Problem: IPv6 w/ PPPoE on Cisco 2901

Folks: I have this Cisco 2901 configured with PPPoE and IPv6 and connect it through a CO (DSLAM) to an Actiontec xDSL router. PPPoE connections are on FE0/0/0, through virtual template.
The Actiontec router gets NA and PD addresses successfully and LAN PC connected to Actiontec router can surf the IPv6 Internet w/ no problem. However, Cisco 2901 can't reach the Actiontec router by its NA or TA public IPv6 address. A 'stupid' workaround is to manually add a route w/ the virtual access. It is stupid cuz each new connection will bring up a different virtual access.
I guess this is a bug on 2901, but want to confirm with you guys first. Now the whole config:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname AEI_SV_Cisco_2091
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no aaa new-model
ipv6 unicast-routing
ipv6 dhcp pool HE
prefix-delegation pool HE-48
address prefix 2001:470:1F05:7A::/64
ipv6 cef
ip dhcp pool default
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
ip dhcp pool dslam1
network 10.11.11.0 255.255.255.0
default-router 10.11.11.1
dns-server 10.11.11.1
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
multilink bundle-name authenticated
vpdn enable
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3962993046
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3962993046
revocation-check none
rsakeypair TP-self-signed-3962993046
crypto pki certificate chain TP-self-signed-3962993046
certificate self-signed 01
            quit
license udi pid CISCO2901/K9 sn FCZ15489123
username admin privilege 15 secret 5 $1$.CdN$d0DXERD9PqUtu6XPilTv/.
username chap password 0 chap
bba-group pppoe global
virtual-template 1
sessions max limit 256
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F04:7A::2/64
ipv6 enable
tunnel source 173.13.177.215
tunnel mode ipv6ip
tunnel destination 72.52.104.74
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip nat allow-static-host
ip nat enable
ip virtual-reassembly in
shutdown
duplex auto
speed auto
ipv6 enable
ipv6 dhcp server HE1
interface GigabitEthernet0/1
ip address 173.13.177.215 255.255.255.240
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 10.11.11.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address 2001:470:1F05:7A::1/64
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server HE
pppoe enable group global
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
interface Virtual-Template1
mtu 1492
ip unnumbered FastEthernet0/0/0
ip nat inside
ip nat enable
ip virtual-reassembly in
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
no ipv6 nd ra suppress
ipv6 dhcp server HE
peer default ip address dhcp-pool dslam1
peer default ipv6 pool HE
ppp authentication chap
no routing dynamic
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 173.13.177.222
access-list 1 permit any
ipv6 route ::/0 Tunnel0
ipv6 local pool test 2001:470:7007::/48 64
ipv6 local pool HE-48 2001:470:8008::/48 64
control-plane
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport preferred none
transport input all
transport output all
line vty 5 15
privilege level 15
login local
transport preferred none
transport input all
transport output all
scheduler allocate 20000 1000
end
See, both IPv4 and IPv6 are using the virtual template to get PPPoE to work. Everything's working fairly well on IPv4. I can ping from the Cisco to the 10.11.11.x address on the Actiontec router. But with IPv6, I can't ping the 2001:470:1f05:7a:: address on the Actiontec router. The correct route through virtual-access is not installed, or the F0/0/0 interface doesn't pass the IPv6 traffic to the corresponding virtual access interface:
AEI_SV_Cisco_2091#sh ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery, l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via Tunnel0, directly connected
C   2001:470:1F04:7A::/64 [0/0]
     via Tunnel0, directly connected
L   2001:470:1F04:7A::2/128 [0/0]
     via Tunnel0, receive
C   2001:470:1F05:7A::/64 [0/0]
     via FastEthernet0/0/0, directly connected (this sounds correct, but I'm not able to reach client from this interface)
L   2001:470:1F05:7A::1/128 [0/0]
     via FastEthernet0/0/0, receive
S   2001:470:8008::/64 [1/0]
     via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
L   FF00::/8 [0/0]
     via Null0, receive
Can someone help? Thanks!
Henry

Hi,
The 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet. Even though I had no end-to-end connectivity I could see packets matching the outbound ACL which were created from a host on that subnet.
Carsten
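
The routing table from the first post, replayed through a longest-prefix match, as an added example that is not part of the original thread. It shows that an address from the DHCPv6 address pool (2001:470:1F05:7A::/64) resolves to the connected route on FastEthernet0/0/0, while only the delegated prefix has a route through the Virtual-Access interface. The two destination addresses are constructed, and the lookup models the table as printed, not CEF or PPPoE forwarding internals.

```python
import ipaddress
import re

# "show ipv6 route" entries copied from the post above (legend lines and the
# poster's inline remark omitted).
SHOW_IPV6_ROUTE = """\
S   ::/0 [1/0]
     via Tunnel0, directly connected
C   2001:470:1F04:7A::/64 [0/0]
     via Tunnel0, directly connected
L   2001:470:1F04:7A::2/128 [0/0]
     via Tunnel0, receive
C   2001:470:1F05:7A::/64 [0/0]
     via FastEthernet0/0/0, directly connected
L   2001:470:1F05:7A::1/128 [0/0]
     via FastEthernet0/0/0, receive
S   2001:470:8008::/64 [1/0]
     via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
L   FF00::/8 [0/0]
     via Null0, receive
"""

# First line of an entry: route code, prefix, [distance/metric].
ENTRY = re.compile(
    r"^(?P<code>[A-Za-z0-9]+)\s+(?P<prefix>[0-9A-Fa-f:]+/\d+)\s+\[\d+/\d+\]"
)
# Interface names as they appear on the "via" lines of this output.
IFACE = re.compile(
    r"\b(?:Tunnel|FastEthernet|GigabitEthernet|Virtual-Access|Null)[\d/.]+"
)


def parse_routes(text):
    """Turn the two-line route entries into dicts with a parsed network."""
    routes = []
    current = None
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = {
                "code": entry["code"],
                "net": ipaddress.ip_network(entry["prefix"]),
                "iface": None,
            }
            routes.append(current)
        elif current is not None and line.strip().startswith("via"):
            iface = IFACE.search(line)
            if iface:
                current["iface"] = iface.group(0)
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def egress_report(routes, destinations):
    """For each labelled destination, report the winning route and whether it
    points at a per-session Virtual-Access interface."""
    report = {}
    for label, dest in destinations.items():
        route = lookup(routes, dest)
        iface = route["iface"] if route else None
        report[label] = {
            "dest": dest,
            "route": f'{route["code"]} {route["net"]}' if route else None,
            "iface": iface,
            "per_session": bool(iface and iface.startswith("Virtual-Access")),
        }
    return report


ROUTES = parse_routes(SHOW_IPV6_ROUTE)

# Constructed destinations: one inside the DHCPv6 address pool prefix (the
# CPE's WAN-side NA address), one inside the delegated /64.
SAMPLE_DESTS = {
    "cpe_wan_na": "2001:470:1f05:7a::100",
    "cpe_lan_pd": "2001:470:8008::1",
}

if __name__ == "__main__":
    for label, row in egress_report(ROUTES, SAMPLE_DESTS).items():
        print(f'{label:11} {row["dest"]:24} -> {row["route"]} via {row["iface"]} '
              f'(per-session route: {row["per_session"]})')
```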

Similar Messages

  • Nice People HELP ME!!! IPv6 over PPPoE Configuration on Cisco 7206VXR

    I have a 7206VXR which connects to a DSLAM via the router's ATM/DS3 interface. A CPE home router connects to the DSLAM. So it's like:
    PC -----ethernet---- CPE Router ------ dsl line ------ DSLAM ----- atm/pppoe ------- BVI/Virtual-Template/PPPoE on Cisco 7206VXR
    Now the problem is:
    - PC CAN ping the BVI interface of Cisco, but NOT beyond that. For instance he can't ping 7206's loopback ipv6 address.
    - I found something interesting on the CPE, that CPE itself can't ping BVI interface of Cisco, AND it doesn't have a default gateway ::/0 set on itself. I manually added a default router like "route -A inet6 add ::/0 gw <BVI's IPv6 addr>", and the problem got solved and PC can ping Cisco's loop back IP now. But this is not a solution since I want this thing to be automatically ready.
    Note both CPE and PC are happy with global IPv6 addressed assigned.
    I believe this problem is related to how PPPoE/IPCPv6 handles addresses and prefixes.
    Ok, now some configuration details: I use 2001:7:7::/64 for the "WAN" side of CPE, and 2001:8:8::/64 for its LAN side (PCs). And here's the Cisco config (only related stuff is shown here):
    ipv6 unicast-routing
    ipv6 cef
    ipv6 dhcp pool foo
    prefix-delegation pool test
    address prefix 2001:7:7::/64
    bridge irb
    bba-group pppoe global
    virtual-template 2
    sessions max limit 256
    interface Loopback0
    no ip address
    ipv6 address 2001:9:9::1/64
    ipv6 enable
    interface Virtual-Template2
    description Public PPP CHAP
    mtu 1492
    ip unnumbered BVI1
    ip pim sparse-dense-mode
    ip igmp version 3
    ipv6 unnumbered BVI1
    ipv6 enable
    ipv6 mtu 1492
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    ipv6 nd router-preference High
    no ipv6 nd ra suppress
    ipv6 dhcp server foo
    peer default ip address dhcp-pool Public
    peer default ipv6 pool test
    ppp authentication chap
    ppp pap refuse
    interface BVI1
    description Public IP ADSL
    ip address 12.230.197.129 255.255.255.224
    ip pim sparse-dense-mode
    ip igmp version 3
    ipv6 address 2001:7:7::1/64
    ipv6 enable
    ipv6 mtu 1492
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    ipv6 nd router-preference High
    no ipv6 nd ra suppress
    ipv6 nd ra lifetime 60
    ipv6 nd ra interval 40
    ipv6 local pool test 2001:8:8::/56 64
    NICE PEOPLE PLS HELP ME! ^_^

    Thanks Andrew for your response and sorry for the confusion: actually I didn't include all my config lines. For bridging, actually I did what you mentioned and everything works fine with IPv4:
    interface ATM1/0.3 multipoint
    description Public DHCP
    bridge-group 1
    pvc 1/1060
      encapsulation aal5snap
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip

  • Problem with ipv6 over pppoe

    Dear Sir/Madam,
    I am using an ISP that assigns me IPv6 over a PPPoE connection. I don't have any problem with Windows, and by creating a PPPoE connection everything works correctly, but in OS Mavericks I don't get IPv6 automatically even though I set configure IPv6 automatically in my network preferences.
    It is very important for me because I want to switch IPv6 in my mac.
    Best Regards,
    Massoud

    It works if I set manually but I think because there is no option for receive ip via ppp and the pppoe connection can not receive ipv6 automatically same as ipv4.

  • Is Cisco 2901 router suffering from the heartbleed problem?

    I am not quite familiar with networking product. So may be this is a stupid question.
    We have recently bought a Cisco 2901 router.
    http://www.cisco.com/c/en/us/products/routers/2901-integrated-services-router-isr/index.html
    We checked the cisco heartbleed info page.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    But Cisco 2901 is listed neither in "Vulnerable products" nor in "Products Confirmed Not Vulnerable".
    So, is Cisco 2901 vulnerable or not?
    Or does it depend on the firmware version? How to check?

    Just to add to the above. It actually says that IOS is NOT affected.
    The following Cisco products have been analyzed and are not affected by this vulnerability:
    Cisco 1000 Series Connected Grid Routers
    Cisco 200 Series Smart Switches
    Cisco 300 Series Managed Switches
    Cisco 500 Series Stackable Managed Switches
    <<<<<<<<SNIPPED>>>>>>>>>
    Cisco Identity Service Engine (ISE)
    Cisco Insight Reporter
    Cisco Integrated Management Controller (IMC)
    Cisco Intelligent Automation for Cloud
    Cisco IOS XR
    Cisco IOS
    Cisco IP Communicator
    Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

  • Connectivity issues between Cisco 2901 and Cisco SG300-52

    Hello,
    I am having some serious connectivity issues between the hosts in my LAN.
    My LAN is based on a Cisco 2901 router and a Cisco SG300-52 port switch.
    The issue that has been happening is that connections between hosts on the LAN (remote desktop, extended ping, etc) is very unstable, at some point I can see a 35% lost packets on an extended ping. This happens at any time of the day and from any host.
    All hosts are on the same Vlan (default Vlan) and on the same subnet. Some hosts have fixed IP addresses (servers and network equipment) and others obtain their IP address through a DHCP reservation established on the router (reserved with the MAC address of every host).
    I can provide further details if needed, because this issue is very serious and I would really appreciate any insight or support.
    Many thanks in advance.
    Sair Amer
    EDIT:  After doing every test we could think of, we finally found the reason behind this problem.
    It turns out that the switch has problems handling communications between clients at different speeds, because most of the hosts connected were working at 100 Mbps but the servers were working at 1000 Mbps (and the communication between host and servers wasn't stable).
    After manually setting the speed on all ports to 100 Mbps the problems have stopped.
    Many thanks for your help on this issue.

    Building configuration...
    Current configuration : 4123 bytes
    ! Last configuration change at 12:06:16 PCTime Sat Jul 19 2014 by ccp
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Foninsa
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$BDbJ$HN3VP8nmywrGB55RCxPd30
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    clock timezone PCTime -4 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
    no ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.151 192.168.1.255
    ip dhcp pool FONINSA
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1 
     dns-server 8.8.8.8 8.8.4.4 
    ip dhcp pool Laptop-Sporta-Wifi
     host 192.168.1.10 255.255.255.0
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-213585710
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-213585710
     revocation-check none
     rsakeypair TP-self-signed-213585710
    crypto pki certificate chain TP-self-signed-213585710
     certificate self-signed 01
      30820229 30820192
      quit
    license udi pid CISCO2901/K9 sn
    license boot module c2900 technology-package securityk9
    username ccp privilege 15 password
    redundancy
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 190.196.21.98 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    no ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.3 21 190.196.21.98 21 extendable
    ip nat inside source static tcp 192.168.1.3 80 190.196.21.98 80 extendable
    ip nat inside source static udp 192.168.1.8 1194 190.196.21.98 1194 extendable
    ip nat inside source static tcp 192.168.1.4 3389 190.196.21.98 3389 extendable
    ip nat inside source static tcp 192.168.1.9 3389 190.196.21.98 10000 extendable
    ip nat inside source static tcp 192.168.1.3 3389 190.196.21.98 20000 extendable
    ip route 0.0.0.0 0.0.0.0 190.196.21.97
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
     password $
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 5
     access-class 23 in
     privilege level 15
     password #
     transport input telnet ssh
    no scheduler allocate
    end

  • What's wrong? Verify and compare Cisco 2901 config after loading old config from Cisco 2801

    Hi Cisco Community / Friends,
    I am new to this site though I have had a Cisco account for many years. I am a CCNA; I passed my certification in January 2013. I seldom use my networking skills because of my type of work. I am a Project Eng'r working in a system integrator company. Anyway, I would like to ask for assistance with the configuration of my Cisco router for this gov't project. Here's the situation.
    We have a new project for the VSAT Comm'n of Coast Watch Station. The VSAT was installed 7 years ago. The VSAT was only used for a year by this gov't agency because of a subscription issue. Now they want to revive and use their VSAT facilities for Coast Watch monitoring. Some of these routers are still working, but at some sites they are already defective, so I need to replace the old 2801 router with a new equivalent model, which is the Cisco 2901. My plan was just to load the old config into the new Cisco 2901 router. However, after loading it to the new router, I am a little worried because I received some errors. I loaded the old config by copying the old files, editing them in Notepad, and loading the config using SecureCRT (terminal emulator). When I copy the old config of the Cisco 2801 to the new Cisco 2901 router, the commands below are not recognized on the Cisco 2901. What's wrong? What are these commands for?
    Appreciate your comments and help on this matter. Thank you very much.
    Note: I Attached the original config from Cisco 2801 and the other file is the config after I load the config file to Cisco 2901.
    (Errors see below)
    CWS_4_Pandami(config-erm)#mmi polling-interval 60
                                                           ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-erm)#no mmi auto-configure
                                                           ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-erm)#no mmi pvc
                                                           ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-erm)#mmi snmp-timeout 180
                                                            ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-if)#interface GigabitEthernet0/1
    CWS_4_Pandami(config-if)# description ===CWS4 SAT Modem===
    CWS_4_Pandami(config-if)# bandwidth 256
    CWS_4_Pandami(config-if)# ip address 192.168.42.1 255.255.255.0
    CWS_4_Pandami(config-if)# duplex auto
    CWS_4_Pandami(config-if)# speed auto
    CWS_4_Pandami(config-if)# priority-group 1
                                                        ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config)#access-list 100 permit ip any any dscp cs5
    CWS_4_Pandami(config)#priority-list 1 protocol ip high list 100
                                                    ^
    % Invalid input detected at '^' marker.

    Hi
    From Cisco's website:
    The Modem Management Interface (MMI) is software that enables auto-provisioning for the Cisco 827 routers. The MMI uses a fixed PVC to communicate with the Proxy Element (PE) residing on the digital subscriber line access multiplexer (DSLAM). Using MMI, the Cisco 827 router updates the running image and downloads the prescribed configuration using a configuration file or configuration values in a provisioning information database.
    The customer premise equipment (CPE) can be automatically configured using the Cisco DSL CPE download, but it can be configured only with the image provisioning feature.
    So because this is your device, you don't want to use MMI anyways.
    And "priority-list" is QoS. Probably that QoS-command is old and removed, because now QoS is configured using class-maps and policy-maps.

  • PIX515e dual-stack ipv4 & ipv6 over PPPoE

    Hi Everyone,
    In short: I am trying to get ipv4 and ipv6 over PPPoE running on my PIX515e.
    Here's a bit more info about my setup and the scenario:
    My internet provider (residential) has offered me a dual-stack service on my ADSL.
    I get a STATIC ipv4 address, but a DYNAMIC ipv6 address. Additionally I get a STATIC ipv6 /56 prefix for my lan "if my router supports prefix delegation".
    My PIX is the 515e and it's running PIX 7.2(4) with ASDM 5.2.
    Getting the ipv4 side of it working isn't an issue - I've configured the pppoe side of it with my username and password, and configured my outside interface (Ethernet 0) with the ipv4 address.
    But I cannot figure out how to get a dynamic ipv6 address on the outside (Ethernet 0) interface.
    At this stage all I care about is getting a dynamic ipv6 address on Ethernet 0. I don't care about the "lan" prefix or Prefix Delegation part of it because I figure I'll just NAT my lan ipv6 addresses out to the internet using the dynamic ipv6 address on the outside interface.
    I've read a lot of articles and looked at a lot of examples but none quite explain what I'm trying to do.
    I have enabled ipv6 on the outside interface - ipv6 enable
    and I've looked at ipv6 address and I've found the autoconfigure option but that doesn't appear to fetch the ipv6 address from my internet provider.
    I guess I'm expecting to see something like ipv6 address dhcp or ipv6 address pppoe
    So my question is does anyone know how I can get dual-stack working on my outside interface with dynamically assigned ipv6 from pppoe.
    Or do I need to update the PIX software on my device. If so, can anyone suggest which version?
    Any help is greatly appreciated.

    I wanted to provide an update on this topic.  It turns out the traffic class that I was testing with was overlapping another class's match statement, which had a much lower bandwidth percentage.
    After making the corrections, it seems the IPv4 and IPv6 work very well together in the queues.  And now that you can run fair-queueing per class, I'm actually impressed with how well it is working.
    Now if only I could classify traffic based on the number of packets/bytes seen in netflow.... then I could shape some really nice QoS policies!

  • Enable Web gui on Cisco 2901 ISR running IOS 15...

    I have recently purchased a Cisco 2901 Integrated Service Router that is running IOS 15... and need some help activating the WEB GUI Interface. I have read some documentation and have not had any luck. Some detailed instructions for the command line would be great if someone has the time to help.
    Thanks

    Hi,
    It looks as though there is not a Web GUI available for the 2901. However, Cisco does provide a tool called Cisco Configuration Professional, which provides tools to configure routers. It provides options for configuring many different functions in Cisco routers. You can follow the steps laid out in this article: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_configuration_professional/guides/CiscoCPqsg.html
    This gives a great overview of how to install and start using Configuration Professional. I hope this helps, and please feel free to respond with any further questions. I will certainly do my best to answer them!
    Garrett

  • Initial configuration of a Cisco 2901 router

    Dear all, first of all, please excuse my ignorance.
    I have the following scenario, and I want to start replacing some equipment.
    I have an RV042 connected to the Internet and to a 3COM switch.
    I want to replace this equipment with a Cisco 2901 and an SG500 switch.
    I have not used Cisco IOS before, and I want to start by configuring the basics: Internet access. Later I would need to add VPNs, but that would be a second step.
    I have been reading about ACLs and routing tables, but I can't get it to work. I can ping the devices but I can't browse.
    At the moment I have started over and the router is reset to factory defaults.
    Can you guide me?
    Thanks

    Thanks for your reply.
    The first thing I ask myself is, unlike with conventional routers, where one configures certain parameters:
    Public IP, netmask, gateway (supposedly the gateway connected to the fiber) and the ISP's DNS servers.
    When I go to configure the network interfaces in IOS, how do I specify this data?
    I define the following:
    Int G 0/1
    IP Ad 190.111.249.X 255.255.255.252
    desc Internet
    Int G 0/0 
    IP Ad 192.168.1.1 255.255.255.0
    desc LAN
    From there, how do I configure Internet access?
    Which IP should I configure on the Internet interface, one of its own for the interface that points to the device that has the fiber?
    What would a basic NAT rule for Internet access look like?
    I followed tutorials, configured exactly as I read, and even so I could not browse.
    Thanks for any help you can give me.

  • Discussion Jabber on Notebooks and Cisco 2901 gateway

    At work we now have Cisco Jabber clients on notebooks. Internal connections are now possible, although with great latency because the central "master" resides a thousand kilometers through Europe away behind a VPN-connection. As a country subsidiary a local cisco 2901 should connect to the telephony as a gateway...
    - How is the general architecture of cisco collaboration?
    - Is it correct to look at our cisco 2901 like a local domain-controller in windows-network?

    Hi
    Thx for the answer. To figure it out more clear on a top-level:
    We are sitting in the south of Europe and our master resides up in North. Using Jabber clients on notebooks a telephony-call to customers in our country will go through vpn-tunnel up north to u-turn and come down to our cisco2901 which is connected to legacy telephony-(ISDN-)wires and finally to customers...
    Is this a recommended architecture?

  • Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M

    Dear Community,
    I have a strange issue that I am hoping some of you will be able to assist with.
    I am running an environment with the following specifications
    Cisco ISR G2 2901 with IOS 15.3.3M
    Security Licence enabled
    Data Licence enabled
    VPN Licence enabled
    Cisco ISR G2 2951 with IOS 15.3.3M
    Security Licence enabled
    Data Licence enabled
    SM with ESX server.
    Desktop Environment
    Windows XP SP3
    Internet Explorer 8
    Desktop Environment 2
    Windows 8
    Internet Explorer 10
    I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
    This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
    PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
    If anyone can assist me here it would really make my day.
    Thanks,
    Will

    Can anyone help with this ?

  • 5 users limitation using PPPoE on cisco??

    Hello,
    I am trying to use a cisco as a pppoe server. The problem is that it's not able to connect more than 5 users at a time. I thought the cisco (3620) had some problems and used another (2610) with the same result. What could be the problem?
    TIA
    Shekhar Basnet
    Here are some info.
    System image file is "flash:c2600-ik9o3s-mz.122-31"
    cisco 2610 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    PPPoE# sho run
    Building configuration...
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    vpdn-group canopy-consumer
    accept-dialin
    protocol pppoe
    virtual-template 10
    pppoe limit per-vlan 300
    interface FastEthernet1/0.630
    description #### PPPoE clients #####
    encapsulation dot1Q 630
    pppoe enable
    interface Virtual-Template10
    ip address 192.168.125.125 255.255.255.252
    peer default ip address pool consumer-pool
    ppp authentication pap
    ip local pool consumer-pool x.x.254.112 x.x.254.119
    Here's a sample log when trying to connect using a 6th customer
    Feb 5 16:49:53: PPPoE 0: I PADI L:ffff.ffff.ffff R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:53: PPPoE 0: O PADO L:f730.8100.0276 R:ba27.0003.e3e8 630 Fa1/0.630
    Feb 5 16:49:53: PPPoE 0: I PADR L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:53: PPPoE 396: Creating
    Feb 5 16:49:53: PPPoE 396: Created L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:53: PPPoE 396: O PADS L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
    Feb 5 16:49:54: PPPoE 396: I PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:54: PPPoE 396: Shutting down
    Feb 5 16:49:54: PPPoE 396: O PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:54: PPPoE 396: Destroying L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
    Feb 5 16:49:54: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
    PPPoE#sho idb
    Maximum number of IDBs 300
    24 SW IDBs allocated (2624 bytes each)
    19 HW IDBs allocated (4976 bytes each)
    HWIDB#1 1 Ethernet0/0 (HW IFINDEX, Ether)
    HWIDB#2 3 BRI0/0 (HW IFINDEX, HW ISDN, Serial)
    HWIDB#3 4 Serial0/0 (HW IFINDEX, Serial)
    HWIDB#4 5 BRI0/0:1 (HW ISDN, Serial)
    HWIDB#5 6 BRI0/0:2 (HW ISDN, Serial)
    HWIDB#6 7 Serial0/1 (HW IFINDEX, Serial)
    HWIDB#7 8 FastEthernet1/0 (DOT1Q, HW IFINDEX, Ether)
    HWIDB#8 9 Virtual-Access1 (Serial, HW VACCESS)
    HWIDB#9 10 Virtual-Access2 (Serial, HW VACCESS)
    HWIDB#10 11 Virtual-Access3 (Serial, HW VACCESS)
    HWIDB#11 12 Virtual-Access4 (Serial, HW VACCESS)
    HWIDB#12 13 Virtual-Access5 (Serial, HW VACCESS)
    HWIDB#13 14 Virtual-Access6 (Serial, HW VACCESS)
    HWIDB#14 15 Virtual-Template10 (HW IFINDEX, Serial, HW VTEMPLATE)
    HWIDB#15 16 Loopback0 (HW IFINDEX)

    Yahoooo!! Success at last.. Thanks a lot Mak. But I would love to know the reason behind it. So even changing the subnet on VT to /24 would have had no effect then?
    PPPoE#sho user
    Line User Host(s) Idle Location
    * 66 vty 0 shekhar idle 00:00:00 x.x.233.248
    Interface User Mode Idle Peer Address
    Vi1 silt Virtual PPP (PPPoE ) 00:00:05 x.x.225.35
    Vi2 hhc123 Virtual PPP (PPPoE ) 00:00:15 x.x.225.37
    Vi3 mahaguthi Virtual PPP (PPPoE ) 00:00:55 x.x.225.33
    Vi4 atlas Virtual PPP (PPPoE ) 00:00:35 x.x.225.36
    Vi5 hope Virtual PPP (PPPoE ) 00:01:35 x.x.225.34
    Vi6 ktptest Virtual PPP (PPPoE ) 00:00:05 x.x.225.38
    PPPoE#
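
The PPPoE debug lines from the post above, run through a small parser, as an added example that is not part of the original thread. It reconstructs session 396 and reports which side sent the first PADT and how long after PADS; `I`/`O` are read as inbound/outbound, and the 5-second "short-lived" threshold is an assumption of this example.

```python
import re

# Debug lines copied from the post above (the failed sixth connection).
PPPOE_DEBUG = """\
Feb 5 16:49:53: PPPoE 0: I PADI L:ffff.ffff.ffff R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 0: O PADO L:f730.8100.0276 R:ba27.0003.e3e8 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 0: I PADR L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 396: Creating
Feb 5 16:49:53: PPPoE 396: Created L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 396: O PADS L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Feb 5 16:49:54: PPPoE 396: I PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: PPPoE 396: Shutting down
Feb 5 16:49:54: PPPoE 396: O PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: PPPoE 396: Destroying L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
"""

# Matches only discovery packets: "<date> <time>: PPPoE <sid>: <I|O> <PADx> L:.. R:.."
PACKET = re.compile(
    r"^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d): PPPoE (?P<sid>\d+): "
    r"(?P<dir>[IO]) (?P<type>PAD[IORST]) L:(?P<local>\S+) R:(?P<remote>\S+)"
)


def parse_packets(text):
    """Return PAD* packets in order; state lines (Creating, %LINK-...) are skipped.
    Times are seconds since midnight, so the log is assumed not to cross midnight."""
    packets = []
    for line in text.splitlines():
        m = PACKET.match(line.strip())
        if m:
            packets.append({
                "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                "sid": int(m["sid"]),
                "dir": m["dir"],
                "type": m["type"],
                "remote": m["remote"],
            })
    return packets


def summarize_sessions(packets, short_lived_secs=5):
    """Per session id: when PADS went out, who sent the first PADT, lifetime."""
    sessions = {}
    for p in packets:
        if p["sid"] == 0:
            continue  # PADI/PADO/PADR happen before a session id is assigned
        s = sessions.setdefault(p["sid"], {
            "remote": p["remote"], "pads_at": None,
            "first_padt": None, "ended_at": None,
            "lifetime": None, "short_lived": False,
        })
        if p["type"] == "PADS" and p["dir"] == "O":
            s["pads_at"] = p["t"]
        elif p["type"] == "PADT" and s["first_padt"] is None:
            # Inbound PADT: the peer ended the session. Outbound: the router did.
            s["first_padt"] = "peer" if p["dir"] == "I" else "router"
            s["ended_at"] = p["t"]
    for s in sessions.values():
        if s["pads_at"] is not None and s["ended_at"] is not None:
            s["lifetime"] = s["ended_at"] - s["pads_at"]
            s["short_lived"] = s["lifetime"] <= short_lived_secs
    return sessions


if __name__ == "__main__":
    for sid, s in summarize_sessions(parse_packets(PPPOE_DEBUG)).items():
        print(f'session {sid} peer {s["remote"]}: first PADT from {s["first_padt"]}, '
              f'{s["lifetime"]}s after PADS, short-lived={s["short_lived"]}')
```

For this log the result is that discovery completed (PADI through PADS) and the peer sent PADT one second later, so the session was not refused during discovery.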

  • Problem with VPN client on Cisco 1801

    Hi,
    I have configured a new router for a customer.
    All works fine but I have a strange issue with the VPN client.
    When I start the VPN, the client doesn't close the connection: it asks for the password, starts to negotiate the security policy, then shows the not connected status.
    This is the log from the VPN client:
    Cisco Systems VPN Client Version 5.0.07.0290
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7601 Service Pack 1
    Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
    1      14:37:59.133  04/08/13  Sev=Info/6          GUI/0x63B00011
    Reloaded the Certificates in all Certificate Stores successfully.
    2      14:38:01.321  04/08/13  Sev=Info/4          CM/0x63100002
    Begin connection process
    3      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100004
    Establish secure connection
    4      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100024
    Attempt connection with server "asgardvpn.dyndns.info"
    5      14:38:02.380  04/08/13  Sev=Info/6          IKE/0x6300003B
    Attempting to establish a connection with 79.52.36.120.
    6      14:38:02.384  04/08/13  Sev=Info/4          IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      14:38:02.388  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
    8      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700008
    IPSec driver successfully started
    9      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    10     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x6300002F
    Received ISAKMP packet: peer = 79.52.36.120
    11     14:38:02.460  04/08/13  Sev=Info/4          IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
    12     14:38:02.506  04/08/13  Sev=Info/6          GUI/0x63B00012
    Authentication request attributes is 6h.
    13     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    14     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports DPD
    15     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports DWR Code and DWR Text
    16     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports XAUTH
    17     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports NAT-T
    18     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000001
    IOS Vendor ID Contruction successful
    19     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
    20     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    21     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000083
    IKE Port in use - Local Port =  0xCEFD, Remote Port = 0x1194
    22     14:38:02.465  04/08/13  Sev=Info/5          IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    23     14:38:02.465  04/08/13  Sev=Info/4          CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    24     14:38:02.502  04/08/13  Sev=Info/5          IKE/0x6300002F
    Received ISAKMP packet: peer = 79.52.36.120
    25     14:38:02.502  04/08/13  Sev=Info/4          IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
    26     14:38:02.502  04/08/13  Sev=Info/4          CM/0x63100015
    Launch xAuth application
    27     14:38:07.623  04/08/13  Sev=Info/4          CM/0x63100017
    xAuth application returned
    28     14:38:07.623  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
    29     14:38:12.656  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    30     14:38:22.808  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    31     14:38:32.949  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    32     14:38:43.089  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    33     14:38:53.230  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    34     14:39:03.371  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    35     14:39:13.514  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    36     14:39:23.652  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    37     14:39:33.807  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    38     14:39:43.948  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    39     14:39:54.088  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    40     14:40:04.233  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    41     14:40:14.384  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    42     14:40:24.510  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    43     14:40:34.666  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    44     14:40:44.807  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    45     14:40:54.947  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    46     14:41:05.090  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    47     14:41:15.230  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    48     14:41:25.370  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    49     14:41:35.524  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    50     14:41:45.665  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    51     14:41:55.805  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    52     14:42:05.951  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    53     14:42:16.089  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    54     14:42:26.228  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    55     14:42:36.383  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    56     14:42:46.523  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    57     14:42:56.664  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    58     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
    59     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
    60     14:43:03.248  04/08/13  Sev=Info/4          IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
    61     14:43:03.248  04/08/13  Sev=Info/4          CM/0x63100014
    Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
    62     14:43:03.248  04/08/13  Sev=Info/5          CM/0x63100025
    Initializing CVPNDrv
    63     14:43:03.262  04/08/13  Sev=Info/6          CM/0x63100046
    Set tunnel established flag in registry to 0.
    64     14:43:03.262  04/08/13  Sev=Info/4          IKE/0x63000001
    IKE received signal to terminate VPN connection
    65     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    66     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    67     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    68     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x6370000A
    IPSec driver successfully stopped
    And this is the conf from the 1801:
    hostname xxx
    boot-start-marker
    boot-end-marker
    enable secret 5 xxx
    aaa new-model
    aaa authentication login xauthlist local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.1.1 10.0.1.10
    ip dhcp excluded-address 10.0.1.60 10.0.1.200
    ip dhcp excluded-address 10.0.1.225
    ip dhcp excluded-address 10.0.1.250
    ip dhcp pool LAN
       network 10.0.1.0 255.255.255.0
       default-router 10.0.1.10
       dns-server 10.0.1.200 8.8.8.8
       domain-name xxx
       lease infinite
    ip name-server 10.0.1.200
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip inspect log drop-pkt
    ip inspect name Firewall cuseeme
    ip inspect name Firewall dns
    ip inspect name Firewall ftp
    ip inspect name Firewall h323
    ip inspect name Firewall icmp
    ip inspect name Firewall imap
    ip inspect name Firewall pop3
    ip inspect name Firewall rcmd
    ip inspect name Firewall realaudio
    ip inspect name Firewall rtsp
    ip inspect name Firewall esmtp
    ip inspect name Firewall sqlnet
    ip inspect name Firewall streamworks
    ip inspect name Firewall tftp
    ip inspect name Firewall vdolive
    ip inspect name Firewall udp
    ip inspect name Firewall tcp
    ip inspect name Firewall https
    ip inspect name Firewall http
    multilink bundle-name authenticated
    username xxx password 0 xxxx
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2 
    crypto isakmp client configuration group xxx
    key xxx
    dns 10.0.1.200
    wins 10.0.1.200
    domain xxx
    pool ippool
    acl 101 
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive  
    log config
      hidekeys
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode adsl2+
    hold-queue 224 in
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    ip address 10.0.1.10 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp pap sent-username aliceadsl password 0 aliceadsl
    crypto map clientmap
    ip local pool ippool 10.16.20.1 10.16.20.200
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 10.0.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
    ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
    ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
    ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
    ip nat inside source list 101 interface Dialer0 overload
    access-list 101 remark *** ACL nonat ***
    access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 10.0.1.0 0.0.0.255 any
    access-list 150 remark *** ACL split tunnel ***
    access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password xxx
    scheduler max-task-time 5000
    end 
    Can anyone help me?
    Sometimes the VPN can be created using the iPhone or iPad VPN client...
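
A consistency check for the 1801 configuration posted above, as an added example that is not part of the original post: it resolves each named reference in the remote-access VPN lines (AAA method lists, address pool, ACL, transform set, dynamic map) against its definition. The excerpt is copied from the post; the function name `audit` and the kind labels are this example's own. On the posted lines it reports that the crypto map's client authentication list `userauthen` has no `aaa authentication login` definition, while `xauthlist` is defined and never referenced.

```python
import re

# Excerpt of the AAA and crypto lines from the 1801 configuration in the post.
CONFIG = """\
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
crypto isakmp client configuration group xxx
key xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
"""

# Lines that define a named object (kind labels are this example's own).
DEFINES = {
    "authn-list": re.compile(r"aaa authentication login (\S+)"),
    "authz-list": re.compile(r"aaa authorization network (\S+)"),
    "pool": re.compile(r"ip local pool (\S+)"),
    "acl": re.compile(r"access-list (\d+)"),
    "transform-set": re.compile(r"crypto ipsec transform-set (\S+)"),
    "dynamic-map": re.compile(r"crypto dynamic-map (\S+)"),
}
# Lines that refer to such an object by name (first name only per line).
REFERENCES = {
    "authn-list": re.compile(r"crypto map \S+ client authentication list (\S+)"),
    "authz-list": re.compile(r"crypto map \S+ isakmp authorization list (\S+)"),
    "pool": re.compile(r"pool (\S+)$"),
    "acl": re.compile(r"acl (\d+)$"),
    "transform-set": re.compile(r"set transform-set (\S+)"),
    "dynamic-map": re.compile(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
}

def audit(config):
    """Return (dangling, unused): references with no definition, definitions never used."""
    defined = {kind: set() for kind in DEFINES}
    used = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()  # sub-commands may or may not be indented
        for kind, pat in DEFINES.items():
            m = pat.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, pat in REFERENCES.items():
            m = pat.match(line)
            if m:
                used.append((kind, m.group(1), lineno))
    # Compare only after the whole file is read: IOS allows use before definition.
    dangling = [(k, n, ln) for k, n, ln in used if n not in defined[k]]
    referenced = {(k, n) for k, n, _ in used}
    unused = sorted((k, n) for k in defined for n in defined[k] if (k, n) not in referenced)
    return dangling, unused

if __name__ == "__main__":
    dangling, unused = audit(CONFIG)
    for kind, name, lineno in dangling:
        print(f"line {lineno}: {kind} '{name}' is referenced but never defined")
    for kind, name in unused:
        print(f"{kind} '{name}' is defined but never referenced")
```

A dangling reference next to an unused definition of the same kind usually means the two names were meant to be the same.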

    I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
    3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
    regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
    HELP?

  • VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

    Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
    Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc).   Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
    VLAN 1 - inside (has separate dhcp scope assigned by ASA)
    VLAN 99 - guest (has separate dhcp scope assigned by ASA)
    SG200
    purpose
    ASA 5505 (Sec Plus license)
    purpose
    g2
    Trunk 1UP,99T
    Ubiquiti AP (VLAN 1 works, VLAN 99 does not
    g3
    Access port 99T
    vlan 99 does not work
    g8
    Trunk 1UP, 99T
    < Trunk between switch and ASA >
    Int e0/2
    switchport trunk allowed vlan 1,99
     switchport trunk native vlan 1
     switchport mode trunk
    Int e0/3
    switchport trunk allowed vlan 1,99
     switchport trunk native vlan 1
     switchport mode trunk
    Second ubiquiti AP
    Both VLAN 1 and VLAN 99 clients work properly

    Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
    There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
    No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
    Anything connected to the SG200 on the native VLAN works properly.
    Anything connected to the ASA VLANs (1 or 99) works properly
    I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
    I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
    SG200 g2 - trunk port (1UP, 99T) -- Access Point
    SG200 g2 - access port (99U)
    SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
    ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
    Thanks,

  • Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops

    Having a problem with communication between ASA 5510 and Cisco Catalyst 3750.
    Here is the Cisco switch port facing the ASA 5510 configuration:
    interface FastEthernet2/0/6
    description Trunk to ASA 5510
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport trunk allowed vlan 131,500
    switchport mode trunk
    switchport nonegotiate
    And here is the ASA 5510 port configuration:
    interface Ethernet0/3
    speed 100
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3.500
    vlan 500
    nameif outside
    security-level 0
    ip address X.X.X.69 255.255.255.0
    There is a default route on ASA to X.X.X.1.
    When I try to ping from ASA X.X.X.1 I get:
    Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
    Also in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
    I have also changed the ports on the Switch and ASA but the same error stays.
    Any thoughts?

    I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
    Maybe you should adjust the "speed 100"?  In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
    I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch.  Alternatively, have both sides set
       speed 100
       duplex full
    and see if things improve.
    -- Jim Leinweber, WI State Lab of Hygiene
