Always On VPN Updates for RRAS and IKEv2

Always On VPN Updates for RRAS and IKEv2

Many users have reported connection stability issues using Windows Server 2019 Routing and Remote Access Service (RRAS) and the IKEv2 VPN protocol. Specifically, there have been reports of random disconnects for which the connection cannot be re-established for an extended period. At the same time, other VPN connections may work without issue.

KB5003703

Microsoft has identified an issue in RRAS where the RemoteAccess service enters DoS protection mode, limiting incoming IKEv2 connection attempts. They released an update on June 15 (OS Build 17763.2028) that addresses this issue. Previously, the only workaround was to restart the IKEEXT service, which was highly disruptive if performed during peak hours.

No More Files

In addition, this update includes another Always On VPN-related fix for Windows 10 1809 clients. An Always On VPN user tunnel connection may fail, with an error message stating, “There are no more files.” The problem can occur after an existing user’s certificate is automatically renewed.

Additional Information

Microsoft Update June 15, 2021 KB5003703 (OS Build 17763.2028)

Leave a comment

15 Comments

  1. James Hawksworth

     /  June 22, 2021

    Great, thanks for the heads up! This might solve many of those weird unexplained hiccups.

    Love the lack of detail from MS though, DoS Protection appears to be normal, so what is the issue they’ve addressed? Hopefully not just turned it off… *facepalm*

    Reply
    • I agree, but I’ll take something rather than nothing! I can’t tell you how many updates for Always On VPN have come out over the years and they are not documented at all. :/

      Reply
  2. I pounced on this, as I thought it would solve all my random IKEv2 device tunnel disconnects, but sadly no. I’m running the latest build, not 1809.

    Reply
  3. swedesolutions

     /  June 25, 2021

    We have the exact same problems on our 2016 servers. Are these being updated too with the same fix?

    Reply
    • I’m not certain. Microsoft has only released the update for Windows Server 2019 and Windows Server 1809. It’s possible they could backport the fix to Windows Server 2016 in the future though.

      Reply
  4. Do you know how to tell if you’re server starts blocking connections because it thinks it’s under DDOS attack? I’d like to know if one of our issues we’re having is due to this. When around/over 250 connections are made, IKEv2 connections start failing, but SSTP connections are fine.

    Reply
    • I’m not certain, to be honest. There might be an event log message recorded though. You’ll have to check when you see this happening to validate.

      Reply
  5. Artūras

     /  July 20, 2021

    I wonder if there is an update for OS Build 17763.2061. This seems to be happening in our environment too. We are getting random 809 errors

    Reply
  6. j03oe

     /  July 21, 2021

    In our experience, the IKEv2 Device Tunnel connection typically goes whacky when a user’s WiFi or ISP connection gets dropped or interfered with. What I mean by ‘whacky’ is that the Device Tunnel adaptor remains ‘connected’, but when you check the packet counter, the W10 client is sending packets, but not receiving anything from the Server. When you check the server logs, it just shows a generic “User Requested Disconnect” at the time of the client’s initial drop. This “half-connected” state usually lasts for 15 minutes before the Device Tunnel finally realizes that it’s hosed and the connection timer goes back to 00:00 and traffic starts flowing again. Why isn’t the Windows 10 client able to realize that the Device Tunnel is down and auto-reconnect sooner?

    Reply
    • This is likely caused by the default IKEv2 timeouts configured in Windows Server RRAS. It might be worth lowering the default timeout and outage time window values to prevent this (or at least make it faster). You can set the IKEv2 timeout by running the following command on your RRAS server.

      netsh.exe ras set ikev2connection idletimeout = 5 nwoutagetime = 5

      Reply
    • You might also have to disable IKE mobility on the client-side, or reduce the timeout value there too. You’ll find that in the advanced security settings for the VPN profile.

      Reply

Leave a Reply to Beau McMahon Cancel reply

%d bloggers like this: