02-09-2009 02:57 PM
Hello,
We have a remote LAN with addressing 172.16.1.0/24 which must be reachable by Windows PPTP VPN clients located anywhere. The border gateway between this remote LAN and the Internet is a Cisco 1841 router. Inside the LAN, there is a VPN server (172.16.1.11) based on Windows RRAS (Remote Routing and Access Server).
Our problem is that Windows PPTP clients located outside on the Internet are not even authenticated. No traces can be found in the RRAS log file on the Windows server.
We know that RRAS is well configured because PPTP VPN clients located in the same LAN manage to establish the tunnel very quickly after a successful authentication. So we suspect that the problem is in the router. The relevant configuration is as follows (we already tried without CBAC, but unsuccessfully):
ip inspect name CBAC_inspect tcp
ip inspect name CBAC_inspect udp
ip inspect name CBAC_inspect icmp
interface FastEthernet0/0
 description LAN
 ip address 172.16.1.3 255.255.255.0
 ip nat inside
 ip inspect CBAC_inspect in
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description WAN
 ip address xx.yy.zz.tt 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip nat inside source static tcp 172.16.1.11 1723 xx.yy.zz.tt 1723 extendable
access-list 101 permit tcp any host xx.yy.zz.tt eq 1723
access-list 101 permit gre any host xx.yy.zz.tt
We took some Wireshark/Ethereal captures on the VPN server. It seems that the remote client does not receive the "PPP LC Configuration ACK" sent by the VPN server, so it retries "PPP LC Configuration Request" over and over again. We don't know why the remote client does not receive this ACK sent by the server, because the 1841 router seems to be configured according to Cisco documentation.
Thank you very much for your help.
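The symptom described in the post above (the server sends the LCP Configure-Ack, yet the client keeps repeating its Configure-Request) can be checked mechanically in a server-side capture. The following is an added example, not part of the original thread: the function names, the retry threshold and the sample packets are assumptions constructed for illustration, and it expects GRE packets with the IP header already stripped.

```python
import struct

GRE_PPP = 0x880B   # protocol type used by PPTP's enhanced GRE (RFC 2637)
PPP_LCP = 0xC021   # PPP Link Control Protocol
CONF_REQ, CONF_ACK = 1, 2

def parse_lcp(gre: bytes):
    """Return (lcp_code, identifier) if this GRE packet carries PPP LCP, else None."""
    if len(gre) < 8:
        return None
    flags0, flags1, proto, plen, _call_id = struct.unpack("!BBHHH", gre[:8])
    if proto != GRE_PPP or (flags1 & 0x07) != 1:   # enhanced GRE is version 1
        return None
    off = 8 + (4 if flags0 & 0x10 else 0) + (4 if flags1 & 0x80 else 0)  # S, A bits
    ppp = gre[off:off + plen]
    if ppp[:2] == b"\xff\x03":                     # uncompressed address/control
        ppp = ppp[2:]
    if len(ppp) < 4 or ppp[:2] != struct.pack("!H", PPP_LCP):
        return None
    return ppp[2], ppp[3]

def acks_not_arriving(capture, threshold=3):
    """capture: (direction, gre_bytes) pairs as seen on the server, 'in' or 'out'.
    Heuristic (assumption): the client still sending Configure-Requests after the
    server has already sent a Configure-Ack, `threshold` times or more."""
    acks_sent = repeats = 0
    for direction, gre in capture:
        lcp = parse_lcp(gre)
        if lcp is None:
            continue
        if direction == "out" and lcp[0] == CONF_ACK:
            acks_sent += 1
        elif direction == "in" and lcp[0] == CONF_REQ and acks_sent:
            repeats += 1
    return repeats >= threshold

def frame(code, ident, seq):
    """Build a constructed GRE/PPP/LCP packet with no LCP options (sample data)."""
    ppp = b"\xff\x03" + struct.pack("!HBBH", PPP_LCP, code, ident, 4)
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(ppp), 1, seq) + ppp

# Constructed capture: every client request is acked, yet the client keeps asking.
STUCK = [("in", frame(CONF_REQ, 1, 0)), ("out", frame(CONF_ACK, 1, 0))] * 4
HEALTHY = [("in", frame(CONF_REQ, 1, 0)), ("out", frame(CONF_ACK, 1, 0)),
           ("out", frame(CONF_REQ, 0, 1)), ("in", frame(CONF_ACK, 0, 1))]

if __name__ == "__main__":
    print("stuck:", acks_not_arriving(STUCK), "healthy:", acks_not_arriving(HEALTHY))
```

A positive result on the server side only shows that the Acks leave the server; a second capture on the router's WAN side or on the client is needed to see where they stop.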
02-10-2009 12:28 AM
Hi
I would suggest you tweak the WAN/LAN interface with the ip tcp adjust-mss command in order to make it work.
Adjust the same to 1420 on WAN/LAN.
ip tcp adjust-mss 1420
Regards
Rama
02-10-2009 03:02 PM
Thank you very much, Rama, but this parameter did not solve our problem.
By the way, why did you suggest 1420?
Anyway, I tried several values (1420, 1452, 542) on both interfaces and on the WAN interface only, but all the connection attempts from Windows PPTP VPN were unsuccessful. Moreover, no trace was logged on the server.
Perhaps the adjustment that you suggested works for typical WAN interfaces, but we have FastEthernet on both sides of the router; our systems are hosted at an ISP.
02-11-2009 11:24 PM
Hi,
It gives more room for PPTP to send messages like flow and congestion control, etc.
Try changing ip mtu on the WAN interface along with the tcp mss adjust command, because these two work in conjunction.
Check the debug log in the router. The final resort would be changing the MTU on the server.
Please refer to the URLs below for MTU and MSS adjust command details.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html#wp1047584
http://support.microsoft.com/kb/826159
Regards
Rama