Jun 18, 2011

Troubleshooting Remote Access VPNs III


Cause: There are not enough addresses in the static IP address pool.
Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool.

Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to permit IPX clients to request their own IPX node number.
Solution: Configure the VPN server to permit IPX clients to request their own IPX node number.

Cause: The VPN server is configured with a range of IPX network numbers that are being used elsewhere on your IPX network.
Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network.

Cause: The authentication provider of the VPN server is improperly configured.
Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows Server 2003 or Remote Authentication Dial-In User Service (RADIUS) to authenticate the credentials of the VPN client.

Cause: The VPN server cannot access Active Directory.
Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows Server 2003 domain that is configured for Windows Server 2003 authentication, verify that:
The RAS and IAS Servers security group exists. If not, create the group and set the group type to Security and the group scope to Domain local.
The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object.
The computer account of the VPN server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a specified domain.
If you add (or remove) the VPN server computer to the RAS and IAS Servers security group, the change does not take effect immediately (because of the way that Windows Server 2003 caches Active Directory information). To immediately effect this change, restart the VPN server computer.
The VPN server is a member of the domain.

Cause: A Windows NT 4.0-based VPN server cannot validate connection requests.
Solution: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a Windows Server 2003 mixed-mode domain, verify that the Everyone group is added to the Pre-Windows 2000 Compatible Access group with the following command:
net localgroup "Pre-Windows 2000 Compatible Access"
If not, type the following command at a command prompt on a domain controller computer, and then restart the domain controller computer:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

Cause: The VPN server cannot communicate with the configured RADIUS server.
Solution: If you can reach your RADIUS server only through your Internet interface, do one of the following:
Add an input filter and an output filter to the Internet interface for UDP port 1812 (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)").
-or-
Add an input filter and an output filter to the Internet interface for UDP port 1645 (for older RADIUS servers), for RADIUS authentication and UDP port 1813 (based on RFC 2139, "RADIUS Accounting").
-or-
Add an input filter and an output filter to the Internet interface for UDP port 1646 (for older RADIUS servers) for RADIUS accounting.
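
To tell a filtered port from a shared-secret mismatch, the following added example (not part of the original post and not a Microsoft tool) sends a RADIUS Access-Request with throwaway credentials to UDP 1812 and 1645 and checks whether a reply arrives and whether its Response Authenticator verifies. The function names, the NAS-Identifier value and the test credentials are assumptions made for this example.

```python
import hashlib, hmac, os, socket, struct

AUTH_PORTS = (1812, 1645)  # RADIUS authentication ports named in the text above

def hide_password(password, secret, authenticator):
    """Hide User-Password as the RADIUS RFC specifies: XOR with chained MD5 blocks."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    """Access-Request (code 1) with User-Name, User-Password and NAS-Identifier."""
    hidden = hide_password(password, secret, authenticator)
    attrs = b""
    for atype, value in ((1, user), (2, hidden), (32, b"vpn-probe")):  # constructed NAS id
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(reply, request_authenticator, secret):
    """Check Response Authenticator = MD5(code, id, length, request auth, attrs, secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    body = reply[:length]
    digest = hashlib.md5(body[:4] + request_authenticator + body[20:] + secret).digest()
    return hmac.compare_digest(digest, body[4:20])

def probe(server, secret, user=b"probe-user", password=b"throwaway", timeout=3.0):
    """Try each authentication port; return {port: result string}."""
    results = {}
    for port in AUTH_PORTS:
        req_auth, ident = os.urandom(16), os.urandom(1)[0]
        packet = build_access_request(ident, user, password, secret, req_auth)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(packet, (server, port))
                reply, _ = sock.recvfrom(4096)
            except OSError:  # includes socket.timeout
                results[port] = "no reply: port filtered, unused, or request discarded"
                continue
        if reply_is_authentic(reply, req_auth, secret) and reply[1] == ident:
            results[port] = f"reply code {reply[0]}, authenticator verifies"
        else:
            results[port] = "reply received but authenticator fails: check the shared secret"
    return results
```

Call probe() from the VPN server with the RADIUS server's address and the shared secret as bytes. An Access-Reject (code 3) whose authenticator verifies shows that the port is open in both directions and the secret matches.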
