Always On VPN Bug in Windows 10 2004

While performing Always On VPN evaluation testing with the latest release of Windows 10 (2004), a bug was discovered that may result in failed VPN connections, but only under certain conditions. Specifically, the failure occurs when both the device tunnel and user tunnel are configured on the same client, and the user tunnel is configured to use IKEv2 exclusively.

Error 829

After upgrading to Windows 10 2004, and when the device tunnel and user tunnel are both deployed and the user tunnel is configured to use IKEv2, the administrator will notice that if the device tunnel connection is established, the user tunnel connects successfully but is then terminated abruptly with error code 829.

Note: This can happen in reverse if the user tunnel is established before the device tunnel for some reason. In this scenario the user tunnel would be connected but attempts to establish the device tunnel would result in failure.

Error 619

If the user tunnel connection is initiated using rasdial.exe or rasphone.exe, the error code returned is 619.

Workaround

The workaround for this issue is to either use a single tunnel, or if both user tunnel and device tunnel are required, configure the user tunnel to use the SSTP VPN protocol instead of IKEv2.
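
A PowerShell check for the affected configuration, added here as an example and not part of the original post. It assumes the device tunnel lives in the all-user phone book and the user tunnel in the signed-in user's phone book, and that the 829/619 failures are logged by RasClient in the Application event log, as one commenter below reports.

```powershell
# Added example: flag the tunnel combination described in this article
# and list recent RasClient events that mention error 829 or 619.
# Assumption: device tunnel = all-user connection, user tunnel = per-user
# connection. Adjust the two queries if your deployment differs.

$build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$is2004 = ($build -eq 19041)          # Windows 10 2004 is build 19041

$deviceTunnels = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$userTunnels   = @(Get-VpnConnection -ErrorAction SilentlyContinue)

# The article's failure condition: user tunnel restricted to IKEv2
$ikev2User = @($userTunnels | Where-Object { $_.TunnelType -eq 'Ikev2' })

[pscustomobject]@{
    Build            = $build
    IsWindows10_2004 = $is2004
    DeviceTunnels    = ($deviceTunnels.Name -join ', ')
    UserTunnels      = (($userTunnels | ForEach-Object {
                            '{0} ({1})' -f $_.Name, $_.TunnelType }) -join ', ')
    MatchesBugProfile = $is2004 -and
                        $deviceTunnels.Count -gt 0 -and
                        $ikev2User.Count -gt 0
}

# Recent RasClient events whose message mentions error 829 or 619.
# The 7-day window is an arbitrary choice for this example.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'RasClient'
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\b(829|619)\b' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it in the signed-in user's session so the per-user query sees the user tunnel. A client that matches is a candidate for the workaround above.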

Additional Information

Windows 10 Always On VPN Device Tunnel Only Deployment Considerations

14 Comments

  1. Here’s hoping they fix this soon!

    • For sure! It won’t affect everyone as most are using SSTP for the user tunnel in my experience. However, for those looking for the highest level of security, using IKEv2 is a requirement. They’ll definitely be affected.

  2. Simon

     /  June 25, 2020

    *sigh* one more nail in the coffin for IKEv2 😦

  3. Matt

     /  June 25, 2020

    Wow!
    Windows 10 2004 has so many bugs despite having extended testing due to the release postponements.
    I guess nobody tested AOVPN very much during Windows Insider release rings because it’s not as if it takes an extremely obscure configuration to expose this obvious issue.

    Does 2004 have any AOVPN improvements over earlier releases?

    • It’s a pretty obvious bug, so one would have to guess as to how reliable the testing process is. 😉 I’m hearing that Always On VPN in Windows 10 2004 now supports manage out with traffic filters, but I’ve not seen any formal documentation on that yet.

  4. Chris Podurgiel

     /  June 28, 2020

    We’ve been experiencing similar symptoms on 1909. I’m wondering if a recent update that shares code with 2004 is to blame.

    • Anything is possible. In my testing this only seemed to affect 2004 devices though. Hopefully Microsoft issues some guidance and ideally a fix soon. 🙂

  5. Julien Potier

     /  June 30, 2020

    I’m experiencing something very similar on W10 1803. Device VPN terminates randomly with reason code 828 (timeout) which is not configured on the device VPN side. We force the use of IKEv2 since SSTP is terrible for real time traffic. I need to investigate further.

    • I’d be curious to know if you are having this same issue on 1903/1909. Earlier versions of Windows 10 are always suspect IMO.

  6. Drew

     /  July 2, 2020

    I’m seeing something similar on 2004, but my User tunnel is set to Auto (using the XML config from your blog, thank you!) and it connects as SSTP while my Device tunnel is obviously IKEv2. My user tunnel doesn’t SEEM to be affected but my device tunnel seems to randomly disconnect. If I attempt to dial the device connection via psexec RasDial.exe I get error 619 and I also get error 829 in the Application event log. I’ll see if hard coding the user tunnel to SSTP helps.

  7. Victor Musatov

     /  July 9, 2020

    I confirm: Windows 10 2004, user SSTP tunnel, device IKEv2 tunnel. After waking up, only the user tunnel will automatically connect; the device tunnel ends with error 619/829.

