Always On VPN Client Connections Fail with Status Connecting

Administrators who have deployed Windows 10 Always On VPN may encounter a scenario in which an Always On VPN connection fails, yet the connectivity status indicator perpetually reports a “Connecting” status.

Always On VPN Client Connections Fail with Status Connecting

Affected Clients

This is a known issue for which Microsoft has recently released updates to address. Affected clients include Windows 10 1909, 1903, and 1809.

Updates Available

The following Windows updates include a fix to resolve this problem.

KB4541335 – Windows 10 1909 and 1903

KB4541331 – Windows 10 1809

Additional Information

Always On VPN Hands-On Training

Leave a comment

26 Comments

  1. Hi Richard
    Do you have a quick guide on differences between direct access and always on VPN, with advantage/disadvantage?
    Is it an easy transition?
    Will they work together for a smooth client feel?
    Thank you
    Regards
    Phil

    Sent from my iPhone

    Reply
  2. Flo

     /  March 25, 2020

    Hey Richard, Thx a lot!
    Really Microsoft? Not one word in the change log?

    Reply
  3. Ryan

     /  March 25, 2020

    Wonder if this also applies to DirectAccess? Have these same symptoms on some (but not all?) of our DA Win10 laptops with users now WFH. PCs are a mix of 1809 and 1909 (haven’t checked if one and not the other has the issue yet)

    Reply
  4. Benjamin Watson

     /  March 26, 2020

    Thanks Richard. You are a great source for Microsoft Remote access product information. Appreciate the information you provide.

    Reply
  5. SRay

     /  March 27, 2020

    Hi Richard. We have set this up using the System account and PC based certs to allow any domain user to log in to any domain joined PC. It works as designed – but only if the PC is on Wifi. As soon as the attempt to use a LAN cable, or tethered USB connection, the VPN interface disconnects. I can temporarily get it going by setting the VPN interface metric, but that only works until the connection type changes again. Any ideas?

    Reply
    • This can happen on occasion. The solution is to change the interface metric in rasphone.pbk. Setting using Set-NetIPInterface doesn’t persist, unfortunately.

      Reply
      • SRay

         /  March 30, 2020

        Hi Richard. I have created a PS script to dynamically find/replace/save the interface metric value in the PBK file post VPN creation and it works a treat. Thanks so much for your assistance with this. You’re a legend.

      • Awesome! I have some code I use for this as well. The code I have does have the ability to replace individual parameters in rasphone.pbk, and can do so selectively per connection if you have multiple VPN profiles configured. 🙂

      • jhl

         /  April 5, 2020

        can you share your code that replaces parameters in rasphone.pbk?

      • Still working out a few bugs I recently discovered. I’ll publish something soon for sure. 🙂

      • Uploaded the script to do this on my GitHub here: https://github.com/richardhicks/aovpn/blob/master/Update-Rasphone.ps1. Any feedback you might have is appreciated. 🙂

        Enjoy!

  6. John

     /  April 3, 2020

    Hi Richard,

    Thanks for the heads up, we had started seeing this in our estate.

    Can you clarify, you mention KB4541335 as the resolving update for 1903, however KB4554364 seems to indicate that is the resolving update for connectivity issues with VPN, or is this a separate issue entirely?

    Reply
    • KB4554364 is a separate issue. This was an emergency fix released out of band due to the high volume of remote workers caused by the COVID-19 pandemic.

      Reply
  7. William

     /  April 15, 2020

    Hi Richard. Seeing an interesting one in the Lab – Device tunnel is perfect, but SSTP user tunnel will connect after the user logs in. If the user then logs off, the tunnel is not torn down in RRAS and when the client logs in again the tunnel disconnects, then reconnects for 5 seconds and then permanently disconnects. No further attempt to automatically connect is made.

    The only error log generated is a standard “disconnected due to user request”.

    Ever come across this? Only an issue when users log off rather than rebooting, but will be an issue down the road for sure.

    Reply
  8. zzzp18

     /  April 19, 2020

    Wish this fix came out alot sooner. Poor form from Microsoft.

    Reply
  9. Gino Albanese

     /  April 20, 2020

    Hi Richard
    I have Windows 10 1809 with the latest fix (https://support.microsoft.com/de-ch/help/4554354/windows-10-update-kb4554354) but i have still the same problem. When i restart my notebook the connection is still connected but i don’t have connection.
    Any ideas? Thx a lot!
    Regards Gino

    Reply
    • If you have this update installed but are still experiencing the issue, I would have to say it is not related to the specific problem addressed in this fix. What the problem you are having is I don’t know for sure though.

      Reply
  10. Graham

     /  April 29, 2020

    Hi Richard. Thank you for all your work on this topic. I’ve used your scripts (new-aovpnconnection.ps1) to connect to our office and it works great. The only problem is after a computer goes to sleep, the vpn just will not seemingly attempt to automatically reconnect. I suppose I could start a task scheduler to watch over this, but with a name like always on, it seems like that shouldn’t be necessary. 1809 LTSC 17763.1158.

    I had the same issue with a machine based vpn, and decided to try user based with the hopes it wouldn’t have this issue, but no luck.

    Reply
    • This is a persistent issue with Always On VPN that Microsoft has yet to fully resolve. The only solution here is to restart the network interface, or simply reboot the device. :/

      Reply

Leave a Reply to philready Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: