University of Florida VPN Service
Troubleshooting Guide
General Troubleshooting
Please click on your general problem. You will be taken to more specific troubleshooting steps:
- I can't install the software.
- I can start the client, but it never seems to connect correctly. I get an error about a "peer not responding".
- I am asked for my username and password, but it's not letting me on.
- I can connect, and the VPN seems ready to use, but it's not working.
- I connect and start using the VPN, but it keeps disconnecting me.
- I can't un-install the software.
- I am still having problems, what should I do?
I can't install the software
- General Problems:
- Make sure you are running as a privileged user. In Windows NT/2K/XP this means you should be administrator or a member of the local administrators group. In Linux/Unix/MacOSX you need to be root to install (but not use) the software.
- Sometimes there can be problems with the InstallShield program that is used by Windows for program installs. These issues are not specific to the VPN software. Here are some troubleshooting tips from the company that writes InstallShield.
- Windows 95:
- In Windows 95, I get an error about Microsoft DUN (Dial Up Networking) 1.2 not being installed.
This means that you are running a pre-OSR2 release of Windows 95. OSR2 or above is required for the VPN software to work properly. You may be able to update your Windows 95 system with a newer version of DUN to work properly with the VPN software. Please see the following link for more information.
- Windows XP:
- When I try to install the software under XP, it doesn't finish and I get errors about ikernel.exe and rpc failures
There is a fundamental bug in Windows XP that may prevent the software from fully installing. The fix is to upgrade to Service Pack 1. Here is the announcement from Microsoft. You should un-install the VPN client and install SP1. If you have problems un-installing the incomplete client, see below for instructions on doing a manual un-install.
I can start the client, but it never seems to connect correctly. I get an error about a "peer not responding" or "failed to establish connection."
- General Problems:
- Check to make sure you are using TCP based transparent tunneling, which is the default. Settings for this can be found in Options->Properties in the Windows client and by looking at the ufl-vpn.pcf file for the Linux/MacOS-X/Solaris client usually found in /etc/CiscoSystemsVpnClient/Profiles. Also make sure the port is set to 32611. If that does not work, you can also try port 22.
- Change from TCP based transparent tunneling to UDP based transparent tunneling. On the Windows client, go to the properties section as described above and check "Allow IPsec over UDP".
Note: By using UDP based transparent tunneling, you may not be able to have multiple machines behind the same Cable/DSL firewall simultaneously establish VPN sessions. This is due to the way some consumer firewalls handle low numbered UDP ports. Linksys is known to have this problem.
- If that doesn't work, and you have a public IP address and are not behind a firewall, you can disable transparent tunneling. Go to the properties section and uncheck "Enable Transparent Tunneling."
Note: This is not a recommended configuration as firewalls and NAT devices are so common; however, we provide it as a last resort.
- If you are using a Cisco (not Netlock or Movian) client, disable IPsec pass through or VPN compatibility mode on any Cable or DSL firewall.
- If you are using the Netlock or Movian clients, these do not support NAT transparency mode, so if you have a 10.x.x.x, 172.16-20.x.x, or 192.168.x.x address, the client may not work. IPsec or VPN compatibility features are required on the device doing NAT or PAT (such as a Cable/DSL firewall), and even then, sometimes do not work reliably.
- If you are running any personal firewall software, temporarily disable it. If this fixes the problem, you will need to adjust your firewall software to allow the VPN traffic through. See the FAQ for instructions on how to do this. Also see the note below on the XP firewall if you are using XP.
- Make sure you can ping vpn.ns.ufl.edu. If you can't, try vpn-1.ns.ufl.edu or vpn-2.ns.ufl.edu. Also try pinging 128.227.166.118. If you can't ping the named devices, but you can ping by IP address, you have a DNS problem. If you can't ping at all, you *may* have a network problem. Please see your local support staff.
- If you are using dialup, you must un-check "allow local lan access" in the VPN client. This is due to a bug in all versions of the Windows dialup client that (wrongly) associates a classful address mask with the addresses handed out by the dialup servers.
- Check with the local network administrators to verify if there is a firewall in place, and if so, if it allows outgoing destination TCP 32611 or TCP 22 traffic.
- Windows XP:
- Make sure you disable the built in Windows XP firewall. It is not compatible with the Cisco VPN client, and many other pieces of software.
- Linux:
- I am using Redhat 7.2 or above. I have installed the client, and when I try to use it it says I am connecting to 128.227.166.118, but goes no further.
You probably have ipchains or iptables running. This is firewall software that Redhat (and potentially other Linux vendors) activates automatically. You will need to add the proper "holes" in the filter list to allow the VPN software to operate. A good way to make sure this is your problem is to issue the following commands as root:
/etc/init.d/ipchains stop
/etc/init.d/iptables stop
This will temporarily disable the firewall. If your VPN client can connect afterwards, please make the necessary changes in your ipchains/iptables config. See the Installation Instructions section for more information on what must be permitted through the firewall for proper VPN operation.
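Before stopping the firewall wholesale, it helps to know whether the existing ruleset is actually the culprit. The following is an added example (not part of this guide, the Cisco client, or Red Hat's tooling) that evaluates a saved iptables ruleset against the flows the VPN client needs: outbound TCP 32611 or TCP 22 to the concentrator for TCP transparent tunneling, and UDP 500 (IKE) for UDP mode. It models only a small subset of iptables-save syntax with first-match semantics, treats a rule whose match it cannot evaluate (interface or source restrictions, negation) as undecided, and the two rulesets at the bottom are constructed samples.

```python
"""Check whether an iptables OUTPUT chain permits the UF VPN client's traffic.

Added example, not part of the UF guide or the Cisco client. Parses a subset of
iptables-save syntax (-A/-p/-d/--dport/-j, --state, chain policies) and applies
first-match semantics; the sample rulesets at the bottom are constructed.
"""
import ipaddress
import shlex

# From the guide: the concentrator address and the ports it accepts.
VPN_CONCENTRATOR = "128.227.166.118"
REQUIRED_FLOWS = {
    "tcp-transparent": [("tcp", VPN_CONCENTRATOR, 32611), ("tcp", VPN_CONCENTRATOR, 22)],
    "udp-transparent": [("udp", VPN_CONCENTRATOR, 500)],  # IKE, as the guide notes
}

FLAGS_WITH_ARG = {"-A", "-p", "-d", "--dport", "-j", "-m", "--state", "-o", "-i", "-s", "--sport"}
UNMODELLED = {"-o", "-i", "-s", "--sport", "!"}  # restrict the match in ways we don't evaluate


def parse_ruleset(text):
    """Return (chain policies, rules) from iptables-save style text."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):  # e.g. ":OUTPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        rule = {"chain": None, "proto": None, "dst": None, "dport": None,
                "target": None, "new_ok": True, "unmodelled": False}
        i = 0
        while i < len(toks):
            tok = toks[i]
            arg = toks[i + 1] if tok in FLAGS_WITH_ARG and i + 1 < len(toks) else None
            if tok == "-A":
                rule["chain"] = arg
            elif tok == "-p":
                rule["proto"] = arg
            elif tok == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif tok == "--dport":
                rule["dport"] = int(arg)
            elif tok == "-j":
                rule["target"] = arg
            elif tok == "--state":
                # The first packet of a new session is NEW; an ESTABLISHED-only
                # rule does not let the VPN client open its connection.
                rule["new_ok"] = "NEW" in arg.split(",")
            elif tok in UNMODELLED:
                rule["unmodelled"] = True
            i += 2 if tok in FLAGS_WITH_ARG else 1
        rules.append(rule)
    return policies, rules


def verdict(policies, rules, proto, dst, dport, chain="OUTPUT"):
    """First matching terminating rule decides; otherwise the chain policy."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if r["chain"] != chain or r["unmodelled"] or not r["new_ok"]:
            continue
        if r["proto"] not in (None, proto):
            continue
        if r["dst"] is not None and dst_ip not in r["dst"]:
            continue
        if r["dport"] not in (None, dport):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        # LOG and jumps to user chains are not modelled; keep walking.
    return policies.get(chain, "ACCEPT")  # iptables default policy is ACCEPT


def blocked_flows(text, mode="tcp-transparent"):
    """Return the required flows this ruleset would not ACCEPT."""
    policies, rules = parse_ruleset(text)
    return [f for f in REQUIRED_FLOWS[mode] if verdict(policies, rules, *f) != "ACCEPT"]


# Constructed sample: a locked-down host that allows only DNS and HTTP out.
RESTRICTIVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""
# Constructed sample: the same policy with the holes the VPN client needs.
PERMITS_VPN = RESTRICTIVE.replace(
    "COMMIT",
    "-A OUTPUT -p tcp -d 128.227.166.118/32 --dport 32611 -j ACCEPT\n"
    "-A OUTPUT -p tcp -d 128.227.166.118/32 --dport 22 -j ACCEPT\nCOMMIT",
)

if __name__ == "__main__":
    for name, ruleset in (("restrictive", RESTRICTIVE), ("permits-vpn", PERMITS_VPN)):
        print(f"{name}: blocks {blocked_flows(ruleset) or 'nothing'}")
```

Run it against `iptables-save` output from the affected machine; an empty result for the mode you use means the filter is not what is stopping the client, and the two rules appended in `PERMITS_VPN` are the minimal "holes" for TCP transparent tunneling.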
I am asked for my username and password, but it's not letting me on.
- General Problems:
- Make sure your username is in the correct format. For a standard Gatorlink VPN tunnel, the username should be username@ufl.edu, which in most cases is the same as your Gatorlink email address. If you are using the campus-only tunnel, your username should be username@ufl.edu/campus. Although it will work, you should not be using the dialup username format (username/i).
- Make sure your Gatorlink password is not expired. It can be checked from the Gatorlink website.
I can connect, and the VPN seems ready to use, but it's not working.
- General Problems:
- Make sure you are using NAT transparency. The preferred NAT transparency mode is TCP. This can be checked from "Options->Properties" when the VPN client is first started. This will encapsulate your IPsec VPN traffic in a TCP port 32611 packet, which should pass through most firewalls. If for whatever reason, the firewall you are behind does not allow TCP port 32611, we will also accept TCP port 22 (the same as SSH).
- Make sure that your local address is not a 10.x.x.x with a 255.0.0.0 subnet mask. This will interfere with tunnel operation. If you have a home Cable/DSL router, you should configure it to use 192.168.x.x with a 255.255.255.0 subnet mask. 192.168.x.x will never go over the tunnel, and won't interfere with tunnel operation.
- If you are behind a Cable or DSL router, make sure IPsec pass-thru is disabled. This feature is not necessary for the UF VPN service to work, and can actually cause problems.
- Try switching to UDP based NAT transparency. This can be done from "Options->Properties" when the client is first started. Be aware that some Cable/DSL routers will not properly translate UDP port 500, which is used by the IKE protocol when in UDP transparency mode. The end result is that you may not be able to have two active vpn sessions from two different computers behind some Cable/DSL routers.
- If you have a public IP address, and are not behind a firewall, try disabling NAT transparency. This can be done from "Options->Properties" when the client is first started by un-checking "Enable Transparent Tunnel".
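The 10.x.x.x/255.0.0.0 warning above and the dialup "classful mask" bug in the previous section are two faces of the same problem: the client excludes the local subnet from the tunnel, so an over-wide local mask pulls remote destinations off the tunnel. The following is an added example (not part of this guide or the Cisco client) that computes the local subnet the client would see, including the classful default the Windows dialup stack wrongly applied, and lists which destinations would be treated as local. Every address except the concentrator is constructed, and the idea that campus resources sit in 10/8 or that dialup handed out 128.227.x.x addresses is an assumption for illustration, not something the guide states.

```python
"""Which destinations does the client's local-subnet exception keep off the tunnel?

Added example, not part of the UF guide or the Cisco client. Sample addresses
other than the concentrator are constructed; campus hosts in 10/8 and a dialup
address in 128.227/16 are assumptions for illustration.
"""
import ipaddress


def classful_mask(ip):
    """Default mask the Windows dialup stack applied (the bug the guide describes)."""
    first = int(str(ip).split(".")[0])
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    if first < 224:
        return "255.255.255.0"    # class C
    raise ValueError("no classful mask for a class D/E address")


def local_subnet(ip, mask=None):
    """Local network as the client sees it; a missing mask means the classful default."""
    mask = mask or classful_mask(ip)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def bypasses_tunnel(local_ip, mask, destination):
    """True when the destination lies in the local subnet and so is routed off the tunnel."""
    return ipaddress.ip_address(destination) in local_subnet(local_ip, mask)


def check_local_address(local_ip, mask, tunnel_destinations):
    """Return the tunnel destinations the local-subnet exception would pull off the tunnel."""
    net = local_subnet(local_ip, mask)
    return [d for d in tunnel_destinations if ipaddress.ip_address(d) in net]


# Constructed destinations that should travel inside the tunnel: an assumed
# campus host in 128.227/16 and an assumed campus host in 10/8.
TUNNEL_DESTINATIONS = ["128.227.10.20", "10.227.1.10"]

if __name__ == "__main__":
    cases = [
        ("10.0.1.25", "255.0.0.0", "home router handing out 10/8 with a /8 mask"),
        ("192.168.1.25", "255.255.255.0", "recommended 192.168.x.x with a /24 mask"),
        ("128.227.50.7", None, "constructed dialup address with the classful-mask bug"),
    ]
    for ip, mask, label in cases:
        leaked = check_local_address(ip, mask, TUNNEL_DESTINATIONS)
        print(f"{label}: local subnet {local_subnet(ip, mask)} -> off-tunnel: {leaked or 'none'}")
```

The 192.168.x.x/24 case leaves nothing off the tunnel, which is why the guide recommends it; the /8 and classful cases both swallow destinations that the tunnel is supposed to carry.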
I connect and start using the VPN, but it keeps disconnecting me.
- General Problems:
- Make sure you are using NAT transparency. The preferred NAT transparency mode is TCP. This can be checked from "Options->Properties" when the VPN client is first started. This will encapsulate your IPsec VPN traffic in a TCP port 32611 packet, which should pass through most firewalls. If for whatever reason, the firewall you are behind does not allow TCP port 32611, we will also accept TCP port 22 (the same as SSH).
- If you have a laptop, verify that it is not going into hibernate or suspend mode. Also, verify that your wireless or wired network card is not going into suspend mode. The most reliable setting for the network card is to disable power management on the card, and let the laptop itself suspend. This will give you a very clear indication that the laptop is going into low power mode. The VPN concentrator and client send IKE keepalives back and forth to let each know the other is still there. When your laptop or network card goes into suspend, it stops sending the keepalives. After a while, the VPN concentrator will decide that your client is no longer working properly and disconnect your session.
Workaround: Before you suspend your laptop, close the VPN connection.
- Verify that there is not a duplicate IP address on the network you are on. This will cause frequent drops to the VPN connection.
- Switch to a campus-only tunnel by changing your username to username@ufl.edu/campus. Normally, all traffic except local subnet and DHCP traffic will take the tunnel. This may get in the way of some other process that must function on a foreign network to remain connected, such as an ICMP "heartbeat". With the campus-only tunnel, only traffic bound for UF will take the VPN tunnel.
- If you still have problems with a campus-only tunnel, try pinging 65.114.59.138. Do you see any packet loss? If so, please report this to your local service provider. Some amount of packet loss can cause the keepalives to be dropped, and the tunnel to be disconnected.
I can't un-install the software.
- General Problems:
- Make sure you are a privileged user. In Windows NT/2k/XP, you must be administrator, or a user in the administrators group. In Linux/Unix/MacOSX, you must be root.
- Windows NT/2k/XP:
- Perform a manual un-install with the following guide.
Warning: This process involves editing the registry. Make sure you are comfortable doing this. Done improperly, such changes could render the machine unusable.
- Linux/Unix/MacOS-X:
- Perform an uninstall according to the following instructions.
I am still having problems, what should I do?
- Take a look through the FAQ. That has a number of answers to common questions.
- Contact the UF Computing Helpdesk at 392-HELP.