
 

VPN Issues


Can see the remote computers but get access denied

Cause: This is a permission issue. You are using local computer credentials to access the remote domain/workgroup network. For consultants, refer to 082004RL.

Can't access the remote network at home only

Symptoms: You set up VPN on a laptop connecting to the office VPN server. At home, you can connect and authenticate just fine but can't ping any address on the remote network. If you use the same laptop in a different location, the VPN works.

Cause: The home LAN (the VPN client side) uses the same IP range and subnet as the remote LAN you are trying to dial into.
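A quick way to confirm this cause is to compare the client's local interfaces with the networks behind the VPN. The following is an added example, not part of the original page; the remote networks are the inside network and address pool used in this page's PIX listings, and the laptop addresses are constructed.

```python
import ipaddress

# Remote side: inside network and VPN address pool from this page's PIX listings.
REMOTE_NETS = ["10.1.0.0/16", "192.168.1.0/24"]

def find_conflicts(local_ifaces, remote_nets):
    """Return (home_net, remote_net, kind) for each overlapping pair."""
    conflicts = []
    for iface in local_ifaces:
        home = ipaddress.ip_interface(iface).network
        for net in remote_nets:
            remote = ipaddress.ip_network(net)
            if home.version != remote.version or not home.overlaps(remote):
                continue
            if home == remote:
                kind = "identical"
            elif home.subnet_of(remote):
                kind = "home inside remote"
            else:
                kind = "remote inside home"
            conflicts.append((str(home), str(remote), kind))
    return conflicts

def treated_as_local(dest, local_ifaces):
    """True if the client sees dest as on-link on its own LAN, so traffic
    for a remote host with that address may go to the home LAN instead
    of into the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_interface(i).network for i in local_ifaces)

if __name__ == "__main__":
    home = ["192.168.1.23/24"]       # constructed: laptop on a typical home LAN
    elsewhere = ["172.20.5.9/24"]    # constructed: same laptop at another site
    print(find_conflicts(home, REMOTE_NETS))
    print(find_conflicts(elsewhere, REMOTE_NETS))
    print(treated_as_local("192.168.1.10", home))
```

An empty result means the addressing does not collide and the cause lies elsewhere; a non-empty result means one side has to be renumbered.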

Can't access VPN

1. Make sure the Routing and Remote Access service on the VPN server is running. To do this, go to the Properties of My Computer>Manager>Services.
2. Make sure remote access on the VPN server is enabled. To enable the remote access server, open Routing and Remote Access, right-click the server name for which you want to enable remote access, and then click Properties. On the General tab, select the Remote access server check box.
3. Make sure PPTP or L2TP ports, or both, are enabled for inbound remote access requests. For consultants, refer to case RL040503.

Can't connect to a VPN server on the outside of the PIX

Symptom: When attempting to connect to a VPN server on the outside of the PIX it returns error 721, the computer failed to respond.

Resolution: 1) To pass PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723. For example, for PPTP add this:
conduit permit gre host x.x.x.x any
conduit permit tcp host x.x.x.x eq 1723 any
For L2TP over IPsec add this:
conduit permit esp host x.x.x.x any
conduit permit udp host x.x.x.x eq 1701 any
conduit permit udp host x.x.x.x eq 500 any

2) If the PIX is V6.3(3) or above, you can enable the PPTP fixup:
fixup protocol pptp 1723

Can XP Home have multi VPN connections open simultaneously, like NT and W2K Pro?

This is not supported in the Home edition.

Client VPN IP address must be used as a default gateway

Symptom: You set up a VPN server and assign the VPN server IP as the VPN default gateway. When VPN clients connect to the VPN server, they can't access the network.

Resolution: The gateway IP address should be the client's IP assigned by the VPN server, not the IP address of the VPN server's Internet interface. You can only determine the IP address of the VPN client's virtual interface while the client is connected: double-click the virtual private networking connection object when the VPN connection is active and, in the resulting Status dialog box, click the Details tab. Or use the ipconfig /all command.

Do not install VPN on W2K with ICS running

Many users have reported difficulties after installing VPN on W2K/XP running ICS, and ICS clients may receive an "Error: Page Can Not be Displayed" message. The reason is that establishing a VPN connection on the ICS host modifies the routing table on the ICS host, which forces all clients that try to connect to the Internet to use the VPN routing table instead of the ICS routing table used to connect to the Internet service provider (ISP). You may modify the route table to fix this problem, for example, route -p add <network> mask <subnet mask> <router ip>. If you want to add a route for a single host (a firewall which is on another subnet), use route -p add <ip> mask 255.255.255.255 <host ip>, for example, route -p add 192.168.0.100 mask 255.255.255.255 160.213.320.1.

Enable Allow Local LAN Access on Cisco VPN client

Q: I use the Cisco VPN client at home to access my company VPN. However, I can't access my home network while connected to the VPN. Any suggestions?

A: You may enable Allow Local LAN Access. To do this, right-click the connection>transport, check Allow Local LAN Access.

How to enable RRAS and NAT logs

1. To select the event type for RRAS, right-click RRAS>Logging.
2. To select NAT log, right-click NAT.
3. The log files are located in %windir%\tracing or %windir%\system32\Logfiles.

How to get VPN client to authenticate on the server with the same credentials that they used to connect to the VPN

Go to the client VPN connection properties>Options and have the user select Include Windows logon domain. When connecting to the VPN, the user will then have to enter the domain name as well as the username and password.

How to manage VPN idle time.

You can create a remote access policy to manage the VPN idle time. Open Routing and Remote Access. Click on Remote Access Policies. Right-click on Connection to Microsoft Routing and Remote Access Server. Click on Edit Profile. In the Dial-in constraints tab, you will have two checkboxes against 'Session timeout' and 'Idle timeout'. You can select these checkboxes and specify the time here. Session timeout is used to disconnect the user after the specified time irrespective of whether there is activity over the connection or not. Idle timeout is used to disconnect the user if the connection is idle for the specified time.

How to setup VPN for MS VPN clients on Cisco PIX

To setup VPN for MS VPN clients on Cisco PIX, you need to add the following lines.
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool bigpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list 101
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local bigpool
vpdn group 1 client configuration dns yourdns
vpdn group 1 client configuration wins yourwins
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username username password *********
vpdn enable outside
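
The listing above lets the PIX accept PAP and CHAP alongside MS-CHAP. PAP sends the password in cleartext, and MPPE can only encrypt a session that authenticated with MS-CHAP. The following added example (not part of the original page) audits the vpdn lines of a configuration for those settings; the function name and finding texts are illustrative, and the second sample is a constructed variant that accepts MS-CHAP only.

```python
import re

# The vpdn lines from the PIX listing above, embedded as sample input.
PAGE_CONFIG = """\
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn enable outside
"""
# Constructed variant that accepts MS-CHAP only.
MSCHAP_ONLY = "\n".join(
    l for l in PAGE_CONFIG.splitlines() if not l.endswith((" pap", " chap")))

LINE_RE = re.compile(
    r"^vpdn group (\S+) (?:(accept dialin pptp)"
    r"|ppp authentication (\S+)|ppp encryption mppe (\S+))", re.I)

def audit_vpdn(config):
    """Return sorted (group, finding) pairs for PPTP vpdn groups."""
    groups = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, pptp, auth, mppe = m.groups()
        g = groups.setdefault(name, {"pptp": False, "auth": set(), "mppe": set()})
        if pptp:
            g["pptp"] = True
        elif auth:
            g["auth"].add(auth.lower())
        else:
            g["mppe"].add(mppe.lower())
    findings = []
    for name, g in groups.items():
        if not g["pptp"]:
            continue  # only PPTP dial-in groups are audited here
        if "pap" in g["auth"]:
            findings.append((name, "PAP accepted: password is sent in cleartext"))
        if "chap" in g["auth"]:
            findings.append((name, "CHAP accepted: MPPE needs MS-CHAP keys"))
        if not g["mppe"]:
            findings.append((name, "no MPPE encryption configured"))
        elif g["mppe"] & {"40", "auto"}:
            findings.append((name, "MPPE may negotiate 40-bit keys"))
    return sorted(findings)
```

Calling audit_vpdn(PAGE_CONFIG) reports the PAP and CHAP lines for group 1, while audit_vpdn(MSCHAP_ONLY) returns an empty list.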

How to setup split-tunnel on Cisco PIX

To setup VPN for Cisco VPN clients on Cisco PIX, you add the following lines:
access-list split permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool bigpool 192.168.1.1-192.168.1.254
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server yourdns
vpngroup vpn3000 wins-server yourwins
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

How to stop other requests flow through the VPN

Q: I just set up VPN on my Windows server for my clients to VPN into my network. The one issue I'm noticing is that all their DNS requests flow through the VPN. How can I set it up so that only the subnets that I control are routed through the VPN?

A: Uncheck "Use Gateway on remote network" on the VPN client.

Internal clients can't access the Internet after a remote client connects to RRAS

Symptoms: After a remote client establishes a connection on a RRAS which is installed on a domain controller with DNS, one or more of the following symptoms may occur:

1) Internal clients may no longer be able to browse the Web through Internet Security and Acceleration (ISA) Server, regardless of whether or not Web Proxy or the Firewall Client is being used for Web browsing.
2) A "The page cannot be displayed" error message is generated when you use a Web browser.
3) A "cannot find server or DNS" error occurs.
4) From an internal client, if you ping the name of the server, PING returns an address other than the IP address that is bound to the server's internal adapter.
5) You cannot browse through the list of computers in Network Neighborhood or My Network Places.
6) You cannot connect to the following Web page: http://server_name/myconsole
7) You may receive the following event message: Event ID: 4319, Source: Netbt, Description: A duplicate name has been detected on the tcp network. The IP address of the machine that sent the message is in the data. Use NBTSTAT with a switch of N in a command window to see which name is in a conflict state.
8) When a client clicks Update Now from the Firewall Client applet in Control Panel, the client may receive the following error message:

The server is not responding when client requests an update.
Possible causes:
-The server is not an ISA Server.
-The server is down.

9) Windows 2000 LAN clients cannot map a network drive to the server. The client may receive the following error message: No Logon Servers Available to Service your Logon Request.

Resolutions: This issue can occur if the client computer receives a response from DNS that includes the wrong Internet Protocol (IP) address. This address is only returned in a query after a remote client has connected by using Dial-Up Networking. This IP address is registered with DNS if network basic input/output system (NetBIOS) is bound to the RRAS server's dial-in interfaces or if DNS is configured to listen on all interfaces. To resolve this problem, obtain the latest service pack for Windows 2000.

Routing & Remote Access service was unable to start

Causes: Dependencies such as NetBIOSGroup and RPC may not start.

Some routers may take just one VPN connection

Symptom: You are trying to connect two or more computers to a Windows VPN behind a router. Each machine connects individually. However, when you try to connect two or more VPN clients to the VPN simultaneously, only the first client connects successfully. Other clients may receive Error 721 - Remote PPP peer or computer is not responding.

Cause: Some routers take only one connection.

VPN connection appears with a red X
Missing WAN Miniport L2TP and PPTP


Symptoms: 1. The VPN connection appears with a red X.
2. You receive the following error message: You do not have sufficient privileges for accessing the connection properties. Contact your administrator.
3. Missing WAN Miniport L2TP and PPTP under Device Manager

Cause: This happens after applying Q318138.

VPN client disconnection issues

1. If it is XP and you use ICS/ICF, disable ICS/ICF or install the latest SP.
2. It could be an idle time issue. Go to Remote Access Policies to make the change.

VPN XP Client Disconnects After One Minute

SYMPTOMS: After you install SP1 for XP, your computer may drop VPN connections after about 55 seconds. This behavior may occur if ICS/ICF is enabled.

RESOLUTION: 1) Disable ICS. 2) Disable ICF. 3) Contact Microsoft Product Support Services to obtain the fix.

VPN Win98 can access the resources but not W2K/XP

Q: We're trying to connect a Win2K and a Win98 laptop to our office over a VPN. From this location the Win2K client will connect correctly and authorize correctly, but you cannot browse the remote network. You cannot ping a remote network address, nothing. At the same location a Win98 client will connect correctly and browse the network with no problem. What's the difference in the networking of the two that would cause this to happen?

A: Win2K and XP both use DNS to find other machines, whereas Win98 uses NetBIOS or WINS. So, you will need to set up DNS on the VPN server or clients.

 

Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.