VPN connectivity troubleshooting checklist
1. Users can't access file servers
If the user can access the file server using an IP address but not a name, then the most likely reason for failure to connect is a name resolution problem. Name resolution can fail for NetBIOS or DNS host names. If the client operating system is NetBIOS-dependent, the VPN clients should be assigned a WINS server address by the VPN server. If the client operating system uses DNS preferentially, VPN clients should be assigned an internal DNS server that can resolve internal network host names.
When using DNS to resolve internal network host names for VPN clients, make sure that these clients are ...
The solution is to configure the firewall to allow the VPN clients access to the appropriate network resources.
3. Users can't connect to VPN server from behind NAT devices
Most firewalls and NAT routers support the PPTP VPN protocol from behind a NAT. However, some high-profile network equipment vendors don't include a NAT editor for the PPTP VPN protocol. If the user is located behind such a device, the VPN connection will fail for PPTP attempts but may work for alternate VPN protocols.
All NAT devices and firewalls support IPSec passthrough for IPSec-based VPN protocols. These VPN protocols include proprietary implementations of IPSec tunnel mode and RFC-compliant L2TP/IPSec. These VPN protocols can support NAT traversal by encapsulating the IPSec communications in a UDP header.
If your VPN client and server support NAT traversal and the client attempts to use L2TP/IPSec to connect to a NAT-T compliant VPN server from across a NAT, the most likely reason for this failure is that the client is running Windows XP Service Pack 2. Service Pack 2 "broke" NAT traversal for L2TP/IPSec VPN clients. You can solve this problem with a Registry entry on the VPN client computer.
4. Users complain of slow performance
Slow performance is one of the most difficult problems to troubleshoot. There are a number of reasons why VPN clients appear to perform poorly, and it's critical to have the users describe exactly what they are doing when they experience poor performance.
One of the more common reasons for poor performance for VPN clients is when those clients are located behind DSL networks employing PPPoE. These network connections often encounter MTU problems that can cause both connectivity and performance issues.
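A quick way to confirm the PPPoE/MTU suspicion is to probe the path MTU from the client with Don't-Fragment pings. The following script is an added example, not part of the original checklist: it assumes the platform `ping` command (Windows `-f -l`, Linux `-M do -s`) and that a 1492-byte result points at the 8-byte PPPoE header described in RFC 2516.

```python
import platform
import subprocess
from typing import Callable

ICMP_OVERHEAD = 28    # 20-byte IPv4 header + 8-byte ICMP header on each probe
ETHERNET_MTU = 1500   # normal Ethernet MTU
PPPOE_MTU = 1492      # Ethernet MTU minus the 8-byte PPPoE header (RFC 2516)


def ping_df(host: str, payload: int) -> bool:
    """One ping with Don't-Fragment set and `payload` data bytes.

    True if a reply came back; False if the probe was too large for the path
    (or the host did not answer). Needs network access; the search below takes
    any probe callable so it can also be driven by a stub.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=5).returncode == 0
    except (subprocess.SubprocessError, OSError):
        return False


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = ETHERNET_MTU) -> int:
    """Binary-search the largest MTU in [lo, hi] whose DF probe gets through.

    probe(payload) is called with the ICMP payload size for a candidate MTU.
    Returns the MTU, or 0 if not even a `lo`-sized probe passes.
    """
    if not probe(lo - ICMP_OVERHEAD):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2          # round up so the search always advances
        if probe(mid - ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid - 1
    return lo


def diagnose(path_mtu: int) -> str:
    """Map a measured path MTU onto the checklist's PPPoE/MTU verdict."""
    if path_mtu >= ETHERNET_MTU:
        return "full 1500-byte path: MTU is not the cause of the slowness"
    if path_mtu == PPPOE_MTU:
        return "1492-byte path: PPPoE link; lower the VPN adapter MTU below 1492 for tunnel overhead"
    if path_mtu == 0:
        return "no DF probe passed: ICMP or the tunnel itself is being blocked"
    return f"path MTU is {path_mtu}: clamp the VPN adapter MTU below this value"


if __name__ == "__main__":
    import sys
    mtu = find_path_mtu(lambda n: ping_df(sys.argv[1], n))
    print(mtu, diagnose(mtu))
```

Run it as `python pmtu.py <vpn-server-or-internal-host>` from the affected client; a 1492 result with the symptoms above is the PPPoE case.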
5. Users can connect via PPTP but not L2TP/IPSec
PPTP is a simple protocol to set up on both the VPN server and client. All the user requires is the built-in VPN client software included with all versions of Microsoft operating systems and a valid user name and password for an account that has remote access permissions. The VPN server component, if based on Windows Routing and Remote Access Service (and just about any other VPN server supporting PPTP remote access VPN client connections), is easy to set up and usually works automatically after running a short configuration wizard.
L2TP/IPSec is more complex. Both the user and the user's machine must be able to authenticate with the VPN server. Machine authentication can use either a pre-shared key or a machine certificate. If you use pre-shared keys (not recommended for security reasons), check that the VPN client is configured to use the same pre-shared key as the server. If you use machine certificates, confirm that the VPN client machine has a machine certificate and that it also trusts the certificate authority that issued the VPN server's machine certificate.
6. Site-to-site VPNs connect but no traffic passes between the VPN gateways
When creating site-to-site...