How to Troubleshoot When a Remote Access VPN Client Cannot Access an Internal Server?
Options

Zyxel_Cooldia
Posts: 1,537
Zyxel Employee





1. Confirm VPN Tunnel Status
- Navigate to:
VPN Status > IPSec VPN > Remote Access VPN
- Verify whether the VPN client is listed as connected.
- Ensure the VPN tunnel is successfully established to the firewall.
2. Check VPN Client IP Assignment
- Confirm that the VPN virtual NIC has been assigned an IP address by the firewall. This indicates that the client has successfully connected and received network configuration.
- Windows command prompt : ipconfig
3. Verify Routing Table
- Check whether a route to the internal subnet is present and associated with the VPN interface.
- Windows command prompt: route print -4
4. Check ARP/MAC Table on Firewall
- Look for the internal server’s IP and verify if it appears in the ARP table. This confirms the firewall has recently communicated with the destination device.
- Firewall CLI: show arp-table
5. Ping Test and Basic Connectivity
- If there is an ICMP reply, basic connectivity is working.
- If there is a reply but the service is still unreachable, verify whether endpoint protection or host-based firewalls on the server are blocking other service connection.
- Windows command prompt: ping X.X.X.X
6. Packet Capture (Optional)
- If no ICMP response is received, perform a packet capture on the firewall's LAN interface.
- Check whether ICMP or service traffic from the VPN client is leaving the firewall.
- If traffic is seen leaving the firewall but no reply is received, inspect the destination server to ensure it is not blocking the traffic with security software or firewall rules.
- Firewall CLI: cmd traffic-capture [interface] filter "host X.X.X.X"
7. Verify Firewall Security Policies
- Review the firewall security policies to ensure that traffic from the VPN subnet to the internal network is allowed.
- If unsure, temporarily disable related security policies to test connectivity.
- If disabling the policy resolves the issue, refine the policy rules accordingly to permit only necessary traffic securely.
Tagged:
0
Categories
- All Categories
- 435 Beta Program
- 2.7K Nebula
- 175 Nebula Ideas
- 117 Nebula Status and Incidents
- 6.1K Security
- 422 USG FLEX H Series
- 297 Security Ideas
- 1.6K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 44 Wireless Ideas
- 6.7K Consumer Product
- 272 Service & License
- 418 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 89 Security Highlight