04-16-2007 04:39 AM - edited 03-11-2019 03:00 AM
I am troubleshooting a PIX 515E.
PPTP has worked fine for as long as I can remember.
Last week it stopped working.
I can't telnet to port 1723 to the outside interface.
The Pix uses radius as auth. I can ping the radius servers fine. Can't telnet to them on radius auth ports if that means something.
Ran Capture command. Some of it is displayed:
22:14:43.186773 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:44.686915 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:46.208180 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:50.312834 172.16.255.63.137 > RADIUS-SERVER-P.137: udp 68
22:14:50.956295 172.16.255.63.1554 > RADIUS-SERVER-P.389: S 3564425411:3564425411(0) win 17136 <mss 1380,nop,nop,sackOK>
22:14:50.990366 172.16.255.63.1554 > RADIUS-SERVER-P.389: . ack 2635887080 win 17940
22:14:51.047757 172.16.255.63.1554 > RADIUS-SERVER-P.389: . 3564425412:3564426792(1380) ack 2635887080 win 17940
22:14:51.052075 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564426792:3564426801(9) ack 2635887080 win 17940
22:14:51.096750 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564426801:3564426988(187) ack 2635887270 win 17750
22:14:51.139625 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564426988:3564427175(187) ack 2635887470 win 17550
22:14:51.179418 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564427175:3564427237(62) ack 2635887670 win 17350
22:14:51.184576 172.16.255.63.1554 > RADIUS-SERVER-P.389: F 3564427237:3564427237(0) ack 2635887670 win 17350
22:14:51.214161 172.16.255.63.1554 > RADIUS-SERVER-P.389: . ack 2635887671 win 17350
22:14:51.813815 172.16.255.63.137 > RADIUS-SERVER-P.137: udp 68
22:14:52.185827 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:53.314116 172.16.255.63.137 > RADIUS-SERVER-P.137: udp 68
22:14:53.685694 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:54.966243 172.16.255.64.1573 > RADIUS-SERVER-P.389: S 2587928826:2587928826(0) win 17136 <mss 1260,nop,nop,sackOK>
22:14:54.998254 172.16.255.64.1573 > RADIUS-SERVER-P.389: . ack 3358587918 win 17640
22:14:54.998361 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587928827:2587929178(351) ack 3358587918 win 17640
22:14:55.034223 172.16.255.64.1573 > RADIUS-SERVER-P.389: . ack 3358589947 win 17640
22:14:55.050717 172.16.255.64.1573 > RADIUS-SERVER-P.389: . 2587929178:2587930438(1260) ack 3358589947 win 17640
22:14:55.050793 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930438:2587930552(114) ack 3358589947 win 17640
22:14:55.083919 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930552:2587930707(155) ack 3358590137 win 17450
22:14:55.116876 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930707:2587930896(189) ack 3358590353 win 17234
22:14:55.160010 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930896:2587930958(62) ack 3358591396 win 17640
22:14:55.160071 172.16.255.64.1573 > RADIUS-SERVER-P.389: F 2587930958:2587930958(0) ack 3358591396 win 17640
22:14:55.163809 172.16.255.64.1574 > RADIUS-SERVER-P.389: S 1431546852:1431546852(0) win 17136 <mss 1260,nop,nop,sackOK>
22:14:55.184133 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
Debug pptp didn't do much. I had to set the clock to a more recent time.
Config is exactly the way it was when it was working.
I have cisco client vpns and site to sites that work fine with radius.
Anybody got any ideas?
thanks
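As an added example (not from the original post), this Python script parses capture lines in the PIX format shown above and reports, per destination port, what actually reached the server and which of the ports relevant to this problem (TCP 1723 for the PPTP control channel, UDP 1812 or legacy 1645 for RADIUS authentication) never appear in the capture at all. The sample lines are constructed from the format in the post; the port list is an assumption about what a troubleshooter would want flagged.

```python
import re
from collections import Counter

# Constructed sample in the PIX "capture" output format shown in the post
SAMPLE_CAPTURE = """\
22:14:43.186773 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:50.956295 172.16.255.63.1554 > RADIUS-SERVER-P.389: S 3564425411:3564425411(0) win 17136 <mss 1380,nop,nop,sackOK>
22:14:50.990366 172.16.255.63.1554 > RADIUS-SERVER-P.389: . ack 2635887080 win 17940
22:14:51.184576 172.16.255.63.1554 > RADIUS-SERVER-P.389: F 3564427237:3564427237(0) ack 2635887670 win 17350
22:14:55.163809 172.16.255.64.1574 > RADIUS-SERVER-P.389: S 1431546852:1431546852(0) win 17136 <mss 1260,nop,nop,sackOK>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

# Assumed list of ports worth flagging here: PPTP control plus RADIUS auth ports
EXPECTED_PORTS = {1723: "pptp-control", 1812: "radius-auth", 1645: "radius-auth-legacy"}

def parse_capture(text):
    """Parse capture lines into dicts. UDP lines end in 'udp N'; TCP lines
    carry a flag field first (S, P, F, or '.' for a pure ACK)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        proto = "udp" if rest.startswith("udp") else "tcp"
        yield {
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto, "syn": proto == "tcp" and rest.startswith("S "),
        }

def summarize(text):
    """Count packets per (proto, dport) and TCP SYNs per dport, and list which
    expected ports never show up in the capture."""
    by_port, syns = Counter(), Counter()
    for pkt in parse_capture(text):
        by_port[(pkt["proto"], pkt["dport"])] += 1
        if pkt["syn"]:
            syns[pkt["dport"]] += 1
    missing = sorted(name for port, name in EXPECTED_PORTS.items()
                     if by_port[("tcp", port)] + by_port[("udp", port)] == 0)
    return {"by_port": dict(by_port), "syn_count": dict(syns), "missing": missing}

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

On the sample, only NetBIOS (UDP 137) and LDAP (TCP 389) reach the server, so all three expected ports come back as missing.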
04-17-2007 05:15 AM
Any ideas would be welcome as I need this working. I could reboot the device but only as a last resort, as it is client owned and they have IPsec VPNs running 24x7.
I am running 6.3(5)
Relevant config attached:
ip local pool PPTP-POOL 172.16.255.1-172.16.255.127
access-list VPN-NO-NAT permit ip 192.168.0.0 255.255.0.0 172.16.255.0 255.255.255.0
nat (inside) 0 access-list VPN-NO-NAT
access-list OUTSIDE-ACCESS-IN permit gre any host 212.168.236.140
access-group OUTSIDE-ACCESS-IN in interface outside
aaa-server PPTP-VPN protocol radius
aaa-server PPTP-VPN max-failed-attempts 3
aaa-server PPTP-VPN deadtime 10
aaa-server PPTP-VPN (inside) host RADIUS-SERVER-PRIMARY Mysecu1ty1138 timeout 20
sysopt connection permit-pptp
vpdn group letin accept dialin pptp
vpdn group letin ppp authentication pap
vpdn group letin ppp authentication chap
vpdn group letin ppp authentication mschap
vpdn group letin ppp encryption mppe auto
vpdn group letin client configuration address local PPTP-POOL
vpdn group letin client authentication aaa PPTP-VPN
vpdn group letin pptp echo 60
vpdn enable outside
I have added to allow 1723 inbound and also tried fixup 1723. Also I have taken off config and reapplied. I have tried local auth as well but no good.
I cannot telnet to the WAN IP on port 1723, whereas on all the other Pixes I know of I can.
thanks,