Troubleshoot Mobile VPN with L2TP
This topic describes common types of problems you might encounter with Mobile VPN with L2TP, and describes the solutions that most often resolve these problems. Even after the VPN client connects, client traffic might not be able to reach some network resources because of network or policy configuration problems.
Installation Issues
For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the
Connection Issues
Verify that the user is a member of the L2TP-Users group on the authentication server. If the user is not in the correct group, the Windows connection might return error code 691. In some OS versions, L2TP users might be able to connect even though they are in the wrong group, so check group membership even when the client connects successfully. When this type of error occurs, the Firebox log file includes a message like this:
2014-08-14 13:01:44 admd Authentication of L2TPVPN user [johndoe@Firebox-DB] from 198.51.100.2 rejected, user isn't in the right group id="1100-0005" Event
If you use RADIUS to authenticate these users, the RADIUS server must return the group membership as the Filter-ID attribute (RADIUS attribute 11). If the group name is returned in a different attribute, or with a different spelling than L2TP-Users, authentication is rejected with the same log message.
For more information about user authentication in Mobile VPN with L2TP, go to About Mobile VPN with L2TP User Authentication.
Issues After Connection
If the VPN client can connect to a network resource by IP address but not by name, the client device might not have correct WINS and DNS information for your network.
In Fireware v12.2.1 or higher, you can select these options in the Mobile VPN with L2TP configuration:
- Assign or not assign the Network (global) DNS servers to mobile clients
- Assign the DNS servers specified in the mobile VPN configuration to mobile clients
In Fireware v12.2 or lower, your Firebox automatically provides client devices with the DNS IP addresses configured in the Network (global) DNS/WINS settings on your device.
If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name to connect, this indicates that the DNS suffix is not defined on the client.
A client without a DNS suffix assigned must use the entire DNS name to resolve the name to an IP address. For example, if your terminal server has the DNS name RDP.example.net, a user cannot type only RDP in the terminal server client to connect. Users must also type the DNS suffix, example.net.
To resolve this problem, you must specify the DNS suffix your PC uses to resolve host names when it is connected to the VPN. For more information, go to Configure DNS settings for L2TP VPN clients in the WatchGuard Knowledge Base.
Routes for L2TP traffic are defined by the client computer, not by the Firebox. On a Windows client, if you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination is in the /24 subnet that contains the virtual IP address assigned to the client computer. For example, if the client is assigned the virtual IP address 10.0.1.225, traffic destined for the 10.0.1.0/24 network is routed through the VPN tunnel, but traffic destined for 10.0.2.0/24 is not.
For more information about how to configure this option, go to Internet Access Through a Mobile VPN with L2TP Tunnel.
When you enable Mobile VPN with L2TP, the Allow-L2TP-Users policy is automatically created to allow traffic from L2TP clients to internal or external network resources. If you have disabled or removed this policy, clients cannot send traffic to internal or external networks.
For more information about this policy, go to About L2TP Policies.
If your VPN clients can connect to certain parts of the network, but not others, or traffic otherwise fails when log messages show traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:
- The virtual IP address pool for Mobile VPN with L2TP clients does not overlap with any IP addresses assigned to internal network users.
- The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
- If the Mobile VPN with L2TP users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.
For more information about how to configure the IP address pool, go to Edit the Mobile VPN with L2TP Configuration.
We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel, because the client sends it to the directly connected home network instead. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
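The routing conditions in the list above, the home-network overlap warning, and the split-tunnel /24 behavior described earlier for Windows clients can all be checked against a planned configuration before users report problems. The following Python script is an added example and is not part of the WatchGuard documentation or of the Firebox software; the address pool, internal networks and routed networks in it are constructed values, not defaults, and the function names are the author's own.

```python
"""Pre-deployment sanity checks for a Mobile VPN with L2TP address plan.

Added example with constructed networks; it does not read a Firebox
configuration. Each check corresponds to one troubleshooting item:
  * pool_conflicts          - pool must not overlap internal or routed/VPN networks
  * home_range_collisions   - corporate/guest nets should avoid 192.168.0.0/24, 192.168.1.0/24
  * split_tunnel_reachable  - what a Windows client reaches when 'Use default gateway
                              on remote network' is cleared (only the /24 of its virtual IP)
"""
from ipaddress import ip_network

# Ranges commonly used on home networks; avoid them on corporate/guest networks.
HOME_LAN_RANGES = (ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"))


def pool_conflicts(pool, internal_nets, other_nets):
    """Return (kind, network) for every configured network the virtual IP pool overlaps.

    kind is 'internal' for networks with internal users and 'routed_or_vpn' for
    other routed networks or VPN tunnels configured on the Firebox.
    """
    pool_net = ip_network(pool)
    conflicts = []
    for net in internal_nets:
        if pool_net.overlaps(ip_network(net)):
            conflicts.append(("internal", str(ip_network(net))))
    for net in other_nets:
        if pool_net.overlaps(ip_network(net)):
            conflicts.append(("routed_or_vpn", str(ip_network(net))))
    return conflicts


def home_range_collisions(corporate_nets):
    """Return the corporate/guest networks that overlap a common home LAN range."""
    return [
        str(net)
        for net in map(ip_network, corporate_nets)
        if any(net.overlaps(home) for home in HOME_LAN_RANGES)
    ]


def split_tunnel_reachable(virtual_ip, internal_nets):
    """Classify internal networks for a split-tunnel Windows client.

    With 'Use default gateway on remote network' cleared, the client routes only
    the /24 containing its virtual IP through the tunnel. Networks inside that
    /24 are reachable, networks that merely overlap it are partially reachable,
    and everything else needs an explicit client route or full tunneling.
    """
    client_route = ip_network(f"{virtual_ip}/24", strict=False)
    result = {"via_tunnel": [], "partial": [], "needs_route": []}
    for net in map(ip_network, internal_nets):
        if net.subnet_of(client_route):
            result["via_tunnel"].append(str(net))
        elif net.overlaps(client_route):
            result["partial"].append(str(net))
        else:
            result["needs_route"].append(str(net))
    return result


if __name__ == "__main__":
    # Constructed address plan for demonstration only.
    L2TP_POOL = "192.168.113.0/24"
    INTERNAL = ["10.0.1.0/24", "10.0.2.0/24", "192.168.1.0/24"]
    ROUTED_OR_VPN = ["172.16.0.0/16", "192.168.113.0/25"]

    print("pool conflicts:", pool_conflicts(L2TP_POOL, INTERNAL, ROUTED_OR_VPN))
    print("home-range collisions:", home_range_collisions(INTERNAL))
    print("split tunnel from 10.0.1.225:", split_tunnel_reachable("10.0.1.225", INTERNAL))
```

Run it against your own pool and network list; any entry under `pool conflicts` or `home-range collisions` is a configuration to fix before troubleshooting client traffic, and anything under `needs_route` explains why a split-tunnel client reaches some subnets but not others.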
If you cannot connect to network resources through an established VPN tunnel, go to Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.