Solved

Users cannot connect through VPN locally or remotely

Posted on 2015-01-10
Last Modified: 2015-01-27
Good Evening,

I have an issue that has me at my wits' end.  For some unknown reason my users suddenly cannot connect through VPN anymore.  It's a setup on Server 2012 R2 with a File Server/VPN server and a DC running on Hyper-V.  

Nothing to my knowledge has changed in the environment, we haven't even had a work ticket for them in maybe a month.  For some reason when you try to VPN in it just sits there for about 3 minutes and the client gets:

error 619: A Connection to the remote computer could not be established, so the port used for this connection was closed.  

The server gets error RemoteAccess 20252 on the actual port, so I know the VPN client is hitting the server and then just going nowhere.  

Neither of these errors has offered any help.  The router has never changed and is still set up properly, so it's not the firewall; I can RDP remotely and that works fine.  The NegotiateTime is set at 150, which is supposedly the fix for error 20252.  

We use Bright House for our ISP and I called and verified they aren't blocking anything.

I have reconfigured and completely reinstalled the RRAS role every way I know how to.  It's a single NIC, so I use the custom install for RRAS and set it up for VPN.  I've tried every NPS policy I can think of; I even copied the policy settings from NPS on a different client's VPN server and it still doesn't work.

Any help is really appreciated.
Question by:blue92lx
31 Comments
 
LVL 76

Expert Comment

by:arnold
Other than that error there is nothing else?
Time/timezone verified?
Recheck the configuration of the VPN to see what the policy is; which VPN is it establishing: IPsec, L2TP, PPTP?

Enable logging on the client and see what it reports as far as where the failure occurs.

This will vary depending on which vpn technology/type is selected.

If it is a VM, why not add a second NIC for the VM?
 
LVL 23

Expert Comment

by:Brian B
Try and shut off all the firewall rules temporarily.
 

Author Comment

by:blue92lx
Brian Boyes:  I turned off the PPTP forwarding in the firewall just to start and it stopped getting to the server.  With the forwarding turned on it's been going to verify username and password and then sits there until it errors out.  That's when I get the error 20252 from the server which leads me to believe the firewall or the ISP isn't the issue.  I've also completely turned off the server Firewall and it doesn't change anything either.

Arnold:  Time is good, I understand the second NIC mentality but honestly when I set up this server about 8 months ago I wondered about doing it and all of the research showed me there really was no benefit to having a second NIC when the single NIC can do it all with a more simplified setup.  I've also used SBS servers in the past that all use single NICs and have never had an issue with VPN.  

This one has literally worked flawlessly since the day I set it up until now mysteriously it absolutely refuses to work and it's completely baffled me.  

So here's the most recent issue that I came across today after completely removing RRAS, IIS, and I even removed the RAS and IAS group membership and readded it in A.D., then reinstalled everything.  

1)  In RRAS -> Servername -> IPV -> General the Internal network says 'Not Available' and I can't figure out how to get that back up.  I can't think the issue would be anything else, but I can't figure out why the Internal network is not working.

2)  If I run netstat -ano | find ":1723" the result is 0.0.0.0:1723.  I've added the port to registry as shown in the link below and rebooted and it still came up with the same results.  BTW: The registry key for 'ReservedPorts' wasn't even there, I created it new and it still didn't work:
https://social.technet.microsoft.com/Forums/en-US/316d7a58-5167-44f7-ac0f-eec7d35638ea/vpn-problems-after-microsoft-update

I think all signs would point to the internal network not running in RRAS, but I haven't found a solution for that either.  

Luckily this site isn't heavily reliant on VPN, but they need it from time to time so it's still an important issue that I'm hoping to accomplish before Monday.  Thanks again for checking in on this one with any ideas you all may have.
 

Author Comment

by:blue92lx
OK, here's the process that happens with the logging turned on when I try the VPN Client from my computer with the Event IDs added; it's in chronological order top to bottom:

Event ID: 20221
CoId={9551ED64-CC4A-4982-83FD-04B1540B986D}: The user AJ-PC\AJ has started dialing a VPN connection using a per-user connection profile named SSC Connection. The connection settings are:
Dial-in User = <my username>
VpnStrategy = PPTP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = CHAP/MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection



Event ID: 20222
CoId={9551ED64-CC4A-4982-83FD-04B1540B986D}: The user AJ-PC\AJ is trying to establish a link to the Remote Access Server for the connection named SSC Connection using the following device:
Server address/Phone Number = <external IP>
Device = WAN Miniport (PPTP)
Port = VPN3-1



Event ID: 20223
CoId={9551ED64-CC4A-4982-83FD-04B1540B986D}: The user AJ-PC\AJ has successfully established a link to the Remote Access Server using the following device:
Server address/Phone Number = <external IP>
Device = WAN Miniport (PPTP)
Port = VPN3-1



Event ID:  20224
CoId={9551ED64-CC4A-4982-83FD-04B1540B986D}: The link to the Remote Access Server has been established by user AJ-PC\AJ.



Event ID: 20226
CoId={9551ED64-CC4A-4982-83FD-04B1540B986D}: The user AJ-PC\AJ dialed a connection named SSC Connection which has terminated. The reason code returned on termination is 829.
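The client-side RasClient events above (20221 through 20226, all tagged with the same CoId) and the server-side RemoteAccess 20252/20271 warnings mentioned in this thread can be pulled together by script instead of by hand. The following is an added example, not code from the thread; it assumes RasClient writes to the Application log as provider "RasClient" and RRAS writes 20252/20271 to the System log as provider "RemoteAccess", and it groups each dial attempt by its CoId so the termination reason (829 above) lines up with the events that led to it.

```powershell
# Added example, not code from the thread. Correlates per-attempt RasClient
# events on the VPN client by CoId (the GUID in every message) so one dial
# attempt reads as a single timeline ending in its termination reason code,
# and summarises the RRAS-side 20252/20271 warnings on the server.
# Assumptions: RasClient -> Application log, provider "RasClient";
#              RRAS      -> System log,      provider "RemoteAccess".
# Run elevated. -Role Client on the VPN client, -Role Server on the RRAS host.
param(
    [ValidateSet('Client', 'Server')] [string]$Role = 'Client',
    [int]$Hours = 24
)

function Get-CoId([string]$Message) {
    if ($Message -match 'CoId=\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { 'no-CoId' }
}

$since = (Get-Date).AddHours(-$Hours)

if ($Role -eq 'Client') {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'RasClient'; StartTime = $since
    } -ErrorAction SilentlyContinue
    if (-not $events) { "No RasClient events in the last $Hours hours."; return }

    $events | Group-Object { Get-CoId $_.Message } | ForEach-Object {
        $timeline = $_.Group | Sort-Object TimeCreated
        # Event 20226 carries "The reason code returned on termination is N".
        $term   = $timeline | Where-Object { $_.Id -eq 20226 } | Select-Object -First 1
        $reason = if ($term -and $term.Message -match 'termination is (\d+)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Started   = $timeline[0].TimeCreated
            CoId      = $_.Name
            EventPath = ($timeline.Id -join ' -> ')   # e.g. 20221 -> 20222 -> 20223 -> 20224 -> 20226
            Reason    = $reason
            Outcome   = if ($null -eq $reason) { 'connected or still in progress' }
                        elseif ($reason -eq 0) { 'clean disconnect' }
                        else { "terminated with RAS error $reason" }
        }
    } | Sort-Object Started | Format-Table -AutoSize
}
else {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20252, 20271; StartTime = $since
    } -ErrorAction SilentlyContinue
    if (-not $events) { "No RemoteAccess 20252/20271 events in the last $Hours hours."; return }

    $events | Sort-Object TimeCreated | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            CoId   = Get-CoId $m
            Port   = if ($m -match 'port (VPN\S+)') { $Matches[1] } else { '' }      # 20252: "port VPN3-127"
            Client = if ($m -match 'connected from (\S+) but') { $Matches[1] } else { '' }  # 20271: source IP
            Cause  = if ($_.Id -eq 20252) { 'authentication did not complete in time (NegotiateTime)' }
                     else { 'authentication rejected: credentials or protocol not permitted' }
        }
    } | Format-Table -AutoSize
}
```

Running the client side during a failed attempt and the server side right after gives two tables keyed by the same CoId, which is what lets you tell an attempt that never authenticated (20252) from one that was actively rejected (20271).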
 
LVL 76

Expert Comment

by:arnold
Try using the internal IP of 2012 VPN server while on the inside to confirm/eliminate the network as the cause.

I haven't checked but think the 829 for termination deals with a failure to negotiate a protocol.
 
LVL 76

Expert Comment

by:arnold
Did you replace the external router following which this issue arose?
 

Author Comment

by:blue92lx
Yeah I had tried VPN internally last night too and just tried again to be sure, same issue internally or externally.

Router has not changed, it's an older Watchguard XTM 22 router.  I did notice that the Livesecurity license is expired, but I'm not sure if we've ever renewed it in the past.  Watchguard is a little weird where some routers are fine if you don't have a license and some routers disable functions if you don't have a license.

Although the connections seem to be getting to the server, so I don't know.  I'm going to call them maybe tomorrow to verify.
 
LVL 23

Expert Comment

by:Brian B
Do you have an extra external IP? Plug a laptop in to the same switch as the firewall and assign it that IP. This will tell for sure if the problem is the ISP.
 
LVL 76

Expert Comment

by:arnold
If you are connecting to the internal IP, is it on the same segment as the workstation, or is it going through the router?

If you look on the router's logs, does it have any information?

Usually license/subscription deals with functions such as anti-virus, spam blocker for SMTP proxy ...........
 

Author Comment

by:blue92lx
Brian:  Just one Static IP at this site

Arnold:  Yes same LAN, so both are on 192.168.15._

As far as logs, the only log is the previously mentioned System Warning 20252:
CoId={54146D57-781F-46CB-B0B1-A910F861AF1B}: The user connected to port VPN3-127 has been disconnected because the authentication process did not complete within the required amount of time.


I think tomorrow I'll install RRAS on the DC and just see what it does.  If that works then there's something going on with the current RRAS server.
 
LVL 76

Expert Comment

by:arnold
Double check the timeout on the client, I think it should be set to 60 seconds.  Double check the timeout setting on the RRAS to also have it around 60 seconds.
Note what the setting is if shorter.

Double check all the settings/timeouts.
My suggestion would be to work on the system you used to correct.  Altering another server could inadvertently cause other problems... And you do not need that.
 

Author Comment

by:blue92lx
Off the top of my head I changed the VPN on my computer to use the Gateway on the server and it worked, no errors or anything.  Disconnected and tried it on internal computer and it failed.  Tried it again on my computer and it failed.  

There are no errors on the DC, so I know it's not something with FS trying to authenticate to the DC and failing.  

Also, now that there has been a connection to the RRAS server the IP4 Internal connection is now active and not saying 'Not Available'.  Apparently it only becomes active once the first connection is made.

Rebooted the server, got the following error:
Event Log: system
Type:      Error
Source:    Microsoft-Windows-Iphlpsvc
Category:  
Event:     4202

Message:
Unable to update the IP address on Isatap interface isatap.{AD35ED9E-5EB4-444A-A3E4-0B88BBFA0C73}. Update Type: 1. Error Code: 0x490.


Read on a forum to go into Device Manager and enable hidden devices.  I did that and there were ISATAP #3 and #4 adapters.  It only let me disable #3, but when I did that #4 also disabled.  I went ahead and re-enabled #3; #4 would not let me enable it.  

Started VPN on remote computer and it worked, but gave me the below error:

System
Warning
Source: LSA (LsaSrv)
Event ID:  6038

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.
This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?


I tried on the internal computer with the VPN gateway checked and it worked.  
Came back to remote computer, disconnected and connected again with the Gateway on and it worked.  
Disconnected and now it won't connect again.

The connections also take about 30-60 seconds, which is longer than I've seen VPN connections take.  Normally they connect right away.

I rebooted the RRAS server to recreate the whole scenario from scratch now that I have some ideas on the issue.  

Same ISATAP error came up.  When I looked at Device Manager ISATAP #3 is active and ISATAP #4 is greyed out, but not able to disable or enable it.
Tried VPN from remote computer and it failed.
Disabled ISATAP #3 and tried remote VPN and it failed.
Tried Internally and it worked.  Gave me the NTLM error.
ISATAP #4 is now enabled and not greyed out.
Tried VPN remotely and it failed.
Enabled ISATAP #3
Tried VPN remotely and it worked.

Tried Internally again and for some reason I'm getting the below error even though I've connected previously with this user and VPN connection:
Event:     20271

Message:

CoId={2FADB7A6-4ABB-40B1-8B3E-DBA68F12705F}: The user <username> connected from 192.168.15.51 but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.
 
LVL 76

Expert Comment

by:arnold
Look at the RRAS to cleanup and uninstall the hidden devices.

You may have two that are somehow tied to the same resource, i.e. your issue starts when more than one connect at the same time.  I.e. try one at a time: connect/disconnect, connect/disconnect.
 

Author Comment

by:blue92lx
I'll do this later, but what do you mean by use RRAS to cleanup and uninstall hidden devices?  I've never seen that before.
 
LVL 76

Expert Comment

by:arnold
You say you have #3 and #4 in device manager that seem to interact with each other. Uninstall the #4 and see if there is any reference to it in RRAS.
 

Author Comment

by:blue92lx
Oh ok, I thought you meant there was somehow a way inside of RRAS to see what ISATAP connections were associated with it.  

So I removed the ISATAP #4 connection and RRAS created another one.  So I removed them both and it created an ISATAP connector with no number.  I still couldn't connect to the server.  I checked my computer and the local desktop and each one had about 8 ISATAP connectors.  It's like it creates a new one every time it connects and just leaves it there.  

I rebooted the server and it came back up with two connectors again.  Same scenario as above though as far as connecting.  It almost seems random.  I also think it's somehow related to the slow connect times, I've never seen a VPN take 30+ seconds to connect, it's always just a couple of seconds and you're in.
 
LVL 76

Expert Comment

by:arnold
Look at the security log on a DC to see whether it sees and rejects access.

If you have multiple dc, run dcdiag to make sure they are synchronized.
Trying to see whether the RRAS server is querying a DC that is out of sync.
 

Author Comment

by:blue92lx
The first time I tried it the username didn't show up on either server.
The second time it actually worked and the username showed up on the RRAS server and the DC server.
Third time I tried it didn't connect again and the username did not show up on either server.

Side note:  Currently the server is set up with a static pool; I've also tried setting up the DHCP relay to the DC to use RRAS as DHCP and that didn't work either.  

So here's what's in my head currently:
When I setup RRAS on the DC it didn't work either and gave the same error codes.
So at this point it almost doesn't seem like it's something to do with the virtual servers I think.

Issues:
1) What in the network can prevent RRAS from working, or make it work intermittently, on the virtual servers?
2) What in the network makes the VPN take 30-60 seconds to connect when it finally does connect (internally or externally)?

Possible causes:
1)  Firewall - I'm pretty sure I've ruled that out, but maybe not.  Maybe it's being deceptive and I should try a new router for a test
2) Hyper-V Server - Basically a blank Server 2012 R2 install with nothing on it but Hyper-V
3) Maybe Hyper-V switch/Networking?  Nothing has changed on it, however, and internet and everything works except RRAS.
 
LVL 76

Expert Comment

by:arnold
If you see the same behavior when directly connecting to the LAN private IP, the issue is outside of the external router.

How many IPs in the static pool?  The issue might be you are using a LAN IP in the static pool.
Could these static pool IPs be allocated by DHCP to LAN systems?

I think you need a DHCP agent configured to proxy the DHCP request from the VPN connection client to your internal dhcp.
 

Author Comment

by:blue92lx
Right.  The DHCP is .50-.150 and the static pool is .175-200

When I had it set up to use DHCP for the RRAS connections I set up the DHCP forwarder in RRAS and you could see the RAS reserved IPs come up in DHCP.  
I removed the DC server IP from the DHCP relay when I went back to static pool assignment and they also cleared out of the DHCP list.
 

Author Comment

by:blue92lx
Wait I just stumbled onto something interesting.  So in the Remote Access Management Console on the RRAS server (again this is the new Server 2012 console) I've attached a picture of what it shows.  You'll notice that it says

Maximum client connections:  1
Total Active clients: 1

This is while the connection is sitting at verifying username and password and then errors out.  After it errors out the Active Connection goes back to 0 in the Remote Access Management Console.
RRAS.jpg
 
LVL 76

Expert Comment

by:arnold
Try increasing the number of maximum clients if you've not done so already.
 

Author Comment

by:blue92lx
OK, apparently the maximum client connections status is a status of how many VPN connections there were at one point in time.  So it's not an issue.

I also shut down the firewall and Anti-Virus on the RRAS and DC servers and that didn't work either.
 
LVL 76

Expert Comment

by:arnold
How many DCs in the environment? If more than one, is the dcdiag status clean?
 

Author Comment

by:blue92lx
DCDiag is good, the only thing I got was:

dcdiag there are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.

But when I checked the DFSR logs it was one warning and then it continued on successfully.
 
LVL 76

Expert Comment

by:arnold
A thing to try is to use the network monitor tool or wireshark to see what this RRAS is sending and to which DC and what it gets back, to see if that explains it.

If you check each DC, do both have sysvol shared?
If not, fix the replication and see if that resolves your issue.
See if you can, on RRAS, increase the detail of what it is getting into a log.
 

Author Comment

by:blue92lx
Oh sorry, it's only one DC.  

I can do the other stuff tonight though or as soon as possible and let you know what it comes back with.
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
If you have only one DC, there should not be any replication issues.  Was there a different DC that this one replaced?  You should go through the AD to see how many DC references there are.
If there are two or more DC references, that may explain your issue, i.e. the non-existent/inactive DC is being sent the request first; by the time it times out, the connection is denied.
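The check arnold describes (how many DC references AD still carries, and whether each one is a live DC or a leftover from a replaced server) can be scripted rather than eyeballed in AD Sites and Services. This is an added example, not code from the thread; it assumes the ActiveDirectory and DnsClient modules are available and that it runs as a domain admin. It walks the nTDSDSA objects under CN=Sites, which are the same objects AD Sites and Services and "ntdsutil metadata cleanup" act on, and flags any that no longer resolve or answer LDAP.

```powershell
# Added example, not code from the thread. Lists every DC reference in the
# forest configuration (nTDSDSA objects under CN=Sites) and checks whether
# each still resolves in DNS and answers LDAP on 389, so a decommissioned DC
# that a single-DC domain still references stands out.
# Assumptions: ActiveDirectory module present; run as a domain admin;
# Resolve-DnsName and Test-NetConnection available (Windows 8 / 2012 and later).
Import-Module ActiveDirectory

function Get-DcReference {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsas = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNC"
    foreach ($dsa in $dsas) {
        # nTDSDSA sits directly under the server object:
        #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $serverDn = ($dsa.DistinguishedName -split ',', 2)[1]
        $parts    = $serverDn -split ','
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Site     = $parts[2] -replace '^CN='
            Server   = if ($server) { $server.Name } else { ($parts[0] -replace '^CN=') + ' (server object missing)' }
            DnsName  = if ($server) { $server.dNSHostName } else { $null }
            ServerDN = $serverDn
        }
    }
}

function Test-DcReference {
    param([Parameter(ValueFromPipeline)] $Ref)
    process {
        $resolves = $false; $ldap = $false
        if ($Ref.DnsName) {
            $resolves = [bool](Resolve-DnsName -Name $Ref.DnsName -ErrorAction SilentlyContinue)
            if ($resolves) {
                $ldap = Test-NetConnection -ComputerName $Ref.DnsName -Port 389 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
        # A reference that does not answer LDAP is a candidate for metadata cleanup.
        $verdict = if ($ldap) { 'live' }
                   else { 'STALE? check AD Sites and Services / ntdsutil metadata cleanup' }
        $Ref | Add-Member -NotePropertyName Resolves -NotePropertyValue $resolves -PassThru |
               Add-Member -NotePropertyName Ldap389  -NotePropertyValue $ldap     -PassThru |
               Add-Member -NotePropertyName Verdict  -NotePropertyValue $verdict  -PassThru
    }
}

$refs = Get-DcReference | Test-DcReference
"$(@($refs).Count) DC reference(s) found in the configuration partition."
$refs | Format-Table Site, Server, DnsName, Resolves, Ldap389, Verdict -AutoSize
```

In a domain that is supposed to have a single DC, any second row here is the extra reference arnold is asking about, and the ServerDN it carries is the object to clean up.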
 

Author Comment

by:blue92lx
OK the old DC was listed in AD Sites and Services, I deleted it from there.  I used NTDSUTIL to clear the metadata but the old server was not listed in the metadata.  

The only other thing I can think of at the moment is removing and recreating the Hyper-V switch and maybe creating new virtual NICs for the servers.  I'll do that as soon as I get a chance.
 

Accepted Solution

by:
blue92lx earned 0 total points
Turns out that rebuilding the Hyper-V virtual network switch and Hyper-V NICs in the VMs fixed it.  Not sure why that would've been the issue since the servers could still get internet just fine and work internally on the network, but they're up and running now.  

Thanks arnold for all of your help, it definitely helped take possibilities off of the potential list of problems so I also accepted your last reply as part of the solution.
 

Author Closing Comment

by:blue92lx
Accepted my own solution since the solution was in my last comment about recreating the Hyper-V network
