
VPN Connection is Slow

Topics in this section: VPN slow issues; Client can log on but can't browse the LAN or browses the LAN slowly; "The Network name is no longer available", VPN drops the connection, VPN is very slow.

VPN slow issues

Symptom 1: You experience extreme slowness while accessing remote resources over the VPN.
Cause: This could be an MTU issue.
Suggestion: Determine the optimal MTU. If you need to modify the MTU size and wonder how to determine the optimal MTU for your system, see http://www.howtonetworking.com/VPN/mtu4.htm.

Symptom 2: When running an application over the VPN, it takes over 10 minutes to open it.
Causes: 1. The application is written for a LAN, not for a WAN. 2. The VPN client runs the application using a name instead of an IP address.

Symptom 3: Browsing the shared folders of remote computers is very slow; for example, changing from one folder to another takes around 5 minutes.
Cause: The Computer Browser service involves NetBIOS and name resolution.
Suggestion: 1. Use the IP address instead of the host name. 2. Use TCP/IP only.

Symptom 4: Browsing some shared folders is normal while others are very slow.
Cause: If a folder has too many subfolders and files, browsing it may be slow.

Symptom 5: Downloads on the VPN client are very slow after establishing the VPN.
Cause: The VPN client may be using the remote network's gateway.
Suggestion: Change the default gateway from remote to local. To do this, go to the properties of the VPN connection > Properties of TCP/IP > Advanced, and uncheck "Use default gateway on remote network".

Symptom 6: The client runs Access over the VPN, and it takes several minutes to open a database.
Suggestion: Set up a Terminal Server running Access, then have all VPN clients run a TS session over the VPN.

Client can log on but can't browse the LAN or browses the LAN slowly

1. It is better to set the workgroup to match the domain name on all Win9x clients.
2. You might not want your clients to browse if you have more than 15 or 20 nodes, because browsing a large network over a slow dial-up connection can be extremely slow. Instead, predefine or manually map UNC connections to the needed shares and resources after establishing the VPN.
3. Make sure you have correct IP, default gateway, DNS and WINS settings.

"The Network name is no longer available", VPN drops the connection, VPN is very slow

Symptoms:
1. You have set up a VPN to connect two offices through DSL lines successfully. Both offices can browse over the VPN without problems. You can copy a small file between the two offices, but copying a large file may drop the VPN connection with the message "The Network name is no longer available".
2. You have set up a VPN server in the office for home users accessing it through DSL. The VPN clients can access the office without any problems, but the speed is very slow. You may also receive the "The Network name is no longer available" message when you try to copy a file from the VPN client to the server.
Resolution: modify the MTU (http://www.howtonetworking.com/VPN/mtu1.htm).

Can't run logon scripts - Can't access roaming profiles and home folders

Symptoms:
1. When a user connects as a VPN client, he can't run the logon scripts and can't access group policies, roaming profiles, or home folders.
2. You may receive the following event: Event ID 5719 - No Windows NT or Windows 2000 domain controller is available for domain {domain name}. The following error occurred: There are currently no logon servers available to service the logon request.
3. When checking ipconfig, you may find that the client is configured to use p-node or m-node for NetBIOS name resolution. Note: This node type may have been set manually, or through a Dynamic Host Configuration Protocol (DHCP) lease that sets DHCP option 46.

Resolutions: This problem is the result of a timing issue that prevents the RAS client from locating a logon server.
1. Apply the latest service pack.
2. You can work around this problem by using hybrid mode (h-node).

Can't run logon script by using VPN

Symptoms: When trying to log on to a domain from a W2K/XP VPN client, you may not be able to run the logon script or access group policies, roaming profiles, and home folders. The following event may also be logged in the System event log: "Event ID 5719 No Windows NT or Windows 2000 domain controller is available for domain {domain name} the following error occurred: There are currently no logon servers available to service the logon request." This problem occurs only if the client is configured to use p-node or m-node for NetBIOS name resolution. This node type may have been set manually, or through a Dynamic Host Configuration Protocol (DHCP) lease that sets DHCP option 46.
Resolutions:
1. Run regedit to change the NetBIOS name resolution mode to hybrid mode.
2. Or download the latest service pack for Windows 2000.

How to authenticate a remote client to the DC
1. Set up a site-to-site VPN.
2. Use "Log on using Dial-Up connection".

How to limit VPN user logon time
1. If you have a domain controller, set up Logon Hours under AD Users and Computers.
2. Use a Remote Access Policy to set up the access time (see attached).
3. Use the net user command line to restrict logon hours.

VPN logon using NT logon ID and password
To let a user log on over the VPN using the same NT logon ID and password, you can 1) set up the VPN user ID and password to be the same as the NT ID and password; or 2) authenticate against a RADIUS server and then point it to the NT domain server for PPTP user authentication.

Can ping VPN server only but not other resources

Symptom: After establishing the VPN, you can ping and access the VPN server, but not other servers and network resources.
Causes: 1. Incorrect NAT/firewall settings. 2. ISA/proxy blocking. 3. IP routing/forwarding disabled.

Can't access the internal server when remote client establishes VPN

Symptoms: Two offices are connected using a VPN. Both offices run W2K servers with RAS and TS. When office A connects to office B, you cannot connect to office A from anywhere except from office B. You cannot connect using TS or a VPN connection. In order to gain access to office A, you have to connect to office B and disconnect the client in RAS; then you can connect to office A.
Resolution: When establishing the VPN to office A, the routing table changes. To fix this issue, disable "Use default gateway on remote network" on the VPN client connection, or modify the routing table manually.

Can't access the Internet while using VPN

Symptom: After establishing a VPN connection, you may not be able to access the Internet, because the VPN takes over your existing connection and forces all traffic to use the VPN default gateway on the remote network. The remote network may not allow VPN clients to access the Internet via its gateway.
Resolutions:
1. If you don't need to access the entire set of VPN resources, disable the "Use default gateway on remote network" option in the properties of the VPN connection.
2. Edit the route table manually if you know how to, or check the routing page on this web site.
3. For security reasons, some firewalls/routers such as the Cisco PIX do not allow Internet access after establishing the VPN, and you cannot modify the routing table. You may set up split tunneling.

Can't access the remote network after unchecking "Use default gateway on Remote Network"

Symptom: After following the above instructions and unchecking "Use default gateway on Remote Network" on the VPN connection, you can't access the remote network any more. For example, your LAN network is 192.0.0.0 with default gateway 192.0.0.1; the VPN is 192.0.1.0 with gateway 192.0.1.1, which connects to the remote network 10.0.0.0. After establishing the VPN connection and unchecking "Use default gateway on Remote Network", your computer uses 192.0.0.1 as its gateway instead of 192.0.1.1 and cannot find a route to the 10.0.0.0 network.
Resolution: Modify the route table manually, or refer to our Routing page on this web site. Or check "Use default gateway on Remote Network" on the VPN connection.

Can't access the remote network from VPN clients

Symptoms: Your VPN client can ping/access the server but not other computers in the remote network.
Resolutions:
1. If you have two NICs in the VPN server, you may need to enable IP routing. To do this, go to RRAS > Properties of the server > IP, and check IP Routing.
2. Make sure you don't uncheck "Use default gateway on remote network" on the VPN client's VPN connection.
3. Make sure the VPN client's LAN and the remote LAN are using different IP ranges and subnets.
4. Check the routing table for troubleshooting.

Can my VPN server act as a VPN server and also as a router?

Symptoms: If you enable VPN on a server, RRAS accepts incoming VPN connections only and secures RRAS by enabling filters that accept only PPTP or L2TP traffic. Network traffic over the VPN connections and the internal LAN connection is then normal, but RRAS will not forward any packets other than PPTP or L2TP traffic over the external interface.
Resolution: If you want your server to be a VPN server and also act as a router, select "Manually configured server" from the above options and configure RRAS as a router.

Connectivity issue after enabling VPN in multihomed server

Symptoms: After you enable VPN on a server as a router or with two or more NICs, you may experience some issues: 1) the internal computers can't access the Internet; 2) outside VPN clients can't access the VPN server; 3) you can't access the server using TS and VNC from the internal network or from outside.

Causes: For security reasons, RRAS modifies the routing table and enables incoming VPN connections only, so that no packets other than PPTP or L2TP traffic are forwarded over the interface. For consultants, refer to case 090804RL.

TTL expired in transit and Destination host unreachable

Symptoms: After enabling VPN on a Windows 2000 server, you may have these issues: 1. From the server, you receive "Destination host unreachable" when pinging an outside IP. 2. You receive a time out or "Reply from x.x.x.x: TTL expired in transit" when pinging the server from outside.
Cause: The outside NIC filter is enabled.

Can ping FQDN but not host name

Symptoms: After establishing the VPN, you can't ping the server by name. However, you can ping the FQDN, for example, server1.chicagotech.net.
Case 1: The VPN user can access all servers using the host name except one, although we can ping that server using its IP or FQDN. We found his laptop has an lmhosts file pointing the server name at a different IP address. After removing the IP address from lmhosts, it works.
Case 2: Missing DNS suffixes. Set up the DNS suffixes.
Case 3: Install the WINS server on the VPN server and assign the WINS server to the VPN client.

Can't ping VPN client by name

Symptom: You can ping the VPN client by IP, but when attempting to ping a VPN client by name from the remote LAN, you get a time out.
Resolution:
1. If you have correct DNS and WINS settings, you should be able to ping the VPN client by name.
2. If you get the time out with a different IP (for example, the pinged IP is 192.168.100.7 and the real IP is 192.168.100.13), check the DNS and WINS records and delete the 192.168.100.7 entry.
3. If the DNS and WINS records don't show the client record, make sure the client points to the same, correct DNS and WINS servers.
4. If the VPN client doesn't register in DNS, you may need to go to the VPN connection properties > Networking > TCP/IP. On the DNS tab, enter the DNS server IP in "DNS suffix for this connection" and check "Register this connection's addresses in DNS". Or use the ipconfig /registerdns command.
5. Also make sure all computers are pointing to the same DNS.
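The default-gateway behaviour described in the sections above ("Can't access the Internet while using VPN" and "Can't access the remote network after unchecking 'Use default gateway on Remote Network'") comes down to which route table entry wins. The following Python model is an added example written for this page, not code from chicagotech.net: it performs the longest-prefix, lowest-metric lookup Windows uses to pick a next hop, using the page's own addresses (LAN 192.0.0.0 via 192.0.0.1, VPN 192.0.1.0 via 192.0.1.1, remote network 10.0.0.0). The /24 and /8 prefix lengths and the metric values are assumptions; the three configurations mirror "Use default gateway on remote network" on, off, and off with a manually added route.

```python
import ipaddress

# Route entry: (destination network, gateway, metric). Metrics are assumed values
# chosen so that the PPP (VPN) default route beats the LAN default route, as Windows
# does when "Use default gateway on remote network" is checked.
LAN_GW = "192.0.0.1"   # page example: local LAN 192.0.0.0, assumed /24
VPN_GW = "192.0.1.1"   # page example: VPN link 192.0.1.0, assumed /24
REMOTE = "10.0.0.0/8"  # page example: remote network 10.0.0.0, assumed /8


def client_routes(use_remote_gateway, manual_route=False):
    """Build the client's route table for one of the three configurations on the page."""
    routes = [
        ("192.0.0.0/24", LAN_GW, 20),   # directly connected LAN
        ("192.0.1.0/24", VPN_GW, 1),    # the PPP/VPN interface
        ("0.0.0.0/0", LAN_GW, 20),      # normal default route via the LAN router / ISP
    ]
    if use_remote_gateway:
        # A second default route with a lower metric sends *all* non-local
        # traffic into the tunnel, including Internet traffic.
        routes.append(("0.0.0.0/0", VPN_GW, 1))
    if manual_route:
        # Equivalent of the manual fix on Windows:
        #   route add 10.0.0.0 mask 255.0.0.0 192.0.1.1
        routes.append((REMOTE, VPN_GW, 1))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    dst = ipaddress.ip_address(destination)
    best_key, best_gw = None, None
    for net, gw, metric in routes:
        net = ipaddress.ip_network(net)
        if dst in net:
            key = (net.prefixlen, -metric)     # more specific first, then cheaper
            if best_key is None or key > best_key:
                best_key, best_gw = key, gw
    return best_gw


if __name__ == "__main__":
    for label, routes in [
        ("remote gateway ON ", client_routes(True)),
        ("remote gateway OFF", client_routes(False)),
        ("OFF + manual route", client_routes(False, manual_route=True)),
    ]:
        print(label, "10.0.0.5 ->", next_hop(routes, "10.0.0.5"),
              "| Internet host ->", next_hop(routes, "198.51.100.9"))
```

With the remote gateway on, both the 10.0.0.0 host and the Internet host are sent to 192.0.1.1 (the "can't access the Internet" symptom); with it off, the 10.0.0.0 host falls back to 192.0.0.1 (the "can't access the remote network" symptom); the manually added 10.0.0.0 route sends only remote-network traffic through the tunnel and keeps the Internet on the local gateway.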

Connection issues on DC, ISA, DNS and WINS server as VPN server

Symptom: You have a Windows 2000/2003 server configured as a VPN server that also runs DNS and WINS, and you experience connection issues:
1) the internal computers can't ping the server by name;
2) if the server is a DC and Master Browser, you may have a computer browsing issue;
3) you may receive Event ID 4319 - A duplicate name has been detected on the TCP network;
4) you may receive error messages like "No Logon Servers Available to Service your Logon Request" when you try to open file shares or map network drives to the Routing and Remote Access server;
5) if the server is also a DC, you may not be able to log on to the domain;
6) if the server is also running ISA, you cannot browse the Web from client computers on the local network, regardless of whether the computers are configured to use Web Proxy or the Microsoft Firewall Client. For example, "The page cannot be displayed" may appear in the Web browser with a "cannot find server or DNS" error message.

Cause: When a VPN client connects to the VPN server, the server creates a PPP adapter to communicate with the remote computer. The server may then register the IP address of this PPP adapter in the DNS or WINS database. When the internal computers try to connect to the IP address of the PPP adapter, they cannot reach it, and the connections fail.

Resolution: See "Name resolution and connectivity issues on a RRAS that also runs DC, DNS or WINS".

How to assign DNS and WINS on VPN client manually

Name resolution is a big issue in VPN access. If your VPN server is not set up correctly or the VPN client can't receive the VPN DNS and WINS settings, you may set them up yourself. To do this, go to the VPN connection > Properties > TCP/IP properties > Advanced. Click the DNS and WINS tabs to assign the VPN server's DNS and WINS.
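Two client-side causes described earlier on this page (a p-node or m-node NetBIOS node type behind Event ID 5719, and the stale lmhosts entry in "Can ping FQDN but not host name") can both be spotted in text an administrator already collects. The following Python example is added for this page and is not chicagotech.net's code: it reads the Node Type line from ipconfig /all output and compares lmhosts entries against the addresses the administrator expects. The ipconfig text, the lmhosts file and the expected-address table are constructed samples; the NodeType registry values (1 = b-node, 2 = p-node, 4 = m-node, 8 = h-node, under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters) are from Microsoft's NetBT documentation, not from this page.

```python
import re

# Constructed sample of "ipconfig /all" output, not captured from a real host.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : laptop1
   Primary Dns Suffix  . . . . . . . : chicagotech.net
   Node Type . . . . . . . . . . . . : Peer-Peer
   IP Routing Enabled. . . . . . . . : No
"""

# Constructed lmhosts file; the second server1 line is the stale entry from the page's case.
LMHOSTS_SAMPLE = """\
# lmhosts (constructed sample)
192.168.100.13   server1    #PRE #DOM:chicagotech
192.168.100.7    server1    #PRE
192.168.100.20   printsrv
"""

# Addresses the administrator expects from DNS/WINS (constructed for the example).
EXPECTED = {"server1": "192.168.100.13", "printsrv": "192.168.100.20"}

# NetBT NodeType registry values; only Hybrid (h-node) avoids the Event ID 5719 issue.
NODE_TYPE_VALUES = {"Broadcast": 1, "Peer-Peer": 2, "Mixed": 4, "Hybrid": 8}
PROBLEM_NODE_TYPES = ("Peer-Peer", "Mixed")   # p-node and m-node, as ipconfig names them


def node_type(ipconfig_text):
    """Return the Node Type reported by ipconfig /all, or None if the line is missing."""
    m = re.search(r"^\s*Node Type[ .]*:\s*(\S+)", ipconfig_text, re.MULTILINE)
    return m.group(1) if m else None


def node_type_finding(ipconfig_text):
    """Describe the fix when the client uses p-node or m-node; None when it is fine."""
    nt = node_type(ipconfig_text)
    if nt in PROBLEM_NODE_TYPES:
        return (f"Node Type is {nt} (NodeType={NODE_TYPE_VALUES[nt]}); set NodeType to "
                f"{NODE_TYPE_VALUES['Hybrid']} (Hybrid) or correct DHCP option 46")
    return None


def parse_lmhosts(text):
    """Yield (ip, name, keywords) for each active lmhosts entry; comment lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # #PRE and #DOM: are lmhosts keywords, not comments, so keep them.
        keywords = [f for f in fields[2:] if f.upper().startswith(("#PRE", "#DOM:"))]
        yield fields[0], fields[1].lower(), keywords


def stale_lmhosts_entries(lmhosts_text, expected):
    """Return (name, lmhosts_ip, expected_ip) for entries that contradict the expected address."""
    stale = []
    for ip, name, _ in parse_lmhosts(lmhosts_text):
        want = expected.get(name)
        if want is not None and want != ip:
            stale.append((name, ip, want))
    return stale


if __name__ == "__main__":
    print(node_type_finding(IPCONFIG_SAMPLE))
    for name, ip, want in stale_lmhosts_entries(LMHOSTS_SAMPLE, EXPECTED):
        print(f"lmhosts maps {name} to {ip} but DNS/WINS says {want}; remove the stale line")
```

Because lmhosts entries with #PRE are preloaded into the NetBIOS name cache, a stale line wins over DNS and WINS for that name, which is exactly why the laptop in Case 1 could reach the server by FQDN or IP but not by host name.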

Name resolution issue in a VPN client

To assign DNS and WINS to a VPN client for name resolution, configure the VPN server with the IP addresses of the appropriate DNS and WINS servers. The VPN client inherits the DNS and WINS configured on the VPN server. If name resolution does not work from the VPN server, it will not work for VPN clients. Note: WINS is name resolution for host names or NetBIOS names, and DNS is for FQDNs. If you can't ping the host name, try pinging the FQDN.

Name Resolution and Connectivity Issues on W2K Domain Controller with RRAS and DNS Installed

Symptoms: You may experience name resolution and connectivity issues if the W2K domain controller is configured with RRAS and DNS. After a remote client establishes a connection using Dial-Up Networking, one or more of the following symptoms may occur:
1. Internal clients may no longer be able to browse the Web.
2. A "cannot find server or DNS" error occurs when using nslookup.
3. When pinging the name of the server from an internal client, it returns an address other than the IP address that is bound to the server's internal adapter.
4. You cannot browse the list of computers in Network Neighborhood or My Network Places.
5. You may receive Event ID 4319, Source: Netbt. Description: A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use NBTSTAT with the -n switch in a command window to see which name is in a conflict state.
6. W2K/XP clients cannot map a network drive to the server. The client may receive the following error message: No Logon Servers Available to Service your Logon Request.
Resolutions:
1. Install the latest service pack.
2. Make sure the clients have correct DNS and WINS settings.
3. Disable NetBIOS for all RRAS connections.
4. Double-click the entries for servername[00h] and servername[20h] to verify that there is only one IP address on them.

Note: Refer to MS Q292822.

"No domain server was available" while the dialup connection is active

Symptom: You have a Windows 2000 domain controller with DNS, DHCP, WINS and a dial-up connection. Whenever the dial-up connection is active, no client can log on, and clients get the message "No domain server was available to validate your password. You may not be able to gain access to some network resources".
Resolution: On the server, make sure "Register this connection's addresses in DNS" is not checked under the TCP/IP Advanced DNS settings of the dial-up connection. To check this, go to the Properties of the dial-up connection > Properties of TCP/IP > Advanced > DNS, and uncheck "Register this connection's addresses in DNS".

VPN server is a Virtual Multihomed Server

After enabling RRAS on a DC with WINS and DNS server, you may have Master Browser, WINS and/or connectivity issues. The reason is that the VPN server is a virtual multihomed server. The resolution is to disable NetBIOS over TCP/IP and DNS registration on all interfaces, including RRAS interfaces, except the internal interface.

VPN clients don't appear in remote LAN's Network Neighborhood/My Network Places

Normally, VPN clients don't appear in Network Neighborhood/My Network Places on the LAN. If you want the VPN clients to appear in the LAN browse list, you may need to install NetBEUI on the RAS server and RAS clients. This peculiarity is a known problem with RAS, but no fix is available at press time. http://www.chicagotech.net/casestudy/vpncases.htm

Don't have IP protocol 47 (GRE)

A PPTP connection will fail if the firewall/router blocks GRE, which is IP protocol 47, and you may receive error 721. If your router does not mention GRE by name or by IP protocol number, look for switches like "PPTP pass-through", "PPTP Forwarding" or even "VPN pass-through mode". In some routers, you may have an option to open other ports.

Port 42 for name resolution

To use VPN, you may need to open port 42 for name resolution.

Can access the mail system but not shares

Symptoms: 1) After establishing a VPN, the VPN client can access the mail system to receive/send mail, but can't access other network resources. 2) When attempting to access a shared folder, the client may be asked for a username and password. 3) Some users may not have this issue.
Cause: This is a cached credentials issue, especially if you use a third-party VPN. For consultants, refer to case 0304TL.

How to browse via incoming connection

Assuming you don't have DNS, WINS or another name resolution option to resolve NetBIOS names, you should use IP addresses to browse the remote computers after establishing the connection. To do this, find the IPs by double-clicking the VPN connection icon > Details. This will give you the "virtual" IP allocated to both machines. Then use the net use command to map the remote computer. If you get an access denied error, try adding the /user:username option to cache credentials.

Unable to access the resources on the network

1) Check the DNS and WINS settings. 2) Verify that either the protocol is enabled for routing or the "Entire network" option is selected for the LAN protocols being used by the VPN clients.

Unable to browse through PPTP/VPN connection

Symptoms:
1. If the WINS server is on the same computer as the PPTP/VPN server, and you attempt to connect to a computer using a PPTP/VPN client, you may experience the following problems: 1) The NetBIOS name of the computer to which you are attempting to connect is not resolved. 2) You may receive an error message similar to "System error 53 has occurred. The network path was not found" when using net view or opening Network Neighborhood.
2. If the WINS server is not on the same computer as the PPTP server and you attempt to connect to a computer using a PPTP client, you may be able to connect to computers on your local area network (LAN), but you may be unable to connect to network shares or resources on the PPTP server.
Resolutions: Inability to browse often means the client can't resolve NetBIOS names.
1. If this is a workgroup network, enable NetBIOS over TCP/IP on the server and clients.
2. If this is a domain network and the WINS server is on the same computer as the PPTP/VPN server, move the WINS server to a different computer.
3. Add the NetBEUI protocol for your PPTP tunnel instead of, or in addition to, TCP/IP.
4. By default, most routers and firewalls prevent the transmission of NetBIOS names unless you enable UDP ports 137 and 138 and TCP port 139. Try enabling UDP ports 137 and 138 and TCP port 139 across all routers and firewalls between the PPTP/VPN client and PPTP/VPN server.
5. Make sure the client has correct DNS, WINS and Master Browser settings.
6. Make sure the default gateway points to the remote network rather than to the ISP.
7. Some ISPs might block ports required for NetBIOS name broadcasts.
8. If the WINS address is not distributed upon connection to the VPN, LMHOSTS should be configured so that the domain can be located.
9. If you try these techniques and the client still can't browse, try using a UNC path to connect to the remote resources by IP, for example, the net use h: \\serverip\sharename command.
http://www.chicagotech.net/vpnerrors.htm
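Several sections on this page come down to one question: does every device between the VPN client and server pass the traffic the tunnel needs? The following Python example is added for this page and is not chicagotech.net's code. It checks a firewall rule list against the requirements the page states: GRE, IP protocol 47, for PPTP (error 721 when blocked); UDP 137/138 and TCP 139 for NetBIOS browsing (item 4 above); and, for L2TP/IPSec, IP protocols 50 and 51 with UDP 500 from the IPSec section further down, plus UDP 1701 from the ipsecmon sample there. TCP 1723 (the PPTP control channel) and UDP 4500 (IPSec NAT traversal) are added from general knowledge, not from the page; the rule list is a constructed sample.

```python
# Traffic that must be allowed end to end for each tunnel type.
# ("ip", n) means IP protocol number n (no port); other entries are (transport, port).
REQUIREMENTS = {
    "pptp": {("tcp", 1723),          # PPTP control channel (general knowledge, not on the page)
             ("ip", 47)},            # GRE, IP protocol 47 (page: error 721 when blocked)
    "l2tp-ipsec": {("udp", 500),     # IKE (page)
                   ("udp", 1701),    # L2TP (page: ipsecmon sample shows Src. port 1701)
                   ("udp", 4500),    # NAT-T (general knowledge, not on the page)
                   ("ip", 50),       # ESP (page)
                   ("ip", 51)},      # AH (page)
    "netbios": {("udp", 137), ("udp", 138), ("tcp", 139)},   # page, browsing item 4
}

# What to tell the administrator when a particular item is blocked.
HINTS = {
    ("ip", 47): "GRE blocked: PPTP fails with error 721; look for 'PPTP pass-through'",
    ("udp", 137): "NetBIOS name service blocked: names will not resolve across the tunnel",
    ("udp", 138): "NetBIOS datagram service blocked: browse lists will not cross the tunnel",
    ("tcp", 139): "NetBIOS session service blocked: shares fail with 'System error 53'",
}

# Constructed sample rule set: (transport or "ip", port or protocol number, action),
# evaluated first match wins, as on most firewalls. Anything unlisted is denied.
SAMPLE_RULES = [
    ("tcp", 1723, "allow"),
    ("udp", 500, "allow"),
    ("udp", 1701, "allow"),
    ("ip", 50, "allow"),
    ("tcp", 139, "allow"),
    ("ip", 47, "deny"),
    ("ip", 47, "allow"),      # shadowed by the deny above: never reached
]


def allowed(rules):
    """Effective allow set under first-match-wins."""
    decision = {}
    for proto, num, action in rules:
        decision.setdefault((proto, num), action)   # first rule for an item wins
    return {item for item, action in decision.items() if action == "allow"}


def missing_for(rules, tunnel):
    """Required (proto, number) items that the rule set does not allow, sorted."""
    return sorted(REQUIREMENTS[tunnel] - allowed(rules))


def report(rules, tunnel):
    """One human-readable line per blocked requirement."""
    lines = []
    for proto, num in missing_for(rules, tunnel):
        hint = HINTS.get((proto, num), "open it on every hop between client and server")
        lines.append(f"{tunnel}: {proto.upper()} {num} not allowed. {hint}")
    return lines


if __name__ == "__main__":
    for tunnel in REQUIREMENTS:
        for line in report(SAMPLE_RULES, tunnel) or [f"{tunnel}: all required traffic allowed"]:
            print(line)
```

The shadowed "allow" rule for GRE is deliberate: on a first-match firewall an earlier deny silently wins, which is the kind of misconfiguration that produces error 721 even though an allow rule "exists".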

The ports that need to be open for IPSec: IP protocols 50 (ESP) and 51 (AH), and UDP port 500.

Time out when using ping command

Symptom 1: You have a correct Windows IPSec client setup, and you can ping the remote IP of the VPN when there is no Cisco PIX firewall in the path. But if your computer is behind the PIX, you get a time out when attempting to ping the remote IP of the VPN.
Cause 1: The PIX may have the same IP pool as the IP subnet of the remote VPN.

Symptom 2: You are accessing a VPN and are assigned 192.168.1.2. You get a time out when attempting to ping the remote computer with the IPSec client setup.

Cause 2: The IPSec connection is using the same IP range as 192.168.1.0. Un-assigning the IP filter will disable IPSec.
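Causes 1 and 2 above, like item 3 of "Can't access the remote network from VPN clients" earlier on the page, are the same fault: the address pool handed to the client overlaps the subnet it is trying to reach, so the client's own interface route covers the destination and the packet never enters the tunnel. The following Python example is added for this page and is not chicagotech.net's code; it checks an address plan for overlapping ranges and shows which destinations a client would treat as local. The subnet names and the /24 prefix lengths are constructed; the 192.168.1.2 client address and the 192.168.1.0 range come from Symptom 2.

```python
import ipaddress


def overlapping_pairs(plan):
    """Return (name_a, name_b) for every pair of ranges in the plan that overlap."""
    nets = [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in plan.items()]
    hits = []
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                hits.append((a, b))
    return hits


def routed_locally(client_ip, client_prefixlen, destination):
    """True when the destination falls inside the client's own interface prefix.

    Such a destination is sent on the local link (via ARP), never into the IPSec
    tunnel, which is why the ping in Symptom 2 times out.
    """
    local = ipaddress.ip_network(f"{client_ip}/{client_prefixlen}", strict=False)
    return ipaddress.ip_address(destination) in local


# Constructed address plan reproducing Cause 1 / Cause 2 (prefix lengths assumed /24).
BROKEN_PLAN = {
    "pix_client_pool": "192.168.1.0/24",      # pool assigned to VPN clients (Symptom 2: 192.168.1.2)
    "remote_vpn_subnet": "192.168.1.0/24",    # subnet behind the remote IPSec gateway
    "client_home_lan": "10.0.0.0/24",
}

# The same plan after renumbering the client pool to a range nobody else uses.
FIXED_PLAN = dict(BROKEN_PLAN, pix_client_pool="172.16.50.0/24")


if __name__ == "__main__":
    print("broken plan overlaps:", overlapping_pairs(BROKEN_PLAN))
    print("fixed plan overlaps: ", overlapping_pairs(FIXED_PLAN))
    print("192.168.1.2/24 treats 192.168.1.50 as local:",
          routed_locally("192.168.1.2", 24, "192.168.1.50"))
    print("172.16.50.2/24 treats 192.168.1.50 as local:",
          routed_locally("172.16.50.2", 24, "192.168.1.50"))
```

Run the plan check before deploying a client pool; it is far cheaper than diagnosing the time out after the fact, and it also catches the "VPN client's LAN and the remote LAN use the same range" case, which no amount of IPSec policy editing will fix.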

Symptom 3: After creating an IPSec policy, you receive a time out when you ping the remote computer.
Cause 3: Incorrect IP Filter List or other IPSec settings. For consultants, refer to 101404RL.

Troubleshooting IPSec

1. Audit Policy: To troubleshoot IPSec when it does not behave the way that you expect, first check the results of the Phase One and Phase Two exchanges by enabling auditing, which causes security events to be logged in the security log of the Event Viewer.
2. Netdiag: netdiag /test:ipsec /debug. If both Phases are Outbound or Inbound, check the Tunnel Settings.
3. If the logged events indicate that the Phase One Main Mode exchange is failing, do both of the following: 1) Check the IKE settings in your IPSec policy properties: Click the General tab, click the Advanced tab, and then click the Methods tab. 2) Check the configured IKE authentication methods in your IPSec policy properties: Select the IP Security rule that you want to check, click Edit, and then click the Authentication Methods tab.
4. If the logged events indicate that Phase Two Quick Mode is failing, check the IPSec security methods configured on your IPSec rules in your IPSec policy properties: Select the IP Security rule that you want to check, click Edit, select the Filter Action tab, select the filter action that is enabled, and then click Edit.
5. IP Security Monitor: The IP Security Monitor can be used to monitor SAs and IPSec statistics. To start IP Security Monitor, click Start, click Run, and then type ipsecmon.
6. Checking the Oakley log: To enable the Oakley log, use Registry Editor to locate the following key in the registry, and if it does not exist, create it:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

Add a REG_DWORD value named EnableLogging with a value of 1 to this key. The Oakley.log file is created in the %SystemRoot%\debug folder. NOTE: A value of 0 for EnableLogging disables logging.
7. Check the VPN server log.
8. Netsh: You can use netsh ipsec static show gpoassignedpolicy or netsh ipsec dynamic show all to view the name of the active IPSec policy and the name of the Group Policy object to which the active IPSec policy is assigned. This can be useful for troubleshooting policy precedence issues. See "Viewing IPSec policy assignment information".

Other computers can't ping remote computers

Symptom: After creating a site-to-site IPSec connection, you can ping the remote computers from the IPSec-enabled computer, but not from other computers.
Resolution: Add routes to the routing table for accessing the remote computers.

Negotiating IP Security and never receive Reply

Symptom: After creating an IPSec policy, you may receive "Negotiating IP Security" when you ping the remote computer's IP, and you never receive the reply.
Cause: 1. Incorrect Tunnel Settings. 2. NAT/firewall blocks the traffic. 3. Mismatched key exchange, authentication method, or security method. For consultants, refer to 101404RL.

How to use Netdiag to view the policies of IPSec/L2TP

Without an active IPSec/L2TP connection, you can use netdiag to view the policy of IPSec/L2TP, for example, netdiag /test:ipsec /debug.

Note: The Netdiag tool is available after installing the Windows Support Tools package. The package is located in the Support\Tools folder on the Windows CD-ROM. After you install the package, Netdiag is located in the Program Files\Support Tools folder.

How to use Ipsecmon to view the policies of IPSec/L2TP

With an IPSec/L2TP connection, you can use the Ipsecmon utility to view the policies that are in effect. For example, you may see items similar to the following sample output for a default L2TP/IPSec connection (client-to-server or server-to-server):

Policy name: L2TP Rule
Security: ESP DES/CBC HMAC MD5
Filter name: No Name - Mirror
Source address: IP address or name of computer
Dest. address: IP address or name of computer
Protocol: UDP
Src. port: 1701
Dest. port: 0
Tunnel endpoint: <none>

IPSec name resolution issue

Symptom: You set up IPSec to connect two LANs, and you can ping each other by IP but not by name.
Cause: You have a name resolution issue; check the DNS and WINS settings. For consultants, refer to case 110704RL.
