Troubleshooting Remote Access

Applies To: Windows 7, Windows Server 2008 R2

For specific troubleshooting scenarios, see Remote Access Problems and Solutions.

You can use the following tools and commands to troubleshoot virtual private network (VPN) connections:

TCP/IP troubleshooting tools

The Ping, Tracert, and Pathping tools use ICMP Echo and Echo Reply messages to verify connectivity, display the path to a destination, and test path integrity. The route print command can be used to display the IP routing table. Alternatively, you can use the netsh routing ip show rtmroutes command or the Routing and Remote Access MMC snap-in.

In addition to the TCP/IP tools, use the Netdiag tool to test and display your network configuration.

Unreachability reason

When a demand-dial interface fails to make a connection, the interface is left in an unreachable state and RRAS records the reason the connection attempt failed. To view the unreachable reason in the RRAS MMC snap-in, click Network Interfaces. In the details pane, right-click the demand-dial interface, and then click Unreachability Reason.

Authentication and accounting logging

You can log authentication and accounting information for remote access connections in local logging files using Network Policy Server (NPS). This logging is separate from the events recorded in the system event log and can be used to track remote access usage and authentication attempts. For more information, see "RADIUS Accounting" in NPS Help.

Event logging

On the Logging tab in the properties of a VPN router in the Routing and Remote Access MMC snap-in, there are four levels of logging. Select Log all events, and then try the connection again. After the connection fails, check the system event log for events logged during the connection process. After you have viewed remote access events, select the Log errors and warnings option on the Logging tab to conserve system resources.

PPP logging

Point-to-Point Protocol (PPP) logging records the series of programming functions and PPP control messages during a PPP connection and is a valuable source of information when you are troubleshooting the failure of a PPP connection. To enable PPP logging, select the Log additional Routing and Remote Access information option on the Logging tab on the properties of an RRAS server.


RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems. You can enable the components to log tracing information to files using the Netsh command-line tool or through the registry.

Enabling tracing with Netsh

You can use the Netsh command-line tool to enable and disable tracing for specified components or for all components. To enable and disable tracing for a specific component, use the following syntax:

netsh ras set tracingComponentenabled|disabled

where Component is a component in the list of RRAS components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the RASAUTH component, the command is:

netsh ras set tracing rasauth enabled

To enable tracing for all components, use the following command:

netsh ras set tracing * enabled

Enabling tracing by using the registry

You can also configure the tracing function by changing settings in the registry under:


You can enable tracing for each RRAS component by setting the registry values described in this section. You can enable and disable tracing for components while RRAS is running. Each component is capable of tracing and appears as a subkey under the preceding registry key.

To enable tracing for each component, you can configure the following registry entries for each protocol key:

EnableFileTracing REG_DWORD Integer

You can enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0.

FileDirectory REG_EXPAND_SZ PathToWriteTracingFiles

You can change the default location of the tracing files by setting FileDirectory to the path you want. The file name for the log file is the name of the component for which tracing is enabled. By default, log files are placed in the %SystemRoot%\Tracing folder.

FileTracingMask REG_DWORD LevelOfTracingInformationLogged (hexadecimal value)

FileTracingMask determines how much tracing information is logged to the file. The default value is 0xFFFF0000.

MaxFileSize REG_DWORD SizeOfLogFile (hexadecimal value)

You can change the size of the log file by setting different values for MaxFileSize. The default value is 0x10000 (64 KB).


Tracing consumes system resources and should be used sparingly to help identify network problems. After the trace is captured or the problem is identified, you should immediately disable tracing. Do not leave tracing enabled on multiprocessor computers. Tracing information can be complex and very detailed. Most of the time this information is useful only to Microsoft support professionals or to network administrators who are very experienced with RRAS. Tracing information can be saved as files and sent to Microsoft Help and Support for analysis.

Oakley logging

You can use the Oakley log to view details about the Internet Protocol security (IPsec) security association (SA) negotiation process. The Oakley log is enabled in the registry. It is not enabled by default. To enable the Oakley log, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created.

After it is enabled, the Oakley log, which is stored in the %SystemRoot%\Debug folder, records all IPsec SA negotiations. A new Oakley.log file is created each time the IPsec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav, overwriting any previous file.

To activate the new EnableLogging registry setting after modifying its value, stop and start the IPsec Policy Agent and related IPsec services by running the following sequence of commands:

  1. Stop RRAS using the net stop remoteaccess command.

  2. Stop the IPsec services using the net stop policyagent command.

  3. Start the IPsec services using the net start policyagent command.

  4. Start RRAS using the net start remoteaccess command.

Network Monitor

Use Network Monitor to capture and view the traffic sent between virtual private network (VPN) routers during the VPN connection process and during data transfer. You cannot interpret the encrypted portions of VPN traffic with Network Monitor. Download and install Network Monitor from the Microsoft Download Center (

Interpretation of the VPN traffic with Network Monitor requires an in-depth understanding of PPP, Point-to-Point Tunneling Protocol (PPTP), IPsec, and other protocols. Network Monitor captures can be saved as files and sent to Microsoft Help and Support for analysis.

Additional references