VPN Trouble-Shooting Tips by docinternet


The VPN service is made up of 3 components: Internet Access, Digital Certificate
authentication, and VPN authentication. It is helpful to understand the 3 components when
trouble-shooting problems.

Internet Access is the method used to connect the computer to the internet. This may be
PDAS (our private dialup service), a public dialup service, high-speed, or wireless. Make sure
this connection is working properly before troubleshooting the Digital Certificate or VPN
components.

   To determine if your internet connection is functioning properly, you can try the following:

   -      Browse to a web site that would not commonly be visited
   -      Browse to www.gnb.ca
   -      Browse to www.exchange.gnb.ca
   -      If using PDAS, ping 10.212.200.1
   -      If using any other internet connection, ping 142.139.0.100 or vpn-rpv.gnb.ca
   -      Telnet to gnb-sd2.gnb.ca 389. This attempts to make a telnet connection on port
          389. If this is successful, you will see a flashing cursor in a black window. This
          means that the server is up, the path is open, and DNS is working properly. If you
          cannot telnet to gnb-sd2.gnb.ca but you can telnet to 142.139.25.254 389
          successfully, you have a DNS problem on the client.
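
   The telnet comparison in the last step can be scripted. The following is an added
   example, not part of the original tips: it repeats the port 389 check by name and by
   address and reports which case applies. The host, address and port are the ones given
   above; the function names and the three verdict strings are assumptions.

```python
import socket

# Host, address and port are the ones named in the telnet step above.
LDAP_HOST = "gnb-sd2.gnb.ca"
LDAP_IP = "142.139.25.254"
LDAP_PORT = 389


def resolve(host):
    """Return the IPv4 address the client's DNS gives for host, or None."""
    try:
        return socket.gethostbyname(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def tcp_open(target, port, timeout=5.0):
    """Return True if a TCP connection to target:port succeeds (the telnet test)."""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name not resolved
        return False


def diagnose(host=LDAP_HOST, ip=LDAP_IP, port=LDAP_PORT,
             resolver=resolve, connector=tcp_open):
    """Classify the by-name and by-address checks as 'ok', 'dns' or 'path'.

    resolver and connector are injectable (an assumption of this example)
    so the decision logic can be exercised without network access.
    """
    resolved = resolver(host)
    # By name: success means server up, path open, DNS working.
    if resolved is not None and connector(host, port):
        return "ok"
    # By name failed; by address separates a client DNS fault from the rest.
    if connector(ip, port):
        return "dns"
    # Neither works: the fault is in Internet Access, the path or the server.
    return "path"


if __name__ == "__main__":
    print(diagnose())
```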

   Important Phone Numbers:

   -   Aliant Internet Helpdesk (Vibe & NBNet)            1-800-560-VIBE (8423)
   -   Rogers High Speed Internet Helpdesk                1-888-288-4663


Digital Certificate authentication is the method used to verify that a client is an authorized
user of the VPN system. A digital certificate is assigned to each user and is to be kept
confidential. The digital certificate information is stored in a profile on the computer’s hard
drive in a folder called c:\Entrust Profiles. The file will have an *.epf extension. When you log
in to Entrust offline, you are using this *.epf file to validate your digital certificate password.
Once a profile has been created for an individual, it may be copied to a diskette or other
computers. This is useful when a computer’s hard drive is being wiped or re-installed.

   To determine if the Entrust system is working properly, you can try the following:

   -      Once you have established Internet Access, right-click on the yellow key in the
          status bar and select “Log In To Entrust”. Enter your profile password. Make sure
          “Work Off-line” is not checked. Right-click on the yellow key again and select
          “Status”. You should see a box pop up and the words “Connect to Entrust” should
          appear by the word Status:.

   To determine if a Digital Certificate is valid, you can try the following:
   -      Using MS Outlook, from the main Outlook window, select Express, Entrust Address
          Book. In the "Look in" drop down box, select Directory Search. Enter the last
          name of the person you are looking for in the "Search for" box. You will see all the
          people with that last name appear. If there is a line through a name, it means that
          the person has been issued a certificate but it has not been set up (a profile has not
          been created).

   -      Using Entrust, select Start, Programs, Entrust, Entrust Address Book. In the "Look
          in" drop down box, select Directory Search. Enter the last name of the person you
          are looking for in the "Search for" box. You will see all the people with that last
          name appear. If there is a line through a name, it means that the person has been
          issued a certificate but it has not been set up (a profile has not been created).


VPN authentication is also a method used to verify that a client is an authorized user of the
VPN system. The VPN Client makes a connection to the VPN device and passes the user’s
digital certificate information to it. The VPN device uses this information to validate the
certificate with the Entrust server. If the certificate does not belong to a group that is granted
access through the VPN or if it has been revoked, it will be rejected and will not be allowed to
use the VPN. This process takes from 10 to 100 seconds depending on the speed of the
connection. It may appear as if the client has made a positive VPN connection while this
process is completing.


   To determine if the VPN device is functioning properly, you can try the following:

   -      If using PDAS, ping 10.212.200.1
   -      If using any other internet connection, ping 142.139.0.100 or vpn-rpv.gnb.ca

   If pinging the VPN server is successful, you are able to communicate with the VPN
   server.

   To determine possible reasons for VPN Client errors, you can try the following:

   -      Turn on “logging” at the VPN Client. Make sure that all but PPP and Firewall are
          set to High in the Log Settings section. Have the client send you this log by e-mail.
          If Internet Access is working, the client will be able to use Outlook Web Access.
   -      Check the log. You will need to read through a lot of lines of messages and pick
          out the important ones. You should see a few lines where the client is contacting
          the gateway (VPN device), then you will see where the certificate is validated.
          Once you see “Updating certificate successful”, you have a successful VPN
          connection.
   -      Check the FAQ on the VPN web site for descriptions of the errors you are seeing.
          Not all errors are described here, just the common ones. The web site is
          www.gnb.ca/0900. The user id is vpn-rpv and the password is ragn#995.

So what do I do now?
Once you have worked through the steps above and have determined that the problem is not
the Internet Access or the Digital Certificate, make a note of your testing and your findings
and contact the CIMS Helpdesk at 444-CIMS (2467) and log a call.

								