Unit-13

The Most Common Network Problems

Now let’s run through some of the most common network problems that have left many
users and network administrators pulling out their hair!

1. High Bandwidth Usage

Bandwidth is the maximum amount of data transmitted over an Internet connection in
a given amount of time.
It refers to a network’s capacity to transfer data between devices or the Internet
within a given span of time. Bandwidth is often mistaken for Internet speed when
it's actually the volume of information that can be sent over a connection in a
measured amount of time – calculated in megabits per second (Mbps).

Higher bandwidth allows data to be transferred across your network at a faster rate and
can sustain a larger number of connected devices all at once. When someone or something,
like a large application, on your network is monopolizing your bandwidth by downloading
gigabytes worth of data, it creates a congestion in your network.

Network congestion caused by high bandwidth usage, also runs the risk of leaving
insufficient amounts of bandwidth for other parts of your network that need it. When this
happens, you may start experiencing problems like slow download speed over the Internet.

Causes of high bandwidth include:

Large Downloads:
Downloads consisting of large files that are being placed on your computer's harddrive
from the Internet, like file transfers or backups, can drastically increase bandwidth usage.
The more bytes the file contains, the higher your bandwidth usage.
Latency:
Latency refers to the time it takes for a data packet to reach its destination in a network,
can. Consistent delays or odd spikes in delay time are signs of major performance issues
and can affect bandwidth time.
Packet Loss:
Packet Loss occurs when a data packet is dropped during its journey across a network and
never makes it to its final destination and back. It can cause a great deal of problems
depending on how much of the packet does not go through and how often it occurs.
Video Streaming:
Streaming videos from the Internet is a more common cause of high bandwidth usage.
Streaming video in 7k can take up to 200 times more bandwidth than audio streaming.
Large Applications:
Different applications have different requirements. Applications that require Internet
connection, like programs for web development, email, computer games, etc. require a lot
of bandwidth to function and can therefore increase your bandwidth usage.
File Sharing:
There are programs that allow users to share files from computer-to-computer connection
over the Internet. These programs can result in high bandwidth usage as they require you
to download and transfer large files, with large amounts of data, over the Internet.

How to Measure Packet Loss

Learn how to measure packet loss using Obkio’s Network Monitoring software to
proactively identify problems in your network & collect data to troubleshoot.

2. High CPU Usage

CPU, or “ Central Processing Unit”, is the primary component of a computer that

receives and processes instructions for operating systems and applications.
With such a big job on its shoulders, the signs of high CPU usage on a network device are a
very troubling sign for many of us.
As your network devices continue to work harder to perform an increasing amount of
tasks, it increases the chance that things can go wrong.
The most common reason for high CPU usage occurs when your network becomes bogged
down by enormous amounts of traffic. CPU usage can increase drastically when processes
require more time to execute or when a larger number of network packets are sent and
received throughout your network.
There are a number of network devices such as switches that have hardware components
(ASICs or NPUs) that take charge and process packets super quickly. For this equipment,
the CPU usage is not linked to the amount of traffic.
For equipment that analyzes or manipulates traffic, like firewalls, that's a whole different
story. Depending on the features that you’ve enabled on your devices, the CPU may be in
the critical path of packet routing or forwarding. If overused, network
metrics like latency, jitter, and packet loss will increase, which will lead to significant levels
of network performance degradation.

How to Detect Network Congestion

Learn how to detect network congestion inside and outside of your own network using
Network Monitoring & Network Device Monitoring with Obkio.

2. Physical Connectivity Issues

It may seem obvious, but some network issues may occur with the hardware
outside of the network.
When the time comes to troubleshoot network issues, our instinct is often to think about
the most complex situations, when sometimes the problem is actually very simple and right
in front of us.

Hardware problems like defective cables or connectors can generate errors on the network
equipment to which it is connected. You may think that this problem is due to a network
failure, or Internet connection problem, but it’s actually because you have a broken or
malfunctioning cable.

This can also occur outside of the LAN infrastructure. If a copper cable, or fiber-optic cable
is damaged, it will likely reduce the amount of data that can go through it without any
packet loss.

Checking every cable one by one can be repetitive, and can take a large amount of time out
of your day. A simple way to monitor cables on a defective connector is to have a network
performance monitoring software that will measure errors on all network interfaces and
warn you if any problems arise.

How to Troubleshoot Network Issues

Learn how to troubleshoot network issues by identifying where, what, why network
problems occur with Network Troubleshooting tools.

3. Malfunctioning Devices or Equipment

Sometimes, network issues occur within network equipment or devices like

Firewalls, Routers, Switches, Wifi APs.

Problems can be due to bad configurations, faulty network connection issues, packet loss,
or maybe just because they’re been disabled.

You need to ensure that all the devices on your network are configured correctly in order
for your network to work properly. Whenever you install or reconfigure a device, or
upgrade equipment firmware on your network, you need to test that device to ensure that
it’s been configured correctly.

Many network performance issues are caused by device misconfigurations that can affect
different parts of your network and turn into major problems down the line. That’s why
you need to pay attention to all the switches and devices on your network to ensure that
they’re always working as they should be, and react quickly if they aren’t.

Obkio’s network device monitoring solution is a simple and easy solution that offers
advanced polling to monitor all SNMP-enabled devices along your network to ensure
they’re all performing as they should be.
How to Identify Network Problems & Diagnose Network Issues

Learn how to identify network issues by looking at common problems, causes,

consequences and solutions.

5. DNS Issues

DNS or Domain Name System, controls how visitors find your website over the Internet.

It is essentially a directory for the Internet (and every Internet-connected device) that
matches domain names with IP addresses. Every single website has its own IP address on
the web, and computers can connect to other computers via the Internet and look up
websites using their IP address. When you type in a domain name in your Internet browser,
DNS works to find the information connected to that domain.

DNS issues are very common network problems that many people tend to overlook. DNS
issues occur when you are unable to connect to an IP address, signalling that you may have
lost network or Internet access. For example, your site can simultaneously appear online
for you, but looks to be offline to your visitors.

Other DNS issues can be due to:

 Bad configurations: You may experience issues due to improper configuration of

DNS records.
 High DNS latency: High Latency, which is the measure of time it takes for data to
reach its destination across a network, can cause slow and abnormally long loading
times.
 High TTL Values: High “time to live” values on your records, will lead to high
propagation wait times. Traceroute tools, like Obkio’s Live Traceroutes feature,
actually track and monitor TTL values.
 Hardware/Network Failures: DNS problems can be caused by hardware failures
on the host machine or network failures. Troubleshoot network/ hardware
configuration settings using a network performance monitoring solution to identify
the source of the problem.

The inability to access the Internet or particular sites can have a very immediate and
negative impact on your business - especially if it means that users cannot access your site.
Just a few hours offline can cost your company in more ways than one, which is why it’s
important to find and fix DNS problems as soon as possible.
Network Performance Monitoring for Network Troubleshooting
Learn how to leverage network performance monitoring for network troubleshooting of
intermittent network issues that affect network performance.

6. Interference in the Wireless Network

WiFi problems are one of the most common complaints surrounding modern day
connectivity.

Wireless interference occurs when something disrupts or weakens the Wi-Fi signal
transmitted from your wireless router.

Signs of wireless interference include:

 Low signal strength even when close to a WiFi broadcast device

 Slower Internet connection when using connected over WiFi
 Slow file transfers between computers over WiFi
 Inability to pair WiFi or Bluetooth devices even when in proximity to the receiver
 Intermittently dropping of WiFi connection

Very common household items, like microwave ovens or cordless phones, can slow down
your home Wi-Fi network performance. If you live in a densely populated area, your
neighbors’ Wi-Fi networks could actually be interfering with your own. This is particularly
true if you’re using a 2.4GHz wireless router.

However, seeing as a failure can occur at any time, the first challenge for network
administrators is to quickly identify what can cause interference as well as the precise time
they occurred.

While users are usually quick enough to report problems, it’s ideal to identify and solve the
problem before it affects users.

How to Identify Network Problems

Identifying network issues is the first step to solving them - and it all comes down to
pinpointing who, what, where, and when.

But first...
1. Choose a Network Monitoring Software
When it comes to identifying some of these most common network issues, the best tool at
your disposal is a Network Monitoring software. A Network Monitoring (or Network
Performance Monitoring) tool monitors end-to-end network performance to identify
network issues affecting your end-users, whether the problems occur in your local network
infrastructure, over the Internet, or even in a service provider's network.

We recommend a software like Obkio Network Monitoring Software because it does the
work for you.
Obkio uses Monitoring Agents installed in key network locations to simulate synthetic
traffic in your network, identify network problems and collect information like we mention
in the next step...

Get Started with Obkio

Start monitoring network performance and troubleshooting network problems in 15

minutes with Obkio!
2. Perform a Network Assessment

The step when it comes to identifying network problems, with your Network
Monitoring tool in hand, is performing a network assessment to collect some key
information about:

 What the problem is: To know how to solve these problems, you need to actually
understand what they are. A network performance monitoring software will
measure network metrics and report back if it finds any issues, with details about
what the issue is, and what caused it.
 Where the problem is located: It’s important to identify where exactly in your
network an issue has occurred. Using Monitoring Agents, Obkio allows you to
deploy Agents in key network locations for end-to-end visibility over your network
to provide you with details about where problems have occurred.
 Who is responsible for this network segment: Once you know where a network
problem is located, and what exactly it is, you can then easily decide who in your
business is responsible for that network segment.
 What actions to take: After you’ve collected all the information you need to
identify the network issue, can then start network troubleshooting. That could
include reaching out to your ISP or MSP, or bringing the problem to your network
administrator to fix it internally.

 Gather Information
To gather symptoms from suspected networking device, use Cisco IOS commands
and other tools such as packet captures and device logs.

The table describes common Cisco IOS commands used to gather the symptoms of a
network problem.

Command Description

 Sends an echo request packet to an address, then waits for a

ping {host | ip- reply
address}  The host or ip-address variable is the IP alias or IP address
of the target system

 Identifies the path a packet takes through the networks

traceroute  The destination variable is the hostname or IP address of
destination the target system
 Command Description

telnet {host | ip-  Connects to an IP address using the Telnet application

address}  Use SSH whenever possible instead of Telnet

ssh -l user-id ip-  Connects to an IP address using SSH

address  SSH is more secure than Telnet

show ip
interface brief  Displays a summary status of all interfaces on a device
 Useful for quickly identifying IP addressing on all interfaces.
show ipv6
interface brief

show ip route Displays the current IPv4 and IPv6 routing tables, which
contains the routes to all known network destinations
show ipv6 route

Displays the configured protocols and shows the global and

show protocols interface-specific status of any configured Layer 3 protocol

Displays a list of options for enabling or disabling debugging

debug events

 Troubleshooting with Layered Models

The OSI and TCP/IP models can be applied to isolate network problems when
troubleshooting. For example, if the symptoms suggest a physical connection problem, the
network technician can focus on troubleshooting the circuit that operates at the physical
layer.

The figure shows some common devices and the OSI layers that must be examined during
the troubleshooting process for that device.
 Troubleshooting with Layered Models
Notice that routers and multilayer switches are shown at Layer 4, the transport layer.
Although routers and multilayer switches usually make forwarding decisions at Layer 3,
ACLs on these devices can be used to make filtering decisions using Layer 4 information.

Structured Troubleshooting Methods

There are several structured troubleshooting approaches that can be used. Which one to
use will depend on the situation. Each approach has its advantages and disadvantages. This
topic describes methods and provides guidelines for choosing the best method for a
specific situation.

 Bottom-Up
 Top-Down
 Divide-and-Conquer
 Follow-the-Path
 Substitution
 Comparison
 Educated Guess
In bottom-up troubleshooting, you start with the physical components of the network and
move up through the layers of the OSI model until the cause of the problem is identified, as
shown in the figure.

Bottom-up troubleshooting is a good approach to use when the problem is suspected to be

a physical one. Most networking problems reside at the lower levels, so implementing the
bottom-up approach is often effective.

The disadvantage with the bottom-up troubleshooting approach is it requires that you
check every device and interface on the network until the possible cause of the problem is
found. Remember that each conclusion and possibility must be documented so there can be
a lot of paper work associated with this approach. A further challenge is to determine
which devices to start examining first.
In the figure, top-down troubleshooting starts with the end-user applications and moves
down through the layers of the OSI model until the cause of the problem has been
identified.

End-user applications of an end system are tested before tackling the more specific
networking pieces. Use this approach for simpler problems, or when you think the problem
is with a piece of software.

The disadvantage with the top-down approach is it requires checking every network
application until the possible cause of the problem is found. Each conclusion and possibility
must be documented. The challenge is to determine which application to start examining
first.

The figure shows the divide-and-conquer approach to troubleshooting a networking

problem.

The network administrator selects a layer and tests in both directions from that layer.

In divide-and-conquer troubleshooting, you start by collecting user experiences of the

problem, document the symptoms and then, using that information, make an informed
guess as to which OSI layer to start your investigation. When a layer is verified to be
functioning properly, it can be assumed that the layers below it are functioning. The
administrator can work up the OSI layers. If an OSI layer is not functioning properly, the
administrator can work down the OSI layer model.

For example, if users cannot access the web server, but they can ping the server, then the
problem is above Layer 3. If pinging the server is unsuccessful, then the problem is likely at
a lower OSI layer.
Follow the path
This is one of the most basic troubleshooting techniques. The approach first discovers the
actual traffic path all the way from source to destination. The scope of troubleshooting is
reduced to just the links and devices that are in the forwarding path. The objective is to
eliminate the links and devices that are irrelevant to the troubleshooting task at hand. This
approach usually complements one of the other approaches.

Substitution

This approach is also called swap-the-component because you physically swap the
problematic device with a known, working one. If the problem is fixed, then the problem is
with the removed device. If the problem remains, then the cause may be elsewhere.

In specific situations, this can be an ideal method for quick problem resolution, such as
with a critical single point of failure. For example, a border router goes down. It may be
more beneficial to simply replace the device and restore service, rather than to
troubleshoot the issue.

If the problem lies within multiple devices, it may not be possible to correctly isolate the
problem.

Comparision

This approach is also called the spot-the-differences approach and attempts to resolve the
problem by changing the nonoperational elements to be consistent with the working ones.
You compare configurations, software versions, hardware, or other device properties, links,
or processes between working and nonworking situations and spot significant differences
between them.

The weakness of this method is that it might lead to a working solution, without clearly
revealing the root cause of the problem.

Educated Guess

This approach is also called the shoot-from-the-hip troubleshooting approach. This is a

less-structured troubleshooting method that uses an educated guess based on the
symptoms of the problem. Success of this method varies based on your troubleshooting
experience and ability. Seasoned technicians are more successful because they can rely on
their extensive knowledge and experience to decisively isolate and solve network issues.
With a less-experienced network administrator, this troubleshooting method may be more
like random troubleshooting.
Guidelines for Selecting a Troubleshooting Method

To quickly resolve network problems, take the time to select the most effective network
troubleshooting method.

The figure illustrates which method could be used when a certain type of problem is
discovered.

For instance, software problems are often solved using a top-down approach while
hardware-based problem are solved using the bottom-up approach. New problems may be
solved by an experienced technician using the divide-and-conquer method. Otherwise, the
bottom-up approach may be used.

Troubleshooting is a skill that is developed by doing it. Every network problem you identify
and solve gets added to your skill set.

Slow or no internet access in certain rooms

Wi-Fi is radio waves, meaning your Wi-Fi router broadcasts in all directions from a central
location. If your router is in a far corner of your house, then you’re covering a great deal of
the outside world unnecessarily. If you can, move your router to a more centralized
location. The closer you can put your router to the center of your coverage area, the better
reception will be throughout your house.
If you have external antennas, you can try adjusting those, too. Alternating between fully
vertical and fully horizontal positions can help reach in multiple directions.

Slow internet everywhere

If your Wi-Fi speed is slow no matter where you are, try plugging a laptop into your modem
directly and test your internet speed using a site like speedtest.net. If speeds are still down,
the problem is likely with your internet connection, not your router. Contact your ISP.

If that’s not the issue, it could be that your current wireless channel is overcrowded by
your devices, or by those of other nearby networks. Consider changing the channel on your
router in your router settings. Each router brand does that a little differently, though.

One device can’t connect to the Wi-Fi

Sometimes you run into a Wi-Fi issue with one particular device. It’s probably just a
momentary network issue. Try turning off the Wi-Fi on your device, then re-enabling it. If
that doesn’t work, do the same with your router by unplugging it and then plugging it back
in 30 seconds later.

If that doesn’t help, or if the problem reoccurs, consider deleting your current network
from the list of saved networks on your device, then reconnect again.

If you’re running Windows 10, search for “wifi troubleshooting” and open the result, which
should be Identify and Repair Network Issues. That will go through a series of diagnostics
that may restore connectivity. If none of that works, consider rebooting the device.

Nothing can connect to Wi-Fi

If you can’t connect to your Wi-Fi at all, plug your laptop into the router directly using an
Ethernet cable, and see if you can connect that way. If that works, your Wi-Fi is the problem
— but if it doesn’t, then your internet may be down altogether. Check your ISP’s webpage
and social accounts, or give them a call to see if they are reporting problems. Sometimes
providers can be a little slow to note issues, so you can also check with a monitoring site
like Downdetector, and see if other users in your region are reporting problems.
If that’s no use, you may need to consider buying a new router.

Connections drop at random times

Is there some sort of pattern? Do connections drop whenever you use the microwave? It
may sound weird, but some routers have trouble with this, especially on the 2.5GHz
frequency, or if you’re using an older microwave with shield problems.

It could be that you’re experiencing interference from other networks or devices. If your
neighbors are heavy Wi-Fi users at a particular time each day, this could be slowing you
down. Changing your router’s channel might help. You can use NetSpot on Mac and
Windows and Wi-Fi Analyzer for Android to show you every wireless network nearby. If
yours overlaps with nearby networks, switching to a less congested channel in your router
settings can help.

If that doesn’t work, try performing a factory reset on your router by pressing a paperclip
into the miniature hole on it.

Wi-Fi network disappears entirely

If you lose track of your Wi-Fi network on any device, it’s possible that your router reset
itself. Do you see an unprotected network named after your brand of router? That might be
yours. Connect a laptop or desktop to it via Ethernet cable, then use our guide to setting up
a wireless router to get everything properly configured again.

If you don’t see such a network, plug your laptop into the router with an Ethernet, and see
if you get a connection. Use our guide to finding your router’s IP address and login
information for more help. Also, if you don’t have a cable, check out our guide on how to
choose the right Ethernet cable.

The network connects, but there’s no internet access

It might sound like a tired tip, but try resetting your modem by unplugging it and plugging
it back in. If that doesn’t work, also try resetting your router the same way, assuming it’s a
separate device.
Connect a laptop or desktop to your router with an Ethernet cable (these are the best
ones). If this works, then the router is having a problem and may need to be reset. If there’s
still no internet, though, you may have an outage. Contact your ISP.

Router crashes regularly and only restarting it helps

If your router needs to be restarted regularly, consider giving it a full reset. On most
routers, you’ll find a Reset button that you can hold down with a paperclip. Do so for 30
seconds, and the router should default from factory settings. Use our guide to setting up a
wireless router to get everything properly configured.

If that doesn’t work, your router may be on its way out. Your only real option is to return it
if it is within its warranty period or to buy a new one.
Wi-Fi connection lost when logging back into computer
This problem can crop up on Windows 10 due to an issue with Fast Startup. Fast Startup
keeps certain processes running so you can log back in very quickly. However, this can
sometimes cause a bug with the wireless driver that prevents it from reconnecting to Wi-Fi
properly. In the short term, you turn off Fast Startup to prevent this problem. Search
for Power Options in your Windows 10 search bar and go to this section of the Control
Panel. Select Choose What the Power Button Does on the left-side menu, and then look at the
new section Shutdown Settings. Find the option to Turn On Fast Startup and make sure it is
deselected.

In the long term, your wireless network adapter may need to have its driver updated to fix
any bugs causing this issue. You can follow our guide on how to update Windows 10
drivers for more information.

Forgot the Wi-Fi password

If you really can’t remember your Wi-Fi password, and there are no notes or cards with it
written down somewhere, you’ll have to reset your router. Use a paperclip to press the
hidden switch in the pinhole on the back of your router for 30 seconds. It should then
default to factory settings.

Use our guide to setting up a wireless router to get everything properly configured.

Unknown devices on my Wi-Fi network

Log into your Wi-Fi app or administrator settings (which you can find by searching your IP
address on your browser — here’s how to find it). Look for a list of currently connected
devices and pinpoint the devices you don’t recognize. First, make sure these don’t
represent connections you didn’t realize you had — each smart device will have its own
connection, for example, and they can have some strange titles if you didn’t name them.
Game consoles and TVs may also be connected.

If you’ve ruled out all your own potential devices, and there’s still a connection or two you
don’t recognize, it’s possible someone else is hijacking your Wi-Fi network. In this case,
look in your settings for an option to block these devices on your Wi-Fi, and ban their MAC
addresses, if possible. Then change your Wi-Fi password, and reboot your router (here’s
how). This may not stop especially determined hackers, but it’s usually enough to kick
unwanted guests off your network.
A recent update broke Wi-Fi

This can happen with some operating system updates. Windows 10 updates in mid-2020
had bugs that stopped some users from connecting to their Wi-Fi networks or even seeing
a Wi-Fi connection at all. Similar updates to iOS, Android, and other platforms also have
created bugs in the past that disrupt Wi-Fi connections.

When something like this happens, it’s best to wait for a patch that fixes the problem. In the
meantime, remove the update and roll back your system to an earlier version to help get
your online connectivity back.

The satellite routers on my mesh network aren’t connecting

Make sure that your satellite devices are powered up and turned on. If they are, try
unplugging and replugging the problematic device and see if it will connect to your
network then. If your router app allows you to restart a Wi-Fi point (Google’s Home app,
for example, allows this), then reboot that point and see if this helps, too.

Google also allows you to run a test to make sure the network is set up properly. You can
find Wifi points on the Home app, under Test mesh. If the test comes back with a weak or
failed connection, you should try repositioning your satellite routers to be closer to your
primary router. This also is a good tactic for any mesh system that keeps dropping its
satellite points — they could be too far away from the primary point.

You can also double-check to make sure that your satellite router devices have a different
SSID than your primary router. If they were accidentally all assigned the same SSID, then
the mesh network may not be able to coordinate properly.
My smart device isn’t connecting to Wi-Fi

First, make sure that your smart device and your router are both updated. Then try
resetting your router and rebooting your smart device. You can either unplug and plug in
the smart device, or check its app for a reboot option — the Google Home app, for example,
has a Reboot tool under each device section that you can use.

If the device still isn’t connecting properly, try moving it next to the router and seeing if it
connects then — distance and interference can make a difference, especially for smaller
smart devices. You should also double-check to make sure that your smart device doesn’t
need a Zigbee hub to operate, which is more common among older smart devices but a
problem that still occasionally crops up.

If your smart device keeps dropping a Wi-Fi signal, especially during busy times of the day,
check to see if your router supports automatic band switching for devices. If it does, try
turning this feature off: Sometimes a router will try to switch a smart device to a different
band, but the device isn’t ready for that, causing it to lose a connection. There may also be
issues with connecting to a mesh router, and you may have to be very specific about your
network connection to make smart devices work.

My game console can’t connect to Wi-Fi

First, check social media and Downdetector to make sure nothing is wrong with your
gaming platform — sometimes Xbox Live or Playstation Network goes down for any
number of reasons, but they’re typically back up again after a short period.

If everything looks all right there, reboot both your router and your game console and see if
they can successfully connect. This is also a good time to test your internet connection.
Major systems like Xbox and PlayStation have an option in their Settings menu to test your
internet connection. On PlayStation, head to Settings, then Network, then select Test
Internet Connection. On Xbox, go to Profile & System, select Settings, and in
the General section, select Network Settings, where you will find an option to Test Network
Speed & Statistics. This can provide more information about what’s going wrong, and even
tips on what you may need to change.
Can’t connect to wireless printer

First, make sure you are trying to connect to your Wi-Fi and not via Wi-Fi Direct — they are
two different technologies. We also highly suggest the traditional routine of turning
everything off and back on again, especially if your printer has connected to Wi-Fi
successfully in the past. If your printer is far away from your router and keeps running into
Wi-Fi errors, try moving it to a closer position.

If it looks like your printer is connected to Wi-Fi but you can’t get it to work, head into your
printer settings on your computer and make sure the correct default printer is
selected. Microsoft also has some troubleshooters you can run to see if they pick up on
anything obviously awry.

I’m worried about Amazon Sidewalk giving my Wi-Fi to strangers

Amazon Sidewalk is a new service that started rolling out in June 2021, and has caused
some consternation among those with Amazon devices because of its use of Wi-Fi beyond
the home.

There are two important parts of Sidewalk to consider. First, any compatible device
(Amazon Echos, newer Ring devices, etc.) will use BLE (Bluetooth Low Energy) to help
facilitate smart device communication and strengthen the Wi-Fi network around your
home. If your neighbors are already using your Wi-Fi (see that issue addressed above), they
may find it easier, but otherwise not much will change.

Troubleshooting Authentication Issues

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This topic contains troubleshooting information for issues related to problems users may
have when attempting to connect to DirectAccess using OTP authentication. DirectAccerss
OTP related events are logged on the client computer in Event Viewer under Applications
and Services Logs/Microsoft/Windows/OtpCredentialProvider. Make sure that this log
is enabled when troubleshooting issues with DirectAccess OTP.

1. Failed to access the CA that issues OTP certificates

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log). OTP certificate enrollment for user <username> failed on
CA server <CA_name>, request failed, possible reasons for failure: CA server name cannot
be resolved, CA server cannot be accessed over the first DirectAccess tunnel or the
connection to the CA server cannot be established.
Cause
The user provided a valid one-time password and the DirectAccess server signed the
certificate request; however, the client computer cannot contact the CA that issues OTP
certificates to finish the enrollment process.
Solution
On the DirectAccess server, run the following Windows PowerShell commands:

1. Get the list of configured OTP issuing CAs and check the value of 'CAServer': Get-
DAOtpAuthentication

2. Make sure that the CAs are configured as a management servers: Get-DAMgmtServer -
Type All

3. Make sure that the client computer has established the infrastructure tunnel: In the
Windows Firewall with Advanced Security console, expand Monitoring/Security
Associations, click Main Mode, and make sure that the IPsec security associations
appear with the correct remote addresses for your DirectAccess configuration.

2. DirectAccess server connectivity issues

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log)

One of the following errors:

 A connection cannot be established to Remote Access server

<DirectAccess_server_hostname> using base path <OTP_authentication_path> and
port <OTP_authentication_port>. Error code: <internal_error_code>.

 User credentials cannot be sent to Remote Access server

<DirectAccess_server_hostname> using base path <OTP_authentication_path> and
port <OTP_authentication_port>. Error code: <internal_error_code>.

 A response was not received from Remote Access server

<DirectAccess_server_hostname> using base path <OTP_authentication_path> and
port <OTP_authentication_port>. Error code: <internal_error_code>.

Cause
The client computer cannot access the DirectAccess server over the Internet, due to either
network issues or to a misconfigured IIS server on the DirectAccess server.

Solution

Make sure that the Internet connection on the client computer is working, and make sure
that the DirectAccess service is running and accessible over the Internet.

3. Failed to enroll for the DirectAccess OTP logon certificate

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Error received (client event log). Certificate enrollment from CA <CA_name> failed. The
request was not signed as expected by the OTP signing certificate, or the user does not have
permission to enroll.

Cause

The one-time password provided by the user was correct, but the issuing certification
authority (CA) refused to issue the OTP logon certificate. The certificate request may not be
properly signed with the correct EKU (OTP registration authority application policy), or the
user does not have the "Enroll" permission on the DA OTP template.

Solution

Make sure that DirectAccess OTP users have permission to enroll for the DirectAccess OTP
logon certificate and that the proper "Application Policy" is included in the DA OTP
registration authority signing template. Also make sure that the DirectAccess registration
authority certificate on the Remote Access server is valid. See 3.2 Plan the OTP certificate
template and 3.3 Plan the registration authority certificate.

4. Missing or invalid computer account certificate

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Error received (client event log). OTP authentication cannot be completed because the
computer certificate required for OTP cannot be found in local machine certificate store.

Cause

DirectAccess OTP authentication requires a client computer certificate to establish an SSL

connection with the DirectAccess server; however, the client computer certificate was not
found or is not valid, for example, if the certificate expired.

Solution

Make sure that the computer certificate exists and is valid:

 1. On the client computer, in the MMC certificates console, for the Local Computer
account, open Personal/Certificates.

2. Make sure that there is a certificate issued that matches the computer name and
double-click the certificate.

3. On the Certificate dialog box, on the Certificate Path tab, under Certificate status,
make sure that it says "This certificate is OK."

If a valid certificate is not found, delete the invalid certificate (if it exists) and re-enroll for
the computer certificate by either running gpupdate /Force from an elevated command
prompt or restarting the client computer.

5. Missing CA that issues OTP certificates

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Error received (client event log). OTP authentication cannot be completed because the DA
server did not return an address of an issuing CA.

Cause

Either there are no CAs that issue OTP certificates configured, or all of the configured CAs
that issue OTP certificates are unresponsive.

Solution

1. Use the following command to get the list of CAs that issue OTP certificates (the CA
name is shown in CAServer): Get-DAOtpAuthentication.

2. If no CAs are configured:

1. Use either the command Set-DAOtpAuthentication or the Remote Access

Management console to configure the CAs that issue the DirectAccess OTP logon
certificate.

2. Apply the new configuration and force the clients to refresh the DirectAccess GPO
settings by running gpupdate /Force from an elevated command prompt or
restarting the client machine.

3. If there are CAs configured, make sure they're online and responding to enrollment
requests.

6. Misconfigured DirectAccess server address

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log). OTP authentication cannot complete as expected. The
name or address of the Remote Access server cannot be determined. Error code:
<error_code>. DirectAccess settings should be validated by the server administrator.

Cause

The address of the DirectAccess server is not configured properly.

Solution

Check the configured DirectAccess server address using Get-DirectAccess and correct the
address if it is misconfigured.

Make sure the latest settings are deployed on the client computer by running gpupdate
/force from an elevated command prompt or restart the client machine.

7. Failed to generate the OTP logon certificate request

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Error received (client event log). The certificate request for OTP authentication cannot be
initialized. Either a private key cannot be generated, or user <username> cannot access
certificate template <OTP_template_name> on the domain controller.

Cause

There are two possible causes for this error:

 The user doesn't have permission to read the OTP logon template.

 The user's computer can't access the domain controller because of network issues.

Solution

 Review the permissions setting on the OTP logon template and make sure that all
users provisioned for DirectAccess OTP have 'Read' permission.

 Make sure that the domain controller is configured as a management server and that
the client machine can reach the domain controller over the infrastructure tunnel. See
3.2 Plan the OTP certificate template.

8. No connection to the domain controller

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log). A connection with the domain controller for the purpose
of OTP authentication cannot be established. Error code: <error_code>.
Cause
There are two possible causes for this error:

 The user's computer has no network connectivity.

  The domain controller isn't accessible over the infrastructure tunnel.

Solution
 Make sure that the domain controller is configured as a management server by
running the following command from a PowerShell prompt: Get-DAMgmtServer -
Type All.
 Make sure that the client computer can reach the domain controller over the
infrastructure tunnel.

9. OTP provider requires challenge/response

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log). OTP authentication with Remote Access server
(<DirectAccess_server_name>) for user (<username>) required a challenge from the user.
Cause
The OTP provider used requires the user to provide additional credentials in the form of a
RADIUS challenge/response exchange, which is not supported by Windows Server 2012
DirectAccess OTP.
Solution
Configure the OTP provider to not require challenge/response in any scenario.
10.Incorrect OTP logon template used
Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log). The CA template from which user <username> requested
a certificate is not configured to issue OTP certificates.
Cause
The DirectAccess OTP logon template was replaced and the client computer is attempting
to authenticate using an older template.
Solution
Make sure the client computer is using the latest OTP configuration by performing one of
the following:
 Force a Group Policy update by running the following command from an elevated
command prompt: gpupdate /Force.
 Restart the client machine.

11.Missing OTP signing certificate

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Error received (client event log). An OTP signing certificate cannot be found. The OTP
certificate enrollment request cannot be signed.
Cause
The DirectAccess OTP signing certificate cannot be found on the Remote Access server;
therefore, the user certificate request can't be signed by the Remote Access server. Either
there is no signing certificate, or the signing certificate has expired and was not renewed.
Solution
Perform these steps on the Remote Access server.
 1. Check the configured OTP signing certificate template name by running the
PowerShell cmdlet Get-DAOtpAuthentication and inspect the value
of SigningCertificateTemplateName.

2. Use the Certificates MMC snap-in to make sure that a valid certificate enrolled from
this template exists on the computer.

3. If no such certificate exists, delete the expired certificate (if one exists) and enroll for
a new certificate based on this template.

To create the OTP signing certificate template see 3.3 Plan the registration authority
certificate.

12.Missing or incorrect UPN/DN for the user

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"
Error received (client event log)

One of the following errors:

 User <username> cannot be authenticated with OTP. Ensure that a UPN is defined for
the user name in Active Directory. Error code: <error_code>.

 User <username> cannot be authenticated with OTP. Ensure that a DN is defined for
the user name in Active Directory. Error code: <error_code>.
Error received (server event log)
The user name <username> specified for OTP authentication does not exist.
Cause
The user does not have the User Principal Name (UPN) or Distinguished Name (DN)
attributes properly set in the user account, these properties are required for proper
functioning of DirectAccess OTP.
Solution
Use the Active Directory Users and Computers console on the domain controller to verify
that both of these attributes are properly set for the authenticating user.
13.OTP certificate is not trusted for login
Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Cause

The CA that issues OTP certificates is not in the enterprise NTAuth store; therefore,
enrolled certificates can't be used for logon. This can occur in multi domain and multiforest
environments where cross domain CA trust is not established.

Solution

Make sure that the certificate of the root of the CA hierarchy that issues OTP certificates is
installed in the enterprise NTAuth Certificate store of the domain to which the user is
attempting to authenticate.

14.Windows could not verify user credentials

Scenario. User fails to authenticate using OTP with the error: "Authentication failed due to
an internal error"

Error received (Client computer). Something went wrong while Windows was verifying
your credentials. Try again, or ask your administrator for help.

Cause

The Kerberos authentication protocol does not work when the DirectAccess OTP logon
certificate does not include a CRL. The DirectAccess OTP logon certificate does not include
a CRL because either:

 The DirectAccess OTP logon template was configured with the option Do not include
revocation information in issued certificates.

 The CA is configured not to publish CRLs.

Solution

1. To confirm the cause for this error, in the Remote Access Management console,
in Step 2 Remote Access Server, click Edit, and then in the Remote Access Server
Setup wizard, click OTP Certificate Templates. Make a note of the certificate
template used for the enrollment of certificates that are issued for OTP
authentication. Open the Certification Authority console, in the left pane,
click Certificate Templates, double-click the OTP logon certificate to view the
certificate template properties.

To solve this issue, configure a certificate for the OTP logon certificate and do not
select the Do not include revocation information in issued certificates check box
on the Server tab of the template properties dialog box.

2. On the CA server, open the Certification Authority MMC, right click the issuing CA and
click Properties. On the Extensions tab make sure that CRL publishing is correctly
configured.