08-04-2005 06:07 AM
We are having problems getting VPN Pass Through to work on a Cisco 828 SDSL Router.
The Windows Server 2003 SBS is configured to allow VPN connections. On our old ADSL (Draytek ADSL modem) the system works perfectly and forwarding port 1723 allows people to login to the VPN and use the network remotely.
Purchased new SDSL line and Cisco 828 SDSL Router. Configured port 1723 and GRE (see config below).
When a client tries to connect it verifies username and password and then returns Error 721 - No response from server (suggesting that GRE is not being handled correctly).
All clients are Windows XP Pro with all service packs and patches.
Have read various posts and comments about this error, but all the suggestions state forward 1723 and enable GRE, which has been done.
Does GRE need to be enabled on the outgoing access list, which I assume is access-list 1?
I have a reasonable understanding of networking and routing but this is the first Cisco router I have had to work with.
Any suggestions or help are gratefully received.
=========================================
Network Diagram
=========================================
Internet
|
| (83.X.Y.Z)
CISCO 828 SDSL Router
| (192.168.1.1)
|
| (192.168.1.2)
Windows Server 2003 SBS
| (192.168.32.10)
|
Switch
| | |
Local network / workstations
=========================================
CISCO 828 Router Config
=========================================
Current configuration : 2470 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname i-83-X-Y-Z
!
boot-start-marker
boot system flash c828-oy6-mz.123-11.T3.bin
boot-end-marker
!
enable secret 5 xxxx
!
username admin password 7 xxxx
no aaa new-model
ip subnet-zero
!
!
ip cef
ip domain name myisp.net
ip name-server 194.X.Y.Z
ip name-server 194.X.Y.Z
ip inspect udp idle-time 180
ip inspect tcp idle-time 7500
ip inspect name f2s sip
ip inspect name f2s ftp
ip inspect name f2s icmp
ip inspect name f2s tcp
ip inspect name f2s udp
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
ip address negotiated
ip access-group 150 in
ip accounting output-packets
ip nat outside
ip inspect f2s out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxx
ppp chap password 7 xxxx
ppp pap sent-username xxxx password 7 xxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static udp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static tcp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
ip nat inside source static udp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 150 permit tcp any host 83.X.Y.Z eq 443
access-list 150 permit udp any host 83.X.Y.Z eq 443
access-list 150 permit tcp any host 83.X.Y.Z eq 1723
access-list 150 permit udp any host 83.X.Y.Z eq 1723
access-list 150 permit gre any host 83.X.Y.Z
access-list 150 deny ip any any
snmp-server enable traps tty
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 120 0
transport preferred none
transport output none
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7 xxxx
login
length 0
transport preferred none
transport input telnet
transport output none
!
scheduler max-task-time 5000
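As an added example (not from the thread or from Cisco), a small Python audit that reads the NAT and access-list lines from the 828 config above and checks what PPTP pass-through needs from the router: TCP 1723 reaching the inside server via a static NAT, and the inbound ACL on the outside interface permitting both TCP 1723 and GRE (IP protocol 47, which carries no port numbers and therefore needs its own entry). It only understands the any/host address forms used in this config, and the public address is the same 83.X.Y.Z placeholder the post uses.

```python
import re

PUBLIC = "83.X.Y.Z"      # placeholder exactly as written in the post
SERVER = "192.168.1.2"   # inside address of the SBS box from the diagram

# Constructed excerpt of the 828 config from the thread: only the lines the audit reads.
CONFIG = """\
interface Dialer1
 ip access-group 150 in
 ip nat outside
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
ip nat inside source static udp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
access-list 150 permit tcp any host 83.X.Y.Z eq 1723
access-list 150 permit udp any host 83.X.Y.Z eq 1723
access-list 150 permit gre any host 83.X.Y.Z
access-list 150 deny ip any any
"""

def outside_inbound_acl(cfg):
    """ACL number applied inbound on the interface marked 'ip nat outside' (None if absent)."""
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        if " ip nat outside" in block:
            m = re.search(r"ip access-group (\S+) in", block)
            return m.group(1) if m else None
    return None

def parse_entry(tokens):
    """Parse 'permit tcp any host X eq 1723' style entries (any/host addresses only)."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    def addr(r):
        return (r[1], r[2:]) if r[0] == "host" else (r[0], r[1:])
    src, rest = addr(rest)
    dst, rest = addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return action, proto, src, dst, port

def acl_entries(cfg, acl):
    return [parse_entry(l.split()[2:]) for l in cfg.splitlines()
            if l.startswith(f"access-list {acl} ")]

def acl_action(entries, proto, dst, port=None):
    """First-match evaluation; IOS ends every ACL with an implicit deny."""
    for action, eproto, _src, edst, eport in entries:
        if eproto in ("ip", proto) and edst in ("any", dst) and eport in (None, port):
            return action
    return "deny"

def audit_pptp(cfg, public, server):
    findings = []
    acl = outside_inbound_acl(cfg)
    entries = acl_entries(cfg, acl) if acl else []
    if acl_action(entries, "tcp", public, "1723") != "permit":
        findings.append("inbound ACL blocks TCP 1723 (PPTP control channel)")
    if acl_action(entries, "gre", public) != "permit":
        findings.append("inbound ACL blocks GRE (IP protocol 47, the PPTP data channel)")
    if f"ip nat inside source static tcp {server} 1723 {public} 1723" not in cfg:
        findings.append("no static NAT mapping TCP 1723 to the VPN server")
    if re.search(r"ip nat inside source static udp \S+ 1723 ", cfg):
        findings.append("info: UDP 1723 mappings are unused; the PPTP control channel is TCP only")
    return findings
```

Run against the config as posted, the audit finds nothing missing (only the informational note about the UDP 1723 lines), which is consistent with the thread's eventual conclusion that the router, not the config, was at fault.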
08-07-2005 10:28 PM
Hello,
try and take access list 150 off the dialer interface altogether, for testing purposes, and check if that makes a difference.
Which VPN client are you using ?
Regards,
GP
08-08-2005 12:12 AM
This has been tried and made no difference. Still getting the same errors.
VPN clients are Windows XP Pro (using the standard windows vpn connection)
08-08-2005 03:09 AM
Hello Matt,
the problem might be with the NAT, which alters the IP address of the VPN server. Try to disable address validation in your XP client's registry:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate the following subkey, where <000x> is the network adapter for the WAN Miniport (PPTP) driver:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<000x>
4. On the Edit menu, point to New, and then click DWORD Value.
5. Type ValidateAddress, and then press ENTER.
Note By default, the Data value is 0 (Off).
6. Quit Registry Editor.
7. Restart your computer.
Let me know if that does not help...
Regards,
GP
08-08-2005 06:21 AM
Thanks for the advice, but it doesn't seem to make any difference. Still getting the same error.
721: No response from server.
Just FYI 'show access-lists' lists the GRE line with 53 connections. This goes up as people try to connect... No connections are logged on the VPN server.
Could it be anything to do with the IP INSPECT lines?
08-08-2005 06:57 AM
08-16-2005 05:38 AM
I'm having this problem too with my Cisco 877W ADSL.
I've tried IOS version 12.3(8)YI, 12.8(14) and 12.4(2)T, disable cef, but it still exhibits the same problem.
I suspect there's PPTP passthrough problem with the IOS (using a sniffer, fragmented GRE exchanged indefinitely until the windows xp vpn client times out while verifying username/password).
Finally, my workaround was to allow only 1 client behind the router to access the VPN (by static NAT to that client). The rest of the clients use PAT.
This is definitely not satisfactory, but at least it enables one machine to access the VPN.
I'm keen to hear any solution (not ruling out my config error, but I've tried LOTS of variations).
08-16-2005 06:13 AM
Let's hope someone from Cisco looks at these forums and gives us some help. Earth calling Cisco ... anyone there?
Utopian, can you paste your config in here (just the NAT and PAT lines) so I can have a quick look. Do you mean that only 1 client can access the VPN?
I guess that is better than none, but as we have 3 remote workers at home it is not ideal.
08-22-2005 09:53 PM
>Error 721
Problem is with GRE, I don't know how to solve it on Cisco but I had same problem with Linux routers GRE redirection fix it.
Try with this (for testing):
!
access-list 101 permit ip any any
access-list 101 permit gre any any
!
ip nat inside source list 101 interface Dialer1 overload
!
11-21-2005 08:22 AM
Here's an update if anyone is having the same problems....
Got a Cisco Engineer in on £_loads_a_dosh per hour and he spent a day and a half struggling with it. His comment was the config is perfect. Doing a packet trace shows the connection packets arriving at the router, forwarded to the SBS server, SBS server replies, goes into the router and then promptly disappears. The client never gets a response back and times out.
Eventually got a new router (Cisco 878) and it worked perfectly first time. The config above is correct.
The problem is with the Cisco 828 routers or buggy IOS code. Haven't been able to try another 828 so it could have just been this one.
Thanks to everyone who offered their help and advice.
03-09-2006 08:03 PM
Hi, may I know what IOS version of your 828 fixes the issue? I've tried many, many versions on my 877 and it still doesn't work. Config is similar to yours. Keen to try out the version that works on yours.