Troubleshooting VPN Connections
Herb Poppe
hpoppe@ucar.edu
NCAR - SCD - DSG
(303) 497-1296
October 2003
Edition 1.0
Overview
While some network services at UCAR are made available to the public at large from external networks (the Internet), and some services (such as "internal" Web pages and the Time Card System) are available to staff from external networks through their UCAS login, many services (such as access to IMAP and POP e-mail servers) are restricted to access from internal UCAR networks only. The internal networks are separated from the external Internet by our security perimeter (firewall). While the security perimeter allows users on the internal networks to originate most protocol requests to, and receive replies from, the Internet, it blocks all protocol requests to protected hosts and most protocol requests to exposed hosts from the Internet. The security perimeter protects machines on the internal networks from malicious attack from external networks.
By connecting your laptop to UCAR's VPN (Virtual Private Network) server (a Cisco 3000 Series), you can securely access UCAR's internal networks from an external network just as if you had an Ethernet connection inside our security perimeter (firewall). At UCAR, you use VPN from our external conference room network (the .43 subnet) or wireless network. These networks are external because they are publicly accessible. At home, you use VPN in conjunction with your own ISP (Internet Service Provider) to access UCAR via a dial-up or broadband (cable, DSL, community wireless or satellite) connection. When you travel, you use VPN from an Ethernet or wireless connection at a company, university or hotel, or from a Global AT&T dial-up account, if you have one.
Note: if you dial up (either local or long distance) to UCAR's RAS (Remote Access Server), then you have a connection to the internal network and do not need to use VPN. (VPN could still be used for security reasons, but the client configuration for an internal connection is different from that for an external connection and won't be discussed here.)
This troubleshooting guide is aimed at situations you may encounter when you travel, where the networking infrastructure is not under your, or UCAR's, control. It assumes that your Cisco VPN Client (called the VPN Dialer in Version 3) has been properly installed and configured (IP address, group authentication name and password) to access UCAR's VPN server. Before you travel, you should ensure that you can successfully access UCAR via VPN.
Screenshots displayed below are from a system running the Cisco Version 4 VPN Client on Windows XP, with equivalent Version 3 Client screenshots from Windows 2000. You will see nearly the same interface on other supported Windows operating systems. The user interface of the Version 4 VPN Client running on Mac OS X is the same as that on Windows XP, with suitable allowances for the Aqua "look and feel".
Problem Areas
It is important that the Ethernet cable plug is properly seated in both the wallplate jack and the jack on your computer. Push the plug in until you hear or feel the latching lever click into place.
Some Ethernet cables have a vinyl sleeve that covers the plug; the sleeve is designed to prevent the latching lever from snagging on other cables when the cable is pulled across the floor. This sleeve may make it difficult to completely insert the plug into the jack. If you have this problem, just twist the sleeve back down the cable, away from the plug.
The network jack on your computer (or on the plug-in Ethernet card) may have lights that indicate an active Ethernet connection. Typically, when the Ethernet connection is active, one light will be lit continuously (usually green) to show the presence of carrier and another (usually yellow) will blink to show network activity. A red light usually indicates a serious problem. It would be a good idea to familiarize yourself with the behavior of these lights before you travel, so you will know what to expect on the road.
If these lights do not illuminate, you may have a bad cable or a bad card.
If you suspect a bad cable, ask for another. It is a good idea to carry your own network cable with you. This will be a lifesaver if the hotel supplied cable "walked off", and another cannot be immediately located.
If these lights do not illuminate, the wallplate jack may also be inactive. If you have arranged with the hotel for high-speed Internet access (for a fee), the hotel may not have activated the port since you registered, or they may have activated a jack in the wrong room. If there is more than one jack, you may have plugged into the wrong one.
You can determine if your machine has an active Ethernet connection by typing the command "command /K ipconfig /all" in the "Run" window displayed when you select "Run..." from the "Start" menu. (See Figures 1 and 2.) The "/K" switch keeps the window open after the command finishes so that you can read the output. On Windows NT, 2000 and XP, "cmd /K ipconfig /all" runs the same command in the native 32-bit command interpreter; "command" starts the 16-bit "command.com" emulation, which also works.
Figure 1: Open the "Run" window to test the wired connection.
Figure 2: Enter the "ipconfig" command in the "Run" window to test the wired connection.
Figure 3: Result from running the "ipconfig" command.
You do not have an active Ethernet connection if the line "Media State: Media disconnected." (or similar) appears in the "command.com" listing. Type "exit" to close the window.
The company or institution you are visiting, or the hotel at which you are staying, should provide you with instructions for accessing their wireless network. Contact their staff if you are having problems setting up access.
You can verify that you have "associated" (established a radio link) with a wireless access point and that the signal strength and quality are adequate. On Windows XP, select "Wireless Network Connection" from the "Connect to" menu item of the "Start" menu. (See Figure 4.) (Windows XP is used here as an example because it has a consistent wireless user interface regardless of the wireless card installed. On other Windows systems, the software, and its user interface, varies by vendor.)
Figure 4: Select "Wireless Network Connection" from the "Start" menu to display the "Wireless Network Connection Status" dialog box.
If the "Connect to" menu item is not shown in your "Start" menu, select "Control Panel" and navigate to, and select, "Network Connections". In the "Network Connections" window, open the "Wireless Network Connection" icon.
(You can customize the "Start" menu to display the "Connect to" menu item: right-click on the "Start" menu and select "Properties"; in the "Start Menu" tab of the "Taskbar and Start Menu Properties" dialog box, click on "Customize..."; in the "Advanced" tab of the "Customize Start Menu" dialog box, scroll down through the "Start menu items:" pane and select the "Display as Connect to menu" radiobutton for "Network Connections".)
If a wireless connection is not active, the "Wireless Network Connection" dialog box is displayed, showing available networks (if any). Consult Windows XP Help or the documentation supplied by the wireless site (hotel, conference, etc.) to learn how to establish a connection.
If you fail to associate, or the signal strength and quality are such that you cannot maintain a link, try moving closer to the access point. You must be within a few hundred feet of an access point for successful communication. Be sure there are no large metal objects between your computer and the access point.
IP address problems
In order to access Internet services, your machine must obtain a unique IP address that is compatible with the Ethernet segment or wireless link you have connected to. Normally the local site's DHCP server hands one out automatically; failing that, the site should provide you with the range of IP addresses that are appropriate for a connection to their network.
To discover the IP address assigned to your machine, type "command /K ipconfig /all" in the "Run" window displayed when you select "Run..." from the "Start" menu. (See Figures 1 and 2.) (In Windows XP this information can also be obtained by opening the "Network Connections" Control Panel, clicking on the "Wireless Network Connection" (or "Local Area Connection") icon, and looking at "Details" in the left-hand pane.)
Figure 6: Result from running the "ipconfig" command to list the IP address.
Here, the example system obtained the IP address "128.117.43.28" for the wired Ethernet port. If you see more than one adapter in the listing (wireless, for example), be sure to look at the one associated with your type of connection. Type "exit" to close the window.
If you obtain an IP address in the range 169.254.XXX.XXX, you probably did not receive an address from a DHCP server. Addresses in this range are so-called "auto-configuration addresses" and are usually the result of connecting to a network with no DHCP server, or one that did not answer (see below). Such an address only lets you talk to other auto-configured machines on the same link; it will not get you to the Internet or to the VPN server.
When all computers were big and heavy, it was unlikely that they would be moved around and connected to different networks. They were configured with a static IP address. Laptops, on the other hand, are quintessentially portable, and with the popularity of built-in Ethernet and wireless networking, they may easily be connected to many different networks. Laptops should be configured to obtain their IP address dynamically, typically from a DHCP server. If your laptop has been configured with a static IP address for a UCAR network, or for a company or institution you previously visited, it is imperative that it be reconfigured for dynamic addressing in order to work with most sites.
For Windows NT, 2000 and XP systems, you must have administrator access to your laptop in order to reconfigure the TCP/IP settings. Typical users do not, so if your division still uses static addresses on laptops, your machine must be reconfigured by your administrator before you leave on a trip. It is a good idea if your machine has a local account that is a member of the local Administrators group but is not the built-in Administrator account, and to use that account only for administrative tasks rather than day-to-day work. There are other situations besides reconfiguring TCP/IP settings (such as installing certain software) that require administrator access to your machine. If this account is available, your systems administrator could, by phone, walk you through TCP/IP reconfiguration, software installation, etc. that may be critical to the mission of your trip.
You can tell that TCP/IP is configured to obtain its address dynamically if the line "DHCP Enabled: Yes" (or similar) appears in the "ipconfig" listing; the line will read "DHCP Enabled: No" for a static configuration. You can see in Figure 6 that the example system obtained its address dynamically.
If you have trouble obtaining an appropriate dynamic address for your machine (and it is not configured for static addressing), you may find it useful to reboot. Alternatively, you can type "ipconfig /release" (followed by the "Enter" key) and then "ipconfig /renew" (followed by the "Enter" key) in the "command.com" window (Figure 6).
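The "ipconfig /all" checks described above (the "Media disconnected" test, the 169.254.x.x auto-configuration check, and the "DHCP Enabled" check) can be applied to a whole listing at once. The script below is an added example written for this guide, not a tool from the original page or from Cisco or Microsoft: it parses the text that "ipconfig /all" prints on Windows XP (a constructed sample is embedded so it runs offline; adapter names and the 192.0.2.x addresses in the sample are made up, 128.117.43.28 is the page's own example) and reports, per adapter, whether the link is down, whether only an auto-configuration address was obtained, whether the adapter is statically configured, or whether a DHCP lease is in place. Python is used so the parsing rules are explicit and the script runs on any system; on a Windows machine with no arguments it runs "ipconfig /all" itself.

```python
"""Classify the adapters in "ipconfig /all" output: no link, auto-configured
(169.254.x.x, no DHCP reply), static configuration, or a good dynamic lease."""
import re
import subprocess
import sys

# Constructed sample in the Windows XP "ipconfig /all" format (not real output
# from any machine). Adapter names are invented; 192.0.2.0/24 is a documentation
# range; 128.117.43.28 is the address used as an example in the guide.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-11-22-33-44-66
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Conference Room:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 128.117.43.28
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 128.117.43.1
        DHCP Server . . . . . . . . . . . : 128.117.43.1

Ethernet adapter Lab Bench:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.0.2.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.1
"""

APIPA_PREFIX = "169.254."   # auto-configuration range used when no DHCP server answers

ADVICE = {
    "disconnected": "no link: reseat the cable, check the card lights, ask whether the jack is live",
    "autoconfigured": "169.254.x.x address: no DHCP server answered; try ipconfig /release then /renew",
    "no address": "no address at all: check the link, then ipconfig /renew",
    "static": "static address: have an administrator switch the adapter to DHCP before travelling",
    "dynamic": "DHCP lease obtained; if the Internet is still unreachable, suspect the site firewall",
}


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from the text "ipconfig /all" prints."""
    adapters, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            # Adapter header, e.g. "Ethernet adapter Wireless Network Connection:"
            name = re.sub(r"^(Ethernet|PPP|Wireless LAN|Tunnel) adapter ", "", line.rstrip()[:-1])
            current = adapters.setdefault(name, {})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)          # "Key . . . : value"; the key has no colon
            current[re.sub(r"[ .]+$", "", key.strip())] = value.strip()
    return adapters


def diagnose(text):
    """Return {adapter name: {"status", "address", "dhcp"}} for every adapter in the listing."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        media = fields.get("Media State", "").lower()
        dhcp = (fields.get("DHCP Enabled") or fields.get("Dhcp Enabled") or "").lower()
        addr = ""
        for key, value in fields.items():           # XP: "IP Address"; Vista+: "IPv4 Address ... (Preferred)"
            if re.match(r"^(Autoconfiguration )?IP(v4)? Address", key):
                addr = value.split("(")[0].strip()
        if "disconnected" in media:
            status = "disconnected"
        elif addr.startswith(APIPA_PREFIX):
            status = "autoconfigured"
        elif not addr:
            status = "no address"
        elif dhcp.startswith("no"):
            status = "static"
        else:
            status = "dynamic"
        report[name] = {"status": status, "address": addr, "dhcp": dhcp or "unknown"}
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # a saved listing: ipconfig /all > net.txt
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    elif sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    for name, info in diagnose(text).items():
        print(f"{name}: {info['status']} ({info['address'] or 'no address'}) - {ADVICE[info['status']]}")
```

Run it with a saved listing as the argument, or with no argument on Windows to have it run "ipconfig /all" for you. When an adapter is reported as "autoconfigured", do the "ipconfig /release" and "ipconfig /renew" step from the paragraph above and run the script again.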
Problems accessing an external network
Once you have a valid IP address, you should attempt to connect to a site on the Internet. Be aware, however, that the company, institution, or hotel you are connecting from may have their own firewall, and may be blocking the protocols of certain network services. If they aren't blocking all outgoing protocols, the one protocol that should be permitted is HTTP, the protocol of the World Wide Web. To test your ability to reach the Internet, try opening www.google.com from your Web browser. Many hotels and conference networks intercept your first Web request and show a login or acceptance page instead; until you complete that page, nothing else (including VPN) will get through, so do this test in a browser before trying the VPN client.
Even if you were successful in reaching a Web site on the Internet, the local firewall might still block the protocols that the VPN client uses to reach its server.
To test a VPN connection, launch the Cisco VPN Client (also called the "VPN Dialer") and attempt a connection to the UCAR VPN server (click on the "Connect" button).
Figure 7a: Click "Connect" to attempt a connection to the UCAR VPN server (Version 4 client).
Figure 7b: Click "Connect" to attempt a connection to the UCAR VPN server (Version 3 client).
If you fail to connect, it may be because the local firewall is blocking the protocol that the VPN client is currently using to reach the server. You can reconfigure transparent tunneling to try different protocols; hopefully, one of the three possibilities will work.
Reconfiguring Transparent Tunneling
In order to reconfigure your VPN client, first disconnect the client from UCAR if it is connected, then restart the client.
In Version 4 (Figure 7a), click on the "Modify" button; in Version 3 (Figure 7b), click on the "Options" button and select "Properties..." from the pop-up menu (Figure 8b).
Figure 8b: Select "Properties" (Version 3 client).
The "Properties for UCAR" dialog box opens (Figures 9a or 9b).
Select the "Transport" tab (V4) or the "General" tab (V3), if not already selected.
IPSec over TCP
Click the "Enable Transparent Tunneling" checkbox, if not already checked.
Click on the "Use IPSec over TCP (NAT/PAT/Firewall)" radiobutton.
Be sure that "TCP port:" is set to "10000".
Figure 9a: Check "Enable Transparent Tunneling" and select "Use IPSec over TCP" (Version 4 client).
Figure 9b: Check "Enable Transparent Tunneling" and select "Use IPSec over TCP" (Version 3 client).
Click on the "Save" or "OK" button at the bottom of the dialog box.
From the main VPN client window, try to make your connection.
IPSec over UDP
If you can't connect with "IPSec over TCP", try "IPSec over UDP".
Click the "Enable Transparent Tunneling" checkbox, if not already checked.
Click on the "Use IPSec over UDP (NAT/PAT)" radiobutton.
Figure 10a: Check "Enable Transparent Tunneling" and select "Use IPSec over UDP" (Version 4 client).
Figure 10b: Check "Enable Transparent Tunneling" and select "Use IPSec over UDP" (Version 3 client).
Click on the "Save" or "OK" button at the bottom of the dialog box.
From the main VPN client window, try to make your connection.
Disable Transparent Tunneling
If you can't connect with "IPSec over UDP", try disabling transparent tunneling.
Click the "Enable Transparent Tunneling" checkbox, if checked.
Figure 11a: Uncheck "Enable Transparent Tunneling" (Version 4 client).
Figure 11b: Uncheck "Enable Transparent Tunneling" (Version 3 client).
Click on the "Save" or "OK" button at the bottom of the dialog box.
From the main VPN client window, try to make your connection.
If, after trying the three different transparent tunneling configurations, you still fail to connect to UCAR's VPN server, you may want to contact personnel at the local site and ask them about their firewall and its interaction with VPN. If you learn that your hotel does not support VPN, you may wish to express the opinion that their management is "business user hostile".
Note: When connected to UCAR's Conference Room subnet (.43), any of the three tunneling methods will work. When connected to UCAR's wireless subnet (.228), only the third tunneling method (Disable Transparent Tunneling) works reliably.
Problems while logging into the VPN server
If you can connect to UCAR's VPN server, but the server rejects your login name or password, remember that the correct username is your UCAS (Time Card) username and the correct password is the one-time code from your Cryptocard, not your UCAS password.
The VPN server is reliable, and it also has an "automatic hot spare". It should seldom fail, but it may be inaccessible because of scheduled maintenance. Prior to departure on your trip, it would be a good idea to check whether maintenance on the VPN server has been scheduled. Scheduled maintenance of the VPN server is announced in the Daily Bulletin, which can be read online at http://www.scd.ucar.edu/cpg/dailyb/todays.html. Also, the VPN server may be working but not accessible because of other UCAR network infrastructure problems. You can call the SCD Computer Room Operations Staff at (303) 497-1200 to inquire about the status of the VPN server.
Or is it?
If you cannot reach important network services in your division after successfully connecting to the UCAR VPN server, it may not be a problem with the VPN server. Those systems may be down or are inaccessible because of other UCAR network infrastructure problems.
Usually, e-mail is the most important service for which VPN is required: you need it if you access your e-mail via a POP or IMAP client like Netscape, Eudora, Outlook or Outlook Express. Your division may support Web access to e-mail, which doesn't require VPN, only the HTTP protocol, which most firewalls pass. You can also use this method to read e-mail when you don't have access to your laptop but can find an Internet cafe; prefer an "https://" URL so that your password and mail are not sent in the clear over someone else's network, and log out when you are done on a shared machine. You may wish to try Web access to e-mail before your trip, and bookmark the URL, just in case.