
L2TP/IPSec Troubleshooting

1. If the VPN client is behind any network device that performs NAT and the L2TP client receives the error "The remote computer does not support the required data encryption type", the cause may be that the encrypted IPSec Encapsulating Security Payload (ESP) packets are being corrupted on the way.

2. If L2TP issues a warning that you do not have a certificate, check for a computer certificate with a private key in the local computer's personal certificate store.

3. If IKE times out, make sure the devices in front of the VPN server allow UDP port 500 through. IKE also times out if the VPN server does not have an appropriate IPSec policy configured, which usually means either that the RRAS server does not have L2TP ports enabled or that a manual IPSec policy setting is not correctly configured. When IKE times out, the audit log shows that the peer failed to reply, and a network capture trace shows ISAKMP UDP packets initiating only from your client.

4. ESP blocked: When NAT is in front of the client, or routers are in front of the VPN server, IP protocol 50 (ESP) may not be allowed through. In a capture, outbound ESP traffic with the client's SPI number appears, but inbound ESP packets from the gateway, carrying a different SPI number, do not.

5. ESP modified: If NAT, or perhaps a faulty switch or other network node, is modifying or corrupting packets anywhere on the path, the packets are dropped by the IPSec driver, and Event 4285 "Failed to authenticate hash" appears in the System log of the receiving system. Packets can also be corrupted by a network interface that has IPSec offload capabilities. To determine whether an interface has this capability, use the netsh support tool. Type the following command:

netsh int ip show offload

6. If the IPSec offload capability of a NIC is the suspected cause, start a Network Monitor capture and use Ipsecmon.exe to analyze each connection attempt. Examine the "Confidential Bytes Received" counter in Ipsecmon to determine whether packets are being lost on receive. You can also set the HKLM\System\CurrentControlSet\Services\IPSEC\EnableOffload DWORD registry value to 0. If the connection then succeeds, the issue is offload-related. Another troubleshooting alternative is to turn off the IPSec automatic policy.

7. If the IPSec Policy Agent was stopped by using the Services snap-in or the net stop policyagent command, the L2TP automatic IPSec policy configuration is lost. For VPN clients, the policy is automatically plumbed when the client connectoid is started. Make sure that the IPSec policy agent service is started and running before you start the client connectoid. After you click Connect and the connection attempt is in progress, you can use the netdiag /test:ipsec /v /debug command to see IPSec statistics and active filters. Note that you cannot use the /debug option if you do not have domain administrative permissions.
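Points 3 and 4 above both describe a one-way pattern in a capture: ISAKMP leaving the client with no reply, or outbound ESP with one SPI and no inbound ESP from the gateway. The following Python script is an added example, not from the original page, that reads raw IPv4 packets and flags those two patterns; the addresses and packet bytes are constructed samples, and it assumes the capture was taken on the client with the link-layer header already stripped.

```python
import struct
ESP_PROTO, UDP_PROTO, IKE_PORT = 50, 17, 500

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample; header checksum left at 0)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload

def classify(pkt):
    """Return ("IKE"|"ESP", src, dst, spi_or_None), or None for other traffic."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (".".join(str(b) for b in pkt[i:i + 4]) for i in (12, 16))
    proto, payload = pkt[9], pkt[ihl:]
    if proto == ESP_PROTO:                      # ESP header starts with the 4-byte SPI
        return "ESP", src, dst, struct.unpack("!I", payload[:4])[0]
    if proto == UDP_PROTO:                      # ISAKMP/IKE rides on UDP port 500
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return "IKE", src, dst, None
    return None

def diagnose(packets, client_ip):
    """Compare outbound vs inbound packets per protocol, as seen from the client."""
    count = {"IKE": {"out": 0, "in": 0}, "ESP": {"out": 0, "in": 0}}
    spis = {"out": set(), "in": set()}
    for pkt in packets:
        parsed = classify(pkt)
        if parsed is None:
            continue
        kind, src, _dst, spi = parsed
        direction = "out" if src == client_ip else "in"
        count[kind][direction] += 1
        if kind == "ESP":
            spis[direction].add(spi)
    findings = []
    if count["IKE"]["out"] and not count["IKE"]["in"]:
        findings.append("IKE timeout: ISAKMP UDP 500 leaves the client but nothing comes back (UDP 500 blocked in front of the server, or no IPSec policy on it)")
    if count["ESP"]["out"] and not count["ESP"]["in"]:
        findings.append("ESP blocked: outbound SPI(s) %s seen, no inbound ESP from the gateway (IP protocol 50 not allowed through)" % sorted(hex(s) for s in spis["out"]))
    return findings

# Constructed sample capture: IKE completes both ways, but only outbound ESP is seen.
CLIENT, GATEWAY = "192.168.1.10", "203.0.113.5"
IKE = lambda a, b: build_ipv4(a, b, UDP_PROTO, struct.pack("!HHHH", 500, 500, 8, 0))
ESP = lambda a, b, spi: build_ipv4(a, b, ESP_PROTO, struct.pack("!II", spi, 1))
SAMPLE = [IKE(CLIENT, GATEWAY), IKE(GATEWAY, CLIENT), IKE(CLIENT, GATEWAY), IKE(GATEWAY, CLIENT),
          ESP(CLIENT, GATEWAY, 0x0A1B2C3D), ESP(CLIENT, GATEWAY, 0x0A1B2C3D)]
```

Running diagnose(SAMPLE, CLIENT) on the sample reports only the ESP-blocked pattern; feeding it packets with ISAKMP in one direction only reports the IKE timeout pattern instead.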

Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.