Causes for the L2TP dialup failure


The possible causes are as follows:
- A firewall deployed on the public network, or the built-in firewall of the PC, discards L2TP packets.
- The L2TP port (UDP port 1701 by default) is disabled or occupied, for example by an ACL or NAT rule that matches this port.
- The user name and password are incorrectly configured on the LAC, or no corresponding user is configured on the LNS.
- An address is incorrectly configured, for example the static address of the VT interface.
- The tunnel authentication modes at the two ends are different.
- LCP renegotiation is not configured.
- Address allocation fails because the address pool is too small or is not configured.
- The gateway address is not reserved in the IP address pool, so it can also be allocated to a client.
- The LAC and LNS have no reachable route to each other.
- The remote tunnel name specified in the L2TP group view is incorrect.
- The authentication domain is configured incorrectly.
- Control packets sent by the built-in client of the PC do not carry the SQ (Ns/Nr sequence) fields, so L2TP negotiation fails.
- The IPSec parameters configured at the two ends are inconsistent.
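Several of the causes above are visible directly in the L2TP header on the wire. The following parser is an added example, not code from the original page: it decodes the L2TPv2 header defined in RFC 2661 and flags a control message whose S bit is clear (no Ns/Nr, the missing SQ condition listed above). The sample packets and their tunnel/session IDs are constructed here for illustration.

```python
import struct

def parse_l2tpv2_header(pkt: bytes) -> dict:
    """Decode an RFC 2661 L2TPv2 header: flag bits, optional Length, Tunnel/Session
    IDs, optional Ns/Nr (only when the S bit is set) and optional Offset."""
    if len(pkt) < 6:
        raise ValueError("too short for an L2TPv2 header")
    flags = struct.unpack("!H", pkt[:2])[0]
    hdr = {
        "is_control": bool(flags & 0x8000),   # T bit: 1 = control, 0 = data
        "has_length": bool(flags & 0x4000),   # L bit: Length field present
        "has_seq":    bool(flags & 0x0800),   # S bit: Ns/Nr ("SQ") present
        "has_offset": bool(flags & 0x0200),   # O bit: Offset Size present
        "version":    flags & 0x000F,         # must be 2 for L2TPv2
    }
    pos = 2
    if hdr["has_length"]:
        hdr["length"] = struct.unpack("!H", pkt[pos:pos + 2])[0]
        pos += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    if hdr["has_seq"]:
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", pkt[pos:pos + 4])
        pos += 4
    if hdr["has_offset"]:
        pos += 2 + struct.unpack("!H", pkt[pos:pos + 2])[0]
    hdr["payload_offset"] = pos   # where the control AVPs or PPP payload begin
    return hdr

def diagnose(pkt: bytes) -> list:
    """List the negotiation problems visible in a single L2TP header."""
    h = parse_l2tpv2_header(pkt)
    problems = []
    if h["version"] != 2:
        problems.append("unexpected L2TP version %d" % h["version"])
    if h["is_control"] and not h["has_seq"]:
        problems.append("control message without Ns/Nr (SQ): negotiation fails")
    if h["is_control"] and not h["has_length"]:
        problems.append("control message without Length field")
    return problems

# Constructed sample headers (IDs are placeholders, not captured values).
# Control header with T, L and S bits set (flags 0xC802), as a client should send.
GOOD_CONTROL = struct.pack("!HHHHHH", 0xC802, 12, 0, 0, 0, 0)
# Same control header with the S bit cleared (flags 0xC002): no Ns/Nr carried.
BAD_CONTROL = struct.pack("!HHHH", 0xC002, 8, 0, 0)
# Data message (T=0, no optional fields) carrying a constructed PPP frame.
DATA_MSG = struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03\x80\x21"
```

Running `diagnose` over the UDP 1701 payloads of a capture taken on the LNS tells you whether the client's control packets carry the sequence fields before you touch the LAC or LNS configuration.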

Other related questions:
What are the causes of the L2TP dialup failure?
The causes of the L2TP dialup failure are as follows:
- The firewall deployed on the public network or the built-in firewall on the PC discards L2TP packets.
- The corresponding L2TP port, usually UDP port 1701, is disabled or occupied. For example, ACL or NAT is configured on the port.
- The user name and password configured on the LAC are incorrect, or no related user is configured on the LNS.
- The configured address, such as the static address of the VT interface, is incorrect.
- The tunnel authentication modes are different.
- LCP renegotiation is not configured.
- The address pool cannot meet user requirements or no address pool is configured.
- No gateway address is reserved in the IP address pool, so that the gateway address is allocated to users.
- The LAC and LNS have no reachable routes to each other.
- An incorrect remote tunnel name is specified in the L2TP group view.
- The authentication domain is incorrectly configured.
- The control packets sent by the PC client do not carry the SQ number, so that the L2TP negotiation fails.
- When IPSec encryption is used, the IPSec parameters on both ends are different.

What are the possible causes for L2TP dial-up failures of the AR router?
Possible causes for L2TP dialup failures are as follows:
- A firewall is configured on the public network or the local PC has a firewall, so L2TP packets are discarded.
- The corresponding L2TP port (usually UDP port 1701) is disabled or occupied, for example by an ACL or NAT configuration.
- The user name and password of the LAC are incorrect, or no users are specified on the LNS.
- The configured address is incorrect. For example, the statically configured address of the VT interface is incorrect.
- Tunnel authentication modes are different.
- LCP renegotiation is not configured.
- The IP address allocation is improper: the IP address pool has a small address range or is not configured.
- Gateway addresses are not reserved in the IP address pool, so gateway addresses are allocated to clients.
- There are unreachable routes.
- In the L2TP group view, the specified tunnel name of the remote end is incorrect.
- The configured authentication domain is incorrect.
- L2TP negotiation fails because control packets sent by the client on the local PC do not carry the SQ.
- When IPSec encryption is used, the IPSec parameters on the two ends of the tunnel are inconsistent.

A user successfully initiates L2TP dialup, but cannot access the private network. Why?
A user successfully initiates L2TP dialup, but cannot access the private network. The possible causes are as follows:
- The firewall is enabled on the intranet host.
- The local and remote devices are on the same network segment.
- The access address obtained through L2TP dialup and the LAN users are on the same network segment, and proxy ARP is not enabled.
- The MTU on the virtual interface is incorrect. It is recommended that the MTU of the virtual interface plus all the header lengths not exceed the MTU of the physical interface. Otherwise, packets are discarded if some devices do not support fragmentation.
- The MSS on the virtual interface is incorrect. Ensure that the MSS plus all the header lengths does not exceed the MTU.
- LCP re-negotiation is not configured.
- There are unreachable routes.
- Tunnel authentication is not configured.
- IPSec encryption is not configured and data flows do not match ACLs.

How to rapidly locate the cause of a failure to establish a tunnel between the LAC and LNS?
During L2TP configuration, the LAC cannot set up a tunnel with the LNS. Perform the following operations to quickly locate the fault.
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If the route is unreachable, ensure route reachability first.
2. Check the L2TP configuration on the LNS and delete the remote parameter specified in the allow l2tp command. If the L2TP tunnel can then be established, the original failure is caused by a mismatch between the tunnel name configured on the LAC and the remote tunnel name specified on the LNS. Use either of the following methods:
 - Run the tunnel name command on the LAC to set the local tunnel name to the value of remote specified by the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the value of remote to the tunnel name configured on the LAC. If no local tunnel name is configured using the tunnel name command on the LAC, the value of remote is the device name of the LAC.

L2TP dialup is successful only after several attempts, and the system displays error 691.
After the AR is configured with L2TP, users need to dial up multiple times, and the system displays error 691 during dialup. This occurs because the AR supports only 16-byte CHAP challenge messages: when the length of the challenge message is not 16 bytes, CHAP authentication fails and the system reports error 691 (incorrect user name or password). To solve the problem, configure L2TP re-negotiation so that the LNS and the client negotiate 16-byte challenge messages.
