09-01-2017 05:35 AM - edited 03-12-2019 04:30 AM
Hi All
This is my first post here so please bear with me.
I am trying to connect an L2TP client to a Cisco ISR 4321 router (I have previously done this successfully with 29xx series). The client connects, the virtual interface comes up, an IP address gets assigned and a route for the assigned IP gets added to the routing table, just like I expected it to. When I try to ping the assigned IP from the ISR router it times out. When I try to ping the ISR router from the client it times out. If I run "debug ip packet" I see the ping from the client on the ISR and I also see the ISR reply, but the ping response does not arrive at the client. So all traffic that goes out from the ISR on the virtual interface seems to just disappear.
I have configured L2TP only (no IPSec).
Here is show run
Current configuration : 4687 bytes
!
! Last configuration change at 12:02:20 UTC Fri Sep 1 2017 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname sssss
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp vpdn local
aaa authorization network default none
!
aaa session-id common
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
license udi pid ISR4321/K9 sn Fx
!
spanning-tree extend system-id
!
username xxxxx password 0 xxxxxxxx
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!!
!
interface Loopback5
ip address 172.16.254.1 255.255.255.0
!
!
interface GigabitEthernet0/0/0
description Connected to inet
ip address x.x.x.x 255.255.255.224
negotiation auto
!
interface GigabitEthernet0/0/1
description Connected to xxx
ip address xxxxxxx
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0
ip mtu 1460
no peer default ip address
ppp mtu adaptive
ppp authentication chap vpdn
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input telnet
!
!
end
Any help would be greatly appreciated.
Thanks
Robert
09-06-2017 10:12 AM
Hi roberthudd,
Are you doing NAT/PAT on the ISR 4321? If yes, have you configured NAT exemption for the subnet assigned to the L2TP client?
09-06-2017 05:39 PM
Hi
Thanks for the reply. I am not running any NAT on the 4321. I actually gave up and tried using an old 2911 with the exact same config and the L2TP session could successfully send and receive traffic. I guess there is some bug in the 4321.
Thanks
Robert
12-14-2017 07:45 PM
I have the same problem on my ISR 4321. On a 2911 this configuration works well. I still cannot find a solution.
12-31-2018 03:02 AM - edited 12-31-2018 03:07 AM
Here's how I was able to work around it.
First, from Privileged EXEC mode, enter
license right-to-use move appxk9
Then, from Global config mode, enter
license boot level appxk9
Save the config and reload the router for the change to take effect.
I hope this helps someone who's facing this same issue in the future.
Cheers
07-01-2019 05:37 AM
Did it really work for you? It did not work for me
10-10-2018 09:57 PM
Hi,
You'll need to activate the feature license called "appxk9" to forward L2TP traffic.
In the Cisco 4000 Series ISR, although L2TPv2 sessions come up without appxk9, you need the appxk9 license for the traffic to go through the sessions. You also need the appxk9 license to apply QoS policies to the L2TPv2 sessions.
#show license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
appxk9 yes yes no yes yes
Hope this helps.
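A check for the license state described in the post above, as an added example that is not part of the thread and is not Cisco code: it parses pasted `show license feature` text and lists required features not shown as Enabled. The function names and the `required` parameter are assumptions made for this example; the first sample is a subset of rows from output posted later in this thread, the second is constructed.

```python
# Added example: column order follows the "show license feature" header in the thread.
COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "right_to_use")

# Subset of rows copied from output posted later in this thread.
THREAD_OUTPUT = """\
Stef4321#sh lic fea
Feature name Enforcement Evaluation Subscription Enabled Right
appxk9 yes yes no yes yes
uck9 yes yes no no yes
securityk9 yes yes no no yes
ipbasek9 no no no yes no
throughput yes yes no yes yes
"""

# Constructed sample (not from the thread): appxk9 listed but not enabled.
CONSTRUCTED_OUTPUT = """\
Feature name Enforcement Evaluation Subscription Enabled RightToUse
appxk9 yes yes no no yes
ipbasek9 no no no yes no
"""


def parse_license_features(output):
    """Return {feature: {column: bool}} from 'show license feature' text."""
    features = {}
    for line in output.splitlines():
        tokens = line.split()
        # A data row is one feature name followed by exactly five yes/no flags;
        # the prompt line and the header do not match and are skipped.
        if len(tokens) != len(COLUMNS) + 1:
            continue
        flags = [t.lower() for t in tokens[1:]]
        if any(f not in ("yes", "no") for f in flags):
            continue
        features[tokens[0]] = {c: f == "yes" for c, f in zip(COLUMNS, flags)}
    return features


def missing_licenses(output, required=("appxk9",)):
    """List required features that are absent or not shown as Enabled."""
    features = parse_license_features(output)
    return [f for f in required if not features.get(f, {}).get("enabled", False)]


if __name__ == "__main__":
    print(missing_licenses(THREAD_OUTPUT, ("appxk9", "securityk9")))
    print(missing_licenses(CONSTRUCTED_OUTPUT))
```

The check reads license state only; it does not confirm that traffic passes through the session.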
07-03-2019 02:31 AM
Did it really work for you? It did not work for me
07-03-2019 03:50 PM
Yes, it works fine. Could you please post show version and show license to see whether this feature is enabled or not?
07-03-2019 10:44 PM
Thanks for replying. Find below
Stef4321#sh ver
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 17-Oct-16 20:23 by mcpre
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9
AdvUCSuiteK9 None None None
uck9
cme-srst
cube
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 appxk9 RightToUse appxk9
uck9 None None None
securityk9 None None None
ipbase ipbasek9 Permanent ipbasek9
cisco ISR4321/K9 (1RU) processor with 1648789K/6147K bytes of memory.
Processor board ID FDO2132A086
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
Configuration register is 0x2102
Stef4321#sh lic
Index 1 Feature: appxk9
Period left: Life time
License Type: RightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low
Index 2 Feature: uck9
Period left: Life time
License Type: RightToUse
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 3 Feature: securityk9
Period left: Life time
License Type: RightToUse
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 4 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 5 Feature: FoundationSuiteK9
Period left: Life time
License Type: RightToUse
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 6 Feature: AdvUCSuiteK9
Period left: Life time
License Type: RightToUse
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 7 Feature: cme-srst
Period left: Life time
License Type: RightToUse
License State: Active, Not in Use, EULA accepted
License Count: 0/0 (In-use/Violation)
License Priority: Low
Index 8 Feature: hseck9
Index 9 Feature: throughput
Period left: Life time
License Type: RightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low
Index 10 Feature: internal_service
07-04-2019 06:44 AM
Additionally
Stef4321#sh lic fea
Feature name Enforcement Evaluation Subscription Enabled Right
appxk9 yes yes no yes yes
uck9 yes yes no no yes
securityk9 yes yes no no yes
ipbasek9 no no no yes no
FoundationSuiteK9 yes yes no no yes
AdvUCSuiteK9 yes yes no no yes
cme-srst yes yes no no yes
hseck9 yes no no no no
throughput yes yes no yes yes
internal_service yes no no no no
07-04-2019 04:01 PM
Thanks for your information. Looks like securityk9 is not enabled. I assume you are using L2TP; you need this to be enabled. Try PPTP if you do not want to enable securityk9.
07-04-2019 10:34 PM
Yes, I'm using L2TP and securityk9 is now enabled, as below. Still does not work. Any suggestions please?
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol any
virtual-template 1
l2tp tunnel timeout no-session 15
ip mtu adjust
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/1
ip nat inside
ip tcp adjust-mss 1400
peer default ip address pool vpn1
no keepalive
ppp authentication pap chap ms-chap ms-chap-v2 eap
ip virtual-reassembly
ip local pool vpn1 10.0.5.6 10.0.5.7
Stef4321#sh lic fea
Feature name Enforcement Evaluation Subscription Enabled Right
appxk9 yes yes no yes yes
uck9 yes yes no no yes
securityk9 yes yes no yes yes
ipbasek9 no no no yes no
FoundationSuiteK9 yes yes no no yes
AdvUCSuiteK9 yes yes no no yes
cme-srst yes yes no no yes
hseck9 yes no no no no
throughput yes yes no yes yes
internal_service yes no no no no
07-04-2019 10:52 PM
PS: I can connect but cannot ping any device on the network, not even the router itself
07-04-2019 11:33 PM
PS2: I'm using PPTP :) Sorry! I lost track due to many tests