- Absurd PPTP problems: PPTP out no longer works.
- Posted by Elia Spadoni on March 29th, 2008
Hello
I have a weird problem that I have been trying to resolve for 15 hours now...
I have the exact identical problem on two sites,
the first is a C2611 with 12.3(25) ADVSEC
the second site is a 2650 with 12.4(18) ADVSEC
here is the conf:
The problem is that ANY outgoing PPTP doesn't work at all. I was desperate
and "downgraded" the 2650 (conf is below) to a 12.2(9)T and it worked.
Current configuration : 7099 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
no service dhcp
!
hostname 89-186-68-6.dcpool.ip
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 notifications
no logging console
no logging monitor
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone CET 1
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 45
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name OUT-IN esmtp
ip inspect name OUT-IN pop3
ip inspect name OUT-IN pop3s
ip inspect name OUT-IN http
ip inspect name OUT-IN https
ip inspect name OUT-IN imap
ip inspect name OUT-IN imaps
ip inspect name OUT-IN ftp
ip inspect name OUT-IN ftps
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip ips sdf location flash:128mb.sdf
ip ips signature 2004 0 disable
ip ips signature 2001 0 disable
ip ips name AUDIT
no ip bootp server
ip domain round-robin
ip domain name kpnqwest.it
ip name-server 217.97.32.2
ip name-server 217.97.32.7
login block-for 120 attempts 5 within 60
login on-failure log
!
!
!
!
username xxxxxxxxxxxxxxx
!
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
description KPNQWest ADSL 2048/512
no ip address
no ip redirects
no ip proxy-arp
no ip mroute-cache
atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
description Point to Point Uplink
bandwidth 2048
ip address 89.186.68.6 255.255.255.252
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip inspect OUT-IN in
ip ips AUDIT in
ip nat outside
ip virtual-reassembly max-fragments 16 max-reassemblies 64
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address 172.16.0.12 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
hold-queue 100 in
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0/0.1
!
no ip http server
no ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface ATM0/0.1 overload
ip nat inside source static tcp 172.16.0.1 25 89.186.68.6 25 extendable
ip nat inside source static tcp 172.16.0.1 80 89.186.68.6 80 extendable
ip nat inside source static tcp 172.16.0.1 110 89.186.68.6 110 extendable
ip nat inside source static tcp 172.16.0.1 443 89.186.68.6 443 extendable
ip nat inside source static tcp 172.16.0.1 465 89.186.68.6 465 extendable
ip nat inside source static tcp 172.16.0.1 995 89.186.68.6 995 extendable
ip nat inside source static tcp 172.16.0.1 3389 89.186.68.6 3389 extendable
ip nat inside source static tcp 172.16.0.10 33389 89.186.68.6 33389 extendable
!
!
no logging trap
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 89.186.68.6 any
access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6
access-list 100 permit esp host 77.93.230.26 host 89.186.68.6
access-list 100 permit udp host 77.93.230.26 host 89.186.68.6 range snmp snmptrap
access-list 100 permit udp 77.93.229.208 0.0.0.7 host 89.186.68.6 range snmp snmptrap
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit udp any eq ntp any
access-list 100 permit udp any eq domain any
access-list 100 deny udp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 deny icmp any any
access-list 100 deny udp any any eq echo
access-list 100 deny udp any any range 33400 34400
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp host 77.93.230.26 host 89.186.68.6 eq 22
access-list 100 permit tcp 77.93.229.208 0.0.0.7 host 89.186.68.6 eq 22
access-list 100 deny tcp any any eq 22
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 465
access-list 100 deny udp any any range snmp snmptrap
access-list 100 permit tcp any any eq 990
access-list 100 permit tcp any any eq 995
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit 41 any any
access-list 100 permit gre any any
access-list 100 deny ip any any log
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact xxxxxxxx
no cdp run
!
!
control-plane
!
!
!
banner login ^C
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
Network Administrator: GOD@paradise.org
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
login local
transport preferred none
transport output telnet
stopbits 1
line vty 0 4
login local
transport preferred none
transport input ssh
transport output all
flowcontrol software
!
scheduler max-task-time 5000
ntp server 192.43.244.18
ntp server 193.204.114.105
!
end
- Posted by Elia Spadoni on March 30th, 2008
If I enable debug I just see:
%FW-6-DROP_TCP_PKT: Dropping tcp pkt 83.233.181.2:1723 => 172.16.0.9:3519 due to SYN inside current window -- ip ident 0 tcpflags 0xA012 seq.no 96264208 ack 3269803051
since that IP is one of my PPTP servers, it may be the cause
how can I resolve that issue?
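As an added example, not something posted in the thread, here is a Python parser for the %FW-6-DROP_TCP_PKT line quoted above, with the tcpflags value decoded. It assumes, from the field name and the value, that IOS prints the 16-bit TCP data-offset/flags word, so 0xA012 is a 40-byte header carrying SYN+ACK; the sample line is a constructed copy of the one in the post, and the "source port 1723 plus SYN+ACK" rule for spotting a dropped PPTP control-channel reply is my own heuristic.

```python
import re

# Constructed sample: the debug line quoted in the post, joined onto one line.
# Not captured from any live device.
SAMPLE_LOG = (
    "%FW-6-DROP_TCP_PKT: Dropping tcp pkt 83.233.181.2:1723 => 172.16.0.9:3519 "
    "due to SYN inside current window -- ip ident 0 tcpflags 0xA012 "
    "seq.no 96264208 ack 3269803051"
)

PPTP_CONTROL_PORT = 1723

# Control bits in the low byte of the TCP offset/flags word (RFC 793 plus ECN bits).
TCP_FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]

LOG_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) => "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) -- ip ident (?P<ident>\d+) "
    r"tcpflags 0x(?P<flags>[0-9A-Fa-f]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)


def decode_tcpflags(word: int) -> dict:
    """Split the 16-bit value IOS prints as 'tcpflags' (assumed to be TCP header bytes
    12-13) into the header length and the names of the set control bits."""
    data_offset_words = (word >> 12) & 0xF          # high nibble: offset in 32-bit words
    flags = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return {"header_len": data_offset_words * 4, "flags": flags}


def parse_drop(line: str) -> dict:
    """Parse one %FW-6-DROP_TCP_PKT line into a dict; raise ValueError for other lines."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a %FW-6-DROP_TCP_PKT line")
    d = m.groupdict()
    rec = {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "reason": d["reason"], "ident": int(d["ident"]),
        "seq": int(d["seq"]), "ack": int(d["ack"]),
    }
    rec.update(decode_tcpflags(int(d["flags"], 16)))
    # Heuristic (mine): a dropped segment from source port 1723 carrying SYN+ACK is the
    # PPTP server's reply on the control channel, i.e. the handshake never completes.
    rec["pptp_synack_dropped"] = (
        rec["sport"] == PPTP_CONTROL_PORT and {"SYN", "ACK"} <= set(rec["flags"])
    )
    return rec


if __name__ == "__main__":
    for key, value in parse_drop(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it decodes the quoted line to a 40-byte TCP header with SYN and ACK set, sent from the PPTP server's port 1723 to the inside client's port 3519, which is exactly the second packet of the control-channel handshake.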
- Posted by Merv on March 30th, 2008
Open a case with the Cisco TAC
- Posted by Elia Spadoni on March 30th, 2008
What if I don't have any service contracts?
Is the config correct?
"Merv" <merv.hrabi@rogers.com> wrote in message
news:189da732-2c0c-46a8-b60c-60b906f59376@y21g2000hsf.googlegroups.com...
- Posted by Elia Spadoni on March 30th, 2008
Just tried to downgrade to 12.4 IPBASEK9 with the same config. Doesn't work.
Downgraded to 12.3(25) ADVSEC K9, it works perfectly.
- Posted by Merv on March 30th, 2008
On Mar 30, 8:08 am, "Elia Spadoni" <ad...@NOSPAMspadhausen.com> wrote:
There have been a number of issues reported with PPTP in 12.4
then don't call the TAC ;-))
- Posted by Elia Spadoni on March 30th, 2008
Hello Merv,
I have done some progress:
Well:
on 12.4 (assuming that we always use the same config, just swap the IOS and
restart the router) I CANNOT connect to a remote PPTP server. On a second
site I have a /29 range and I can successfully connect to a remote PPTP
server, but in this case I have the public /29 IP address directly on the
ETH of the PC from which I initiate the connection.
"Merv" <merv.hrabi@rogers.com> wrote in message
news:a3f5326f-dffb-434c-ad08-1cec6b44230c@59g2000hsb.googlegroups.com...
- Posted by Merv on March 30th, 2008
PPTP uses a control channel (TCP session on port 1723) and a separate
data channel using a GRE tunnel which carries the PPP traffic.
Your PC will open the control channel first
see the PPTP RFC for protocol details: http://www.ietf.org/rfc/rfc2637.txt
With the 12.4 IOS version, the handling of one or both of these
channels must have changed in some fashion.
You might want to see if modifying your config (which you should not
have to do) as per the Cisco doc
"Configuring PPTP Through PAT to a Microsoft PPTP Server"
http://www.cisco.com/en/US/tech/tk82...0949c0 .shtml
makes any difference with 12.4
Basically you are adding the keyword overload and also using the
keyword interface instead of explicit IP address:
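As an added example (not from the thread or from the Cisco document), the two conditions Merv describes, checked in Python against a constructed excerpt of the posted config: a small first-match evaluator for the extended ACL on the outside interface, run against the PPTP server's SYN/ACK from TCP 1723 and against its GRE data-channel packet, plus a check that the NAT statement uses `interface ... overload`. The addresses are the ones quoted in the thread, and the evaluator handles only the ACE syntax that ACL uses (any/host/wildcard addresses, eq/lt/gt/range port operators, fragments, log); ICMP type keywords are left out.

```python
import ipaddress
import re

# Constructed excerpt of the config quoted in the thread: the NAT statement as posted and a
# shortened ACL 100 keeping the entries a PPTP return packet can hit. Built for this example,
# not taken from a live device.
CONFIG = """\
ip nat inside source list 102 interface ATM0/0.1 overload
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip host 89.186.68.6 any
access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 deny tcp any any eq 22
access-list 100 permit tcp any any
access-list 100 permit gre any any
access-list 100 deny ip any any log
"""
PORT_NAMES = {"isakmp": 500, "domain": 53, "ntp": 123, "snmp": 161, "snmptrap": 162, "ftp": 21}
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PPTP_CONTROL_PORT = 1723
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.*)$")

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _parse_addr(toks):
    """Consume 'any' | 'host A' | 'A wildcard' (1 bits = don't-care, contiguous masks only)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    prefix = 32 - int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]

def _parse_ports(toks):
    """Consume an optional eq/lt/gt/range port operator; return (op tuple or None, rest)."""
    if toks and toks[0] in ("eq", "lt", "gt"):
        return (toks[0], _port(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return ("range", _port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks

def parse_acl(config, number):
    """Parse the ACEs of one numbered extended ACL. ICMP type keywords are not handled."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != str(number):
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        proto_num = None if proto == "ip" else (int(proto) if proto.isdigit() else PROTO_NUMBERS[proto])
        src, rest = _parse_addr(rest)
        sport, rest = _parse_ports(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_ports(rest)   # leftovers: 'fragments', 'log'
        aces.append({"action": action, "proto": proto_num, "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "mods": set(rest), "text": line.strip()})
    return aces

def _port_ok(op, port):
    if op is None:
        return True
    if port is None:      # ACE constrains a port the packet does not carry (e.g. GRE)
        return False
    kind, lo = op[0], op[1]
    return {"eq": port == lo, "lt": port < lo, "gt": port > lo}.get(kind, lo <= port <= op[-1])

def evaluate(aces, pkt):
    """First-match evaluation with the implicit deny at the end.
    pkt keys: proto, src, dst, optional sport/dport/fragment. Returns (action, ACE text|None)."""
    for ace in aces:
        if ace["proto"] not in (None, PROTO_NUMBERS[pkt["proto"]]):
            continue
        if (ipaddress.ip_address(pkt["src"]) not in ace["src"]
                or ipaddress.ip_address(pkt["dst"]) not in ace["dst"]):
            continue
        if "fragments" in ace["mods"]:   # matches only non-initial fragments (no L4 header)
            if not pkt.get("fragment"):
                continue
        elif not (_port_ok(ace["sport"], pkt.get("sport"))
                  and _port_ok(ace["dport"], pkt.get("dport"))):
            continue
        return ace["action"], ace["text"]
    return "deny", None

def pptp_passthrough_report(config, acl_number):
    """What the outside ACL does to the two return-path flows PPTP needs, plus the PAT check.
    Addresses are the PPTP server and the router's ATM address quoted in the thread."""
    aces = parse_acl(config, acl_number)
    synack = {"proto": "tcp", "src": "83.233.181.2", "sport": PPTP_CONTROL_PORT,
              "dst": "89.186.68.6", "dport": 3519}
    gre = {"proto": "gre", "src": "83.233.181.2", "dst": "89.186.68.6"}
    pat = re.search(r"^ip nat inside source list \S+ interface \S+ overload$", config, re.M)
    return {"control_channel": evaluate(aces, synack),
            "gre_data_channel": evaluate(aces, gre),
            "pat_to_interface_with_overload": pat is not None}

if __name__ == "__main__":
    for k, v in pptp_passthrough_report(CONFIG, 100).items():
        print(f"{k}: {v}")
```

Against the posted ACL both return flows fall through the bogon denies and the low-port deny and land on `permit tcp any any` and `permit gre any any`, and the NAT statement already carries both keywords the Cisco document asks for; as far as the ACL and the PAT statement go, the config matches what the document describes.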
- Posted by Elia Spadoni on March 30th, 2008
Hello
Thank you for your link.
I think it is a bug of the IOS.
Since with the SAME IDENTICAL config, it works perfectly on 12.4(8) ADV SEC.
I am now trying to flash the 12.4(12)a, b, etc., and also the 12.4(17) and
17a to see what is the latest release that works.
"Merv" <merv.hrabi@rogers.com> wrote in message
news:db66690b-87d3-4766-9d2e-5e117ff0bcc6@z38g2000hsc.googlegroups.com...
- Posted by Elia Spadoni on March 30th, 2008
Solved my issue
the buggy release is 12.4(18) - any release of it, tested with IPBASEK9,
ADVIPSERVICES and ADVSECURITY,
doesn't work.
Tested 12.4(17a): it works perfectly, and so do the previous releases of 12.4
- Posted by Bod43@hotmail.co.uk on March 30th, 2008
On 30 Mar, 18:17, "Elia Spadoni" <ad...@NOSPAMspadhausen.com> wrote:
If one 12.4(18) is broken then it would be expected that
all Feature Sets in that version would be similarly
broken. Unless of course the particular buggy feature
was not in the Feature Set.
This may apply less strictly to other Trains, e.g. T, XLQ,
whatever they come up with next.
IPBASEK9, ADVIPSERVICES, ADVSECURITY
being Feature Sets.
Well done figuring it out.
- Posted by Elia Spadoni on March 30th, 2008
Hello
since I did not need any particular feature, I first tried with the IPBASE
so I was sure that a lighter IOS was loaded.
I just needed to connect to a PPTP server with a PC behind the NAT, a very
simple thing to do!
Every 12.4(18) I tried returns errors on the PPTP link. No outgoing PPTP VPN
works.
With 12.4(17a) everything works PERFECTLY.
I begin to think that all my troubles with the IPsec + GRE tunnel could be
related to this buggy IOS.
<Bod43@hotmail.co.uk> wrote in message
news:c06b5201-a197-4316-a9ce-afe8637675f8@b1g2000hsg.googlegroups.com...
- Posted by Merv on March 30th, 2008
On Mar 30, 1:20 pm, "Elia Spadoni" <ad...@NOSPAMspadhausen.com> wrote:
Elia, go for the extra bonus points and determine the Cisco bug
id ;-)))
- Posted by Elia Spadoni on March 30th, 2008
Hello
how can I do that?
- Posted by Merv on March 30th, 2008
On Mar 30, 2:08 pm, "Elia Spadoni" <ad...@NOSPAMspadhausen.com> wrote:
You need a Cisco CCO account to do that - you can register for a guest
account I guess
Not sure if the bug toolkit would be visible to guest accounts or not
http://tools.cisco.com/Support/BugTo...ion=searchBugs
- Posted by Merv on April 1st, 2008
perhaps it is
CSCsm34632 PPTP doesn't pass through static NAT
Symptoms: PPTP connection does not get established properly. Users are
stuck in authentication phase
Conditions: Occurs when PPTP server is behind a NAT router configured
with a static NAT entry.
1st Found-In: 12.4(17.4)T, 12.4(17.8)M
Fixed-In: 12.4(19.11)M, 12.4(19.11)T