VPN Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
VPN Tools and Settings
In this section
Windows Server 2003 provides the following tools to troubleshoot VPN connections:
TCP/IP Troubleshooting Tools
Authentication and Accounting Logging
Event Logging
IAS Event Logging
PPP Logging
Tracing
Oakley Logging
Network Monitor
TCP/IP Troubleshooting Tools
The Ping, Tracert, and Pathping tools use ICMP Echo and Echo Reply messages to verify connectivity, display the path to a destination, and test path integrity. The route print command can be used to display the IP routing table. Alternately, on the VPN server, you can use the netsh routing ip show rtmroutes command or the Routing and Remote Access snap-in. The Nslookup tool can be used to troubleshoot DNS and name resolution issues.
Authentication and Accounting Logging
A VPN server running Windows Server 2003 supports the logging of authentication and accounting information for remote access VPN connections in local logging files when Windows authentication or Windows accounting is enabled. This logging is separate from the events recorded in the system event log. You can use the information that is logged to track remote access usage and authentication attempts. Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.
Enable authentication and accounting logging from the Settings tab on the properties of the Local File object in the Remote Access Logging folder in the Routing and Remote Access snap-in (if the Routing and Remote Access service is configured for Windows authentication and accounting) or the Internet Authentication Service snap-in (if the Routing and Remote Access service is configured for RADIUS authentication and accounting and the RADIUS server is an IAS server)
The authentication and accounting information is stored in a configurable log file or files stored in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.
If the VPN server is configured for RADIUS authentication and accounting and the RADIUS server is a computer running Windows Server 2003 and IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.
IAS for Windows Server 2003 can also send authentication and accounting information to a Structured Query Language (SQL) database.
Event Logging
On the Logging tab in the properties of a VPN server in the Routing and Remote Access snap-in, there are four levels of logging. Select Log all events, and then try the connection again. After the connection fails, check the system event log for events logged during the connection process. After you are done viewing remote access events, select the Log errors and warnings option on the Logging tab to conserve system resources.
IAS Event Logging
If your VPN servers are configured for RADIUS authentication and your RADIUS servers are computers running Windows Server 2003 and IAS, check the system event log for IAS events for rejected or accepted connection attempts. IAS system event log entries contain a lot of information about the connection attempt including the name of the remote access policy that accepted or rejected the connection attempt. IAS event logging for rejected or accepted connection attempts is enabled by default and configured from the Service tab from the properties of an IAS server in the Internet Authentication Service snap-in.
PPP logging
PPP logging records the series of programming functions and PPP control messages during a PPP connection and is a valuable source of information when you are troubleshooting the failure of a PPP connection. To enable PPP logging, select the Log additional Routing and Remote Access information option on the Logging tab on the properties of a remote access server.
By default, the PPP log is stored as the Ppp.log file in the SystemRoot\Tracing folder.
Tracing
The Windows Server 2003 Routing and Remote Access service has an extensive tracing capability that you can use to troubleshoot complex network problems. You can enable the components in Windows Server 2003 to log tracing information to files using the Netsh command or through the registry.
Enabling Tracing with Netsh
You can use the Netsh command to enable and disable tracing for specific components or for all components.
To enable and disable tracing for a specific component, use the following syntax:
netsh ras set tracingComponentenabled|disabled
where Component is a component in the list of Routing and Remote Access service components found in the Windows Server 2003 registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the RASAUTH component, the command is:
netsh ras set tracing rasauth enabled
To enable tracing for all components, use the following command:
netsh ras set tracing * enabled
Enabling Tracing Through the Registry
You can configure the tracing function by changing settings in the Windows Server 2003 registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
You can enable tracing for each Routing and Remote Access service component by setting the registry values described later. You can enable and disable tracing for components while the Routing and Remote Access service is running. Each component is capable of tracing and appears as a subkey under the preceding registry key.
To enable tracing for each component, you can configure the following registry entries for each protocol key:
EnableFileTracing REG_DWORD Flag
You can enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0.
FileDirectory REG_EXPAND_SZ Path
You can change the default location of the tracing files by setting FileDirectory to the path you want. The file name for the log file is the name of the component for which tracing is enabled. By default, log files are placed in the SystemRoot\Tracing folder.
FileTracingMask REG_DWORD LevelOfTracingInformationLogged
FileTracingMask determines how much tracing information is logged to the file. The default value is 0xFFFF0000.
MaxFileSize REG_DWORD SizeOfLogFile
You can change the size of the log file by setting different values for MaxFileSize. The default value is 0x10000 (64K).
Note
Tracing consumes system resources and should be used sparingly to help identify network problems. After the trace is captured or the problem is identified, you should immediately disable tracing. Do not leave tracing enabled on multiprocessor computers.
Note
Tracing information can be complex and very detailed. Most of the time this information is useful only to Microsoft support professionals or to network administrators who are very experienced with the Routing and Remote Access service. Tracing information can be saved as files and sent to Microsoft support for analysis.
Oakley Logging
You can use the Oakley log to view details about the SA establishment process. The Oakley log is enabled in the registry. It is not enabled by default. To enable the Oakley log, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created.
After it is enabled, the Oakley log, which is stored in the SystemRoot\Debug folder, records all IPSec SA negotiations. A new Oakley.log file is created each time the IPSec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.
To activate the new EnableLogging registry setting after modifying its value, stop and start the IPSec Policy Agent and related IPSec services by running the following sequence of commands:
Stop the Routing and Remote Access service using the net stop remoteaccess command.
Stop the IPSec services using the net stop policyagent command.
Start the IPSec services using the net start policyagent command.
Start the Routing and Remote Access service using the net start remoteaccess command.
Network Monitor
Use Network Monitor, a packet capture and analysis tool supplied with Windows Server 2003, to capture and view the traffic sent between a VPN server and VPN client during the VPN connection process and during data transfer. You cannot interpret the encrypted portions of VPN traffic with Network Monitor. Network Monitor is installed as an optional networking component.
The proper interpretation of the remote access and VPN traffic with Network Monitor requires an in-depth understanding of PPP, PPTP, IPSec, and other protocols. Network Monitor captures can be saved as files and sent to Microsoft support for analysis.