Solved: Re: vpdn l2tp internal network cannot ping - Page 4

kev_mas01 · ‎11-21-2020

i have the below config on the router VPN from windows 10 pc is connected but cannot ping internal network please guide me

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent telnet telnethandler
connection wait none
!
!
!
!
!
!
!
!
ip name-server 84.X.X.55 84.XX.X.230

multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication

!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 no-xauth
!
crypto isakmp client configuration group cisco
key cisco123
pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
reverse-route
!
!
!
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap

interface Loopback1
ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0
ip address 51.X.X.247 255.255.255.0
ip nat outside
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/0/1
ip address 10.10.40.1 255.255.255.0
ip nat inside
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.2 255.255.255.0
ip nat inside
media-type sfp
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 50.50.50.1 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
router ospf 1
network 10.10.40.1 0.0.0.0 area 0
network 51.211.161.247 0.0.0.0 area 0
!
ip local pool PP 192.168.0.10 192.168.0.15
ip local pool vpnpool 192.168.160.1 192.168.160.10
ip http server
ip http secure-server
ip forward-protocol nd
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 51.X.X.246
ip route 10.0.0.0 255.255.255.0 10.0.2.1
ip route 10.0.1.0 255.255.255.0 10.0.2.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip route 10.0.3.0 255.255.255.0 10.0.2.1
ip route 10.0.4.0 255.255.255.0 10.0.2.1
ip route 10.10.50.0 255.255.255.0 10.10.40.2
ip route 10.100.0.0 255.255.255.0 10.0.2.1
ip route 10.110.0.0 255.255.255.0 10.0.2.1
ip route 10.120.0.0 255.255.255.0 10.0.2.1
ip route 20.20.20.0 255.255.255.0 10.10.40.2
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 192.168.10.0 255.255.255.0 10.0.2.1
ip route 192.168.50.0 255.255.255.0 10.10.40.2
ip route 192.168.160.0 255.255.255.0 10.10.40.2
!

ip access-list extended natlist
10 permit ip 10.10.20.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
30 permit ip 10.0.3.0 0.0.0.255 any
40 permit ip 10.0.4.0 0.0.0.255 any
50 permit ip 10.100.0.0 0.0.0.255 any
60 permit ip 10.110.0.0 0.0.0.255 any
70 permit ip 10.120.0.0 0.0.0.255 any
80 permit ip 10.0.0.0 0.0.0.255 any
90 permit ip 10.0.1.0 0.0.0.255 any
100 permit ip 192.168.10.0 0.0.0.255 any
110 permit ip 192.168.50.0 0.0.0.255 any
120 permit ip 10.10.30.0 0.0.0.255 any
130 permit ip 192.168.40.0 0.0.0.255 any
140 permit ip 192.168.2.0 0.0.0.255 any
150 permit ip 20.20.20.0 0.0.0.255 any
160 permit ip 10.10.40.0 0.0.0.255 any
170 permit ip 10.10.50.0 0.0.0.255 any
180 permit ip 192.168.3.0 0.0.0.255 any
190 permit ip 192.168.160.0 0.0.0.255 any
200 permit ip 192.168.1.0 0.0.0.255 any
!
!

Please guide me to able to ping to internal network 10.10.40.2 as i have my core switch connected on this port

kev_mas01 · ‎11-24-2020

AtheerISR#sh license all
Smart Licensing Status
======================

Smart Licensing is ENABLED

License Conversion:
Automatic Conversion Enabled: False
Status: Not started

Export Authorization Key:
Features Authorized:
<none>

Utility:
Status: DISABLED

Smart Licensing Using Policy:
Status: ENABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

Miscellaneous:
Custom Id: <empty>

Policy:
Policy in use: Merged from multiple sources.
Reporting ACK required: yes (CISCO default)
Unenforced/Non-Export Perpetual Attributes:
First report requirement (days): 365 (CISCO default)
Reporting frequency (days): 0 (CISCO default)
Report on change (days): 90 (CISCO default)
Unenforced/Non-Export Subscription Attributes:
First report requirement (days): 90 (CISCO default)
Reporting frequency (days): 90 (CISCO default)
Report on change (days): 90 (CISCO default)
Enforced (Perpetual/Subscription) License Attributes:
First report requirement (days): 0 (CISCO default)
Reporting frequency (days): 0 (CISCO default)
Report on change (days): 0 (CISCO default)
Export (Perpetual/Subscription) License Attributes:
First report requirement (days): 0 (CISCO default)
Reporting frequency (days): 0 (CISCO default)
Report on change (days): 0 (CISCO default)

Usage Reporting:
Last ACK received: <none>
Next ACK deadline: Nov 16 06:25:01 2021 UTC
Reporting push interval: 30 days
Next ACK push check: <none>
Next report push: Nov 24 15:01:31 2020 UTC
Last report push: <none>
Last report file write: <none>

Trust Code Installed: <none>

License Usage
=============

appxk9 (ISR_4331_Application):
Description: appxk9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: appxk9
Feature Description: appxk9
Enforcement type: NOT ENFORCED
License type: Perpetual

securityk9 (ISR_4331_Security):
Description: securityk9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: securityk9
Feature Description: securityk9
Enforcement type: NOT ENFORCED
License type: Perpetual

Product Information
===================
UDI: PID:ISR4331/K9,SN:FDO24370BT3

Agent Version
=============
Smart Agent for Licensing: 5.0.6_rel/47

License Authorizations
======================
Overall status:
Active: PID:ISR4331/K9,SN:FDO24370BT3
Status: NOT INSTALLED
Status:PAK

Legacy License Info:
regid.2014-12.com.cisco.ISR_4331_Security,1.0_dba7c7eb-f2b3-4824-9690-10e46d998fa5:
DisplayName: securityk9
Description: securityk9
Total available count: 1
Term information:
Active: PID:ISR4331/K9,SN:FDO24370BT3
License type: PERPETUAL
Term Count: 1

Please check if its activated..

kev_mas01 · ‎11-26-2020

i tried ...

sh license summary
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
appxk9 (ISR_4331_Application) 1 IN USE
securityk9 (ISR_4331_Security) 1 IN USE

This is the licenses active..

sh license usage
License Authorization:
Status: Not Applicable

appxk9 (ISR_4331_Application):
Description: appxk9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: appxk9
Feature Description: appxk9
Enforcement type: NOT ENFORCED
License type: Perpetual

securityk9 (ISR_4331_Security):
Description: securityk9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: securityk9
Feature Description: securityk9
Enforcement type: NOT ENFORCED
License type: Perpetual

i feel there is some issue with the configuration or the ios image needs to be changed to the stable version. because i feel that ios image i had put is he amsterdam one...i m thinking to downgrade to 16.9

amikat · ‎11-26-2020

Hi,

Thanks for the response. While I have checked the bug tool and have not identified any bug which could be related I think it is a good idea to downgrade. As I have already mentioned my lab setup using your router configuration works just fine but at the moment I have not your router model available so I am using a different box with another IOS release.

I would be interested to see the "debug cry isakmp" and "debug cry ipsec" outputs taken when VPN connection is attempted - please beware these are rather chatty.

Best regards,

Antonin

kev_mas01 · ‎11-28-2020

i have attached the debug file please check the txt file..

kev_mas01 · ‎11-28-2020

i have attached the debug file please check

MHM Cisco World · ‎11-29-2020

.....

kev_mas01 · ‎11-29-2020

i m still getting same error of port is closed.. router config is attached this is latest.. Please check

kev_mas01 · ‎11-30-2020

i put the config what u have guided me still no luck port is closed it says.. i m attaching the new debug info

amikat · ‎11-29-2020

Hi,

Thanks for the information supplied. The indication of your issue is almost at the end of the debug:

"%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. ......"

There are couple of bugs found relating this message but none fits exactly to your box. Before we go any further can you please post your current router configuration as I understand you have changed it several times since the original one. Please BEWARE that up to now you have published quite a lot of the sensitive information as for your configuration so PLEASE change at least your authentication data (ie. username/password) with the IMMEDIATE EFFECT and do not publish these any more.

Thanks & Regards,

Antonin

kev_mas01 · ‎11-29-2020

i have attached my latest router config.. Please check still i get that the port is closed i dont understand it at all...

amikat · ‎11-30-2020

Hi,

Thanks for the reply and the information supplied. Will you please adjust your current router configuration as per beneath:

1) Please change your pre-shared key (cisco) to another secret (both sides) and do NOT publish this any more.

2) Please add the command "reverse-route" under the "crypto dynamic-map ipnet-map 10".

3) Please add the command "ip nat inside" under the "interface Virtual-Template2".

4) Please add the command "permit ip 172.10.1.0 0.0.0.255 any" under the "ip access-list extended natlist".

5) Please check your WAN miniport L2TP configuration as follows: Properties > Networking tab > double click on IPv4 > click Advanced > check Use default gateway on remote network (default setting).

If still experiencing VPN error 619 can you please post the debug output (debug cry isakmp, debug cry ipsec, debug ppp negot) taken when VPN is initiated.

Thanks & Regards,

Antonin

kev_mas01 · ‎11-30-2020

i have attached the new debug with new config.. please check

amikat · ‎11-30-2020

Hi,

Thanks for the reply. Can you please try to remove the configuration command "ppp encrypt mppe 40" under the "interface Virtual-Template2" and try again.

Thanks & Regards,

Antonin

kev_mas01 · ‎11-30-2020

hey, thanks when i remove ppp encrypt it now connects great !!!

but i have another small issue is that cannot ping my internal network...Please guide me for that

amikat · ‎12-01-2020

Hi,

Thanks for the update. Can you please post the "sh ip int br" and "sh ip rou" commands output (router) and also "ipconfig /all" (PC).

Best regards,

Antonin