Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference) - page 69


Summary

Windows VPN clients and VPN servers provide a large set of troubleshooting tools for diagnosing and gathering information about remote access VPN connections. VPN clients and servers can use TCP/IP troubleshooting tools such as Ping and Tracert. A VPN server can use authentication and accounting logging, event logging, tracing, Oakley logging, and Network Monitor.

The most common problems with remote access VPN connections are the inability to establish a successful connection and the inability to reach locations beyond the VPN server. Make sure to follow the processes and steps in this chapter closely. They are the same troubleshooting steps the Windows product team uses to test the Windows operating system, so you should be able to get all the issues worked out quickly and easily.



Chapter 12: Troubleshooting Site-to-Site VPN Connections

Overview

In Chapter 11, “Troubleshooting Remote Access VPN Connections,” we went through the extensive and involved procedures for troubleshooting remote access virtual private networks (VPNs). The process for troubleshooting site-to-site VPNs is similar in many ways and uses the same procedures. We will go through the process in detail again for many areas so that you have a complete and comprehensive troubleshooting methodology to use. Where it doesn’t make sense to repeat information, we will refer to Chapter 11. In this chapter, we list the set of troubleshooting tools provided with Microsoft Windows that you can use to gather information about connections, and then describe what to look for to correct the most common problems with site-to-site VPN connections. Remember from the previous chapter the two things to keep in mind when troubleshooting VPNs:

  • “Divide and conquer.” To isolate the problem, rule out components individually, and eliminate them from the troubleshooting equation.

  • “This troubleshooting stuff really works!” Don’t get discouraged. Keep plugging away if you are having problems, and make sure you work with all the tools available.



Troubleshooting Tools

As stated in Chapter 11, the Microsoft Windows Server 2003 family provides the following tools to troubleshoot VPN connections:

  • Transmission Control Protocol/Internet Protocol (TCP/IP) troubleshooting tools

  • Authentication and accounting logging

  • Event logging

  • Internet Authentication Service (IAS) event logging

  • Point-to-Point Protocol (PPP) logging

  • Tracing

  • Oakley logging

  • Network Monitor

We did an extensive overview of these tools in the previous chapter and won’t repeat their uses here. For more information about these tools, see Chapter 11.

One new tool you need to be aware of for site-to-site connections is the Unreachability Reason facility, which you can use to investigate a site-to-site VPN connection problem. When a demand-dial interface fails to make a connection, the interface is left in an unreachable state and the Routing And Remote Access service records the reason why the connection attempt failed in the Unreachability Reason facility. Using this tool can save you a lot of time and effort, so be sure to check it for results of failures.

To view the unreachability reason tool

  1. From the console tree in the Routing And Remote Access snap-in, click Network Interfaces.

  2. In the details pane, right-click the demand-dial interface, and then click Unreachability Reason.