09-01-2017 05:35 AM - edited 03-12-2019 04:30 AM
Hi All
This is my first post here so please bear with me.
I am trying to connect an L2TP client to a Cisco ISR 4321 router (I have previously done this successfully with the 29xx series). The client connects, the virtual interface comes up, an IP address gets assigned, and a route for the assigned IP gets added to the routing table, just like I expected. When I try to ping the assigned IP from the ISR router, it times out. When I try to ping the ISR router from the client, it times out. If I run "debug ip packet", I see the ping from the client on the ISR and I also see the ISR reply, but the ping response does not arrive at the client. So all traffic that goes out from the ISR on the virtual interface seems to just disappear.
I have configured L2TP only (no IPSec).
Here is show run
Current configuration : 4687 bytes
!
! Last configuration change at 12:02:20 UTC Fri Sep 1 2017 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname sssss
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp vpdn local
aaa authorization network default none
!
aaa session-id common
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
license udi pid ISR4321/K9 sn Fx
!
spanning-tree extend system-id
!
username xxxxx password 0 xxxxxxxx
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!!
!
interface Loopback5
ip address 172.16.254.1 255.255.255.0
!
!
interface GigabitEthernet0/0/0
description Connected to inet
ip address x.x.x.x 255.255.255.224
negotiation auto
!
interface GigabitEthernet0/0/1
description Connected to xxx
ip address xxxxxxx
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0
ip mtu 1460
no peer default ip address
ppp mtu adaptive
ppp authentication chap vpdn
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input telnet
!
!
end
Any help would be greatly appreciated.
Thanks
Robert
07-07-2019 05:27 PM
Hi,
Sorry for the late response.
If you are using L2TP, you will need securityk9 enabled to let L2TP connect to the router. If you are using PPTP, no securityk9 is needed.
In the ISR family, once you have successfully connected to the router via L2TP/PPTP, you will need appxk9 enabled to allow traffic to go through the router.
In your scenario, you are able to connect to the router via PPTP, which is good. Could you please double check whether appxk9 is enabled? From memory, when you enable securityk9, you will need to reload the router and you will disable appxk9 after the reload if it is not a permanent license.
If appxk9 is enabled and you are able to PPTP to the router, you should be good to go.
Thanks.
07-07-2019 10:27 PM
Thanks for replying.
I connect PPTP
sh vpdn
%No active L2TP tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name State Remote Address Port Sessions VPDN Group
54967 estabd 192.168.10.5 63950 1 1
LocID RemID TunID Intf Username State Last Chg Uniq ID
27507 63950 54967 Vi2.1 petros estabd 00:04:19 22
appxk9 is enabled
Stef4321#sh lic fea
Feature name        Enforcement  Evaluation  Subscription  Enabled  Right
appxk9              yes          yes         no            yes      yes
uck9                yes          yes         no            yes      yes
securityk9          yes          yes         no            yes      yes
ipbasek9            no           no          no            yes      no
FoundationSuiteK9   yes          yes         no            no       yes
AdvUCSuiteK9        yes          yes         no            no       yes
cme-srst            yes          yes         no            no       yes
hseck9              yes          no          no            no       no
throughput          yes          yes         no            yes      yes
internal_service    yes          no          no            no       no
...but no access to the router
May be
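The license check discussed in the two posts above, as an added example that is not part of the thread: it parses "show license feature" output and reports which of the features named in the reply (securityk9, appxk9) are missing or not enabled. The function names and the sample output are constructed for illustration, and the required-feature list reflects the reply's claim, not Cisco documentation.

```python
import re

# Features the reply in this thread asks to verify (an assumption taken from the thread).
REQUIRED = ("securityk9", "appxk9")

# Constructed sample in the column layout of "show license feature":
# name, Enforcement, Evaluation, Subscription, Enabled, RightToUse.
SAMPLE = """\
Router#show license feature
Feature name        Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9              yes          yes         no            no       yes
securityk9          yes          yes         no            yes      yes
ipbasek9            no           no          no            yes      no
"""

# A data row is one feature name followed by exactly five yes/no flags.
# The prompt line and the header line do not match and are skipped.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<enforcement>yes|no)\s+(?P<evaluation>yes|no)\s+"
    r"(?P<subscription>yes|no)\s+(?P<enabled>yes|no)\s+(?P<rtu>yes|no)\s*$"
)


def parse_license_features(text):
    """Return {feature: {column: bool}} for every data row in the output."""
    features = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            flags = match.groupdict()
            name = flags.pop("name")
            features[name] = {col: val == "yes" for col, val in flags.items()}
    return features


def missing_features(text, required=REQUIRED):
    """List required features that are absent from the output or not enabled."""
    features = parse_license_features(text)
    return [f for f in required if not features.get(f, {}).get("enabled", False)]


if __name__ == "__main__":
    for feature in missing_features(SAMPLE):
        print(f"{feature}: not enabled")
```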
07-08-2019 12:01 AM
Don't know why it is not working.
As securityk9 is enabled, you can try another - change the vpdn tunnel to L2TP and try to L2TP to this router and try again.
07-08-2019 12:40 AM
I have tried L2TP as well but it does not work.
From my numerous Google searches I have seen that PPTP/L2TP is not supported on ISR routers.
Why on earth will Cisco allow the CLI commands, allow connection and leave you wondering why it is not working...
Thank you anyway for your support.