The problem is finally resolved in 15.1(4)M3. Looks like it might be related to this bug: CSCtq88777
Symptoms: VDSL controller and ATM interface remains up, however ATM PVC becomes inactive and virtual interface goes down.
Conditions: The symptom is observed when the ATM PVC becomes inactive causing the virtual interface to go down.
Workaround: Use a VBR-NRT value that is lower than trained upstream speed.
If this is the case, it should then be also fixed in 15.1(3)T3.
I never got to the bottom of this, but I can confirm version 15.0(1)M4 is the last one in the 15.0 branch where this problem doesn't happen; this is the version I'm using now, I've been using it for some months and the connection is completely stable under any load. Although some more releases did come up in the meantime, I didn't try any one of them. Maybe I'll do some more tests in the future, but for now I'm keeping the only firmware I know for sure works.
I have been using a Cisco 877 router at home for more than a year and I've always been quite happy with it, but I've stumbled upon a very strange issue after an IOS update. I was using IOS 15.0(1)M until last week, when I decided to configure the router as a VPN server (both for PPTP and L2TP/IPSEC) in order to be able to connect to my home network from outside; then I realized that IOS has a nasty bug on PPTP VPNs (it just ignores the ppp encrypt mppe auto instruction), so I updated it to the latest 15.1 release I could find, 15.1(3)T1. Everything worked. Until I launched Emule with some heavy download, and the connection dropped. And didn't come up again, even after a clear interface ATM 0: only rebooting the router solved the problem. Which, upon launching Emule again, again happened.

The problem seems to be related to opening lots of connections at the same time; "simple" heavy load (like downloading a big file at full speed) doesn't do any harm to the line, and configuring Emule to use a smaller number of connections and opening it more slowly seems to mitigate the problem, which anyway keeps happening after a while.

The strangest thing is, this is definitely related to the IOS version. It didn't happen before the upgrade, and I confirmed it stops happening if I reload the previous IOS on the router. Out of curiosity, I also tested some other IOS releases: 15.1(1)T, 15.0(1)M5 and even 12.4(24)T5. It always happens, only 15.0(1)M seems to prevent it... but it also seems to hate VPN encryption. And let's not even start talking about 15.1(4)M: I tried it and I wasn't ever able to successfully authenticate a VPN connection.

Of course, when I tried different IOS releases, the router's configuration always stayed the same. Here it is (stripped of personal details):

no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Cisco877
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.151-3.T1.bin
boot-end-marker
!
logging buffered 1048576
!
aaa new-model
aaa authentication login default local-case
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa session-id common
!
clock timezone WEST 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
clock save interval 8
!
dot11 syslog
!
ip source-route
ip cef
ip domain name <ISP DOMAIN NAME>
ip name-server <ISP DNS SERVER>
ip name-server <ISP DNS SERVER>
ip name-server <ISP DNS SERVER>
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN_CLIENTS
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
!
password encryption aes
!
username <USERNAME> privilege 15 password 7 <PASSWORD>
!
ip ssh version 2
!
crypto pki token default removal timeout 0
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 <KEY> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map VPN_DYN_MAP 1
 set nat demux
 set transform-set VPN_TS
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_DYN_MAP
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in
 peer default ip address pool VPN_POOL
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 ms-chap chap
!
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <ISP USERNAME> password 7 <ISP PASSWORD>
 crypto map VPN_MAP
!
ip local pool VPN_POOL 192.168.42.240 192.168.42.249
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication aaa
no ip http secure-server
!
ip dns server
!
ip nat inside source list 1 interface Dialer0 overload
! These two static NATs are for Emule
ip nat inside source static tcp 192.168.42.42 24242 188.8.131.52 24242 extendable
ip nat inside source static udp 192.168.42.42 24242 184.108.40.206 24242 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging esm config
logging trap debugging
access-list 1 permit 192.168.42.0 0.0.0.255
access-list 2 permit 192.168.42.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 transport input ssh
!
scheduler max-task-time 5000
ntp logging
ntp server <PUBLIC NTP SERVER>

How can I fix this without reloading the buggy IOS I was using before? If you need any debug information, feel free to ask and I'll provide it.

This is the current show version:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.1(3)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sun 27-Mar-11 12:37 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI6, RELEASE SOFTWARE

Cisco877 uptime is 34 minutes
System returned to ROM by reload at 19:55:24 CEST Wed Jul 6 2011
System restarted at 19:56:23 CEST Wed Jul 6 2011
System image file is "flash:c870-advipservicesk9-mz.151-3.T1.bin"
Last reload reason: Reload Command

<snip>

Cisco 877 (MPC8272) processor (revision 2.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ1124217M
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
128K bytes of non-volatile configuration memory.
53248K bytes of processor board System flash (Intel Strataflash)

And this is the current output of show dsl interface ATM 0:

ATM0
Alcatel 20190 chipset information
                      ATU-R (DS)                 ATU-C (US)
Modem Status:         Showtime (DMTDSL_SHOWTIME)
DSL Mode:             ITU G.992.1 (G.DMT) Annex A
ITU STD NUM:          0x01                       0x1
Vendor ID:            'STMI'                     'GSPN'
Vendor Specific:      0x0000                     0x0008
Vendor Country:       0x0F                       0xFF
Chip ID:              C196 (0)
DFE BOM:              DFE3.0 Annex A (1)
Capacity Used:        77%                        80%
Noise Margin:         14.5 dB                    14.0 dB
Output Power:         18.5 dBm                   12.0 dBm
Attenuation:          30.5 dB                    16.5 dB
FEC ES Errors:        0                          0
ES Errors:            1                          1
SES Errors:           0                          0
LOSES Errors:         0                          0
UES Errors:           0                          0
Defect Status:        None                       None
Last Fail Code:       None
Watchdog Counter:     0x78
Watchdog Resets:      0
Selftest Result:      0x00
Subfunction:          0x00
Interrupts:           4123 (0 spurious)
PHY Access Err:       0
Activations:          1
LED Status:           ON
LED On Time:          100
LED Off Time:         100
Init FW:              init_AMR-4.0.015_no_bist.bin
Operation FW:         AMR-4.0.015.bin
FW Source:            embedded
FW Version:           4.0.15
                      Interleave    Fast         Interleave    Fast
Speed (kbps):         8608          0            640           0
DS User cells:        24118         0
US User & Idle cells:                            3245456       0
Reed-Solomon EC:      20            0            0             0
CRC Errors:           1             0            3             0
Header Errors:        1             0            0             0
Total BER:            5969E-13      0E-0
Leakage Average BER:  5969E-13      0E-0
                      ATU-R (DS)                 ATU-C (US)
Bitswap:              enabled                    enabled
LOM Monitoring :      Disabled

DMT Bits Per Bin
000: 0 0 0 0 0 0 2 3 6 7 8 9 9 9 9 A
010: A A A A A A A 9 9 8 8 8 8 0 0 0
020: 0 7 9 9 9 B B C C C C C D D D D
030: D D D D D D C D D D D D D D D D
040: 0 D D D C D C C C C C C C C C C
050: C C C C C C C C C C C C C C C 2
060: C C C C C B C C C C C C B C C C
070: C B B B B B B B B B B B B B B B
080: B B B B B B B B B B B B B B B B
090: B B B B B B B B B B B B B B B B
0A0: B B B B B B B B B A A A A A A A
0B0: A A A A A A A A A A A A A A A A
0C0: A A A A A A A A A A A A A A A A
0D0: A A A A A 9 9 9 9 9 9 9 9 9 9 9
0E0: 9 9 9 9 9 9 9 8 9 9 9 9 9 9 9 9
0F0: 8 8 9 9 8 8 8 9 9 9 8 8 8 8 7 6
DSL: Training log buffer capability is not enabled

Also, any suggestion at fine-tuning the router would be greatly appreciated; I can currently reach 7M/512K top speed, on a very stable line. Thanks for any help
I have a Cisco 877 router and I configured it to act as a VPN server, supporting both PPTP and L2TP VPNs. I can successfully connect to it from Windows computers using the built-in VPN software. There is only one problem: when using a PPTP VPN, encryption doesn't work. If I configure the client to require encryption (default setting), the connection fails with an error about the remote endpoint not supporting it. If I remove the encryption requirement, the connection succeeds. I've also tried tweaking the encryption settings (40/128 bits), but this didn't work either. This is the relevant part of the router's configuration:

vpdn enable
ip local pool VPN_Pool 192.168.42.250 192.168.42.254
ip unnumbered Vlan1
ip nat inside
peer default ip address pool VPN_Pool
ppp encrypt mppe auto required
ppp authentication ms-chap-v2 ms-chap chap
The router's IOS version is 15, and it fully supports encryption. The strangest thing is, encryption is actually required in the router config; but not only does the router not seem to offer it... it also accepts unencrypted connections, which it shouldn't. It's like the ppp encrypt mppe auto required command is completely ignored. How can I fix this?
Looks like having to use password instead of secret is by design: http://www.cisco.com/en/US/docs/ios/12_1/12_1e8/feature/guide/8e_md5.html. Still no luck with the encryption issue, though... Also, it looks like the encryption issue was a bug; I updated the router's IOS from version 15.0(1) to 15.1(3) and now the problem is gone.
I have a Cisco 877 router at home, and I'm trying to configure it to act as a VPN server in order to be able to connect to my home network when I'm outside; I want it to work with standard Microsoft VPN client software (which supports PPTP and L2TP). This is the output of the "show version" command:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 30-Sep-09 08:42 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI6, RELEASE SOFTWARE

The router has quite a basic setup: a single username with privilege level 15, a single VLAN comprising all four Ethernet ports, an ADSL connection to my ISP, an internal IP address of 192.168.42.1/24, an external IP address assigned by my ISP, NAT enabled. This is my current configuration (stripped of non-relevant or private information):

service password-encryption
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa session-id common
ip source-route
ip cef
ip domain name <my ISP's DNS name>
ip name-server <my ISP's DNS server>
no ipv6 cef
password encryption aes
username <Router's username> privilege 15 secret 5 <The encrypted password for my user account>
interface ATM0
 no ip address
 no atm ilmi-keepalive
interface ATM0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet0
 spanning-tree portfast
interface FastEthernet1
 spanning-tree portfast
interface FastEthernet2
 spanning-tree portfast
interface FastEthernet3
 spanning-tree portfast
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <My ISP's username> password 7 <The encrypted ISP password>
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.42.0 0.0.0.255
dialer-list 1 protocol ip permit

This is the configuration I'm currently testing for PPTP VPN (I'd prefer L2TP, but it looks a lot more complex, so I think it's better to get PPTP working before that):

vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool clients
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
ip local pool clients 192.168.42.250 192.168.42.254

This sort of works, but I'm having some very strange problems with authentication and encryption:

Authentication only works if I configure user accounts using password instead of secret. That is, my main (and usually only) user account, which uses secret, doesn't work at all; if I create another one using secret, it doesn't work; if I create it using password, it then works. Is this supposed to work this way (and if so, why?), or is this some sort of bug? Why wouldn't secret work for VPN clients authentication?

Encryption doesn't work at all, even if I'm running a firmware which supports it, and I configured it in the Virtual-Template interface. If I configure my client to require encryption (which is the default), it fails the connection saying the remote endpoint doesn't support it; if I configure it to not require it, it connects successfully, even if it shouldn't, because the router is configured to require it. What am I missing here?

Also, as a side note: I'm assigning local addresses to VPN clients; but what if I wanted to use other addresses for them and then route them to my local network? I've tried, but the client doesn't get a routing table entry for 192.168.42.0/24, so it can't talk with it. How should this be configured? Thanks for any help.
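As an added example (not part of either post above, and not a Cisco tool), a small Python audit that groups a running-config into blocks by IOS indentation and checks every Virtual-Template for the settings both PPTP posts are about: whether MPPE is actually 'required', whether 'auto' still admits 40-bit keys, and whether the 'ppp authentication' list offers CHAP or PAP, which cannot derive MPPE keys at all (MPPE keys come only from MS-CHAP/MS-CHAPv2). SAMPLE_CONFIG is a constructed fragment modelled on the thread's Virtual-Template1, with the indentation the scraped posts lost.

```python
# Constructed sample, modelled on the Virtual-Template1 posted in the thread
# (indented as IOS prints it; the thread's copy lost its indentation).
SAMPLE_CONFIG = """\
vpdn enable
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool VPN_POOL
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 ms-chap chap
!
interface Vlan1
 ip address 192.168.42.1 255.255.255.0
"""


def parse_blocks(config):
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # skip blanks and IOS comments
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def audit_virtual_templates(config):
    """Return {interface: [findings]} for every Virtual-Template in config."""
    findings = {}
    for header, lines in parse_blocks(config).items():
        if not header.lower().startswith("interface virtual-template"):
            continue
        issues = []
        mppe = next((ln for ln in lines if ln.startswith("ppp encrypt mppe")), None)
        auth = next((ln for ln in lines if ln.startswith("ppp authentication")), None)
        if mppe is None:
            issues.append("no 'ppp encrypt mppe': PPP sessions are never encrypted")
        else:
            if "required" not in mppe.split():
                issues.append("MPPE not 'required': unencrypted sessions are accepted")
            if "auto" in mppe.split():
                issues.append("MPPE 'auto' also admits 40-bit keys; use 'mppe 128'")
        methods = auth.split()[2:] if auth else []   # words after 'ppp authentication'
        weak = [m for m in methods if m in ("chap", "pap")]
        if weak:
            issues.append(f"{','.join(weak)} cannot derive MPPE keys; MPPE needs MS-CHAP(v2)")
        if "ms-chap" in methods:
            issues.append("MS-CHAPv1 offered; prefer ms-chap-v2 only")
        findings[header] = issues
    return findings
```

Feed it the text of `show running-config`; an empty list for an interface means all four checks passed.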
That covers almost every possible scenario... excluding mine! Amazing. It sure sheds some light... I'll do some other tests. However, if someone knows how to allow L2TP/IPSEC connections from Windows clients without using the VPN client, I'd appreciate it a lot
I've been trying for a while to set up my Cisco 877 router as a VPN server, in order to be able to access my network from the outside. My goal is to use standard Windows (or Linux) VPN client software to connect, without the need for Cisco VPN Client. Is this possible at all? I'd think so, but I've been unable to make it work. Also, although I have quite a bit of Cisco routers/switches experience, I'm very confused at the whole crypto/isakmp thing; I've read tons of documentation and tried out some configurations, but I just don't seem to have grasped enough of it.

My goals:
As I said, I want to be able to connect from any client system which natively supports VPNs, without the need for the Cisco VPN Client.
I want to use L2TP/IPSEC.
I want to use a pre-shared key (no certificates, please).
I want the router to assign internal IP addresses from a defined pool (no DHCP).
I want to use the router's own authentication (no RADIUS).
I want to be able to connect the same way from anywhere (no ACLs or custom VPN profiles based on peer address).

Some details about my configuration:
IOS version is "(C870-ADVIPSERVICESK9-M), Version 15.0(1)M"
The router has four Ethernet ports belonging to the default VLAN 1, where it has the IP address 192.168.42.1/24.
The WAN interface is a PPP ADSL with a single (static but dynamically-assigned) public IP address; the external interface is Dialer0.
The router does NAT for the internal network.
The router is already using AAA, thus configured:

aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local

There is a single local user with privilege level 15, let's call it "username"; it's ok for me to use the same one for VPN access.

I can post samples of the various configurations I tried, but I'm not quite sure what is correct and what is not about them, so I'm not posting them for now; I will, if asked.
Can someone please provide me a working configuration for this setup? Thanks