Unable to Establish a Remote Access VPN Connection
  • Cause: The machine name of the client computer is the same as the machine name of another computer on the network.

    Solution: Verify that every computer on the network, and every computer connecting to it, uses a unique machine name.
  • Cause: The Routing and Remote Access service is not started on the VPN server.

    Solution: Verify the state of the Routing and Remote Access service on the VPN server.

    See Windows 2000 online Help for more information about how to monitor the Routing and Remote Access service, and how to start and stop the Routing and Remote Access service.
  • Cause: Remote access is not enabled on the VPN server.

    Solution: Enable remote access on the VPN server.

    See Windows 2000 online Help for more information about how to enable the remote access server.
  • Cause: PPTP or L2TP ports are not enabled for inbound remote access requests.

    Solution: Enable PPTP or L2TP ports, or both, for inbound remote access requests.

    See Windows 2000 online Help for more information about how to configure ports for remote access.
  • Cause: The LAN protocols used by the VPN clients are not enabled for remote access on the VPN server.

    Solution: Enable the LAN protocols used by the VPN clients for remote access on the VPN server.

    See Windows 2000 online Help for more information about how to view properties of the remote access server.
  • Cause: All of the PPTP or L2TP ports on the VPN server are already being used by currently connected remote access clients or demand-dial routers.

    Solution: Verify that all of the PPTP or L2TP ports on the VPN server are not already being used by clicking Ports in Routing and Remote Access. If necessary, change the number of PPTP or L2TP ports to allow more concurrent connections.

    See Windows 2000 online Help for more information about how to add PPTP or L2TP ports.
  • Cause: The VPN server does not support the tunneling protocol of the VPN client.

    By default, Windows 2000 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first, and then they try a PPTP-based VPN connection. If VPN clients use either the Point-to-Point Tunneling Protocol (PPTP) or Layer-2 Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the VPN server.

    By default, a computer running Windows 2000 Server and the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero.

    Solution: Verify that the appropriate number of PPTP or L2TP ports is configured.

    See Windows 2000 online Help for more information about how to add PPTP or L2TP ports.
  • Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common authentication method.

    Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common authentication method.

    See Windows 2000 online Help for more information about how to configure authentication.
  • Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common encryption method.

    Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common encryption method.

    See Windows 2000 online Help for more information about how to configure encryption.
  • Cause: The VPN connection does not have the appropriate permissions through dial-in properties of the user account and remote access policies.

    Solution: Verify that the VPN connection has the appropriate permissions through dial-in properties of the user account and remote access policies. In order for the connection to be established, the settings of the connection attempt must:

    • Match all of the conditions of at least one remote access policy.
    • Be granted remote access permission through the user account (set to Allow access) or through the user account (set to Control access through Remote Access Policy) and the remote access permission of the matching remote access policy (set to Grant remote access permission).
    • Match all the settings of the profile.
    • Match all the settings of the dial-in properties of the user account.
    See Windows 2000 online Help for an introduction to remote access policies, and for more information about how to accept a connection attempt.
  • Cause: The settings of the remote access policy profile are in conflict with properties of the VPN server.

    The properties of the remote access policy profile and the properties of the VPN server both contain settings for:

    • Multilink
    • Bandwidth allocation protocol
    • Authentication protocols
    If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the EAP-TLS authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected.

    Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the VPN server.

    See Windows 2000 online Help for more information about how to enable authentication protocols, and how to configure authentication.
  • Cause: The VPN server is unable to validate the credentials of the VPN client (user name, password, and domain name).

    Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.
  • Cause: There are not enough addresses in the static IP address pool.

    Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server is unable to allocate an IP address, and the connection attempt is rejected. Modify the static IP address pool if needed. See Windows 2000 online Help for more information about TCP/IP and remote access, and how to create a static IP address pool.
  • Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to allow IPX clients to request their own IPX node number.

    Solution: Configure the VPN server to allow IPX clients to request their own IPX node number.

    See Windows 2000 online Help for more information about IPX and remote access.
  • Cause: The VPN server is configured with a range of IPX network numbers that are being used elsewhere on your IPX network.

    Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network.

    See Windows 2000 online Help for more information about IPX and remote access.
  • Cause: The authentication provider of the VPN server is improperly configured.

    Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows 2000 or RADIUS to authenticate the credentials of the VPN client.

    See Windows 2000 online Help for more information about authentication and accounting providers, and how to use RADIUS authentication.
  • Cause: The VPN server cannot access Active Directory.

    Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows 2000 domain that is configured for Windows 2000 authentication, verify the following:

    • The RAS and IAS Servers security group exists. If not, create the group and set the group type to Security and the group scope to Domain local.
    • The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object.
    • The computer account of the VPN server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration, and the netsh ras add registeredserver command to register the server in a specified domain.

      If you add (or remove) the VPN server computer to the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Windows 2000 caches Active Directory information). To immediately effect this change, you need to restart the VPN server computer.
    • For a native-mode domain, the VPN server has joined the domain.
    See Windows 2000 online Help for more information about how to add a group, how to verify permissions for the RAS and IAS security group, and about NetShell commands for remote access.
  • Cause: A Windows NT 4.0 VPN server cannot validate connection requests.

    Solution: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a Windows 2000 mixed-mode domain, verify that the Everyone group is added to the Pre-Windows 2000 Compatible Access group with the following command:

      net localgroup "Pre-Windows 2000 Compatible Access"

    If not, type the following command at a command prompt on a domain controller computer, and then restart the domain controller computer:

      net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
    See Windows 2000 online Help for more information about Windows NT 4.0 remote access server in a Windows 2000 domain.
  • Cause: The VPN server is unable to communicate with the configured RADIUS server.

    Solution: If your RADIUS server is only reachable through your Internet interface, add an input filter and an output filter to the Internet interface for UDP port 1812 (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)"), or UDP port 1645 (for older RADIUS servers) for RADIUS authentication and UDP port 1813 (based on RFC 2139, "RADIUS Accounting"), or UDP port 1646 (for older RADIUS servers) for RADIUS accounting.

    See Windows 2000 online Help for more information about how to add a packet filter.
  • Cause: Cannot connect to the VPN server over the Internet using the Ping.exe utility.

    Solution: Due to the PPTP and L2TP over IPSec packet filtering that is configured on the Internet interface of the VPN server, Internet Control Message Protocol (ICMP) packets used by the ping command are filtered out. To enable the VPN server to respond to ICMP (ping) packets, you need to add an input filter and an output filter that allow traffic for IP protocol 1 (ICMP traffic).

    See Windows 2000 online Help for more information about how to add a packet filter.
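The following Python model is added here as an illustration and is not part of the Windows 2000 documentation. It works through the decision described in the authentication, encryption, dial-in permission and profile-conflict items above: the first matching remote access policy is selected, then the account's dial-in permission is applied, then the profile's authentication and encryption requirements are checked against what the server and the client both offer. The policy attributes, group names and method names are constructed sample values.

```python
# Added illustration of the connection-attempt decision described above; this is
# not Microsoft code. Attribute names, groups and method names are constructed.
from dataclasses import dataclass, field

# The three dial-in permission settings on a Windows 2000 user account.
ALLOW = "Allow access"
DENY = "Deny access"
CONTROL = "Control access through Remote Access Policy"

@dataclass
class Policy:
    name: str
    conditions: dict      # every condition must match the attempt
    grant: bool           # True = "Grant remote access permission"
    profile: dict = field(default_factory=dict)  # optional "auth"/"encryption" sets

@dataclass
class Server:
    auth_methods: set     # authentication protocols enabled on the server
    encryption: set       # encryption strengths the server allows
    eap_enabled: bool = False  # EAP-* methods only work when EAP is switched on

@dataclass
class Attempt:
    user_permission: str  # dial-in permission of the user account
    attributes: dict      # what policy conditions can match (group, tunnel, ...)
    auth_methods: set     # protocols the client offers
    encryption: set       # encryption strengths the client offers

def server_auth(server):
    """EAP-based methods count only if EAP itself is enabled on the server."""
    return {m for m in server.auth_methods if server.eap_enabled or not m.startswith("EAP")}

def evaluate(attempt, server, policies):
    """Return (accepted, reason). Policies are tried in order and only the first
    whose conditions all match is used; no match rejects the attempt outright."""
    matched = next((p for p in policies
                    if all(attempt.attributes.get(k) == v for k, v in p.conditions.items())),
                   None)
    if matched is None:
        return False, "no remote access policy matched the connection attempt"
    # Permission: the user account decides unless it defers to the policy.
    if attempt.user_permission == DENY:
        return False, "user account is set to Deny access"
    if attempt.user_permission == CONTROL and not matched.grant:
        return False, f"policy '{matched.name}' denies remote access permission"
    # Profile: client and server must share a method the profile also allows.
    allowed_auth = matched.profile.get("auth", server_auth(server))
    if not allowed_auth & server_auth(server) & attempt.auth_methods:
        return False, f"no common authentication method (profile allows {sorted(allowed_auth)})"
    allowed_enc = matched.profile.get("encryption", server.encryption)
    if not allowed_enc & server.encryption & attempt.encryption:
        return False, f"no common encryption method (profile allows {sorted(allowed_enc)})"
    return True, f"accepted by policy '{matched.name}'"

# Constructed sample: three policies and a server with EAP switched off.
POLICIES = [
    Policy("Contractors", {"group": "Contractors"}, grant=False),
    Policy("VPN users (L2TP, EAP-TLS)", {"group": "VPN-Users", "tunnel": "L2TP"},
           grant=True, profile={"auth": {"EAP-TLS"}}),
    Policy("VPN users", {"group": "VPN-Users"}, grant=True),
]
SERVER = Server(auth_methods={"MS-CHAP v2", "EAP-TLS"}, encryption={"basic", "strong"})

def demo(user_permission, group, tunnel, auth=("MS-CHAP v2",), enc=("strong",)):
    """Evaluate one constructed attempt against POLICIES and SERVER."""
    attempt = Attempt(user_permission, {"group": group, "tunnel": tunnel}, set(auth), set(enc))
    return evaluate(attempt, SERVER, POLICIES)

if __name__ == "__main__":
    for case in [(CONTROL, "VPN-Users", "PPTP"), (CONTROL, "VPN-Users", "L2TP"),
                 (ALLOW, "Contractors", "PPTP"), (CONTROL, "Contractors", "PPTP"),
                 (DENY, "VPN-Users", "PPTP"), (CONTROL, "Sales", "PPTP")]:
        print(case, "->", demo(*case))
```

The L2TP case reproduces the profile-conflict example above: the profile demands EAP-TLS while EAP is not enabled on the server, so the attempt is rejected even though the policy grants permission.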

Troubleshooting Router-to-Router VPNs

Unable to Establish a Router-to-Router VPN Connection
  • Cause: The Routing and Remote Access service is not started on the VPN client (the calling router) and the VPN server (the answering router).

    Solution: Verify the state of the Routing and Remote Access service on the VPN client and the VPN server.

    See Windows 2000 online Help for more information about how to monitor the Routing and Remote Access service, and how to start and stop the Routing and Remote Access service.
  • Cause: LAN and WAN routing is not enabled on the calling router and the answering router.

    Solution: Enable Local and remote routing (LAN and WAN router) on the calling router and the answering router.

    See Windows 2000 online Help for more information about how to enable LAN and WAN routing.
  • Cause: PPTP or L2TP ports are not enabled for inbound and outbound demand-dial routing connections.

    Solution: Enable PPTP or L2TP ports, or both, for inbound and outbound demand-dial routing connections.

    See Windows 2000 online Help for more information about how to enable routing on ports.
  • Cause: All of the PPTP or L2TP ports on the calling or answering router are currently in use by connected remote access clients or demand-dial routers.

    Solution: Verify that all of the PPTP or L2TP ports on the VPN server are not already being used by clicking Ports in Routing and Remote Access. If necessary, change the number of PPTP or L2TP ports to allow more concurrent connections.

    See Windows 2000 online Help for more information about how to add PPTP or L2TP ports.
  • Cause: The answering router does not support the tunneling protocol used by the calling router.

    By default, Windows 2000 demand-dial interfaces use the Automatic server type option, which means that they attempt to establish an L2TP over IPSec-based VPN connection first, and then a PPTP-based VPN connection. If calling routers use either the Point-to-Point Tunneling Protocol (PPTP) or Layer-2 Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the answering router.

    By default, a computer running Windows 2000 Server and the Routing and Remote Access service is a PPTP and L2TP-capable demand dial router with five L2TP ports and five PPTP ports. To create a PPTP-only router, set the number of L2TP ports to zero. To create an L2TP-only router, set the number of PPTP ports to zero.

    Solution: Verify that the appropriate number of PPTP or L2TP ports is configured on the calling router and the answering router.

    See Windows 2000 online Help for more information about how to add PPTP or L2TP ports.
  • Cause: The calling router and the answering router in conjunction with a remote access policy are not configured to use at least one common authentication method.

    Solution: Configure the calling router and the answering router in conjunction with a remote access policy to use at least one common authentication method.

    See Windows 2000 online Help for more information about how to configure authentication.
  • Cause: The calling router and the answering router in conjunction with a remote access policy are not configured to use at least one common encryption method.

    Solution: Configure the calling router and the answering router in conjunction with a remote access policy to use at least one common encryption method.

    See Windows 2000 online Help for more information about how to configure encryption.
  • Cause: The VPN connection does not have the appropriate permissions through dial-in properties of the user account and remote access policies.

    Solution: Verify that the VPN connection has the appropriate permissions through dial-in properties of the user account and remote access policies. In order for the connection to be established, the settings of the connection attempt must:

    • Match all of the conditions of at least one remote access policy.
    • Be granted remote access permission through the user account (set to Allow access) or through the user account (set to Control access through Remote Access Policy) and the remote access permission of the matching remote access policy (set to Grant remote access permission).
    • Match all the settings of the profile.
    • Match all the settings of the dial-in properties of the user account.
    See Windows 2000 online Help for an introduction to remote access policies, and for more information about how to accept a connection attempt.
  • Cause: The settings of the remote access policy profile are in conflict with properties of the answering router.

    The properties of the remote access policy profile and the properties of the answering router both contain settings for:

    • Multilink
    • Bandwidth allocation protocol
    • Authentication protocols
    If the settings of the profile of the matching remote access policy are in conflict with the settings of the answering router, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the EAP-TLS authentication protocol must be used and EAP is not enabled on the answering router, the connection attempt is rejected.

    Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the answering router.

    See Windows 2000 online Help for more information about how to enable authentication protocols, and how to configure authentication.
  • Cause: The credentials of the calling router (user name, password, and domain name) are incorrect and cannot be validated by the answering router.

    Solution: Verify that the credentials of the calling router (user name, password, and domain name) are correct and can be validated by the answering router.
  • Cause: There are not enough addresses in the static IP address pool.

    Solution: If the answering router is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected remote access clients or demand-dial routers, the answering router is unable to allocate an IP address, and the connection attempt is rejected. Modify the static IP address pool if needed.

    See Windows 2000 online Help for more information about TCP/IP and remote access, and how to create a static IP address pool.
  • Cause: The answering router is configured with a range of IPX network numbers that are in use elsewhere on your IPX network.

    Solution: Configure the answering router with a range of IPX network numbers that are unique to your IPX network.

    See Windows 2000 online Help for more information about IPX and remote access.
  • Cause: The authentication provider of the answering router is incorrectly configured.

    Solution: Verify the configuration of the authentication provider. You can configure the answering router to use either Windows 2000 or RADIUS to authenticate the credentials of the VPN client.

    See Windows 2000 online Help for more information about authentication and accounting providers, and how to use RADIUS authentication.
  • Cause: The answering router cannot access Active Directory.

    Solution: For an answering router that is a member server in mixed-mode or native-mode Windows 2000 domain that is configured for Windows 2000 authentication, verify that:

    • The RAS and IAS Servers security group exists. If not, then create the group and set the group type to Security and the group scope to Domain local.
    • The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object.
    • The computer account of the answering router computer is a member of the RAS and IAS Servers security group. You can use the following command to view the current registration:

        netsh ras show registeredserver

      You can use the following command to register the server in a specified domain:

        netsh ras add registeredserver

      If you add the answering router computer to, or remove the answering router computer from the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Windows 2000 caches Active Directory information). For the change to take effect immediately, you must restart the answering router computer.
    • For a native-mode domain, the answering router has joined the domain.
    See Windows 2000 online Help for more information about how to add a group, how to verify permissions for the RAS and IAS security group, and about the NetShell commands for remote access.
  • Cause: An answering router running Windows NT 4.0 with the Routing and Remote Access Service (RRAS) cannot validate connection requests.

    Solution: If calling routers are dialing in to an answering router running Windows NT 4.0 with RRAS that is a member of a Windows 2000 mixed-mode domain, verify that the Everyone group is added to the Pre-Windows 2000 Compatible Access group with the following command:

      net localgroup "Pre-Windows 2000 Compatible Access"

    If not, type the following command at a command prompt on a domain controller computer and then restart the domain controller computer:

      net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
    See Windows 2000 online Help for more information about Windows NT 4.0 remote access server in a Windows 2000 domain.
  • Cause: The answering router is unable to communicate with the configured RADIUS server.

    Solution: If your RADIUS server is only reachable through your Internet interface, add an input filter and an output filter to the Internet interface for UDP port 1812 (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)") or to UDP port 1645 (for older RADIUS servers) for RADIUS authentication and UDP port 1813 (based on RFC 2139, "RADIUS Accounting") or to UDP port 1646 (for older RADIUS servers) for RADIUS accounting.

    See Windows 2000 online Help for more information about how to add a packet filter.
  • Cause: Cannot connect to the answering router from the Internet by using the Ping.exe utility.

    Solution: Due to the PPTP and L2TP over IPSec packet filtering that is configured on the Internet interface of the answering router, Internet Control Message Protocol (ICMP) packets used by the Ping command are filtered out. To enable the answering router to respond to ICMP packets, you must add an input filter and an output filter that allow traffic for IP protocol 1 (ICMP traffic).

    See Windows 2000 online Help for more information about how to add a packet filter.
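The following Python model is added here as an illustration and is not part of the Windows 2000 documentation. It shows why the RADIUS and Ping items above each need both an input and an output filter on the Internet interface once that interface is set to drop everything except the listed traffic, and why the RADIUS input filter keys on the source port while the output filter keys on the destination port. The PPTP and L2TP over IPSec entries are assumed defaults (TCP 1723 and GRE; UDP 500, ESP and UDP 1701); the RADIUS ports and IP protocol 1 come from the items above.

```python
# Added model of the RRAS Internet-interface packet filters discussed above; not
# Microsoft code. The PPTP/L2TP entries are assumed defaults; RADIUS and ICMP
# values come from the text.
from dataclasses import dataclass
from typing import Optional

ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50   # IP protocol numbers

@dataclass(frozen=True)
class Filter:
    proto: int
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, proto, src_port=None, dst_port=None):
        return (self.proto == proto
                and (self.src_port is None or self.src_port == src_port)
                and (self.dst_port is None or self.dst_port == dst_port))

class Interface:
    """Per-direction filter lists in the mode used on the Internet interface:
    drop everything except packets that match a listed filter."""
    def __init__(self):
        self.input = []    # packets arriving from the Internet
        self.output = []   # packets leaving towards the Internet

    def permits(self, direction, proto, src_port=None, dst_port=None):
        filters = self.input if direction == "input" else self.output
        return any(f.matches(proto, src_port, dst_port) for f in filters)

def vpn_wizard_filters():
    """Assumed default set: PPTP (TCP 1723 + GRE) and L2TP/IPSec (IKE, ESP, L2TP)."""
    iface = Interface()
    iface.input += [Filter(TCP, dst_port=1723), Filter(GRE),
                    Filter(UDP, dst_port=500), Filter(ESP), Filter(UDP, dst_port=1701)]
    iface.output += [Filter(TCP, src_port=1723), Filter(GRE),
                     Filter(UDP, src_port=500), Filter(ESP), Filter(UDP, src_port=1701)]
    return iface

def add_radius_filters(iface, auth_port=1812, acct_port=1813):
    """RADIUS fix from the text: requests go out to the RADIUS server's port and
    replies come back from it, so the output filter keys on dst port and the
    input filter on src port. Use 1645/1646 for older RADIUS servers."""
    for port in (auth_port, acct_port):
        iface.output.append(Filter(UDP, dst_port=port))
        iface.input.append(Filter(UDP, src_port=port))

def add_icmp_filters(iface):
    """Ping fix from the text: allow IP protocol 1 in both directions."""
    iface.input.append(Filter(ICMP))
    iface.output.append(Filter(ICMP))

def radius_reachable(iface, auth_port=1812, client_port=1024):
    """True when an Access-Request can leave and its reply can come back in."""
    return (iface.permits("output", UDP, src_port=client_port, dst_port=auth_port)
            and iface.permits("input", UDP, src_port=auth_port, dst_port=client_port))

if __name__ == "__main__":
    iface = vpn_wizard_filters()
    print("PPTP control channel:", iface.permits("input", TCP, dst_port=1723))
    print("RADIUS before fix:", radius_reachable(iface), "ping:", iface.permits("input", ICMP))
    add_radius_filters(iface)
    add_icmp_filters(iface)
    print("RADIUS after fix:", radius_reachable(iface), "ping:", iface.permits("input", ICMP))
```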
Unable to Send and Receive Data
  • Cause: The appropriate demand-dial interface has not been added to the protocol being routed.

    Solution: Add the appropriate demand-dial interface to the protocol being routed.

    See Windows 2000 online Help for more information about how to add a routing interface.
  • Cause: There are no routes on both sides of the router-to-router VPN connection that support the two-way exchange of traffic.

    Solution: Unlike a remote access VPN connection, a router-to-router VPN connection does not automatically create a default route. You need to create routes on both sides of the router-to-router VPN connection so that traffic can be routed to and from the other side of the router-to-router VPN connection.

    You can manually add static routes to the routing table, or you can add static routes through routing protocols. For persistent VPN connections, you can enable Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) across the VPN connection. For on-demand VPN connections, you can automatically update routes through an auto-static RIP update. See Windows 2000 online Help for more information about how to add an IP routing protocol, how to add a static route, and how to perform auto-static updates.
  • Cause: A two-way initiated, router-to-router VPN connection is being interpreted by the answering router as a remote access connection.

    Solution: If the user name in the credentials of the calling router appears under Dial-In Clients in Routing and Remote Access, the answering router may interpret the calling router as a remote access client. Verify that the user name in the credentials of the calling router matches the name of a demand-dial interface on the answering router. If the incoming caller is a router, the port on which the call was received shows a status of Active and the corresponding demand-dial interface is in a Connected state.

    See Windows 2000 online Help for more information about how to check the status of the port on the answering router, and how to check the status of the demand-dial interface.
  • Cause: Packet filters on the demand-dial interfaces of the calling router and answering router are preventing the flow of traffic.

    Solution: Verify that there are no packet filters on the demand-dial interfaces of the calling router and answering router that prevent the sending or receiving of traffic. You can configure each demand-dial interface with IP and IPX input and output filters to control the exact nature of TCP/IP and IPX traffic that is allowed into and out of the demand-dial interface.

    See Windows 2000 online Help for more information about how to manage packet filters.
  • Cause: Packet filters on the remote access policy profile are preventing the flow of IP traffic.

    Solution: Verify that there are no configured TCP/IP packet filters on the profile properties of the remote access policies on the VPN server (or the RADIUS server if Internet Authentication Service is used) that are preventing the sending or receiving of TCP/IP traffic. You can use remote access policies to configure TCP/IP input and output packet filters that control the exact nature of TCP/IP traffic allowed on the VPN connection. Verify that the profile TCP/IP packet filters are not preventing the flow of needed traffic.

    See Windows 2000 online Help for more information about how to configure IP options.
