How to troubleshoot your internet connection layer-by-layer

The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. It was the first standard model for network communications, adopted by all major computer and telecommunication companies in the early 1980s

The modern Internet is not based on OSI, but on the simpler TCP/IP model. However, the OSI 7-layer model is still widely used, as it helps visualize and communicate how networks operate, and helps isolate and troubleshoot networking problems.

OSI was introduced in 1983 by representatives of the major computer and telecom companies, and was adopted by ISO as an international standard in 1984.

OSI Model Explained: The OSI 7 Layers

How to troubleshoot your internet connection layer-by-layer

We’ll describe OSI layers “top down” from the application layer that directly serves the end user, down to the physical layer.

7. Application Layer

The application layer is used by end-user software such as web browsers and email clients. It provides protocols that allow software to send and receive information and present meaningful data to users. A few examples of application layer protocols are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), and Domain Name System (DNS).

6. Presentation Layer

The presentation layer prepares data for the application layer. It defines how two devices should encode, encrypt, and compress data so it is received correctly on the other end. The presentation layer takes any data transmitted by the application layer and prepares it for transmission over the session layer.

5. Session Layer

The session layer creates communication channels, called sessions, between devices. It is responsible for opening sessions, ensuring they remain open and functional while data is being transferred, and closing them when communication ends. The session layer can also set checkpoints during a data transfer—if the session is interrupted, devices can resume data transfer from the last checkpoint.

4. Transport Layer

The transport layer takes data transferred in the session layer and breaks it into “segments” on the transmitting end. It is responsible for reassembling the segments on the receiving end, turning it back into data that can be used by the session layer. The transport layer carries out flow control, sending data at a rate that matches the connection speed of the receiving device, and error control, checking if data was received incorrectly and if not, requesting it again.

3. Network Layer

The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network. The network layer uses network addresses (typically Internet Protocol addresses) to route packets to a destination node.

2. Data Link Layer

The data link layer establishes and terminates a connection between two physically-connected nodes on a network. It breaks up packets into frames and sends them from source to destination. This layer is composed of two parts—Logical Link Control (LLC), which identifies network protocols, performs error checking and synchronizes frames, and Media Access Control (MAC) which uses MAC addresses to connect devices and define permissions to transmit and receive data.

1. Physical Layer

The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices, and is responsible for transmission of the raw data, which is simply a series of 0s and 1s, while taking care of bit rate control.

Advantages of OSI Model

The OSI model helps users and operators of computer networks:

  • Determine the required hardware and software to build their network.
  • Understand and communicate the process followed by components communicating across a network.
  • Perform troubleshooting, by identifying which network layer is causing an issue and focusing efforts on that layer.

The OSI model helps network device manufacturers and networking software vendors:

This article describes how to troubleshoot L2TP/IPSec virtual private network (VPN) connection issues.

Applies to: Windows 10 – all editions
Original KB number: 325034


You must have an Internet connection before you can make an L2TP/IPSec VPN connection. If you try to make a VPN connection before you have an Internet connection, you may experience a long delay, typically 60 seconds, and then you may receive an error message that says there was no response or something is wrong with the modem or other communication device.

When you troubleshoot L2TP/IPSec connections, it’s useful to understand how an L2TP/IPSec connection proceeds. When you start the connection, an initial L2TP packet is sent to the server, requesting a connection. This packet causes the IPSec layer on your computer to negotiate with the VPN server to set up an IPSec protected session (a security association). Depending on many factors including link speed, the IPSec negotiations may take from a few seconds to around two minutes. When an IPSec security association (SA) has been established, the L2TP session starts. When it starts, you receive a prompt for your name and password (unless the connection has been set up to connect automatically in Windows Millennium Edition.) If the VPN server accepts your name and password, the session setup completes.

A common configuration failure in an L2TP/IPSec connection is a misconfigured or missing certificate, or a misconfigured or missing preshared key. If the IPSec layer can’t establish an encrypted session with the VPN server, it will fail silently. As a result, the L2TP layer doesn’t see a response to its connection request. There will be a long delay, typically 60 seconds, and then you may receive an error message that says there was no response from the server or there was no response from the modem or communication device. If you receive this error message before you receive the prompt for your name and password, IPSec didn’t establish its session. If that occurs, examine your certificate or preshared key configuration, or send the isakmp log to your network administrator.

A second common problem that prevents a successful IPSec session is using a Network Address Translation (NAT). Many small networks use a router with NAT functionality to share a single Internet address among all the computers on the network. The original version of IPSec drops a connection that goes through a NAT because it detects the NAT’s address-mapping as packet tampering. Home networks frequently use a NAT. This blocks using L2TP/IPSec unless the client and the VPN gateway both support the emerging IPSec NAT-Traversal (NAT-T) standard. For more information, see the "NAT Traversal" section.

If the connection fails after you receive the prompt for your name and password, the IPSec session has been established and there’s probably something wrong with your name and password. Other server settings may also be preventing a successful L2TP connection. In this case, send the PPP log to your administrator.

NAT Traversal

With the IPSec NAT-T support in the Microsoft L2TP/IPSec VPN client, IPSec sessions can go through a NAT when the VPN server also supports IPSec NAT-T. IPSec NAT-T is supported by Windows Server 2003. IPSec NAT-T is also supported by Windows 2000 Server with the L2TP/IPSec NAT-T update for Windows XP and Windows 2000.

For third-party VPN servers and gateways, contact your administrator or VPN gateway vendor to verify that IPSec NAT-T is supported.