

Always On VPN - Clients cannot connect - Error 20271 and 20225

Question

Sunday, December 15, 2019 8:10 PM

Hello,

Last week I installed Always On VPN at a customer. All server OS'es were 2019 (separate NPS and RRAS server).
The client OS is Windows 10 Enterprise 1709.

Because all the other servers in their environment were W2008R2, I decided to upgrade 1 DC to W2019 and a new CA based on W2019. So all necessary certificates were issued by a W2019 CA with the highest compatibility level.

I also checked that the default domain certificates were issued by the W2019 CA.

On both the client and the server IKEv2 is configured.

The client is not able to connect. In the clients event log, there is error 20227 ending with failure 809.

On the RRAS server there were 2 errors:
20271

CoId={B5286053-DC15-80E6-3C87-A905E7AAEDD3}: The user username connected from 1.1.1.1 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

20225

CoId={B5286053-DC15-80E6-3C87-A905E7AAEDD3}: The following error occurred in the Point to Point Protocol module on port: VPN2-1, UserName: <Unauthenticated User>. Negotiation timed out

Does anyone have any idea what went wrong?
I already installed another AlwaysOn VPN chain in the same network and it has the same behavior.

Could it be the fact that the user is in W2008 R2 AD functional level or something like that?

All replies (11)

Monday, December 16, 2019 4:19 AM

Hello,

Please read the discussion - Trouble with Remote Access Server VPN for AlwaysOn VPN

Windows Server 1709 and higher supports IKEv2 fragmentation.

Try to enable IKEv2 fragmentation on your Windows SRV 2019:

HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\ikev2\EnableServerFragmentation DWORD = 1

Some useful links:

https://msdn.microsoft.com/en-us/library/mt846268.aspx

https://msdn.microsoft.com/en-us/library/cc233476.aspx

https://directaccess.richardhicks.com/2019/02/11/always-on-vpn-and-ikev2-fragmentation/

Disclaimer:
My opinion may not coincide with the official position of Microsoft.

Kind regards, Andrei ...

MCP


Monday, December 16, 2019 6:54 AM

Thank you for your quick response!

The key is already set. This is one of my default steps for a W2019 AoV setup.

But I checked it twice to see if I made some mistakes. But it looks good.


Monday, December 16, 2019 9:29 AM

Hi,

>>The client is not able to connect. In the clients event log, there is error 20227 ending with failure 809.

Please ensure TCP 1701, UDP port 500, UDP port 4500 opened on firewall/router.

The event ID 20227 may occur when the relevant system components are corrupted unexpectedly by some third-party software.

Maybe you can try to perform a clean boot to see which service caused the issue. 

Hope this can help you, if you have anything unclear, please let me know.

Have a nice day!

Ellen

Please remember to mark the replies as answers if they help and unmark them if they provide no help.

If you have feedback for TechNet Subscriber Support, contact [email protected].


Monday, December 16, 2019 11:24 AM

Thank you Ellen for your reply.

The local firewalls are disabled and I test the AlwaysOn VPN to connect directly to the RRAS server at the first time.

I did not see Error 20227 on 1 of the belonging systems.


Monday, December 16, 2019 12:50 PM

Hi,

Could you please show me the Dial-in tab of the AD user, that you use to connect to VPN.


Kind regards, Andrei ...

MCP


Monday, December 16, 2019 1:46 PM

Unfortunately I cannot upload pictures.

But the "Network Access Permission" is set to "Control access through NPS Network Policy".

Callback options: No callback

The other options are not checked.


Monday, December 16, 2019 2:17 PM

But the "Network Access Permission" is set to "Control access through NPS Network Policy".

It looks like it is set up correctly


Kind regards, Andrei ...

MCP


Monday, December 16, 2019 2:22 PM

Yep. I did a lot of AoV installations. But this issue is completely new to me. I did all the "common" checks (certificates, AD, settings, etc.).

Maybe it is the Windows client version (1709) in relation to the complete W2019 AoV chain (NPS, RRAS).

I will update the workstation this evening to check it.

The strange thing is that we see incoming traffic with WireShark on both the RRAS server and the NPS server.
In the RRAS server we see also errors in the EventViewer. But in the NPS server we see nothing in the EventViewer and in the NPS log file (auditing is enabled).


Monday, December 16, 2019 4:52 PM

I just did a W10 upgrade to 1909. Same problems.

But this one is also strange:

20255 (from the RRAS server):

CoId={5B77563D-5DE4-66EF-CF47-54680F7CD764}: The following error occurred in the Point to Point Protocol module on port: VPN2-1, UserName: <Unauthenticated User>. Negotiation timed out

The protocol I used is IKEv2. What is RRAS talking about PPTP??


Monday, December 16, 2019 6:53 PM

That's not unusual. PPP is different than PPTP. However, if you are still receiving the 809 error on your client, that still indicates a connection failure. If you have IKEv2 fragmentation enabled, that would rule that out. However, it could still be a firewall or NAT configuration issue. Does your edge firewall allow UDP ports 500 and 4500 inbound? And are they both being NAT'd to the same VPN server?

Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com
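The replies above suggest three server-side checks for this symptom: that the IKEv2 fragmentation registry value is really set, that the RRAS host is listening on the IKEv2 ports (UDP 500 for IKE and UDP 4500 for NAT-T), and that the RRAS events 20271 and 20225 are actually being logged so their text can be compared against the NPS policy. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes it is run in an elevated PowerShell session on the RRAS server, that RRAS writes these events to the System log under the provider name RemoteAccess, and that the RemoteAccess PowerShell module is installed (the Get-VpnAuthProtocol call is skipped if it is not).

```powershell
# Added diagnostic script for the checks discussed in this thread (not from the original posts).
# Run elevated on the RRAS server. Assumptions are marked inline.

$Ikev2RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IKEv2'
$FragValueName = 'EnableServerFragmentation'   # the value Andrei's reply refers to
$Ikev2Ports    = 500, 4500                      # IKE and NAT-T; IKEv2 does not use TCP 1701
$RrasEventIds  = 20271, 20225                   # auth-policy mismatch and PPP negotiation timeout

function Test-Ikev2Fragmentation {
    # Returns Enabled/Disabled/Missing for the server-side IKEv2 fragmentation switch.
    if (-not (Test-Path -Path $Ikev2RegPath)) {
        return [pscustomobject]@{ Check = 'IKEv2 fragmentation'; Status = 'Missing'
                                  Detail = "$Ikev2RegPath does not exist" }
    }
    $item = Get-ItemProperty -Path $Ikev2RegPath -Name $FragValueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.$FragValueName -ne 1) {
        return [pscustomobject]@{ Check = 'IKEv2 fragmentation'; Status = 'Disabled'
                                  Detail = "$FragValueName is absent or not 1 (REG_DWORD)" }
    }
    [pscustomobject]@{ Check = 'IKEv2 fragmentation'; Status = 'Enabled'; Detail = "$FragValueName = 1" }
}

function Test-Ikev2Listeners {
    # RRAS must be bound to UDP 500 and 4500 for IKEv2; if either is absent the
    # client fails before any EAP/NPS exchange, which is consistent with an 809 error.
    $bound = Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in $Ikev2Ports }
    foreach ($port in $Ikev2Ports) {
        $hit = $bound | Where-Object { $_.LocalPort -eq $port }
        [pscustomobject]@{
            Check  = "UDP $port listener"
            Status = if ($hit) { 'Listening' } else { 'Not listening' }
            Detail = if ($hit) { ($hit.LocalAddress -join ', ') } else { 'RRAS/IKEEXT not bound' }
        }
    }
}

function Get-RrasAuthFailures {
    # Pulls the 20271/20225 events so the auth-method text can be compared with the
    # NPS network policy. ASSUMPTION: RRAS logs these to System under provider 'RemoteAccess'.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'RemoteAccess'
        Id           = $RrasEventIds
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

function Get-Ikev2AuthSettings {
    # Shows the server-side IKEv2 machine-certificate settings (root CA accepted, EKU).
    # A root that does not match the CA that issued the client certificates is one
    # cause of the server rejecting the tunnel. Requires the RemoteAccess module.
    if (Get-Command Get-VpnAuthProtocol -ErrorAction SilentlyContinue) {
        Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted,
            RootCertificateNameToAccept, CertificateEKUsToAccept
    } else {
        Write-Warning 'RemoteAccess module not available; skipping Get-VpnAuthProtocol.'
    }
}

# --- run the checks ---
Test-Ikev2Fragmentation
Test-Ikev2Listeners
Get-Ikev2AuthSettings
Get-RrasAuthFailures -Hours 24 | Format-List
```

A 20271 with nothing at all in the NPS event log or accounting file, as the original poster describes, is worth reading alongside the listener and auth-setting output: if the tunnel never completes the IKEv2 machine-certificate phase, RRAS can report the failure locally without ever sending a RADIUS Access-Request to NPS.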


Wednesday, January 8, 2020 8:08 AM

Hi,

As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful.

If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

Best regards,

Ellen
