcp adjust-mss 1412
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
shutdown
!
interface GigabitEthernet0/1/7
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address dhcp-pool L2TP_POOL
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
ip address 10.36.1.1 255.255.255.0
ip nat inside
!
interface Vlan2
ip address 10.36.2.1 255.255.255.0
ip nat inside
!
interface Vlan3
ip address 10.36.3.1 255.255.255.0
ip nat inside
!
interface Vlan36
ip address 10.36.36.1 255.255.255.0
ip nat inside
!
interface Dialer1
description DomRu
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxx password 0 xxxxxxxxxx
ppp ipcp dns request
!
interface Dialer2
description TelSvc
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxx password 0 xxxxxxxxxx
ppp ipcp dns request
crypto map CRYPTO_MAP
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map NAT-1-DR interface Dialer1 overload
ip nat inside source route-map NAT-2-TS interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 253
!
!
ip access-list extended ACL_OUTSIDE_IN
ip access-list extended LAN_NAT
permit ip 10.36.0.0 0.0.255.255 any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
ip sla schedule 1 life forever start-time now
ip access-list extended 197
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
route-map NAT-2-TS permit 10
match ip address LAN_NAT
match interface Dialer2
!
route-map NAT-1-DR permit 10
match ip address LAN_NAT
match interface Dialer1
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
!
ntp logging
ntp source Dialer2
ntp server 0.ru.pool.ntp.org
!
!
!
!
!
end

1 ACCEPTED SOLUTION
Georg Pauwen
VIP Expert

Hello,

chances are that this is caused by the MPPE encryption and/or the ms-chap. Try and remove that from the virtual template:

interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address dhcp-pool L2TP_POOL
--> no ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2

interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address dhcp-pool L2TP_POOL
--> no ppp encrypt mppe auto
--> ppp authentication chap

3 REPLIES

Hello!

Removing MPPE helped:

no ppp encrypt mppe auto

Thank you very much!
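Georg's diagnosis, confirmed by the OP above, is that `ppp encrypt mppe auto` on the virtual template is what forces a full Virtual-Access interface and trips FMANRP_ESS-4-FULLVAI. The Python script below is an added example (not from this thread or from Cisco) that parses a running-config into its `!`-delimited stanzas, reports any Virtual-Template carrying that feature, and emits the stanza as the accepted solution rewrites it. `SAMPLE_CONFIG` is a constructed excerpt modelled on the OP's config with indentation restored, and the `VAI_INCOMPATIBLE` table is an assumption that lists only the feature this thread confirmed. Because the L2TP session rides inside the IPsec transport-mode SA, dropping MPPE does not leave the PPP payload unencrypted on the wire; it only removes the redundant PPP-layer cipher.

```python
"""Flag Virtual-Template features that force a full Virtual-Access interface.

Added example, not from the thread or from Cisco.  Parses an IOS/IOS-XE
running-config into its '!'-delimited stanzas, audits every
'interface Virtual-Template<n>' for the feature this thread confirmed (MPPE),
and prints the stanza as the accepted solution rewrites it.
"""

# Assumption: only the feature confirmed in this thread is listed.  Extend the
# table as you verify other features that break Virtual-Access sub-interfaces.
VAI_INCOMPATIBLE = (
    ("ppp encrypt mppe", "MPPE forces a full Virtual-Access interface"),
)

# Constructed excerpt modelled on the OP's config (indentation restored).
SAMPLE_CONFIG = """\
!
interface Loopback1
 description L2TP_VPN_ENDPOINT
 ip address 10.36.254.1 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address dhcp-pool L2TP_POOL
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 ip address 10.36.1.1 255.255.255.0
 ip nat inside
!
"""


def stanzas(config):
    """Return [(header, [sub-commands])] for each '!'-delimited stanza.

    Leading whitespace is ignored, so this also copes with a paste that lost
    its indentation, as the OP's did; the first line of each group is the
    header and the rest are its sub-commands.
    """
    out, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            if current:
                out.append((current[0], current[1:]))
            current = []
            continue
        current.append(line)
    if current:
        out.append((current[0], current[1:]))
    return out


def virtual_templates(config):
    """Map 'Virtual-TemplateN' -> its sub-commands."""
    return {
        header.split(None, 1)[1]: body
        for header, body in stanzas(config)
        if header.lower().startswith("interface virtual-template")
    }


def audit_virtual_template(body):
    """Return [(offending line, reason)] for one virtual-template body."""
    return [
        (line, why)
        for line in body
        for prefix, why in VAI_INCOMPATIBLE
        if line.startswith(prefix)
    ]


def apply_accepted_fix(body, plain_chap=False):
    """Rewrite the body as the accepted solution does: drop MPPE, and with
    plain_chap=True also replace ms-chap/ms-chap-v2 by plain CHAP (the second
    variant Georg offered)."""
    fixed = []
    for line in body:
        if line.startswith("ppp encrypt mppe"):
            continue
        if plain_chap and line.startswith("ppp authentication"):
            line = "ppp authentication chap"
        fixed.append(line)
    return fixed


if __name__ == "__main__":
    for name, body in virtual_templates(SAMPLE_CONFIG).items():
        for line, why in audit_virtual_template(body):
            print(f"{name}: '{line}' -> {why}")
        print(f"interface {name}")
        for line in apply_accepted_fix(body):
            print(f" {line}")
```

Run it against the output of `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with the file's contents; the stanza splitter keys on `!` separators rather than indentation, so it works on pastes that lost their leading spaces.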

MHM Cisco World
Collaborator

follow