asid2006 Posted March 24, 2020 (edited)

Good afternoon. I have a Cisco 4331 with an L2TP server configured. Clients connect and everything works fine. But as soon as the number of clients goes over 30, the Cisco stops handing out network settings to them, and connecting clients get error 720 (cannot connect to the remote computer; you may need to change the network settings).

sho version:

Cisco IOS XE Software, Version 16.06.03
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.3, RELEASE SOFTWARE (fc8)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 28-Feb-18 23:54 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are licensed under the GNU General Public License ("GPL") Version 2.0. The software code licensed under GPL Version 2.0 is free software that comes with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such GPL code under the terms of GPL Version 2.0. For more details, see the documentation or "License Notice" file accompanying the IOS-XE software, or the applicable URL provided on the flyer accompanying the IOS-XE software.

ROM: IOS-XE ROMMON
rt-Sbyt-GRE uptime is 27 weeks, 5 days, 9 hours, 34 minutes
Uptime for this control processor is 27 weeks, 5 days, 9 hours, 37 minutes
System returned to ROM by PowerOn at 11:57:45 MSK Sun Dec 9 2018
System restarted at 01:49:44 MSK Thu Sep 12 2019
System image file is "bootflash:isr4300-universalk9.16.06.03.SPA.bin"
Last reload reason: PowerOn

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9

AdvUCSuiteK9          None                  None           None
uck9
cme-srst
cube

Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9        appxk9        Permanent      appxk9
uck9          uck9          RightToUse     uck9
securityk9    securityk9    RightToUse     securityk9
ipbase        ipbasek9      Permanent      ipbasek9

cisco ISR4331/K9 (1RU) processor with 1796073K/6147K bytes of memory.
Processor board ID xxx
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Partially trimmed config:

version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname xxx
!
boot-start-marker
boot system bootflash:isr4300-universalk9.16.06.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius radius_ve
 server name radius_XXX
!
aaa authentication login default local
aaa authentication ppp default group radius_XXX
aaa authorization network default if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
ip name-server xxx
ip domain name xxx
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
 ip pmtu
 ip mtu adjust
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2677205731
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2677205731
 revocation-check none
 rsakeypair TP-self-signed-2677205731
!
!
crypto pki certificate chain TP-self-signed-2677205731
 certificate self-signed 01
  xxx
  quit
!
!
!
!
!
!
!
!
!
license udi pid ISR4331/K9 sn xxx
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username operator privilege 15 secret 5 xxx
!
redundancy
 mode none
!
!
!
!
!
!
track 10 ip sla 10 reachability
 delay down 10 up 5
!
track 11 ip sla 11 reachability
 delay down 10 up 5
!
!
!
!
!
!
!
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set l2tp_tr esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map l2tp_dmap 10
 set nat demux
 set transform-set l2tp_tr
!
!
crypto map l2tp_map 10 ipsec-isakmp dynamic l2tp_dmap
!
!
!
!
!
!
!
!
interface Virtual-Template1
 ip address xxx 255.255.255.0
 ip mtu 1400
 peer default ip address pool VPN
 no keepalive
 ppp authentication ms-chap-v2
!
!
ip local pool VPN 10.10.10.2 10.10.10.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
radius server radius_XXX
 address ipv4 xxx auth-port 1645 acct-port 1646
 key 7 xxx
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
!
ntp master
ntp server 10.181.17.8
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!

Can you tell me what the cause is? How do I fix this?

Edited April 1, 2020 by asid2006
ShyLion Posted March 24, 2020

Well,

debug crypto isakmp
debug crypto ipsec
debug vpdn l2x event
debug vpdn l2x error
debug ppp authen
debug ppp author
debug ppp neg
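Output from `debug crypto isakmp` runs to hundreds of lines per connection. The following is an added example, not part of the thread: it condenses the phase 1 proposal check into one record per offered transform and flags weak parameters in the transform the router accepted. The sample lines are constructed in the format IOS XE prints, and the function names are this example's own.

```python
import re

# Constructed sample in the format IOS XE prints for `debug crypto isakmp`
# (responder side, one IKEv1 main-mode proposal carrying three transforms).
SAMPLE = """\
Mar 24 11:38:19.899: ISAKMP: (0):Checking ISAKMP transform 1 against priority 20 policy
Mar 24 11:38:19.899: ISAKMP: (0):      encryption AES-CBC
Mar 24 11:38:19.899: ISAKMP: (0):      keylength of 256
Mar 24 11:38:19.899: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.899: ISAKMP: (0):      default group 20
Mar 24 11:38:19.899: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.900: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar 24 11:38:19.900: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 24 11:38:19.901: ISAKMP: (0):Checking ISAKMP transform 2 against priority 20 policy
Mar 24 11:38:19.901: ISAKMP: (0):      encryption 3DES-CBC
Mar 24 11:38:19.901: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.901: ISAKMP: (0):      default group 14
Mar 24 11:38:19.901: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.902: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
Mar 24 11:38:19.902: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 24 11:38:19.902: ISAKMP: (0):Checking ISAKMP transform 3 against priority 20 policy
Mar 24 11:38:19.902: ISAKMP: (0):      encryption 3DES-CBC
Mar 24 11:38:19.902: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.902: ISAKMP: (0):      default group 2
Mar 24 11:38:19.902: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.903: ISAKMP: (0):atts are acceptable. Next payload is 0
"""

# A log timestamp such as "Mar 24 11:38:19.899: " (optionally "*"-prefixed).
TS = r"\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+: "
PREFIX = re.compile(r"ISAKMP(?:-[A-Z]+)?:\s*(?:\(\d+\):)?\s*(?P<msg>.*)$")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
MISMATCH = re.compile(r"^(.+?) offered does not match policy!")
ATTRS = [
    ("encryption", re.compile(r"^encryption (\S+)")),
    ("keylength", re.compile(r"^keylength of (\d+)")),
    ("hash", re.compile(r"^hash (\S+)")),
    ("dh_group", re.compile(r"^default group (\d+)")),
    ("auth", re.compile(r"^auth (\S+)")),
]
WEAK_DH = {1: 768, 2: 1024, 5: 1536}  # MODP group number -> modulus bits


def parse_phase1(text):
    """Return one dict per (transform, policy) check found in the debug text."""
    # Forum software often flattens logs onto one line: re-split on timestamps.
    text = re.sub(r"\s+(?=" + TS + ")", "\n", text.strip())
    proposals, cur = [], None
    for line in text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        chk = CHECK.match(msg)
        if chk:
            cur = {"transform": int(chk.group(1)), "priority": int(chk.group(2)),
                   "encryption": None, "keylength": None, "hash": None,
                   "dh_group": None, "auth": None,
                   "result": "unknown", "reason": None}
            proposals.append(cur)
            continue
        if cur is None:
            continue
        for name, rx in ATTRS:
            a = rx.match(msg)
            if a:
                cur[name] = int(a.group(1)) if a.group(1).isdigit() else a.group(1)
        mm = MISMATCH.match(msg)
        if mm:
            cur["reason"] = mm.group(1)
        if msg.startswith("atts are acceptable"):
            cur["result"], cur = "accepted", None
        elif msg.startswith("atts are not acceptable"):
            cur["result"], cur = "rejected", None
    return proposals


def weak_points(p):
    """List weak parameters in one parsed transform."""
    notes = []
    enc = (p["encryption"] or "").upper()
    if enc.startswith(("DES", "3DES")):
        notes.append("encryption %s (64-bit block cipher)" % p["encryption"])
    if (p["hash"] or "").upper() == "MD5":
        notes.append("hash MD5")
    if p["dh_group"] in WEAK_DH:
        notes.append("DH group %d (%d-bit MODP)" % (p["dh_group"], WEAK_DH[p["dh_group"]]))
    return notes


def negotiation_summary(text):
    """Summarise which transform won and which stronger offers were refused."""
    props = parse_phase1(text)
    chosen = next((p for p in props if p["result"] == "accepted"), None)
    return {"offered": len(props), "chosen": chosen,
            "weak": weak_points(chosen) if chosen else [],
            "stronger_rejected": [p["transform"] for p in props
                                  if p["result"] == "rejected" and not weak_points(p)]}


if __name__ == "__main__":
    s = negotiation_summary(SAMPLE)
    print("accepted transform:", s["chosen"]["transform"], "| weak:", "; ".join(s["weak"]))
    print("stronger transforms refused by policy:", s["stronger_rejected"])
```

A non-empty `stronger_rejected` list means the client was willing to use stronger parameters and the responder's ISAKMP policy is what limited the negotiation.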
asid2006 Posted March 24, 2020 (edited)

43 minutes ago, ShyLion said:

Well,

debug crypto isakmp
debug crypto ipsec
debug vpdn l2x event
debug vpdn l2x error
debug ppp authen
debug ppp author
debug ppp neg

Debug output for error 720:

Mar 24 11:38:19.897: ISAKMP-PAK: (0):received packet from x.x.x.x dport 500 sport 500 Global (N) NEW SA
Mar 24 11:38:19.897: ISAKMP: (0):Created a peer struct for x.x.x.x, peer port 500
Mar 24 11:38:19.897: ISAKMP: (0):New peer created peer = 0x80007F7FEA40CD08 peer_handle = 0x800000008000065B
Mar 24 11:38:19.897: ISAKMP: (0):Locking peer struct 0x80007F7FEA40CD08, refcount 1 for crypto_isakmp_process_block
Mar 24 11:38:19.897: ISAKMP: (0):local port 500, remote port 500
Mar 24 11:38:19.897: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F7FEA6F1C18
Mar 24 11:38:19.897: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 24 11:38:19.897: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
Mar 24 11:38:19.898: ISAKMP: (0):processing SA payload.
message ID = 0 Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.898: ISAKMP: (0):processing IKE frag vendor id payload Mar 24 11:38:19.898: ISAKMP: (0):Support for IKE Fragmentation not enabled Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch Mar 24 11:38:19.898: ISAKMP: (0):vendor ID is NAT-T RFC 3947 Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch Mar 24 11:38:19.898: ISAKMP: (0):vendor ID is NAT-T v2 Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch Mar 24 11:38:19.899: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.899: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch Mar 24 11:38:19.899: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.899: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch Mar 24 11:38:19.899: ISAKMP: (0):found peer pre-shared key matching x.x.x.x Mar 24 11:38:19.899: ISAKMP: (0):local preshared key found Mar 24 11:38:19.899: ISAKMP: (0):Scanning profiles for xauth ... Mar 24 11:38:19.899: ISAKMP: (0):Checking ISAKMP transform 1 against priority 20 policy Mar 24 11:38:19.899: ISAKMP: (0): encryption AES-CBC Mar 24 11:38:19.899: ISAKMP: (0): keylength of 256 Mar 24 11:38:19.899: ISAKMP: (0): hash SHA Mar 24 11:38:19.899: ISAKMP: (0): default group 20 Mar 24 11:38:19.899: ISAKMP: (0): auth pre-share Mar 24 11:38:19.900: ISAKMP: (0): life type in seconds Mar 24 11:38:19.900: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 Mar 24 11:38:19.900: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy! 
Mar 24 11:38:19.900: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3 Mar 24 11:38:19.900: ISAKMP: (0):Checking ISAKMP transform 2 against priority 20 policy Mar 24 11:38:19.900: ISAKMP: (0): encryption AES-CBC Mar 24 11:38:19.900: ISAKMP: (0): keylength of 128 Mar 24 11:38:19.900: ISAKMP: (0): hash SHA Mar 24 11:38:19.900: ISAKMP: (0): default group 19 Mar 24 11:38:19.900: ISAKMP: (0): auth pre-share Mar 24 11:38:19.900: ISAKMP: (0): life type in seconds Mar 24 11:38:19.900: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 Mar 24 11:38:19.901: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy! Mar 24 11:38:19.901: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3 Mar 24 11:38:19.901: ISAKMP: (0):Checking ISAKMP transform 3 against priority 20 policy Mar 24 11:38:19.901: ISAKMP: (0): encryption AES-CBC Mar 24 11:38:19.901: ISAKMP: (0): keylength of 256 Mar 24 11:38:19.901: ISAKMP: (0): hash SHA Mar 24 11:38:19.901: ISAKMP: (0): default group 14 Mar 24 11:38:19.901: ISAKMP: (0): auth pre-share Mar 24 11:38:19.901: ISAKMP: (0): life type in seconds Mar 24 11:38:19.901: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 Mar 24 11:38:19.901: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy! Mar 24 11:38:19.901: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3 Mar 24 11:38:19.901: ISAKMP: (0):Checking ISAKMP transform 4 against priority 20 policy Mar 24 11:38:19.901: ISAKMP: (0): encryption 3DES-CBC Mar 24 11:38:19.901: ISAKMP: (0): hash SHA Mar 24 11:38:19.902: ISAKMP: (0): default group 14 Mar 24 11:38:19.902: ISAKMP: (0): auth pre-share Mar 24 11:38:19.902: ISAKMP: (0): life type in seconds Mar 24 11:38:19.902: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 Mar 24 11:38:19.902: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy! Mar 24 11:38:19.902: ISAKMP-ERROR: (0):atts are not acceptable. 
Next payload is 3 Mar 24 11:38:19.902: ISAKMP: (0):Checking ISAKMP transform 5 against priority 20 policy Mar 24 11:38:19.902: ISAKMP: (0): encryption 3DES-CBC Mar 24 11:38:19.902: ISAKMP: (0): hash SHA Mar 24 11:38:19.902: ISAKMP: (0): default group 2 Mar 24 11:38:19.902: ISAKMP: (0): auth pre-share Mar 24 11:38:19.902: ISAKMP: (0): life type in seconds Mar 24 11:38:19.902: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 Mar 24 11:38:19.903: ISAKMP: (0):atts are acceptable. Next payload is 0 Mar 24 11:38:19.903: ISAKMP: (0):Acceptable atts:actual life: 3600 Mar 24 11:38:19.903: ISAKMP: (0):Acceptable atts:life: 0 Mar 24 11:38:19.903: ISAKMP: (0):Fill atts in sa vpi_length:4 Mar 24 11:38:19.903: ISAKMP: (0):Fill atts in sa life_in_seconds:28800 Mar 24 11:38:19.903: ISAKMP: (0):Returning Actual lifetime: 3600 Mar 24 11:38:19.903: ISAKMP: (0):Started lifetime timer: 3600. Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.907: ISAKMP: (0):processing IKE frag vendor id payload Mar 24 11:38:19.907: ISAKMP: (0):Support for IKE Fragmentation not enabled Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch Mar 24 11:38:19.907: ISAKMP: (0):vendor ID is NAT-T RFC 3947 Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch Mar 24 11:38:19.907: ISAKMP: (0):vendor ID is NAT-T v2 Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch Mar 24 11:38:19.908: ISAKMP: (0):processing vendor id payload Mar 24 11:38:19.908: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch Mar 24 11:38:19.908: ISAKMP: (0):processing vendor id payload Mar 24 
11:38:19.908: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch Mar 24 11:38:19.908: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Mar 24 11:38:19.908: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1 Mar 24 11:38:19.908: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID Mar 24 11:38:19.908: ISAKMP-PAK: (0):sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP Mar 24 11:38:19.908: ISAKMP: (0):Sending an IKE IPv4 Packet. Mar 24 11:38:19.909: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Mar 24 11:38:19.909: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2 Mar 24 11:38:19.930: ISAKMP-PAK: (0):received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP Mar 24 11:38:19.930: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 24 11:38:19.930: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3 Mar 24 11:38:19.930: ISAKMP: (0):processing KE payload. message ID = 0 Mar 24 11:38:19.935: ISAKMP: (0):processing NONCE payload. message ID = 0 Mar 24 11:38:19.935: ISAKMP: (0):found peer pre-shared key matching x.x.x.x Mar 24 11:38:19.935: ISAKMP: (14437):received payload type 20 Mar 24 11:38:19.935: ISAKMP: (14437):His hash no match - this node outside NAT Mar 24 11:38:19.936: ISAKMP: (14437):received payload type 20 Mar 24 11:38:19.936: ISAKMP: (14437):His hash no match - this node outside NAT Mar 24 11:38:19.936: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Mar 24 11:38:19.936: ISAKMP: (14437):Old State = IKE_R_MM3 New State = IKE_R_MM3 Mar 24 11:38:19.936: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH Mar 24 11:38:19.936: ISAKMP: (14437):Sending an IKE IPv4 Packet. 
Mar 24 11:38:19.936: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Mar 24 11:38:19.936: ISAKMP: (14437):Old State = IKE_R_MM3 New State = IKE_R_MM4 Mar 24 11:38:19.955: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) MM_KEY_EXCH Mar 24 11:38:19.956: ISAKMP: (14437):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 24 11:38:19.956: ISAKMP: (14437):Old State = IKE_R_MM4 New State = IKE_R_MM5 Mar 24 11:38:19.956: ISAKMP: (14437):processing ID payload. message ID = 0 Mar 24 11:38:19.956: ISAKMP: (14437):ID payload next-payload : 8 type : 1 Mar 24 11:38:19.956: ISAKMP: (14437): address : 192.168.103.253 Mar 24 11:38:19.956: ISAKMP: (14437): protocol : 0 port : 0 length : 12 Mar 24 11:38:19.956: ISAKMP: (0):peer matches *none* of the profiles Mar 24 11:38:19.956: ISAKMP: (14437):processing HASH payload. message ID = 0 Mar 24 11:38:19.956: ISAKMP: (14437):SA authentication status: authenticated Mar 24 11:38:19.956: ISAKMP: (14437):SA has been authenticated with x.x.x.x Mar 24 11:38:19.956: ISAKMP: (14437):Detected port floating to port = 4500 Mar 24 11:38:19.957: ISAKMP: (0):Trying to insert a peer y.y.y.y/x.x.x.x/4500/, Mar 24 11:38:19.957: ISAKMP: (0): and inserted successfully 80007F7FEA40CD08. 
Mar 24 11:38:19.957: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Mar 24 11:38:19.957: ISAKMP: (14437):Old State = IKE_R_MM5 New State = IKE_R_MM5 Mar 24 11:38:19.957: ISAKMP: (14437):SA is doing Mar 24 11:38:19.958: ISAKMP: (14437):pre-shared key authentication using id type ID_IPV4_ADDR Mar 24 11:38:19.958: ISAKMP: (14437):ID payload next-payload : 8 type : 1 Mar 24 11:38:19.958: ISAKMP: (14437): address : y.y.y.y Mar 24 11:38:19.958: ISAKMP: (14437): protocol : 17 port : 0 length : 12 Mar 24 11:38:19.958: ISAKMP: (14437):Total payload length: 12 Mar 24 11:38:19.958: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH Mar 24 11:38:19.958: ISAKMP: (14437):Sending an IKE IPv4 Packet. Mar 24 11:38:19.958: ISAKMP: (14437):Returning Actual lifetime: 3600 Mar 24 11:38:19.958: ISAKMP: (14437):set new node 3026085116 to QM_IDLE Mar 24 11:38:19.958: ISAKMP: (14437):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 9223512224116897392, message ID = 3026085116 Mar 24 11:38:19.959: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH Mar 24 11:38:19.959: ISAKMP: (14437):Sending an IKE IPv4 Packet. Mar 24 11:38:19.959: ISAKMP: (14437):purging node 3026085116 Mar 24 11:38:19.959: ISAKMP: (14437):Sending phase 1 responder lifetime 3600 Mar 24 11:38:19.959: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Mar 24 11:38:19.959: ISAKMP: (14437):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE Mar 24 11:38:19.959: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Mar 24 11:38:19.959: ISAKMP: (14437):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Mar 24 11:38:19.978: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE Mar 24 11:38:19.978: ISAKMP: (14437):set new node 1 to QM_IDLE Mar 24 11:38:19.979: ISAKMP: (14437):processing HASH payload. message ID = 1 Mar 24 11:38:19.979: ISAKMP: (14437):processing SA payload. 
message ID = 1 Mar 24 11:38:19.979: ISAKMP: (14437):processing NAT-OAi payload. addr = 192.168.103.253, message ID = 1 Mar 24 11:38:19.979: ISAKMP: (14437):processing NAT-OAr payload. addr = y.y.y.y, message ID = 1 Mar 24 11:38:19.979: ISAKMP: (14437):Checking IPSec proposal 1 Mar 24 11:38:19.979: ISAKMP: (14437):transform 1, ESP_AES Mar 24 11:38:19.979: ISAKMP: (14437): attributes in transform: Mar 24 11:38:19.979: ISAKMP: (14437): encaps is 4 (Transport-UDP) Mar 24 11:38:19.979: ISAKMP: (14437): key length is 128 Mar 24 11:38:19.979: ISAKMP: (14437): authenticator is HMAC-SHA Mar 24 11:38:19.979: ISAKMP: (14437): SA life type in seconds Mar 24 11:38:19.979: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 Mar 24 11:38:19.980: ISAKMP: (14437): SA life type in kilobytes Mar 24 11:38:19.980: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 Mar 24 11:38:19.980: ISAKMP: (14437):atts are acceptable. Mar 24 11:38:19.980: IPSEC(validate_proposal_request): proposal part #1 Mar 24 11:38:19.980: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= y.y.y.y:0, remote= x.x.x.x:0, local_proxy= y.y.y.y/255.255.255.255/17/1701, remote_proxy= x.x.x.x/255.255.255.255/17/1701, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 Mar 24 11:38:19.981: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac } Mar 24 11:38:19.981: ISAKMP-ERROR: (14437):IPSec policy invalidated proposal with error 256 Mar 24 11:38:19.982: ISAKMP: (14437):Checking IPSec proposal 2 Mar 24 11:38:19.982: ISAKMP: (14437):transform 1, ESP_3DES Mar 24 11:38:19.982: ISAKMP: (14437): attributes in transform: Mar 24 11:38:19.982: ISAKMP: (14437): encaps is 4 (Transport-UDP) Mar 24 11:38:19.982: ISAKMP: (14437): authenticator is HMAC-SHA Mar 24 11:38:19.982: ISAKMP: (14437): SA life type in seconds Mar 24 11:38:19.982: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 Mar 24 11:38:19.982: ISAKMP: (14437): SA life type in kilobytes Mar 24 11:38:19.982: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 Mar 24 11:38:19.982: ISAKMP: (14437):atts are acceptable. Mar 24 11:38:19.983: IPSEC(validate_proposal_request): proposal part #1 Mar 24 11:38:19.983: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= y.y.y.y:0, remote= x.x.x.x:0, local_proxy= y.y.y.y/255.255.255.255/17/1701, remote_proxy= x.x.x.x/255.255.255.255/17/1701, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 Mar 24 11:38:19.983: (ipsec_process_proposal)Map Accepted: l2tp_dmap, 10 Mar 24 11:38:19.983: ISAKMP: (14437):processing NONCE payload. message ID = 1 Mar 24 11:38:19.983: ISAKMP: (14437):processing ID payload. message ID = 1 Mar 24 11:38:19.983: ISAKMP: (14437):processing ID payload. 
message ID = 1 Mar 24 11:38:19.983: ISAKMP: (14437):received payload type 21 Mar 24 11:38:19.983: ISAKMP: (14437):received payload type 21 Mar 24 11:38:19.984: ISAKMP: (14437):QM Responder gets spi Mar 24 11:38:19.984: ISAKMP: (14437):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Mar 24 11:38:19.984: ISAKMP: (14437):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE Mar 24 11:38:19.984: ISAKMP: (14437):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI Mar 24 11:38:19.984: ISAKMP: (14437):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT Mar 24 11:38:19.984: IPSEC(key_engine): got a queue event with 1 KMI message(s) Mar 24 11:38:19.984: IPSEC(crypto_ipsec_create_ipsec_sas): Map found l2tp_dmap, 10 Mar 24 11:38:19.985: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F7FEA471408 Mar 24 11:38:19.985: IPSEC(create_sa): sa created, (sa) sa_dest= y.y.y.y, sa_proto= 50, sa_spi= 0xBA400A66(3124759142), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2043 sa_lifetime(k/sec)= (250000/3600), (identity) local= y.y.y.y:0, remote= x.x.x.x:0, local_proxy= y.y.y.y/255.255.255.255/17/1701, remote_proxy= x.x.x.x/255.255.255.255/17/4500 Mar 24 11:38:19.986: IPSEC(create_sa): sa created, (sa) sa_dest= x.x.x.x, sa_proto= 50, sa_spi= 0x33D98824(869894180), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2044 sa_lifetime(k/sec)= (250000/3600), (identity) local= y.y.y.y:0, remote= x.x.x.x:0, local_proxy= y.y.y.y/255.255.255.255/17/1701, remote_proxy= x.x.x.x/255.255.255.255/17/4500 Mar 24 11:38:19.990: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list Mar 24 11:38:19.990: ISAKMP: (14437):Received IPSec Install callback... 
proceeding with the negotiation Mar 24 11:38:19.990: ISAKMP: (14437):Successfully installed IPSEC SA (SPI:0xBA400A66) on GigabitEthernet0/0/1 Mar 24 11:38:19.990: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) QM_IDLE Mar 24 11:38:19.990: ISAKMP: (14437):Sending an IKE IPv4 Packet. Mar 24 11:38:19.990: ISAKMP: (14437):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE Mar 24 11:38:19.991: ISAKMP: (14437):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2 Mar 24 11:38:20.011: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE Mar 24 11:38:20.011: ISAKMP: (14437):deleting node 1 error FALSE reason "QM done (await)" Mar 24 11:38:20.011: ISAKMP: (14437):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Mar 24 11:38:20.011: ISAKMP: (14437):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE Mar 24 11:38:20.011: IPSEC(key_engine): got a queue event with 1 KMI message(s) Mar 24 11:38:20.011: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP Mar 24 11:38:21.020: L2X tnl 8275B:________: Create logical tunnel Mar 24 11:38:21.020: L2TP tnl 8275B:________: Create tunnel Mar 24 11:38:21.020: L2TP tnl 8275B:________: version set to V2[1] Mar 24 11:38:21.020: L2TP tnl 8275B:________: remote ip set to x.x.x.x Mar 24 11:38:21.020: L2TP tnl 8275B:________: local ip set to y.y.y.y Mar 24 11:38:21.020: L2TP tnl 8275B:000062F6: FSM-CC ev Rx-SCCRQ Mar 24 11:38:21.020: L2TP tnl 8275B:000062F6: FSM-CC Idle->Proc-SCCRQ Mar 24 11:38:21.020: L2TP tnl 8275B:000062F6: FSM-CC do Rx-SCCRQ Mar 24 11:38:21.020: L2TP tnl 8275B:000062F6: ACCT(000009C0): UID allocated Mar 24 11:38:21.021: VPN AUTHOR [1260]: Authorizing key Mar 24 11:38:21.021: VPN AUTHOR [1260]: Got username name 0#y.y.y.y#computername Mar 24 11:38:21.021: VPN AUTHOR [1260]: AAA request sent for key 0#y.y.y.y#computername Mar 24 11:38:21.021: L2X _____:________: Tunnel author started for computername Mar 24 11:38:21.021: VPN 
AUTHOR [1260]: Received an AAA pass Mar 24 11:38:21.021: VPDN/AAA/AUTHOR: Parsing l2x attribute list Mar 24 11:38:21.022: VPN AUTHOR [1260]: Found info for key 0#y.y.y.y#computername Mar 24 11:38:21.022: L2X _____:________: Tunnel author found Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: Author reply, data source: "l2tp" Mar 24 11:38:21.022: L2X _____:________: class [AAA author, group "l2tp"] Mar 24 11:38:21.022: L2X _____:________: App locked 0->1 Mar 24 11:38:21.022: L2X _____:________: class [AAA author, group "l2tp"] Mar 24 11:38:21.022: L2X _____:________: Protocol locked 33->34 Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: class name AAA author, group "l2tp" Mar 24 11:38:21.022: L2X _____:________: class [AAA author, group "l2tp"] Mar 24 11:38:21.022: L2X _____:________: App unlocked 1->0 Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: peer cap sync set Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: FSM-CC ev SCCRQ-OK Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: FSM-CC Proc-SCCRQ->Wt-SCCCN Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: FSM-CC do Tx-SCCRP Mar 24 11:38:21.022: L2TP tnl 8275B:000062F6: Open sock y.y.y.y:1701->x.x.x.x:4500 Mar 24 11:38:21.023: L2TP tnl 8275B:000062F6: FSM-CC ev Sock-Ready Mar 24 11:38:21.023: L2TP tnl 8275B:000062F6: FSM-CC in Wt-SCCCN Mar 24 11:38:21.023: L2TP tnl 8275B:000062F6: FSM-CC do Ignore-Sock-Up Mar 24 11:38:21.023: VPN AUTHOR [1260]: Free request Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: FSM-CC ev Rx-SCCCN Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: FSM-CC Wt-SCCCN->Proc-SCCCN Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: FSM-CC do Rx-SCCCN Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: FSM-CC ev SCCCN-OK Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: FSM-CC Proc-SCCCN->established Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: FSM-CC do Established Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: Tunnel accounting send not possible - no mlist Mar 24 11:38:21.041: L2TP tnl 8275B:000062F6: Control channel up Mar 24 
11:38:21.041: L2TP tnl 8275B:000062F6: y.y.y.y<->x.x.x.x Mar 24 11:38:21.042: L2TP _____:________: ERROR: ICRQ AVP 1, vendor 311: unknown Mar 24 11:38:21.042: L2TP tnl 8275B:000062F6: Unknown Vendor 311 AVP 1 in CM ICRQ Mar 24 11:38:21.042: L2X _____:_____:________: Create logical session Mar 24 11:38:21.042: L2TP _____:_____:________: Create session Mar 24 11:38:21.042: L2TP _____:_____:________: Using ICRQ FSM Mar 24 11:38:21.042: L2TP _____:_____:________: FSM-Sn ev created Mar 24 11:38:21.042: L2TP _____:_____:________: FSM-Sn Init->Idle Mar 24 11:38:21.042: L2TP _____:_____:________: FSM-Sn do none Mar 24 11:38:21.042: L2TP _____:_____:________: remote ip set to x.x.x.x Mar 24 11:38:21.042: L2TP _____:_____:________: local ip set to y.y.y.y Mar 24 11:38:21.042: L2TP _____:_____:________: App type set to VPDN Mar 24 11:38:21.042: L2TP _____:_____:________: Chose application VPDN Mar 24 11:38:21.042: L2TP _____:_____:________: VPDN: process AVPs Mar 24 11:38:21.043: L2TP tnl 8275B:000062F6: FSM-CC ev Session-Conn Mar 24 11:38:21.043: L2TP tnl 8275B:000062F6: FSM-CC in established Mar 24 11:38:21.043: L2TP tnl 8275B:000062F6: FSM-CC do Session-Conn-Est Mar 24 11:38:21.043: L2TP tnl 8275B:000062F6: Session count now 1 Mar 24 11:38:21.043: L2TP tnl 8275B:000062F6: VPDN Session count now 1 Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn ev CC-Up Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn in Idle Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn do CC-Up-Ignore0-1 Mar 24 11:38:21.043: L2TP _____:8275B:00004732: Session attached Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn ev Rx-ICRQ Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn Idle->Proc-ICRQ Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn do Rx-ICRQ Mar 24 11:38:21.043: L2TP _____:8275B:00004732: Chose application VPDN Mar 24 11:38:21.043: L2TP _____:8275B:00004732: App type set to VPDN Mar 24 11:38:21.043: L2TP _____:8275B:00004732: VPDN: process AVPs Mar 24 
11:38:21.044: L2TP _____:8275B:00004732: Set HA epoch to 0 Mar 24 11:38:21.044: L2TP _____:8275B:00004732: Local AC is now UP Mar 24 11:38:21.044: L2TP _____:8275B:00004732: Remote AC is now UP Mar 24 11:38:21.044: L2TP tnl 8275B:000062F6: ADJ UP Mar 24 11:38:21.044: L2TUN APP: uid:112/handle/141151Peer AIE:00000000 Peer-peer 00000000 Ours 0100047B Mar 24 11:38:21.044: L2TUN APP: uid:112/handle/141151New peer; get switch hdl 0 Mar 24 11:38:21.045: L2TUN APP: uid:112/handle/141151Allocate switch hdl 141152 Mar 24 11:38:21.045: L2TP _____:8275B:00004732: App type set to VPDN Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: Path MTU is enabled Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: UDP checksum ignore is enabled Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: Sequencing default tx disabled Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: Sequencing default rx disabled Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: Framing set to sync Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: Bearer set to none Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: no cookies enabled Mar 24 11:38:21.045: L2TP tnl 8275B:000062F6: Session PMTU count now 1 Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev ICRQ-OK Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn Proc-ICRQ->Wt-Tx-ICRP Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn do Tx-ICRP-Local-Check Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev Local-Cont Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn Wt-Tx-ICRP->Wt-Rx-ICCN Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn do Tx-ICRP Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: Open sock y.y.y.y:1701->x.x.x.x:4500 Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev Sock-Ready Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn in Wt-Rx-ICCN Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn do Ignore-Sock-Up Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev DP-Setup Mar 24 11:38:21.047: L2TP 
00070:8275B:00004732: FSM-Sn in Wt-Rx-ICCN Mar 24 11:38:21.047: L2TP 00070:8275B:00004732: FSM-Sn do Ignore-DP-Setup Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn ev Rx-ICCN Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn Wt-Rx-ICCN->Proc-ICCN Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn do Rx-ICCN Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: MTU is 65535 Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: Dataplane provisioned, segment 276321 Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: VPDN: process AVPs Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn ev ICCN-OK Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: FSM-Sn Proc-ICCN->established Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: FSM-Sn do Established Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: Session up Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: y.y.y.y<->x.x.x.x Mar 24 11:38:21.064: L2TP:(Tnl25334:Sn18226)L2X setup sss switching Mar 24 11:38:21.064: L2X:Session DB (Tnl/Sn: 25334/18226): Stored the switching session in the session DB Mar 24 11:38:21.064: L2TP:(Tnl25334:Sn18226)L2X s/w switching session provisioned Mar 24 11:38:21.066: PPP: Alloc Context [7F7FDA856EC8] Mar 24 11:38:21.066: ppp112 PPP: Phase is ESTABLISHING Mar 24 11:38:21.066: ppp112 PPP: Using AAA Unique Id = 9C1 Mar 24 11:38:21.066: ppp112 PPP: Authorization required Mar 24 11:38:21.066: ppp112 PPP: Using vpn set call direction Mar 24 11:38:21.066: ppp112 PPP: Treating connection as a callin Mar 24 11:38:21.066: ppp112 PPP: Session handle[EA000472] Session id[112] Mar 24 11:38:21.066: ppp112 PPP LCP: negotiation authorized = 1, tacacs author = 0 Mar 24 11:38:21.066: ppp112 LCP: Event[OPEN] State[Initial to Starting] Mar 24 11:38:21.067: ppp112 PPP LCP: Enter passive mode, state[Stopped] Mar 24 11:38:21.081: ppp112 LCP: I CONFREQ [Stopped] id 0 len 21 Mar 24 11:38:21.082: ppp112 LCP: MRU 1400 (0x01040578) Mar 24 11:38:21.082: ppp112 LCP: MagicNumber 0x2DAB1519 (0x05062DAB1519) Mar 24 
11:38:21.082: ppp112 LCP: PFC (0x0702) Mar 24 11:38:21.082: ppp112 LCP: ACFC (0x0802) Mar 24 11:38:21.082: ppp112 LCP: Callback 6 (0x0D0306) Mar 24 11:38:21.082: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ Mar 24 11:38:21.082: ppp112 LCP: O CONFREQ [Stopped] id 1 len 19 Mar 24 11:38:21.082: ppp112 LCP: MRU 1464 (0x010405B8) Mar 24 11:38:21.082: ppp112 LCP: AuthProto MS-CHAP-V2 (0x0305C22381) Mar 24 11:38:21.082: ppp112 LCP: MagicNumber 0x1205A349 (0x05061205A349) Mar 24 11:38:21.082: ppp112 LCP: O CONFREJ [Stopped] id 0 len 7 Mar 24 11:38:21.082: ppp112 LCP: Callback 6 (0x0D0306) Mar 24 11:38:21.083: ppp112 LCP: Event[Receive ConfReq-] State[Stopped to REQsent] Mar 24 11:38:21.099: ppp112 LCP: I CONFACK [REQsent] id 1 len 19 Mar 24 11:38:21.099: ppp112 LCP: MRU 1464 (0x010405B8) Mar 24 11:38:21.099: ppp112 LCP: AuthProto MS-CHAP-V2 (0x0305C22381) Mar 24 11:38:21.099: ppp112 LCP: MagicNumber 0x1205A349 (0x05061205A349) Mar 24 11:38:21.099: ppp112 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd] Mar 24 11:38:21.099: ppp112 LCP: I CONFREQ [ACKrcvd] id 1 len 18 Mar 24 11:38:21.099: ppp112 LCP: MRU 1400 (0x01040578) Mar 24 11:38:21.100: ppp112 LCP: MagicNumber 0x2DAB1519 (0x05062DAB1519) Mar 24 11:38:21.100: ppp112 LCP: PFC (0x0702) Mar 24 11:38:21.100: ppp112 LCP: ACFC (0x0802) Mar 24 11:38:21.100: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ Mar 24 11:38:21.100: ppp112 LCP: O CONFNAK [ACKrcvd] id 1 len 8 Mar 24 11:38:21.100: ppp112 LCP: MRU 1464 (0x010405B8) Mar 24 11:38:21.100: ppp112 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd] Mar 24 11:38:21.117: ppp112 LCP: I CONFREQ [ACKrcvd] id 2 len 18 Mar 24 11:38:21.117: ppp112 LCP: MRU 1400 (0x01040578) Mar 24 11:38:21.117: ppp112 LCP: MagicNumber 0x2DAB1519 (0x05062DAB1519) Mar 24 11:38:21.117: ppp112 LCP: PFC (0x0702) Mar 24 11:38:21.117: ppp112 LCP: ACFC (0x0802) Mar 24 11:38:21.117: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ Mar 24 11:38:21.117: 
ppp112 LCP: O CONFNAK [ACKrcvd] id 2 len 8 Mar 24 11:38:21.117: ppp112 LCP: MRU 1464 (0x010405B8) Mar 24 11:38:21.117: ppp112 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd] Mar 24 11:38:21.136: ppp112 LCP: I CONFREQ [ACKrcvd] id 3 len 18 Mar 24 11:38:21.137: ppp112 LCP: MRU 1464 (0x010405B8) Mar 24 11:38:21.137: ppp112 LCP: MagicNumber 0x2DAB1519 (0x05062DAB1519) Mar 24 11:38:21.137: ppp112 LCP: PFC (0x0702) Mar 24 11:38:21.137: ppp112 LCP: ACFC (0x0802) Mar 24 11:38:21.137: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ Mar 24 11:38:21.137: ppp112 LCP: O CONFACK [ACKrcvd] id 3 len 18 Mar 24 11:38:21.137: ppp112 LCP: MRU 1464 (0x010405B8) Mar 24 11:38:21.137: ppp112 LCP: MagicNumber 0x2DAB1519 (0x05062DAB1519) Mar 24 11:38:21.137: ppp112 LCP: PFC (0x0702) Mar 24 11:38:21.137: ppp112 LCP: ACFC (0x0802) Mar 24 11:38:21.137: ppp112 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open] Mar 24 11:38:21.153: ppp112 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x2DAB1519MSRASV5.20 Mar 24 11:38:21.153: ppp112 LCP: I IDENTIFY [Open] id 5 len 31 magic 0x2DAB1519MSRAS-0-KITASU_NB2 Mar 24 11:38:21.154: ppp112 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x2DAB1519Z hJBD+I8@B|Ir(| Mar 24 11:38:21.154: ppp112 PPP: Phase is AUTHENTICATING, by this end Mar 24 11:38:21.154: ppp112 MS-CHAP-V2: O CHALLENGE id 1 len 32 from "rt-Sbyt-GRE" Mar 24 11:38:21.154: ppp112 LCP: State is Open Mar 24 11:38:21.172: ppp112 MS-CHAP-V2: I RESPONSE id 1 len 62 from "username" Mar 24 11:38:21.172: ppp112 PPP: Phase is FORWARDING, Attempting Forward Mar 24 11:38:21.172: ppp112 PPP: Phase is AUTHENTICATING, Unauthenticated User Mar 24 11:38:21.173: ppp112 PPP: Sent MSCHAP_V2 LOGIN Request Mar 24 11:38:21.178: ppp112 PPP: Received LOGIN Response PASS Mar 24 11:38:21.178: ppp112 PPP AUTHOR: Author Data NOT Available Mar 24 11:38:21.178: ppp112 PPP: Sent LCP AUTHOR Request Mar 24 11:38:21.178: ppp112 PPP: TACACS authorization is required Mar 24 11:38:21.178: ppp112 PPP IPCP: negotiation 
authorized = 0, tacacs author = 1 Mar 24 11:38:21.178: ppp112 PPP: Sent IPCP AUTHOR Request Mar 24 11:38:21.179: ppp112 IPCP: Authorizing CP Mar 24 11:38:21.179: ppp112 IPCP: CP stalled on event[Authorize CP] Mar 24 11:38:21.179: ppp112 LCP: Received AAA AUTHOR Response PASS Mar 24 11:38:21.179: ppp112 PPP LCP: Merging new AAA attributes recd with existing ones Mar 24 11:38:21.179: ppp112 PPP LCP: authorization succeeded, un-stalling CP Mar 24 11:38:21.179: ppp112 PPP: Receive Attrs from[author] Keep[LCP] MERGE Mar 24 11:38:21.179: ppp112 PPP: Skip Attr: MS-MPPE-Recv-Key 0 66 53 0F 5C 2E 63 F1 3F EE A6 86 71 61 F9 E1 36 Mar 24 11:38:21.179: ppp112 PPP: Skip Attr: MS-MPPE-Send-Key 0 03 51 52 20 14 AB DD B6 38 16 14 CF 62 99 A1 3B Mar 24 11:38:21.179: ppp112 PPP: Keep Attr: MS-CHAP-V2-Success 0 <hidden> Mar 24 11:38:21.180: ppp112 PPP: Updated the attr MS-CHAP-V2-Success in datalist Mar 24 11:38:21.180: ppp112 PPP: Keep Attr: Framed-Protocol 0 1 [PPP] Mar 24 11:38:21.180: ppp112 PPP: Updated the attr Framed-Protocol in datalist Mar 24 11:38:21.180: ppp112 PPP: Keep Attr: username 0 "username" Mar 24 11:38:21.180: ppp112 PPP: Updated the attr username in datalist Mar 24 11:38:21.180: ppp112 IPCP: Received AAA AUTHOR Response PASS Mar 24 11:38:21.180: ppp112 PPP IPCP: Merging new AAA attributes recd with existing ones Mar 24 11:38:21.180: ppp112 PPP IPCP: authorization succeeded, un-stalling CP Mar 24 11:38:21.181: ppp112 IPCP: CP unstall Mar 24 11:38:21.181: ppp112 PPP: Phase is FORWARDING, Attempting Forward Mar 24 11:38:21.181: ppp112 PPP: Receive Attrs from[SSS] Keep[NCPs] MERGE Mar 24 11:38:21.181: ppp112 PPP: Keep Attr: MS-MPPE-Recv-Key 0 66 53 0F 5C 2E 63 F1 3F EE A6 86 71 61 F9 E1 36 Mar 24 11:38:21.182: ppp112 PPP: Updated the attr MS-MPPE-Recv-Key in datalist Mar 24 11:38:21.182: ppp112 PPP: Keep Attr: MS-MPPE-Send-Key 0 03 51 52 20 14 AB DD B6 38 16 14 CF 62 99 A1 3B Mar 24 11:38:21.182: ppp112 PPP: Updated the attr MS-MPPE-Send-Key in datalist Mar 24 
11:38:21.182: ppp112 PPP: Skip Attr: MS-CHAP-V2-Success 0 <hidden> Mar 24 11:38:21.182: ppp112 PPP: Skip Attr: Framed-Protocol 0 1 [PPP] Mar 24 11:38:21.182: ppp112 PPP: Skip Attr: username 0 "username" Mar 24 11:38:21.187: VT[Vi2.34]:Request took 5 msec, 4 msec processing time Mar 24 11:38:21.188: L2TP 00070:8275B:00004732: App type set to VPDN Mar 24 11:38:21.188: L2TP 00070:8275B:00004732: Sequencing default tx disabled Mar 24 11:38:21.188: L2TP 00070:8275B:00004732: Sequencing default rx disabled Mar 24 11:38:21.188: L2TP 00070:8275B:00004732: Framing set to sync Mar 24 11:38:21.188: L2TP 00070:8275B:00004732: Bearer set to none Mar 24 11:38:21.189: L2TP:(Tnl25334:Sn18226)PPTP Mar 24 11:38:21.189: L2TP:(Tnl25334:Sn18226)L2X s/w switching session bound Mar 24 11:38:21.191: L2TP 00070:8275B:00004732: FSM-Sn ev DP-Up Mar 24 11:38:21.191: L2TP 00070:8275B:00004732: FSM-Sn in established Mar 24 11:38:21.191: L2TP 00070:8275B:00004732: FSM-Sn do Ignore-DP-UP Mar 24 11:38:21.192: Vi2.34 PPP: Phase is AUTHENTICATING, Authenticated User Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process LCP Author Data Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process Attr: MS-CHAP-V2-Success Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process Attr: Framed-Protocol Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process Attr: username Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Authorization succeeded Mar 24 11:38:21.192: Vi2.34 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=3092B0FA950FFA6B987928CC5537170F541E1559" Mar 24 11:38:21.192: Vi2.34 PPP: No AAA accounting method list Mar 24 11:38:21.193: Vi2.34 PPP: Store Author Attr: MS-MPPE-Recv-Key Mar 24 11:38:21.193: Vi2.34 PPP: Store Author Attr: MS-MPPE-Send-Key Mar 24 11:38:21.193: Vi2.34 PPP: Phase is UP Mar 24 11:38:21.193: L2TP 00070:8275B:00004732: App type set to VPDN Mar 24 11:38:21.193: L2TP 00070:8275B:00004732: Sequencing default tx disabled Mar 24 11:38:21.193: L2TP 00070:8275B:00004732: Sequencing default rx disabled Mar 24 11:38:21.193: L2TP 
00070:8275B:00004732: Framing set to sync Mar 24 11:38:21.193: L2TP 00070:8275B:00004732: Bearer set to none Mar 24 11:38:21.194: L2TP 00070:8275B:00004732: App type set to VPDN Mar 24 11:38:21.194: L2TP 00070:8275B:00004732: Sequencing default tx disabled Mar 24 11:38:21.194: L2TP 00070:8275B:00004732: Sequencing default rx disabled Mar 24 11:38:21.194: L2TP 00070:8275B:00004732: Framing set to sync Mar 24 11:38:21.195: L2TP 00070:8275B:00004732: Bearer set to none Mar 24 11:38:21.211: %IOSXE_INFRA-3-CONSOLE_DBUG_DROP: System dropped 17 bytes of console debug messages. Mar 24 11:38:21.214: Vi2.34 IPV6CP: I CONFREQ [UNKNOWN] id 7 len 14 Mar 24 11:38:21.214: Vi2.34 IPV6CP: Interface-Id B420:BDBE:3B97:4AD8 (0x010AB420BDBE3B974AD8) Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0107000E010AB420BDBE3B974AD8) Mar 24 11:38:21.214: Vi2.34 CCP: I CONFREQ [UNKNOWN] id 8 len 10 Mar 24 11:38:21.214: Vi2.34 CCP: MS-PPC supported bits 0x01000000 (0x120601000000) Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 3 len 16 protocol CCP (0x0108000A120601000000) Mar 24 11:38:21.215: Vi2.34 IPCP: I CONFREQ [Initial] id 9 len 34 Mar 24 11:38:21.215: Vi2.34 IPCP: Address 0.0.0.0 (0x030600000000) Mar 24 11:38:21.215: Vi2.34 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) Mar 24 11:38:21.215: Vi2.34 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) Mar 24 11:38:21.215: Vi2.34 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) Mar 24 11:38:21.215: Vi2.34 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) Mar 24 11:38:21.215: Vi2.34 LCP: O PROTREJ [Open] id 4 len 40 protocol IPCP Mar 24 11:38:21.215: Vi2.34 LCP: (0x01090022030600000000810600000000) Mar 24 11:38:21.215: Vi2.34 LCP: (0x82060000000083060000000084060000) Mar 24 11:38:21.215: Vi2.34 LCP: (0x0000) Mar 24 11:38:21.492: Vi2.34 LCP: I TERMREQ [Open] id 10 len 16 Mar 24 11:38:21.493: Vi2.34 LCP: (0x2DAB1519003CCD7400000000) Mar 24 11:38:21.493: Vi2.34 PPP DISC: Received LCP TERMREQ from peer Mar 24 11:38:21.493: Vi2.34 
PPP: Sending Acct Event[Down] id[9C1] Mar 24 11:38:21.493: PPP: NET STOP send to AAA. Mar 24 11:38:21.493: Vi2.34 PPP: Phase is TERMINATING Mar 24 11:38:21.493: Vi2.34 IPCP: Event[DOWN] State[Initial to Initial] Mar 24 11:38:21.493: Vi2.34 IPCP: Event[CLOSE] State[Initial to Initial] Mar 24 11:38:21.493: Vi2.34 LCP: O TERMACK [Open] id 10 len 4 Mar 24 11:38:21.494: Vi2.34 LCP: Event[Receive TermReq] State[Open to Stopping] Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: FSM-Sn ev Rx-CDN Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: FSM-Sn established->Idle Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: FSM-Sn do Rx-CDN Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: VPDN: process AVPs Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Shutting down session Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Result Code Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Call disconnected for administrative reasons (3) Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Error Code Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: No error (0) Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Vendor Error Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: None (0) Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: FSM-Sn ev Shut Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: FSM-Sn Idle->Dead Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: FSM-Sn do Destroy Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Session down Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: y.y.y.y<->x.x.x.x Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Destroying session Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Dataplane deallocated, segment 0 Mar 24 11:38:21.520: L2TP tnl 8275B:000062F6: FSM-CC ev Session-Disc Mar 24 11:38:21.520: L2TP tnl 8275B:000062F6: FSM-CC in established Mar 24 11:38:21.520: L2TP tnl 8275B:000062F6: FSM-CC do Session-Disc-Est Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: Session count 
now 0 Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: VPDN Session count now 0 Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: Session PMTU count now 0 Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: FSM-CC ev No-Users Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: FSM-CC established->Est-No-User Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: FSM-CC do No-Users Mar 24 11:38:21.521: L2TP tnl 8275B:000062F6: No more cc users, shutdown (likely) in 10 secs Mar 24 11:38:21.521: L2TP 00070:_____:________: Session detached Mar 24 11:38:21.521: L2TP 00070:_____:________: sending APP disconnect Mar 24 11:38:21.523: Vi2.34 PPP: Block vaccess from being freed [0x10] Mar 24 11:38:21.523: L2TUN APP: uid:112/handle/141151shutdown app session Mar 24 11:38:21.523: L2TUN APP: uid:112/handle/141151Stopping service selection Mar 24 11:38:21.523: Vi2.34 LCP: Event[CLOSE] State[Stopping to Closing] Mar 24 11:38:21.523: VPDN Failed to get session from socket handle 87000079 Mar 24 11:38:21.523: Vi2.34 LCP: Event[DOWN] State[Closing to Initial] Mar 24 11:38:21.523: ppp_session_ntfy delete, topswidb Vi2.34, va Vi2.34, platform notify 0 Mar 24 11:38:21.524: Vi2.34 PPP: Clearing AAA Unique Id = 9C1 Mar 24 11:38:21.524: Vi2.34 PPP: Unlocked by [0x10] Still Locked by [0x0] Mar 24 11:38:21.524: Vi2.34 PPP: Free previously blocked vaccess Mar 24 11:38:21.524: Vi2.34 PPP: Phase is DOWN Mar 24 11:38:21.524: L2X 00070:_____:________: Destroying logical session Mar 24 11:38:21.525: L2TP:(Tnl25334:Sn18226)L2X s/w switching session unbound Mar 24 11:38:21.526: L2TP:(Tnl25334:Sn18226)Vi2.34 Block vaccess from being freed. Mar 24 11:38:21.527: L2TP:(Tnl25334:Sn18226)Vi2.34 Block vaccess from being freed. 
Mar 24 11:38:21.528: L2TP:(Tnl25334:Sn18226)L2X s/w switching session unprovisioned Mar 24 11:38:21.528: L2X:Session DB (Tnl/Sn: 25334/18226): Removed the switching session from the session DB Mar 24 11:38:21.583: L2TP tnl 8275B:000062F6: FSM-CC ev Rx-StopCCN Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: FSM-CC in Est-No-User Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: FSM-CC do Rx-StopCCN Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Shutting down tunnel Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Result Code Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Requestor is being shut down Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Error Code Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: No error Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Vendor Error Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: None Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: FSM-CC ev Shut-Now Mar 24 11:38:21.584: L2TP tnl 8275B:000062F6: FSM-CC Est-No-User->Wt-STOPACK Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: FSM-CC do Shutnow Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: FSM-CC ev Shut-Comp Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: FSM-CC Wt-STOPACK->Dead Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: FSM-CC do Shutdown-Completed Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: Tunnel accounting send not possible - no mlist Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: Control channel down Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: y.y.y.y<->x.x.x.x Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: ADJ UP Mar 24 11:38:21.585: L2TP tnl 8275B:000062F6: Destroying tunnel Mar 24 11:38:21.585: L2X tnl 8275B:________: Destroying logical tunnel Mar 24 11:38:21.586: L2X _____:________: class [AAA author, group "l2tp"] Mar 24 11:38:21.586: L2X _____:________: Protocol unlocked 34->33 Mar 24 11:38:21.587: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE Mar 24 
11:38:21.587: ISAKMP: (14437):set new node 3804393046 to QM_IDLE Mar 24 11:38:21.587: ISAKMP: (14437):processing HASH payload. message ID = 3804393046 Mar 24 11:38:21.587: ISAKMP: (14437):processing DELETE payload. message ID = 3804393046 Mar 24 11:38:21.587: ISAKMP: (14437):peer does not do paranoid keepalives. Mar 24 11:38:21.587: ISAKMP: (14437):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x33D98824) Mar 24 11:38:21.587: ISAKMP: (14437):deleting node 3804393046 error FALSE reason "Informational (in) state 1" Mar 24 11:38:21.588: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE Mar 24 11:38:21.588: ISAKMP: (14437):set new node 3797645767 to QM_IDLE Mar 24 11:38:21.588: ISAKMP: (14437):processing HASH payload. message ID = 3797645767 Mar 24 11:38:21.588: ISAKMP: (14437):processing DELETE payload. message ID = 3797645767 Mar 24 11:38:21.588: ISAKMP: (14437):peer does not do paranoid keepalives. Mar 24 11:38:21.588: ISAKMP: (14437):deleting SA reason "No reason" state (R) QM_IDLE (peer x.x.x.x) Mar 24 11:38:21.588: ISAKMP: (14437):deleting node 3797645767 error FALSE reason "Informational (in) state 1" Mar 24 11:38:21.588: IPSEC(key_engine): got a queue event with 1 KMI message(s) Mar 24 11:38:21.588: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5419 Mar 24 11:38:21.588: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP Mar 24 11:38:21.588: IPSEC: still in use sa: 0x7F7FE3F70120 Mar 24 11:38:21.588: IPSEC(key_engine_delete_sas): delete SA with spi 0x33D98824 proto 50 for x.x.x.x Mar 24 11:38:21.589: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list Mar 24 11:38:21.589: IPSEC(delete_sa): deleting SA, (sa) sa_dest= y.y.y.y, sa_proto= 50, sa_spi= 0xBA400A66(3124759142), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2043 sa_lifetime(k/sec)= (250000/3600), (identity) local= y.y.y.y:0, remote= x.x.x.x:0, local_proxy= y.y.y.y/255.255.255.255/17/1701, remote_proxy= 
x.x.x.x/255.255.255.255/17/4500 Mar 24 11:38:21.589: IPSEC(delete_sa): deleting SA, (sa) sa_dest= x.x.x.x, sa_proto= 50, sa_spi= 0x33D98824(869894180), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2044 sa_lifetime(k/sec)= (250000/3600), (identity) local= y.y.y.y:0, remote= x.x.x.x:0, local_proxy= y.y.y.y/255.255.255.255/17/1701, remote_proxy= x.x.x.x/255.255.255.255/17/4500 Mar 24 11:38:21.589: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Mar 24 11:38:21.590: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS Mar 24 11:38:21.590: ISAKMP: (14437):set new node 446696526 to QM_IDLE Mar 24 11:38:21.591: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) QM_IDLE Mar 24 11:38:21.591: ISAKMP: (14437):Sending an IKE IPv4 Packet. Mar 24 11:38:21.591: ISAKMP: (14437):purging node 446696526 Mar 24 11:38:21.591: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Mar 24 11:38:21.591: ISAKMP: (14437):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA Mar 24 11:38:21.592: ISAKMP: (14437):deleting SA reason "No reason" state (R) QM_IDLE (peer x.x.x.x) Mar 24 11:38:21.592: ISAKMP: (0):Unlocking peer struct 0x80007F7FEA40CD08 for isadb_mark_sa_deleted(), count 0 Mar 24 11:38:21.592: ISAKMP: (0):Deleting peer node by peer_reap for x.x.x.x: 80007F7FEA40CD08 Mar 24 11:38:21.593: ISAKMP: (14437):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 24 11:38:21.593: ISAKMP: (14437):Old State = IKE_DEST_SA New State = IKE_DEST_SA Mar 24 11:38:21.593: IPSEC(key_engine): got a queue event with 1 KMI message(s) Mar 24 11:38:21.987: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB IPSEC get IKMP peer index from peer 0x7F7FEA471408 ikmp handle 0x8000065B [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x2400002B,peer index 0

But if fewer than 30 people are connected, clients connect normally.
I'll add that the load on the Cisco is negligible:

show processes cpu:
CPU utilization for five seconds: 2%/0%; one minute: 3%; five minutes: 3%

Edited March 24, 2020 by asid2006
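The sequence visible in the debug output above (login PASS, an outgoing LCP PROTREJ for IPCP, then TERMREQ from the peer) can be extracted from a flattened log mechanically. The following Python is an added example, not code from the thread: the sample log is constructed in the same layout, the function names are hypothetical, and it also masks the MS-MPPE key values that this kind of debug output prints before the log is shared.

```python
import re

# Constructed sample in the same flattened layout as the debug output in the
# post above (entries run together on one line). Key bytes are made up.
SAMPLE = (
    "Mar 24 11:38:21.178: ppp112 PPP: Received LOGIN Response PASS "
    "Mar 24 11:38:21.179: ppp112 PPP: Skip Attr: MS-MPPE-Recv-Key 0 "
    "00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF "
    "Mar 24 11:38:21.193: Vi2.34 PPP: Phase is UP "
    "Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 2 len 20 "
    "protocol IPV6CP (0x0107000E010A0000000000000001) "
    "Mar 24 11:38:21.215: Vi2.34 IPCP: I CONFREQ [Initial] id 9 len 34 "
    "Mar 24 11:38:21.215: Vi2.34 IPCP: Address 0.0.0.0 (0x030600000000) "
    "Mar 24 11:38:21.215: Vi2.34 LCP: O PROTREJ [Open] id 4 len 40 protocol IPCP "
    "Mar 24 11:38:21.492: Vi2.34 LCP: I TERMREQ [Open] id 10 len 16 "
    "Mar 24 11:38:21.493: Vi2.34 PPP DISC: Received LCP TERMREQ from peer"
)

_TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}"
# Zero-width split point in front of every "Mon DD HH:MM:SS.mmm: " stamp.
STAMP = re.compile(r"(?=" + _TS + r": )")
ENTRY = re.compile(r"^(" + _TS + r"): (.*)$", re.S)
# Hex pairs after an MPPE key attribute; the lookahead keeps a following
# month name such as "Dec" from being read as a hex pair.
MPPE = re.compile(r"(MS-MPPE-(?:Recv|Send)-Key \d+)((?: [0-9A-Fa-f]{2}(?= |$))+)")
PROTREJ = re.compile(r"LCP: O PROTREJ \[\w+\] id \d+ len \d+ protocol (\w+)")
LOGIN = re.compile(r"Received LOGIN Response (\w+)")


def split_entries(text):
    """Split a flattened debug log into (timestamp, message) pairs."""
    entries = []
    for part in STAMP.split(text):
        m = ENTRY.match(part.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def normalize(text):
    """One entry per line, with MS-MPPE key bytes masked for sharing."""
    lines = []
    for stamp, msg in split_entries(text):
        msg = MPPE.sub(lambda m: m.group(1) + " <redacted>", msg)
        lines.append(f"{stamp}: {msg}")
    return "\n".join(lines)


def summarize(text):
    """Collect the facts that matter for a failed PPP session setup."""
    summary = {"auth": None, "ipcp_requested": False,
               "rejected_ncps": [], "terminated_by": None}
    for _, msg in split_entries(text):
        m = LOGIN.search(msg)
        if m:
            summary["auth"] = m.group(1)
        m = PROTREJ.search(msg)
        if m:
            summary["rejected_ncps"].append(m.group(1))
        if "IPCP: I CONFREQ" in msg:
            summary["ipcp_requested"] = True
        if "Received LCP TERMREQ from peer" in msg:
            summary["terminated_by"] = "peer"
    return summary


def diagnose(text):
    """Name the pattern: auth passed, IPCP protocol-rejected, peer hung up."""
    s = summarize(text)
    if (s["auth"] == "PASS" and "IPCP" in s["rejected_ncps"]
            and s["terminated_by"] == "peer"):
        return ("auth ok; router sent LCP PROTREJ for IPCP, so no address "
                "was negotiated; peer then sent TERMREQ")
    return "no IPCP rejection pattern found"


if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(diagnose(SAMPLE))
```
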
ShyLion Posted March 24, 2020

1 hour ago, asid2006 said:
Mar 24 11:38:21.492: Vi2.34 LCP: I TERMREQ [Open] id 10 len 16
Mar 24 11:38:21.493: Vi2.34 LCP: (0x2DAB1519003CCD7400000000)
Mar 24 11:38:21.493: Vi2.34 PPP DISC: Received LCP TERMREQ from peer

Strange, here it looks like the client is the one refusing to continue. Show debug radius as well.

4 hours ago, asid2006 said:
aaa authorization network default if-authenticated
aaa authorization network default group radius_XXX
ShyLion Posted March 24, 2020

4 hours ago, asid2006 said:
interface Virtual-Template1
ip address xxx 255.255.255.0
ip mtu 1400
peer default ip address pool VPN
no keepalive
ppp authentication ms-chap-v2
ppp authentication ms-chap-v2 callin
asid2006 Posted March 25, 2020

We upgraded the firmware from 16.06.03 to 16.09.05. Tunnels now come up and IP addresses are handed out, but if the number of sessions is above 30, traffic does not pass through the tunnel. We will try upgrading to 16.06.07. I'll report back with the results. Looks like it's the firmware after all...
kapydan Posted March 25, 2020

Which devices can and can't people connect from: Android, Windows, Mac? And there is a second idea: look at the licenses installed on the 4331 (maybe they carry some limit of their own, say that same maximum of 30 connections).
asid2006 Posted March 25, 2020

29 minutes ago, kapydan said:
Which devices can and can't people connect from: Android, Windows, Mac? And there is a second idea: look at the licenses installed on the 4331 (maybe they carry some limit of their own, say that same maximum of 30 connections).

The clients are on Windows.

show license feature

Feature name         Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9               yes          yes         no            yes      yes
uck9                 yes          yes         no            yes      yes
securityk9           yes          yes         no            yes      yes
ipbasek9             no           no          no            yes      no
FoundationSuiteK9    yes          yes         no            yes      yes
AdvUCSuiteK9         yes          yes         no            yes      yes
cme-srst             yes          yes         no            no       yes
hseck9               yes          no          no            no       no
throughput           yes          yes         no            yes      yes
internal_service     yes          no          no            no       no
kapydan Posted March 25, 2020

The Feature Navigator says L2TP should be supported on the 4331. Maybe it's time to look at the release notes for the 4331 routers. And why was L2TP chosen specifically?
asid2006 Posted March 25, 2020 (edited)

6 minutes ago, kapydan said:
The Feature Navigator says L2TP should be supported on the 4331. Maybe it's time to look at the release notes for the 4331 routers. And why was L2TP chosen specifically?

Because the clients don't need to install anything extra. Windows, macOS and Android all support it. And this Cisco doesn't understand anything else, as far as I can tell:

ISR4331_16_06_07(config-vpdn-acc-in)#protocol ?
any Use any protocol
l2tp Use L2TP

Edited March 25, 2020 by asid2006
fractal Posted March 25, 2020

7 hours ago, asid2006 said:
Because the clients don't need to install anything extra. Windows, macOS and Android all support it. And this Cisco doesn't understand anything else, as far as I can tell:
ISR4331_16_06_07(config-vpdn-acc-in)#protocol ?
any Use any protocol
l2tp Use L2TP

What about the license, and how much traffic is there? Is it complaining about performance in the logs?
jffulcrum Posted March 25, 2020

Without HSEC-K9 you have a limit of 225 tunnels (of all technologies) and 85 Mbit/s of encrypted traffic in total. Judging by your symptoms, it is the traffic limit you are exceeding: once it is exceeded, the kernel simply drops packets.
Saab95 Posted March 26, 2020

Yeah, it's a Cisco, everything in it is done in hardware. That's why it limits you to 30 tunnels. No amount of tweaking will fix that.
kapydan Posted March 26, 2020

1 hour ago, Saab95 said:
Yeah, it's a Cisco, everything in it is done in hardware. That's why it limits you to 30 tunnels. No amount of tweaking will fix that.

Not quite. Cisco just really wants money, so it came up with this licensing scheme on the ISR4000: security, performance... Same as all those smart accounts.
kt Posted March 27, 2020

Quote:
The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250[9] Mbps of crypto bandwidth would be available. The change to 250Mbps was achieved in the IOS-XE version 16.8.1 pursuant to revised Federal regulations
asid2006 Posted March 27, 2020

On 3/25/2020 at 7:47 PM, jffulcrum said:
Without HSEC-K9 you have a limit of 225 tunnels (of all technologies) and 85 Mbit/s of encrypted traffic in total. Judging by your symptoms, it is the traffic limit you are exceeding: once it is exceeded, the kernel simply drops packets.

Sounds plausible. There are quite a few GRE tunnels on it. I'll try deleting the unneeded ones and report back with the results.
asid2006 Posted March 27, 2020

On 3/25/2020 at 7:47 PM, jffulcrum said:
Without HSEC-K9 you have a limit of 225 tunnels (of all technologies) and 85 Mbit/s of encrypted traffic in total. Judging by your symptoms, it is the traffic limit you are exceeding: once it is exceeded, the kernel simply drops packets.

If the problem is not the number of tunnels but, as you wrote, the throughput, is there any chance of solving it somehow so that the number of connections can be increased? In fact, if I check in the evening, when link usage is minimal (instantaneous traffic does not come anywhere near 85 Mbit), the problem persists.
kt Posted March 27, 2020

@asid2006, upgrade IOS to at least 16.8.1. Issue the command platform hardware throughput level 300000. The throughput and the number of tunnels will increase.
asid2006 Posted March 27, 2020

37 minutes ago, kt said:
@asid2006, upgrade IOS to at least 16.8.1. Issue the command platform hardware throughput level 300000. The throughput and the number of tunnels will increase.

The firmware is currently isr4300-universalk9.16.09.05.SPA.bin and that command has already been entered.
AlexDsv Posted March 27, 2020

On 3/24/2020 at 11:39 AM, asid2006 said:
Good afternoon. We have a Cisco 4331 with an L2TP server configured. Clients connect and everything works fine. But as soon as the number of clients goes above 30, the Cisco stops handing out network settings to them and connecting clients get error 720 (cannot connect to the remote computer, the network settings may need to be changed).

Today error 720 showed up on our clients too. The number of remote workers is growing, and the address pool for the VPN ran out. I expanded the pool and everything started working. Maybe you have something wrong with the pool too?
fractal Posted March 27, 2020 (edited)

3 hours ago, kt said:
@asid2006, upgrade IOS to at least 16.8.1. Issue the command platform hardware throughput level 300000. The throughput and the number of tunnels will increase.

Does the perf license really increase the number of tunnels? Maybe you are confusing it with hsec?

4 hours ago, asid2006 said:
If the problem is not the number of tunnels but, as you wrote, the throughput, is there any chance of solving it somehow so that the number of connections can be increased? In fact, if I check in the evening, when link usage is minimal (instantaneous traffic does not come anywhere near 85 Mbit), the problem persists.

With the sec license, after flashing a version no lower than 16.8.1, the number of tunnels is already 1000 and encryption is 250 Mbit; Cisco raised the limits.

Edited March 27, 2020 by fractal
kapydan Posted March 27, 2020

14 minutes ago, fractal said:
Does the perf license really increase the number of tunnels?

No, it increases performance specifically. On the 4331 in particular, from 100 Mb to 300 Mb.
reef Posted March 27, 2020 (edited)

9 hours ago, asid2006 said:
is there any chance of solving it somehow so that the number of connections can be increased?

Buy an HSEC license from the Chinese for 150 bucks and stop racking your brain; for an enterprise that is pennies, and your company will lose more because of the current restrictions. Even if you trim some number of tunnels that are no longer used, you will only postpone for a while the ceiling you are hitting.

Edited March 27, 2020 by reef
fractal Posted March 28, 2020

6 hours ago, reef said:
Buy an HSEC license from the Chinese for 150 bucks and stop racking your brain; for an enterprise that is pennies, and your company will lose more because of the current restrictions. Even if you trim some number of tunnels that are no longer used, you will only postpone for a while the ceiling you are hitting.

But he says he gets rejected at 30 tunnels, and now with 16.9.5 he is allowed 1000 of them.
zhenya` Posted March 28, 2020

sh platform cerm-information