A virtual private network (VPN) provides secure connections, but many problems can occur. The following are some common situations and suggestions for handling them.
The user cannot access the file server.
If the user can access the file server through an IP address but not by name, the most likely cause is a name resolution problem. It may be due to a problem with NetBIOS or DNS host name resolution. If the client operating system uses NetBIOS, the VPN Server should assign an intranet host name to the VPN Client.
If you use DNS to resolve intranet host names for VPN users, make sure that these clients can correctly resolve the domain names used in the enterprise network. This problem is often encountered when a computer without a domain name tries to use DNS to resolve the domain name of an intranet server behind the VPN Server.
Users cannot access any content of CEN
Sometimes users can connect to a remote VPN Server, but cannot connect to any resources in the enterprise network. They cannot resolve host names or even ping resources in the enterprise network.
The most common cause of this problem is that the enterprise network behind the VPN Server uses the same network ID as the network the user is connecting from. For example, suppose the user connects to a hotel broadband network whose network ID is 10.0.0.0/24. If the enterprise network also uses the 10.0.0.0/24 ID, the connection cannot work: the VPN Client machine regards the destination address as a local network address, so it does not send the traffic to the remote network through the VPN interface.
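The network ID conflict described above can be checked directly. The following is an added example, not part of the original article: it assumes the VPN Client sends all non-local traffic through the VPN (a default route on the VPN interface), and the function names and the server address 10.0.0.25 are made up for illustration.

```python
import ipaddress

def pick_route(dest, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net, ifc) for net, ifc in routes if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)

def diagnose(local_cidr, enterprise_cidr, server_ip):
    """Report whether a client on local_cidr can reach server_ip via the VPN.

    local_cidr      network the client sits on (hotel, home, ...)
    enterprise_cidr network behind the VPN Server
    server_ip       intranet host the user is trying to reach
    """
    # strict=False accepts an interface address such as 10.0.0.17/24
    local = ipaddress.ip_network(local_cidr, strict=False)
    enterprise = ipaddress.ip_network(enterprise_cidr, strict=False)

    # Assumed client routing table: an on-link route for the local LAN and
    # a default route through the VPN interface for everything else.
    routes = [
        (local, "lan"),
        (ipaddress.ip_network("0.0.0.0/0"), "vpn"),
    ]
    _, interface = pick_route(server_ip, routes)
    return {
        "overlap": local.overlaps(enterprise),  # the network IDs collide
        "interface": interface,                 # where the packet is sent
        "reachable_via_vpn": interface == "vpn",
    }

if __name__ == "__main__":
    # Constructed cases: same ID, unrelated ID, and a partial overlap
    # where only part of the enterprise range is shadowed by the LAN.
    cases = [
        ("10.0.0.0/24", "10.0.0.0/24", "10.0.0.25"),
        ("192.168.1.0/24", "10.0.0.0/24", "10.0.0.25"),
        ("10.0.0.0/24", "10.0.0.0/16", "10.0.5.9"),
    ]
    for case in cases:
        print(case, diagnose(*case))
```

In the third case the ranges overlap but the server lies outside the local /24, so only enterprise hosts inside the shared range are unreachable.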
Another common cause of communication failure is that the rules on the VPN Server/firewall device connected to the VPN Client do not allow the client to access resources in the enterprise network. The solution is to modify the firewall configuration and allow the VPN Client to access appropriate network resources.
The user cannot connect to the VPN Server from behind a NAT device
Most firewalls and NAT routers support the PPTP VPN protocol from behind the NAT device. However, some high-end network equipment vendors do not include a NAT editor for the PPTP VPN protocol. If the user is behind such a device, a VPN connection using PPTP will fail, while a connection using another VPN protocol will succeed.
All NAT devices and firewalls support IPSec passthrough for IPSec-based VPN protocols. These VPN protocols include IPSec tunnel mode and RFC-compatible L2TP/IPSec. They support NAT traversal (NAT-T): the IPSec traffic is encapsulated in UDP headers for its round trip through the network.
If your VPN Client and Server both support NAT-T, but the client fails when it tries to use L2TP/IPSec to connect to a NAT-T-compatible VPN Server through a NAT device, the most likely cause is that the client runs Windows XP Service Pack 2. Service Pack 2 blocks NAT communication for L2TP/IPSec VPN clients. To solve this problem, follow the instructions in Microsoft Knowledge Base article 885407 to modify the registry of the VPN Client.
Users complain that the connection is too slow
Poor performance is one of the most difficult problems to solve, and there are many possible causes. It is important to obtain accurate and detailed descriptions from users: clarify what they are doing and when they notice the slow speeds.
One of the most common causes of slow VPN clients is that they are located behind a PPPoE DSL network. These network connections often run into maximum transmission unit (MTU) problems, which can affect both connectivity and performance. For more information about the MTU issue on Microsoft clients, see Microsoft Knowledge Base article 283165.