This is my first post here so please bear with me.
I am trying to connect an L2TP client to a Cisco ISR 4321 router (I have previously done this successfully with the 29xx series). The client connects, the virtual interface comes up, an IP address gets assigned and a route for the assigned IP gets added to the routing table, just like I expected. When I try to ping the assigned IP from the ISR router it times out. When I try to ping the ISR router from the client it times out. If I run "debug ip packet" I see the ping from the client on the ISR and I also see the ISR reply, but the ping response does not arrive at the client. So all traffic that goes out from the ISR on the virtual interface seems to just disappear.
I have configured L2TP only (no IPSec).
Here is show run
Current configuration : 4687 bytes
! Last configuration change at 12:02:20 UTC Fri Sep 1 2017 by xxx
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
vrf definition Mgmt-intf
aaa authentication login default local
aaa authentication ppp vpdn local
aaa authorization network default none
aaa session-id common
multilink bundle-name authenticated
! Default L2TP VPDN group
! Default PPTP VPDN group
no l2tp tunnel authentication
license udi pid ISR4321/K9 sn Fx
spanning-tree extend system-id
username xxxxx password 0 xxxxxxxx
vlan internal allocation policy ascending
ip address 172.16.254.1 255.255.255.0
description Connected to inet
ip address x.x.x.x 255.255.255.224
description Connected to xxx
ip address xxxxxxx
vrf forwarding Mgmt-intf
no ip address
ip unnumbered GigabitEthernet0/0/0
ip mtu 1460
no peer default ip address
ppp mtu adaptive
ppp authentication chap vpdn
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
line con 0
line aux 0
line vty 0 4
transport input telnet
Any help would be greatly appreciated.
Sorry for the late response.
If you are using L2TP, you will need securityk9 enabled to let L2TP connect to the router. If you are using PPTP, no securityk9 is needed.
In the ISR family, once you have successfully connected to the router via L2TP/PPTP, you will need appxk9 enabled to allow traffic to go through the router.
In your scenario, you are able to connect to the router via PPTP, which is good. Could you please double-check whether appxk9 is enabled or not? From memory, when you enable securityk9, you will need to reload the router and you will disable appxk9 after the reload if it is not a permanent license.
If appxk9 is enabled and you are able to PPTP to the router, you should be good to go.
Thanks for replying.
I connect PPTP
%No active L2TP tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID  Remote Name  State   Remote Address  Port   Sessions  VPDN Group
54967               estabd  192.168.10.5    63950  1         1
LocID  RemID  TunID  Intf   Username  State   Last Chg  Uniq ID
27507  63950  54967  Vi2.1  petros    estabd  00:04:19  22
appxk9 is enabled
Stef4321#sh lic fea
Feature name       Enforcement  Evaluation  Subscription  Enabled  Right
appxk9             yes          yes         no            yes      yes
uck9               yes          yes         no            yes      yes
securityk9         yes          yes         no            yes      yes
ipbasek9           no           no          no            yes      no
FoundationSuiteK9  yes          yes         no            no       yes
AdvUCSuiteK9       yes          yes         no            no       yes
cme-srst           yes          yes         no            no       yes
hseck9             yes          no          no            no       no
throughput         yes          yes         no            yes      yes
internal_service   yes          no          no            no       no
...but no access to the router
Don't know why it is not working.
As securityk9 is enabled, you can try another - change the vpdn tunnel to L2TP and try to L2TP to this router and try again.
I have tried L2TP as well but it does not work.
From my numerous Google searches I have seen that PPTP/L2TP is not supported on ISR routers.
Why on earth will Cisco allow the CLI commands, allow connection and leave you wondering why it is not working...
Thank you anyway for your support.