Remote access troubleshooting tools

This section introduces you to tools that can be used to troubleshoot remote access connections.

TCP/IP utilities

The tracert command

If you are having connectivity problems, you can use the tracert command to check the path to the destination IP address that you want to reach and record the results. The tracert command displays the series of IP routers that are used in delivering packets from your computer to the destination computer and how long each hop took. If the packets cannot be delivered to the destination, the tracert command displays the last router that successfully forwarded your packets.

For more information about the tracert command, type

tracert -?

at a command prompt.

The most common use of tracert is as follows:

tracert AddressOrName [-d]

This command returns a list of the routers that are crossed to get to the destination IP address. By using the -d option, the router path is displayed faster because tracert does not try to resolve the names of the routers in the path.

Usage of the command is as follows:

tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] AddressOrName


-d                 Do not resolve addresses to host names.
-h maximum_hops    Maximum number of hops to search for the target.
-j host-list       Loose source route along host-list.
-w timeout         Wait timeout milliseconds for each reply.

The ping command

If you are having connectivity problems on your TCP/IP network, you can use the ping command to check the destination IP address that you want to reach and record the results. The ping command displays whether the destination responded and how long it took to receive a reply. If there is an error in the delivery to the destination, the ping command displays an error message.

The ping command is an external command that is available in Windows 2000. This command helps determine IP addresses in TCP/IP networks as well as identify and resolve network issues.

You can use the ping command to:

  • Ping your computer (by address, not host name) to determine that TCP/IP is functioning. Note that pinging your computer does not verify that your network adapter is functioning.

  • Ping the local router to determine whether the router is running.

  • Ping beyond your local router.

  • Verify IP-level connectivity.

  • Send an Internet Control Message Protocol (ICMP) echo message to a target host name or IP address.

  • Verify that a host computer can connect to the TCP/IP network and network resources.

  • Isolate network hardware problems and incompatible configurations.

The following table shows some useful ping command options.

Option        Description
-n Count      Determines the number of ICMP Echo messages to send. The default is 4.
-w Timeout    Enables you to adjust the time-out (in milliseconds). The default is 1,000 (a 1-second time-out).
-l Size       Enables you to adjust the size of the ICMP echo message data field. The default size is 32 bytes.
-f            Sets the Don't Fragment bit on the ICMP echo message. By default, the ICMP echo message allows fragmentation.

For more information about other ping options, see Command-line utilities.

For example, to check connectivity by using the ping command, at a command prompt, type ping and the IP address you want to reach.

A response of "Destination net unreachable" means there was no route to the destination. You need to check the routing table on the router listed in the "Reply from" address in the "Destination net unreachable" message. For more information about the routing table, see Understanding the IP routing table.

A response of "Request timed out" means there was no response to the ping attempt in the default time period of one second. In this case, look for the following problems:

  • A router is down. To check the routers in the path between the source and the destination, use the tracert command. For more information, see Using the tracert command.

  • The destination host is down. Physically verify that the host is running or check connectivity through another protocol.

  • There is no route back to your computer. If the host is running, you can check for a return route by viewing the default gateway and local routing table on the destination host.

  • The latency of the response is more than one second. Use the -w option on the ping command to increase the time-out. For example, to allow responses within five seconds, use ping -w 5000.

If the ping command is not found or the command fails, you can use Event Viewer to check the System Log and look for problems reported by Setup or the Internet Protocol (TCP/IP) service.

The ping command uses ICMP echo and echo reply messages. Packet filtering policies on routers, firewalls, or other types of security gateways might prevent the forwarding of this traffic. For example, a computer running Windows 2000 with IIS as a Web server and packet filters that allow only Web-based traffic will not respond to ICMP echo messages.

To test a TCP/IP configuration by using the ping command, complete the following steps:

  1. To quickly obtain the TCP/IP configuration of a computer, type ipconfig at a command prompt. From the display of the ipconfig command, ensure that the network adapter for the TCP/IP configuration you are testing is not in a Media disconnected state.

  2. At a command prompt, ping the loopback address by typing ping 127.0.0.1. If the ping command fails, verify that the computer was restarted after TCP/IP was installed and configured. (The loopback address is designated for the software loopback interface of a computer, has no hardware associated with it, and is not physically connected to a network. Therefore, it allows you to test IP software without worrying about broken or corrupted drivers or hardware.)

  3. Ping the IP address of the computer. If the ping command fails, verify that the computer was restarted after TCP/IP was installed and configured.

  4. Ping the IP address of the default gateway. If the ping command fails, verify that the default gateway IP address is correct and that the gateway (router) is operational.

  5. Ping the IP address of a remote host (a host that is on a different subnet). If the ping command fails, verify that the remote host IP address is correct, that the remote host is operational, and that all of the gateways (routers) between this computer and the remote host are operational.

  6. Ping the IP address of the DNS server. If the ping command fails, verify that the DNS server IP address is correct, that the DNS server is operational, and that all of the routers between this computer and the DNS server are operational.

Event logging

Event logging for remote access connections is the recording of events into the system log, which can be viewed with the Event Viewer snap-in. System administrators commonly use event logging for troubleshooting or to get information about unusual events that might have occurred during a remote access attempt.

Routing and remote access

The Event Logging tab on the Properties dialog box of a remote access server allows you to enable the following different levels of event logging:

  • Log errors only

  • Log errors and warnings

  • Log the maximum amount of information

  • Disable event logging

If a connection fails, select the Log the maximum amount of information option and try the connection again. This records all events associated with the connection process in the system event log. Logging consumes system resources and should be used sparingly to help identify network problems. Once you are done viewing the remote access events or identifying the problem, immediately reset logging to its default value by selecting Log errors only.

Internet Authentication Service (IAS)

IAS and RRAS share the same remote access policies and authentication and accounting logging capabilities. When RRAS is configured for Windows authentication, the local policies and logging are used. When RRAS is configured as a Remote Authentication Dial-In User Service (RADIUS) client to an IAS server, the policies and logging of the IAS server are used.

IAS supports RADIUS accounting, which an administrator can use to track network usage for auditing and billing purposes. Third-party products can be used to analyze RADIUS accounting data to provide charge-back, performance, and exception reports.

Support for the RADIUS standard allows IAS to collect the usage (accounting) records sent by the NAS at a single point and create a log file. IAS logs audit information (for example, authentication accepts and rejects) and usage information (for example, logon and logoff records) to log files. This information is useful for keeping track of usage and for correlating authentication information with accounting records, for example, to discover missing records or instances of over-billing. IAS logs can also be used to track events and troubleshoot a failed connection.

IAS log files can be created in two formats:

  • Database: The database format allows you to keep track of a predetermined set of attributes. Use this format if you want to import data directly into a database. You can analyze the data in the database by using third-party data-analysis software.

  • IAS format: The IAS format is more detailed and can contain information about all attributes. Use this format if you need to record more detailed information than what the database log format allows.

While the IAS log file contains all the IAS user-related events, the IAS service and system-related events are recorded in the Event log files.

RADIUS accounting

RADIUS accounting provides the following benefits:

  • Real-time data collection.

  • Accounting data collected at a centralized place.

The RADIUS accounting process

The RADIUS server has access to user account information and can check remote access authentication credentials. If the user's credentials are authentic and the connection attempt is authorized, the RADIUS server authorizes the user's access based on specified conditions and logs the remote access connections as accounting events.

When a client is configured to use RADIUS accounting, at the start of service delivery, it generates an accounting start packet describing the type of service being delivered and the user to whom it is being delivered. The packet is then sent to the RADIUS accounting server, which sends back an acknowledgment that the packet has been received. At the end of service delivery, the client generates an accounting stop packet describing the type of service that was delivered and statistics (optional), such as elapsed time, input and output octets, or input and output packets. It then sends that data to the RADIUS accounting server, which sends back an acknowledgment that the packet has been received.

The accounting-request packet (the start or stop packet) is submitted to the RADIUS accounting server through the network. If no response is returned within a length of time, the request is sent again repeatedly. The client can also forward requests to an alternate server or servers if the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. If the RADIUS accounting server is unable to successfully record the accounting packet, it does not send an accounting-response acknowledgment to the client. For example, when the log file gets filled, IAS starts discarding accounting packets. This prompts the NAS to switch to the backup IAS server.
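The exchange described above, as an added in-memory example that is not part of the original page and is not Microsoft code: a client builds accounting start and stop packets with the authenticators defined in RFC 2866, and fails over to a backup server when the primary cannot record a packet and therefore sends no acknowledgment. The AccountingServer class, the shared secret, the retry count, and the session values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5      # RFC 2866 packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
START, STOP = 1, 2                                   # Acct-Status-Type values


def attr(attr_type, value):
    """Encode one attribute as type, length, value (integers are 4 octets)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([attr_type, len(value) + 2]) + value


def accounting_request(ident, secret, attrs):
    """Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


class AccountingServer:
    """Constructed stand-in for an accounting server whose log can fill up."""

    def __init__(self, secret, log_capacity):
        self.secret, self.capacity, self.log = secret, log_capacity, []

    def handle(self, packet):
        header, auth, body = packet[:4], packet[4:20], packet[20:]
        expected = hashlib.md5(header + bytes(16) + body + self.secret).digest()
        if not hmac.compare_digest(auth, expected):
            return None          # wrong shared secret: silently discard
        if len(self.log) >= self.capacity:
            return None          # cannot record the packet, so no acknowledgment
        self.log.append(body)
        reply = struct.pack("!BBH", ACCOUNTING_RESPONSE, packet[1], 20)
        return reply + hashlib.md5(reply + auth + self.secret).digest()


def response_is_valid(reply, request, secret):
    """Check the acknowledgment against the request it claims to answer."""
    if reply[0] != ACCOUNTING_RESPONSE or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def send_with_failover(packet, secret, servers, tries=3):
    """Retry each server in turn; return the index of the one that acknowledged."""
    for index, server in enumerate(servers):
        for _ in range(tries):
            reply = server.handle(packet)
            if reply is not None and response_is_valid(reply, packet, secret):
                return index
    return None


def demo():
    secret = b"constructed-shared-secret"
    servers = [AccountingServer(secret, log_capacity=1), AccountingServer(secret, 10)]
    session = [attr(USER_NAME, b"alice"), attr(ACCT_SESSION_ID, b"0001")]
    start = accounting_request(1, secret, session + [attr(ACCT_STATUS_TYPE, START)])
    stop = accounting_request(2, secret, session + [attr(ACCT_STATUS_TYPE, STOP),
                                                    attr(ACCT_SESSION_TIME, 120)])
    forged = accounting_request(3, b"wrong-secret", session)
    return [send_with_failover(p, secret, servers) for p in (start, stop, forged)]
```

In demo(), the start packet is acknowledged by the primary server, the stop packet is acknowledged only by the backup because the primary's log is full, and the packet built with the wrong secret is never acknowledged.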

You can monitor IAS by using Windows 2000-based tools, such as Event Viewer or System Monitor, or by using Simple Network Management Protocol (SNMP). For more information on accounting, authentication, authorization and troubleshooting IAS, see the article, “Internet Authentication Service for Windows 2000.”

Iasparse.exe tool

IAS creates a log file based on the authentication and accounting requests received from the NAS when using RADIUS authentication. The remote access server logs similar information when using Microsoft Windows 2000 authentication. Unlike the database import log files, which use a fixed sequence of attributes, the sequence of the attributes in IAS-formatted log files depends on the format used by the NAS. IAS log files are multi-language and are written in UTF-8.

The log files generated by both of these services are very cryptic to an ordinary user. To present this largely incomprehensible log file information in a user-friendly way, the Windows 2000 Server Resource Kit includes Iasparse.exe (in the folder), a command-line tool used to parse and read IAS log files. This command-line tool parses IAS and remote access server logs and converts them into a readable format.

The following list shows the advantages of using Iasparse.exe:

  • Simplifying administration of the service.

  • Using logs for tracking accounting information, such as logon and logoff records for billing purposes.

  • Troubleshooting connections where the user fails to authenticate.

  • Calculating billing information. For this, you can use TRU Access Manager Limited Edition, a network accounting application developed by Telco Research that ships with the Windows 2000 Server Resource Kit.

  • Running diagnostics, such as obtaining information about the RADIUS attributes received and sent.
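As an added example (not Iasparse.exe and not Microsoft code), the following parser reads IAS-format records without relying on attribute order and pairs accounting start and stop records to find the missing records mentioned earlier. It assumes each record is a comma-separated line with a six-field header (NAS IP address, user name, date, time, service name, computer name) followed by attribute-number,value pairs; the sample records are constructed.

```python
import csv
import io

# Assumed fixed header of an IAS-format record; the attribute pairs follow it.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
ACCT_STATUS_TYPE, ACCT_SESSION_ID = "40", "44"   # RADIUS attribute numbers (RFC 2866)
START, STOP = "1", "2"                            # Acct-Status-Type values

# Constructed sample records, not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5,alice,03/01/2001,09:00:01,IAS,RAS01,40,1,44,A1,4,10.0.0.5
10.0.0.5,bob,03/01/2001,09:02:10,IAS,RAS01,44,B7,40,1
10.0.0.5,alice,03/01/2001,09:30:44,IAS,RAS01,44,A1,46,1843,40,2
10.0.0.5,carol,03/01/2001,09:41:00,IAS,RAS01,40,2,44,C3,46,60
10.0.0.5,dave,03/01/2001,09:50:00,IAS,RAS01,40,1,44
"""


def parse_record(fields):
    """Split one record into a header dict and an attribute dict."""
    extra = len(fields) - len(HEADER)
    if extra < 0 or extra % 2:
        raise ValueError("truncated or malformed record")
    pairs = fields[len(HEADER):]
    # Attributes are looked up by number, so their order does not matter.
    return dict(zip(HEADER, fields)), dict(zip(pairs[0::2], pairs[1::2]))


def unmatched_sessions(log_text):
    """Report sessions with a start but no stop, a stop but no start,
    and the line numbers of records that could not be parsed."""
    started, stopped, malformed = {}, {}, []
    for line_no, fields in enumerate(csv.reader(io.StringIO(log_text)), 1):
        if not fields:
            continue
        try:
            header, attrs = parse_record(fields)
        except ValueError:
            malformed.append(line_no)
            continue
        session = attrs.get(ACCT_SESSION_ID)
        if session is None:
            continue                      # not an accounting record
        key = (header["nas_ip"], session)
        status = attrs.get(ACCT_STATUS_TYPE)
        if status == START:
            started[key] = header["user"]
        elif status == STOP:
            stopped[key] = header["user"]
    return {
        "no_stop": sorted(started[k] for k in started.keys() - stopped.keys()),
        "no_start": sorted(stopped[k] for k in stopped.keys() - started.keys()),
        "malformed_lines": malformed,
    }
```

When reading a real log file instead of the inline sample, open it with encoding="utf-8", because the page states that IAS log files are written in UTF-8.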

Authentication and accounting logging

Windows authentication and accounting logging

A remote access server running Windows 2000 supports the logging of authentication and accounting information for remote access connections in local logging files when Windows authentication or Windows accounting is enabled. Windows logging is separate from the events recorded in the system event log. You can use the logged information to track remote access usage and authentication attempts.

Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.

You can configure the authentication or accounting activity to be logged and configure log file settings from the properties dialog box of the Remote Access Logging folder in the Routing and Remote Access snap-in.

From the following options on the Settings tab, you can choose the events you want to log:

  • Log accounting requests, for example, accounting start or stop. Recommended.

  • Log authentication requests, for example, access-accept or access-reject. Recommended.

  • Log periodic status, for example, interim accounting requests.

On the Local File tab, you can choose the file format that you want to use for your log file:

  • Database compatible file format

  • IAS format

Using this property sheet, you can also set new log time periods and a path to the log file directory.

If the remote access server is configured for RADIUS authentication and accounting and the RADIUS server is a Windows 2000 computer running IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.

Unlike IAS-formatted log files where the sequence of attributes depends on the format used by the access server, database import log files present data in a standard sequence and use a structure that is identical, regardless of the access server that sends the data. This consistent sequence and structure allows data to be easily imported into a database and helps simplify accounting and authentication records.

Network Monitor

Microsoft Network Monitor is a packet capture and analysis tool (installed as an optional networking component) supplied with Windows 2000 Server that helps analyze packets of data that are transferred over the network. It provides information about the network traffic that flows to or from a server. Using Network Monitor, you can capture and analyze information that helps you run your network smoothly, identify new patterns, and prevent, diagnose, and solve different types of network problems. You can also identify patterns that indicate whether changes, such as an upgrade, might be worthwhile.

Network Monitor uses a Network Driver Interface Specification (NDIS) feature to copy all frames it detects to its capture buffer, which is a resizable storage area in memory. The buffer is a memory-mapped file and occupies disk space. The default size of this buffer is 1 megabyte (MB) but you can adjust the size manually as needed.

Because Network Monitor uses the local only mode of NDIS instead of the promiscuous mode (in which the network adapter passes on all frames sent on the network), you can use Network Monitor even if your network adapter does not support promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. Putting the network adapter in promiscuous mode can add 30 percent or more to the load on the CPU.

Using Network Monitor to troubleshoot

Once you install Network Monitor, you can capture to a file all the frames sent to or received by the network adapter of the computer on which it is installed. These captured frames can then be viewed or saved as files and sent to Microsoft support for analysis.

For dial-up or VPN connections, you can capture and view the traffic sent between a remote access server and a remote access client during the connection process and also during data transfer. However, you cannot interpret the encrypted or compressed portions of the remote access traffic using Network Monitor.

The proper interpretation of the remote access traffic using Network Monitor requires an in-depth understanding of PPP, PPTP, IPSec, and other protocols.


Tracing is the recording of the sequence of programming functions called by a component and associated process data. The tracing information can be recorded in a log file and used to analyze network problems. To use tracing to gather information for troubleshooting, enable tracing for the remote access components and try the connection again. Because tracing uses system resources, disable tracing when you are done collecting information in the trace log files.

Tracing is disabled by default. You can use the Netsh command to enable and disable tracing for specific components or for all components. To enable and disable tracing for a specific component, use the following syntax:

netsh ras set tracing Component enabled|disabled

Component is a component in the list of RRAS components found in the Windows 2000 registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the RASAUTH component, use the following command:

netsh ras set tracing rasauth enabled

To enable tracing for all components, use the following command:

netsh ras set tracing * enabled

You can also enable tracing for each component by setting registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. Each component is capable of tracing and appears as a subkey (such as RASAUTH) under the preceding registry key. You can enable and disable tracing for components even while the router is running.

Caution: Remember to back up valuable data before making changes to the registry.

Configure the following registry value entries for each protocol key:

  • EnableFileTracing REG_DWORD 1: You can enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0.

  • FileDirectory REG_EXPAND_SZ Path: You can change the default location of the tracing files by setting FileDirectory to the path you want. The file name for the log file is the name of the component for which tracing is enabled. By default, log files are placed in the systemroot\Tracing folder.

  • FileTracingMask REG_DWORD LevelOfTracingInformationLogged: Determines how much tracing information is logged to the file. The default value is FFFF0000.

  • MaxFileSize REG_DWORD SizeOfLogFile: You can change the size of the log file by setting different values for MaxFileSize. The default value is 10000 (64 KB).

Tracing information can be very complex and detailed. Usually, this information is useful only to Microsoft support professionals, or to network administrators who are very experienced with RRAS.

Oakley logging

You can use the Oakley log to view details about the security association (SA) establishment process. The Oakley log is enabled in the registry. It is not enabled by default. To enable the Oakley log, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created.

After it is enabled, the Oakley log, which is stored in the systemroot\Debug folder, records all IPSec SA negotiations. A new Oakley.log file is created each time the IPSec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.

To activate the new EnableLogging registry setting after modifying its value, stop and start the IPSec Policy Agent and related IPSec services by running the following sequence of commands:

  1. Stop RRAS by using the command:

    net stop remoteaccess

  2. Stop the IPSec services by using the command:

    net stop policyagent

  3. Start the IPSec services by using the command:

    net start policyagent

  4. Start RRAS by using the command:

    net start remoteaccess


PPP logging

Point-to-Point Protocol (PPP) is the suite of protocols used to establish a link, authenticate, and assign IP addresses to remote access connections. To establish a successful dial-up connection to the Internet, you need to authenticate and register the network. You can either authenticate using plain text (terminal mode) and then start a PPP session or allow authentication to take place under PPP.

You can enable logging to a PPP log file to help diagnose PPP-related connectivity problems.

Based on the entries in the PPP log, you can tell whether a connection failed or not.

If a PPP session is not started, then there are no entries made to the PPP log for the connection attempt. This lack of entries signifies that the connection failed on or before plain-text logon.

If you see entries in the PPP log, then the nature of the entries can provide a clue as to what failed during the connection attempt. When all other sources of information fail, PPP logs are the best place to review.

For RRAS, you can enable PPP logging from the Event Logging tab on the properties of a remote access server. For a Windows 2000 remote access client, you can enable PPP logging using netsh.

After you enable logging, the computer logs all PPP activity to the ppp.log file in the SystemRoot\Tracing folder. Because PPP logging uses system resources and hard disk space, it is recommended that you turn off logging when you are finished troubleshooting.

Enabling PPP logging for Routing and Remote Access

  1. Open the Routing and Remote Access snap-in.

  2. In the tree pane, right-click the server for which you want to enable logging, and then click Properties.

  3. Click the Event Logging tab.

  4. Select the Enable Point-to-Point Protocol (PPP) logging check box.

  5. Click OK.

  6. Click OK when prompted to restart the router.

Enabling PPP logging by using Netsh.exe

  1. Open a command prompt.

  2. Type

    netsh ras set tracing ppp enabled

Disabling PPP Logging

  1. Open a command prompt.

  2. Type

    netsh ras set tracing ppp disabled