Microsoft PPTP VPN not established through Cisco 1841

comunicjsc
Level 1

Hello,

We have a remote LAN with addressing 172.16.1.0/24 which must be reachable by Windows PPTP VPN clients located wherever. The border gateway between this remote LAN and the Internet is a Cisco 1841 router. Inside the LAN, there is a VPN server (172.16.1.11) based on Windows RRAS (Remote Routing and Access Server).

Our problem is that Windows PPTP clients located outside, on the Internet, are not even authenticated. No traces can be found in the RRAS log file on the Windows server.

We know that RRAS is well configured because PPTP VPN clients located in the same LAN manage to establish the tunnel very quickly after a successful authentication. So we suspect that the problem is in the router. The relevant configuration is as follows (we already tried without CBAC, but unsuccessfully):

ip inspect name CBAC_inspect tcp
ip inspect name CBAC_inspect udp
ip inspect name CBAC_inspect icmp
interface FastEthernet0/0
 description LAN
 ip address 172.16.1.3 255.255.255.0
 ip nat inside
 ip inspect CBAC_inspect in
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description WAN
 ip address xx.yy.zz.tt 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip nat inside source static tcp 172.16.1.11 1723 xx.yy.zz.tt 1723 extendable
access-list 101 permit tcp any host xx.yy.zz.tt eq 1723
access-list 101 permit gre any host xx.yy.zz.tt

We took some Wireshark/Ethereal captures on the VPN server. It seems that the remote client does not receive the "PPP LC Configuration ACK" sent by the VPN server, so it retries the "PPP LC Configuration Request" over and over again. We don't know why the remote client does not receive this ACK sent by the server, because the 1841 router seems to be configured according to Cisco documentation.

Thank you very much for your help.
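One way to confirm the symptom described in this post from a capture taken on the VPN server, as an added example that is not part of the original post: it parses PPTP enhanced-GRE packets (RFC 2637), extracts the LCP code, and counts client Configure-Requests that still arrive after the server has sent its Configure-Ack. The function names, the "client"/"server" direction labels (assumed to be derived from each packet's source IP) and the sample frames are constructed for illustration.

```python
import struct

def parse_lcp(gre: bytes):
    """Parse a PPTP enhanced-GRE packet; return (call_id, lcp_code, lcp_id) or None."""
    if len(gre) < 8:
        return None
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if ver & 0x07 != 1 or proto != 0x880B:      # not GRE version 1 carrying PPP
        return None
    # Skip the optional sequence number (S bit) and acknowledgment number (A bit).
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)
    ppp = gre[off:off + plen]
    if ppp[:2] == b"\xff\x03":                  # optional PPP address/control bytes
        ppp = ppp[2:]
    if len(ppp) < 6 or ppp[:2] != b"\xc0\x21":  # PPP protocol 0xC021 = LCP
        return None
    return call_id, ppp[2], ppp[3]              # LCP code 1 = Request, 2 = Ack

def requests_after_ack(frames):
    """Count client Configure-Requests seen after the server already sent a Configure-Ack."""
    acked, repeats = False, 0
    for direction, gre in frames:
        lcp = parse_lcp(gre)
        if lcp is None:
            continue
        code = lcp[1]
        if direction == "server" and code == 2:
            acked = True
        elif direction == "client" and code == 1 and acked:
            repeats += 1
    return repeats

def make_frame(call_id, seq, code, ident):
    """Build a constructed enhanced-GRE packet carrying a minimal LCP packet (no options)."""
    ppp = b"\xff\x03\xc0\x21" + struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, len(ppp), call_id, seq) + ppp

# Constructed sample mirroring the capture described in the post.
SAMPLE = [
    ("client", make_frame(0x1234, 0, 1, 1)),   # Configure-Request
    ("server", make_frame(0x5678, 0, 2, 1)),   # Configure-Ack leaves the server
    ("client", make_frame(0x1234, 1, 1, 1)),   # request repeated anyway
    ("client", make_frame(0x1234, 2, 1, 1)),
]

if __name__ == "__main__":
    n = requests_after_ack(SAMPLE)
    print(f"{n} Configure-Request(s) repeated after the server's Configure-Ack")
```

A non-zero count means the server's GRE replies leave the server but do not reach the client, which points at the return path rather than at RRAS.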

3 Replies

RAMACHANDRA R
Level 1

Hi

I would suggest you tweak the WAN/LAN interface with the ip tcp adjust-mss command in order to make it work.

Adjust the same to 1420 on WAN/LAN.

ip tcp adjust-mss 1420

Regards

Rama

Thank you very much, Rama, but this parameter did not solve our problem.

By the way, why did you suggest 1420?

Anyway, I tried several values (1420, 1452, 542) on both interfaces and only on the WAN interface, but all the connection attempts from Windows PPTP VPN were unsuccessful. Moreover, no trace was logged on the server.

Perhaps the adjustment that you suggested works for typical WAN interfaces, but we have FastEthernet on both sides of the router; our systems are hosted at an ISP.

Hi,

It gives more room for PPTP to send messages like flow and congestion control etc.

Try changing the ip mtu on the WAN interface along with the tcp mss adjust command, because these two work in conjunction.

Check the debug log in the router. The final resort would be changing the MTU on the server.

Please refer to the URLs below for details of the mtu and mss adjust commands.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html#wp1047584

http://support.microsoft.com/kb/826159

Regards

Rama