Many users have reported connection stability issues using Windows Server 2019 Routing and Remote Access Service (RRAS) and the IKEv2 VPN protocol. Specifically, there have been reports of random disconnects for which the connection cannot be re-established for an extended period. At the same time, other VPN connections may work without issue.
KB5003703
Microsoft has identified an issue in RRAS where the RemoteAccess service enters DoS protection mode, limiting incoming IKEv2 connection attempts. They released an update on June 15 (OS Build 17763.2028) that addresses this issue. Previously, the only workaround was to restart the IKEEXT service, which was highly disruptive if performed during peak hours.

No More Files
In addition, this update includes another Always On VPN-related fix for Windows 10 1809 clients. An Always On VPN user tunnel connection may fail, with an error message stating, “There are no more files.” The problem can occur after an existing user’s certificate is automatically renewed.
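An added example (not from the original post or from Microsoft): a PowerShell check that compares a machine's OS build with 17763.2028, the build the article gives for KB5003703. The RRAS fix applies on the server and the "no more files" fix on the 1809 client, so it evaluates each machine separately. The function name, role labels and sample inputs are hypothetical.

```powershell
# Added example: is this machine at or above OS Build 17763.2028 (KB5003703)?
$FixBuild = 17763   # Windows Server 2019 / Windows 10 1809
$FixUbr   = 2028    # update build revision given in the article

function Test-Kb5003703Level {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        [Parameter(Mandatory)][string]$InstallationType,
        [bool]$RrasRunning = $false
    )
    # The RRAS fix matters on the server; the "no more files" fix on the client.
    if ($InstallationType -like 'Server*' -and $RrasRunning) {
        $role = 'RRAS server'
    } elseif ($InstallationType -eq 'Client') {
        $role = 'VPN client'
    } else {
        $role = 'Other'
    }
    # The article only covers build 17763; other builds are reported as such.
    if ($Build -ne $FixBuild) {
        $status = 'NotCovered'
    } elseif ($Ubr -ge $FixUbr) {
        $status = 'Fixed'
    } else {
        $status = 'NeedsUpdate'
    }
    [pscustomobject]@{ Role = $role; OSBuild = "$Build.$Ubr"; Status = $status }
}

# Constructed sample inputs (not real hosts): a patched client does not fix
# an unpatched RRAS server, so each machine is evaluated separately.
Test-Kb5003703Level -Build 17763 -Ubr 1999 -InstallationType 'Server' -RrasRunning $true
Test-Kb5003703Level -Build 17763 -Ubr 2028 -InstallationType 'Client'
Test-Kb5003703Level -Build 14393 -Ubr 4467 -InstallationType 'Server' -RrasRunning $true

# Local machine: read the build from the registry and the RemoteAccess service state.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
Test-Kb5003703Level -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) `
    -InstallationType $cv.InstallationType -RrasRunning ($svc.Status -eq 'Running')
```

Comparing the update build revision rather than looking for the KB number means a later cumulative update on build 17763 also reports as fixed.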

Additional Information
Microsoft Update June 15, 2021 KB5003703 (OS Build 17763.2028)
James Hawksworth / June 22, 2021
Great, thanks for the heads up! This might solve many of those weird unexplained hiccups.
Love the lack of detail from MS though, DoS Protection appears to be normal, so what is the issue they’ve addressed? Hopefully not just turned it off… *facepalm*
Richard M. Hicks / June 23, 2021
I agree, but I’ll take something rather than nothing! I can’t tell you how many updates for Always On VPN have come out over the years and they are not documented at all. :/
Andy Chips / June 24, 2021
I pounced on this, as I thought it would solve all my random IKEv2 device tunnel disconnects, but sadly no. I’m running the latest build, not 1809.
Richard M. Hicks / June 24, 2021
You ran the update on your RRAS servers, correct?
Andy Chips / June 25, 2021
{facepalm}… no!
I thought it was for clients.
I should always read the instructions before use.
Richard M. Hicks / June 26, 2021
😉 Let me know what happens after you install it on the server!
swedesolutions / June 25, 2021
We have the exact same problems on our 2016 servers. Are these being updated too with the same fix?
Richard M. Hicks / June 26, 2021
I’m not certain. Microsoft has only released the update for Windows Server 2019 and Windows Server 1809. It’s possible they could backport the fix to Windows Server 2016 in the future though.
Beau McMahon / June 30, 2021
Do you know how to tell if your server starts blocking connections because it thinks it’s under DDOS attack? I’d like to know if one of our issues we’re having is due to this. When around/over 250 connections are made, IKEv2 connections start failing, but SSTP connections are fine.
Richard M. Hicks / July 6, 2021
I’m not certain, to be honest. There might be an event log message recorded though. You’ll have to check when you see this happening to validate.
Artūras / July 20, 2021
I wonder if there is an update for OS Build 17763.2061. This seems to be happening in our environment too. We are getting random 809 errors.
Richard M. Hicks / July 21, 2021
Microsoft usually backports these fixes after a period of time. Hopefully it gets released later this year.
j03oe / July 21, 2021
In our experience, the IKEv2 Device Tunnel connection typically goes whacky when a user’s WiFi or ISP connection gets dropped or interfered with. What I mean by ‘whacky’ is that the Device Tunnel adaptor remains ‘connected’, but when you check the packet counter, the W10 client is sending packets, but not receiving anything from the Server. When you check the server logs, it just shows a generic “User Requested Disconnect” at the time of the client’s initial drop. This “half-connected” state usually lasts for 15 minutes before the Device Tunnel finally realizes that it’s hosed and the connection timer goes back to 00:00 and traffic starts flowing again. Why isn’t the Windows 10 client able to realize that the Device Tunnel is down and auto-reconnect sooner?
Richard M. Hicks / July 21, 2021
This is likely caused by the default IKEv2 timeouts configured in Windows Server RRAS. It might be worth lowering the default timeout and outage time window values to prevent this (or at least make it faster). You can set the IKEv2 timeout by running the following command on your RRAS server.
netsh.exe ras set ikev2connection idletimeout = 5 nwoutagetime = 5
Richard M. Hicks / July 21, 2021
You might also have to disable IKE mobility on the client-side, or reduce the timeout value there too. You’ll find that in the advanced security settings for the VPN profile.
Andrey Zasypkin / February 23, 2023
Hi Richard, what is the best way to change value on number of Redial attempts … can this option be added to Update-Rasphone.ps1 … thank you
Richard M. Hicks / February 27, 2023
I would assume editing rasphone.pbk. My script doesn’t support this, however.