Always On VPN Updates for RRAS and IKEv2

Always On VPN Updates for RRAS and IKEv2

Many users have reported connection stability issues using Windows Server 2019 Routing and Remote Access Service (RRAS) and the IKEv2 VPN protocol. Specifically, there have been reports of random disconnects for which the connection cannot be re-established for an extended period. At the same time, other VPN connections may work without issue.

KB5003703

Microsoft has identified an issue in RRAS where the RemoteAccess service enters DoS protection mode, limiting incoming IKEv2 connection attempts. They released an update on June 15 (OS Build 17763.2028) that addresses this issue. Previously, the only workaround was to restart the IKEEXT service, which was highly disruptive if performed during peak hours.

No More Files

In addition, this update includes another Always On VPN-related fix for Windows 10 1809 clients. An Always On VPN user tunnel connection may fail, with an error message stating, “There are no more files.” The problem can occur after an existing user’s certificate is automatically renewed.

Additional Information

Microsoft Update June 15, 2021 KB5003703 (OS Build 17763.2028)

18 Comments
by Richard M. Hicks on June 22, 2021  •  Permalink
Posted in Always On VPN, AOVPN, enterprise mobility, Hotfix, IKEv2, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Update, user tunnel, VPN, Windows 10, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 22, 2021

https://directaccess.richardhicks.com/2021/06/22/always-on-vpn-updates-for-rras-and-ikev2/

Previous Post
Next Post
Leave a comment

18 Comments

  1. James Hawksworth

     /  June 22, 2021

    Great, thanks for the heads up! This might solve many of those weird unexplained hiccups.

    Love the lack of detail from MS though, DoS Protection appears to be normal, so what is the issue they’ve addressed? Hopefully not just turned it off… *facepalm*

    Reply

    • Richard M. Hicks

       /  June 23, 2021

      I agree, but I’ll take something rather than nothing! I can’t tell you how many updates for Always On VPN have come out over the years and they are not documented at all. :/

      Reply

  2. Andy Chips

     /  June 24, 2021

    I pounced on this, as I thought it would solve all my random IKEv2 device tunnel disconnects, but sadly no. I’m running the latest build, not 1809.

    Reply

  3. swedesolutions

     /  June 25, 2021

    We have the exact same problems on our 2016 servers. Are these being updated too with the same fix?

    Reply

    • Richard M. Hicks

       /  June 26, 2021

      I’m not certain. Microsoft has only released the update for Windows Server 2019 and Windows Server 1809. It’s possible they could backport the fix to Windows Server 2016 in the future though.

      Reply

  4. Beau McMahon

     /  June 30, 2021

    Do you know how to tell if you’re server starts blocking connections because it thinks it’s under DDOS attack? I’d like to know if one of our issues we’re having is due to this. When around/over 250 connections are made, IKEv2 connections start failing, but SSTP connections are fine.

    Reply

    • Richard M. Hicks

       /  July 6, 2021

      I’m not certain, to be honest. There might be an event log message recorded though. You’ll have to check when you see this happening to validate.

      Reply

  5. Artūras

     /  July 20, 2021

    I wonder if there is an update for OS Build 17763.2061. This seems to be happening in our environment too. We are getting random 809 errors

    Reply

  6. j03oe

     /  July 21, 2021

    In our experience, the IKEv2 Device Tunnel connection typically goes whacky when a user’s WiFi or ISP connection gets dropped or interfered with. What I mean by ‘whacky’ is that the Device Tunnel adaptor remains ‘connected’, but when you check the packet counter, the W10 client is sending packets, but not receiving anything from the Server. When you check the server logs, it just shows a generic “User Requested Disconnect” at the time of the client’s initial drop. This “half-connected” state usually lasts for 15 minutes before the Device Tunnel finally realizes that it’s hosed and the connection timer goes back to 00:00 and traffic starts flowing again. Why isn’t the Windows 10 client able to realize that the Device Tunnel is down and auto-reconnect sooner?

    Reply

    • Richard M. Hicks

       /  July 21, 2021

      This is likely caused by the default IKEv2 timeouts configured in Windows Server RRAS. It might be worth lowering the default timeout and outage time window values to prevent this (or at least make it faster). You can set the IKEv2 timeout by running the following command on your RRAS server.

      netsh.exe ras set ikev2connection idletimeout = 5 nwoutagetime = 5

      Reply

    • Richard M. Hicks

       /  July 21, 2021

      You might also have to disable IKE mobility on the client-side, or reduce the timeout value there too. You’ll find that in the advanced security settings for the VPN profile.

      Reply

      • Andrey Zasypkin

         /  February 23, 2023

        Hi Richard, what is the best way to change value on number of Redial attempts … can this option be added to Update-Rasphone.ps1 … thank you

      • Richard M. Hicks

         /  February 27, 2023

        I would assume editing rasphone.pbk. My script doesn’t support this, however.

  1. Always On VPN RRAS and Stale Connections | Richard M. Hicks Consulting, Inc.

Leave a Reply to Beau McMahonCancel reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading