Complicated network application, Troubleshooting l2tp – H3C Technologies H3C SecPath F1000-E User Manual

  LocalSID  RemoteSID  LocalTID
  17345     4351       1
  23914     10923      2

# On the LNS, use the display l2tp tunnel command to check the established L2TP tunnels.

[LNS-l2tp1] display l2tp tunnel
  Total tunnel = 2
  LocalTID  RemoteTID  RemoteAddress  Port  Sessions  RemoteName
  1         1          1.1.2.1        1701  1         LAC-1
  2         2          1.1.2.1        1701  1         LAC-1

Complicated Network Application

A security gateway can simultaneously serve as an LAC and an LNS. Additionally, it can support more than one incoming call. If memory and physical lines are sufficient, L2TP can receive and make multiple calls at the same time. See the above examples for complex network configurations. Note that many L2TP applications rely on static routes to initiate connection requests.

Troubleshooting L2TP

The VPN connection setup process is complex. The following presents an analysis of some common faults that may occur in the process. Before troubleshooting the VPN, ensure that the LAC and LNS are connected properly across the public network.

Symptom 1: Users cannot log in.

Analysis and solution:

Possible reasons for login failure are as follows:

Step 1: Tunnel setup failure, which may occur in the following cases:

• The address of the LNS is set incorrectly on the LAC.

• No L2TP group is configured on the LNS to receive calls from the tunnel peer. For more information, see the description of the allow command.

• Tunnel authentication fails. Tunnel authentication must be enabled on both the LAC and LNS and the tunnel authentication passwords configured on the two sides must match.

• If the tunnel is torn down by force on the local end but the remote end has not received the notification packet for reasons such as network delay, a new tunnel cannot be set up.

Step 2: PPP negotiation failure, which may occur because:

• Usernames and/or passwords are incorrectly configured on the LAC or are not configured on the LNS.

• The LNS cannot allocate addresses. This may be because the address pool is too small or no address pool is configured.

• The authentication type is inconsistent. For example, if the default authentication type for a VPN connection created on Windows 2000 is Microsoft Challenge Handshake Authentication Protocol (MSCHAP) but the remote end does not support MSCHAP, the PPP negotiation will fail. In this case, CHAP is recommended.
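
The following is an added example, not part of the H3C manual: a Python helper that parses display l2tp tunnel output from both ends and sorts a login failure into the Step 1 or Step 2 causes above, including the case where one end still holds a tunnel the other end tore down. It assumes the LAC prints the same columns as the LNS output shown on this page and that both outputs come from a single LAC/LNS pair; the names parse_tunnels and triage, the status strings, and the LAC sample are constructed for illustration.

```python
import re

# One data row: LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_tunnels(output):
    """Return one dict per tunnel row; prompt, header and total lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            ltid, rtid, addr, port, sessions, name = m.groups()
            rows.append({"local": int(ltid), "remote": int(rtid), "addr": addr,
                         "port": int(port), "sessions": int(sessions), "name": name})
    return rows

def triage(lac_output, lns_output):
    """Compare both ends of one LAC/LNS pair; keys are (LAC TID, LNS TID)."""
    lac = {(t["local"], t["remote"]): t for t in parse_tunnels(lac_output)}
    lns = {(t["remote"], t["local"]): t for t in parse_tunnels(lns_output)}
    if not lac and not lns:
        return [(None, "no_tunnel")]          # Step 1: tunnel setup failed
    findings = []
    for key in sorted(lac.keys() | lns.keys()):
        if key not in lac:
            status = "stale_on_lns"           # Step 1: LNS missed the teardown
        elif key not in lns:
            status = "stale_on_lac"           # Step 1: LAC missed the teardown
        elif 0 in (lac[key]["sessions"], lns[key]["sessions"]):
            status = "no_session"             # tunnel is up: look at Step 2
        else:
            status = "ok"
        findings.append((key, status))
    return findings

# LNS output as shown on this page.
LNS_SAMPLE = """[LNS-l2tp1] display l2tp tunnel
Total tunnel = 2
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 1.1.2.1 1701 1 LAC-1
2 2 1.1.2.1 1701 1 LAC-1
"""
# Constructed LAC output (prompt, peer address and name are made up): tunnel 2 is gone here.
LAC_SAMPLE = """[LAC-1] display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 1.1.2.2 1701 1 LNS
"""
print(triage(LAC_SAMPLE, LNS_SAMPLE))
```

A stale_on_lns or stale_on_lac result matches the last Step 1 case: the end that still lists the tunnel never received the teardown notification, so a new tunnel cannot be set up until that entry is gone.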