How to Troubleshoot When a Remote Access VPN Client Cannot Access an Internal Server?
Zyxel_Cooldia
Zyxel Employee
1. Confirm VPN Tunnel Status
- Navigate to: VPN Status > IPSec VPN > Remote Access VPN
- Verify whether the VPN client is listed as connected.
- Ensure the VPN tunnel is successfully established to the firewall.
2. Check VPN Client IP Assignment
- Confirm that the VPN virtual NIC has been assigned an IP address by the firewall. This indicates that the client has successfully connected and received network configuration.
- Windows command prompt: ipconfig
3. Verify Routing Table
- Check whether a route to the internal subnet is present and associated with the VPN interface.
- Windows command prompt: route print -4
4. Check ARP/MAC Table on Firewall
- Look for the internal server’s IP and verify if it appears in the ARP table. This confirms the firewall has recently communicated with the destination device.
- Firewall CLI: show arp-table
5. Ping Test and Basic Connectivity
- If there is an ICMP reply, basic connectivity is working.
- If there is a reply but the service is still unreachable, verify whether endpoint protection or a host-based firewall on the server is blocking connections to that service.
- Windows command prompt: ping X.X.X.X
6. Packet Capture (Optional)
- If no ICMP response is received, perform a packet capture on the firewall's LAN interface.
- Check whether ICMP or service traffic from the VPN client is leaving the firewall.
- If traffic is seen leaving the firewall but no reply is received, inspect the destination server to ensure it is not blocking the traffic with security software or firewall rules.
- Firewall CLI: cmd traffic-capture [interface] filter "host X.X.X.X"
7. Verify Firewall Security Policies
- Review the firewall security policies to ensure that traffic from the VPN subnet to the internal network is allowed.
- If unsure, temporarily disable related security policies to test connectivity.
- If disabling the policy resolves the issue, refine the policy rules accordingly to permit only necessary traffic securely.
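
Steps 2 and 3 can be checked together by confirming that the route Windows would actually select for the server leaves through the VPN virtual NIC. The following is an added example, not part of the original post: it parses `route print -4` output and applies longest-prefix, then lowest-metric selection, which goes slightly beyond simply checking that a route exists. The sample output, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample of `route print -4` output (not from a real host). Assumed:
# VPN NIC 10.10.10.2, home LAN NIC 192.168.0.50, internal subnet 192.168.1.0/24.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.50     25
       10.10.10.2  255.255.255.255         On-link        10.10.10.2    257
      192.168.0.0    255.255.255.0         On-link      192.168.0.50    281
      192.168.1.0    255.255.255.0         On-link        10.10.10.2     26
===========================================================================
Persistent Routes:
"""

def parse_active_routes(text):
    """Return (network, gateway, interface_ip, metric) tuples from Active Routes."""
    routes, in_active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            in_active = True
            continue
        if line.startswith("Persistent Routes"):
            break
        parts = line.split()
        if not in_active or len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            iface = ipaddress.ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue  # header or separator row
        routes.append((net, parts[2], iface, metric))
    return routes

def egress_interface(text, dest_ip):
    """Pick the route Windows would use: longest prefix first, then lowest metric."""
    dest = ipaddress.ip_address(dest_ip)
    hits = [r for r in parse_active_routes(text) if dest in r[0]]
    if not hits:
        return None
    best = min(hits, key=lambda r: (-r[0].prefixlen, r[3]))
    return str(best[2])

def routed_via_vpn(text, server_ip, vpn_nic_ip):
    """True only if traffic to server_ip leaves through the VPN virtual NIC."""
    return egress_interface(text, server_ip) == vpn_nic_ip
```

If `routed_via_vpn` returns False, traffic for the server is leaving through another adapter (for example the default route on the local LAN), so the later firewall-side checks will show nothing arriving from the client.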