Troubleshooting Windows VPN servers

The Windows remote access server allows VPN clients to authenticate and to transparently connect to an internal network as if they have a direct connection to that network. This allows users to work remotely in a secure fashion. This article focuses on some common areas that should be addressed on the server side when troubleshooting VPN connection problems.

There are several aspects of the remote access server that can create issues when a VPN client connects. The VPN server must be configured properly to allow remote access. If a user is experiencing connectivity issues and you have already validated that the client is configured properly and that the end user has network reachability to the server segment, follow these steps.

1. Validate that the server is enabled to allow remote access. Go to the following:
   • Routing and Remote Access Snap-in --> Properties --> General, and validate that the remote access server box is checked

2. Validate the authentication provider.
   • Routing and Remote Access Snap-in --> Properties --> Security, and validate whether RADIUS or Windows Authentication is checked.

3. Validate the authentication method.
   • Routing and Remote Access Snap-in --> Properties --> Security, and select the authentication credential mechanisms. This is usually some form of CHAP.

The server has other settings that must be configured properly, including IP settings such as IP routing, DHCP and PPP. Validate these settings as follows:

1. Validate that the server is enabled to allow IP routing. Go to the following:
   • Routing and Remote Access Snap-in --> Properties --> IP tab, and verify that the server is configured to allow IP routing. Also verify that the server is configured to allow IP-based remote access and demand dial connections.

2. Validate the server is configured to assign IP addresses. This can be done via a static pool of addresses or DHCP.
   • Routing and Remote Access Snap-in --> Properties --> IP Tab, and click either DHCP or Static address pool. If static address pool is clicked, a range of addresses must be configured.

This is the basic set up of the windows VPN server. There are many other features associated with a VPN session, such as authentication and encryption, that can also cause problems. The best bet is to try and get the user to connect and authenticate a simple session. Eliminate all factors outside of standard connectivity; then you can try to overlay the additional security features onto the session.

For more on the client side of the Windows 2000 VPN connection and specific steps to verify the client configuration and validate network connectivity, read the previous tip, Working with Windows VPN clients.

Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.