
Troubleshooting l2tp, Symptom 1: failure to access the private network, Analysis and solution – H3C Technologies H3C SecPath F5020 User Manual


LocalSID  RemoteSID  LocalTID  State
21409     3395       4501      Established

# On the LNS, use the display l2tp tunnel command to display the established L2TP tunnel.

[LNS] display l2tp tunnel

LocalTID  RemoteTID  State        Sessions  RemoteAddress  RemotePort  RemoteName
4501      524        Established  1         3.3.3.1        1701        LAC

# On the LNS, you should be able to ping 10.2.0.1, a private network address on the LAC side. This indicates that hosts on 10.2.0.0/16 and those on 10.1.0.0/16 can communicate with each other through the L2TP tunnel.

[LNS] ping -a 10.1.0.1 10.2.0.1
Ping 10.2.0.1 (10.2.0.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.2.0.1: icmp_seq=0 ttl=128 time=1.000 ms
56 bytes from 10.2.0.1: icmp_seq=1 ttl=128 time=1.000 ms
56 bytes from 10.2.0.1: icmp_seq=2 ttl=128 time=1.000 ms
56 bytes from 10.2.0.1: icmp_seq=3 ttl=128 time=1.000 ms
56 bytes from 10.2.0.1: icmp_seq=4 ttl=128 time=1.000 ms

--- Ping statistics for 10.2.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms

Troubleshooting L2TP

Symptom 1: Failure to access the private network

The remote system cannot access the private network.

Analysis and solution

Possible reasons for the access failure include the following:

• Tunnel setup failure, which might occur in the following cases:

  ◦ The address of the LNS is set incorrectly on the LAC (see the lns-ip command).

  ◦ No L2TP group is configured on the LNS to receive tunneling requests from the tunnel peer (see the allow command).

  ◦ Tunnel authentication fails. Tunnel authentication must be enabled on both the LAC and LNS, and the tunnel authentication keys configured on the two sides must match.

• PPP negotiation failure, which might occur for the following reasons:

  ◦ Usernames, passwords, or both are incorrectly configured on the LAC or are not configured on the LNS.

  ◦ The LNS cannot allocate addresses. In this case, check whether IP address negotiation settings are correct on the remote system and LNS.

  ◦ The authentication type is inconsistent. For example, if the peer does not support MS-CHAP (the default authentication type for a VPN connection created on Windows 2000), the PPP negotiation will fail. In this case, change the authentication type to CHAP on Windows 2000.
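The checklist above can be driven from the LNS tables shown at the top of this page. The following Python sketch is an added example, not part of the H3C manual: the function names, the stage labels, and the rule that an established tunnel with no established session points to PPP negotiation are assumptions, and the sample input is constructed from the output printed on this page.

```python
# Added example: names and the stage mapping are illustrative assumptions.

# Constructed sample input, based on the LNS output shown on this page.
TUNNEL_OUTPUT = """[LNS] display l2tp tunnel
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
4501 524 Established 1 3.3.3.1 1701 LAC
"""
SESSION_OUTPUT = """LocalSID RemoteSID LocalTID State
21409 3395 4501 Established
"""

# Checks per stage, taken from the Symptom 1 list in this manual.
CHECKS = {
    "tunnel-setup": ["LNS address on the LAC (lns-ip command)",
                     "L2TP group on the LNS for this peer (allow command)",
                     "tunnel authentication enabled on both sides, keys match"],
    "ppp-negotiation": ["usernames and passwords on the LAC and LNS",
                        "IP address negotiation on the remote system and LNS",
                        "authentication type (for example MS-CHAP versus CHAP)"],
    "data-transmission": ["Symptom 2: connection is up but data does not pass"],
}

def parse_table(text, first_column):
    """Turn a whitespace-separated CLI table into a list of dicts.

    Prompt lines, blank lines and rows whose field count differs from the
    header (for example an empty RemoteName) are skipped.
    """
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == first_column:
            header = fields
        elif header and len(fields) == len(header) and fields[0].isdigit():
            rows.append(dict(zip(header, fields)))
    return rows

def triage(tunnel_text, session_text, peer_name):
    """Return (stage, checks): the first stage that is not yet healthy."""
    tids = {t["LocalTID"] for t in parse_table(tunnel_text, "LocalTID")
            if t["RemoteName"] == peer_name and t["State"] == "Established"}
    if not tids:
        return "tunnel-setup", CHECKS["tunnel-setup"]
    sessions = [s for s in parse_table(session_text, "LocalSID")
                if s["LocalTID"] in tids and s["State"] == "Established"]
    stage = "data-transmission" if sessions else "ppp-negotiation"
    return stage, CHECKS[stage]
```

With the sample tables, `triage(TUNNEL_OUTPUT, SESSION_OUTPUT, "LAC")` reports the `data-transmission` stage, meaning the tunnel and session are up and any remaining fault belongs under Symptom 2.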

Symptom 2: Data transmission failure

Data transmission fails. A connection is established, but data cannot be transmitted. For example, the LAC and LNS cannot ping each other.
