PPTP Stopped working on PIX for some reason

cameronjohn
Level 1

I am troubleshooting a PIX 515E.

PPTP has worked fine for as long as I can remember.

Last week it stopped working.

I can't telnet to port 1723 to the outside interface.

The PIX uses RADIUS as auth. I can ping the RADIUS servers fine. Can't telnet to them on RADIUS auth ports, if that means something.

Ran Capture command. Some of it is displayed:

22:14:43.186773 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68

22:14:44.686915 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68

22:14:46.208180 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68

22:14:50.312834 172.16.255.63.137 > RADIUS-SERVER-P.137: udp 68

22:14:50.956295 172.16.255.63.1554 > RADIUS-SERVER-P.389: S 3564425411:3564425411(0) win 17136 <mss 1380,nop,nop,sackOK>

22:14:50.990366 172.16.255.63.1554 > RADIUS-SERVER-P.389: . ack 2635887080 win 17940

22:14:51.047757 172.16.255.63.1554 > RADIUS-SERVER-P.389: . 3564425412:3564426792(1380) ack 2635887080 win 17940

22:14:51.052075 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564426792:3564426801(9) ack 2635887080 win 17940

22:14:51.096750 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564426801:3564426988(187) ack 2635887270 win 17750

22:14:51.139625 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564426988:3564427175(187) ack 2635887470 win 17550

22:14:51.179418 172.16.255.63.1554 > RADIUS-SERVER-P.389: P 3564427175:3564427237(62) ack 2635887670 win 17350

22:14:51.184576 172.16.255.63.1554 > RADIUS-SERVER-P.389: F 3564427237:3564427237(0) ack 2635887670 win 17350

22:14:51.214161 172.16.255.63.1554 > RADIUS-SERVER-P.389: . ack 2635887671 win 17350

22:14:51.813815 172.16.255.63.137 > RADIUS-SERVER-P.137: udp 68

22:14:52.185827 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68

22:14:53.314116 172.16.255.63.137 > RADIUS-SERVER-P.137: udp 68

22:14:53.685694 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68

22:14:54.966243 172.16.255.64.1573 > RADIUS-SERVER-P.389: S 2587928826:2587928826(0) win 17136 <mss 1260,nop,nop,sackOK>

22:14:54.998254 172.16.255.64.1573 > RADIUS-SERVER-P.389: . ack 3358587918 win 17640

22:14:54.998361 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587928827:2587929178(351) ack 3358587918 win 17640

22:14:55.034223 172.16.255.64.1573 > RADIUS-SERVER-P.389: . ack 3358589947 win 17640

22:14:55.050717 172.16.255.64.1573 > RADIUS-SERVER-P.389: . 2587929178:2587930438(1260) ack 3358589947 win 17640

22:14:55.050793 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930438:2587930552(114) ack 3358589947 win 17640

22:14:55.083919 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930552:2587930707(155) ack 3358590137 win 17450

22:14:55.116876 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930707:2587930896(189) ack 3358590353 win 17234

22:14:55.160010 172.16.255.64.1573 > RADIUS-SERVER-P.389: P 2587930896:2587930958(62) ack 3358591396 win 17640

22:14:55.160071 172.16.255.64.1573 > RADIUS-SERVER-P.389: F 2587930958:2587930958(0) ack 3358591396 win 17640

22:14:55.163809 172.16.255.64.1574 > RADIUS-SERVER-P.389: S 1431546852:1431546852(0) win 17136 <mss 1260,nop,nop,sackOK>

22:14:55.184133 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68

Debug pptp didn't do much. I had to set the clock to a more recent time.

Config is exactly the way it was when it was working.

I have Cisco client VPNs and site-to-sites that work fine with RADIUS.

Anybody got any ideas?

thanks


cameronjohn
Level 1

Any ideas would be welcome as I need this working. I could reboot the device, but only as a last resort, as it is client owned and they have IPsec VPNs running 24x7.

I am running 6.3(5)

Relevant config attached:

ip local pool PPTP-POOL 172.16.255.1-172.16.255.127

access-list VPN-NO-NAT permit ip 192.168.0.0 255.255.0.0 172.16.255.0 255.255.255.0

nat (inside) 0 access-list VPN-NO-NAT

access-list OUTSIDE-ACCESS-IN permit gre any host 212.168.236.140

access-group OUTSIDE-ACCESS-IN in interface outside

aaa-server PPTP-VPN protocol radius

aaa-server PPTP-VPN max-failed-attempts 3

aaa-server PPTP-VPN deadtime 10

aaa-server PPTP-VPN (inside) host RADIUS-SERVER-PRIMARY Mysecu1ty1138 timeout 20

sysopt connection permit-pptp

vpdn group letin accept dialin pptp

vpdn group letin ppp authentication pap

vpdn group letin ppp authentication chap

vpdn group letin ppp authentication mschap

vpdn group letin ppp encryption mppe auto

vpdn group letin client configuration address local PPTP-POOL

vpdn group letin client authentication aaa PPTP-VPN

vpdn group letin pptp echo 60

vpdn enable outside

I have added to allow 1723 inbound and also tried fixup 1723. Also I have taken off config and reapplied. I have tried local auth as well but no good.

I cannot telnet to the WAN IP on port 1723, whereas on all the other PIXes I know of I can.

thanks,
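
An added example, not part of the original posts: one way to tally a capture like the one pasted above by protocol and destination port, check whether it contains any RADIUS packets, and check whether the sources fall inside the configured PPTP-POOL. The function names are hypothetical, the sample lines are copied from the first post, and the RADIUS port set is the well-known UDP 1812/1813 plus legacy 1645/1646.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Well-known UDP ports for RADIUS: 1812/1813 (standard) and 1645/1646 (legacy).
RADIUS_UDP_PORTS = {1645, 1646, 1812, 1813}
# Pool bounds copied from the posted "ip local pool PPTP-POOL" line.
POOL_FIRST, POOL_LAST = ip_address("172.16.255.1"), ip_address("172.16.255.127")

# A few lines copied from the capture in the first post.
SAMPLE = """\
22:14:43.186773 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
22:14:50.956295 172.16.255.63.1554 > RADIUS-SERVER-P.389: S 3564425411:3564425411(0) win 17136 <mss 1380,nop,nop,sackOK>
22:14:50.990366 172.16.255.63.1554 > RADIUS-SERVER-P.389: . ack 2635887080 win 17940
22:14:51.184576 172.16.255.63.1554 > RADIUS-SERVER-P.389: F 3564427237:3564427237(0) ack 2635887670 win 17350
22:14:54.966243 172.16.255.64.1573 > RADIUS-SERVER-P.389: S 2587928826:2587928826(0) win 17136 <mss 1260,nop,nop,sackOK>
22:14:55.184133 172.16.255.64.137 > RADIUS-SERVER-P.137: udp 68
"""

# timestamp, src.sport, ">", dst.dport, ":", then the protocol detail.
LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(.*)$")

def parse(text):
    """Return (src, dst, proto, dport) for every line in tcpdump-style form."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            src, _sport, dst, dport, rest = m.groups()
            proto = "udp" if rest.startswith("udp") else "tcp"
            rows.append((src, dst, proto, int(dport)))
    return rows

def by_service(text):
    """Count packets per (protocol, destination port)."""
    return Counter((proto, dport) for _, _, proto, dport in parse(text))

def radius_seen(text):
    """True if any packet is UDP to a RADIUS auth/accounting port."""
    return any(p == "udp" and d in RADIUS_UDP_PORTS for _, _, p, d in parse(text))

def sources_in_pool(text):
    """True if every source address lies inside PPTP-POOL."""
    return all(POOL_FIRST <= ip_address(s) <= POOL_LAST for s, _, _, _ in parse(text))

if __name__ == "__main__":
    for (proto, port), n in sorted(by_service(SAMPLE).items()):
        print(f"{proto}/{port}: {n} packets")
    print("RADIUS packets present:", radius_seen(SAMPLE))
    print("all sources inside PPTP-POOL:", sources_in_pool(SAMPLE))
```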
