Always On VPN Device Tunnel Does Not Connect Automatically

When configuring a Windows 10 Always On VPN device tunnel, the administrator may encounter a scenario in which the device tunnel does not connect automatically. This can occur even when ProfileXML is configured with the AlwaysOn element set to “true”.


Manual Connection

However, an administrator can establish the device tunnel connection manually using rasdial.exe, which indicates that there are no connectivity or authentication issues that would prevent a successful automatic connection.


Root Cause

This scenario will occur when the device tunnel configuration is applied to a Windows 10 Professional edition client.


Device Tunnel Support

The Windows 10 Always On VPN device tunnel is supported only on Windows 10 1709 or later Enterprise edition clients that are domain-joined. To ensure the device tunnel connects automatically, upgrade to Windows 10 Enterprise 1709 or later and join it to a domain.


Source: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#device-tunnel-requirements-and-features
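The following PowerShell check is an added example, not code from the original post. It compares the local client against the documented device tunnel requirements (Enterprise edition, 1709 or later, domain-joined), confirms that the ProfileXML sets both AlwaysOn and DeviceTunnel, and optionally runs the manual rasdial.exe test described above. The function name, the parameter names and the sample ProfileXML are assumptions constructed for this example.

```powershell
function Test-DeviceTunnelPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ProfileXml,   # ProfileXML content as a string
        [string] $ConnectionName                        # assumed: device tunnel name for the rasdial check
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Windows 10 1709 corresponds to build 16299.
    $buildOk   = [int]$os.BuildNumber -ge 16299
    # Professional edition clients accept the configuration but never connect automatically.
    $editionOk = $os.Caption -match 'Enterprise'
    $domainOk  = [bool]$cs.PartOfDomain

    [xml]$vpnProfile = $ProfileXml
    $alwaysOn     = $vpnProfile.VPNProfile.AlwaysOn -eq 'true'
    $deviceTunnel = $vpnProfile.VPNProfile.DeviceTunnel -eq 'true'

    $report = [pscustomobject]@{
        Edition      = $os.Caption
        Build        = $os.BuildNumber
        EditionOk    = $editionOk
        BuildOk      = $buildOk
        DomainJoined = $domainOk
        AlwaysOn     = $alwaysOn
        DeviceTunnel = $deviceTunnel
    }

    if (-not ($editionOk -and $buildOk -and $domainOk)) {
        Write-Warning 'Client does not meet the device tunnel requirements; it will not connect automatically even with AlwaysOn set to true.'
    }
    elseif (-not ($alwaysOn -and $deviceTunnel)) {
        Write-Warning 'ProfileXML does not set both AlwaysOn and DeviceTunnel to true.'
    }

    # Manual test from the post. rasdial.exe must run in the SYSTEM context (for example under psexec.exe -s),
    # because the device tunnel belongs to the machine rather than the logged-on user.
    if ($ConnectionName) {
        rasdial.exe $ConnectionName
        if ($LASTEXITCODE -ne 0) { Write-Warning "rasdial.exe exited with code $LASTEXITCODE" }
    }
    return $report
}

# Constructed sample ProfileXML (not a real deployment profile) showing the two relevant elements.
$sampleXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
'@
Test-DeviceTunnelPrerequisites -ProfileXml $sampleXml | Format-List
```

A Windows 10 Professional client reports EditionOk as False in the output, which matches the root cause above regardless of what the ProfileXML contains.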

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN Device Tunnel Missing in the Windows UI

Deleting a Windows 10 Always On VPN Device Tunnel


8 Comments

  1. Thanks Richard. I would also like to know why either a User or Device tunnel randomly fails to even *attempt* to connect (using Enterprise, of course). It would be useful to understand the mechanism whereby Windows detects that it should try to initiate a connection.

    I see this mainly after waking a laptop from sleep. Even toggling the WiFi Airplane mode doesn’t trigger it. Plugging an ethernet LAN cable in and pulling it out after about 10 seconds sometimes triggers a connection. Perhaps that’s the state change that Windows needs to see? Seems a bit over-the-top. There has to be a more reliable way.

    • This is a known issue, and one that was recently fixed by Microsoft. I’ve got a post coming out soon on this, but make sure you have at least the February 19 update (https://support.microsoft.com/en-us/help/4487029/windows-10-update-kb4487029) installed for Windows 10 1803 and the March 1 update (https://support.microsoft.com/en-us/help/4482887) installed for Windows 10 1809. Both of those updates include fixes for known Always On VPN issues including the ones you describe.

      • Nóri / March 16, 2019

        My experience has been that IKEv2 connections sometimes drop when you move between wireless APs. I’ve found it incredibly unreliable. Tested on many different physical and virtual machines with various versions of Windows 10. Perhaps there’s a reason for the VPNStrategy setting defaulting to SSTP. 🙂

      • Interesting observation. In theory, IKEv2 is supposed to be better at handling mobility. In practice it would seem that’s not the case. I have found that the situation is much improved with the latest updates for Windows 10 1803 and 1809 though. If you haven’t done so already, try installing the latest updates and see if that helps. But you’re right, perhaps the default setting was chosen for this reason. 😉

      • Thanks Richard. KB4487029 has helped significantly with my 1803 test rig, although when reconnecting after waking, the laptop seems to randomly pick the User or Device tunnel. Additionally, if it has picked a Device tunnel it very often establishes two simultaneous connections.
        Despite this it’s a step forward as two connections are better than none.
        It’s worth noting that the more recent update (KB4489868) incorporates this fix too.

      • Great to hear. You’re right, the updates are cumulative so you just need to have KB4489868 at a minimum installed to get the update. Anything after that would also include the fixes.

  2. Jason Jones / March 15, 2019

    The client doesn’t meet the documented requirement and hence it doesn’t work – go figure! 🙂

