Cisco ISR 4321 L2TP Problem

Hi All

 

This is my first post here so please bear with me.

 

I am trying to connect an L2TP client to a Cisco ISR 4321 router (I have previously done this successfully with the 29xx series). The client connects, the virtual interface comes up, an IP address gets assigned and a route for the assigned IP gets added to the routing table, just like I expected. When I try to ping the assigned IP from the ISR router it times out. When I try to ping the ISR router from the client it times out. If I run "debug ip packet" I see the ping from the client on the ISR and I also see the ISR reply, but the ping response does not arrive at the client. So all traffic that goes out from the ISR on the virtual interface seems to just disappear.

 

I have configured L2TP only (no IPSec).

 

Here is show run

 

Current configuration : 4687 bytes
!
! Last configuration change at 12:02:20 UTC Fri Sep 1 2017 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname sssss
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp vpdn local
aaa authorization network default none
!
aaa session-id common
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
license udi pid ISR4321/K9 sn Fx
!
spanning-tree extend system-id
!
username xxxxx password 0 xxxxxxxx
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!!
!
interface Loopback5
 ip address 172.16.254.1 255.255.255.0
!
!
interface GigabitEthernet0/0/0
 description Connected to inet
 ip address x.x.x.x 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Connected to xxx
 ip address xxxxxxx
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0/0
 ip mtu 1460
 no peer default ip address
 ppp mtu adaptive
 ppp authentication chap vpdn
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input telnet
!
!
end

 

Any help would be greatly appreciated.

 

Thanks

 

Robert

18 REPLIES 18
Highlighted

Hi roberthudd,

 

Are you doing NAT/PAT on ISR 4321 ? If yes, have you configured NAT exemption for subnet assigned to L2TP client?

SD-WAN Specialist
Spooster IT Services
Highlighted

Hi

 

Thanks for the reply.  I am not running any NAT on the 4321.  I actually gave up and tried using an old 2911 with the exact same config and the L2TP session could successfully send and receive traffic.  I guess there is some bug in the 4321.

 

Thanks


Robert

Highlighted
Beginner

I have the same problem on my ISR 4321. On a 2911 this configuration works well. I still cannot find a solution.

Highlighted

Here's how I was able to work around it.

First, from the Privileged EXEC mode, enter

license right-to-use move appxk9

Then, from the Global config mode, enter

license boot level appxk9

Save the config and reload the router for the change to take effect.

I hope this helps someone who's facing this same issue in the future.

Cheers


Highlighted

Did it really work for you? It did not work for me

Highlighted
Beginner

Hi,

 

You'll need to activate the feature license called "appxk9" to forward L2TP traffic.

 

https://www.cisco.com/c/en/us/td/docs/routers/access/4400/software/configuration/guide/isr4400swcfg/bm_isr_4400_sw_config_guide_chapter_0101.html#concept_EE11CBA65D814447BD6913EF89E8D0C3

In Cisco 4000 Series ISR, although L2TPv2 sessions come up without appxk9, you need the appxk9 license for the traffic to go through the sessions. You also need the appxk9 license to apply the QoS policies to the L2TPv2 sessions.

 

#show license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
appxk9 yes yes no yes yes

 

Hope this helps.
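
As an added illustration (not part of the original reply, and not Cisco code), this Python example parses `show license feature` output in the column layout shown in this thread and reports whether a feature such as appxk9 is enabled, only available as right-to-use, or unlicensed. The function names are hypothetical; one sample is copied from output posted later in the thread and the other is constructed.

```python
# Column order of `show license feature`, as shown in the thread.
COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "right_to_use")

# Output as posted later in this thread (first `sh lic fea`), trimmed to four rows.
THREAD_OUTPUT = """\
Stef4321#sh lic fea
Feature name Enforcement Evaluation Subscription Enabled Right
appxk9 yes yes no yes yes
securityk9 yes yes no no yes
ipbasek9 no no no yes no
hseck9 yes no no no no
"""

# Constructed sample: appxk9 offered as right-to-use but not yet activated.
CONSTRUCTED_OUTPUT = """\
Router#show license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
appxk9 yes yes no no yes
ipbasek9 no no no yes no
"""

def parse_license_features(output):
    """Parse `show license feature` text into {feature: {column: bool}}."""
    features = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows are a feature name plus exactly five yes/no flags;
        # the prompt line and the header row fail this test and are skipped.
        if len(fields) != 6 or any(f not in ("yes", "no") for f in fields[1:]):
            continue
        features[fields[0]] = {c: f == "yes" for c, f in zip(COLUMNS, fields[1:])}
    return features

def license_status(output, feature):
    """Classify one feature: enabled, activatable, unlicensed or absent."""
    row = parse_license_features(output).get(feature)
    if row is None:
        return "absent"
    if row["enabled"]:
        return "enabled"
    return "right-to-use available" if row["right_to_use"] else "not licensed"

def blocked_features(output, required=("appxk9",)):
    """Map each required feature that is not enabled to its status."""
    result = {}
    for name in required:
        status = license_status(output, name)
        if status != "enabled":
            result[name] = status
    return result
```

An empty result from `blocked_features` means every required feature is enabled; the default requirement of appxk9 follows the documentation quoted in the reply above.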

Highlighted

Did it really work for you? It did not work for me

Highlighted

Yes, it works fine. Could you please post show version and show license to see whether this feature is enabled or not?

Highlighted

Thanks for replying. Find below

Stef4321#sh ver
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 17-Oct-16 20:23 by mcpre

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9

AdvUCSuiteK9          None                  None           None
uck9
cme-srst
cube

Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           appxk9           RightToUse       appxk9
uck9             None             None             None
securityk9       None             None             None
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4321/K9 (1RU) processor with 1648789K/6147K bytes of memory.
Processor board ID FDO2132A086
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.

Configuration register is 0x2102

Stef4321#sh lic
Index 1 Feature: appxk9
        Period left: Life time
        License Type: RightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 2 Feature: uck9
        Period left: Life time
        License Type: RightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: securityk9
        Period left: Life time
        License Type: RightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: Non-Counted
        License Priority: Low
Index 4 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 5 Feature: FoundationSuiteK9
        Period left: Life time
        License Type: RightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: Non-Counted
        License Priority: Low
Index 6 Feature: AdvUCSuiteK9
        Period left: Life time
        License Type: RightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: Non-Counted
        License Priority: Low
Index 7 Feature: cme-srst
        Period left: Life time
        License Type: RightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: 0/0  (In-use/Violation)
        License Priority: Low
Index 8 Feature: hseck9
Index 9 Feature: throughput
        Period left: Life time
        License Type: RightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 10 Feature: internal_service

 

Highlighted

Additionally

 

Stef4321#sh lic fea
Feature name Enforcement Evaluation Subscription Enabled Right
appxk9 yes yes no yes yes
uck9 yes yes no no yes
securityk9 yes yes no no yes
ipbasek9 no no no yes no
FoundationSuiteK9 yes yes no no yes
AdvUCSuiteK9 yes yes no no yes
cme-srst yes yes no no yes
hseck9 yes no no no no
throughput yes yes no yes yes
internal_service yes no no no no

Highlighted

Thanks for your information. Looks like securityk9 is not enabled. I assume you are using L2TP; you need this to be enabled. Try PPTP if you do not want to enable securityk9.

Highlighted

Yes, I'm using L2TP and securityk9 is now enabled as below. Still does not work. Any suggestions please?

vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 l2tp tunnel timeout no-session 15
 ip mtu adjust

interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0/1
 ip nat inside
 ip tcp adjust-mss 1400
 peer default ip address pool vpn1
 no keepalive
 ppp authentication pap chap ms-chap ms-chap-v2 eap
 ip virtual-reassembly

ip local pool vpn1 10.0.5.6 10.0.5.7


Stef4321#sh lic fea
Feature name Enforcement Evaluation Subscription Enabled Right
appxk9 yes yes no yes yes
uck9 yes yes no no yes
securityk9 yes yes no yes yes
ipbasek9 no no no yes no
FoundationSuiteK9 yes yes no no yes
AdvUCSuiteK9 yes yes no no yes
cme-srst yes yes no no yes
hseck9 yes no no no no
throughput yes yes no yes yes
internal_service yes no no no no

Highlighted

PS: I can connect but cannot ping any device on the network, not even the router itself

 

Highlighted

PS2: I'm using PPTP :) Sorry! I lost track due to many tests
