Server 2008 R2: VPN Setup Causes Hundreds of "Event 20171" Errors

belias1 used Ask the Experts™

I've recently set up a basic (single NIC) PPTP VPN on Windows Server 2008 R2.  It's working fine, but for some reason I get multiple (hundreds) of error logs with Event 20171 from RemoteAccess.  The errors only appear on system start-up and they're all time stamped with the same time.

Here's the description it provides:

Failed to apply IP Security on port VPN2-11 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

I'm not sure how to interpret the message...and I don't require L2TP.  Any help in solving this would be great.


- Brian
You might want to install a self-signed certificate.
Try this -

To create a self-signed certificate
You can perform this procedure by using the user interface (UI).

User Interface
To use the UI
1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

2. In Features view, double-click Server Certificates.

3. In the Actions pane, click Create Self-Signed Certificate.

4. On the Create Self-Signed Certificate page, type a friendly name for the certificate in the Specify a friendly name for the certificate box, and then click OK.


Thanks for the quick reply.  I don't have IIS installed on this server, and I'd prefer not to unless it's required (security, overhead, etc.).

Any thoughts?


- Brian

Why don't you remove the L2TP interfaces from RRAS, if you don't require them?


simonlimon:  Makes sense - but I'm not sure how to do this.  I've looked through the various configuration settings, and I can see where to change a few L2TP settings but not how to remove it.  Any guidance here?

Try this -

    // Modify L2TP and PPTP port information on the local RRAS server
    wprintf(L"Disabling RRAS enabled L2TP and PPTP ports on the local system.");
    pMprServer->dwL2tpPortFlags = FALSE;
Open RRAS console, click on Ports, select L2TP ports, right-click, Properties. Remove the check box from Remote access connections and Demand-dial routing, and set the number of ports to 0.

Click OK, Click apply.

You are not using L2TP at all, right?
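
A way to confirm the change after the next restart, as an added example that is not part of the original thread: this PowerShell script counts Event 20171 entries logged since the last boot and lists the ports they name. It assumes the events are in the System log under the provider name RemoteAccess and that the message text contains "on port <name>" as in the description quoted in the question.

```powershell
# Added example (not from the thread): check whether RemoteAccess Event 20171
# is still being logged after the L2TP ports were disabled in RRAS.
# Assumption: events are in the System log, provider name "RemoteAccess".

$filter = @{ LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20171 }

# Get-WinEvent raises an error when nothing matches, which is the expected
# outcome once the errors are gone, so suppress it and force an array.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Time of the most recent boot, used to separate old entries from new ones.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

$rows = foreach ($e in $events) {
    # Message format: "Failed to apply IP Security on port VPN2-11 because of error: ..."
    $port = 'unknown'
    if ($e.Message -match 'on port (\S+)') { $port = $Matches[1] }

    New-Object PSObject -Property @{
        TimeCreated   = $e.TimeCreated
        Port          = $port
        SinceLastBoot = ($e.TimeCreated -ge $lastBoot)
    }
}

$new = @($rows | Where-Object { $_.SinceLastBoot })

"Last boot:                   $lastBoot"
"Event 20171 entries in log:  $($events.Count)"
"Event 20171 since last boot: $($new.Count)"

if ($new.Count -gt 0) {
    # Show which ports are still failing to apply IP Security.
    $new | Group-Object Port | Sort-Object Name | Format-Table Name, Count -AutoSize
} else {
    'No Event 20171 errors since the last boot.'
}
```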


Number-1:  Fast response and definitely valid, unfortunately didn't apply in my situation since I don't have IIS.

Simonlimon:  Perfect - that did it!  I thought I'd never get rid of those errors.  Thank you!
