11-02-2009 02:15 PM - edited 03-04-2019 06:35 AM
I have a router that is currently supporting a central office and a single crypto map vpn tunnel. It also supports a connection to a 3rd party network via a client initiated l2tp tunnel.
UPDATE: forgotten details: router 1841, with 12.4(15)T4
I have a need to begin supporting multiple branch office VPNs, so I wanted to implement dmvpn. I also wanted to clean up the config a little.
After switching to the new config, the l2tp tunnel was unable to connect. Other than cleaning up and reorganizing, I don't believe I changed what is being filtered, but I did switch from "allow established" to reflexive ACLs.
Also, I need to filter traffic from the 3rd party's tunnel from accessing our internal nets. Can an inbound ACL be applied to the Virtual-PPP interface, or do I need to block with outbound ACLs on our internal interfaces?
Configs (current-messy; new-clean) and error from l2tp connection attempt attached.
Thanks,
Jeff
current (messy)
11-03-2009 12:21 AM
Hello Jeff,
These kinds of errors
12:13.723: %L2TP-3-ILLEGAL: _____:_____: failed to get cc: no l2tp
db hdl, -Traceback= 0x60C1122C 0x61D0E258 0x61D0E410 0x61D0C104 0x61D2EE5C 0x60
6E0DEC 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F
548 0x6102F74C
*Nov 1 08:12:13.731: %L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_db_get_cc::1035
], -Traceback= 0x60C1122C 0x61D0E258 0x61D0E3FC 0x61D0C104 0x61D2EE5C 0x606E0DE
C 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F548 0
x6102F74C
*Nov 1 08:12:13.735: %L2TP-3-ILLEGAL: _____:_____: failed to get cc: no l2tp
db hdl, -Traceback= 0x60C1122C 0x61D0E258 0x61D0E410 0x61D0C104 0x61D2EE5C 0x60
6E0DEC 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F
548 0x6102F74C
*Nov 1 08:12:13.743: %L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_db_get_cc::1035
], -Traceback= 0x60C1122C 0x61D0E258 0x61D0E3FC 0x61D0C104 0x61D2EE5C 0x606E0DE
C 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F548 0
x6102F74C
*Nov 1 08:12:13.747: %L2TP-3-ILLEGAL: _____:_____: failed to get cc: no l2tp
db hdl, -Traceback= 0x60C1122C 0x61D0E258 0x61D0E410 0x61D0C104 0x61D2EE5C 0x60
6E
are the sign of a SW defect.
Without seeing your configuration, it is difficult to say more.
However, you should be able to apply an ACL on the virtual-PPP interface; for example, on one of our routers we have a crypto map applied on virtual-PPP.
I can see non-zero input packet counters on my virtual-PPP, so it should be possible to apply an ACL inbound on it.
Hope to help
Giuseppe