Troubleshooting VPNs with PingPlotter


Question

Can PingPlotter be used to troubleshoot problems in a VPN (Virtual Private Network)?

Solution

PingPlotter primary purpose is to troubleshoot network bottlenecks, and a VPN bottleneck is definitely one that many people have used PingPlotter for with good success.

There are some challenges in VPN testing that we'll discuss here.

First, VPN's create a tunnel - and PingPlotter has no visiblity from inside that tunnel into which routers participated in that tunnel. That's part of the goal of the tunnel, and it adds a bit of complexity to testing.

The way to address this is to use several possible targets when running PingPlotter. First, you should ping the final destination that you're having problems with. For example, if your company has an intranet page that's responding poorly: http://intranet.mycompany.com, then you should use 'intranet.mycompany.com' as the target. Look for bottlenecks here - and try to identify if that bottleneck is part of the VPN (which for most remote users will be at hop 1 or hop 2), or some other part of the internal network.

If you determine that the VPN is the likely problem, you can't actually see all the routers participating in moving data over the tunnel from inside the tunnel - you need to run PingPlotter outside the tunnel. In most cases you do this by entering the IP address for your VPN server (the same one you enter in your local VPN client to connect to the company network). This will show the route between your computer and the remote end of the VPN tunnel, and will give you visibility to all the routers that are moving data for your tunnel.

The combination of these two collection targets should give you a pretty good idea of what's going on. There is no way to trace the entire route between you and the target server - it takes two steps.

The second problem a lot of people run into when testing VPNs is that some networks - especially corporate networks including VPNs - block the ability to do traceroute, which PingPlotter depends on.

If it's the corporate firewall at the exit point of the tunnel that's causing the problem, you can still use PingPlotter to troubleshoot the route between your computer and the exit point of the tunnel - by using the IP address of the VPN server.

You can also try changing the packet type from ICMP to UDP or TCP. Many corporate users have reported success with using PingPlotter with UDP or TCP when ICMP would only trace part of the route.

PingPlotter Pro has some additional help for this as it also allows you to set up a remote agent that may aid you in tracing around the tunnel.



Article ID: 28
Created On: August 13, 2004
Last Updated On: November 7, 2013

Online URL: https://www.pingman.com/kb/article/troubleshooting-vpns-with-pingplotter-28.html