Absurd PPTP problems: PPTP out no longer works.

Hello I have a weird problem that I am trying to resolve from 15hours now...

I have the exact identical problems on two sites , the first is C2611 with 12.3(25) ADVSEC

the second site is a 2650 with 12.4(18) ADVSEC

here is the conf:

The problem is that ANY PPTP outgoing doesn't work at all. I was disperate and "downgraded" the 2650 (conf is below) to a 12.2(9)T and it worked.

Current configuration : 7099 bytes ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service internal service sequence-numbers no service dhcp ! hostname 89-186-68-6.dcpool.ip ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 4096 notifications no logging console no logging monitor enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx! no aaa new-model clock timezone CET 1 no network-clock-participate slot 1 no network-clock-participate wic 0 no ip source-route no ip gratuitous-arps ip cef ! ! ip inspect log drop-pkt ip inspect max-incomplete low 300 ip inspect max-incomplete high 400 ip inspect one-minute low 500 ip inspect one-minute high 600 ip inspect udp idle-time 20 ip inspect tcp idle-time 60 ip inspect tcp synwait-time 45 ip inspect tcp max-incomplete host 300 block-time 0 ip inspect name OUT-IN esmtp ip inspect name OUT-IN pop3 ip inspect name OUT-IN pop3s ip inspect name OUT-IN http ip inspect name OUT-IN https ip inspect name OUT-IN imap ip inspect name OUT-IN imaps ip inspect name OUT-IN ftp ip inspect name OUT-IN ftps ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! ! ip ips sdf location flash:128mb.sdf ip ips signature 2004 0 disable ip ips signature 2001 0 disable ip ips name AUDIT no ip bootp server ip domain round-robin ip domain name kpnqwest.it ip name-server 217.97.32.2 ip name-server 217.97.32.7 login block-for 120 attempts 5 within 60 login on-failure log ! ! ! ! username xxxxxxxxxxxxxxx ! ! ip tcp selective-ack ip tcp synwait-time 10 ip ssh time-out 90 ip ssh version 2 ! ! ! ! interface Null0 no ip unreachables ! interface ATM0/0 description KPNQWest ADSL 2048/512 no ip address no ip redirects no ip proxy-arp no ip mroute-cache atm ilmi-keepalive dsl operating-mode auto hold-queue 224 in ! interface ATM0/0.1 point-to-point description Point to Point Uplink bandwidth 2048 ip address 89.186.68.6 255.255.255.252 ip access-group 100 in no ip redirects no ip proxy-arp ip inspect OUT-IN in ip ips AUDIT in ip nat outside ip virtual-reassembly max-fragments 16 max-reassemblies 64 no ip mroute-cache pvc 8/35 encapsulation aal5snap ! ! interface FastEthernet0/0 ip address 172.16.0.12 255.255.255.240 no ip redirects no ip proxy-arp ip nat inside no ip virtual-reassembly no ip mroute-cache duplex auto speed auto no cdp enable hold-queue 100 in ! no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 ATM0/0.1 ! no ip http server no ip http secure-server ip nat translation timeout 3600 ip nat translation tcp-timeout 1200 ip nat translation udp-timeout 100 ip nat translation finrst-timeout 15 ip nat translation syn-timeout 45 ip nat translation icmp-timeout 120 ip nat inside source list 102 interface ATM0/0.1 overload ip nat inside source static tcp 172.16.0.1 25 89.186.68.6 25 extendable ip nat inside source static tcp 172.16.0.1 80 89.186.68.6 80 extendable ip nat inside source static tcp 172.16.0.1 110 89.186.68.6 110 extendable ip nat inside source static tcp 172.16.0.1 443 89.186.68.6 443 extendable ip nat inside source static tcp 172.16.0.1 465 89.186.68.6 465 extendable ip nat inside source static tcp 172.16.0.1 995 89.186.68.6 995 extendable ip nat inside source static tcp 172.16.0.1 3389 89.186.68.6 3389 extendable ip nat inside source static tcp 172.16.0.10 33389 89.186.68.6 33389 extendable ! ! no logging trap access-list 100 deny ip 0.0.0.0 0.255.255.255 any access-list 100 deny ip 10.0.0.0 0.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 deny ip 169.254.0.0 0.0.255.255 any access-list 100 deny ip 172.16.0.0 0.15.255.255 any access-list 100 deny ip 192.0.2.0 0.0.0.255 any access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 access-list 100 deny ip 192.168.0.0 0.0.255.255 any access-list 100 deny ip 224.0.0.0 15.255.255.255 any access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip host 89.186.68.6 any access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6 access-list 100 permit esp host 77.93.230.26 host 89.186.68.6 access-list 100 permit udp host 77.93.230.26 host 89.186.68.6 range snmp snmptrap access-list 100 permit udp 77.93.229.208 0.0.0.7 host 89.186.68.6 range snmp snmptrap access-list 100 deny tcp any lt 1023 any lt 1023 access-list 100 permit udp any eq ntp any access-list 100 permit udp any eq domain any access-list 100 deny udp any lt 1023 any lt 1023 access-list 100 permit ip any any fragments access-list 100 permit icmp any any echo access-list 100 permit icmp any any echo-reply access-list 100 permit icmp any any time-exceeded access-list 100 permit icmp any any packet-too-big access-list 100 permit icmp any any unreachable access-list 100 permit icmp any any source-quench access-list 100 deny icmp any any access-list 100 deny udp any any eq echo access-list 100 deny udp any any range 33400 34400 access-list 100 permit tcp any any range ftp-data ftp access-list 100 permit tcp host 77.93.230.26 host 89.186.68.6 eq 22 access-list 100 permit tcp 77.93.229.208 0.0.0.7 host 89.186.68.6 eq 22 access-list 100 deny tcp any any eq 22 access-list 100 permit tcp any any eq smtp access-list 100 permit tcp any any eq www access-list 100 permit tcp any any eq pop3 access-list 100 permit tcp any any eq 443 access-list 100 permit tcp any any eq 465 access-list 100 deny udp any any range snmp snmptrap access-list 100 permit tcp any any eq 990 access-list 100 permit tcp any any eq 995 access-list 100 permit tcp any any access-list 100 permit udp any any access-list 100 permit 41 any any access-list 100 permit gre any any access-list 100 deny ip any any log access-list 102 permit ip 172.16.0.0 0.0.0.255 any snmp-server community public RO snmp-server ifindex persist snmp-server contact xxxxxxxx no cdp run ! ! control-plane ! ! ! banner login ^C You are connected to $(hostname).$(domain) on line $(line). If you are not authorized to access this system, disconnect now.

THIS IS FOR AUTHORIZED USE ONLY

Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Network Administrator: snipped-for-privacy@paradise.org ! line con 0 login local transport output telnet stopbits 1 line aux 0 login local transport preferred none transport output telnet stopbits 1 line vty 0 4 login local transport preferred none transport input ssh transport output all flowcontrol software ! scheduler max-task-time 5000 ntp server 192.43.244.18 ntp server 193.204.114.105 ! end

Reply to
Elia Spadoni
Loading thread data ...

If I enable debug I just see:

%FW-6-DROP_TCP_PKT: Dropping tcp pkt 83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window -- ip ident 0 tcpflags 0xA012 seq.no

96264208 ack 3269803051

since that IP is one of my PPTP servers, it may be the cause

how can I resolve that issue?

Reply to
Elia Spadoni

Open a case with the Cisco TAC

Reply to
Merv

What if i dont have any service contracts?

the config is correct?

"Merv" ha scritto nel messaggio news: snipped-for-privacy@y21g2000hsf.googlegroups.com...

Reply to
Elia Spadoni

Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't work.

Downgraded to 12.3(25) ADVSEC K9, it works perfectly.

Reply to
Elia Spadoni

There have been a number of issues reported with PPTP in 12.4

then don't call the TAC ;-))

Reply to
Merv

Hello Merv, I have done some progress:

Well:

on 12.4 (assuming that we use always the same config, just swap the IOS and restart the router) I CANNOT connect to a remote PPTP server. on a second site I have a /29 range and I can succesfully connect to a remote pptp server, but in this case i have the public /29 ip address directly on the ETH of the pc from wich i initiate the connection.

"Merv" ha scritto nel messaggio news: snipped-for-privacy@59g2000hsb.googlegroups.com...

Reply to
Elia Spadoni

PPTP uses a control channel (TCP session on port 1723) and a separate data channel using a GRE tunnel which carries the PPP traffic.

Your PC will open the control channel first

see the PPTP RFC for protocol details:

formatting link

With the 12.4 IOS version, the handling of one or both of these channels must have changed in some fashion.

You might want to see if modifying your config ( which) you should not have to do) as per the Cisco do "Configuring PPTP Through PAT to a Microsoft PPTP Server"

formatting link
makes any difference with 12.4

Basically you are adding the keyword overload and also using the keyword interface instead of explicit IP address:

Reply to
Merv

Hello

Thank you for your link. I think it is a bug of the IOS.

Since with the SAME IDENTICAL config, it works perfectly on 12.4(8) ADV SEC. I am now trying to flash the 12.4(12)a, b, et c, and also the 12.4(17) and

17a to se what is the latest relase that works.

"Merv" ha scritto nel messaggio news: snipped-for-privacy@z38g2000hsc.googlegroups.com...

formatting link

Reply to
Elia Spadoni

Solved my issue the bugged relase is the 12.4(18) - any relase, tested IPBASEK9, ADVIPSERVICES and ADVSECURITY dont'work.

Tested the 12.4(17a) works perfectly, and also the previous releases of 12.4

Reply to
Elia Spadoni

If one 12.4(18) is broken then it would be expected that all Feature Sets in that version would be similarly broken. Unless of course the particular buggy feature was not in the Feature Set.

This may apply less strictly to other Trains. eg T, XLQ whatever they come up with next.

IPBASEK9, ADVIPSERVICES, ADVSECURITY being Feature Sets.

Well done figuring it out.

Reply to
Bod43

Hello

since I did not need any particular feature, I first tried with the IPBASE so I was sure that a lighter IOS was loaded. I just needed to connect to a pptp server with a pc in the nat, a very simple thing to do!

every 12.4(18) I tried, returns me errors in PPTP link. Any PPTP vpn outgoing don't work. With 12.4(17a) everything works PERFECTLY.

I begin to think that all my troubles with the Ipsec + gre tunnel could be related to this buggy IOS.

ha scritto nel messaggio news: snipped-for-privacy@b1g2000hsg.googlegroups.com...

Reply to
Elia Spadoni

Elia, go for the extra bonus points and determine the Cisco bug id ;-)))

Reply to
Merv

Hello

how can I do that?

Reply to
Elia Spadoni

You need a Cisco CCO account to do that - you can register for a guest account I guess

Not sure if the bug toolkit would be visible to guest accounts or not

formatting link

Reply to
Merv

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.