[c-nsp] l2tp over ipsec problem with multiple users

Michael Ulitskiy mulitskiy at acedsl.com
Tue May 28 13:12:25 EDT 2013


Hello,

I have a strange problem with l2tp over ipsec.
I have a 2811 with AIM-VPN/EPII-PLUS running IOS 15.0(1)M9 configured as LNS.
ipsec protection is configured using regular crypto map on router interface (not using l2tp security profile).
Very standard config. The only difference from examples I've seen on CCO is that VPDN (and ipsec) endpoint
is on Loopback0 (crypto map L2TP-IPSEC local-address Loopback0) and created virtual-access interfaces are put in a vrf.

I also have a cisco 871 configured with client-initiated tunneling (Virtual-PPP) connecting to this LNS and everything works
just fine when only a single client is connected to it.

When a 2nd client (identical config, just different username/password) connects to the LNS I immediately see bad packet loss
and timeouts to both of them, essentially rendering the service unusable to both clients. The interesting fact is that the crypto
tunnels are stable. I have isakmp keepalives enabled and the tunnels stay up, while the vpdn sessions are losing keepalives and often time out.

Both clients are on public ips, there's no NAT between them and LNS, so it has nothing to do with nat traversal.

I'm at a complete loss now. I can show the config if somebody wants to see it, I just didn't want to bloat the list as it's very standard.

Does anybody have any ideas, suggestions or pointers?

Thanks,

Michael Ulitskiy


