Question
Tuesday, September 18, 2018 12:00 PM
I just want to make sure: did I do something wrong, or is this a bug? I've heard there is something going on in the 1803 build, but I'm not sure if this is the same.
I have a lab with AD, PKI, NPS, a VPN 2016 server and Windows 10 1803 Enterprise, and I deploy VPN profiles with SCCM CB 1806.
I've used User Tunnel successfully for about 5 months, first with VPN only, then with VPN+NPS using EAP authorization.
Now when I started to play with Device Tunnel, this happens:
- Device Tunnel works fine on its own
- User Tunnel works fine on its own
- If Device Tunnel is deployed after User Tunnel, it will not connect. It stays passive, there is no way to connect.
- If User Tunnel and Device Tunnel are deployed together, Device Tunnel works, but User Tunnel will not connect - EAP missing cert issue (event ID 20225 on the VPN server). Deleting the profiles/tunnels and re-rolling them separately does not seem to fix the issue.
- A computer which has received the Device Tunnel profile will never work with User Tunnel, even if all tunnels are deleted and only the User Tunnel is re-enrolled. Same EAP cert missing error.
Is the Device Tunnel issue known by Microsoft? Will they fix it? My 1803 is patched with the September CU.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
All replies (10)
Wednesday, October 17, 2018 3:50 PM Answered | 1 vote
Both user and device tunnels are now operational after CU 10-2018!
Addresses an issue that prevents dual tunnel AlwaysOn VPN configurations that use trusted network detection from having both tunnels operational.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
Wednesday, September 19, 2018 7:23 AM | 1 vote
Hi,
Thanks for your question.
Someone has already reported this question. Please refer to the link below:
https://github.com/MicrosoftDocs/windowsserverdocs/issues/900
Best regards,
Travis
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, September 19, 2018 10:04 AM
Okay, so at the time I wrote the first post, I had bigger problems. This EAP missing cert issue may be resolved by re-enrolling certs from PKI, restarting the device and re-enrolling the User and Device tunnels. Eventually, I got it almost working, but now I see the major problem / bug that everybody is talking about.
1. The device with both tunnels enrolled starts up, connects to the guest network and establishes the Device Tunnel. From the VPN server logs I see (HP8470P.labs.dom is a computer name, not a user):
- The user HP8470P.labs.dom has connected and has been successfully authenticated on port VPN2-127
- The user HP8470P.labs.dom connected on port VPN2-127 has been assigned address 10.0.0.65
2. User login with account wskadmin happens:
- The user [email protected] has connected and has been successfully authenticated on port VPN2-126.
- The user [email protected] connected on port VPN2-126 has been assigned address 10.0.0.66
- The user [email protected] connected on port VPN2-126 on 9/19/2018 at 12:44 PM and disconnected on 9/19/2018 at 12:44 PM. The user was active for 0 minutes 4 seconds. 1699 bytes were sent and 5221 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (IKEv2). The quarantine state was.
- The user with ip address 10.0.0.66 has disconnected
Now, when logged in to the desktop, Device Tunnel is still established, and I can connect the User Tunnel _manually_, even if the autoconnect is ticked on. Probably, automatically it will not connect.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
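The log pattern in the post above (device tunnel stays up, user tunnel connects and drops after 4 seconds) can be picked out of exported VPN server messages automatically. This is an added example, not part of the original post; the host and account names are constructed placeholders, it assumes user tunnels authenticate with an identity containing "@" and device tunnels with a computer name, and it handles only the message formats quoted in the post.

```python
import re

# Constructed sample, modelled on the log text quoted in the post (names are placeholders).
SAMPLE_LOG = """\
- The user PC01.example.test has connected and has been successfully authenticated on port VPN2-127
- The user PC01.example.test connected on port VPN2-127 has been assigned address 10.0.0.65
- The user alice@example.test has connected and has been successfully authenticated on port VPN2-126.
- The user alice@example.test connected on port VPN2-126 has been assigned address 10.0.0.66
- The user alice@example.test connected on port VPN2-126 on 9/19/2018 at 12:44 PM and disconnected on 9/19/2018 at 12:44 PM. The user was active for 0 minutes 4 seconds. 1699 bytes were sent and 5221 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (IKEv2). The quarantine state was.
"""

CONNECTED = re.compile(
    r"The user (\S+) has connected and has been successfully authenticated on port (\S+?)\.?$")
DISCONNECTED = re.compile(
    r"The user (\S+) connected on port (\S+) on .*? and disconnected on .*?"
    r"The user was active for (\d+) minutes (\d+) seconds\..*?"
    r"The reason for disconnecting was (.*?)\. The tunnel used was (.*?)\. ")

def parse_sessions(log_text):
    """Return {port: session dict} built from connect/disconnect messages."""
    sessions = {}
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        m = CONNECTED.match(line)
        if m:
            sessions[m.group(2)] = {"identity": m.group(1), "state": "up",
                                    "active_s": None, "reason": None}
            continue
        m = DISCONNECTED.match(line)
        if m:
            ident, port, mins, secs, reason, tunnel = m.groups()
            s = sessions.setdefault(port, {"identity": ident})
            s.update(state="down", active_s=int(mins) * 60 + int(secs),
                     reason=reason, tunnel=tunnel)
    return sessions

def short_lived_user_tunnels(sessions, threshold_s=30):
    """User tunnels that dropped within threshold_s while a device tunnel is still up."""
    # Assumption: identities without '@' are computer accounts (device tunnel).
    device_up = any(s["state"] == "up" and "@" not in s["identity"]
                    for s in sessions.values())
    if not device_up:
        return []
    return [(s["identity"], port, s["active_s"], s["reason"])
            for port, s in sorted(sessions.items())
            if s["state"] == "down" and "@" in s["identity"]
            and s["active_s"] < threshold_s]

if __name__ == "__main__":
    for hit in short_lived_user_tunnels(parse_sessions(SAMPLE_LOG)):
        print("user tunnel dropped while device tunnel is up:", hit)
```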
Thursday, September 20, 2018 9:10 AM
Hi,
Based on the complexity and the specific situation, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
http://support.microsoft.com/contactus/?ln=en-au
Have a nice day!
Travis
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, October 17, 2018 9:14 PM
> Both user and device tunnels are now operational after CU 10-2018!
> Addresses an issue that prevents dual tunnel AlwaysOn VPN configurations that use trusted network detection from having both tunnels operational.
> MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
Which patch specifically? I am testing from a fully patched 1803 machine. Do you mean the new 1809 build that has been pulled back?
Thursday, October 18, 2018 5:55 AM | 1 vote
> Which patch specifically? I am testing from a fully patched 1803 machine. Do you mean the new 1809 build that has been pulled back?
No, I patched my 1803 with CU 10-2018 and it started working! Tested on 2 machines. Actually, if you see the change logs of patching, this was fixed in the 2nd September CU release, but I didn't get it.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
Thursday, October 18, 2018 12:20 PM
> > Which patch specifically? I am testing from a fully patched 1803 machine. Do you mean the new 1809 build that has been pulled back?
> No, I patched my 1803 with CU 10-2018 and it started working! Tested on 2 machines. Actually, if you see the change logs of patching, this was fixed in the 2nd September CU release, but I didn't get it.
> MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
I see. I have had the patches this whole time and I have not had trouble with the user tunnel and device tunnel running at the same time.
I have two other issues. The device tunnel seems to only work one way. I cannot manage out. It almost seems like a route conflict with the user tunnel but I'm not sure. If your manage out is working, can you please share a sanitized copy of your user and device profiles?
Microsoft has been stumped for about a week now trying to figure out my issue and I think it has been escalated yet again.
The other issue I had was the device tunnel just doesn't seem stable... it will seem fine and then drop off for no reason. It won't reconnect like the user tunnel does either.
Thursday, October 18, 2018 4:14 PM
> I have two other issues. The device tunnel seems to only work one way. I cannot manage out. It almost seems like a route conflict with the user tunnel but I'm not sure. If your manage out is working, can you please share a sanitized copy of your user and device profiles?
> Microsoft has been stumped for about a week now trying to figure out my issue and I think it has been escalated yet again.
> The other issue I had was the device tunnel just doesn't seem stable... it will seem fine and then drop off for no reason. It won't reconnect like the user tunnel does either.
Those are different issues yes. I can test it at some point. Do you attempt manage out from that VPN server or from somewhere else? I think we could continue this on the other thread, just drop a link here...
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
Thursday, December 20, 2018 3:27 PM
> Both user and device tunnels are now operational after CU 10-2018!
> Addresses an issue that prevents dual tunnel AlwaysOn VPN configurations that use trusted network detection from having both tunnels operational.
> MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
What OS Build of Windows are you running with the CU 10-2018?
Is this 1709 or 1803?
Thursday, December 20, 2018 4:14 PM
This was 1803, but the same should apply to 1709 also.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.