This page contains some things to try if you are experiencing problems with your VPN connection.
A Quick Checklist for VPN using Broadband (DSL/Cable) Connections
- Turn on NAT Transparency in the VPN client.
- Change Firewall policy to permit IPSec traffic.
- Set MTU to 1400 & reboot. For XP/2000, registry change required. Use Dr. TCP for Win9x/Me/NT (DSL).
- If DHCP is active, check the "Exclude DHCP from Tunnel" checkbox.
- If the local subnet is 10.x.x.x, re-number the LAN or use "Exclude Local LAN from Tunnel" checkbox.
- Ensure QoS Packet Scheduler is not active on LAN or Dial-up connections (XP only).
VPN Installation Results in Blue Screen
There has been a reported problem that a blue screen results after installing the VPN client when using the D-Link D-500 wireless card with Windows 2000. The error indicates an issue with CW10.sys, a driver associated with the D-Link card. One solution that has been successful was to use the driver dated January 2002 that is for Windows 98 but is compatible with Windows 2000 and install the most current, high encryption (3DES) VPN client.
Unable to open VPN Software or VPN Software does not respond.
If the VPN software stops responding or if you are unable to open the VPN software, it is recommended that you shut down and restart your computer. Shut down, and completely power off your computer for approximately 30 seconds before restarting it.
Unable to connect to VPN Server
Maintenance and Outages
If you are able to open the VPN software but unable to connect to the VPN server, first check the Network Status Page for any scheduled maintenance or unplanned outages with the VPN servers. If this does not resolve the problem, you may need to uninstall the VPN software and reinstall it.
VPN Software Hangs After Entering the Shared Secret
Make sure that you are connected to the Internet before trying to establish the VPN connection. If you are certain that your Internet connection is functioning properly, check your VPN software configuration settings.
Authentication (Username and Password) Problems
- VPN Server Error (14): User Access Denied
- Error in Internet Key Exchange Protocol (IKE) Authentication
- IKE Error: Authentication Failure.
These errors are most often caused by an incorrect username, password, authentication secret, or shared secret.
- For security purposes, your VPN password should never be the same as your Expedient dialup, DSL, or email password, even if the usernames are the same.
- Your username should be all in lowercase letters.
- You may need to use a special username, or have your username in a special format (e.g. firstname.lastname@example.org). The username for the VPN configuration is generally in a different format than the dial-up username.
- The shared secret will be specific to your company's or school's VPN configuration settings.
- PITT customers: If you have never used your @pitt.edu account, please try logging into http://accounts.pitt.edu then try to connect using VPN.
- On the Configuration tab of the VPN client, click the Advanced button and be sure that "Encrypt Passwords" is NOT checked.
Not getting prompt for Authentication Secret, only Shared Secret
If you receive the "Shared Secret" prompt first but the second prompt asks ONLY for the password but not the Authentication Secret, check that your Login is in the appropriate format.
Routing or Connectivity Problems
Check Internet connectivity
Verify that you have connected to the Internet and obtained full Internet access prior to connecting with the VPN - e.g., check your email, browse to a few websites.
Internet Explorer error: "Unable to establish connection"
When you launch Internet Explorer and you have configured your computer to automatically prompt you to start your VPN connection, your VPN connection may not be established when you click "Connect"; you may instead receive an error message, "Unable to Establish a Connection". This problem can occur if Internet Explorer does not initialize the VPN connection. To resolve the issue, start a VPN session before you start Internet Explorer.
Multiple VPN Clients and Sessions
Only one instance of the Cisco VPN 5000 Client should be installed; other VPN software should be removed. However, please note that native Windows VPN adapters work with the Cisco VPN 5000 Client.
In addition, there cannot be multiple VPN sessions under the same login. Since only one VPN session is allowed for each user at any given time, authentication problems will result if you attempt to log on to the VPN more than once.
Macintosh: VPN Client has trouble initializing or maintaining Open Transport
It's possible that there was not an Internet connection before attempting to connect with the VPN. Also, please be sure the TCP/IP Control Panel has been properly configured.
Error 623 or The system could not find the phone book entry for this connection.
If you receive this error, please be sure you have a Dial-up Networking or Phonebook entry for Expedient. If you checked "Auto-Connect to Default before Logon" on the Configuration tab (Windows only), be sure you selected Expedient as the dial-up ("Phonebook") and did not select "LAN" if you are using a modem connection -OR- uncheck the "Auto-Connect..." option and make a VPN connection after connecting to the Internet.
Windows XP and VPN - Uninstall QoS Packet Scheduler
There is a known problem with certain versions of Windows XP and the Cisco VPN software. If you are using Windows XP and experience a slow connection with your dial-up or DSL connection after installing the VPN software, regardless of whether or not the VPN client is active, please uninstall the "QoS Packet Scheduler" in the Network Adapter properties:
- Disconnect the dial-up session, and open the Dial-up properties for the connection.
- Highlight QoS Packet Scheduler then click Uninstall.
- Click OK to save the settings.
Re-install software or install software with higher encryption level (3DES)
Try uninstalling then reinstalling the software. This will (re)-bind it to the adapter. You can also check the encryption of the client (General Tab) and see whether the software is DES or 3DES. If DES, you might try downloading the 3DES version (uninstall the DES version before installing the 3DES one).
Disconnects: DHCP Packets Forwarded into Tunnel
If you have a DSL or Cable Internet connection and the VPN Client disconnects after working for an extended period and you then lose the Internet connection, it may be that the device in use as the broadband router (e.g. Linksys, Westell 2100) has a DHCP server configured as the default LAN configuration.
The computer can be set to have a static IP address rather than use DHCP. Alternatively, you may keep the computer as a DHCP client but make the following change to the VPN Client configuration to resolve this problem:
- Launch the VPN client.
- Click on the VPN connection in use on the General tab and click the Edit button.
- Click on the Advanced button.
- Check the bottom box labeled "Exclude DHCP (bootp) from Tunnel". NOTE: It is recommended to check this box for ANY machine that is set for DHCP.
Unable to Route (Load Pages or Check Email) After Connecting
If you are unable to load pages after connecting to the VPN, you will first need to determine if it is a problem with the VPN connection or the Internet connection:
Disconnect the VPN connection and close the VPN software.
Verify that you can check your email and surf web pages normally. Try sending and receiving email. Try to open a few different web pages outside of the Expedient domain, like: www.yahoo.com, www.cnn.com, www.nytimes.com, or www.about.com.
If you are unable to open web pages or send and receive email as normal, troubleshoot the Internet connection first:
- Troubleshoot Dialup connection problems
- Troubleshoot DSL or Cable connection problems
If your Internet connection appears to be functioning properly, you may want to try Pinging the VPN server after reconnecting to the VPN server. Note: If you are using DSL or Cable modem connection and have the option to use NAT Transparency, the Ping option may not function properly.
Click the Start button. Click Run.
Enter command and click OK.
You will get a black screen with a prompt similar to this:
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.
Type ping vpn.stargate.net -- Not all customers will be using vpn.stargate.net for their VPN server name. Check your configuration settings to find your VPN server name.
If the VPN is responding properly you should see a response similar to this:
Pinging vpn1.pitdc1.pa.expedient.net [188.8.131.52] with 32 bytes of data:
Reply from 184.108.40.206: bytes=32 time=100ms TTL=44
Reply from 220.127.116.11: bytes=32 time=107ms TTL=44
Reply from 18.104.22.168: bytes=32 time=134ms TTL=44
Reply from 22.214.171.124: bytes=32 time=124ms TTL=44
Ping statistics for 126.96.36.199:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 34ms, Average = 18ms
Macintosh OS X
- From the Finder, Press Command(apple key) + Option + A on the keyboard to access your Applications folder. You may also open the Applications folder from your Hard Drive.
- In the Applications folder, double click Utilities and double click the Network Utility.
- Click on the Ping tab.
- Below Please enter the network address to ping, enter vpn.stargate.net. -- Not all customers will be using vpn.stargate.net for their VPN server name. Check your configuration settings to find your VPN server name.
- When you click on 'Ping' OS X will attempt to ping the VPN server 10 times.
Macintosh OS 8-9
Personal Firewall programs: Windows XP, Black Ice, Zone Alarm, Norton, McAfee
Personal firewall programs like the Windows XP firewall, Black Ice or Zone alarm can cause problems with the VPN connection. Consult the Help files of your personal firewall software for instructions on allowing IPSec traffic and servers.
If allowing the VPN servers through your personal firewall program does not solve your problems, you may need to disable the firewall program before connecting.
See How to disable common firewalls for Windows XP, Westell 2100, Norton and McAfee firewalls.
To disable the Windows XP Internet Connection Firewall (ICF):
- Log on as a user that is a member of the Administrators group.
- Open the Network Connections folder, right click the desired connection, and then click Properties.
- Click the Advanced tab, and remove the check from Protect my computer and network by limiting or preventing access to this computer from the Internet.
- Click Yes in the dialog window that asks you to confirm your decision to disable the firewall.
The encrypted nature of IPSec traffic makes it challenging for the client to work properly behind a firewall, proxy, or NAT device. A function built into the VPN client called "NAT Transparency" helps the client traverse these types of devices successfully. NAT Transparency basically disguises the packet as a TCP port 80 connection, or a plain HTTP packet. With the TCP header, it is able to be NAT'd, and is able to be sent through most common firewall policies. When the Client PC is located behind a firewall, NAT device, or Proxy, this setting should be activated.
- Launch the VPN client.
- Click on the VPN connection being used, and click the "Edit" button.
- In the field labeled NAT transparency, check the box.
- The "Port" field will automatically populate with the number 80. Accept this default setting. Changing the port number will cause the connection to fail.
- Click OK, and re-connect the VPN client. The client should then be able to connect and route traffic correctly.
Setting up VPN behind a Linksys Router
If you are having problems accessing VPN behind a Linksys router with a dynamic IP, refer to the Linksys KB article, Setting up a Remote VPN connection behind a Router, or go to the Support section of the Linksys website and search for vpn in the knowledgebase. From the results, select "Setting up a Remote VPN connection behind a Router".
You might also try using Dynamic DNS. Instead of having to change the IP at the client side all the time because the server uses DHCP, you can use a hostname instead. A hostname is static. Try www.no-ip.org and download the free dynamic DNS tool. Register and install it on the PC that you need to connect to.
You might also try enabling "PPTP Pass Through".
Westell 2100 DSL modem/router firewall and services
There have been occasions in which a firewall or security feature that is running on a broadband router has had a negative effect on the VPN client functionality. For example, on the Westell 2100 DSL modem/router, the firewall setting must be set to "Low" in order to properly permit the VPN client to function. In the case of configuring a firewall for use with the VPN client, the router must permit the following services: ESP (IP Protocol 50), ISAKMP/IKE (UDP port 500), and TCP Port 80 (if NAT Transparency is used).
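One way to find out which of those three services a firewall is dropping, so that only the missing one has to be permitted, is to match its drop records against the list. This is an added example, not part of the original page; the log layout and all addresses are constructed for illustration and do not reproduce any specific product's format.

```python
# Added example: match firewall drop records against the services the VPN client needs.
# The log layout is constructed for illustration, not a specific product's format.
REQUIRED = {
    ("50", None): "ESP (IP protocol 50)",
    ("udp", 500): "ISAKMP/IKE (UDP port 500)",
    ("tcp", 80): "TCP port 80 (NAT Transparency)",
}

# Constructed sample: action proto src dst sport dport
SAMPLE_LOG = """\
# action proto src dst sport dport   (constructed sample)
DROP udp 192.0.2.10 198.51.100.5 500 500
ALLOW tcp 192.0.2.10 203.0.113.9 1045 80
DROP 50 192.0.2.10 198.51.100.5 - -
DROP udp 192.0.2.10 203.0.113.77 1030 137
ALLOW tcp 192.0.2.10 198.51.100.5 1046 80
"""


def blocked_vpn_services(log_text, vpn_server):
    """Return the required VPN services seen in DROP records sent to vpn_server."""
    blocked = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 6:
            continue  # skip comments and malformed records
        action, proto, _src, dst, _sport, dport = fields
        if action != "DROP" or dst != vpn_server:
            continue
        proto = proto.lower()
        # ESP carries no ports, so it is keyed on the protocol number alone.
        if proto == "50":
            key = (proto, None)
        else:
            key = (proto, int(dport) if dport.isdigit() else None)
        name = REQUIRED.get(key)
        if name and name not in blocked:
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for service in blocked_vpn_services(SAMPLE_LOG, "198.51.100.5"):
        print("dropped, needs a permit rule:", service)
```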
Software: Proxy Settings
Your web browsers and Internet settings should not be set to use Proxy servers. To check your settings, disconnect your VPN connection and any dialup connections, then:
Windows: Internet Explorer 5 & 6:
- Open the Control Panel and double click Internet Options.
- Click the Connections tab.
- If you are using a Dialup Connection, highlight the connection name and click Settings. Uncheck Automatically Detect Settings and Use a Proxy Server for this Connection. Click OK.
- All connection types (dialup, DSL, LAN, cable, etc.), click the LAN Settings button. Uncheck Automatically Detect Settings and Use a Proxy Server for this Connection. Click OK.
- Click OK and close the Control Panel. Reconnect.
Macintosh: Internet Explorer 5:
- Open Internet Explorer. Click the Edit menu and choose Preferences.
- If necessary, click the arrow next to the Network category to expand it, then choose Proxies.
- Uncheck all options in the Use Proxy Servers box.
- Click OK. Reconnect.
Windows and Macintosh: Netscape 4.x and 6
- Open Netscape. Click the Edit menu and choose Preferences.
- Click the + (plus) sign or arrow next to the Advanced category, then choose Proxies.
- Select Direct Connection to the Internet.
- Click OK. Reconnect.
See also Personal Firewall Programs: Windows XP, Black Ice, Zone Alarm
Hibernation or Standby mode
Your computer should not automatically go into Standby mode when there is an active VPN connection. If you manually put your computer in Hibernation or Standby mode while you are connected to the VPN server, you may be disconnected.
VPN connections on a Windows 2000 computer may stop working (even after reconnecting) after the computer resumes from Hibernate or Standby mode. If you receive Error 51: The modem (or other connecting device) has reported an error, using a Windows 2000 computer, please review Article Q263956 in the Microsoft Knowledge Base for more information.
VPN Connection is Slow
Extreme latency while connecting to resources over the VPN, an inability to transfer large files or properly send/receive email, or an inability to use any application located at the remote network site may indicate an MTU problem. MTU problems typically arise when implementing the VPN client on a DSL-based network. This problem is prevalent in DSL installations, particularly in those that involve PPPoE authentication, such as Expedient's Extreme DSL using Verizon.
Please refer to MTU in the DSL & Cable section for a possible resolution. Symptoms include: "Your network throughput and overall network performance may gradually decrease, sometimes to the point that the computer hangs or becomes completely unresponsive to network requests."
If you are using Windows 98SE, also see the Microsoft KB article 243199: Windows 98 Second Edition Problems with NDIS Intermediate Drivers
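The arithmetic behind the MTU recommendation of 1400, as an added example that is not part of the original page. It assumes standard ESP tunnel-mode framing with DES/3DES-CBC and a 96-bit HMAC, and that NAT Transparency adds a bare 20-byte TCP header; the VPN client's exact framing may differ.

```python
# Added example: why a 1400-byte client MTU avoids fragmentation inside the tunnel.
# Framing sizes are assumptions (generic ESP tunnel mode), not taken from the page.
PPPOE_OVERHEAD = 8    # PPPoE (6) + PPP (2) bytes taken out of a 1500-byte Ethernet frame
OUTER_IP = 20         # outer IPv4 header, no options
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_IV = 8            # CBC IV for DES/3DES (64-bit block)
ESP_TRAILER_MIN = 2   # pad-length byte + next-header byte
ESP_ICV = 12          # 96-bit truncated HMAC (assumed)
BLOCK = 8             # DES/3DES block size in bytes
TCP_WRAP = 20         # assumed: NAT Transparency prepends a plain TCP header


def esp_packet_size(inner_len, tcp_wrap=False):
    """Bytes on the wire for one inner IP packet after ESP tunnel-mode encapsulation."""
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    blocks = -(-(inner_len + ESP_TRAILER_MIN) // BLOCK)
    size = OUTER_IP + ESP_HEADER + ESP_IV + blocks * BLOCK + ESP_ICV
    return size + (TCP_WRAP if tcp_wrap else 0)


def max_inner_mtu(link_mtu, tcp_wrap=False):
    """Largest inner packet that still fits in link_mtu after encapsulation."""
    fixed = OUTER_IP + ESP_HEADER + ESP_IV + ESP_ICV + (TCP_WRAP if tcp_wrap else 0)
    room = (link_mtu - fixed) // BLOCK * BLOCK  # ciphertext is whole blocks only
    return room - ESP_TRAILER_MIN


def report(client_mtu=1400):
    """Rows of (link, tcp_wrap, max inner MTU, wire size at client_mtu, fits)."""
    rows = []
    links = (("Ethernet/cable", 1500), ("PPPoE DSL", 1500 - PPPOE_OVERHEAD))
    for name, link_mtu in links:
        for wrap in (False, True):
            wire = esp_packet_size(client_mtu, wrap)
            rows.append((name, wrap, max_inner_mtu(link_mtu, wrap), wire, wire <= link_mtu))
    return rows


if __name__ == "__main__":
    for name, wrap, limit, wire, fits in report():
        mode = "ESP over TCP/80" if wrap else "plain ESP"
        print(f"{name:15} {mode:16} max inner MTU {limit}, "
              f"1400-byte packet -> {wire} bytes, fits: {fits}")
```

Under these assumptions a full 1500-byte packet never fits once encapsulated, while 1400 leaves headroom on both link types, with or without the TCP wrapper.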
VPN Stops Responding When Disconnecting
If the VPN connection stops responding, it may be due to a PPTP driver in the Macintosh OS version. Verify that you are using the latest version of Open Transport. If not, update the system software from the Apple website.
Cannot Print using Networked Printers over VPN
If you are unable to connect to networked printers or PCs on your home network while connected to the VPN or are experiencing problems with certain VPN-based applications such that they function poorly or not at all, the best course of resolution is to re-number your home network so that it does not interfere with the VPN client split tunneling. While the re-numbering is the preferred resolution, an alternative solution is as follows when IP re-numbering is not possible.
- Launch the VPN client.
- Click on the VPN connection being used, and click the "Edit" button.
- Click on the "Advanced" button and check the 4th checkbox labeled "Exclude Local LAN from Tunnel".