Always On VPN RRAS Monitoring and Reporting

Windows Server with the Routing and Remote Access Service (RRAS) role installed is a popular choice for Windows 10 Always On VPN deployments. Configuring RRAS is commonly performed using the RRAS management console, but it can also be configured using PowerShell and/or netsh. In addition, there are a few different options for natively monitoring server health and client connection status.

RRAS Management Console

After installing the RRAS role, the administrator uses the RRAS management console (rrasmgmt.msc) to perform initial configuration. The RRAS management console can also be used to view client connection status by expanding the server and highlighting Remote Access Clients.

Connection Details

To view connection details for a specific connection, the administrator can right-click a connection and choose Status, or simply double-click the connection.

High level information about the connection including duration, data transfer, errors, and IP address assignment can be obtained here. In addition, the administrator can terminate the VPN connection by clicking the Disconnect button.

RRAS Management Console Limitations

Using the RRAS management console has some serious limitations. It offers only limited visibility into client connectivity status, for example. In addition, the client connection status does not refresh automatically. Also, the RRAS management console offers no historical reporting capability.

Remote Access Management Console

The Remote Access Management console (ramgmtui.exe) will be familiar to DirectAccess administrators and is a better option for viewing VPN client connectivity on the RRAS server. It also offers more detailed information on connectivity status and includes an option to enable historical reporting.

Dashboard

The Dashboard node in the Remote Access Management console provides high-level status for various services associated with the VPN server. It also provides a high-level overview of aggregate VPN client connections.

Operations Status

The Operations Status node in the Remote Access Management console provides more detailed information regarding the status of crucial VPN services. Here the administrator will find current status and information about service uptime.

Remote Client Status

The Remote Client Status node in the Remote Access Management console is where administrators will find detailed information about client connectivity. Selecting a connection will provide data about the connection including remote IP addresses, protocols, and ports accessed by the remote client, in addition to detailed connection information such as authentication type, public IP address (if available), connection start time, and data transferred.

Double-clicking an individual connection brings up a detailed client statistics page for the connection, as shown here.

Custom View

The Remote Access Management console includes the option to customize the data presented to the administrator. To view additional details about client connections, right-click anywhere in the column headings to enable or disable any of the fields as required.

Recommended Columns

From personal experience I recommend adding the following columns in the Remote Access Management console.

  • IPv4 Address (this is the IP address assigned to the VPN clients by RRAS)
  • Connection Start Time
  • Authentication Method
  • Total Bytes In
  • Total Bytes Out
  • Rate

Drawbacks

The only real drawback to using the Remote Access Management console is that it supports viewing connections from just one VPN server at a time. If you have multiple RRAS servers deployed, you must retarget the Remote Access Management console each time to view connections on different VPN servers in the organization.

You can retarget the Remote Access Management console at any time by highlighting the Configuration node in the navigation pane and then clicking the Manage a Remote Server link in the Tasks pane.

Reporting

Remote Access reporting is not enabled by default on the RRAS VPN server. Follow the steps below to enable historical reporting for RRAS VPN connections.

1. Highlight the Reporting node in the Remote Access Management console.
2. Click Configure Accounting.
3. Uncheck Use RADIUS accounting.
4. Check Use inbox accounting.
5. Review the settings for data retention and make changes as required.
6. Click Apply.

Optionally, historical reporting can be enabled using PowerShell by opening an elevated PowerShell command window and running the following command.

Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru

Database Management

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled. WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally. I have published the InboxAccountingDatabaseManagement PowerShell module to address many of the required and optional administrative tasks associated with inbox accounting. You can learn more about this PowerShell module and its functions here.

https://directaccess.richardhicks.com/2022/03/21/inbox-accounting-database-management/

Important Note! There is a known issue with the inbox accounting database that can result in high CPU utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. To correct this issue, be sure to run the Optimize-InboxAccountingDatabase function included in my InboxAccountingDatabaseManagement PowerShell module.

Additional Information

Always On VPN Inbox Accounting Database Management

Always On VPN Inbox Accounting Database Management PowerShell module on Github

Windows 10 Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN and RRAS with Single NIC

Windows 10 Always On VPN and RRAS in Microsoft Azure

54 Comments

  1. Dave K / February 20, 2020

    Great article, thank you for publishing it, Richard. Have you ever seen an issue where Always On VPN has been configured and deployed on Windows Server 2019 and the only thing that appears in the Remote Access Management Console under DirectAccess and VPN Client Status is “Unavailable”? Always On VPN is working properly with a device tunnel, yet I have no monitoring available through the Remote Access Management Dashboard.

    • Haven’t seen anything like that myself. Is the Remote Access Management service (ramgmtsvc) running on the server?

      • Dave K / February 24, 2020

        Oh yes, definitely! Clients are connected to the RRAS server using an IKEv2 device tunnel. I can monitor and manage clients through the RRAS console but the Remote Access Management Console does not seem to ‘plug in’ to the RRAS component.

      • Dave K / February 24, 2020

        My apologies, Richard. I made an assumption which I should never do. I checked services and found that Remote Access Management service was indeed stopped and set to disabled. That did the trick! The Remote Access Management Console now displays client information. Thank you so much!

      • 😁

    • Ryan P / September 17, 2020

      Hi Richard! I’m having the same problem as Dave K. In the Remote Access Management Console under Dashboard > DirectAccess and VPN Client Status I have “unavailable” listed for each statistic. I’m running DirectAccess on a 2016 server. The ramgmtsvc service is running and I have restarted it to no avail. I’ve also rebooted the entire server. What’s interesting is that I’m getting “Remote Client Status” reported correctly and do not appear to be experiencing any issues with client connections. I get good results from the PS command “Get-RemoteAccessConnectionStatistics”, however when I run “Get-RemoteAccessConnectionStatisticsSummary” I get “A general error occurred that is not covered by a more specific error code.” This problem began immediately after I installed the 2020-09 Windows updates last night (KB4577015, KB4576750, & KB890830). I suspect it may have something to do with the connection to the Windows Internal Database, but I’m not sure how to test it. I would think the two PS commands would contact the DB in the same way so it’s very strange that one command works and the other does not. Any insight would be greatly appreciated! Thank you!

      • That is very strange for sure. It might be worth disabling inbox accounting and removing the database entirely, then re-enabling it and letting it build a new database. I can share the code to do that with you if you like.

        If you want to test connectivity to the database you can run the following commands locally on the server.

        $connection = New-Object -TypeName System.Data.SqlClient.SqlConnection
        $connection.ConnectionString = 'Server=np:\\.\pipe\Microsoft##WID\tsql\query;Database=RaAcctDb;Trusted_Connection=True;'
        $connection.Open()      # throws if the WID service or the RaAcctDb database cannot be reached
        $connection | Format-List State, ServerVersion, Database
        $connection.Close()

      • Ryan P / September 18, 2020

        Thank you, I would much appreciate the code to rebuild the DB. I used your connection script and appear to have connected without errors. I also successfully connected with SQL Mgmt Studio and was able to do so using the same named pipe you have in your script.

      • You will find a script to remove the inbox accounting database here.

        https://github.com/richardhicks/aovpn/blob/master/Remove-InboxAccountingDatabase.ps1

        Once you’ve run that you can re-enable inbox accounting and it will do so with a clean copy of the database.

      • Ryan P / September 23, 2020

        Thank you very much for the script! I’m working through a couple DA connection issues with users right now so I don’t want to delete their connection history just yet. When I close out those tickets I’ll give this a try. Thanks again!

  2. Nate / March 17, 2020

    Richard, great overview of monitoring. Have you used any 3rd party tools to aggregate all of this information, I haven’t found anything online, but thinking there has to be something out there.

    • I haven’t personally, but I have customers that have exported log files to various SIEM solutions. Most of them have a dedicated or universal connector that can be used to collect this information. I’m currently working on a custom solution that will aggregate data from individual servers to a central SQL database. No timeframe on that but hope to release something in the coming months. This will allow administrators to log multiple VPN servers to a single database and create their own custom reports as well.

      • Richard, do you know how people have managed to get this information out of the server and into a SIEM? Things like the source address don't seem to appear in any log or event. This PowerShell seems to include everything that I would need, but I am really only after it sending new information to my SIEM for new connections.

        Get-RemoteAccessConnectionStatistics | Format-list -Property *

        What type of connector would you be referring to?

      • Most SIEM solutions have dedicated or universal connectors to access log data and forward it. NPS has been around a long time so I’m sure your provider would have something. If not, NPS logs to a standard format, so it shouldn’t be hard to move that data. NPS would include the source IP address of the client (Calling Station Identifier field) which is in the event log on the NPS server. It’s more difficult for the device tunnel because it doesn’t use NPS. It is possible to write some PowerShell code that would collect the data you need and output via syslog if that helps. I’ve worked with customers in the past who have done this.

      • Mike Mackin / April 5, 2022

        Hi Richard,

        Thanks for all the guides, I have found these really helpful in deploying our AOVPN Solution.

        Did you ever manage to develop the solution to grab all info from all AOVPN Servers, and dump them in one SQL DB?

        Thanks in advance,

        Mike.

      • No, I haven’t. It’s an interesting idea, however. I’m sure it could be done, it’s just a matter of the development effort to do it. 🙂
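Richard's reply earlier in this thread mentions PowerShell that collects connection data and outputs it via syslog. The following is an added example along those lines, not code from the original post or from Richard's modules: it runs Get-RemoteAccessConnectionStatistics on the VPN server, sends only connections it has not reported before as RFC 5424 syslog messages over UDP, and remembers what it sent in a state file. The collector address, the state file path and the property names read from each connection object (UserName, ClientIPAddress, ClientExternalAddress, ConnectionStartTime, AuthMethod, TunnelType) are assumptions; confirm them with Get-RemoteAccessConnectionStatistics | Get-Member before scheduling it.

```powershell
# Added example, not part of the original post. Forwards newly seen RRAS VPN
# connections to a SIEM as RFC 5424 syslog over UDP; run it on the VPN server
# from a scheduled task. Collector, state path and the connection property
# names used below are assumptions for this illustration.
param(
    [string]$SyslogServer = 'siem.example.com',                      # assumed collector
    [int]$SyslogPort      = 514,
    [string]$StatePath    = "$env:ProgramData\AovpnSyslog\seen.json"
)

function ConvertTo-SdValue([string]$Value) {
    # RFC 5424 section 6.3.3: backslash, double quote and ']' must be escaped in a
    # PARAM-VALUE, otherwise an odd username could break the structured-data block
    # and confuse the collector's parser. Backslash is handled first.
    return ($Value -replace '\\', '\\' -replace '"', '\"' -replace '\]', '\]')
}

function Format-SyslogMessage($Connection, [string]$Origin) {
    # PRI 14 = facility user (1) * 8 + severity informational (6).
    # Enterprise number 32473 is reserved by RFC 5612 for documentation; use your own.
    $ts = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $sd = '[aovpn@32473 user="{0}" extIp="{1}" vpnIp="{2}" auth="{3}" tunnel="{4}" start="{5:o}"]' -f `
        (ConvertTo-SdValue $Connection.UserName),
        (ConvertTo-SdValue ($Connection.ClientExternalAddress -join ',')),
        (ConvertTo-SdValue ($Connection.ClientIPAddress -join ',')),
        (ConvertTo-SdValue $Connection.AuthMethod),
        (ConvertTo-SdValue $Connection.TunnelType),
        $Connection.ConnectionStartTime
    return "<14>1 $ts $Origin rras-aovpn - NEWCONN $sd New VPN connection for $($Connection.UserName)"
}

# Keys reported by earlier runs; a key identifies who connected, from where, and when.
$seen = @{}
if (Test-Path $StatePath) {
    foreach ($k in @(Get-Content $StatePath -Raw | ConvertFrom-Json)) { $seen[$k] = $true }
}

$udp     = New-Object System.Net.Sockets.UdpClient
$current = New-Object System.Collections.Generic.List[string]
$sent    = 0
try {
    foreach ($c in Get-RemoteAccessConnectionStatistics) {
        $key = '{0}|{1}|{2:o}' -f $c.UserName, ($c.ClientExternalAddress -join ','), $c.ConnectionStartTime
        $current.Add($key)
        if ($seen.ContainsKey($key)) { continue }            # already reported on a previous run
        $bytes = [System.Text.Encoding]::UTF8.GetBytes((Format-SyslogMessage $c $env:COMPUTERNAME))
        [void]$udp.Send($bytes, $bytes.Length, $SyslogServer, $SyslogPort)
        $sent++
    }
}
finally {
    $udp.Close()
}

# Persist only the keys of sessions that are still active, so the file stays small
# and a later reconnect (which has a new start time) is reported again.
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
ConvertTo-Json -InputObject @($current) -Compress | Set-Content -Path $StatePath
"Connections reported: $sent"
```

Device-tunnel sessions are included because the data comes from the VPN server itself rather than from NPS, which is the gap Richard notes for the device tunnel.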

  3. Hopefully a simple question for you. I have run & saved a report of usage, however I am unable to specify where to save the report to. Is there a default location?

    • You can’t actually save reports in the Remote Access Management console. After you generate a report you can run a query against it and then save the query, but you can’t actually output the report in any way.

  4. Hi, I have noticed that with SSTP you get no hostname in the logs. Is it possible to add this or get this from some other source?

    • In my experience I never see the hostname when looking at client connection status in the Remote Access Management console, either for SSTP or IKEv2 connections. Are you seeing it for IKEv2 and just not SSTP?

  5. LanDI / April 29, 2020

    Richard, using device tunnel, I have clients who have multiple entries consuming IP addresses in Remote Access Clients. Basically, if they disconnect they get a new IP and that old session is still clinging on.
    Is there a setting/config I missed?
  6. Francesco / May 6, 2020

    Great article, thanks for posting it Richard. I have IKEv2 Device tunnel with machine certificate authentication and SSTP User Tunnel with PEAP on the same Win 2019 RRAS server. I’m using a separate Win 2019 NPS server for Radius authentication, Azure MFA Extension and Accounting. I notice that in my accounting log file there is no trace about machine authentication sessions. Is it expected, or did I miss something? My goal is a central repository for all my user’s sessions, either Radius or machine certificate authentication.
    • That is expected. Device certificate authentication does not use NPS, it is authenticated directly on the VPN server. You’ll see this in the event logs on the VPN server itself in this case.

  7. Nate / May 26, 2020

    Are modifications to the tables in the logging database still required for RRAS 2016/2019 installations? The original Microsoft articles only seem to reference Server 2012/R2. Also, amazing content as always Richard!

  8. BillS / November 13, 2020

    Will the Reporting work with regular VPN? I have a 2019 server and we just have users connecting up with SSTP. Remote Access Management Console seems to work fine and shows everything. Also, I assume you can’t run the missing index fix until you configure accounting and it starts logging? Thanks much

    • Yes, you can create historical reports for VPN users in the Remote Access Management console as long as you’ve enabled inbox accounting. And yes, you can only add the index after you’ve enabled the feature. My script checks for that and complains if you do this out of order. 🙂

  9. Justin / December 9, 2020

    Hi Richard, you recommend the rate Column above. Please can you advise what rate actually reports on?

    • It displays the current throughput being used by the client. It can be interesting to see who the busy users are and perhaps why. 🙂

  10. Djam / March 17, 2021

    Hello Richard,

    We have multiple connections with the same username. Each connection is marked as active.

    Is there a way to prevent this?

    AOVPN Server 2019 and Users Tunnel

    • Typically this isn’t a problem, as the older connection will eventually time out and drop off. If you want to remove them immediately, you’ll have to create a PowerShell script to do that.

  11. Sinan / March 26, 2021

    Hello Richard,
    really great information. I wonder if you can help me with tips; we are facing a problem where RRAS is out of ports. I increased it and that fixed the problem,
    but I noticed that old connections are not removed (under Remote Access Clients); instead there are new connections for the same device, and that is making our RRAS run out of ports.
    Any tips for how to put a clean-up task in place for the old connections?

    Many thanks
    BR
    Sinan

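Djam's and Sinan's questions above both describe stale sessions for the same user or device lingering under Remote Access Clients, and Richard's reply to Djam says a PowerShell script is needed to drop them early. The following is an added example of such a script, not code from the original post or from Richard's modules: it groups active connections by UserName, keeps the newest session per identity, and disconnects older duplicates by their assigned VPN address with Disconnect-VpnUser. The property names it reads (UserName, ClientIPAddress, ConnectionStartTime), the default grace period and the assumption that the first ClientIPAddress entry is the IPv4 lease are assumptions; run it with -WhatIf first.

```powershell
# Added example, not part of the original post. Disconnects stale duplicate
# sessions (same identity, older start time) so they stop holding RRAS ports
# and addresses. Run on the VPN server; supports -WhatIf / -Confirm.
# Property names and the grace period below are assumptions for this illustration.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # A duplicate younger than this is treated as a reconnect in progress and left alone.
    [int]$MinimumAgeMinutes = 5,
    # Restrict to identities matching this regex, e.g. '\$$' if device tunnels show the
    # machine account in UserName (assumed); '.*' processes every identity.
    [string]$UserNamePattern = '.*'
)

function Get-StaleSessions {
    # Returns the sessions that would be dropped without touching anything, so the
    # selection logic can be reviewed separately from the disconnect action.
    param([array]$Connections, [datetime]$Now, [int]$MinAge, [string]$Pattern)
    $stale = @()
    foreach ($g in ($Connections | Where-Object { $_.UserName -match $Pattern } |
                    Group-Object -Property UserName)) {
        if ($g.Count -lt 2) { continue }                       # one session per identity is normal
        $ordered = @($g.Group | Sort-Object -Property ConnectionStartTime -Descending)
        # $ordered[0] is the newest session for this identity and is always kept.
        foreach ($old in $ordered[1..($ordered.Count - 1)]) {
            if (($Now - $old.ConnectionStartTime).TotalMinutes -lt $MinAge) { continue }
            $stale += $old
        }
    }
    return $stale
}

$now   = Get-Date
$stale = @(Get-StaleSessions -Connections @(Get-RemoteAccessConnectionStatistics) `
                             -Now $now -MinAge $MinimumAgeMinutes -Pattern $UserNamePattern)
$dropped = 0
foreach ($s in $stale) {
    # The VPN-assigned address identifies one session; disconnecting by user name
    # would also drop the live session. First address assumed to be the IPv4 lease.
    $ip     = @($s.ClientIPAddress)[0]
    $target = '{0} via {1}, started {2:u}' -f $s.UserName, $ip, $s.ConnectionStartTime
    if ($PSCmdlet.ShouldProcess($target, 'Disconnect stale VPN session')) {
        Disconnect-VpnUser -HostIPAddress $ip
        $dropped++
    }
}
"Stale sessions found: $($stale.Count); disconnected: $dropped"
```

Review the -WhatIf output for a few days before scheduling it, since a user legitimately connected from two devices with a user tunnel would also match unless the pattern is narrowed.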
  12. Chris / June 10, 2021

    Is there also a WinEvent for Always On VPN where I can see the public IP address,
    like the event for DA in
    Microsoft-Windows-Iphlpsvc/Operational, Event ID 4303, which looks like this:

    IP-HTTPS client Unknown (89.200.100.99) is associated with IP address fe80::b0e7:4444:aaaa:bbb9. 10.06.2021 06:28:49

    • That information is logged on the VPN server. If you’ve enabled inbox accounting you’ll find the information in the client status section or when you run a report. You can also find logging information in C:\Windows\System32\LogFiles. Look for files beginning with IN*.

  13. Germier Mela Hung / August 16, 2021

    Hi Richard

    First of all, thanks very much for all your Guides, they are very helpful!!!!

    I have a question, I have (like in your Print Screen), no Host Name listed :(.

    How can I resolve this?

    Best regards
    Mela

    • This field isn’t used for VPN connections, only DirectAccess connections. Nothing you can do about it, unfortunately.

      • germiermela / August 16, 2021

        All right, thanks for the quick answer.

  14. Hi Richard, is there a way to see device tunnel logs in log files or Event Viewer? I understand we can see user tunnel logs in the log file and Event Viewer but couldn’t see the device tunnel in these places.
    Thanks.

    • You should see those in the log files on the VPN server in C:\Windows\System32\Logfiles\IN*.log. They should also be recorded in Event Viewer on the VPN server.

  15. Dan Schaeffler / February 4, 2022

    Hi Richard, I’m looking for a way to provide view/read-only access to RRAS or the Remote Access Management console. Really just the ability to run a PowerShell script to get properties on a connection remotely without being an admin of the RRAS servers.

    Main reason for the need is I’m getting occasional reports from local IT staff that are attempting to RDP to always on devices over the device tunnel and they experience errors. They contact me and I can see the device connected in rras, but the IP assigned does not match what’s in DNS. I have device tunnel set to register in DNS, but that does not seem to work consistently.

    • I’ve done something like this in the past for DirectAccess, and it shouldn’t be that much different for Always On VPN to be honest. Hit me up directly and I’ll provide you with some code examples.

  16. John Andre Schreuder / March 29, 2022

    Hi, Richard.. Thank you for all the great blog posts you are creating. I have learned a lot from your posts.

    I was wondering a bit about using clearpass for radius authentication and accounting. Everything works fine with authentication, but it seems like the accounting information is just updated in clearpass on connect and disconnect. Do you know if it is possible to update the interval for the accounting information coming from the ras servers?

    • Indeed, any RADIUS server will work with Always On VPN. I’m not aware of any way to change the accounting update interval in RRAS, though.

  17. Hello Richard, thank you for all the great guides and blogs you are creating. Very helpful!

    I have a problem with Radius accounting updates when using Clearpass for radius authentication and radius accounting. In Clearpass I can only see accounting updates on connect and disconnect.

    We want to use the accounting information in the firewall, but Clearpass (radius) does not get any updates of accounting information after the initial VPN connection is established.

    I would like the RAS servers to send accounting updates to Clearpass e.g. every 15 mins or so. Is this possible to tune? For now we only see accounting info in Clearpass on connect and disconnect.

    The accounting information is used for dynamic ACL rules in the fortigate firewall, but the rules times out when no accounting update is forwarded from clearpass after 8 hours.

    have a great day!

    //John Andre

    • Hi John. Unfortunately, I’m not aware of any way to adjust the RADIUS accounting updates in RRAS. This is the first time I’ve heard anyone have an issue with the default settings.

  18. Aamir / May 4, 2023

    Are there any PowerShell commands that would let us check the VPN connection status of domain users?

    • Get-VpnConnection -Name [connection name] | Select-Object ConnectionStatus

      This didn’t work in some earlier versions of Windows 10. However, I believe this issue is resolved in most modern builds.
