Troubleshooting VPN Connectivity

Reset a dead peer for L2TP VPN on USG or EdgeRouter

This fix applies to an L2TP VPN connection that was working and has since stopped. It is for L2TP VPNs only, and to our knowledge the problem is only prevalent on Windows clients. The router still holds an IKE security association (SA) in the ESTABLISHED state for the client even though the client side has gone away; terminating that stale SA lets the client negotiate a fresh one.

  1. Have the affected person open ipinfo.tw in a browser on the affected device. The address shown is their public WAN IP, which the following steps need.
  2. SSH into the router.
  3. Run sudo swanctl --list-sas | grep -B 2 ###.###.###.###, replacing the #s with the public WAN IP of the person having the issue. grep -B 2 prints the two lines before each match, which reach back to the SA header line for that peer.
  4. Find the line of the form remote-access: #XXXX, ESTABLISHED and note the number after the #. That number is the IKE SA identifier. If more than one header matches (several clients behind the same public IP), check the remote identity shown for each before picking one, so that a working client is not dropped.
  5. Run sudo swanctl --terminate --ike-id XXXX, where XXXX is the number from the previous step.
  6. swanctl should respond with terminate completed successfully.
  7. The client should now be able to reconnect to the VPN.
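The procedure above, as an added example that is not part of the original article: a POSIX shell script for the router that does steps 3 through 6 for a given client IP. It is written against strongSwan's swanctl as the article uses it, and assumes the L2TP connection is named remote-access and that the router account uses sudo, as in the article's own commands. The swanctl output embedded in sample_sas is constructed for offline testing; its addresses, identities and SA numbers are made up. The function name reset_dead_peer and the refusal to act when several SAs share one public IP are choices made here, not behaviour of swanctl itself.

```shell
#!/bin/sh
# Added example, not from the original article: automate steps 3-6 of the
# dead-peer reset. Assumes strongSwan's swanctl on a USG/EdgeRouter and an
# L2TP connection named "remote-access" (taken from the article's output).

# Constructed swanctl --list-sas output for offline testing. Addresses,
# identities and SA numbers are made up; the shape matches real output:
# IKE SA headers start in column 1, child SAs are indented under them.
sample_sas() {
  cat <<'EOF'
remote-access: #17, ESTABLISHED, IKEv1, 7f4f1d4bb1dd8f48_i 6a4a5c1c9b5f4d6b_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '192.168.1.50' @ 198.51.100.23[4500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 5432s ago, rekeying in 22000s
  remote-access: #9, reqid 3, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 5432s ago, rekeying in 1200s, expires in 3600s
    in  c3b7e8d5,  12345 bytes,   321 packets
    out c9e4f2a1,  23456 bytes,   432 packets
remote-access: #23, ESTABLISHED, IKEv1, 0a1b2c3d4e5f6a7b_i 1b2c3d4e5f6a7b8c_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '10.0.0.7' @ 198.51.100.77[4500]
  established 12s ago, rekeying in 28000s
remote-access: #31, ESTABLISHED, IKEv1, 9a8b7c6d5e4f3a2b_i 8b7c6d5e4f3a2b1c_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '192.168.1.51' @ 198.51.100.23[4500]
  established 8s ago, rekeying in 28000s
remote-access: #40, CONNECTING, IKEv1, 5e4f3a2b1c0d9e8f_i 0000000000000000_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '%any' @ 198.51.100.88[4500]
EOF
}

# Print the id of every ESTABLISHED IKE SA whose remote peer address is the
# given public IP (step 4). Reads swanctl --list-sas output on stdin.
find_ike_id() {
  awk -v ip="$1" '
    /^[A-Za-z]/ {                 # IKE SA header, e.g. "remote-access: #17, ESTABLISHED, ..."
      id = $0
      sub(/^[^#]*#/, "", id)      # drop everything up to and including the "#"
      sub(/,.*/, "", id)          # keep only the number
      established = ($0 ~ /ESTABLISHED/)
    }
    # peer line of the current IKE SA; "[" after the IP avoids prefix matches
    /^ +remote / && established && index($0, "@ " ip "[") { print id }
  '
}

# Steps 3-6: look up the stale SA for a client IP and terminate it. Refuses to
# act when several SAs share the IP (clients behind one NAT) so that a working
# client is not dropped; the operator then picks the id by hand.
reset_dead_peer() {
  ip="$1"
  ids=$(sudo swanctl --list-sas | find_ike_id "$ip")
  if [ -z "$ids" ]; then
    echo "No ESTABLISHED IKE SA for $ip; check whether the client is using IPv6" >&2
    return 1
  fi
  count=$(printf '%s\n' "$ids" | awk 'END { print NR }')
  if [ "$count" -ne 1 ]; then
    echo "Several SAs match $ip: $(printf '%s' "$ids" | tr '\n' ' ')" >&2
    echo "Pick the stale one by hand: sudo swanctl --terminate --ike-id <id>" >&2
    return 2
  fi
  # swanctl prints "terminate completed successfully" on success (step 6)
  sudo swanctl --terminate --ike-id "$ids"
}

# Usage on the router: sh reset_dead_peer.sh <client public WAN IP>
if [ $# -eq 1 ]; then
  reset_dead_peer "$1"
fi
```

Run it on the router as sh reset_dead_peer.sh 198.51.100.23 with the client's real WAN IP. The CONNECTING entry in the sample is there to show why find_ike_id filters on ESTABLISHED: a fresh attempt from the same client can show up as a second, half-open SA, and terminating that one does nothing useful.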

Disable IPv6

If no ESTABLISHED SA for the client's IP shows up when running the commands above, check whether the client computer is preferring IPv6. This caused a connection failure in at least one case, and the fix was not obvious.

While troubleshooting, we observed that the client computer was showing an IPv6 address on https://ipinfo.tw, where it normally shows an IPv4 address. The client was not able to connect to the VPN while IPv6 was enabled.

After IPv6 was disabled on the primary network adapter (Wi-Fi in that case; Ethernet if the machine is hard-wired) via Change adapter options --> the adapter --> Properties --> uncheck Internet Protocol Version 6 (TCP/IPv6), the VPN connection established.

Additional information

The following document details troubleshooting instructions for the end user and can be distributed to the customer:
