Jun 18, 2011

Troubleshooting Remote Access VPNs II

 Cause: The VPN server does not support the tunneling protocol of the VPN client. 

By default, Windows Server 2003 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first, and then they try to establish a PPTP-based VPN connection. If VPN clients use either the Point-to-Point Tunneling Protocol (PPTP) or Layer-2 Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the VPN server.

By default, a computer running Windows Server 2003 Server and the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero. 

Solution: Verify that the appropriate number of PPTP or L2TP ports is configured.


Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common authentication method.

Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common authentication method.

Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common encryption method. 

Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common encryption method.

Cause: The VPN connection does not have the appropriate permissions through dial-in properties of the user account and remote access policies. 

Solution: Verify that the VPN connection has the appropriate permissions through dial-in properties of the user account and remote access policies. For the connection to be established, the settings of the connection attempt must:

o    Match all of the conditions of at least one remote access policy.

o    Be granted remote access permission through the user account (set to Allow access) or through the user account (set to Control access through Remote Access Policy) and the remote access permission of the matching remote access policy (set to Grant remote access permission).

o    Match all the settings of the profile.

o    Match all the settings of the dial-in properties of the user account.

See the Windows Server 2003 Help and Support Center for an introduction to remote access policies, and for more information about how to accept a connection attempt. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The settings of the remote access policy profile are in conflict with properties of the VPN server.

The properties of the remote access policy profile and the properties of the VPN server both contain settings for:
o    Multilink.
o    Bandwidth allocation protocol (BAP).
o    Authentication protocols.
If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the Extensible Authentication Protocol - Transport Level Security (EAP-TLS) authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected. 

Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the VPN server.

See the Windows Server 2003 Help and Support Center for more information about multilink, BAP, and authentication protocols. Click Start to access the Windows Server 2003 Help and Support Center.
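The permission checks and the profile/server conflict described above can be traced with a small model that reports which cause rejected a connection attempt. This is an added example, not code from the original post or from Microsoft; the class names, attribute keys, policy names and sample configuration are constructed for illustration, first-match policy ordering is an assumption, and the dial-in property constraints of the user account are not modelled.

```python
# Added example, not Microsoft's implementation. Assumption: policies are tried
# in list order and the first one whose conditions all match is used.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict    # attribute -> required value (empty matches anything)
    grant: bool         # True = Grant remote access permission
    profile_auth: set   # authentication protocols the profile permits

@dataclass
class Attempt:
    attributes: dict    # e.g. {"tunnel": "PPTP", "group": "VPNUsers"}
    auth_protocol: str  # protocol offered by the VPN client
    dial_in: str        # user account setting: "allow", "deny" or "policy"

def evaluate(attempt, policies, server_auth):
    """Return (accepted, reason) for one connection attempt."""
    # 1. All conditions of at least one policy must match.
    match = next((p for p in policies
                  if all(attempt.attributes.get(k) == v
                         for k, v in p.conditions.items())), None)
    if match is None:
        return False, "no remote access policy matched"
    # 2. Permission comes from the account, or from the policy if deferred.
    if attempt.dial_in == "deny":
        return False, "user account denies access"
    if attempt.dial_in == "policy" and not match.grant:
        return False, f"policy '{match.name}' denies access"
    # 3. Profile settings must not conflict with the VPN server's properties.
    usable = match.profile_auth & server_auth
    if not usable:
        return False, "profile authentication protocols not enabled on server"
    # 4. The client must use a protocol both profile and server accept.
    if attempt.auth_protocol not in usable:
        return False, "no common authentication method"
    return True, f"accepted by policy '{match.name}'"

# Constructed sample configuration: EAP is not enabled on the server.
POLICIES = [
    Policy("VPN-Admins", {"tunnel": "L2TP", "group": "VPNAdmins"}, True, {"EAP-TLS"}),
    Policy("VPN-Users", {"group": "VPNUsers"}, True, {"MS-CHAP v2"}),
]
SERVER_AUTH = {"MS-CHAP v2"}

if __name__ == "__main__":
    admin = Attempt({"tunnel": "L2TP", "group": "VPNAdmins"}, "EAP-TLS", "allow")
    print(evaluate(admin, POLICIES, SERVER_AUTH))
```

The sample attempt reproduces the EAP-TLS case from the text: the account allows access and a policy matches, but the attempt is still rejected because the profile requires a protocol the server has not enabled.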


Cause: The answering router cannot validate the credentials of the calling router (user name, password, and domain name). 

Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.

