Always On VPN RRAS Monitoring and Reporting

Windows Server with the Routing and Remote Access Service (RRAS) role installed is a popular choice for Windows 10 Always On VPN deployments. Configuring RRAS is commonly performed using the RRAS management console, but it can also be configured using PowerShell and/or netsh. In addition, there are a few different options for natively monitoring server health and client connection status.

RRAS Management Console

After installing the RRAS role, the administrator uses the RRAS management console (rrasmgmt.msc) to perform initial configuration. The RRAS management console can also be used to view client connection status by expanding the server and highlighting Remote Access Clients.

Connection Details

To view connection details for a specific connection, the administrator can right-click a connection and choose Status, or simply double-click the connection.

High level information about the connection including duration, data transfer, errors, and IP address assignment can be obtained here. In addition, the administrator can terminate the VPN connection by clicking the Disconnect button.

RRAS Management Console Limitations

Using the RRAS management console has some serious limitations. It offers only limited visibility into client connectivity status, for example. In addition, the client connection status does not refresh automatically. Also, the RRAS management console offers no historical reporting capability.

Remote Access Management Console

The Remote Access Management console (ramgmtui.exe) will be familiar to DirectAccess administrators and is a better option for viewing VPN client connectivity on the RRAS server. It also offers more detailed information on connectivity status and includes an option to enable historical reporting.

Dashboard

The Dashboard node in the Remote Access Management console provides high-level status for various services associated with the VPN server. It also provides a high-level overview of aggregate VPN client connections.

Operations Status

The Operations Status node in the Remote Access Management console provides more detailed information regarding the status of crucial VPN services. Here the administrator will find current status and information about service uptime.

Remote Client Status

The Remote Client Status node in the Remote Access Management console is where administrators will find detailed information about client connectivity. Selecting a connection will provide data about the connection including remote IP addresses, protocols, and ports accessed by the remote client, in addition to detailed connection information such as authentication type, public IP address (if available), connection start time, and data transferred.


Double-clicking an individual connection brings up a detailed client statistics page for the connection, as shown here.


Custom View

The Remote Access Management console includes the option to customize the data presented to the administrator. To view additional details about client connections, right-click anywhere in the column headings to enable or disable any of the fields as required.


Recommended Columns

From personal experience I recommend adding the following columns in the Remote Access Management console.

  • IPv4 Address (this is the IP address assigned to the VPN clients by RRAS)
  • Connection Start Time
  • Authentication Method
  • Total Bytes In
  • Total Bytes Out
  • Rate


Drawbacks

The only real drawback to using the Remote Access Management console is that it supports viewing connections from just one VPN server at a time. If you have multiple RRAS servers deployed, you must retarget the Remote Access Management console each time to view connections on different VPN servers in the organization.

You can retarget the Remote Access Management console at any time by highlighting the Configuration node in the navigation pane and then clicking the Manage a Remote Server link in the Tasks pane.
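The retargeting step above is manual and one server at a time. The following script is an added example (not code from the original post or from the author's own tools) that collects the same connection data from several RRAS servers in one pass using Get-RemoteAccessConnectionStatistics with its -ComputerName parameter; the server names are placeholders, and the output property names are assumed to match the cmdlet's output objects.

```powershell
#Requires -Modules RemoteAccess

function Get-AovpnConnectionSummary {
    [CmdletBinding()]
    param (
        # RRAS servers to query; the names used below are placeholders.
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($server in $ComputerName) {
        try {
            # Same data the Remote Client Status node shows, pulled remotely.
            $stats = Get-RemoteAccessConnectionStatistics -ComputerName $server -ErrorAction Stop
        }
        catch {
            Write-Warning "Unable to query $server : $($_.Exception.Message)"
            continue
        }

        foreach ($conn in $stats) {
            # Property names are assumed from the cmdlet's output objects; confirm
            # them on your server with Get-RemoteAccessConnectionStatistics | Get-Member.
            [pscustomobject]@{
                Server          = $server
                UserName        = $conn.UserName
                ClientIPAddress = $conn.ClientIPAddress        # address assigned by RRAS
                ExternalAddress = $conn.ClientExternalAddress  # public IP, if available
                TunnelType      = $conn.TunnelType
                AuthMethod      = $conn.AuthMethod
                StartTime       = $conn.ConnectionStartTime
                MBytesIn        = [math]::Round($conn.TotalBytesIn / 1MB, 2)
                MBytesOut       = [math]::Round($conn.TotalBytesOut / 1MB, 2)
            }
        }
    }
}

# Usage: one table for the whole farm, plus a per-server connection count.
$summary = Get-AovpnConnectionSummary -ComputerName 'VPN1', 'VPN2'
$summary | Sort-Object Server, StartTime | Format-Table -AutoSize
$summary | Group-Object Server | Select-Object Name, Count
```

Run it from a management workstation with the RemoteAccess module installed and an account that can query each server; a server that cannot be reached is reported with a warning and skipped rather than aborting the whole run.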


Reporting

Remote Access reporting is not enabled by default on the RRAS VPN server. Follow the steps below to enable historical reporting for RRAS VPN connections.

1. Highlight the Reporting node in the Remote Access Management console.
2. Click Configure Accounting.
3. Uncheck Use RADIUS accounting.
4. Check Use inbox accounting.
5. Review the settings for data retention and make changes as required.
6. Click Apply.


Optionally, historical reporting can be enabled using PowerShell by opening an elevated PowerShell command window and running the following command.

Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru

Important Note! There is a known issue with the inbox accounting database that can result in high CPU utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. To correct this issue, download and run the Optimize-InboxAccountingDatabase.ps1 script on each RRAS VPN server in the organization.

Additional Information

Windows 10 Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN and RRAS with Single NIC

Windows 10 Always On VPN and RRAS in Microsoft Azure


27 Comments

  1. Dave K, February 20, 2020

    Great article, thank you for publishing it, Richard. Have you ever seen an issue where Always On VPN has been configured and deployed on Windows Server 2019 and the only thing that appears in the Remote Access Management Console under DirectAccess and VPN Client Status is “Unavailable”? Always On VPN is working properly with a device tunnel, yet I have no monitoring available through the Remote Access Management Dashboard.

    • Haven’t seen anything like that myself. Is the Remote Access Management service (ramgmtsvc) running on the server?

      • Dave K, February 24, 2020

        Oh yes, definitely! Clients are connected to the RRAS server using an IKEv2 device tunnel. I can monitor and manage clients through the RRAS console but the Remote Access Management Console does not seem to ‘plug in’ to the RRAS component.

      • Dave K, February 24, 2020

        My apologies, Richard. I made an assumption which I should never do. I checked services and found that Remote Access Management service was indeed stopped and set to disabled. That did the trick! The Remote Access Management Console now displays client information. Thank you so much!

    • Ryan P, September 17, 2020

      Hi Richard! I’m having the same problem as Dave K. In the Remote Access Management Console under Dashboard > DirectAccess and VPN Client Status I have “unavailable” listed for each statistic. I’m running DirectAccess on a 2016 server. The ramgmtsvc service is running and I have restarted it to no avail. I’ve also rebooted the entire server. What’s interesting is that I’m getting “Remote Client Status” reported correctly and do not appear to be experiencing any issues with client connections. I get good results from the PS command “Get-RemoteAccessConnectionStatistics”, however when I run “Get-RemoteAccessConnectionStatisticsSummary” I get “A general error occurred that is not covered by a more specific error code.” This problem began immediately after I installed the 2020-09 Windows updates last night (KB4577015, KB4576750, & KB890830). I suspect it may have something to do with the connection to the Windows Internal Database, but I’m not sure how to test it. I would think the two PS commands would contact the DB in the same way so it’s very strange that one command works and the other does not. Any insight would be greatly appreciated! Thank you!

      • That is very strange for sure. It might be worth disabling inbox accounting and removing the database entirely, then re-enabling it and letting it build a new database. I can share the code to do that with you if you like.

        If you want to test connectivity to the database you can run the following commands locally on the server.

        # Connect to the inbox accounting database (RaAcctDb) in the Windows Internal Database over its named pipe
        $connection = New-Object -TypeName System.Data.SqlClient.SqlConnection
        $connection.ConnectionString = 'Server=np:\\.\pipe\Microsoft##WID\tsql\query;Database=RaAcctDb;Trusted_Connection=True;'
        $connection.Open()   # throws if the named pipe or the database cannot be reached
        $connection | Format-List
        $connection.Close()

      • Ryan P, September 18, 2020

        Thank you, I would much appreciate the code to rebuild the DB. I used your connection script and appear to have connected without errors. I also successfully connected with SQL Mgmt Studio and was able to do so using the same named pipe you have in your script.

      • You will find a script to remove the inbox accounting database here.

        https://github.com/richardhicks/aovpn/blob/master/Remove-InboxAccountingDatabase.ps1

        Once you’ve run that you can re-enable inbox accounting and it will do so with a clean copy of the database.

      • Ryan P, September 23, 2020

        Thank you very much for the script! I’m working through a couple DA connection issues with users right now so I don’t want to delete their connection history just yet. When I close out those tickets I’ll give this a try. Thanks again!

  2. Nate, March 17, 2020

    Richard, great overview of monitoring. Have you used any 3rd party tools to aggregate all of this information, I haven’t found anything online, but thinking there has to be something out there.

    • I haven’t personally, but I have customers that have exported log files to various SIEM solutions. Most of them have a dedicated or universal connector that can be used to collect this information. I’m currently working on a custom solution that will aggregate data from individual servers to a central SQL database. No timeframe on that but hope to release something in the coming months. This will allow administrators to log multiple VPN servers to a single database and create their own custom reports as well.

      • Richard, do you know how people have managed to get this information out of the server and into a SIEM? Things like the source address don’t seem to appear in any log or event. This PowerShell seems to include everything that I would need, but I am really only after it sending new information to my SIEM for new connections.

        Get-RemoteAccessConnectionStatistics | Format-List -Property *

        What type of connector would you be referring to?

      • Most SIEM solutions have dedicated or universal connectors to access log data and forward it. NPS has been around a long time so I’m sure your provider would have something. If not, NPS logs to a standard format, so it shouldn’t be hard to move that data. NPS would include the source IP address of the client (Calling Station Identifier field) which is in the event log on the NPS server. It’s more difficult for the device tunnel because it doesn’t use NPS. It is possible to write some PowerShell code that would collect the data you need and output via syslog if that helps. I’ve worked with customers in the past who have done this.
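The PowerShell-to-syslog approach suggested in the reply above, as an added example that is not part of the original thread or the author's scripts: it polls Get-RemoteAccessConnectionStatistics on the RRAS server itself (so device tunnel sessions, which never touch NPS, are included) and sends one RFC 5424 message per newly seen connection to a UDP syslog collector. The collector address is a placeholder, and the output property names are assumed to match the cmdlet's objects.

```powershell
#Requires -Modules RemoteAccess

function Send-SyslogMessage {
    param (
        [string]$Server, [int]$Port, [string]$Message,
        [int]$Facility = 1,   # user-level
        [int]$Severity = 6    # informational
    )
    # RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    $pri = ($Facility * 8) + $Severity
    $timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $line = "<$pri>1 $timestamp $env:COMPUTERNAME rras-vpn - - - $Message"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
    $udp = New-Object System.Net.Sockets.UdpClient
    try { [void]$udp.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $udp.Close() }
}

function Watch-AovpnConnections {
    param (
        [Parameter(Mandatory)][string]$SyslogServer,
        [int]$SyslogPort = 514,
        [int]$IntervalSeconds = 30
    )
    $seen = @{}
    while ($true) {
        $current = @{}
        foreach ($conn in Get-RemoteAccessConnectionStatistics) {
            # Start time is part of the key so a reconnect is reported as a new event.
            $key = '{0}|{1}|{2}' -f $conn.UserName, $conn.ClientIPAddress, $conn.ConnectionStartTime
            $current[$key] = $true
            if ($seen.ContainsKey($key)) { continue }
            # Property names assumed from the cmdlet output; check with Get-Member.
            $fields = @($conn.UserName, $conn.ClientIPAddress, $conn.ClientExternalAddress,
                        $conn.TunnelType, $conn.AuthMethod, $conn.ConnectionStartTime)
            $msg = 'event=vpn_connect user="{0}" client_ip={1} external_ip={2} tunnel={3} auth={4} start="{5}"' -f $fields
            Send-SyslogMessage -Server $SyslogServer -Port $SyslogPort -Message $msg
        }
        $seen = $current   # forget sessions that have gone away
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Watch-AovpnConnections -SyslogServer '10.0.0.50'   # placeholder collector address
```

Run it as a scheduled task or service on each RRAS server; since UDP syslog is unauthenticated and unencrypted, point it at a collector on a management network or swap the transport for your SIEM's TLS connector.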

  3. Hopefully a simple question for you. I have run & saved a report of usage, however I am unable to specify where to save the report to. Is there a default location?

    • You can’t actually save reports in the Remote Access Management console. After you generate a report you can run a query against it and then save the query, but you can’t actually output the report in any way.

  4. Hi, I have noticed that with SSTP you get no hostname in the logs. Is it possible to add this or get this from some other source?

    • In my experience I never see the hostname when looking at client connection status in the Remote Access Management console, either for SSTP or IKEv2 connections. Are you seeing it for IKEv2 and just not SSTP?

  5. LanDI, April 29, 2020

    Richard, using the device tunnel, I have clients who have multiple entries and are consuming IP addresses in Remote Access Clients. Basically, if they disconnect they get a new IP and that old session is still clinging on.
    Is there a setting/config I missed?

  6. Francesco, May 6, 2020

    Great article, thanks for posting it Richard. I have an IKEv2 device tunnel with machine certificate authentication and an SSTP user tunnel with PEAP on the same Win 2019 RRAS server. I’m using a separate Win 2019 NPS server for RADIUS authentication, Azure MFA Extension and accounting. I notice that in my accounting log file there is no trace of machine authentication sessions. Is it expected or did I miss something? My goal is a central repository for all my users’ sessions, either RADIUS or machine certificate authentication.

    • That is expected. Device certificate authentication does not use NPS, it is authenticated directly on the VPN server. You’ll see this in the event logs on the VPN server itself in this case.

  7. Nate, May 26, 2020

    Are modifications to the tables in the logging database still required for RRAS 2016/2019 installations? The original Microsoft articles only seem to reference Server 2012/R2. Also, amazing content as always Richard!

  8. BillS, November 13, 2020

    Will the Reporting work with regular VPN? I have a 2019 server and we just have users connecting up with SSTP. Remote Access Management Console seems to work fine and shows everything. Also, I assume you can’t run the missing index fix until you configure accounting and it starts logging? Thanks much

    • Yes, you can create historical reports for VPN users in the Remote Access Management console as long as you’ve enabled inbox accounting. And yes, you can only add the index after you’ve enabled the feature. My script checks for that and complains if you do this out of order. 🙂
