Firewall Port Tests

Before the VPN client connects, it performs a connectivity test to check that UDP ports 500 and 4500 are open between the client and the VPN. If either of these port tests fails, the client displays a message indicating that there is a problem.

This problem is normally caused by the router or firewall between the client and the Internet blocking the traffic. Consult the documentation for the client's router/firewall for instructions on enabling outbound traffic on UDP ports 500 and 4500.

Note: If the client is connecting via a BT Voyager DSL router, this error will appear even though the ports are usable. Clicking Retry will allow the client to connect. The VPN client port test can be disabled via the Advanced tab under Settings.

Troubleshooting a Client connection

If the VPN Client fails to connect, it displays an error code. The following table lists the action to take for each error code.

| Error Code | Resolution |
| --- | --- |
| 734 | This is a misleading error which normally means that an invalid password has been provided. Confirm the validity of the username and password and retry. |
| 781 | Your VPN Client installation has been corrupted or revoked. Uninstall and re-install the client. |
| 769 | This error normally indicates a problem with your Internet connection. Verify that your Internet connection is up and working and then retry the connection. |
| 789 | This error is usually related to a firewall blocking IPSec traffic. On consumer routers with firewall features, this can normally be solved by enabling IPSec pass-through on the router. If you are behind a corporate firewall, contact your network administrator to configure the firewall to allow IPSec connections. IPSec requires UDP ports 500 and 4500 to be open. This error can also be caused by third-party security products; for example, the 'Internet Worm Detection' feature of Norton AntiVirus 2005 may need to be disabled if installed. |
| 792 | This error is typically caused by a firewall blocking IPSec traffic between the VPN Client and the VPN service. On consumer routers with firewall features, this can normally be solved by enabling IPSec pass-through on the router. If you are behind a corporate firewall, contact your network administrator to configure the firewall to allow IPSec connections. |
| 768 | This error is returned if the Windows IPSec Services/IPSec Policy Agent service is not running. To start the service, go to Control Panel -> Administrative Tools -> Services and select IPSec Services in the service list. Click the start ('play') icon at the top of the window to start the service. This service is normally running but may be disabled by some third-party programs such as VPN clients, anti-virus and personal firewall products. An upgrade to the latest version of the third-party VPN client may fix the problem; otherwise it should be disabled or uninstalled. Some anti-virus and personal firewall products conflict with the IPSec service. Check with your AV or firewall vendor for an upgrade. |
| 786 | This error is caused by the VPN client being unable to find a valid certificate. The certificate may have expired, so click the Settings button on the VPN Client and then click the 'Renew certificate' button. If the button is greyed out, uninstall and reinstall the VPN client to fix the problem. |

Client Connection Notifications

When a VPN Client connects, a number of tests are performed to verify that there is a working network.

The VPN client verifies that a VPN Agent is available on the network. If an error is reported, the VPN administrator should verify that the VPN Agent is running and connected.

A message is displayed if the client detects that Network Access Rules are denying all traffic. The VPN administrator should configure the Network Access Rules to permit appropriate traffic.

A notification message is displayed when the client has failed an endpoint check. Network access from the client will be restricted to what is permitted by the Quarantine rules defined by the administrator.

Troubleshooting application and server access

Basic Troubleshooting steps

The Status Page on the Administration site provides a status of your VPN. Check this page first to make sure that the VPN agent is connected. You should also verify that rules (Network, Agent and User) are permitting traffic.

Note: If not already permitted explicitly or by an ALL rule, you should permit ICMP and DNS in your Network, User and Agent Access Rules. ICMP is required for diagnostic ping and tracert commands. DNS is required to allow servers to be referenced by name rather than IP address.

Test using ping by IP addresses

The ping command is a low-level network connectivity test. Execute the ping tests as follows, replacing the IP addresses with your own network addresses. To see what addresses have been assigned to you, issue an ipconfig /all command in a command window. The listing for the PPP adapter shows the client IP address, and the DNS server entry for this adapter is the network gateway address.

| Test | Command | Action |
| --- | --- | --- |
| VPN Agent | ping 192.168.1.1 | If this succeeds, you have connectivity to the system hosting the VPN Agent. If this fails, your VPN Agent is down and inaccessible. Check that your VPN Agent is up and connected. If it is not, restart the service. |
| VPN Gateway | ping 10.192.0.3 | If this fails there is either a routing error or an internal VPN error. Contact technical support for assistance. |
| Network server | ping 192.168.1.2 | If this fails and the VPN Agent test succeeded, the machine hosting the VPN Agent cannot contact the network server. Verify that the machine hosting the VPN Agent can contact the network server on the local network. |

Test using ping by host name

If the ping tests by IP address all work, performing a ping using the fully qualified host name will verify that DNS is working. Note that you need to specify both the host name and the domain name (mailsrv.example.com, not just mailsrv).

| Test | Command | Action |
| --- | --- | --- |
| VPN Agent | ping srv.example.com | If this succeeds, you have connectivity to the system hosting the VPN Agent and your DNS service is working correctly. If this fails, refer to the Verifying DNS section. |

If you can ping by fully qualified host name and are still having application connectivity problems, you need to verify that your Network, VPN Agent and User rules permit the application connections.
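The ping sequence above, scripted so that the four tests run in the prescribed order and the result is mapped onto the table's actions. This is an added example, not a tool shipped with the VPN client; the addresses are the constructed ones from the tables and must be replaced with the values reported by ipconfig /all, and the ping flags assume Windows or Linux.

```python
import platform
import subprocess
from typing import Dict

# Constructed sample targets taken from the tables above (assumption:
# replace them with the addresses shown by 'ipconfig /all' on the client).
TARGETS = {
    "agent_ip": "192.168.1.1",       # system hosting the VPN Agent
    "gateway_ip": "10.192.0.3",      # DNS server entry of the PPP adapter
    "server_ip": "192.168.1.2",      # internal network server
    "agent_fqdn": "srv.example.com", # fully qualified name, not a short name
}

def ping(host: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo request with the OS ping tool; True on a reply.
    Windows uses -n/-w (ms), Linux uses -c/-W (s). Note that Windows ping
    can exit 0 on 'Destination host unreachable', so treat True as 'no
    hard failure' rather than proof of a reply."""
    windows = platform.system() == "Windows"
    args = ["ping", "-n" if windows else "-c", "1",
            "-w" if windows else "-W",
            str(timeout_s * 1000) if windows else str(timeout_s), host]
    proc = subprocess.run(args, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def diagnose(results: Dict[str, bool]) -> str:
    """Map the four ping outcomes onto the actions in the tables above.
    The checks are ordered as on the page: agent, gateway, server, DNS."""
    if not results["agent_ip"]:
        return ("VPN Agent unreachable: check that the agent is up and "
                "connected; restart the service if it is not")
    if not results["gateway_ip"]:
        return ("VPN Gateway unreachable: routing error or internal VPN "
                "error; contact technical support")
    if not results["server_ip"]:
        return ("Network server unreachable although the agent answers: "
                "verify the VPN Agent host can reach the server locally")
    if not results["agent_fqdn"]:
        return ("IP connectivity works but name resolution fails: see the "
                "Verifying DNS section")
    return ("All ping tests passed: verify that Network, VPN Agent and "
            "User rules permit the application connection")

def run_checks(targets: Dict[str, str] = TARGETS) -> str:
    """Run every ping test, then return the single diagnosis string."""
    results = {name: ping(host) for name, host in targets.items()}
    return diagnose(results)

if __name__ == "__main__":
    print(run_checks())
```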

Verifying DNS

The VPN service uses the DNS client and the local 'hosts' file on the VPN Agent server to resolve internal server names. Use of the 'hosts' file on the VPN Agent server requires version 1.10 or later of the VPN Agent.

On the machine running the VPN Agent, open a command window and issue a ping hostname command, where hostname is the fully qualified name of a server on the network. If the command returns an error indicating that the server could not be found, the DNS server is not correctly configured. The options available are:

Note that when NAT is used, the IP address returned to a client is the NAT address of the internal host, not its real internal address: the VPN Service dynamically rewrites DNS replies to use the NAT address.