How to Troubleshoot When a Remote Access VPN Client Cannot Access an Internal Server?

Zyxel_Cooldia, Zyxel Employee
edited June 19 in VPN

1. Confirm VPN Tunnel Status

  • Navigate to:
    VPN Status > IPSec VPN > Remote Access VPN
  • Verify whether the VPN client is listed as connected.
  • Ensure the VPN tunnel is successfully established to the firewall.

2. Check VPN Client IP Assignment

  • Confirm that the VPN virtual NIC has been assigned an IP address by the firewall. This indicates that the client has successfully connected and received network configuration.
  • Windows command prompt: ipconfig

3. Verify Routing Table

  • Check whether a route to the internal subnet is present and associated with the VPN interface.
  • Windows command prompt: route print -4
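The two client-side checks above (step 2: did the VPN adapter get an address; step 3: is the internal server reached through that adapter) can be automated by parsing the `ipconfig` and `route print -4` output. The script below is an added example, not part of the original post or of any Zyxel tool; the adapter names, addresses and subnets in the embedded sample output are constructed, and the `diagnose()` helper and its keyword argument are assumptions of this example. It applies the same longest-prefix, lowest-metric rule Windows uses when choosing a route, so it tells you which interface the server traffic would actually leave on.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample outputs in the shape Windows `ipconfig` and `route print -4`
# produce. Adapter names, addresses and subnets are made up for this example.
IPCONFIG_SAMPLE = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter VPN Client:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""

ROUTE_PRINT_SAMPLE = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
     192.168.10.0    255.255.255.0         On-link        10.10.10.2     26
===========================================================================
"""

# Adapter headers are unindented and end with ':'; field lines are indented.
ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")
IPV4_RE = re.compile(r"^\s*IPv4 Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_ipconfig(text: str) -> dict:
    """Map adapter name -> IPv4 address; adapters without an IPv4 address are omitted."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IPV4_RE.match(line)
        if m and current:
            adapters[current] = m.group(1)
    return adapters


def parse_routes(text: str) -> list:
    """Return (network, gateway, interface, metric) tuples from `route print -4` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes


def best_route(routes: list, target: str) -> Optional[tuple]:
    """Longest-prefix match, lowest metric breaking ties (how Windows selects a route)."""
    ip = ipaddress.ip_address(target)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def diagnose(ipconfig_text: str, route_text: str, vpn_adapter_keyword: str, server_ip: str) -> dict:
    """Run checklist steps 2 and 3 and report the first one that fails (hypothetical helper)."""
    adapters = parse_ipconfig(ipconfig_text)
    vpn_ip = next((ip for name, ip in adapters.items()
                   if vpn_adapter_keyword.lower() in name.lower()), None)
    if vpn_ip is None:
        return {"step": 2, "ok": False, "vpn_ip": None, "route": None,
                "finding": "VPN adapter has no IPv4 address: tunnel not up or no address assigned"}
    route = best_route(parse_routes(route_text), server_ip)
    if route is None or route[2] != vpn_ip:
        via = route[2] if route else "none"
        return {"step": 3, "ok": False, "vpn_ip": vpn_ip, "route": route,
                "finding": f"{server_ip} would leave via interface {via}, not the VPN adapter"}
    return {"step": 3, "ok": True, "vpn_ip": vpn_ip, "route": route,
            "finding": "client side looks right; continue with the ARP, ping and policy checks"}


if __name__ == "__main__":
    for server in ("192.168.10.20", "172.16.5.5"):
        print(server, diagnose(IPCONFIG_SAMPLE, ROUTE_PRINT_SAMPLE, "VPN", server))
```

On a real client, replace the two sample strings with the captured output of `ipconfig` and `route print -4` and pass a keyword that matches your VPN adapter's name. A failure at step 3 with the default route's interface in the finding usually means the firewall did not push the internal subnet to the client (or the client's split-tunnel configuration omits it), which is worth fixing before spending time on ARP tables or packet captures.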

4. Check ARP/MAC Table on Firewall

  • Look up the internal server's IP in the firewall's ARP table. An entry there confirms the firewall has recently exchanged traffic with the destination device.
  • Firewall CLI: show arp-table

5. Ping Test and Basic Connectivity

  • If there is an ICMP reply, basic connectivity is working.
  • If there is a reply but the service is still unreachable, check whether endpoint protection or a host-based firewall on the server is blocking connections to that service.
  • Windows command prompt: ping X.X.X.X

6. Packet Capture (Optional)

  • If no ICMP response is received, perform a packet capture on the firewall's LAN interface.
  • Check whether ICMP or service traffic from the VPN client is leaving the firewall.
  • If traffic is seen leaving the firewall but no reply is received, inspect the destination server to ensure it is not blocking the traffic with security software or firewall rules.
  • Firewall CLI: cmd traffic-capture [interface] filter "host X.X.X.X"

7. Verify Firewall Security Policies

  • Review the firewall security policies to ensure that traffic from the VPN subnet to the internal network is allowed.
  • If unsure, temporarily disable related security policies to test connectivity.
  • If disabling the policy resolves the issue, refine the policy rules so that they permit only the traffic the VPN clients actually need.