Troubleshoot VPN connections with these 10 tips

Targeting the cause of a VPN problem requires a systematic troubleshooting process. Brien Posey explains steps you can follow to zero in on the culprit.

VPNs can involve several systems working together to provide functionality, which makes pinpointing problems a little tricky. The best approach to troubleshooting VPN problems is to use the process of elimination. In this article, I will show you 10 things to look for when you're trying to determine the cause of VPN errors. This isn't intended to be a comprehensive guide to VPN troubleshooting, but it should help you get started with the process.

Note: This article is also available as a PDF download and was originally published in November 2010 in the 10 Things Blog.

1: Find out who is affected

The first step in troubleshooting any VPN problem is to determine who is affected by it. That information can go a long way toward helping you figure out where to start looking for the problem. For example, if everyone in the company is having problems, you might look for a hardware failure on your VPN server, an incorrect firewall rule, or perhaps a configuration problem on your VPN server.

On the other hand, if the only person who is having a problem is that guy from Marketing who can never seem to remember his password or the woman from Accounting who insists on connecting from her home computer, that too can tell you a lot about what may be going on.

2: Check to see whether users can establish VPN connectivity

When you begin the actual troubleshooting process, I recommend you start by determining whether the affected users can establish VPN connectivity. Remember, not all VPN problems involve connection failures. Sometimes, users can connect, but they can't access network resources. Determining whether the user can establish VPN connectivity will help you narrow down the areas in which you should be looking for problems.

3: Look for policies preventing connectivity

If you find that certain users are having trouble establishing connectivity, have them try to log in from a known good machine. If that doesn't work, there may be a policy in place preventing them from logging in. For example, if you are operating in a Windows Server environment, you should check the Active Directory Users and Computers console to verify that the user has been given permission to log in remotely. Likewise, some VPNs are designed so that users are allowed to log in only during certain times of the day.

4: Don't rule out the client

If only a single user is affected by the problem and has no trouble logging in from another computer, the problem is most likely related to the computer that he or she was trying to connect from.

Several years ago, one of my users was having trouble connecting to a VPN from a home computer. When I tried talking him through the problem, he kept telling me that what he was seeing didn't match what I was asking him to do. It turned out that the user had installed a freeware VPN client because a friend had told him it was much better than what he'd been using. On another occasion, I had someone who was unable to establish VPN connectivity because a virus had destroyed the computer's TCP/IP stack.

If users are attempting to connect from their own computer, you can't assume anything about the system they're using.

5: Try logging in locally

This probably sounds silly, but when users tell me that they are having trouble logging in to the VPN, one of the first things I do is verify that they can log in locally.

I once had a user complain of VPN problems. I spent a lot of time trying to troubleshoot the issue. When nothing I tried seemed to make any difference, I decided to double-check the user's account to see whether there were any restrictions on it. When I did, I noticed that the account was locked out. I unlocked the account and tried again, but it wasn't long before the account was locked again.

I reset the user's password and was able to log in without any problems. When I told the user about it, he told me that he'd never been able to log in with that account. When I asked how he got his work done each day, he told me that he always logged in as one of his coworkers. (You can't make this stuff up.) Ever since that incident, I always like to verify that the user's account is working properly.

6: See if affected users are behind NAT firewalls

Another thing I like to check is whether affected users are connecting from computers that are behind a NAT firewall. Normally, NAT firewalls aren't a problem. However, some older firewalls don't work properly with VPN connections.

7: Check for Network Access Protection issues

Microsoft created the Network Access Protection feature as a way for administrators to protect network resources against remote users whose computers are not configured in a secure manner. Although Network Access Protection (NAP) works well, it has been known to cause problems for end users.

One problem I have seen a few times is that Network Access Protection is based on group policy settings. Therefore, if a user attempts to connect from a computer that is not a domain member, NAP will not work properly. Depending on how the VPN is configured, either the health of the user's computer will be ignored or the user will be denied access to the network.

It is also common to configure NAP so that if a user's computer fails the various health checks, a VPN connection is established to an isolated network segment containing only the resources necessary to address the health problem (sometimes through automatic remediation). When this happens, some users may not understand what is going on and may assume that there is a problem with the VPN.

8: Try accessing various network resources

If users can log in to the VPN but they can't do anything once they're connected, the next step is to systematically attempt to connect to various resources on the network. This is important because you may find that some network segments are accessible while others are not.

For example, when a user connects to a VPN server, the computer is typically assigned an IP address by a DHCP server. However, I once saw a situation in which the DHCP server had been configured incorrectly, and users who were assigned addresses from one specific scope couldn't access remote network segments.

9: Test connecting to resources by IP address rather than server name

You can also try connecting to network resources by their IP address instead of by their name. If you can access previously inaccessible resources by using IP addresses, you can bet that a DNS problem is to blame. If that happens, you should check to see which DNS server VPN clients are configured to use.
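An added example (not part of the original article) that automates tips 8 and 9: for each resource it compares access by name with access by a known IP address and reports whether DNS or the network path is at fault, grouped by segment. The host names, addresses, ports and the /24 grouping are constructed assumptions; replace them with your own inventory.

```python
import socket

def resolve(name):
    """Return the IPv4 addresses the client's configured DNS gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def can_connect(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(name, known_ip, port, resolve=resolve, can_connect=can_connect):
    """Classify one resource by comparing access by name with access by IP."""
    answers = resolve(name)
    by_ip = can_connect(known_ip, port)
    if not answers:
        return "DNS: name does not resolve" if by_ip else "DNS and path both failing"
    if known_ip not in answers:
        return "DNS: resolves to unexpected address" if by_ip else "DNS wrong, path also failing"
    return "OK" if by_ip else "ROUTING: name resolves, host unreachable"

def survey(resources, **probes):
    """Run diagnose over every resource and group the verdicts by segment."""
    report = {}
    for name, known_ip, port in resources:
        subnet = known_ip.rsplit(".", 1)[0] + ".0/24"  # assumption: /24 segments
        report.setdefault(subnet, {})[name] = diagnose(name, known_ip, port, **probes)
    return report

# Constructed inventory: (name, address recorded by the admin, TCP port).
RESOURCES = [
    ("files.corp.example", "10.1.10.5", 445),
    ("intranet.corp.example", "10.1.20.8", 443),
]

if __name__ == "__main__":
    for subnet, results in survey(RESOURCES).items():
        for name, verdict in results.items():
            print(f"{subnet:16} {name:28} {verdict}")
```

Run it from a connected VPN client; a segment where every entry reads ROUTING points at addressing or routing for that scope, while DNS verdicts point at the DNS server the VPN client was handed.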

10: Determine if users are having performance problems

Sometimes, users may find that although a VPN connection is functional, it is painfully slow. When this happens, you will have no choice but to do some performance monitoring on your infrastructure servers to ensure that they are not experiencing performance bottlenecks.

I have found that if the infrastructure servers are the source of performance problems, you will usually have multiple users complaining about poor performance. If only a single user is complaining, the problem is likely to be related to that user's Internet connection. I recently stayed at a hotel whose Internet service was so slow that I had difficulty even checking my email. If that happened to an end user, he or she might assume that the hotel's Internet service was running at a normal speed but that the VPN server was having problems.

About

Brien Posey is a seven-time Microsoft MVP. He has written thousands of articles and written or contributed to dozens of books on a variety of IT subjects.

6 comments
velmaniThangaraj

We have a VPN server in USA. We used to connect with that server. But now from linux machine we could able to connect with vpn server but from MAC and window machine able to connect with VPN server. And one more thing from linux machine they able to ssh into that VPN server machine. But can do nothing.

kelly-wilson

Very nice article. But wouldn't it be even better if you have a corporate VPN service provider who looks after these issues itself? I would definitely prefer such a provider.

devnullius

Hello, Just wanted to inform about my problems... And the solution. Might help some :) First, an overview of all I experienced... http://www.chromeboard.com/showthread.php?t=33327 http://social.technet.microsoft.com/Forums/pl-PL/w7itproinstall/thread/2ecc35aa-7a28-4873-84ce-fb15b11adbc4?prof=required http://www.google.com/support/forum/p/Chrome/thread?tid=569ec0e1b45a5900&hl=en I also had a big sound stuttering problem, which seems irrelevant, as described here: http://www.sevenforums.com/sound-audio/26494-does-anyone-actually-have-sound-stuttering-fix-5.html I mention the corrupted sound because someone mentioned that it could be caused by a Privacy tool, he did not say which one. I solved the sound problem pretty much, but once I got it back (only to react normal again after hibernation :|). So I again remembered the remark about privacy tools. I tested a LOT of them ; ) Which one could it be? And could it cause my Chrome and other browsers to ignore my network settings completely, although the software itself insisted all was connected well? I found a strange file in c:\windows\system32\PCProxy.dll . Trying to remove it failed! PCProxy.dll was used by pretty much all programs and services on my computer. The usage is easy to check with fileunlocker 1.9.x. Removing it failed in all manners. So I decided to first boot with a Live DVD running a Windows system. (Safe Mode fails on official downloaded 30-days trial for Windows Enterprise - anyone a fix for this? ;)). With the Live cd (use Bit Che and uTorrent to find one) I removed the culprit file. Rebooting back into Windows gave MANY errors! All network related programs were upset, including Avast antivirus. The fix was easy! PCProxy.dll is a file installed by NotMyIp (I started all this troubleshooting when I wanted to try that program again: a newer version refused to install because of the old unremovable installation). So I re-ran the installation of Notmyip. This time all went well.
After a new reboot, all programs were happy. NotmyIP used all my CPU idle time, messing up my system big time. So I immediately removed it again from my system. This time, no problems with NotMyIp or PCProxy-file in system32's folder. Now I could finally connect my freeopenvpn portable client again. Smooth playback (@240 that is) of hulu. All I wanted to begin with :P Peace! Devvie ~~~ devnullius@googlewave.com ~~~ Cuisvis hominis est errare, nullius nisi insipientis in errore persevare ------ All spelling mistakes are my own and may only be distributed under the GNU General Public License! - (?? 95-1 by Coredump; 2-011 by DevNullius)

Mark W. Kaelin

Have you had trouble with your VPN connections lately? Tell us about it and how you did your troubleshooting.

Kevin@Quealy.net

When our remote users call because their VPN won't connect the FIRST thing we check is whether they have a connection to the internet. This specifically comes up when our guys are at a hotel. Even hotels with free wifi usually require you to open a browser and accept a usage agreement before it will allow traffic to flow. VPN connections will fail until this is done.