Always On VPN Client Connections Fail with Status Connecting

Administrators who have deployed Windows 10 Always On VPN may encounter a scenario in which an Always On VPN connection fails, yet the connectivity status indicator perpetually reports a “Connecting” status.

Always On VPN Client Connections Fail with Status Connecting

Affected Clients

This is a known issue for which Microsoft has recently released updates to address. Affected clients include Windows 10 1909, 1903, and 1809.

Updates Available

The following Windows updates include a fix to resolve this problem.

KB4541335 – Windows 10 1909 and 1903

KB4541331 – Windows 10 1809

Additional Information

Always On VPN Hands-On Training

Leave a comment


  1. Hi Richard
    Do you have a quick guide on differences between direct access and always on VPN, with advantage/disadvantage?
    Is it an easy transition?
    Will they work together for a smooth client feel?
    Thank you

    Sent from my iPhone

  2. Flo

     /  March 25, 2020

    Hey Richard, Thx a lot!
    Really Microsoft? Not one word in the change log?

  3. Ryan

     /  March 25, 2020

    Wonder if this also applies to DirectAccess? Have these same symptoms on some (but not all?) of our DA Win10 laptops with users now WFH. PCs are a mix of 1809 and 1909 (haven’t checked if one and not the other has the issue yet)

  4. Benjamin Watson

     /  March 26, 2020

    Thanks Richard. You are a great source for Microsoft Remote access product information. Appreciate the information you provide.

  5. SRay

     /  March 27, 2020

    Hi Richard. We have set this up using the System account and PC based certs to allow any domain user to log in to any domain joined PC. It works as designed – but only if the PC is on Wifi. As soon as the attempt to use a LAN cable, or tethered USB connection, the VPN interface disconnects. I can temporarily get it going by setting the VPN interface metric, but that only works until the connection type changes again. Any ideas?

    • This can happen on occasion. The solution is to change the interface metric in rasphone.pbk. Setting using Set-NetIPInterface doesn’t persist, unfortunately.

      • SRay

         /  March 30, 2020

        Hi Richard. I have created a PS script to dynamically find/replace/save the interface metric value in the PBK file post VPN creation and it works a treat. Thanks so much for your assistance with this. You’re a legend.

      • Awesome! I have some code I use for this as well. The code I have does have the ability to replace individual parameters in rasphone.pbk, and can do so selectively per connection if you have multiple VPN profiles configured. 🙂

      • jhl

         /  April 5, 2020

        can you share your code that replaces parameters in rasphone.pbk?

      • Still working out a few bugs I recently discovered. I’ll publish something soon for sure. 🙂

  6. John

     /  April 3, 2020

    Hi Richard,

    Thanks for the heads up, we had started seeing this in our estate.

    Can you clarify, you mention KB4541335 as the resolving update for 1903, however KB4554364 seems to indicate that is the resolving update for connectivity issues with VPN, or is this a separate issue entirely?

    • KB4554364 is a separate issue. This was an emergency fix released out of band due to the high volume of remote workers caused by the COVID-19 pandemic.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: