Microsoft PPTP VPN not established through Cisco 1841

Unanswered Question
Feb 9th, 2009

We have a remote LAN with addressing which must be reachable by Windows PPTP VPN clients located wherever. The border gateway between this remote LAN and the Internet is a Cisco 1841 router. Inside the LAN, there is a VPN server ( based on Windows RRAS (Remote Routing and Access Server).

Our problem is that Windows PPTP clients located outside on the Internet are not even authenticated. No traces can be found in the RRAS log file on the Windows server.

We know that RRAS is well configured because PPTP VPN clients located in the same LAN manage to establish the tunnel very quickly after a successful authentication. So we suspect that the problem is in the router. Relevant configuration is as follows (we already tried without CBAC but unsuccessfully):

ip inspect name CBAC_inspect tcp
ip inspect name CBAC_inspect udp
ip inspect name CBAC_inspect icmp

interface FastEthernet0/0
 description LAN
 ip address
 ip nat inside
 ip inspect CBAC_inspect in
 ip virtual-reassembly
 speed 100

interface FastEthernet0/1
 description WAN
 ip address
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 speed 100

ip nat inside source static tcp 1723 1723 extendable

access-list 101 permit tcp any host eq 1723
access-list 101 permit gre any host

We took some Wireshark/Ethereal captures on the VPN server. It seems that the remote client does not receive the "PPP LCP Configuration ACK" sent by the VPN server, so it retries the "PPP LCP Configuration Request" over and over again. We don't know why the remote client does not receive this ACK sent by the server, because the 1841 router seems to be configured according to Cisco documentation.

Thank you very much for your help.
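Added example, not part of the original thread: a way to confirm the symptom described in the post above from a capture taken on the VPN server, by counting PPP LCP codes per direction inside PPTP's enhanced GRE (IP protocol 47, RFC 2637). It assumes raw IPv4 packets with the link-layer header already stripped; the function names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}

def parse_pptp_lcp(pkt: bytes):
    """Return (src, dst, call_id, lcp_code, lcp_id) for an LCP frame in PPTP GRE, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:      # IPv4 carrying GRE
        return None
    gre = pkt[(pkt[0] & 0x0F) * 4:]                            # skip IP header (IHL words)
    if len(gre) < 8:
        return None
    flags, ver, proto, _plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if (ver & 0x07) != 1 or proto != 0x880B:                   # enhanced GRE v1 carrying PPP
        return None
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)  # optional seq / ack
    ppp = gre[off:]
    if ppp[:2] == b"\xff\x03":                                 # PPP address/control, if present
        ppp = ppp[2:]
    if len(ppp) < 4 or ppp[:2] != b"\xc0\x21":                 # 0xC021 = LCP
        return None
    src, dst = (".".join(map(str, pkt[a:a + 4])) for a in (12, 16))
    return src, dst, call_id, LCP_CODES.get(ppp[2], f"code-{ppp[2]}"), ppp[3]

def lcp_summary(packets, server_ip):
    """Count LCP codes per direction as seen on the VPN server."""
    counts = Counter()
    for rec in filter(None, map(parse_pptp_lcp, packets)):
        counts[("server->client" if rec[0] == server_ip else "client->server", rec[3])] += 1
    return counts

def looks_one_way(counts):
    """Heuristic: the client keeps retrying and never acks, although the server answers."""
    return (counts[("client->server", "Configure-Request")] >= 2
            and counts[("server->client", "Configure-Ack")] >= 1
            and counts[("client->server", "Configure-Ack")] == 0)

def build(src, dst, code, ident, seq):   # constructed test packet, not a real capture
    ppp = b"\xff\x03\xc0\x21" + bytes([code, ident]) + struct.pack("!H", 4)
    gre = struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, len(ppp), 1, seq) + ppp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, 47, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + gre

CLIENT, SERVER = "198.51.100.7", "10.0.0.10"   # constructed addresses
SAMPLE = []
for i in range(3):   # client repeats its request; server acks and sends its own request
    SAMPLE += [build(CLIENT, SERVER, 1, 1, i), build(SERVER, CLIENT, 2, 1, 2 * i),
               build(SERVER, CLIENT, 1, 7, 2 * i + 1)]

if __name__ == "__main__": print(dict(lcp_summary(SAMPLE, SERVER)), looks_one_way(lcp_summary(SAMPLE, SERVER)))
```

Running the same count on a capture taken on the router's WAN side shows whether the server's GRE packets leave the router at all.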

RAMACHANDRA R Tue, 02/10/2009 - 00:28

I would suggest that you tweak the WAN/LAN interface with the ip tcp adjust-mss command in order to make it work.

Adjust the same to 1420 on WAN/LAN.

ip tcp adjust-mss 1420



comunicjsc Tue, 02/10/2009 - 15:02

Thank you very much, Rama, but this parameter did not solve our problem.

By the way, why did you suggest 1420?

Anyway, I tried several values (1420, 1452, 542) in both interfaces and only in the WAN interface, but all the connection attempts from Windows PPTP VPN were unsuccessful. Moreover, no trace was logged in the server.

Perhaps the adjustment that you suggested works for typical WAN interfaces, but we have FastEthernet on both sides of the router; our systems are hosted at an ISP.

RAMACHANDRA R Wed, 02/11/2009 - 23:24

It gives more room for PPTP to send messages like flow and congestion control, etc.

Try changing ip mtu on the WAN interface along with the tcp mss adjust command, because these two will work in conjunction.

Check the debug log in the router. The final resort would be changing the MTU on the server.

Please refer to the URL below for MTU and MSS adjust command details.



