VPN Trouble-Shooting Tips

The VPN service is made up of 3 components: Internet Access, Digital Certificate authentication, and VPN authentication. It is helpful to understand the 3 components when trouble-shooting problems.

Internet Access is the method used to connect the computer to the internet. This may be PDAS (our private dialup service), a public dialup service, high-speed, or wireless. Make sure this connection is working properly before troubleshooting the Digital Certificate or VPN components.

To determine if your internet connection is functioning properly, you can try the following:
- Browse to a web site that would not commonly be visited
- Browse to www.gnb.ca
- Browse to www.exchange.gnb.ca
- If using PDAS, ping 10.212.200.1
- If using any other internet connection, ping 22.214.171.124 or vpn-rpv.gnb.ca
- Telnet to gnb-sd2.gnb.ca 389. This attempts to make a telnet connection on port 389. If this is successful, you will see a flashing cursor in a black window. This means that the server is up, the path is open, and DNS is working properly. If you cannot telnet to gnb-sd2.gnb.ca but you can telnet to 126.96.36.199 389 successfully, you have a DNS problem on the client.

Important Phone Numbers:
- Aliant Internet Helpdesk (Vibe & NBNet) 1-800-560-VIBE (8423)
- Rogers High Speed Internet Helpdesk 1-888-288-4663

Digital Certificate authentication is the method used to verify that a client is an authorized user of the VPN system. A digital certificate is assigned to each user and is to be kept confidential. The digital certificate information is stored in a profile on the computer’s hard drive in a folder called c:\Entrust Profiles. The file will have an *.epf extension. When you log in to Entrust offline, you are using this *.epf file to validate your digital certificate password. Once a profile has been created for an individual, it may be copied to a diskette or other computers. This is useful when a computer’s hard drive is being wiped or re-installed.

To determine if the Entrust system is working properly, you can try the following:
- Once you have established Internet Access, right-click on the yellow key in the status bar and select “Log In To Entrust”. Enter your profile password. Make sure “Work Off-line” is not checked. Right-click on the yellow key again and select “Status”. You should see a box pop up and the words “Connect to Entrust” should appear by the word Status:.

To determine if a Digital Certificate is valid, you can try the following:
- Using MS Outlook, from the main Outlook window, select Express, Entrust Address Book. In the "Look in" drop down box, select Directory Search. Enter the last name of the person you are looking for in the "Search for" box. You will see all the people with that last name appear. If there is a line through a name, it means that the person has been issued a certificate but it has not been set up (a profile has not been created).
- Using Entrust, select Start, Programs, Entrust, Entrust Address Book. In the "Look in" drop down box, select Directory Search. Enter the last name of the person you are looking for in the "Search for" box. You will see all the people with that last name appear. If there is a line through a name, it means that the person has been issued a certificate but it has not been set up (a profile has not been created).

VPN authentication is also a method used to verify that a client is an authorized user of the VPN system. The VPN Client makes a connection to the VPN device and passes the user’s digital certificate information to it. The VPN device uses this information to validate the certificate with the Entrust server. If the certificate does not belong to a group that is granted access through the VPN or if it has been revoked, it will be rejected and will not be allowed to use the VPN. This process takes from 10 to 100 seconds depending on the speed of the connection.
It may appear as if the client has made a positive VPN connection while this process is completing.

To determine if the VPN device is functioning properly, you can try the following:
- If using PDAS, ping 10.212.200.1
- If using any other internet connection, ping 188.8.131.52 or vpn-rpv.gnb.ca

If pinging the VPN server is successful, you are able to communicate with the VPN server.

To determine possible reasons for VPN Client errors:
- Turn on “logging” at the VPN Client. Make sure that all but PPP and Firewall are set to High in the Log Settings section. Have the client send you this log by e-mail. If Internet Access is working, the client will be able to use Outlook Web Access.
- Check the log. You will need to read through a lot of lines of messages and pick out the important ones. You should see a few lines where the client is contacting the gateway (VPN device), then you will see where the certificate is validated. Once you see “Updating certificate successful”, you have a successful VPN connection.
- Check the FAQ on the VPN web site for descriptions of the errors you are seeing. Not all errors are described here, just the common ones. The web site is www.gnb.ca/0900. The user id is vpn-rpv and the password is ragn#995.

So what do I do now?

Once you have worked through the steps above and have determined that the problem is not the Internet Access or the Digital Certificate, make a note of your testing and your findings and contact the CIMS Helpdesk at 444-CIMS (2467) and log a call.
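
The name-versus-address test on port 389 from the Internet Access section, written as a script whose one-line result can go into the note for the helpdesk. This is an added example, not part of the original document; the function names and verdict labels are assumptions, and the server name and address are supplied on the command line. It also goes one step beyond the telnet test by recording when the name resolves to an address other than the documented one.

```python
import socket
import sys

def resolve(host):
    """Return the IPv4 addresses the client's resolver gives for host ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_open(address, port, timeout=5.0):
    """True if a TCP connect succeeds (the 'flashing cursor' in telnet)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(host, known_ip, port=389, resolve=resolve, tcp_open=tcp_open):
    """Return (verdict, note) following the name-vs-IP telnet test.

    verdict labels are hypothetical: ok, ok-unexpected-address, dns, path.
    resolve/tcp_open can be replaced with stubs for offline testing.
    """
    addrs = resolve(host)
    by_name = any(tcp_open(a, port) for a in addrs)
    if by_name and known_ip in addrs:
        # Server up, path open, DNS working.
        return "ok", f"{host} resolves to {addrs} and port {port} answers"
    if by_name:
        # Reachable, but not at the documented address: record it
        # (for example a stale hosts entry or a different resolver answer).
        return "ok-unexpected-address", f"{host} resolves to {addrs}, expected {known_ip}"
    if tcp_open(known_ip, port):
        # Address works, name does not: DNS problem on the client.
        why = "does not resolve" if not addrs else f"resolves to {addrs}"
        return "dns", f"{known_ip}:{port} answers but {host} {why}: client DNS problem"
    return "path", f"neither {host} nor {known_ip} answers on port {port}"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: triage.py <server-name> <server-ip>")
    verdict, note = diagnose(sys.argv[1], sys.argv[2])
    print(f"[{verdict}] {note}")
```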