Cisco ISR 4321 L2TP Problem

roberthudd
Level 1

Hi All

This is my first post here so please bear with me.

I am trying to connect an L2TP client to a Cisco ISR 4321 router (I have previously done this successfully with 29xx series). The client connects, the virtual interface comes up, an IP address gets assigned and a route for the assigned IP gets added to the routing table just like I expected it to. When I try to ping the assigned IP from the ISR router it times out. When I try to ping the ISR router from the client it times out. If I run "debug ip packet" I see the ping from the client on the ISR and I also see the ISR reply but the ping response does not arrive at the client. So all traffic that goes out from the ISR on the virtual interface seems to just disappear.

I have configured L2TP only (no IPSec).

Here is show run

Current configuration : 4687 bytes
!
! Last configuration change at 12:02:20 UTC Fri Sep 1 2017 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname sssss
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp vpdn local
aaa authorization network default none
!
aaa session-id common
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
license udi pid ISR4321/K9 sn Fx
!
spanning-tree extend system-id
!
username xxxxx password 0 xxxxxxxx
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!!
!
interface Loopback5
 ip address 172.16.254.1 255.255.255.0
!
!
interface GigabitEthernet0/0/0
 description Connected to inet
 ip address x.x.x.x 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Connected to xxx
 ip address xxxxxxx
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0/0
 ip mtu 1460
 no peer default ip address
 ppp mtu adaptive
 ppp authentication chap vpdn
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input telnet
!
!
end

Any help would be greatly appreciated.

Thanks

Robert
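
A static check for the cleartext exposures in the configuration posted above, added here as an example and not part of the original post or of any Cisco tooling. The `sections` and `audit` helpers, the finding names, and the rule that only a `crypto ipsec` or `crypto map` block counts as IPsec are assumptions; the sample is a constructed excerpt of that configuration.

```python
import re

# Constructed excerpt modelled on the configuration posted above (redactions kept).
SAMPLE = """\
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username xxxxx password 0 xxxxxxxx
!
line vty 0 4
 transport input telnet
"""

def sections(config):
    """Yield (header, child_lines) for each top-level IOS configuration block."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' separators carry no settings
        if raw[0] != " ":  # an unindented line starts a new block
            if header is not None:
                yield header, body
            header, body = line, []
        else:
            body.append(line)
    if header is not None:
        yield header, body

def audit(config):
    """Return sorted finding names for cleartext exposures in an IOS config."""
    blocks = list(sections(config))
    # Heuristic (assumption): a 'crypto ipsec' or 'crypto map' block means IPsec is in use.
    ipsec = any(h.startswith(("crypto ipsec", "crypto map")) for h, _ in blocks)
    found = set()
    for header, body in blocks:
        if header.startswith("vpdn-group"):
            if "protocol l2tp" in body and not ipsec:
                found.add("l2tp-without-ipsec")  # L2TP alone does not encrypt the PPP payload
            if "no l2tp tunnel authentication" in body:
                found.add("l2tp-tunnel-unauthenticated")  # no shared secret between endpoints
        elif re.match(r"username \S+ (.* )?password 0 ", header):
            found.add("cleartext-password-in-config")  # type 0 is stored exactly as typed
        elif header.startswith("line vty") and any(
                re.match(r"transport input .*\b(telnet|all)\b", b) for b in body):
            found.add("telnet-management")  # logins cross the network in cleartext
    return sorted(found)
```

Pass the full text of `show running-config` to `audit()`; blocks such as `crypto pki` alone are not treated as evidence of IPsec under this heuristic.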

18 Replies

Hi,

Sorry for the late response.

If you are using L2TP, you will need securityk9 enabled to let L2TP connect to the router. If you are using PPTP, no securityk9 is needed.

In the ISR family, when you have successfully connected to the router via L2TP/PPTP, you will need appxk9 enabled to allow traffic to go through the router.

In your scenario, you are able to connect to the router via PPTP, which is good. Could you please double check whether appxk9 is enabled or not? From memory, when you enable securityk9, you will need to reload the router and you will disable appxk9 after the reload if it is not a permanent license.

If appxk9 is enabled and you are able to PPTP to the router, you should be good to go.

Thanks.

Thanks for replying.

I connect PPTP

sh vpdn

%No active L2TP tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  Remote Name  State   Remote Address  Port   Sessions  VPDN Group
54967               estabd  192.168.10.5    63950  1         1

LocID  RemID  TunID  Intf   Username  State   Last Chg  Uniq ID
27507  63950  54967  Vi2.1  petros    estabd  00:04:19  22

appxk9 is enabled

Stef4321#sh lic fea
Feature name       Enforcement  Evaluation  Subscription  Enabled  Right
appxk9             yes          yes         no            yes      yes
uck9               yes          yes         no            yes      yes
securityk9         yes          yes         no            yes      yes
ipbasek9           no           no          no            yes      no
FoundationSuiteK9  yes          yes         no            no       yes
AdvUCSuiteK9       yes          yes         no            no       yes
cme-srst           yes          yes         no            no       yes
hseck9             yes          no          no            no       no
throughput         yes          yes         no            yes      yes
internal_service   yes          no          no            no       no

...but no access to the router

May be

Don't know why it is not working.

As securityk9 is enabled, you can try another - change the vpdn tunnel to L2TP and try to L2TP to this router and try again.

I have tried L2TP as well but it does not work.

From my numerous Google searches I have seen that PPTP/L2TP is not supported on ISR routers.

Why on earth will Cisco allow the CLI commands, allow connection and leave you wondering why it is not working...

Thank you anyway for your support.