Administrators who have deployed Windows 10 Always On VPN may encounter a scenario in which an Always On VPN connection fails, yet the connectivity status indicator perpetually reports a “Connecting” status.
Affected Clients
This is a known issue that Microsoft has recently released updates to address. Affected clients include Windows 10 1909, 1903, and 1809.
Updates Available
The following Windows updates include a fix to resolve this problem.
KB4541335 – Windows 10 1909 and 1903
KB4541331 – Windows 10 1809
philready
/ March 25, 2020
Hi Richard
Do you have a quick guide on differences between DirectAccess and Always On VPN, with advantage/disadvantage?
Is it an easy transition?
Will they work together for a smooth client feel?
Thank you
Regards
Phil
Richard M. Hicks
/ March 26, 2020
Have a look at the following articles:
https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-between-directaccess-and-always-on-vpn/
https://directaccess.richardhicks.com/2017/11/06/5-things-directaccess-administrators-should-know-about-always-on-vpn/
As for migrating from DirectAccess to Windows 10 Always On VPN, that’s pretty seamless for the most part. When you deploy Always On VPN to an existing DirectAccess client, DirectAccess will automatically shut down (in most cases – if it doesn’t, you have two connections but that’s better than none!). You’ll eventually see there are no more users connected to DirectAccess, at which point you can then remove all clients from the DirectAccess client security group and decommission the DirectAccess infrastructure. Best not to do it immediately to make sure everyone indeed got the new Always On VPN settings. 🙂
Flo
/ March 25, 2020
Hey Richard, Thx a lot!
Really Microsoft? Not one word in the change log?
Richard M. Hicks
/ March 26, 2020
Not for 1809, but at least they put something in the 1903/1909 Improvements and Fixes section! 🙂
Ryan
/ March 25, 2020
Wonder if this also applies to DirectAccess? Have these same symptoms on some (but not all?) of our DA Win10 laptops with users now WFH. PCs are a mix of 1809 and 1909 (haven’t checked if one and not the other has the issue yet)
Richard M. Hicks
/ March 26, 2020
No, not at all. If you have a “Connecting…” status on DirectAccess that is something entirely different. It either means the DirectAccess connection hasn’t established, or if it has, the client can’t resolve or connect to the web probe host URL. More details here: https://directaccess.richardhicks.com/2017/05/22/directaccess-network-connectivity-assistant-nca-configuration-guidance/.
Benjamin Watson
/ March 26, 2020
Thanks Richard. You are a great source for Microsoft Remote access product information. Appreciate the information you provide.
Richard M. Hicks
/ March 26, 2020
My pleasure. Thanks!
SRay
/ March 27, 2020
Hi Richard. We have set this up using the System account and PC based certs to allow any domain user to log in to any domain joined PC. It works as designed – but only if the PC is on Wifi. As soon as they attempt to use a LAN cable, or tethered USB connection, the VPN interface disconnects. I can temporarily get it going by setting the VPN interface metric, but that only works until the connection type changes again. Any ideas?
Richard M. Hicks
/ March 27, 2020
This can happen on occasion. The solution is to change the interface metric in rasphone.pbk. Setting using Set-NetIPInterface doesn’t persist, unfortunately.
SRay
/ March 30, 2020
Hi Richard. I have created a PS script to dynamically find/replace/save the interface metric value in the PBK file post VPN creation and it works a treat. Thanks so much for your assistance with this. You’re a legend.
Richard M. Hicks
/ March 31, 2020
Awesome! I have some code I use for this as well. The code I have does have the ability to replace individual parameters in rasphone.pbk, and can do so selectively per connection if you have multiple VPN profiles configured. 🙂
jhl
/ April 5, 2020
Can you share your code that replaces parameters in rasphone.pbk?
Richard M. Hicks
/ April 5, 2020
Still working out a few bugs I recently discovered. I’ll publish something soon for sure. 🙂
Richard M. Hicks
/ April 10, 2020
Uploaded the script to do this on my GitHub here: https://github.com/richardhicks/aovpn/blob/master/Update-Rasphone.ps1. Any feedback you might have is appreciated. 🙂
Enjoy!
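The per-connection rasphone.pbk edit discussed in the thread above, as an added PowerShell example; it is not SRay's script and not the Update-Rasphone.ps1 linked above. The function name, the profile name and the metric value are assumptions; IpInterfaceMetric and Ipv6InterfaceMetric are the phonebook keys that hold the IPv4 and IPv6 interface metrics.

```powershell
# Added example: set the interface metric for ONE connection in rasphone.pbk.
# Set-PbkInterfaceMetric is a hypothetical helper, not part of any published script.
function Set-PbkInterfaceMetric {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $Path,            # full path to rasphone.pbk
        [Parameter(Mandatory)] [string] $ConnectionName,  # [section] name, without brackets
        [Parameter(Mandatory)] [int]    $Metric
    )

    # rasphone.pbk is INI-style: one [ConnectionName] section per VPN profile.
    # ReadAllLines/WriteAllLines treat the file as UTF-8; assumes ASCII profile names.
    $lines     = [System.IO.File]::ReadAllLines($Path)
    $inSection = $false
    $changed   = 0

    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\[(.+)\]\s*$') {
            # New section header: only edit keys that belong to the target profile.
            $inSection = ($Matches[1] -eq $ConnectionName)
            continue
        }
        if ($inSection -and $lines[$i] -match '^(IpInterfaceMetric|Ipv6InterfaceMetric)=') {
            $new = '{0}={1}' -f $Matches[1], $Metric
            if ($lines[$i] -ne $new) { $lines[$i] = $new; $changed++ }
        }
    }

    if ($changed -gt 0) {
        # Keep a rollback copy before overwriting the phonebook.
        Copy-Item -Path $Path -Destination "$Path.bak" -Force
        [System.IO.File]::WriteAllLines($Path, $lines)
    }
    return $changed   # number of lines rewritten (0 = already set or profile not found)
}

# Usage (constructed values): user tunnel phonebook, profile 'Always On VPN', metric 3.
# Device tunnel profiles live under C:\ProgramData\Microsoft\Network\Connections\Pbk\.
# Set-PbkInterfaceMetric -Path "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk" `
#     -ConnectionName 'Always On VPN' -Metric 3
```

The change takes effect the next time the connection is established, and the function leaves every other profile in the phonebook untouched.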
John
/ April 3, 2020
Hi Richard,
Thanks for the heads up, we had started seeing this in our estate.
Can you clarify, you mention KB4541335 as the resolving update for 1903, however KB4554364 seems to indicate that is the resolving update for connectivity issues with VPN, or is this a separate issue entirely?
Richard M. Hicks
/ April 3, 2020
KB4554364 is a separate issue. This was an emergency fix released out of band due to the high volume of remote workers caused by the COVID-19 pandemic.
William
/ April 15, 2020
Hi Richard. Seeing an interesting one in the Lab – Device tunnel is perfect, but SSTP user tunnel will connect after the user logs in. If the user then logs off, the tunnel is not torn down in RRAS and when the client logs in again the tunnel disconnects, then reconnects for 5 seconds and then permanently disconnects. No further attempt to automatically connect is made.
The only error log generated is a standard “disconnected due to user request”.
Ever come across this? Only an issue when users log off rather than rebooting, but will be an issue down the road for sure.
Richard M. Hicks
/ April 15, 2020
Not seen that myself. Very strange for sure.
zzzp18
/ April 19, 2020
Wish this fix came out a lot sooner. Poor form from Microsoft.
Gino Albanese
/ April 20, 2020
Hi Richard
I have Windows 10 1809 with the latest fix (https://support.microsoft.com/de-ch/help/4554354/windows-10-update-kb4554354) but I still have the same problem. When I restart my notebook the connection is still connected but I don’t have connection.
Any ideas? Thx a lot!
Regards Gino
Richard M. Hicks
/ April 22, 2020
If you have this update installed but are still experiencing the issue, I would have to say it is not related to the specific problem addressed in this fix. What the problem you are having is I don’t know for sure though.
Gino
/ April 22, 2020
Hi Richard. Yes, the problem was a Kaspersky version (11.0). After an update it works. Thank you very much.
Richard M. Hicks
/ April 23, 2020
Happens all too often unfortunately!
Graham
/ April 29, 2020
Hi Richard. Thank you for all your work on this topic. I’ve used your scripts (new-aovpnconnection.ps1) to connect to our office and it works great. The only problem is after a computer goes to sleep, the vpn just will not seemingly attempt to automatically reconnect. I suppose I could start a task scheduler to watch over this, but with a name like always on, it seems like that shouldn’t be necessary. 1809 LTSC 17763.1158.
I had the same issue with a machine based vpn, and decided to try user based with the hopes it wouldn’t have this issue, but no luck.
Richard M. Hicks
/ April 30, 2020
This is a persistent issue with Always On VPN that Microsoft has yet to fully resolve. The only solution here is to restart the network interface, or simply reboot the device. :/
Mave
/ July 10, 2020
Hello Richard, do you know if a fix has been released for the AlwaysOn not reconnecting after coming out of Sleep? I’m using Windows 10 1903
Richard M. Hicks
/ July 10, 2020
Not to my knowledge. This is a persistent issue that has plagued Microsoft Always On VPN since inception. Hopefully they can resolve it soon!