07-04-2023 03:29 AM
Here's the setup:
Cisco ISR4221 router is to be configured as PPPoE/PPTP/L2TP Server.
One ethernet port (GigabitEthernet0/0/0) of the router is connected to the Internet source, while the second ethernet port (GigabitEthernet0/0/0) is connected to a switch that is also connected to 1 Windows computer that will be used as PPTP client.
My problems:
1. The PPTP client cannot connect to the Internet, and the Cisco ISR4221 router shows the error message below.
.Jul 4 09:10:47.105: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
.Jul 4 09:10:47.106: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
.Jul 4 09:10:47.113: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
.Jul 4 09:10:47.116: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
.Jul 4 09:10:47.151: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x80007F58269BA6F0, ifnum= 17
Here is the router config:
Building configuration...
Current configuration : 3684 bytes
!
! Last configuration change at 09:08:21 UTC Tue Jul 4 2023
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.99.150 192.168.99.200
ip dhcp excluded-address 192.168.150.150 192.168.150.200
!
ip dhcp pool pool99
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 8.8.8.8 8.8.4.4
lease 0 1
!
!
!
no login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
ipv6 unicast-routing
ipv6 dhcp pool pool2222
prefix-delegation pool ForLanPC
address prefix 2222::/64
dns-server 2222::250
domain-name ipv6test.com
!
ipv6 dhcp pool pppoev6
prefix-delegation pool ForPPPoELAN
dns-server 1111::250
domain-name ipv6test2.com
!
ipv6 multicast-routing
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pppcon
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 2
l2tp tunnel receive-window 512
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2636929467
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2636929467
revocation-check none
rsakeypair TP-self-signed-2636929467
!
!
crypto pki certificate chain TP-self-signed-2636929467
!
!
license udi pid ISR4221/K9 sn FGL2622L6HL
license accept end user agreement
license boot suite FoundationSuiteK9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bba-group pppoe global
virtual-template 1
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address dhcp
ip nat outside
negotiation auto
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
ip address 192.168.99.1 255.255.255.0
ip nat inside
negotiation auto
pppoe enable group global
ipv6 address 2222::1/64
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server pool2222
ip virtual-reassembly
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/1
ip mtu 1492
ip nat inside
ip tcp adjust-mss 1452
peer default ip address pool pppoe
peer default ipv6 pool ForPPPoE
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server pppoev6
ppp mtu adaptive
ppp authentication chap pap ms-chap ms-chap-v2
ppp ipcp dns 8.8.4.4 8.8.8.8
ip virtual-reassembly
!
interface Virtual-Template2
ip unnumbered GigabitEthernet0/0/1
ip nat inside
peer default ip address pool vpn_pool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
ppp ipcp dns 8.8.4.4 8.8.8.8
ip virtual-reassembly
!
ip local pool pppoe 192.168.99.151 192.168.99.200
ip local pool vpn_pool 192.168.150.151 192.168.150.200
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
!
!
access-list 1 permit any
ipv6 local pool ForLanPC 4444::/48 64
ipv6 local pool ForPPPoELAN 3333::/48 64
ipv6 local pool ForPPPoE 1111::/48 64
!
!
!
!
ipv6 access-list dhcpv6
permit icmp any any
permit ipv6 any any
!
control-plane
!
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
password cisco
login
transport input ssh
line vty 5 15
login
transport input all
!
ntp server 34.208.249.133
!
!
!
!
!
end
07-04-2023 03:43 AM
This is the second post; the first one was about PPPoE.
Was the previous one solved, and now you are using a different protocol?
07-04-2023 04:10 AM
Hi,
The PPPoE issue has been resolved. I added the PPTP/L2TP VPN server on the same router because we need to create a testbed.
07-05-2023 07:28 AM
I see some command is missing from your config, so the above guide will help you.
07-07-2023 02:07 AM
Hi,
Thanks for your feedback.
I referenced the document you provided and changed the configuration on the router, but the issue still occurs.
This is the configuration on the router:
vpdn enable
!
vpdn-group pppcon
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 2
no l2tp tunnel authentication
l2tp tunnel timeout no-session 600
!
!
interface Loopback1
ip address 192.168.150.1 255.255.255.255
!
interface Virtual-Template2
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpn_pool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
ppp ipcp dns 8.8.4.4 8.8.8.8
!
ip local pool vpn_pool 192.168.150.151 192.168.150.200
07-07-2023 02:21 AM
vpdn enable
!
vpdn-group pppcon
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 2
no l2tp tunnel authentication
l2tp tunnel timeout no-session never
!
!
interface Loopback1
ip address 192.168.150.1 255.255.255.255
ip nat inside
!
interface Virtual-Template2
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpn_pool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
ppp ipcp dns 8.8.4.4 8.8.8.8
!
ip local pool vpn_pool 192.168.150.151 192.168.150.200
Make the above changes and check again.
07-10-2023 01:37 AM
Now the error message below is not shown on the Cisco ISR4221 router, but the PPTP client still cannot connect to the Internet.
.Jul 4 09:10:47.105: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
.Jul 4 09:10:47.106: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
.Jul 4 09:10:47.113: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
.Jul 4 09:10:47.116: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
.Jul 4 09:10:47.151: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x80007F58269BA6F0, ifnum= 17
This is the configuration on the router:
vpdn enable
!
vpdn-group pppcon
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 2
no l2tp tunnel authentication
l2tp tunnel timeout no-session never
!
interface Loopback1
ip address 192.168.150.1 255.255.255.255
ip nat inside
no ip virtual-reassembly
!
!
interface Virtual-Template2
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpn_pool
no keepalive
ppp authentication pap chap ms-chap ms-chap-v2
ppp ipcp dns 8.8.4.4 8.8.8.8
no ip virtual-reassembly
!