Troubleshoot Mobile VPN with L2TP
This topic describes common types of problems you might encounter with Mobile VPN with L2TP, and describes the solutions that most often resolve these problems. Even after the VPN client connects, client traffic might not be able to reach some network resources because of network or policy configuration problems.
If the VPN client can connect to a network resource by IP address but not by name, the client device might not have correct WINS and DNS information for your network. Your Firebox automatically provides client devices with the WINS and DNS IP addresses configured in the global WINS/DNS settings.
For information about how to configure WINS and DNS IP addresses in Fireware Web UI, see Configure WINS and DNS Servers.
If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name to connect, this indicates that the DNS suffix is not defined on the client.
A client without a DNS suffix assigned must use the entire DNS name to resolve the name to an IP address. For example, if your terminal server has the DNS name RDP.example.net, a user cannot type the address RDP to connect with the terminal server client. Users must also type the DNS suffix, example.net.
To resolve this problem, you must specify the DNS suffix your PC uses to resolve host names when it is connected to the VPN. For more information, see Configure DNS settings for L2TP VPN clients in the WatchGuard Knowledge Base.
L2TP routes are defined by the client computer. On a Windows client, if you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination is the /24 subnet of the virtual IP address assigned to the client computer. For example, if the client is assigned the virtual IP address 10.0.1.225, traffic destined for the 10.0.1.0/24 network is routed through the VPN tunnel, but traffic destined for 10.0.2.0 is not.
For more information about how to configure this option, see Internet Access Through a Mobile VPN with L2TP Tunnel.
When you enable Mobile VPN with L2TP, the Allow-L2TP-Users policy is automatically created to allow traffic from L2TP clients to internal or external network resources. If you have disabled or removed this policy, clients cannot send traffic to internal or external networks.
For more information about this policy, see About L2TP Policies.
Verify that the user is a member of the L2TP-Users group on the authentication server. In some OS versions, L2TP users might be able to connect even though they are in the wrong group. If you use RADIUS for user authentication, the RADIUS server must return the group membership as the Filter-ID attribute.
For more information about user authentication in Mobile VPN with L2TP, see About L2TP User Authentication.
Verify that the user is a member of the L2TP-Users group on the authentication server. If the user is not in the correct group, the Windows connection might return error code 691. When this type of error occurs, the Firebox log file includes this type of message:
2014-08-14 13:01:44 admd Authentication of L2TPVPN user [johndoe@Firebox-DB] from 198.51.100.2 rejected, user isn't in the right group id="1100-0005" Event
If you use RADIUS to authenticate these users, the RADIUS server must return the group membership as the Filter-ID attribute.
For more information about user authentication in Mobile VPN with L2TP, see About L2TP User Authentication.
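The group-membership rejection above is easy to miss in a busy log. As an added example (not part of the WatchGuard documentation or any WatchGuard tool), the following Python parser extracts the user, authentication domain, source IP and event id from Firebox admd lines of the shape shown above, so an administrator can list which accounts need to be added to the L2TP-Users group. The log lines are constructed for this example: the first mirrors the message on the page, the others are invented variations.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines. The first matches the message shape shown in the
# troubleshooting text; the second and third are invented for illustration.
SAMPLE_LOG = """\
2014-08-14 13:01:44 admd Authentication of L2TPVPN user [johndoe@Firebox-DB] from 198.51.100.2 rejected, user isn't in the right group id="1100-0005" Event
2014-08-14 13:02:10 admd Authentication of L2TPVPN user [asmith@RADIUS] from 198.51.100.7 rejected, user isn't in the right group id="1100-0005" Event
2014-08-14 13:03:30 admd Authentication of L2TPVPN user [jdoe@Firebox-DB] from 203.0.113.9 was accepted id="1100-0004" Event
"""

# Matches only the "user isn't in the right group" rejection; other admd lines are ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) admd Authentication of L2TPVPN user "
    r"\[(?P<user>[^@\]]+)@(?P<domain>[^\]]+)\] from (?P<src>\S+) rejected, "
    r"user isn't in the right group id=\"(?P<event_id>[^\"]+)\""
)


@dataclass(frozen=True)
class GroupRejection:
    timestamp: str
    user: str
    domain: str      # authentication server, e.g. Firebox-DB or RADIUS
    source_ip: str   # client address the attempt came from
    event_id: str


def parse_group_rejections(log_text: str) -> List[GroupRejection]:
    """Return one GroupRejection per line that reports a wrong-group rejection."""
    found: List[GroupRejection] = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            found.append(GroupRejection(
                timestamp=m["ts"], user=m["user"], domain=m["domain"],
                source_ip=m["src"], event_id=m["event_id"],
            ))
    return found


def rejections_by_user(rejections: List[GroupRejection]) -> Dict[str, int]:
    """Count rejections per user@domain so the accounts to fix are listed once each."""
    counts: Dict[str, int] = {}
    for r in rejections:
        key = f"{r.user}@{r.domain}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = parse_group_rejections(SAMPLE_LOG)
    for user, n in rejections_by_user(hits).items():
        print(f"{user}: {n} rejection(s); verify membership in the L2TP-Users group")
```

Run against an exported Firebox log instead of SAMPLE_LOG to get the list of accounts to check; for RADIUS users, a hit here usually means the server is not returning the group as the Filter-ID attribute.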
If your VPN clients can connect to certain parts of the network, but not others, or traffic otherwise fails when log messages show traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:
- The virtual IP address pool for Mobile VPN with L2TP clients does not overlap with any IP addresses assigned to internal network users.
- The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
- If the Mobile VPN with L2TP users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.
For more information about how to configure the IP address pool, see Edit the Mobile VPN with L2TP Configuration.
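The two routing conditions above (the Windows client's implicit /24 route and the requirement that the virtual IP pool not overlap other networks) can both be checked before a user reports a problem. The Python script below is an added example, not part of the WatchGuard documentation; the pool, network names and addresses are constructed for illustration. It reports which configured networks overlap a candidate pool, and models the client-side route decision described earlier on this page: with the Use default gateway on remote network check box cleared, only destinations in the /24 that contains the client's virtual IP go into the tunnel.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed configuration for this example.
L2TP_POOL = "10.0.1.0/24"
OTHER_NETWORKS = {
    "trusted LAN": "10.0.2.0/24",
    "optional LAN": "10.0.1.0/25",       # deliberately overlaps the pool
    "BOVPN to branch office": "172.16.0.0/16",
}


def find_pool_conflicts(pool: str, networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, cidr) for every network whose address space overlaps the pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    conflicts: List[Tuple[str, str]] = []
    for name, cidr in networks.items():
        if pool_net.overlaps(ipaddress.ip_network(cidr, strict=False)):
            conflicts.append((name, cidr))
    return conflicts


def tunnel_routed(client_vip: str, destinations: Iterable[str],
                  use_default_gateway: bool) -> Dict[str, bool]:
    """Model the Windows L2TP client route decision.

    Without 'Use default gateway on remote network', the client only sends traffic
    through the tunnel when the destination is in the /24 of its virtual IP.
    With the option enabled, all traffic is routed through the tunnel.
    """
    implicit_route = ipaddress.ip_network(f"{client_vip}/24", strict=False)
    decision: Dict[str, bool] = {}
    for dest in destinations:
        decision[dest] = use_default_gateway or ipaddress.ip_address(dest) in implicit_route
    return decision


if __name__ == "__main__":
    for name, cidr in find_pool_conflicts(L2TP_POOL, OTHER_NETWORKS):
        print(f"pool {L2TP_POOL} overlaps {name} ({cidr}); change one of them")
    # Client assigned 10.0.1.225 (the page's example address), option cleared:
    for dest, via_tunnel in tunnel_routed("10.0.1.225",
                                          ["10.0.1.10", "10.0.2.20", "172.16.5.5"],
                                          use_default_gateway=False).items():
        print(f"{dest}: {'tunnel' if via_tunnel else 'local default gateway'}")
```

If a destination shows as "local default gateway" but the user expects to reach it through the VPN, either enable the Use default gateway on remote network option on the client or reconsider the pool placement; if find_pool_conflicts reports anything, fix that first, because overlapping pools produce exactly the partial-connectivity symptom described above.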
If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.