Core issue
The PIX is not configured properly to allow Point-to-Point Tunneling Protocol (PPTP) connections, or the authentication is failing.
Resolution
- Verify that the following commands are in the PIX configuration.
ip local pool pool_name pool_start-address[-pool_end-address]
sysopt connection permit-pptp
vpdn group group_name accept dialin pptp
vpdn group group_name ppp authentication pap
vpdn group group_name ppp authentication chap
vpdn group group_name ppp authentication mschap
vpdn group group_name client configuration address local address_pool_name
vpdn enable outside
vpdn group group_name client authentication local
vpdn username username password password
- Verify that the following command is not in the PIX configuration.
vpdn group group_name ppp encryption mppe auto
- Turn on debug using the debug vpdn event command, and verify that you can still connect with the local username.
- Add the following commands.
aaa-server server_group_name protocol radius|tacacs+
aaa-server server_group_name host ip_address key timeout 5
- Use the vpdn group group_name client authentication aaa server_group_name command to change the authentication to point to the authentication server.
- Turn on the debug ppp uauth command and try to make the connection.
For more information about these commands, see Cisco Secure PIX Firewall Command References.
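The first two verification steps above can be run as a script against a saved copy of the configuration. This is an added example, not Cisco tooling: the function name audit_pptp, the finding labels, and the sample configuration (pool name, addresses, username) are constructed for illustration.

```python
import re

# (label, regex) for each command the first step requires; \S+ stands in for
# the page's placeholders (group_name, pool_name, username, ...).
REQUIRED = [
    ("ip local pool", r"ip local pool (?P<pool>\S+) \S+"),
    ("sysopt connection permit-pptp", r"sysopt connection permit-pptp"),
    ("accept dialin pptp", r"vpdn group \S+ accept dialin pptp"),
    ("ppp authentication pap", r"vpdn group \S+ ppp authentication pap"),
    ("ppp authentication chap", r"vpdn group \S+ ppp authentication chap"),
    ("ppp authentication mschap", r"vpdn group \S+ ppp authentication mschap"),
    ("client configuration address local",
     r"vpdn group \S+ client configuration address local (?P<ref>\S+)"),
    ("vpdn enable outside", r"vpdn enable outside"),
    ("client authentication local", r"vpdn group \S+ client authentication local"),
    ("vpdn username", r"vpdn username \S+ password \S+"),
]
# The second step: this line must be absent.
FORBIDDEN = r"vpdn group \S+ ppp encryption mppe auto"

# Constructed sample: mschap missing, mppe line present, pool name mistyped.
SAMPLE_CONFIG = """\
ip local pool pptp-pool 192.168.1.1-192.168.1.50
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp_pool
vpdn group 1 client authentication local
vpdn username testuser password testpass
vpdn enable outside
"""

def audit_pptp(config_text):
    """Return findings for steps one and two; an empty list means both pass."""
    lines = [" ".join(l.split()) for l in config_text.splitlines() if l.strip()]
    findings, named = [], {"pool": set(), "ref": set()}
    for label, pattern in REQUIRED:
        hits = [m for l in lines if (m := re.fullmatch(pattern, l))]
        if not hits:
            findings.append(f"missing: {label}")
        for m in hits:
            for key, value in m.groupdict().items():
                named[key].add(value)  # record defined and referenced pools
    findings += [f"remove: {l}" for l in lines if re.fullmatch(FORBIDDEN, l)]
    findings += [f"undefined pool: {p}" for p in sorted(named["ref"] - named["pool"])]
    return findings
```

Calling audit_pptp(SAMPLE_CONFIG) reports the missing mschap line, the mppe line to remove, and the address pool that the vpdn group references but no ip local pool command defines.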