Error 812 when connecting to Windows Server 2008 R2 VPN

Posted on 2014-08-22
Last Modified: 2014-09-09
We recently took over a network where the previous in-house IT guy was fired.  He was unbecoming of any credentials, so we've had to reset devices or crack passwords in order to be able to administer properly.

The site was using a Sonicwall TZ215 to act as a VPN server.  I've given up on getting that to work--the Sonicwall Global VPN client appears to connect but then throws an error.  (I don't remember what but it doesn't matter since I've scrapped it anyway.)  I also tried to configure the TZ215's SSL VPN which I seemed to make progress on, until I realized that I couldn't find anywhere to download the Sonicwall VPN client.

So I defaulted to the lowest common denominator--the Windows Server '08 R2 VPN server.  I started out by trying to fix the existing RRAS configuration, but eventually gave up on that.  I deleted all of the existing NPS policies (Server Manager -> Roles -> Network Policy and Access -> NPS -> Policies -> Network Policies -> delete everything under Policy Name), disabled RRAS so it would delete its settings (Server Manager -> Roles -> Routing and Remote Access -> right click and Disable Routing and Remote Access), and then I uninstalled RRAS and NPS and rebooted the server.  

I reinstalled RRAS using one of the many how-tos on the internet.  Some of them specified installing NPS; others didn't.  Most recently, I used this one which did not include NPS:

When I attempt to connect via the (internal local Windows 7 Pro) client, I get Error 812: The connection was prevented because of a policy configured on your RAS/VPN server.  Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.

I have disabled the firewall on the server for testing purposes.  

I am using the administrator account for testing.  I have gone to ADUC -> Administrator properties -> Dial-in tab -> Network Access Permission -> Allow Access is bulleted.  

When I check the Event Viewer, I see EventID 20258 – “The account for user \domain\administrator connected on port VPN3-127 does not have Remote Access privilege.  The line has been disconnected.”

I created a new user called admintest and it gets the same error in the event log.  

I’ve gone to Computer -> Properties -> Remote Settings -> Remote tab.  The bullet is next to Allow connections from computers running any version of Remote Desktop.  Under Select Users, I have verified that administrator and admintest are listed.  

I am out of ideas.  Please advise.
Question by:SINC_dmack

    Expert Comment

    by:Gajendra Rathod
    Configure VPN on Sonicwall  TZ 215

    You can download NetExtender after login using HTTPS and either the IP address and port or URL and port to access the Virtual Office VPN connect site

    Author Comment

    Gajendra, I have seen that link (and quite a few on how to configure the SSL VPN on the TZ215) but I don't understand where to install the NetExtender client.  

    You say "You can download NetExtender after login using HTTPS and either the IP address and port or URL and port to access the Virtual Office VPN connect site" but I have no idea what the IP address or port or URL are for the Virtual Office VPN connect site.

    Author Comment

    It appears that even though I deleted the NPS policies and removed the NPS role, when I reinstalled the RRAS role, NPS came right back.  (Or maybe it was never gone to begin with.)
    There don't appear to be any policies, however.

    Expert Comment

    by:Gajendra Rathod
    Please check this link

    Log out of your Network Security Appliance administration panel to return to the login page.
    Click the link in the lower right-hand corner of the dialog that points you to the SonicWALL Virtual Office.
    Enter the user name and password you entered and click "Login" to access the SonicWALL Virtual Office.
    Download and install the provided NetExtender application.
    Double-click the NetExtender icon in your system tray once the installation is complete.

    You need to install NetExtender on client machine.

    Author Comment

    Hi Gajendra, I logged out of the TZ215, but there's no Sonicwall Virtual Office link at the login page.  I also logged in and browsed through the menus (not too closely, but I did check the VPN and SSL VPN menu trees) but didn't see any mention of the Virtual Office.


    Accepted Solution

    We've got a few TP-Link VPN routers on hand and they support LAN to LAN VPN as well as Client to LAN VPN.  We've already used the LAN to LAN VPN with positive results, so I decided to try out the Client to LAN VPN.  In this case, I used a TL-ER604W.   TP-Link has a detailed step-by-step guide available here:  It even includes links and setup steps for two VPN clients, one of which is the free Shrew Soft VPN client.  The TP-Link only supports the client authenticating against the router itself, so there is no Active Directory integration.  I'll have to configure a separate tunnel for each user (in order to keep their credentials separated), but that's not a big deal as there are only a handful of users that need VPN access.

    Following the instructions in the PDF, I was able to create and connect a VPN from my laptop to the TL-ER604W.  I could ping the IP address of a computer on the TL-ER604W's network and browse to its shares via its IP address--the only thing that didn't work was browsing to the computer by name, and I'm aware of the DNS issue that's preventing that from working.  So at this point, I am going to propose to the client that we scrap the Sonicwall in favor of the TL-ER604W and use the TP-Link's VPN connectivity.  

    I appreciate the assistance.  I'll leave this open for a few more days in case anyone has any magical solutions for my Windows or Sonicwall VPN connection issues but if not, I'll mark this as the answer.  Thanks!

    Author Closing Comment

    My solution resolved the problem, but it didn't fix it using the existing hardware or software, so I feel like I sort of cheated.
