Use case

Investigate VPN issuesbefore escalation.

Most VPN tickets are client-side. Wrong certificate, expired profile, conflicting interface, DNS leak, MFA token failure. GenticFlow diagnoses on the real endpoint, fixes what it can verify, and escalates only the actual gateway, identity, or policy issues with the full packet.

Book a Demo Start Free Trial

Ticket INC-90381

ServiceNow

Subject

VPN wont connect from home

User

[email protected]

Endpoint

WIN11-SLS-051

User said

VPN keeps failing. Says authentication error then drops. Worked yesterday. Tried restarting twice and reinstalling the client.

Endpoint evidence collected

VPN client: Cisco AnyConnect 4.10.07073
Client certificate: expired 2026-05-12
Last successful connect: 6 days ago
Network: home wifi (1Gbps, 14ms RTT)
VPN gateway reachable: yes (TCP 443)
Time skew: +3.2s vs NTP

The problem

VPN tickets escalate too fast and stay too long.

A user says VPN is down. L1 has limited visibility into the client, no view into the gateway, and ends up escalating to network engineering. By the time it lands there the engineer spends another 20 minutes asking what the user already tried, only to find a stale certificate.

Cross-team

ping-pong

Tickets bounce L1 to network to identity and back. Each handoff loses context and adds delay.

Mostly client

actual cause

The majority of VPN tickets are resolved at the endpoint: client reinstall, certificate refresh, interface reset.

Remote

user blocked from work

Every minute of VPN outage is a user who cant access internal systems. SLA pressure is high.

Slow

root cause discovery

Without endpoint state attached, every troubleshooting step is a question, a wait, and a slack message.

How GenticFlow investigates

Endpoint context attached before a technician opens the ticket.

The AI engineer pulls live evidence from the affected endpoint, correlates against fleet baselines, and produces a root-cause hypothesis with the steps it would take next.

Client and interface state

Active VPN client version, install integrity, virtual adapter state, conflicting adapters, recent connection attempts and exit codes.

Certificate and credential check

Client certificate validity, chain trust, expiration window, machine vs. user store, cached credentials.

MFA and identity

Recent auth attempts, MFA challenge state, conditional access block, time skew that breaks TOTP.

Routing and DNS

Default route, split-tunnel config, DNS resolution behind tunnel, IPv6 leak indicators, MTU mismatch.

Run the targeted fix

Renew client certificate, reset network adapter, reinstall the VPN client cleanly, flush DNS, correct time sync.

Verify with a real connect

Attempt a controlled VPN connect, validate tunnel is up, hit an internal probe URL, confirm DNS resolves through tunnel.

Auto-resolved

What gets fixed without escalation.

Endpoint-side VPN problems with deterministic remediation paths get resolved and verified.

Expired client certificate

Trigger certificate renewal flow, validate the new cert chains, attempt a clean reconnect.

VPN client install corruption

Clean uninstall, reinstall the approved package, restore profile config, verify connection.

Stale virtual adapter or routing

Reset the virtual adapter, clear lingering routes, flush DNS, attempt reconnect.

Time skew breaking auth

Force NTP resync, validate clock alignment, retry MFA challenge.

Conflicting third-party adapter

Identify and disable the conflicting interface, reorder bindings, verify clean tunnel establishment.

Escalated with evidence

What gets escalated and why.

When the endpoint is healthy and the problem is on the gateway, identity provider, or policy side, the ticket lands where it should with proof.

Gateway down or degraded

Multiple endpoints failing to reach the same gateway. Routed to network with the affected-endpoint list.

Conditional access blocking the user

Identity provider returns block reason. Routed to security with the sign-in correlation ID.

License or seat issue

VPN gateway license limit reached or user not assigned a seat. Routed to whoever owns provisioning.

Suspected compromise

Successful auth from impossible-travel location or persistent token theft indicators. Routed to security with the chain of evidence.

Explore related

Other ways teams use GenticFlow.

Each page walks the live investigation path against a real ticket so you can compare patterns across categories and stacks.

Printer ticket automation

Slow computer investigation

Outlook support automation

Disk space remediation

Reduce L1 ticket volume

AI engineer for service desks

AI ticket resolution for Halo PSA

AI ticket resolution for Autotask

AI ticket resolution for ConnectWise

FAQ

Common questions.

Specific answers for service desk and operations teams evaluating this workflow.

Does this work with any VPN client?

Cisco AnyConnect, Palo Alto GlobalProtect, FortiClient, Microsoft Always On VPN, and OpenVPN are covered today. Other clients integrate through generic endpoint checks plus the verified fix layer.

What about cloud VPNs and ZTNA?

Zscaler, Cloudflare Access, Tailscale, and similar ZTNA clients are diagnosed at the endpoint posture, identity, and connector layers. Gateway-side context is pulled when the integration is available.

Can it reissue a certificate by itself?

If the certificate renewal flow is exposed to the endpoint or via your PKI integration, yes. Otherwise the ticket is escalated with a clear request to reissue, including the affected serial and expiry.

What if the user is offline and cant reach the agent?

The endpoint agent works offline. When connectivity is restored, the diagnostic chain syncs and any pending remediation runs. The ticket gets updated automatically.

Stop bouncing VPN tickets across three teams.

See the AI engineer triage a live VPN ticket end-to-end and either fix it or hand the right team a fully diagnosed case.