
[SOLVED] Cisco 4331 does not accept more than 30 VPN connections

Good afternoon. I have a Cisco 4331 with an L2TP server configured. Clients connect and everything works fine. But as soon as the number of clients goes above 30, the Cisco stops handing out network settings to them, and connecting clients get error 720 (cannot connect to the remote computer; the network settings may need to be changed).

 

sho version:


Cisco IOS XE Software, Version 16.06.03
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.3, RELEASE SOFTWARE (fc8)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 28-Feb-18 23:54 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

rt-Sbyt-GRE uptime is 27 weeks, 5 days, 9 hours, 34 minutes
Uptime for this control processor is 27 weeks, 5 days, 9 hours, 37 minutes
System returned to ROM by PowerOn at 11:57:45 MSK Sun Dec 9 2018
System restarted at 01:49:44 MSK Thu Sep 12 2019
System image file is "bootflash:isr4300-universalk9.16.06.03.SPA.bin"
Last reload reason: PowerOn

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9

AdvUCSuiteK9          None                  None           None
uck9
cme-srst
cube


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           appxk9           Permanent        appxk9
uck9             uck9             RightToUse       uck9
securityk9       securityk9       RightToUse       securityk9
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4331/K9 (1RU) processor with 1796073K/6147K bytes of memory.
Processor board ID xxx
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102
 

 

 

Partially trimmed config:


version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname xxx
!
boot-start-marker
boot system bootflash:isr4300-universalk9.16.06.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius radius_ve
 server name radius_XXX
!
aaa authentication login default local
aaa authentication ppp default group radius_XXX
aaa authorization network default if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
ip name-server xxx
ip domain name xxx
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
 ip pmtu
 ip mtu adjust
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2677205731
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2677205731
 revocation-check none
 rsakeypair TP-self-signed-2677205731
!
!
crypto pki certificate chain TP-self-signed-2677205731
 certificate self-signed 01
  xxx
        quit
!
!
!
!
!
!
!
!
!
license udi pid ISR4331/K9 sn xxx
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username operator privilege 15 secret 5 xxx
!
redundancy
 mode none
!
!
!
!
!
!
track 10 ip sla 10 reachability
 delay down 10 up 5
!
track 11 ip sla 11 reachability
 delay down 10 up 5
!
!
!
!
!
!
!
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address 0.0.0.0         no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set l2tp_tr esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map l2tp_dmap 10
 set nat demux
 set transform-set l2tp_tr
!
!
crypto map l2tp_map 10 ipsec-isakmp dynamic l2tp_dmap
!
!
!
!
!
!
!
!

interface Virtual-Template1
 ip address xxx 255.255.255.0
 ip mtu 1400
 peer default ip address pool VPN
 no keepalive
 ppp authentication ms-chap-v2
!
!
ip local pool VPN 10.10.10.2 10.10.10.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
radius server radius_XXX
 address ipv4 xxx auth-port 1645 acct-port 1646
 key 7 xxx
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
!
ntp master
ntp server 10.181.17.8
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!

 

Can you tell me what the cause is? How do I beat this?

Edited by asid2006


Well then:

debug crypto isakmp

debug crypto ipsec

debug vpdn l2x event

debug vpdn l2x error

debug ppp authen

debug ppp author

debug ppp neg

 

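The debugs listed above cover the layers of an L2TP/IPsec dial-in in the order they come up (IKE, IPsec, L2TP, PPP). As an added example, not part of the original thread, this Python script reads such debug output and reports the stage at which each connection attempt stopped, keeping errors from stages that later completed (rejected proposals) apart from errors at the stalled stage. The function names and the sample lines (constructed, with documentation addresses) are assumptions, and attempts are assumed not to be interleaved in the log.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Stages in the order they complete; the marker strings follow the IOS XE
# debug lines quoted in this thread.
STAGES = [
    ("ike_phase1", re.compile(r"New State = IKE_P1_COMPLETE")),
    ("ipsec_phase2", re.compile(r"New State = IKE_QM_PHASE2_COMPLETE")),
    ("l2tp_tunnel", re.compile(r"L2TP tnl .*Control channel up")),
    ("l2tp_session", re.compile(r"L2TP .*Session up")),
]
NEW_ATTEMPT = re.compile(r"ISAKMP-PAK: .*\(N\) NEW SA")
PPP_PHASE = re.compile(r"PPP: Phase is (\w+)")
ERROR = re.compile(r"ERROR:")  # also matches "ISAKMP-ERROR:"


@dataclass
class Attempt:
    reached: list = field(default_factory=list)   # completed stage names
    ppp_phase: Optional[str] = None               # last PPP phase seen
    errors: list = field(default_factory=list)    # (stage in progress, line)

    def in_progress(self):
        """First stage not completed yet; 'ppp' once the L2TP session is up."""
        for name, _ in STAGES:
            if name not in self.reached:
                return name
        return "ppp"


def analyze(log_text):
    """Split a debug log into connection attempts and track each one's progress."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # A first IKE packet from a peer starts a new attempt.
        if cur is None or NEW_ATTEMPT.search(line):
            cur = Attempt()
            attempts.append(cur)
        for name, rx in STAGES:
            if name not in cur.reached and rx.search(line):
                cur.reached.append(name)
        m = PPP_PHASE.search(line)
        if m:
            cur.ppp_phase = m.group(1)
        if ERROR.search(line):
            # Tag the error with the stage that was being negotiated.
            cur.errors.append((cur.in_progress(), line.strip()))
    return attempts


def summarize(attempt):
    """Report where an attempt stopped and which errors belong to that stage."""
    stage = attempt.in_progress()
    # Assumption: "UP" is the phase name logged once PPP is fully negotiated;
    # the excerpt in this thread only shows ESTABLISHING.
    connected = stage == "ppp" and attempt.ppp_phase == "UP"
    at_stall = [] if connected else [l for s, l in attempt.errors if s == stage]
    return {
        "stalled_at": None if connected else stage,
        "ppp_phase": attempt.ppp_phase,
        "errors_at_stall": at_stall,
        # Errors logged while a stage was negotiating that then completed,
        # e.g. proposals rejected before an acceptable one was found.
        "errors_in_completed_stages": len(attempt.errors) - len(at_stall),
    }


# Constructed sample in the format of the debugs above (not real capture data).
SAMPLE = """\
Mar 24 11:38:19.897: ISAKMP-PAK: (0):received packet from 192.0.2.10 dport 500 sport 500 Global (N) NEW SA
Mar 24 11:38:19.900: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar 24 11:38:19.903: ISAKMP: (0):atts are acceptable. Next payload is 0
Mar 24 11:38:19.959: ISAKMP: (1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Mar 24 11:38:20.011: ISAKMP: (1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Mar 24 11:38:21.041: L2TP tnl   0001A:00000001: Control channel up
Mar 24 11:38:21.042: L2TP       _____:________: ERROR: ICRQ AVP 1, vendor 311: unknown
Mar 24 11:38:21.064: L2TP 00001:0001A:00000002: Session up
Mar 24 11:38:21.066: ppp1 PPP: Phase is ESTABLISHING
Mar 24 11:38:25.000: ISAKMP-PAK: (0):received packet from 192.0.2.11 dport 500 sport 500 Global (N) NEW SA
Mar 24 11:38:25.003: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
Mar 24 11:38:25.004: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
"""

if __name__ == "__main__":
    for number, attempt in enumerate(analyze(SAMPLE), start=1):
        print(number, summarize(attempt))
```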

43 minutes ago, ShyLion said:

Well then:

debug crypto isakmp

debug crypto ipsec

debug vpdn l2x event

debug vpdn l2x error

debug ppp authen

debug ppp author

debug ppp neg

 

 

Debug output at the time of error 720
 


Mar 24 11:38:19.897: ISAKMP-PAK: (0):received packet from x.x.x.x dport 500 sport 500 Global (N) NEW SA
Mar 24 11:38:19.897: ISAKMP: (0):Created a peer struct for x.x.x.x, peer port 500
Mar 24 11:38:19.897: ISAKMP: (0):New peer created peer = 0x80007F7FEA40CD08 peer_handle = 0x800000008000065B
Mar 24 11:38:19.897: ISAKMP: (0):Locking peer struct 0x80007F7FEA40CD08, refcount 1 for crypto_isakmp_process_block
Mar 24 11:38:19.897: ISAKMP: (0):local port 500, remote port 500
Mar 24 11:38:19.897: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F7FEA6F1C18
Mar 24 11:38:19.897: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 24 11:38:19.897: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Mar 24 11:38:19.898: ISAKMP: (0):processing SA payload. message ID = 0
Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.898: ISAKMP: (0):processing IKE frag vendor id payload
Mar 24 11:38:19.898: ISAKMP: (0):Support for IKE Fragmentation not enabled
Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Mar 24 11:38:19.898: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Mar 24 11:38:19.898: ISAKMP: (0):vendor ID is NAT-T v2
Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
Mar 24 11:38:19.898: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.898: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
Mar 24 11:38:19.899: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.899: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
Mar 24 11:38:19.899: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.899: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
Mar 24 11:38:19.899: ISAKMP: (0):found peer pre-shared key matching x.x.x.x
Mar 24 11:38:19.899: ISAKMP: (0):local preshared key found
Mar 24 11:38:19.899: ISAKMP: (0):Scanning profiles for xauth ...
Mar 24 11:38:19.899: ISAKMP: (0):Checking ISAKMP transform 1 against priority 20 policy
Mar 24 11:38:19.899: ISAKMP: (0):      encryption AES-CBC
Mar 24 11:38:19.899: ISAKMP: (0):      keylength of 256
Mar 24 11:38:19.899: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.899: ISAKMP: (0):      default group 20
Mar 24 11:38:19.899: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.900: ISAKMP: (0):      life type in seconds
Mar 24 11:38:19.900: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Mar 24 11:38:19.900: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar 24 11:38:19.900: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 24 11:38:19.900: ISAKMP: (0):Checking ISAKMP transform 2 against priority 20 policy
Mar 24 11:38:19.900: ISAKMP: (0):      encryption AES-CBC
Mar 24 11:38:19.900: ISAKMP: (0):      keylength of 128
Mar 24 11:38:19.900: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.900: ISAKMP: (0):      default group 19
Mar 24 11:38:19.900: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.900: ISAKMP: (0):      life type in seconds
Mar 24 11:38:19.900: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Mar 24 11:38:19.901: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar 24 11:38:19.901: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 24 11:38:19.901: ISAKMP: (0):Checking ISAKMP transform 3 against priority 20 policy
Mar 24 11:38:19.901: ISAKMP: (0):      encryption AES-CBC
Mar 24 11:38:19.901: ISAKMP: (0):      keylength of 256
Mar 24 11:38:19.901: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.901: ISAKMP: (0):      default group 14
Mar 24 11:38:19.901: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.901: ISAKMP: (0):      life type in seconds
Mar 24 11:38:19.901: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Mar 24 11:38:19.901: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar 24 11:38:19.901: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 24 11:38:19.901: ISAKMP: (0):Checking ISAKMP transform 4 against priority 20 policy
Mar 24 11:38:19.901: ISAKMP: (0):      encryption 3DES-CBC
Mar 24 11:38:19.901: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.902: ISAKMP: (0):      default group 14
Mar 24 11:38:19.902: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.902: ISAKMP: (0):      life type in seconds
Mar 24 11:38:19.902: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Mar 24 11:38:19.902: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
Mar 24 11:38:19.902: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 24 11:38:19.902: ISAKMP: (0):Checking ISAKMP transform 5 against priority 20 policy
Mar 24 11:38:19.902: ISAKMP: (0):      encryption 3DES-CBC
Mar 24 11:38:19.902: ISAKMP: (0):      hash SHA
Mar 24 11:38:19.902: ISAKMP: (0):      default group 2
Mar 24 11:38:19.902: ISAKMP: (0):      auth pre-share
Mar 24 11:38:19.902: ISAKMP: (0):      life type in seconds
Mar 24 11:38:19.902: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Mar 24 11:38:19.903: ISAKMP: (0):atts are acceptable. Next payload is 0
Mar 24 11:38:19.903: ISAKMP: (0):Acceptable atts:actual life: 3600
Mar 24 11:38:19.903: ISAKMP: (0):Acceptable atts:life: 0
Mar 24 11:38:19.903: ISAKMP: (0):Fill atts in sa vpi_length:4
Mar 24 11:38:19.903: ISAKMP: (0):Fill atts in sa life_in_seconds:28800
Mar 24 11:38:19.903: ISAKMP: (0):Returning Actual lifetime: 3600
Mar 24 11:38:19.903: ISAKMP: (0):Started lifetime timer: 3600.

Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.907: ISAKMP: (0):processing IKE frag vendor id payload
Mar 24 11:38:19.907: ISAKMP: (0):Support for IKE Fragmentation not enabled
Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Mar 24 11:38:19.907: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Mar 24 11:38:19.907: ISAKMP: (0):vendor ID is NAT-T v2
Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
Mar 24 11:38:19.907: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.907: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
Mar 24 11:38:19.908: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.908: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
Mar 24 11:38:19.908: ISAKMP: (0):processing vendor id payload
Mar 24 11:38:19.908: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
Mar 24 11:38:19.908: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 24 11:38:19.908: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Mar 24 11:38:19.908: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Mar 24 11:38:19.908: ISAKMP-PAK: (0):sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 24 11:38:19.908: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 24 11:38:19.909: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 24 11:38:19.909: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Mar 24 11:38:19.930: ISAKMP-PAK: (0):received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
Mar 24 11:38:19.930: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 24 11:38:19.930: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Mar 24 11:38:19.930: ISAKMP: (0):processing KE payload. message ID = 0
Mar 24 11:38:19.935: ISAKMP: (0):processing NONCE payload. message ID = 0
Mar 24 11:38:19.935: ISAKMP: (0):found peer pre-shared key matching x.x.x.x
Mar 24 11:38:19.935: ISAKMP: (14437):received payload type 20
Mar 24 11:38:19.935: ISAKMP: (14437):His hash no match - this node outside NAT
Mar 24 11:38:19.936: ISAKMP: (14437):received payload type 20
Mar 24 11:38:19.936: ISAKMP: (14437):His hash no match - this node outside NAT
Mar 24 11:38:19.936: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 24 11:38:19.936: ISAKMP: (14437):Old State = IKE_R_MM3  New State = IKE_R_MM3

Mar 24 11:38:19.936: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar 24 11:38:19.936: ISAKMP: (14437):Sending an IKE IPv4 Packet.
Mar 24 11:38:19.936: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 24 11:38:19.936: ISAKMP: (14437):Old State = IKE_R_MM3  New State = IKE_R_MM4

Mar 24 11:38:19.955: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Mar 24 11:38:19.956: ISAKMP: (14437):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 24 11:38:19.956: ISAKMP: (14437):Old State = IKE_R_MM4  New State = IKE_R_MM5

Mar 24 11:38:19.956: ISAKMP: (14437):processing ID payload. message ID = 0
Mar 24 11:38:19.956: ISAKMP: (14437):ID payload
        next-payload : 8
        type         : 1
Mar 24 11:38:19.956: ISAKMP: (14437):   address      : 192.168.103.253
Mar 24 11:38:19.956: ISAKMP: (14437):   protocol     : 0
        port         : 0
        length       : 12
Mar 24 11:38:19.956: ISAKMP: (0):peer matches *none* of the profiles
Mar 24 11:38:19.956: ISAKMP: (14437):processing HASH payload. message ID = 0
Mar 24 11:38:19.956: ISAKMP: (14437):SA authentication status:
        authenticated
Mar 24 11:38:19.956: ISAKMP: (14437):SA has been authenticated with x.x.x.x
Mar 24 11:38:19.956: ISAKMP: (14437):Detected port floating to port = 4500
Mar 24 11:38:19.957: ISAKMP: (0):Trying to insert a peer y.y.y.y/x.x.x.x/4500/,
Mar 24 11:38:19.957: ISAKMP: (0): and inserted successfully 80007F7FEA40CD08.
Mar 24 11:38:19.957: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 24 11:38:19.957: ISAKMP: (14437):Old State = IKE_R_MM5  New State = IKE_R_MM5

Mar 24 11:38:19.957: ISAKMP: (14437):SA is doing
Mar 24 11:38:19.958: ISAKMP: (14437):pre-shared key authentication using id type ID_IPV4_ADDR
Mar 24 11:38:19.958: ISAKMP: (14437):ID payload
        next-payload : 8
        type         : 1
Mar 24 11:38:19.958: ISAKMP: (14437):   address      : y.y.y.y
Mar 24 11:38:19.958: ISAKMP: (14437):   protocol     : 17
        port         : 0
        length       : 12
Mar 24 11:38:19.958: ISAKMP: (14437):Total payload length: 12
Mar 24 11:38:19.958: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Mar 24 11:38:19.958: ISAKMP: (14437):Sending an IKE IPv4 Packet.
Mar 24 11:38:19.958: ISAKMP: (14437):Returning Actual lifetime: 3600
Mar 24 11:38:19.958: ISAKMP: (14437):set new node 3026085116 to QM_IDLE
Mar 24 11:38:19.958: ISAKMP: (14437):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 9223512224116897392, message ID = 3026085116
Mar 24 11:38:19.959: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Mar 24 11:38:19.959: ISAKMP: (14437):Sending an IKE IPv4 Packet.
Mar 24 11:38:19.959: ISAKMP: (14437):purging node 3026085116
Mar 24 11:38:19.959: ISAKMP: (14437):Sending phase 1 responder lifetime 3600

Mar 24 11:38:19.959: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 24 11:38:19.959: ISAKMP: (14437):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Mar 24 11:38:19.959: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 24 11:38:19.959: ISAKMP: (14437):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 24 11:38:19.978: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE
Mar 24 11:38:19.978: ISAKMP: (14437):set new node 1 to QM_IDLE
Mar 24 11:38:19.979: ISAKMP: (14437):processing HASH payload. message ID = 1
Mar 24 11:38:19.979: ISAKMP: (14437):processing SA payload. message ID = 1
Mar 24 11:38:19.979: ISAKMP: (14437):processing NAT-OAi payload. addr = 192.168.103.253, message ID = 1
Mar 24 11:38:19.979: ISAKMP: (14437):processing NAT-OAr payload. addr = y.y.y.y, message ID = 1
Mar 24 11:38:19.979: ISAKMP: (14437):Checking IPSec proposal 1
Mar 24 11:38:19.979: ISAKMP: (14437):transform 1, ESP_AES
Mar 24 11:38:19.979: ISAKMP: (14437):   attributes in transform:
Mar 24 11:38:19.979: ISAKMP: (14437):      encaps is 4 (Transport-UDP)
Mar 24 11:38:19.979: ISAKMP: (14437):      key length is 128
Mar 24 11:38:19.979: ISAKMP: (14437):      authenticator is HMAC-SHA
Mar 24 11:38:19.979: ISAKMP: (14437):      SA life type in seconds
Mar 24 11:38:19.979: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Mar 24 11:38:19.980: ISAKMP: (14437):      SA life type in kilobytes
Mar 24 11:38:19.980: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Mar 24 11:38:19.980: ISAKMP: (14437):atts are acceptable.
Mar 24 11:38:19.980: IPSEC(validate_proposal_request): proposal part #1
Mar 24 11:38:19.980: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= y.y.y.y:0, remote= x.x.x.x:0,
    local_proxy= y.y.y.y/255.255.255.255/17/1701,
    remote_proxy= x.x.x.x/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Mar 24 11:38:19.981: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
Mar 24 11:38:19.981: ISAKMP-ERROR: (14437):IPSec policy invalidated proposal with error 256
Mar 24 11:38:19.982: ISAKMP: (14437):Checking IPSec proposal 2
Mar 24 11:38:19.982: ISAKMP: (14437):transform 1, ESP_3DES
Mar 24 11:38:19.982: ISAKMP: (14437):   attributes in transform:
Mar 24 11:38:19.982: ISAKMP: (14437):      encaps is 4 (Transport-UDP)
Mar 24 11:38:19.982: ISAKMP: (14437):      authenticator is HMAC-SHA
Mar 24 11:38:19.982: ISAKMP: (14437):      SA life type in seconds
Mar 24 11:38:19.982: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Mar 24 11:38:19.982: ISAKMP: (14437):      SA life type in kilobytes
Mar 24 11:38:19.982: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Mar 24 11:38:19.982: ISAKMP: (14437):atts are acceptable.
Mar 24 11:38:19.983: IPSEC(validate_proposal_request): proposal part #1
Mar 24 11:38:19.983: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= y.y.y.y:0, remote= x.x.x.x:0,
    local_proxy= y.y.y.y/255.255.255.255/17/1701,
    remote_proxy= x.x.x.x/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 24 11:38:19.983: (ipsec_process_proposal)Map Accepted: l2tp_dmap, 10
Mar 24 11:38:19.983: ISAKMP: (14437):processing NONCE payload. message ID = 1
Mar 24 11:38:19.983: ISAKMP: (14437):processing ID payload. message ID = 1
Mar 24 11:38:19.983: ISAKMP: (14437):processing ID payload. message ID = 1
Mar 24 11:38:19.983: ISAKMP: (14437):received payload type 21
Mar 24 11:38:19.983: ISAKMP: (14437):received payload type 21
Mar 24 11:38:19.984: ISAKMP: (14437):QM Responder gets spi
Mar 24 11:38:19.984: ISAKMP: (14437):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 24 11:38:19.984: ISAKMP: (14437):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Mar 24 11:38:19.984: ISAKMP: (14437):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Mar 24 11:38:19.984: ISAKMP: (14437):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Mar 24 11:38:19.984: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 24 11:38:19.984: IPSEC(crypto_ipsec_create_ipsec_sas): Map found l2tp_dmap, 10
Mar 24 11:38:19.985: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F7FEA471408
Mar 24 11:38:19.985: IPSEC(create_sa): sa created,
  (sa) sa_dest= y.y.y.y, sa_proto= 50,
    sa_spi= 0xBA400A66(3124759142),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2043
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= y.y.y.y:0, remote= x.x.x.x:0,
    local_proxy= y.y.y.y/255.255.255.255/17/1701,
    remote_proxy= x.x.x.x/255.255.255.255/17/4500
Mar 24 11:38:19.986: IPSEC(create_sa): sa created,
  (sa) sa_dest= x.x.x.x, sa_proto= 50,
    sa_spi= 0x33D98824(869894180),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2044
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= y.y.y.y:0, remote= x.x.x.x:0,
    local_proxy= y.y.y.y/255.255.255.255/17/1701,
    remote_proxy= x.x.x.x/255.255.255.255/17/4500
Mar 24 11:38:19.990: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Mar 24 11:38:19.990: ISAKMP: (14437):Received IPSec Install callback... proceeding with the negotiation
Mar 24 11:38:19.990: ISAKMP: (14437):Successfully installed IPSEC SA (SPI:0xBA400A66) on GigabitEthernet0/0/1
Mar 24 11:38:19.990: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) QM_IDLE
Mar 24 11:38:19.990: ISAKMP: (14437):Sending an IKE IPv4 Packet.
Mar 24 11:38:19.990: ISAKMP: (14437):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Mar 24 11:38:19.991: ISAKMP: (14437):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Mar 24 11:38:20.011: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE
Mar 24 11:38:20.011: ISAKMP: (14437):deleting node 1 error FALSE reason "QM done (await)"
Mar 24 11:38:20.011: ISAKMP: (14437):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 24 11:38:20.011: ISAKMP: (14437):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Mar 24 11:38:20.011: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 24 11:38:20.011: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Mar 24 11:38:21.020: L2X  tnl   8275B:________: Create logical tunnel
Mar 24 11:38:21.020: L2TP tnl   8275B:________: Create tunnel
Mar 24 11:38:21.020: L2TP tnl   8275B:________:     version set to V2[1]
Mar 24 11:38:21.020: L2TP tnl   8275B:________:     remote ip set to x.x.x.x
Mar 24 11:38:21.020: L2TP tnl   8275B:________:     local ip set to y.y.y.y
Mar 24 11:38:21.020: L2TP tnl   8275B:000062F6: FSM-CC ev Rx-SCCRQ
Mar 24 11:38:21.020: L2TP tnl   8275B:000062F6: FSM-CC    Idle->Proc-SCCRQ
Mar 24 11:38:21.020: L2TP tnl   8275B:000062F6: FSM-CC do Rx-SCCRQ
Mar 24 11:38:21.020: L2TP tnl   8275B:000062F6: ACCT(000009C0): UID allocated
Mar 24 11:38:21.021: VPN AUTHOR [1260]: Authorizing key
Mar 24 11:38:21.021: VPN AUTHOR [1260]: Got username name 0#y.y.y.y#computername
Mar 24 11:38:21.021: VPN AUTHOR [1260]: AAA request sent for key 0#y.y.y.y#computername
Mar 24 11:38:21.021: L2X        _____:________: Tunnel author started for computername
Mar 24 11:38:21.021: VPN AUTHOR [1260]: Received an AAA pass
Mar 24 11:38:21.021: VPDN/AAA/AUTHOR: Parsing l2x attribute list
Mar 24 11:38:21.022: VPN AUTHOR [1260]: Found info for key 0#y.y.y.y#computername
Mar 24 11:38:21.022: L2X        _____:________: Tunnel author found
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6: Author reply, data source: "l2tp"
Mar 24 11:38:21.022: L2X        _____:________: class [AAA author, group "l2tp"]
Mar 24 11:38:21.022: L2X        _____:________:   App locked 0->1
Mar 24 11:38:21.022: L2X        _____:________: class [AAA author, group "l2tp"]
Mar 24 11:38:21.022: L2X        _____:________:   Protocol locked 33->34
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6:     class name AAA author, group "l2tp"
Mar 24 11:38:21.022: L2X        _____:________: class [AAA author, group "l2tp"]
Mar 24 11:38:21.022: L2X        _____:________:   App unlocked 1->0
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6:     peer cap sync set
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6: FSM-CC ev SCCRQ-OK
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6: FSM-CC    Proc-SCCRQ->Wt-SCCCN
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6: FSM-CC do Tx-SCCRP
Mar 24 11:38:21.022: L2TP tnl   8275B:000062F6: Open sock y.y.y.y:1701->x.x.x.x:4500
Mar 24 11:38:21.023: L2TP tnl   8275B:000062F6: FSM-CC ev Sock-Ready
Mar 24 11:38:21.023: L2TP tnl   8275B:000062F6: FSM-CC    in Wt-SCCCN
Mar 24 11:38:21.023: L2TP tnl   8275B:000062F6: FSM-CC do Ignore-Sock-Up
Mar 24 11:38:21.023: VPN AUTHOR [1260]: Free request
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: FSM-CC ev Rx-SCCCN
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: FSM-CC    Wt-SCCCN->Proc-SCCCN
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: FSM-CC do Rx-SCCCN
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: FSM-CC ev SCCCN-OK
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: FSM-CC    Proc-SCCCN->established
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: FSM-CC do Established
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: Tunnel accounting send not possible - no mlist
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6: Control channel up
Mar 24 11:38:21.041: L2TP tnl   8275B:000062F6:   y.y.y.y<->x.x.x.x
Mar 24 11:38:21.042: L2TP       _____:________: ERROR: ICRQ AVP 1, vendor 311: unknown
Mar 24 11:38:21.042: L2TP tnl   8275B:000062F6: Unknown Vendor 311 AVP 1 in CM ICRQ
Mar 24 11:38:21.042: L2X  _____:_____:________: Create logical session
Mar 24 11:38:21.042: L2TP _____:_____:________: Create session
Mar 24 11:38:21.042: L2TP _____:_____:________:   Using ICRQ FSM
Mar 24 11:38:21.042: L2TP _____:_____:________: FSM-Sn ev created
Mar 24 11:38:21.042: L2TP _____:_____:________: FSM-Sn    Init->Idle
Mar 24 11:38:21.042: L2TP _____:_____:________: FSM-Sn do none
Mar 24 11:38:21.042: L2TP _____:_____:________:     remote ip set to x.x.x.x
Mar 24 11:38:21.042: L2TP _____:_____:________:     local ip set to y.y.y.y
Mar 24 11:38:21.042: L2TP _____:_____:________:   App type set to VPDN
Mar 24 11:38:21.042: L2TP _____:_____:________:   Chose application VPDN
Mar 24 11:38:21.042: L2TP _____:_____:________: VPDN: process AVPs
Mar 24 11:38:21.043: L2TP tnl   8275B:000062F6: FSM-CC ev Session-Conn
Mar 24 11:38:21.043: L2TP tnl   8275B:000062F6: FSM-CC    in established
Mar 24 11:38:21.043: L2TP tnl   8275B:000062F6: FSM-CC do Session-Conn-Est
Mar 24 11:38:21.043: L2TP tnl   8275B:000062F6:   Session count now 1
Mar 24 11:38:21.043: L2TP tnl   8275B:000062F6:   VPDN Session count now 1
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn ev CC-Up
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn    in Idle
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn do CC-Up-Ignore0-1
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: Session attached
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn ev Rx-ICRQ
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn    Idle->Proc-ICRQ
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: FSM-Sn do Rx-ICRQ
Mar 24 11:38:21.043: L2TP _____:8275B:00004732:   Chose application VPDN
Mar 24 11:38:21.043: L2TP _____:8275B:00004732:   App type set to VPDN
Mar 24 11:38:21.043: L2TP _____:8275B:00004732: VPDN: process AVPs
Mar 24 11:38:21.044: L2TP _____:8275B:00004732: Set HA epoch to 0
Mar 24 11:38:21.044: L2TP _____:8275B:00004732: Local AC is now UP
Mar 24 11:38:21.044: L2TP _____:8275B:00004732: Remote AC is now UP
Mar 24 11:38:21.044: L2TP tnl   8275B:000062F6: ADJ UP
Mar 24 11:38:21.044: L2TUN APP: uid:112/handle/141151Peer AIE:00000000 Peer-peer 00000000 Ours 0100047B
Mar 24 11:38:21.044: L2TUN APP: uid:112/handle/141151New peer; get switch hdl 0
Mar 24 11:38:21.045: L2TUN APP: uid:112/handle/141151Allocate switch hdl 141152
Mar 24 11:38:21.045: L2TP _____:8275B:00004732:   App type set to VPDN
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732:   Path MTU is enabled
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732:   UDP checksum ignore is enabled
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732:   Sequencing default tx disabled
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732:   Sequencing default rx disabled
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732:   Framing set to sync
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732:   Bearer set to none
Mar 24 11:38:21.045: L2TP 00070:8275B:00004732: no cookies enabled
Mar 24 11:38:21.045: L2TP tnl   8275B:000062F6:   Session PMTU count now 1
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev ICRQ-OK
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn    Proc-ICRQ->Wt-Tx-ICRP
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn do Tx-ICRP-Local-Check
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev Local-Cont
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn    Wt-Tx-ICRP->Wt-Rx-ICCN
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn do Tx-ICRP
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: Open sock y.y.y.y:1701->x.x.x.x:4500
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev Sock-Ready
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn    in Wt-Rx-ICCN
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn do Ignore-Sock-Up
Mar 24 11:38:21.046: L2TP 00070:8275B:00004732: FSM-Sn ev DP-Setup
Mar 24 11:38:21.047: L2TP 00070:8275B:00004732: FSM-Sn    in Wt-Rx-ICCN
Mar 24 11:38:21.047: L2TP 00070:8275B:00004732: FSM-Sn do Ignore-DP-Setup
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn ev Rx-ICCN
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn    Wt-Rx-ICCN->Proc-ICCN
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn do Rx-ICCN
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732:   MTU is 65535
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: Dataplane provisioned, segment 276321
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: VPDN: process AVPs
Mar 24 11:38:21.063: L2TP 00070:8275B:00004732: FSM-Sn ev ICCN-OK
Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: FSM-Sn    Proc-ICCN->established
Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: FSM-Sn do Established
Mar 24 11:38:21.064: L2TP 00070:8275B:00004732: Session up
Mar 24 11:38:21.064: L2TP 00070:8275B:00004732:   y.y.y.y<->x.x.x.x
Mar 24 11:38:21.064: L2TP:(Tnl25334:Sn18226)L2X setup sss switching
Mar 24 11:38:21.064: L2X:Session DB (Tnl/Sn: 25334/18226): Stored the switching session in the session DB
Mar 24 11:38:21.064: L2TP:(Tnl25334:Sn18226)L2X s/w switching session provisioned
Mar 24 11:38:21.066: PPP: Alloc Context [7F7FDA856EC8]
Mar 24 11:38:21.066: ppp112 PPP: Phase is ESTABLISHING
Mar 24 11:38:21.066: ppp112 PPP: Using AAA Unique Id = 9C1
Mar 24 11:38:21.066: ppp112 PPP: Authorization required
Mar 24 11:38:21.066: ppp112 PPP: Using vpn set call direction
Mar 24 11:38:21.066: ppp112 PPP: Treating connection as a callin
Mar 24 11:38:21.066: ppp112 PPP: Session handle[EA000472] Session id[112]
Mar 24 11:38:21.066: ppp112 PPP LCP: negotiation authorized = 1, tacacs author = 0
Mar 24 11:38:21.066: ppp112 LCP: Event[OPEN] State[Initial to Starting]
Mar 24 11:38:21.067: ppp112 PPP LCP: Enter passive mode, state[Stopped]
Mar 24 11:38:21.081: ppp112 LCP: I CONFREQ [Stopped] id 0 len 21
Mar 24 11:38:21.082: ppp112 LCP:    MRU 1400 (0x01040578)
Mar 24 11:38:21.082: ppp112 LCP:    MagicNumber 0x2DAB1519 (0x05062DAB1519)
Mar 24 11:38:21.082: ppp112 LCP:    PFC (0x0702)
Mar 24 11:38:21.082: ppp112 LCP:    ACFC (0x0802)
Mar 24 11:38:21.082: ppp112 LCP:    Callback 6 (0x0D0306)
Mar 24 11:38:21.082: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ
Mar 24 11:38:21.082: ppp112 LCP: O CONFREQ [Stopped] id 1 len 19
Mar 24 11:38:21.082: ppp112 LCP:    MRU 1464 (0x010405B8)
Mar 24 11:38:21.082: ppp112 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
Mar 24 11:38:21.082: ppp112 LCP:    MagicNumber 0x1205A349 (0x05061205A349)
Mar 24 11:38:21.082: ppp112 LCP: O CONFREJ [Stopped] id 0 len 7
Mar 24 11:38:21.082: ppp112 LCP:    Callback 6 (0x0D0306)
Mar 24 11:38:21.083: ppp112 LCP: Event[Receive ConfReq-] State[Stopped to REQsent]
Mar 24 11:38:21.099: ppp112 LCP: I CONFACK [REQsent] id 1 len 19
Mar 24 11:38:21.099: ppp112 LCP:    MRU 1464 (0x010405B8)
Mar 24 11:38:21.099: ppp112 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
Mar 24 11:38:21.099: ppp112 LCP:    MagicNumber 0x1205A349 (0x05061205A349)
Mar 24 11:38:21.099: ppp112 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
Mar 24 11:38:21.099: ppp112 LCP: I CONFREQ [ACKrcvd] id 1 len 18
Mar 24 11:38:21.099: ppp112 LCP:    MRU 1400 (0x01040578)
Mar 24 11:38:21.100: ppp112 LCP:    MagicNumber 0x2DAB1519 (0x05062DAB1519)
Mar 24 11:38:21.100: ppp112 LCP:    PFC (0x0702)
Mar 24 11:38:21.100: ppp112 LCP:    ACFC (0x0802)
Mar 24 11:38:21.100: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ
Mar 24 11:38:21.100: ppp112 LCP: O CONFNAK [ACKrcvd] id 1 len 8
Mar 24 11:38:21.100: ppp112 LCP:    MRU 1464 (0x010405B8)
Mar 24 11:38:21.100: ppp112 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
Mar 24 11:38:21.117: ppp112 LCP: I CONFREQ [ACKrcvd] id 2 len 18
Mar 24 11:38:21.117: ppp112 LCP:    MRU 1400 (0x01040578)
Mar 24 11:38:21.117: ppp112 LCP:    MagicNumber 0x2DAB1519 (0x05062DAB1519)
Mar 24 11:38:21.117: ppp112 LCP:    PFC (0x0702)
Mar 24 11:38:21.117: ppp112 LCP:    ACFC (0x0802)
Mar 24 11:38:21.117: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ
Mar 24 11:38:21.117: ppp112 LCP: O CONFNAK [ACKrcvd] id 2 len 8
Mar 24 11:38:21.117: ppp112 LCP:    MRU 1464 (0x010405B8)
Mar 24 11:38:21.117: ppp112 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
Mar 24 11:38:21.136: ppp112 LCP: I CONFREQ [ACKrcvd] id 3 len 18
Mar 24 11:38:21.137: ppp112 LCP:    MRU 1464 (0x010405B8)
Mar 24 11:38:21.137: ppp112 LCP:    MagicNumber 0x2DAB1519 (0x05062DAB1519)
Mar 24 11:38:21.137: ppp112 LCP:    PFC (0x0702)
Mar 24 11:38:21.137: ppp112 LCP:    ACFC (0x0802)
Mar 24 11:38:21.137: ppp112 PPP LCP: neg is authorized, processing incoming CONFREQ
Mar 24 11:38:21.137: ppp112 LCP: O CONFACK [ACKrcvd] id 3 len 18
Mar 24 11:38:21.137: ppp112 LCP:    MRU 1464 (0x010405B8)
Mar 24 11:38:21.137: ppp112 LCP:    MagicNumber 0x2DAB1519 (0x05062DAB1519)
Mar 24 11:38:21.137: ppp112 LCP:    PFC (0x0702)
Mar 24 11:38:21.137: ppp112 LCP:    ACFC (0x0802)
Mar 24 11:38:21.137: ppp112 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Mar 24 11:38:21.153: ppp112 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x2DAB1519MSRASV5.20
Mar 24 11:38:21.153: ppp112 LCP: I IDENTIFY [Open] id 5 len 31 magic 0x2DAB1519MSRAS-0-KITASU_NB2
Mar 24 11:38:21.154: ppp112 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x2DAB1519Z hJBD+I8@B|Ir(|
Mar 24 11:38:21.154: ppp112 PPP: Phase is AUTHENTICATING, by this end
Mar 24 11:38:21.154: ppp112 MS-CHAP-V2: O CHALLENGE id 1 len 32 from "rt-Sbyt-GRE"
Mar 24 11:38:21.154: ppp112 LCP: State is Open
Mar 24 11:38:21.172: ppp112 MS-CHAP-V2: I RESPONSE id 1 len 62 from "username"
Mar 24 11:38:21.172: ppp112 PPP: Phase is FORWARDING, Attempting Forward
Mar 24 11:38:21.172: ppp112 PPP: Phase is AUTHENTICATING, Unauthenticated User
Mar 24 11:38:21.173: ppp112 PPP: Sent MSCHAP_V2 LOGIN Request
Mar 24 11:38:21.178: ppp112 PPP: Received LOGIN Response PASS
Mar 24 11:38:21.178: ppp112 PPP AUTHOR: Author Data NOT Available
Mar 24 11:38:21.178: ppp112 PPP: Sent LCP AUTHOR Request
Mar 24 11:38:21.178: ppp112 PPP: TACACS authorization is required
Mar 24 11:38:21.178: ppp112 PPP IPCP: negotiation authorized = 0, tacacs author = 1
Mar 24 11:38:21.178: ppp112 PPP: Sent IPCP AUTHOR Request
Mar 24 11:38:21.179: ppp112 IPCP: Authorizing CP
Mar 24 11:38:21.179: ppp112 IPCP: CP stalled on event[Authorize CP]
Mar 24 11:38:21.179: ppp112 LCP: Received AAA AUTHOR Response PASS
Mar 24 11:38:21.179: ppp112 PPP LCP: Merging new AAA attributes recd with existing ones
Mar 24 11:38:21.179: ppp112 PPP LCP: authorization succeeded, un-stalling CP
Mar 24 11:38:21.179: ppp112 PPP: Receive Attrs from[author] Keep[LCP] MERGE
Mar 24 11:38:21.179: ppp112 PPP: Skip Attr: MS-MPPE-Recv-Key     0   66 53 0F 5C 2E 63 F1 3F EE A6 86 71 61 F9 E1 36
Mar 24 11:38:21.179: ppp112 PPP: Skip Attr: MS-MPPE-Send-Key     0   03 51 52 20 14 AB DD B6 38 16 14 CF 62 99 A1 3B
Mar 24 11:38:21.179: ppp112 PPP: Keep Attr: MS-CHAP-V2-Success   0   <hidden>
Mar 24 11:38:21.180: ppp112 PPP: Updated the attr MS-CHAP-V2-Success in datalist
Mar 24 11:38:21.180: ppp112 PPP: Keep Attr: Framed-Protocol      0   1 [PPP]
Mar 24 11:38:21.180: ppp112 PPP: Updated the attr Framed-Protocol in datalist
Mar 24 11:38:21.180: ppp112 PPP: Keep Attr: username             0   "username"
Mar 24 11:38:21.180: ppp112 PPP: Updated the attr username in datalist
Mar 24 11:38:21.180: ppp112 IPCP: Received AAA AUTHOR Response PASS
Mar 24 11:38:21.180: ppp112 PPP IPCP: Merging new AAA attributes recd with existing ones
Mar 24 11:38:21.180: ppp112 PPP IPCP: authorization succeeded, un-stalling CP
Mar 24 11:38:21.181: ppp112 IPCP: CP unstall
Mar 24 11:38:21.181: ppp112 PPP: Phase is FORWARDING, Attempting Forward
Mar 24 11:38:21.181: ppp112 PPP: Receive Attrs from[SSS] Keep[NCPs] MERGE
Mar 24 11:38:21.181: ppp112 PPP: Keep Attr: MS-MPPE-Recv-Key     0   66 53 0F 5C 2E 63 F1 3F EE A6 86 71 61 F9 E1 36
Mar 24 11:38:21.182: ppp112 PPP: Updated the attr MS-MPPE-Recv-Key in datalist
Mar 24 11:38:21.182: ppp112 PPP: Keep Attr: MS-MPPE-Send-Key     0   03 51 52 20 14 AB DD B6 38 16 14 CF 62 99 A1 3B
Mar 24 11:38:21.182: ppp112 PPP: Updated the attr MS-MPPE-Send-Key in datalist
Mar 24 11:38:21.182: ppp112 PPP: Skip Attr: MS-CHAP-V2-Success   0   <hidden>
Mar 24 11:38:21.182: ppp112 PPP: Skip Attr: Framed-Protocol      0   1 [PPP]
Mar 24 11:38:21.182: ppp112 PPP: Skip Attr: username             0   "username"
Mar 24 11:38:21.187: VT[Vi2.34]:Request took 5 msec, 4 msec processing time
Mar 24 11:38:21.188: L2TP 00070:8275B:00004732:   App type set to VPDN
Mar 24 11:38:21.188: L2TP 00070:8275B:00004732:   Sequencing default tx disabled
Mar 24 11:38:21.188: L2TP 00070:8275B:00004732:   Sequencing default rx disabled
Mar 24 11:38:21.188: L2TP 00070:8275B:00004732:   Framing set to sync
Mar 24 11:38:21.188: L2TP 00070:8275B:00004732:   Bearer set to none
Mar 24 11:38:21.189: L2TP:(Tnl25334:Sn18226)PPTP
Mar 24 11:38:21.189: L2TP:(Tnl25334:Sn18226)L2X s/w switching session bound
Mar 24 11:38:21.191: L2TP 00070:8275B:00004732: FSM-Sn ev DP-Up
Mar 24 11:38:21.191: L2TP 00070:8275B:00004732: FSM-Sn    in established
Mar 24 11:38:21.191: L2TP 00070:8275B:00004732: FSM-Sn do Ignore-DP-UP
Mar 24 11:38:21.192: Vi2.34 PPP: Phase is AUTHENTICATING, Authenticated User
Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process LCP Author Data
Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process Attr: MS-CHAP-V2-Success
Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process Attr: Framed-Protocol
Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Process Attr: username
Mar 24 11:38:21.192: Vi2.34 LCP AUTHOR: Authorization succeeded
Mar 24 11:38:21.192: Vi2.34 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=3092B0FA950FFA6B987928CC5537170F541E1559"
Mar 24 11:38:21.192: Vi2.34 PPP: No AAA accounting method list
Mar 24 11:38:21.193: Vi2.34 PPP: Store Author Attr: MS-MPPE-Recv-Key
Mar 24 11:38:21.193: Vi2.34 PPP: Store Author Attr: MS-MPPE-Send-Key
Mar 24 11:38:21.193: Vi2.34 PPP: Phase is UP
Mar 24 11:38:21.193: L2TP 00070:8275B:00004732:   App type set to VPDN
Mar 24 11:38:21.193: L2TP 00070:8275B:00004732:   Sequencing default tx disabled
Mar 24 11:38:21.193: L2TP 00070:8275B:00004732:   Sequencing default rx disabled
Mar 24 11:38:21.193: L2TP 00070:8275B:00004732:   Framing set to sync
Mar 24 11:38:21.193: L2TP 00070:8275B:00004732:   Bearer set to none
Mar 24 11:38:21.194: L2TP 00070:8275B:00004732:   App type set to VPDN
Mar 24 11:38:21.194: L2TP 00070:8275B:00004732:   Sequencing default tx disabled
Mar 24 11:38:21.194: L2TP 00070:8275B:00004732:   Sequencing default rx disabled
Mar 24 11:38:21.194: L2TP 00070:8275B:00004732:   Framing set to sync
Mar 24 11:38:21.195: L2TP 00070:8275B:00004732:   Bearer set to none
Mar 24 11:38:21.211: %IOSXE_INFRA-3-CONSOLE_DBUG_DROP: System dropped 17 bytes of console debug messages.

Mar 24 11:38:21.214: Vi2.34 IPV6CP: I CONFREQ [UNKNOWN] id 7 len 14
Mar 24 11:38:21.214: Vi2.34 IPV6CP:    Interface-Id B420:BDBE:3B97:4AD8 (0x010AB420BDBE3B974AD8)
Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0107000E010AB420BDBE3B974AD8)
Mar 24 11:38:21.214: Vi2.34 CCP: I CONFREQ [UNKNOWN] id 8 len 10
Mar 24 11:38:21.214: Vi2.34 CCP:    MS-PPC supported bits 0x01000000 (0x120601000000)
Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 3 len 16 protocol CCP (0x0108000A120601000000)
Mar 24 11:38:21.215: Vi2.34 IPCP: I CONFREQ [Initial] id 9 len 34
Mar 24 11:38:21.215: Vi2.34 IPCP:    Address 0.0.0.0 (0x030600000000)
Mar 24 11:38:21.215: Vi2.34 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Mar 24 11:38:21.215: Vi2.34 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Mar 24 11:38:21.215: Vi2.34 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Mar 24 11:38:21.215: Vi2.34 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Mar 24 11:38:21.215: Vi2.34 LCP: O PROTREJ [Open] id 4 len 40 protocol IPCP
Mar 24 11:38:21.215: Vi2.34 LCP: (0x01090022030600000000810600000000)
Mar 24 11:38:21.215: Vi2.34 LCP: (0x82060000000083060000000084060000)
Mar 24 11:38:21.215: Vi2.34 LCP: (0x0000)
Mar 24 11:38:21.492: Vi2.34 LCP: I TERMREQ [Open] id 10 len 16
Mar 24 11:38:21.493: Vi2.34 LCP: (0x2DAB1519003CCD7400000000)
Mar 24 11:38:21.493: Vi2.34 PPP DISC: Received LCP TERMREQ from peer
Mar 24 11:38:21.493: Vi2.34 PPP: Sending Acct Event[Down] id[9C1]
Mar 24 11:38:21.493: PPP: NET STOP send to AAA.
Mar 24 11:38:21.493: Vi2.34 PPP: Phase is TERMINATING
Mar 24 11:38:21.493: Vi2.34 IPCP: Event[DOWN] State[Initial to Initial]
Mar 24 11:38:21.493: Vi2.34 IPCP: Event[CLOSE] State[Initial to Initial]
Mar 24 11:38:21.493: Vi2.34 LCP: O TERMACK [Open] id 10 len 4
Mar 24 11:38:21.494: Vi2.34 LCP: Event[Receive TermReq] State[Open to Stopping]
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: FSM-Sn ev Rx-CDN
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: FSM-Sn    established->Idle
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: FSM-Sn do Rx-CDN
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: VPDN: process AVPs
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732:
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732: Shutting down session
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732:   Result Code
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732:     Call disconnected for administrative reasons (3)
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732:   Error Code
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732:     No error (0)
Mar 24 11:38:21.519: L2TP 00070:8275B:00004732:   Vendor Error
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732:     None (0)
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732:
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: FSM-Sn ev Shut
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: FSM-Sn    Idle->Dead
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: FSM-Sn do Destroy
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Session down
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732:   y.y.y.y<->x.x.x.x
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Destroying session
Mar 24 11:38:21.520: L2TP 00070:8275B:00004732: Dataplane deallocated, segment 0
Mar 24 11:38:21.520: L2TP tnl   8275B:000062F6: FSM-CC ev Session-Disc
Mar 24 11:38:21.520: L2TP tnl   8275B:000062F6: FSM-CC    in established
Mar 24 11:38:21.520: L2TP tnl   8275B:000062F6: FSM-CC do Session-Disc-Est
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6:   Session count now 0
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6:   VPDN Session count now 0
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6:   Session PMTU count now 0
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6: FSM-CC ev No-Users
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6: FSM-CC    established->Est-No-User
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6: FSM-CC do No-Users
Mar 24 11:38:21.521: L2TP tnl   8275B:000062F6: No more cc users, shutdown (likely) in 10 secs
Mar 24 11:38:21.521: L2TP 00070:_____:________: Session detached
Mar 24 11:38:21.521: L2TP 00070:_____:________: sending APP disconnect
Mar 24 11:38:21.523: Vi2.34 PPP: Block vaccess from being freed [0x10]
Mar 24 11:38:21.523: L2TUN APP: uid:112/handle/141151shutdown app session
Mar 24 11:38:21.523: L2TUN APP: uid:112/handle/141151Stopping service selection
Mar 24 11:38:21.523: Vi2.34 LCP: Event[CLOSE] State[Stopping to Closing]
Mar 24 11:38:21.523: VPDN Failed to get session from socket handle 87000079
Mar 24 11:38:21.523: Vi2.34 LCP: Event[DOWN] State[Closing to Initial]
Mar 24 11:38:21.523: ppp_session_ntfy delete, topswidb Vi2.34, va Vi2.34, platform notify 0
Mar 24 11:38:21.524: Vi2.34 PPP: Clearing AAA Unique Id = 9C1
Mar 24 11:38:21.524: Vi2.34 PPP: Unlocked by [0x10] Still Locked by [0x0]
Mar 24 11:38:21.524: Vi2.34 PPP: Free previously blocked vaccess
Mar 24 11:38:21.524: Vi2.34 PPP: Phase is DOWN
Mar 24 11:38:21.524: L2X  00070:_____:________: Destroying logical session
Mar 24 11:38:21.525: L2TP:(Tnl25334:Sn18226)L2X s/w switching session unbound
Mar 24 11:38:21.526: L2TP:(Tnl25334:Sn18226)Vi2.34 Block vaccess from being freed.
Mar 24 11:38:21.527: L2TP:(Tnl25334:Sn18226)Vi2.34 Block vaccess from being freed.
Mar 24 11:38:21.528: L2TP:(Tnl25334:Sn18226)L2X s/w switching session unprovisioned
Mar 24 11:38:21.528: L2X:Session DB (Tnl/Sn: 25334/18226): Removed the switching session from the session DB
Mar 24 11:38:21.583: L2TP tnl   8275B:000062F6: FSM-CC ev Rx-StopCCN
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6: FSM-CC    in Est-No-User
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6: FSM-CC do Rx-StopCCN
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6: Shutting down tunnel
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:   Result Code
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:     Requestor is being shut down
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:   Error Code
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:     No error
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:   Vendor Error
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:     None
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6:
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6: FSM-CC ev Shut-Now
Mar 24 11:38:21.584: L2TP tnl   8275B:000062F6: FSM-CC    Est-No-User->Wt-STOPACK
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: FSM-CC do Shutnow
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: FSM-CC ev Shut-Comp
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: FSM-CC    Wt-STOPACK->Dead
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: FSM-CC do Shutdown-Completed
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: Tunnel accounting send not possible - no mlist
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: Control channel down
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6:   y.y.y.y<->x.x.x.x
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: ADJ UP
Mar 24 11:38:21.585: L2TP tnl   8275B:000062F6: Destroying tunnel
Mar 24 11:38:21.585: L2X  tnl   8275B:________: Destroying logical tunnel
Mar 24 11:38:21.586: L2X        _____:________: class [AAA author, group "l2tp"]
Mar 24 11:38:21.586: L2X        _____:________:   Protocol unlocked 34->33
Mar 24 11:38:21.587: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE
Mar 24 11:38:21.587: ISAKMP: (14437):set new node 3804393046 to QM_IDLE
Mar 24 11:38:21.587: ISAKMP: (14437):processing HASH payload. message ID = 3804393046
Mar 24 11:38:21.587: ISAKMP: (14437):processing DELETE payload. message ID = 3804393046
Mar 24 11:38:21.587: ISAKMP: (14437):peer does not do paranoid keepalives.
Mar 24 11:38:21.587: ISAKMP: (14437):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x33D98824)
Mar 24 11:38:21.587: ISAKMP: (14437):deleting node 3804393046 error FALSE reason "Informational (in) state 1"
Mar 24 11:38:21.588: ISAKMP-PAK: (14437):received packet from x.x.x.x dport 4500 sport 4500 Global (R) QM_IDLE
Mar 24 11:38:21.588: ISAKMP: (14437):set new node 3797645767 to QM_IDLE
Mar 24 11:38:21.588: ISAKMP: (14437):processing HASH payload. message ID = 3797645767
Mar 24 11:38:21.588: ISAKMP: (14437):processing DELETE payload. message ID = 3797645767
Mar 24 11:38:21.588: ISAKMP: (14437):peer does not do paranoid keepalives.
Mar 24 11:38:21.588: ISAKMP: (14437):deleting SA reason "No reason" state (R) QM_IDLE       (peer x.x.x.x)
Mar 24 11:38:21.588: ISAKMP: (14437):deleting node 3797645767 error FALSE reason "Informational (in) state 1"
Mar 24 11:38:21.588: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 24 11:38:21.588: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5419
Mar 24 11:38:21.588: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Mar 24 11:38:21.588: IPSEC: still in use sa: 0x7F7FE3F70120
Mar 24 11:38:21.588: IPSEC(key_engine_delete_sas): delete SA with spi 0x33D98824 proto 50 for x.x.x.x
Mar 24 11:38:21.589: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Mar 24 11:38:21.589: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= y.y.y.y, sa_proto= 50,
    sa_spi= 0xBA400A66(3124759142),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2043
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= y.y.y.y:0, remote= x.x.x.x:0,
    local_proxy= y.y.y.y/255.255.255.255/17/1701,
    remote_proxy= x.x.x.x/255.255.255.255/17/4500
Mar 24 11:38:21.589: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= x.x.x.x, sa_proto= 50,
    sa_spi= 0x33D98824(869894180),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2044
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= y.y.y.y:0, remote= x.x.x.x:0,
    local_proxy= y.y.y.y/255.255.255.255/17/1701,
    remote_proxy= x.x.x.x/255.255.255.255/17/4500
Mar 24 11:38:21.589: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Mar 24 11:38:21.590: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
Mar 24 11:38:21.590: ISAKMP: (14437):set new node 446696526 to QM_IDLE
Mar 24 11:38:21.591: ISAKMP-PAK: (14437):sending packet to x.x.x.x my_port 4500 peer_port 4500 (R) QM_IDLE
Mar 24 11:38:21.591: ISAKMP: (14437):Sending an IKE IPv4 Packet.
Mar 24 11:38:21.591: ISAKMP: (14437):purging node 446696526
Mar 24 11:38:21.591: ISAKMP: (14437):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 24 11:38:21.591: ISAKMP: (14437):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Mar 24 11:38:21.592: ISAKMP: (14437):deleting SA reason "No reason" state (R) QM_IDLE       (peer x.x.x.x)
Mar 24 11:38:21.592: ISAKMP: (0):Unlocking peer struct 0x80007F7FEA40CD08 for isadb_mark_sa_deleted(), count 0
Mar 24 11:38:21.592: ISAKMP: (0):Deleting peer node by peer_reap for x.x.x.x: 80007F7FEA40CD08
Mar 24 11:38:21.593: ISAKMP: (14437):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 24 11:38:21.593: ISAKMP: (14437):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Mar 24 11:38:21.593: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 24 11:38:21.987: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x7F7FEA471408 ikmp handle 0x8000065B
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x2400002B,peer index 0
 

 

But when fewer than 30 people are connected, clients connect fine.

I'll add that the load on the Cisco is negligible:

 

show processes cpu:

CPU utilization for five seconds: 2%/0%; one minute: 3%; five minutes: 3%

 

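Added example (not part of the original posts): a short Python script that reads the PPP packet lines of a debug capture like the one posted above and reports, per interface, which protocols the router answered with LCP Protocol-Reject and how long before the peer's TERMREQ the IPCP reject was sent. The sample lines are copied unchanged from the log in this thread; the function and field names are illustrative assumptions.

```python
import re
from collections import namedtuple

# Excerpt of the PPP debug output posted in this thread (lines unchanged).
SAMPLE = """\
Mar 24 11:38:21.137: ppp112 LCP: O CONFACK [ACKrcvd] id 3 len 18
Mar 24 11:38:21.178: ppp112 PPP: Received LOGIN Response PASS
Mar 24 11:38:21.193: Vi2.34 PPP: Phase is UP
Mar 24 11:38:21.214: Vi2.34 IPV6CP: I CONFREQ [UNKNOWN] id 7 len 14
Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0107000E010AB420BDBE3B974AD8)
Mar 24 11:38:21.214: Vi2.34 CCP: I CONFREQ [UNKNOWN] id 8 len 10
Mar 24 11:38:21.214: Vi2.34 LCP: O PROTREJ [Open] id 3 len 16 protocol CCP (0x0108000A120601000000)
Mar 24 11:38:21.215: Vi2.34 IPCP: I CONFREQ [Initial] id 9 len 34
Mar 24 11:38:21.215: Vi2.34 LCP: O PROTREJ [Open] id 4 len 40 protocol IPCP
Mar 24 11:38:21.492: Vi2.34 LCP: I TERMREQ [Open] id 10 len 16
Mar 24 11:38:21.493: Vi2.34 PPP DISC: Received LCP TERMREQ from peer
"""

NCPS = {"IPCP", "IPV6CP", "CCP"}   # network/compression control protocols seen in the log
DAY_MS = 24 * 60 * 60 * 1000

Event = namedtuple("Event", "ms iface proto direction code state rejected")

# Matches only PPP packet lines: "<time>: <iface> <proto>: <I|O> <CODE> [<state>] ..."
PKT = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\.(\d{3}):\s+"  # Mar 24 11:38:21.214:
    r"(\S+)\s+([\w-]+):\s+"                              # Vi2.34 LCP:
    r"([IO])\s+([A-Z]+)"                                 # O PROTREJ
    r"(?:\s+\[([^\]]+)\])?"                              # [Open] (absent on auth packets)
    r"(?:.*?\bprotocol\s+(\w+))?"                        # protocol IPCP (PROTREJ only)
)


def parse_events(text):
    """Yield one Event per PPP packet line; every other debug line is skipped."""
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        h, mi, s, ms = (int(x) for x in m.group(1, 2, 3, 4))
        yield Event(((h * 60 + mi) * 60 + s) * 1000 + ms,
                    m.group(5), m.group(6), m.group(7), m.group(8),
                    m.group(9), m.group(10))


def diagnose(text):
    """Return one finding per interface on which the peer sent LCP TERMREQ."""
    sessions, findings = {}, []
    for ev in parse_events(text):
        s = sessions.setdefault(ev.iface, {"ncp_state": {}, "rejects": [], "done": False})
        if ev.direction == "I" and ev.code == "CONFREQ" and ev.proto in NCPS:
            # Local FSM state for that NCP at the moment the peer asked for it.
            s["ncp_state"][ev.proto] = ev.state
        elif ev.direction == "O" and ev.proto == "LCP" and ev.code == "PROTREJ" and ev.rejected:
            s["rejects"].append((ev.rejected, ev.ms))
        elif ev.direction == "I" and ev.proto == "LCP" and ev.code == "TERMREQ" and not s["done"]:
            s["done"] = True
            ipcp_ms = [ms for proto, ms in s["rejects"] if proto == "IPCP"]
            findings.append({
                "iface": ev.iface,
                "rejected": [proto for proto, _ in s["rejects"]],
                "local_ipcp_reject": bool(ipcp_ms),
                "ipcp_local_state": s["ncp_state"].get("IPCP"),
                # Time between the local IPCP reject and the peer's TERMREQ.
                "ms_to_termreq": (ev.ms - ipcp_ms[0]) % DAY_MS if ipcp_ms else None,
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f)
```

On the excerpt, the router's IPCP state for Vi2.34 is `Initial` when the client's IPCP CONFREQ arrives, and the client's TERMREQ follows the router's Protocol-Reject for IPCP.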

1 hour ago, asid2006 said:

Mar 24 11:38:21.492: Vi2.34 LCP: I TERMREQ [Open] id 10 len 16
Mar 24 11:38:21.493: Vi2.34 LCP: (0x2DAB1519003CCD7400000000)
Mar 24 11:38:21.493: Vi2.34 PPP DISC: Received LCP TERMREQ from peer

Strange, here it looks like the client is the one refusing to continue.

Show debug radius as well.

 

4 hours ago, asid2006 said:

aaa authorization network default if-authenticated

aaa authorization network default  group radius_XXX


4 hours ago, asid2006 said:

interface Virtual-Template1
 ip address xxx 255.255.255.0
 ip mtu 1400
 peer default ip address pool VPN
 no keepalive
 ppp authentication ms-chap-v2

ppp authentication ms-chap-v2 callin

 


We upgraded the firmware from 16.06.03 to 16.09.05. Tunnels started coming up and IP addresses are being handed out, but if the number of sessions is above 30, traffic does not pass through the tunnel. We will try upgrading to 16.06.07. I'll report back with the results. Looks like it's the firmware after all...


Which devices can and cannot connect: Android, Windows, Mac? And a second idea is to look at the licenses installed on the 4331 (maybe they carry some limit of their own, say that same maximum of 30 connections).


29 minutes ago, kapydan said:

Which devices can and cannot connect: Android, Windows, Mac? And a second idea is to look at the licenses installed on the 4331 (maybe they carry some limit of their own, say that same maximum of 30 connections).

The clients are on Windows.

 

show license feature

Spoiler

Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
appxk9                   yes          yes         no             yes      yes
uck9                     yes          yes         no             yes      yes
securityk9               yes          yes         no             yes      yes
ipbasek9                 no           no          no             yes      no
FoundationSuiteK9        yes          yes         no             yes      yes
AdvUCSuiteK9             yes          yes         no             yes      yes
cme-srst                 yes          yes         no             no       yes
hseck9                   yes          no          no             no       no
throughput               yes          yes         no             yes      yes
internal_service         yes          no          no             no       no
 

 


Feature Navigator says L2TP should be supported on the 4331. Maybe it's worth looking at the release notes for the 4331 routers. And why was L2TP chosen specifically?


6 minutes ago, kapydan said:

Feature Navigator says L2TP should be supported on the 4331. Maybe it's worth looking at the release notes for the 4331 routers. And why was L2TP chosen specifically?

Because the clients don't need to install anything extra. Windows, macOS and Android all support it.

And this Cisco doesn't understand any others, as far as I can tell:

ISR4331_16_06_07(config-vpdn-acc-in)#protocol ?
  any   Use any protocol
  l2tp  Use L2TP
 


7 hours ago, asid2006 said:

Because the clients don't need to install anything extra. Windows, macOS and Android all support it.

And this Cisco doesn't understand any others, as far as I can tell:

ISR4331_16_06_07(config-vpdn-acc-in)#protocol ?
  any   Use any protocol
  l2tp  Use L2TP
 

 

What's the license, and how much traffic is there?

Is it complaining about performance in the logs?


Without HSEC-K9 you have a limit of 225 tunnels (of all technologies) and 85 Mbit/s of encrypted traffic in total. Judging by your symptoms, it's the traffic that is being exceeded: once over the limit, the kernel simply drops packets.


Yeah, it's a Cisco, everything in it is done in hardware. That's why it limits you to 30 tunnels. No amount of tweaking will fix that.


1 hour ago, Saab95 said:

Yeah, it's a Cisco, everything in it is done in hardware. That's why it limits you to 30 tunnels. No amount of tweaking will fix that.

Not quite. Cisco just really wants money, so it came up with this licensing scheme on the isr4000: security, performance... Same as all those smart accounts.


Quote

The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250[9] Mbps of crypto bandwidth would be available.

 

The change to 250Mbps was achieved in the IOS-XE version 16.8.1 pursuant to revised Federal regulations

 


On 3/25/2020 at 7:47 PM, jffulcrum said:

Without HSEC-K9 you have a limit of 225 tunnels (of all technologies) and 85 Mbit/s of encrypted traffic in total. Judging by your symptoms, it's the traffic that is being exceeded: once over the limit, the kernel simply drops packets.

Sounds plausible. It has quite a few GRE tunnels hanging on it. I'll try deleting the unneeded ones and report back with the results.


On 3/25/2020 at 7:47 PM, jffulcrum said:

Without HSEC-K9 you have a limit of 225 tunnels (of all technologies) and 85 Mbit/s of encrypted traffic in total. Judging by your symptoms, it's the traffic that is being exceeded: once over the limit, the kernel simply drops packets.

If the problem is not the number of tunnels but, as you wrote, the throughput, is there any chance of solving it somehow so that the number of connections can be increased?

In fact, if I check the situation in the evening, when link usage is minimal (traffic at that moment doesn't even come close to 85 Mbit), the problem persists.


@asid2006, upgrade IOS to at least 16.8.1. Issue the command platform hardware throughput level 300000. Throughput and the number of tunnels will increase.


37 minutes ago, kt said:

@asid2006, upgrade IOS to at least 16.8.1. Issue the command platform hardware throughput level 300000. Throughput and the number of tunnels will increase.

The firmware is now isr4300-universalk9.16.09.05.SPA.bin and this command has already been entered.


On 3/24/2020 at 11:39 AM, asid2006 said:

Good afternoon. There is a Cisco 4331 with an L2TP server configured. Clients connect and everything works well. But as soon as the number of clients goes over 30, the Cisco stops handing them network settings and the connecting clients get error 720 (unable to connect to the remote computer, a change of network settings may be required).

Error 720 showed up on our clients today too.

The number of remote workers is growing, and the address pool for the VPN ran out. I expanded the pool and it took off.

Maybe you also have something wrong with the pool?

 


3 hours ago, kt said:

@asid2006, upgrade IOS to at least 16.8.1. Issue the command platform hardware throughput level 300000. Throughput and the number of tunnels will increase.

Does the perf license really increase the number of tunnels? Maybe you're confusing it with hsec?

4 hours ago, asid2006 said:

If the problem is not the number of tunnels but, as you wrote, the throughput, is there any chance of solving it somehow so that the number of connections can be increased?

In fact, if I check the situation in the evening, when link usage is minimal (traffic at that moment doesn't even come close to 85 Mbit), the problem persists.

With the sec license, after flashing a version no lower than 16.8.1, the number of tunnels is already 1000 and encryption is 250 Mbit; Cisco raised the limits.


14 minutes ago, fractal said:

Does the perf license really increase the number of tunnels?

No, it increases performance specifically. On the 4331 in particular, from 100 Mb to 300 Mb.


9 hours ago, asid2006 said:

is there any chance of solving it somehow so that the number of connections can be increased?

Buy an HSEC license from the Chinese for 150 bucks and don't rack your brain; for an enterprise that's pennies, and your company will lose more because of the current limits,

even if you trim some number of tunnels that are no longer in use, you'll only postpone for a while the ceiling you're running into


6 hours ago, reef said:

Buy an HSEC license from the Chinese for 150 bucks and don't rack your brain; for an enterprise that's pennies, and your company will lose more because of the current limits,

even if you trim some number of tunnels that are no longer in use, you'll only postpone for a while the ceiling you're running into

But he says he gets turned away at 30 tunnels, and now with 16.9.5 he is allowed 1000 of them
