Your VPN Doctor for Virtual Private Network Troubleshooting VPN Guide

Here are some troubleshooting guides for particular topics.

(1) Your Virtual Network Connection

(2) VPN Troubleshooting Error Messages

(3) VPN Modems Troubleshooting Guide

(4) VPN ISP Troubleshooting Guide.

(1) Your Virtual Private Network Connection

Having trouble connecting to the Internet at home? Try these steps before calling for help.

1. Do you have an IP address? Try ipconfig /all. If you do not have an IP address, reboot your PC. If that doesn’t work, power cycle your Cable/DSL modem and routers, then reboot your PC again after the network devices are up and stable. Be sure all of your network cables are plugged in tight.

2. After your PC reboots, check that your network adapter is active and packets are flowing. Perform the ipconfig /all check again.

3. Check your connectivity by pinging several Internet sites. If that does not work, ping the loopback address 127.0.0.1. If that fails, your adapter may not be working or it is not properly configured.

To check your IP address, enter ipconfig /all from a command prompt (as shown in the picture). You should see an IP Address and several DNS Server addresses. The domain name system (DNS) is the way that Internet domain names are located and translated into IP addresses, and it is required for browsing the Internet.

Ping 127.0.0.1 – loopback test (as shown in the picture). The loopback test is used to check whether the IP stack is responding. If it times out or you get an error, one or more of the following conditions may be true:

*The TCP drivers are corrupted

*The network adapter is not working

*Another service is interfering with IP

To check your network adapter, click the Start menu, Settings, Control Panel, and select Network Connections. Double click on the Local Area Connection or the Wireless Adapter, whichever one you are using. Be sure it is Connected. If you have multiple network cards, disable the one you are not using.

There should be Packets displayed in both the Sent and Received counters. If the Received counter is 0 check that the adapter has an IP address. Select Properties.

Click the check boxes for Show icon and Notify me below. A twin PC icon will appear on the lower right portion of the taskbar in the tray area and will flash while sending and receiving packets. You can place your mouse over the icon to get the status and click on it to get more details.

Tracert displays the connection path to the target location and the number of hops. Each hop is the trip from one router to another. Tracert is a handy tool both for understanding where problems are in the network and for determining latency between hops.

Ping is used to determine whether a host exists and is active on the network, and it can determine the round trip time to the device. You can enter a host name or an IP address if you know it. If the request times out, then the host is not reachable because it’s offline or there is a problem with the connection. Try several sites; if none work, then ping the loopback address 127.0.0.1. Also, if your DNS is not working or not properly configured, you can only ping the host with an IP address and you will not be able to browse the Internet.

If you are having intermittent problems, perform a ping -t for 5 to 6 minutes, then hit CTRL C to see the results of the test and determine whether you are dropping network packets (lost packets). If you are, this usually indicates an ISP problem or a Cable/DSL modem problem. See the VPN ISP Troubleshooting Guide.

(2) VPN Troubleshooting Error Messages

Q1 Error Message: Remote Host not responding: or Unable to Resolve the IP address of the Remote Server

Cause: This indicates that the Contivity VPN Switch never responded to the connection attempt. The problem could be either with the Contivity switch itself (the switch may be down) or with your machine, which may be having a problem resolving the IP address.

Action: Try pinging your destination name (Example: VPN.something.com). If you receive a message that says “Request Timed Out” from the ping command, call your ISP to make sure that their DNS is functioning correctly.

Q2 Error Message: Maximum number of sessions reached

Cause: This indicates that the maximum number of users for the account you are using is currently logged on.

Action: If you are the only user with VPN to your account, it is possible to get this error if you restarted a connection immediately after losing the dial-up connection to your ISP. This is because the Contivity VPN Switch takes up to one hour to determine that your connection has been dropped and log you off from your account.

Q3 Error Message: Login failed, Please consult the switch log for further information

Cause: The User Name or the Password is incorrect for the user name entered.

Action: Verify that the User Name you entered is correct and retype the Password before trying the connection again.

Q4 Error Message: The physical connection has been lost

Cause: Your connection to your ISP was disconnected.

Action: Re-establish your connection to your ISP before you re-establish the Contivity connection to the remote network.

Q5 Error Message: The secure Contivity connection has been lost

This message can result from a number of different causes, and there are several recommended actions you can take to try to re-connect.

Cause(s):

If you receive this error before the client connects then something is blocking a necessary port (such as ESP port 50). This can result if your firewall is not configured properly and is restricting the necessary port(s).

If you suddenly receive this error during a connection, it may mean one of the following:

1. Something closed the connection;

2. The VPN Contivity switch you were trying to connect to thought your client was down or timed out;

3. Your local ISP did something that interrupted your network connection long enough for the VPN Contivity switch to decide that your client was not responding;

4. The VPN Contivity switch that you are connected to has either logged your connection off or the Switch is no longer responding, or a device that does not support IPSEC NAT Traversal is causing the connection failure.

Action(s):

1. Try re-establishing the Contivity connection by clicking the Connect button. If this works, the connection was probably lost due to the Idle Timeout configured on the Contivity VPN Switch. If no data is transferred through the Contivity connection for a long period of time, 15 minutes or more, the Contivity VPN Switch automatically disconnects the connection;

2. If you were unable to successfully re-establish the Contivity Connection, the dial-up connection may be preventing data from traveling between the Contivity VPN Client and the Contivity VPN Switch. Hang up the dial-up connection and reconnect before you try to re-establish a connection to the Contivity VPN Switch;

3. If you are still unable to connect to the Contivity VPN Switch, open a Command Prompt and try pinging the Contivity VPN Switch using the host name or address that you specified in the Destination field.

(a) If you receive a “Destination Unreachable error” there is a routing problem at the ISP.

(b) If you receive a “Request Timed Out” error message, the Contivity VPN Switch is probably not available, and you should contact your Network Administrator.

4. If you keep getting this message and are unable to connect, then it may indicate that the Contivity VPN Switch is unable to communicate with the client because it is behind some kind of NAT (Network Address Translation) device. NAT (Network Address Translation) Traversal allows a number of devices on a private network to access the Internet simultaneously without each requiring its own external IP address. Most hotels and airports that provide Internet connectivity use NAT to connect to the Internet.
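The ping results this guide branches on (name not resolved, “Destination Unreachable”, “Request Timed Out”, and dropped packets during a ping -t run) can be told apart by parsing saved ping output; the following is an added example, not part of the original guide. The sample output is constructed, and the function name and verdict labels are assumptions.

```python
import re

# Constructed samples of Windows ping output (not real captures).
INTERMITTENT = """\
Pinging vpn.example.com [192.0.2.10] with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=41ms TTL=52
Request timed out.
Reply from 192.0.2.10: bytes=32 time=44ms TTL=52
Reply from 192.0.2.10: bytes=32 time=39ms TTL=52
Request timed out.
"""
UNREACHABLE = """\
Pinging 192.0.2.10 with 32 bytes of data:
Reply from 198.51.100.1: Destination host unreachable.
Reply from 198.51.100.1: Destination host unreachable.
"""
DNS_FAILURE = "Ping request could not find host vpn.example.com. Please check the name and try again."

# A real echo reply carries bytes=, time= and TTL=. Windows also prints
# "Reply from <router>: Destination host unreachable.", which must not be
# counted as a success even though it starts with "Reply from".
ECHO_REPLY = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+", re.I)


def classify_ping(output):
    """Count probe outcomes and map them to the guide's troubleshooting branches."""
    counts = {"reply": 0, "timeout": 0, "unreachable": 0}
    dns_failed = False
    for raw in output.splitlines():
        line = raw.strip().lower()
        if ECHO_REPLY.match(raw.strip()):
            counts["reply"] += 1
        elif "unreachable" in line:
            counts["unreachable"] += 1
        elif line.startswith("request timed out"):
            counts["timeout"] += 1
        elif "could not find host" in line:
            dns_failed = True
    sent = sum(counts.values())
    loss = round(100.0 * (sent - counts["reply"]) / sent, 1) if sent else None
    if dns_failed:
        verdict = "dns"            # name did not resolve: check the ISP's DNS
    elif sent == 0:
        verdict = "no_data"
    elif counts["reply"] == sent:
        verdict = "ok"
    elif counts["reply"] > 0:
        verdict = "intermittent"   # dropped packets: ISP or Cable/DSL modem
    elif counts["unreachable"] > 0:
        verdict = "routing"        # Destination Unreachable: routing problem at the ISP
    else:
        verdict = "host_down"      # only timeouts: switch probably not available
    return {"counts": counts, "loss_percent": loss, "verdict": verdict}
```

Save the output with `ping -t host > ping.txt`, stop it with CTRL C, and pass the file contents to `classify_ping`.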

Q6 Error Message: Cannot Alter Routing Table

Cause: This message means that you (the user), an application on your machine, or your ISP attempted to change the routing table via an ICMP redirect and the attempt was not successful. The client detects the attempt to make the change, determines it’s a security breach and shuts down the client’s connection. Any time you make a VPN connection, you cannot change the routing table, because the VPN Client views this as a security risk and you will get disconnected.

Some applications, such as a game or other third-party software, require an ICMP redirection in order to work.

Action: If you receive this error and can’t connect due to an ICMP redirect attempt, shut down any other applications you are using which may be causing the ICMP redirect attempt. If it is the ISP that is doing it, you will need to block the ICMP redirect request. You can identify that an ICMP redirect has occurred by seeing a message saying there has been an IP address routing table change.
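One way to see which route changed is to save `route print` output before connecting and again after the error, then compare the two; this is an added example, not part of the original guide or the VPN client. The sample tables are constructed, the function names are hypothetical, and flagging a new host route through a non-default gateway as redirect-like is an assumption about how a redirect shows up in the table.

```python
import ipaddress

# Constructed excerpts of the IPv4 "Active Routes" section of `route print`.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
     203.0.113.20  255.255.255.255    192.168.1.254    192.168.1.50     26
"""


def parse_routes(text):
    """Return {destination CIDR: (gateway, interface)} for IPv4 route lines."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, IPv6 and persistent-route lines have other shapes
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
        except ValueError:
            continue  # five words, but not "destination netmask ..."
        routes[str(net)] = (fields[2], fields[3])
    return routes


def diff_routes(before, after):
    """List routes that were added, removed or changed between two snapshots."""
    b, a = parse_routes(before), parse_routes(after)
    default_gw = b.get("0.0.0.0/0", (None,))[0]
    changes = []
    for dest in sorted(set(b) | set(a)):
        if b.get(dest) == a.get(dest):
            continue
        kind = "added" if dest not in b else "removed" if dest not in a else "changed"
        gateway = (a.get(dest) or b[dest])[0]
        # Assumption: a redirect appears as a host route (/32) that sends one
        # destination through a gateway other than the original default.
        redirect_like = (kind != "removed" and dest.endswith("/32")
                         and gateway not in (default_gw, "On-link"))
        changes.append({"kind": kind, "dest": dest,
                        "gateway": gateway, "redirect_like": redirect_like})
    return changes
```

An empty result means the table did not change between the two snapshots; a `changed` entry for `0.0.0.0/0` points at software that replaced the default route rather than at a redirect.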

Q7 Error Message: Receiving Banner Text Information

Cause: This message means you are experiencing a Banner Sock issue: you will see a window displaying the “Receiving Banner Text” message and then get disconnected.

Actions:

1. Disable the firewall completely to test. This is a port 500 issue and often means that you have a personal firewall that is blocking port 500, or that you have a router that does not support IPSEC pass-through and you are connecting to a VPN switch that does not have NAT Traversal enabled.

2. If using wireless, temporarily remove Wireless from the picture and focus on the Ethernet card. Check the Ethernet card speed and duplex parameters and then make sure that the hub, switch, or router that is on the other end has the same parameters. If not, the VPN connection will drop as the link goes up and down, or due to a large number of errors on the port from a duplex and/or speed mismatch.

3. A firewall may block the connection such that the system will crash. (This will rarely happen.) NSDF (Norton Symantec Desktop Firewall) and NSPF (Norton Symantec Personal Firewall) can do this, though, if you do not trust the IP address of the VPN connection.

If you do not trust the VPN address of the VPN client, the firewall will cause you to crash. In your Internet browser click on “Tools > Internet Options > Security > Trusted Sites > Sites” and add the destination VPN address(es) to your trusted sites.

Q8 Error Message: You already have the maximum number of adapters installed

Cause: You may have installed too many virtual adapters in your IP stack.

Actions:

1. Remove any unnecessary adapters;

2. Create multiple boot scenarios disabling the adapters that are not required for that function;

3. You may also get Banner Sock errors on Win 95 & 98 units with this condition;

4. For more information, see this Microsoft article: KB217744: Unable to Bind Protocols to More Than 5 Network Adapters (copy and paste into the search tool bar > enter).

Q9 Upgrade Errors: The following are some errors that may occur when trying to upgrade / install the Nortel VPN Client 4.65

Error (1): Failed to get Registry key value for NT_IPSECSHM

Cause: This occurs because an important registry key cannot be found in the system registry.

Actions:

1. Uninstall and Reinstall the VPN Software

Error (2): Login Failure due to: Driver Failure

Cause: This is generally caused by either not having Admin rights to the PC or by trying to install/use a Nortel VPN client that predates the operating system.

Actions:

1. Ensure that you have admin rights to the PC.

2. Update/Install the most current version of the Nortel VPN client.

Error (3): Create socket failed with 10048.

Cause: This problem generally will occur whenever you have another VPN client software installed on the system. The most noted conflicting clients are: AOL, Cisco VPN Client(s), SSH Sentinel and PGP.

Actions:

1. Removing these clients will, in most cases, resolve the issue.

(3) VPN Modems Troubleshooting Guide

Q1 Are Cable Modems supported for VPN Access?

Yes, you can use cable modems for VPN access. However you must be aware of the following conditions and be able to work within them:

*Some cable modems require that you log into an NT network to get authenticated.

*Some cable modems use a client similar to the Extranet Client for VPN and both will not run at the same time.

*Some cable modem Contracts/Acceptable Use Policies specify that you cannot use them for business purposes or they want to charge you another fee to use them for business purposes. Make sure you read your contract thoroughly.

*Your Cable modem provider is your ISP. Please see the ISP Troubleshooting Guide for more information.

Q2 Why does my modem seem to perform erratically?

Always make sure that you do not let the operating system select a generic modem. If required, go to the appropriate web site for the vendor of the modem and get the updated INF file so that the proper parameters are configured for the modem.

Q3 Why do I always seem to get a slower connection speed than others with the same modem?

1. Always check the modem configuration to verify that its maximum speed has been selected.

2. It is common when auto-installing modems that the highest speed is not selected automatically.

3. Do not check the box that says run at maximum speed only.

Q4 I plugged my modem into the phone line at the hotel or customer’s office and now it does not work.

Always make sure that the phone line you are plugging into when visiting somewhere is an analog line not a digital one. Plugging into a digital line can permanently damage your modem, requiring a replacement unit. To avoid these situations please contact the local site phone support personnel.

Q5 Why can’t I get a 56Kb V.90 connection from some locations that I go to?

Here are some of the reasons why you might not get a 56K connection:

1. You are located more than 3 ½ miles from your telephone company’s central office (CO).

2. A SLICK or Subscriber Loop System is used in your area.

3. You are calling from a digital PBX system, which creates a Digital to Analog conversion and then an Analog to Digital conversion.

4. Your line contains digital pads or Robbed Bit Signaling (RBS), which can degrade your connection speeds.

5. Your wiring may be of poor quality.

6. Your modem’s firmware may not be up-to-date. Check that your modem has the newest V.90 code installed with all the patches from the vendor’s web site.

Q6 Why can’t I get higher speed on my 56K v.90 modem into some NAG?

Here are some possible reasons:

1. A 56k v.90 modem is asymmetric by design where download speed can be as much as 56k but upload speed will be up to 33.6bps. For 56k to work, there must be only one analog-to-digital (A/D) conversion in your local phone loop. Thus when modems at both ends are analogue, 56k speeds will never be achieved as most PSTN exchanges run digital routing between the exchanges.

2. Some NAG sites use analog phone lines with Cisco and standard 56k modems, and most PC dial-ups use a similar modem. Between the two modems, this limits the download speed to about 33.6kbps maximum.

3. Also, many users might experience lower connection speeds due to other reasons, such as poor line quality. These factors will also contribute to the quality and speed of the line.

(4) VPN ISP Troubleshooting Guide

Q1 If you are getting the message “Unable to Resolve the IP address of the Remote Server. Verify the Host Name in the destination field is correct.” when trying to connect with the Extranet Client.

Try pinging your destination name (Example: VPN.something.com) and if it fails call your ISP to make sure that their DNS is functioning correctly.

Q2 Why do I get No Domain Available when dialing my ISP?

On your Internet Service Provider’s (ISP) dial connection, right click the mouse and select the properties button. Click on the Server Type tab and make sure that the Log On To Network box is unchecked.

Q3 Why do I seem to be running slowly through my VPN connection?

Try turning off the Software Compression option on your Internet Service Provider’s (ISP) dial connection, as the VPN client has its own compression. Right click the mouse and select the properties button. Click on the Server Type tab and uncheck the

Q4 I keep getting busy signals when trying to connect to my ISP, what should I do?

Contact your ISP, giving the numbers you are trying to connect to. Many times you will find that they can give you an alternate number not published yet that will work just fine. If not, you may need to find another ISP that provides better service.

Q5 When configuring the dial icon for my ISP what should I put in the DNS/WINS settings?

Your ISP should supply you with the DNS/WINS settings of your dial connection. Most only give you DNS, in this case just leave the WINS settings blank.

Q6 Why when I load the Extranet Client on my PC and Winpoet is installed on my machine it crashes or does not work properly?

There are issues running Winpoet software on the PC with the Nortel Extranet (VPN) Client.

To repair your system, boot in safe mode and uninstall the Winpoet Software.

A simple solution is to install the Linksys BEFSR41 hardware router. It has a firmware PPPOE connector, which eliminates Winpoet from the PC and provides the added benefit of a NAT firewall with the ability to hook up to three other PCs.

A second option is to find a PPPOE Client that does not interfere with VPN Clients.

Please See Your VPN Doctor for Picture Guide and further Details.
