Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2630
Views
0
Helpful
2
Replies

pptp client behind 851 cannot connect

sbigley0494
Level 1
Level 1

‎06-19-2010 02:17 PM

Group,

    I'm relatively new to Cisco having come from the sysadmin world.   I have a small remote site with 5 clients that sits behind a 851w router.   No clients behind the router can intiate a pptp session with a remote VPN server over the internet from that site.   But, another remote client site is accessed from behind the 851 using IPsec and the clients can connect with no problems.  When monitoring syslog messages, I did notice that the following messages are logged when trying to connect to the remote pptp server:

Jun 19 16:02:56 192.168.1.1 47: 000042: *May 16 19:35:04.811 UTC: %IP_VFR-3-SYST
EM_ERROR: : IP VFR System failure - A fragment packet with out pak-subblock
Jun 19 16:03:00 192.168.1.1 48: 000043: *May 16 19:35:08.795 UTC: %IP_VFR-3-SYST
EM_ERROR: : IP VFR System failure - A fragment packet with out pak-subblock
Jun 19 16:03:06 192.168.1.1 49: 000044: *May 16 19:35:14.771 UTC: %IP_VFR-3-SYST
EM_ERROR: : IP VFR System failure - A fragment packet with out pak-subblock

Any ideas?   I've included my config for reference:

Current configuration : 4087 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool Internal-Net
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW pptp
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxxxxxxxx
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip ssh version 2
!
!
!
username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
interface FastEthernet0
description Windows 7
spanning-tree portfast
!
interface FastEthernet1
description Linux Server
spanning-tree portfast
!
interface FastEthernet2
description Vonage
spanning-tree portfast
!
interface FastEthernet3
description Uplink to Desktop Switch
spanning-tree portfast
!
interface FastEthernet4
description xxxxxxxxxxxxxxxxxxxx
ip address dhcp
ip access-group Internet-inbound-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
encryption vlan 1 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxxxx transmit-key
encryption vlan 1 mode wep mandatory
!
ssid xxxxx
    vlan 1
    authentication open
    wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
channel 2412
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip https server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any eq 3389
permit tcp any any eq 1723
!
logging trap debugging
logging 192.168.1.3
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 route ip
banner motd ^C
*******************************************
*
*
* This is a private device and unauthorized
* access is prohibited.  All activity both
* authorized and unathorized is logged and
* monitored.
*
*
********************************************
^C
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxx
logging synchronous
no modem enable
line aux 0
line vty 0 4
session-timeout 45
password 7xxxxxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Labels:
0 Helpful
2 Replies 2

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-22-2010 11:43 AM

Hi,

Check if PPTP is building the translation in the NAT table. (sh ip nat trans)

Check if PPTP is being inspected correctly (sh ip inspect sess)

Check if PPTP traffic is matching against the ACL applied to the outside interface (sh access-list Internet-inbound-AC)

Federico.

0 Helpful

sbigley0494
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-23-2010 11:56 AM

Here's the output I got:

router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

tcp 71.244.30.27:1288  192.168.1.100:1288 128.242.245.43:80  128.242.245.43:80
tcp 71.244.30.27:1289  192.168.1.100:1289 128.242.245.43:80  128.242.245.43:80
tcp 71.244.30.27:1290  192.168.1.100:1290 15.219.153.212:1723 15.219.153.212:1723
tcp 71.244.30.27:1291  192.168.1.100:1291 128.242.245.43:80  128.242.245.43:80
tcp 71.244.30.27:1292  192.168.1.100:1292 128.242.245.43:80  128.242.245.43:80
gre 71.244.30.27:49152 192.168.1.100:49152 15.219.153.212:49152 15.219.153.212:49152

gre 71.244.30.27:51943 192.168.1.100:51943 15.219.153.212:51943 15.219.153.212:51943

router#sh access-lists Internet-inbound-ACL
Extended IP access list Internet-inbound-ACL
    10 permit udp any eq bootps any eq bootpc (286 matches)
    20 permit icmp any any echo (12 matches)
    30 permit icmp any any echo-reply (27 matches)
    40 permit icmp any any traceroute
    50 permit gre any any (7 matches)
    60 permit esp any any (27 matches)
    70 permit tcp any any eq 3389 (39 matches)
    80 permit tcp any any eq 1723
router#show ip inspect sess
Established Sessions
Session 82729E14 (192.168.1.100:3843)=>(15.216.108.152:443) tcp SIS_OPEN
Session 8272E4C4 (192.168.1.100:4811)=>(15.200.32.67:443) tcp SIS_OPEN
Session 82726604 (192.168.1.100:3847)=>(15.216.108.152:443) tcp SIS_OPEN
Session 82726874 (192.168.1.100:1290)=>(15.219.153.212:1723) pptp SIS_OPEN

Its seems like the session is being initiated.  Are you seeing the same?

0 Helpful
Customers Also Viewed These Support Documents