LAB 7 IS3220 INFORMATION TECHNOLOGY INFRASTRUCTURE SECURITY
VPN connectivity troubleshooting checklist
1. Users can't access file servers If the user can access the file server using an IP address but not a name, then the most likely reason for failure to connect is a name resolution problem. Name resolution can fail for NetBIOS or DNS host names. If the client operating system is NetBIOS dependent, the VPN clients should be assigned a WINS server address by the VPN server. If the client operating system uses DNS preferentially, VPN clients should be assigned an internal DNS server that can resolve internal network host names.
When using DNS to resolve internal network host names for VPN clients, make sure that these clients are able to correctly resolve unqualified fully qualified domain names used on the corporate network. This problem is seen most often when non-domain computers attempt to use DNS to resolve server names on the internal network behind the VPN server.
2. Users can't access anything on the corporate network
Sometimes users will be able to connect to the remote access VPN server but are unable to connect to any resources on the corporate network. They are unable to resolve host names and unable to even ping resources on the corporate network.
The most common reason for this problem is that users are connected to a network on the same network ID as the corporate network located behind the VPN server. For example, the user is connected to a hotel broadband network and is assigned a private IP address on network ID 10.0.0.0/24. If the corporate network is also on network ID 10.0.0.0/24, they won't able to connect because the VPN client machine sees the destination as being on the local network and will not send the connection to the remote network through the VPN interface.
Another common reason for communications failures is that the VPN clients are not allowed access to resources on the corporate network due to firewall rules on the collocated VPN server/firewall device to which they are connected.
1. Users can't access file servers If the user can access the file server using an IP address but not a name, then the most likely reason for failure to connect is a name resolution problem. Name resolution can fail for NetBIOS or DNS host names. If the client operating system is NetBIOS dependent, the VPN clients should be assigned a WINS server address by the VPN server. If the client operating system uses DNS preferentially, VPN clients should be assigned an internal DNS server that can resolve internal network host names.
When using DNS to resolve internal network host names for VPN clients, make sure that these clients are able to correctly resolve unqualified fully qualified domain names used on the corporate network. This problem is seen most often when non-domain computers attempt to use DNS to resolve server names on the internal network behind the VPN server.
2. Users can't access anything on the corporate network
Sometimes users will be able to connect to the remote access VPN server but are unable to connect to any resources on the corporate network. They are unable to resolve host names and unable to even ping resources on the corporate network.
The most common reason for this problem is that users are connected to a network on the same network ID as the corporate network located behind the VPN server. For example, the user is connected to a hotel broadband network and is assigned a private IP address on network ID 10.0.0.0/24. If the corporate network is also on network ID 10.0.0.0/24, they won't able to connect because the VPN client machine sees the destination as being on the local network and will not send the connection to the remote network through the VPN interface.
Another common reason for communications failures is that the VPN clients are not allowed access to resources on the corporate network due to firewall rules on the collocated VPN server/firewall device to which they are connected.