Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
745
Views
0
Helpful
5
Replies

pptp authentication fails only from outside

dan.letkeman
Level 4
Level 4

‎12-12-2010 05:43 PM

Hello,

Version 12.4(25d). 2821 router and 2811 router.

I can make the vpn connection from inside the network but from outside the network it fails to authenticate.

Config on the non-working 2821

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

!

interface Virtual-Template1

description pptp vpn

ip address 10.55.1.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1420

peer default ip address pool pptp-vpn

keepalive 20

ppp encrypt mppe 128

ppp authentication ms-chap ms-chap-v2

!

ip local pool pptp-vpn 10.55.1.2 10.55.1.3

!

interface GigabitEthernet0/0.888

description outside interface

bandwidth 30000

encapsulation dot1Q 888

ip address 100.100.100.102 255.255.255.192 secondary

ip address 100.100.100.101 255.255.255.192

ip access-group firewall in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

no cdp enable

!

ip access-list extended firewall

permit gre any host 100.100.100.102

permit tcp any host 100.100.100.102 eq 1723

deny   ip any any log

!

This exact same configuration on the 2811 (difference being that the 2811 is only using one IP address on the outside interface, and it does not have the ip inspect command). works fine from inside and outside of the network. 

If I try and use the primary ip on the 2821 I don't even see any gre matches on the firewall access list.

Is there something with the ip inspect command that doesn't work?  I have tried adding pptp to the inspect list and that just makes it worse.

Thanks,

Dan.

Labels:
0 Helpful
5 Replies 5

mulatif
Cisco Employee
Cisco Employee

‎12-14-2010 11:47 AM

Hi,

Does it work if you connect to 100.100.100.101 (Update the Inbound ACL accordingly) i.e. the Primary Address ? As opposed to .102, which is the secondary address.

There might be an issue with termination on a secondary IP.

Let us know the results.

Thanks,

Naman

0 Helpful

dan.letkeman
Level 4
Level 4
In response to mulatif

‎12-14-2010 03:27 PM

No, I have the same results if I use the primary or secondary ip, yet from the inside of the network it works fine.  There is one more difference and that is that the 2821 has it's outside ip's on a sub interface and not on a physical interface.  Can a pptp connection not terminate on a sub interface?

Dan.

0 Helpful

mulatif
Cisco Employee
Cisco Employee
In response to dan.letkeman

‎12-16-2010 09:37 AM

When you say inside, you are still connecting to the IP configured on the Same Router but on the Internal Interface ?

No. Subinterface shouldn't make a difference.

Can you attempt and get the debug as below ?

debug ppp authentication

debug ppp negotiation

debug vpdn event

debug vpdn error

Thanks,

Naman

0 Helpful

dan.letkeman
Level 4
Level 4
In response to mulatif

‎12-16-2010 11:34 AM

If I attempt those debugs I still see nothing on the console.  Not a hint of any connection except and increment on the acl for port 1723.

Dan.

0 Helpful

mulatif
Cisco Employee
Cisco Employee
In response to dan.letkeman

‎12-17-2010 06:39 AM

Hi Dan,

You should see something in the debugs. At this time I would recommend opening a TAC case so we can work with you on a WebEx session.

Thanks,

Naman

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents