l2tp client initiated tunnel fails to connect after new config with dmvpn

Unanswered Question

I have a router that is currently supporting a central office and a single crypto map vpn tunnel. It also supports a connection to a 3rd party network via a client initiated l2tp tunnel.

UPDATE: fogotten details: router 1841, with 12.4(15)T4

I have a need to begin supporting multiple branch office VPNs so I wanted to implement dmvpn, I also wanted to clean up the config a little.

After switching to the new config, the l2tp tunnel was unable to connect, other than cleaning up and reorganizing I don't believe I changed the what is being filtered, but I did switch from "allow established" to reflexive ACLs.

Also I need to filter traffic from the 3rd party's tunnel from accessing our internal nets, can an inbound ACL be applied to the Virtual-PPP interface, or do I need block with outbound ACLs on our internal interfaces?

cofigs (current-messy;new-clean) and error from l2tp connection attempt attached.

Thanks,

Jeff

current (messy)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Tue, 11/03/2009 - 00:21

Hello Jeff,

this kind of errors

12:13.723: %L2TP-3-ILLEGAL: _____:_____: failed to get cc: no l2tp

db hdl, -Traceback= 0x60C1122C 0x61D0E258 0x61D0E410 0x61D0C104 0x61D2EE5C 0x60

6E0DEC 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F

548 0x6102F74C

*Nov 1 08:12:13.731: %L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_db_get_cc::1035

], -Traceback= 0x60C1122C 0x61D0E258 0x61D0E3FC 0x61D0C104 0x61D2EE5C 0x606E0DE

C 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F548 0

x6102F74C

*Nov 1 08:12:13.735: %L2TP-3-ILLEGAL: _____:_____: failed to get cc: no l2tp

db hdl, -Traceback= 0x60C1122C 0x61D0E258 0x61D0E410 0x61D0C104 0x61D2EE5C 0x60

6E0DEC 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F

548 0x6102F74C

*Nov 1 08:12:13.743: %L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_db_get_cc::1035

], -Traceback= 0x60C1122C 0x61D0E258 0x61D0E3FC 0x61D0C104 0x61D2EE5C 0x606E0DE

C 0x606DEB70 0x606E11F0 0x606DFE34 0x61289954 0x6102F318 0x6102F4C8 0x6102F548 0

x6102F74C

*Nov 1 08:12:13.747: %L2TP-3-ILLEGAL: _____:_____: failed to get cc: no l2tp

db hdl, -Traceback= 0x60C1122C 0x61D0E258 0x61D0E410 0x61D0C104 0x61D2EE5C 0x60

6E

are the sign of a SW defect.

without seeing your configuration it is difficult to say more.

However, you should be able to apply an ACL in virtual-PPP interface, for example in one of our routers we have a crypto map applied in virtual-PPP.

I can see non-zero input packet counters in my virtual-PPP so it should be possible to apply an ACL inbound on it.

Hope to help

Giuseppe

Actions

This Discussion