Always On VPN RasMan Device Tunnel Failure

An Always On VPN device tunnel is an optional configuration for Windows 10 Enterprise edition clients designed to provide machine-level remote network connectivity. This capability provides feature parity with DirectAccess for domain-joined clients to support scenarios such as logging on without cached credentials and unattended remote support, among others.

Device Tunnel Failure

When configuring a Windows 10 client to use an Always On VPN device tunnel, you may find that the device tunnel works without issue after initial deployment but fails to connect after the computer restarts. In addition, the Windows event log will include an Event ID: 1000 application error with the following error message:

Faulting application name: svchost.exe_RasMan


Known Issue

This can occur when a Windows 10 machine is configured with a device tunnel only (no user tunnel). This is a known issue with Windows 10 v1709 and it is currently being addressed by Microsoft. The fix should be included in Windows 10 v1803 (RS4).
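A triage check for the symptom described above, as an added example that is not from the original article: it looks for Event ID 1000 records naming svchost.exe_RasMan and flags clients on release 1709. The function name Find-RasManCrash, the sample records, and the use of the ReleaseId registry value to identify the Windows 10 release are assumptions of this example; it does not check whether a user tunnel is also configured.

```powershell
# Added example. Find-RasManCrash and $sample are hypothetical names.
function Find-RasManCrash {
    param(
        [object[]] $Events = @(),                    # records with Id, TimeCreated, Message
        [Parameter(Mandatory)] [string] $ReleaseId   # Windows 10 release, e.g. '1709'
    )

    # Keep only Event ID 1000 records whose faulting application is the RasMan service host.
    $hits = @($Events | Where-Object {
        $_.Id -eq 1000 -and
        $_.Message -match 'Faulting application name:\s*svchost\.exe_RasMan'
    } | Sort-Object TimeCreated)

    [pscustomobject]@{
        CrashCount        = $hits.Count
        FirstSeen         = if ($hits.Count) { $hits[0].TimeCreated }  else { $null }
        LastSeen          = if ($hits.Count) { $hits[-1].TimeCreated } else { $null }
        ReleaseId         = $ReleaseId
        # The article ties this crash to v1709 and expects the fix in v1803.
        MatchesKnownIssue = ($hits.Count -gt 0 -and $ReleaseId -eq '1709')
    }
}

# Constructed sample records (not real log data) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Id = 1000; TimeCreated = [datetime]'2018-04-13T08:01:00'
                       Message = 'Faulting application name: svchost.exe_RasMan' }
    [pscustomobject]@{ Id = 1000; TimeCreated = [datetime]'2018-04-14T08:03:00'
                       Message = 'Faulting application name: svchost.exe_RasMan' }
    [pscustomobject]@{ Id = 1000; TimeCreated = [datetime]'2018-04-14T09:30:00'
                       Message = 'Faulting application name: example.exe' }   # unrelated crash
)
Find-RasManCrash -Events $sample -ReleaseId '1709'

# On a live client, feed it the Application log and the OS release instead:
# $events  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000 } `
#                           -ErrorAction SilentlyContinue)
# $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
# Find-RasManCrash -Events $events -ReleaseId $release
```

With the constructed sample, the result reports two matching crashes and sets MatchesKnownIssue to True; the unrelated example.exe record is ignored.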

Additional Information

Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

Deleting an Always On VPN Device Tunnel


11 Comments

  1. ced666

     /  April 13, 2018

    Hi Richard,

    How did you manage to make tunnel device mode work more accurately? I followed your procedure step by step, but it is impossible to operate the tunnel device. Does this principle work in a virtual environment? I really have doubts because it is currently impossible to operate the tunnel vpn device mode. How do you write the xml file with ./Device/Vendor / ….
    Can I have a concrete example please?

    Patrick.

    • Again, your client will require Internet access for this to work. If the NCSI reports “no Internet” the tunnel won’t work. It should work without issue in a virtual machine, but it won’t work after restart if you have only the device tunnel due to a known issue in Windows v1709.

      • Andy

         /  April 23, 2018

        Will it not be fixed in 1709? I’ve raised a Sev B with Premier support to confirm, but they are so busy they are only dealing with Sev A’s at the moment.

      • To my understanding, no. You’ll need to upgrade to 1803.

      • Andy

         /  April 24, 2018

        Do you know if there are any functionality or risks not having the device tunnel when using 1709 or whether it affects the user tunnel? We are trying to establish whether to proceed with 1709 or wait for 1803 before rolling out a VPN project. What would you do?

      • The Windows 10 Always On VPN device tunnel is optional and only required to support scenarios such as logging on without cached credentials. If you don’t have any specific requirements for the device tunnel, you can safely deploy Always On VPN without it. If you really need the device tunnel, then I’d definitely wait for 1803.

  2. Thank you very much Richard, so I will test the tunnel device VPN from a client with Internet connection. I will also test if the bug has been fixed in the version 1803 Windows.

    Patrick

  3. Hello Richard,
    I confirm that the bug (eventID 1000) has been fixed in the version of Windows 1803 build (17127). After restarting, the tunnel is well mounted. However, all incoming traffic in tunnel device mode is still blocked.
    Patrick

    • Excellent news! 🙂

    • Also, regarding incoming traffic being blocked on the device tunnel, that is a known issue that occurs when using traffic filters. Once a traffic filter is defined, all inbound traffic will be denied. It is not a bug, but a missing feature. Hopefully that will be resolved in a future release of Windows.

  4. ced666

     /  April 24, 2018

    Hello Richard,
    thank you
    It’s a shame because no remote maintenance is possible through the vpn tunnel to the client station.

    Patrick
