Here are 10 common errors, along with 10 remedies that users can apply themselves when they encounter these errors.
1. Cannot install Cisco 3000 VPN workstation when running Internet Connection Sharing
This is not a complicated error. Users only need to turn off ICS (Internet Connection Sharing) on the computer before installing the VPN client. You should also replace ICS with a router that has a suitable firewall, although this is not necessary if the VPN machine connects normally via another machine that uses ICS.
To turn off ICS, go to Start > Control Panel > Administrative Tools > Services > Internet Connection Sharing, then clear the Load On Startup option.
However, after clearing this option, the Welcome Screen and Fast User Switching on the Windows XP VPN client will also be turned off. Standby mode and Task Manager still work normally, but users will have to enter their username and password in a dialog box instead of on the Welcome Screen.
Note: Fast User Switching can be reactivated by disabling the Start Before Login feature on the workstation. However, re-enabling it causes some problems, so if you don't really need Fast User Switching, you should not reactivate it.
Another thing related to installing a workstation is that Cisco does not recommend installing multiple VPN clients on the same PC. If you have installed multiple VPN clients on your PC, it is best to remove them.
2. Determine the Key error through the logs
If you encounter an error in the logs related to preshared keys, the keys on the two ends of the VPN connection may not match. If this error occurs, the logs may show the exchange between the client and the VPN server in IKE main mode.
Shortly after this exchange takes place, the log will report a key error. On the Concentrator, go to Configuration > System > Tunneling Protocols, then select the IPSec LAN-to-LAN option and select your IPSec configuration. In the Preshare Key field, enter the preshared key.
On a Cisco PIX firewall used with the Concentrator, run the isakmp key password address xx.xx.xx.xx netmask 255.255.255.255 command, where password is the preshared key. Make sure the key used on the Concentrator and on the PIX matches exactly.
3. Cannot connect to VPN when running security software
Some ports need to be opened in security software such as BlackIce (BlackIce has some issues with Cisco VPN clients), Zone Alarm, Symantec and other Internet security programs for Windows, as well as ipchains and iptables on Linux. If users open the following ports in the security software, they can still connect to the VPN:
UDP ports 500, 1000 and 10000
IP protocol 50 (ESP)
The TCP port configured for IPSec/TCP
NAT-T port 4500
You may have configured ports for IPSec/UDP and IPSec/TCP. You need to open these configured ports in the client's security software.
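The port list above, expressed as iptables rules that are limited to a single VPN gateway rather than opened to every address. This is an added example, not part of the original article; the function name vpn_client_rules, the gateway address 192.0.2.10 (a documentation address) and the IPSec/TCP port 10000 are assumptions, and the function only prints the rules so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for the VPN client
# ports listed in the article, scoped to one VPN gateway address.
# The gateway address and the TCP port are assumptions set by the caller.

vpn_client_rules() {
    gateway=$1      # address of the Concentrator or PIX
    tcp_port=$2     # port configured for IPSec/TCP; empty if not used

    # Refuse a missing gateway so the ports are never opened to any source.
    if [ -z "$gateway" ]; then
        echo "usage: vpn_client_rules GATEWAY [TCP_PORT]" >&2
        return 2
    fi
    # Validate the optional TCP port before it ends up in a rule.
    if [ -n "$tcp_port" ]; then
        case $tcp_port in
            *[!0-9]*) echo "invalid TCP port: $tcp_port" >&2; return 2 ;;
        esac
        if [ "$tcp_port" -lt 1 ] || [ "$tcp_port" -gt 65535 ]; then
            echo "TCP port out of range: $tcp_port" >&2
            return 2
        fi
    fi

    # UDP ports from the list above, plus NAT-T on 4500.
    for port in 500 1000 10000 4500; do
        echo "iptables -A OUTPUT -p udp -d $gateway --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $gateway --sport $port -j ACCEPT"
    done
    # ESP is IP protocol 50 and has no port numbers.
    echo "iptables -A OUTPUT -p esp -d $gateway -j ACCEPT"
    echo "iptables -A INPUT -p esp -s $gateway -j ACCEPT"
    # IPSec/TCP only when a port was configured on the VPN endpoint.
    if [ -n "$tcp_port" ]; then
        echo "iptables -A OUTPUT -p tcp -d $gateway --dport $tcp_port -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $gateway --sport $tcp_port -j ACCEPT"
    fi
}

# Constructed sample values: documentation address, assumed TCP port.
vpn_client_rules 192.0.2.10 10000
```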
4. Cannot access resources on the home network when connecting to VPN
This error usually occurs when split tunneling is turned off. Split tunneling can pose a number of security risks, but these risks can be limited to some extent by reasonable security policies that are automatically pushed to the workstations on the network (for example, a policy may require an antivirus program to be installed or the firewall to be enabled on the system). On PIX, use the following command to run split tunneling:
You need to use the appropriate access-list command to define the IP addresses that are reached through the encrypted tunnel and the addresses that are reached unencrypted. For example, use the command access-list split_tunnel_acl permit ip 10.0.0.0 255.255.0.0 any to allow that IP address range to be reached both through the encrypted tunnel and unencrypted.
On the Cisco 3000 Series VPN Concentrator, you need to declare, by network, what must be sent through the encrypted tunnel. Go to Configuration > User Management > Base Group, and on the Client Config tab select the Only Tunnel Networks In The List option. Create a list of all networks at your site that need to be covered by the VPN, and select this network list in the Split Tunneling Network List box.
5. IP address conflict
This is a typical error on certain operating systems, and can be difficult to troubleshoot. Version 4.6 of the Cisco VPN client tried to fix these IP address conflicts, but it did not always work. The IP conflict hinders the transmission of traffic through the VPN tunnel.
To handle this error, do the following: go to Start > Control Panel > Network And Dialup Connections > Local Adapter, then right-click the adapter and select Properties. In the Properties dialog box, select TCP/IP and click the Properties button. Click Advanced, find the Interface Metric option, and set the value in the box to 1. This value tells the computer to use the local adapter second. The VPN adapter may have a metric value of 1 (lower than the new metric value), which makes it the first choice as a traffic destination.
6. Error of router firmware on VPN client
Cisco VPN clients have problems with some older router firmware versions (even for new routers). If you continue to experience connection problems, you should update the firmware in the router, especially with older routers. Cisco clients often encounter these errors when using the following types of routers:
Linksys BEFW11S4 with firmware lower than 1.44.
Asante FR3004 Cable/DSL Routers with firmware lower than 2.15.
Nexland Cable/DSL Routers model ISB2LAN.
7. Connection failed on the workstation
In this situation, the user will see an error message like this:
VPN Connection terminated locally by the Client. Reason 403: Unable to contact the security gateway.
This error may be caused by 2 of the following 3 problems:
The user may have entered the wrong group password.
Users may not enter the correct name or IP address for the remote VPN endpoint.
Users may be experiencing Internet connectivity problems.
Basically, IKE has failed for some reason. Check the client logs (enable logging via Log > Enable) and look for Hash Verification Failed errors to fix them.
8. Error setting up a VPN connection from a NAT device
This problem can occur on all Cisco VPN hardware when IPSec is used across a device that changes packet headers during transmission.
If a PIX firewall serves as both your firewall and your VPN endpoint, open port 4500 and enable NAT-Traversal in the configuration using the isakmp nat-traversal 20 command, where 20 is the NAT keepalive time. If you have a separate firewall and a Cisco VPN Concentrator, simply open UDP port 4500 on the firewall with the Concentrator as the destination. Then, on the Concentrator, go to Configuration > Tunneling and Security > IPSec > NAT Transparency and check the IPSec Over NAT-T option. In addition, make sure that all workstations in use support NAT-T.
9. The connection is not smooth
To fix this, first turn off Standby, Hibernate and the screen saver. Standby and Hibernate can drop the network connection while the VPN client expects a persistent link to the VPN server. Users may also have configured their device to turn off the network adapter after a certain period of time to save power.
If the user is on Wi-Fi, a poor signal may cause the VPN to disconnect. Users may also be experiencing problems with the network, the router or the Internet connection, as well as other physical faults.
It may also be that the VPN endpoint (PIX or 3000 Concentrator) is exhausted, which can cause this error on the workstation.
10. The workstation is still visible in the VPN network when the connection is canceled
Another error is that a computer on the user's network cannot ping the VPN machine, even though that computer still sees all the other computers on the network. This happens because the user may have enabled the VPN client's built-in firewall. Once enabled, this firewall always runs, even when the client is turned off. To fix this error, open the client on the workstation and, on the options page, clear the check box next to the Stateful Firewall option.