Cisco Router and VPN Using PPTP

Mustapha Arakji
Level 1

Hi,

I have a router working as PPTP only, find the config attached. Everything is working fine except that it restarts from time to time (around 30 minutes). Checking the crash info, I found that it's a software issue. I tried to upgrade to several IOS versions, but nothing solved the issue.

Using the show log, I can see the below error:

Jul 24 09:50:02.195: %IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Virtual-Access2.26

I have noticed that this error keeps showing and the log is filled with it. Also note that ip virtual-reassembly is enabled, also tried to disable it but with no success.

Please advise.

5 Replies

Peter Paluch
Cisco Employee

Hello Mustapha,

This is a blind shot but try replacing all the ip virtual-reassembly in commands with ip virtual-reassembly. This should activate the VFR feature for both incoming and outgoing packets and stop the log messages from occurring. Whether it helps to prevent your router from crashing is unclear, though.

I am also concerned about these lines from your configuration:

ip nat inside source list vpn-pptp-pool1 interface GigabitEthernet0/1 overload
ip nat inside source list vpn-pptp-pool2 interface GigabitEthernet0/1 overload
ip nat inside source list vpn-pptp-pool3 interface GigabitEthernet0/1 overload

In these commands, you are referring to ACLs named vpn-pptp-pool1, vpn-pptp-pool2 and vpn-pptp-pool3. These ACLs do not exist in your configuration. There are local IP pools named identically, but they are irrelevant to this NAT configuration. It may be possible that referencing a non-existent ACL may be causing your issues. Please double check your configuration here - it seems that these three lines can be removed. At least, they should reference an existing ACL, and this must not act as "permit any".

Best regards,

Peter
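
The cross-check Peter describes above (every `ip nat inside source list` must point at an ACL that exists and does not act as "permit any") can be scripted against a saved running-config. This is an added example, not part of the thread: only the vpn-pptp-pool NAT lines come from the post, while the addresses, the ACL named NAT-CLIENTS and access-list 10 are constructed for illustration.

```python
import re

# Constructed sample: only the vpn-pptp-pool NAT lines come from the thread;
# addresses, NAT-CLIENTS and access-list 10 are invented for illustration.
SAMPLE_CONFIG = """\
ip local pool vpn-pptp-pool1 10.10.1.1 10.10.1.254
ip local pool vpn-pptp-pool2 10.10.2.1 10.10.2.254
ip access-list standard NAT-CLIENTS
 permit 10.10.0.0 0.0.255.255
access-list 10 permit any
ip nat inside source list vpn-pptp-pool1 interface GigabitEthernet0/1 overload
ip nat inside source list vpn-pptp-pool2 interface GigabitEthernet0/1 overload
ip nat inside source list NAT-CLIENTS interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload
"""

NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) (permit|deny) (.*)")
LOCAL_POOL = re.compile(r"^ip local pool (\S+)")
NAT_RULE = re.compile(r"^ip nat inside source list (\S+)")
PERMIT_ANY = {"permit any", "permit ip any any"}

def audit_nat_acls(config):
    """Return (acl, problem) pairs for 'ip nat inside source list' rules."""
    acls, pools, nat_refs, current = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        # Indented permit/deny lines belong to the named ACL opened above.
        if raw[:1].isspace() and current and line.startswith(("permit", "deny")):
            acls[current].append(line)
            continue
        current = None
        if m := NAMED_ACL.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := NUMBERED_ACL.match(line):
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
        elif m := LOCAL_POOL.match(line):
            pools.add(m.group(1))
        elif m := NAT_RULE.match(line):
            nat_refs.append(m.group(1))
    findings = []
    for name in nat_refs:
        if name not in acls:
            hint = " (a local pool has this name)" if name in pools else ""
            findings.append((name, "undefined ACL" + hint))
        elif any(entry in PERMIT_ANY for entry in acls[name]):
            findings.append((name, "ACL acts as permit any"))
    return findings
```
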

Thanks for the reply,

When I enter "ip virtual-reassembly" it automatically sets it to "in".

I tried to specify "ip virtual-reassembly out", and now both commands appear on the interface, but this didn't solve the log messages.

interface GigabitEthernet0/1
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out

interface virtual-template 1
 ip virtual-reassembly in
 ip virtual-reassembly out

As for the ip nat, you're right, I noticed that later on, and I removed them, with other non-related commands....

Also I removed the "ip unnumbered" on the "virtual-template 1" interface, and gave it a static IP, and I deleted all the loopback interfaces. Also removed the command "ip route 0.0.0.0 0.0.0.0 null0". After that my router now waits around 12 to 13 hrs before next restart!!!

I have attached the latest config.

Regards,

Hello Mustapha,

Thank you for the quick turnaround. I have gone over your latest config and these are my observations/questions:

  1. The ip virtual-reassembly out does not appear to be present. But I take it as my failed attempt to solve the error message so I am not going to pursue it further.
  2. You are running a fairly new IOS. Would you be willing to actually downgrade to a more stable version? The latest M version for your platform appears to be 15.1(4)M3. Your configuration is quite basic and I do not think that running the bleeding edge 'T' versions is necessary for you.
  3. With the current changes to the configuration, does the router produce any more logging messages? Also, has the stability improved, or is the router still crashing?

Thank you!

Best regards,

Peter

Hi,

1. I configured the "ip virtual-reassembly out" command, but that didn't solve the log messages problem. Anyway, as you advised, I will keep it under the interfaces.

2. I have downgraded my router to version 15.1(4)M4.

3. With the current changes, adding the "ip virtual-reassembly out" command, I'm still receiving log messages. No other logs appear except for the virtual-access interface status change up and down.

For now the router is still restarting after 12 to 13 hours. But let me wait for the next restart after the downgrade. I will keep you posted.

Jul 24 09:50:02.195: %IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually  disabled through CLI; VFR support for features that have internally  enabled, will be made available only when VFR is enabled manually on  interface Virtual-Access2.26

Thanks.

Problem not solved yet. Router is still restarting.

During my previous troubleshooting, I tried to move the configuration to another router, and the same behaviour surfaced. But the problem surfaced only after the users started to VPN to the router, I couldn't define exactly when.

Now I have left the configuration on the other router but stopped the users from accessing the router through VPN, and the router has been up for two weeks.

Also note that I tried to limit the number of simultaneous connected users to 30 (configuring the range of IPs in the PPTP pool), suspecting a limitation in number of sessions, but that didn't work...

I was suspecting the problem in NAT now, as I have found some bugs that point to a similar situation!!! What do you think?

What could be done to isolate the issue?
