Troubleshooting Always On VPN Error 691 and 812 – Part 3

Troubleshooting Always On VPN Error 691 and 812 – Part 2When implementing Windows 10 Always On VPN, administrators may encounter errors 691 or 812 when establishing a VPN connection. There are several different configuration issues that will result in these errors. For example they may occur when TLS 1.0 has been disabled on the RRAS server when installed on servers prior to Windows Server 2016. It can also happen if a user’s Active Directory account is configured to deny dial-in access and the NPS server is not configured to ignore user account dial-in properties. Another scenario that can result in 691/812 errors is when the Active Directory security groups are configured as conditions on the Network Policy Server (NPS) Network Policy. See below for more details.

SSTP and Error 691

When attempting to establish an Always On VPN connection using the Secure Socket Tunneling Protocol (SSTP), administrators may encounter the following error message.

“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.”

Troubleshooting Always On VPN Error 691 and 812 – Part 2

In addition, an error 691 with event ID 20227 from the RasClient source can be found in the Application event log on the client.

“The user <domain\user> dialed a connection named which has failed. The error code returned on failure is 691.”

Troubleshooting Always On VPN Error 691 and 812 – Part 2

IKEv2 and Error 812

When attempting to establish an Always On VPN connection using Internet Key Exchange version 2 (IKEv2), administrators may encounter the following error message.

“The connection as prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

Troubleshooting Always On VPN Error 691 and 812 – Part 2

In addition, an error 812 with event ID 20227 from the RasClient source can be found in the Application event log on the client.

Troubleshooting Always On VPN Error 691 and 812 – Part 2

NPS Event Log

On the NPS server the administrator will find an entry in the application event log with event ID 6273 from the Microsoft Windows security auditing source and the Network Policy Server task category indicating the network policy server denied access to the user. Looking closely at this event log message shows Reason Code 48 and the following reason.

“The connection request did not match any configured network policy.”

Troubleshooting Always On VPN Error 691 and 812 – Part 2Group Membership

As stated earlier, another scenario in which administrators will encounter errors 691 and/or 812 is when the Network Policy on the NPS server is configured incorrectly. Specifically, and administrator may wish to grant access to more than one group but intend for access to be granted to users who are a member of any of them. Conversely, they may wish to require access in all specified groups to gain access to the VPN. Configuring each of these conditions is subtly different, however.

Open the NPS management console on the NPS server and follow the steps below to configure user group conditions correctly for the following scenarios.

Any Group

1. Right-click the Always On VPN network policy and choose Properties.
2. Click on the Conditions tab.
3. Click the Add button.
4. Click User Groups.
5. Click Add.
6. Click Add Groups.
7. Enter the name of the group you want to grant access to.
8. Click Ok.
9. Repeat the steps 6-8 above to specify additional groups.

Troubleshooting Always On VPN Errors 691 and 812

All Groups

1. Right-click the Always On VPN network policy and choose Properties.
2. Click on the Conditions tab.
3. Click the Add button.
4. Click User Groups.
5. Click Add.
6. Click Add Groups.
7. Enter the name of the group you want to grant access to.
8. Click Ok.
9. Repeat steps 3-8 above to specify additional groups (you must go back to the Add button on step 3!).

Troubleshooting Always On VPN Errors 691 and 812

Additional Information

Troubleshooting Always On VPN Error 691 and 812 – Part 1

Troubleshooting Always On VPN Error 691 and 812 – Part 2

Always On VPN Trusted Network Detection

Always On VPN Trusted Network DetectionWhen deploying Windows 10 Always On VPN, administrators can configure Trusted Network Detection (TND) which enables clients to detect when they are on the internal network. With this option set, the client will only automatically establish a VPN connection when it is outside the trusted network. Trusted network detection can be configured on both device tunnel and user tunnel connections.

TND Operation

When trusted network detection is configured, the VPN client will evaluate the DNS suffix assigned to all physical (non-virtual or tunnel) adapters that are active. If any of them match the administrator-defined trusted network setting, the client is determined to be on the internal network and the VPN connection will not connect. If the DNS suffix is not present on any of these adapters, the client is determined to be outside the internal network and the VPN connection will establish automatically.

TND Configuration

Trusted network detection is defined in the Intune UI or in ProfileXML as a string that matches the DNS suffix assigned to clients on the internal network. In this example, the DNS suffix on the internal network is lab.richardhicks.net.

Always On VPN Trusted Network Detection

Note: Your organization might have more than one DNS suffix. Ensure that the trusted network detection configuration includes all DNS suffixes in use in the environment to ensure reliable operation.

Intune

Follow the steps below to configured trusted network detection in Microsoft Intune.

  1. Open the Intune management portal (https://devicemanagement.microsoft.com/).
  2. Navigate to Devices > Configuration Profiles > [Profile Name] > Properties > Settings.
  3. Click on Trusted Network Detection.
  4. Enter the DNS suffix(es) used on the internal network.

Always On VPN Trusted Network Detection

ProfileXML

To define Trusted Network Detection in ProfileXML, add the TrustedNetworkDetection element as follows.

Always On VPN Trusted Network Detection

Caveats

In some instances, an Always On VPN client connection may persist, even if the client is connected to the internal network. A common scenario is when a client device connects to a Wi-Fi network that is not connected to the corporate network (for example guest Wi-Fi), then connects to the internal network with Ethernet via a docking station. If the Wi-Fi connection is still available, the Always On VPN connection will persist, even though the machine is connected to the internal network. This is expected and by design.

Workaround

To address this specific scenario, administrators can implement changes via group policy to the way Windows handles multiple connections to the same network. For example, beginning with Windows 10 1709, group policy can be configured to ensure that Windows 10 clients prefer wired Ethernet network connections over Wi-Fi, and to ensure that Wi-Fi connections disconnect when an Ethernet connection is detected.

GPO Configuration

Open the Group Policy management console (gpmc.msc) and perform the following steps to create the required group policy objects.

  1. Create a new Group Policy Object (GPO).
  2. Right-click the new GPO and choose Edit.
  3. Expand Computer Configuration > Administrative Templates > Network > Windows Connection Manager.
  4. Double-click the policy Minimize the number of simultaneous connections to the Internet or a Windows Domain.
  5. Select Enabled.
  6. From the Minimize Policy Options drop-down list choose 1 = Minimize simultaneous connections. Optionally you can choose to disable Wi-Fi whenever connected to Ethernet by choosing 3 = Prevent Wi-Fi when on Ethernet.
  7. Click Ok.Always On VPN Trusted Network Detection
  8. Double-click the policy Enable Windows to soft-disconnect a computer from a network.
  9. Select Disabled.
  10. Click Ok.Always On VPN Trusted Network Detection

Additional Information

Understanding and Configuring Windows Connection Manager

Always On VPN RRAS Monitoring and Reporting

Always On VPN RRAS Monitoring and ReportingWindows Server with the Routing and Remote Access Service (RRAS) role installed is a popular choice for Windows 10 Always On VPN deployments. Configuring RRAS is commonly performed using the RRAS management console but it can also be configured using PowerShell and/or netsh. In addition, there are a few different options for natively monitoring server health and client connection status.

RRAS Management Console

After installing the RRAS role, the administrator uses the RRAS management console (rrasmgmt.msc) to perform initial configuration. The RRAS management console can also be used to view client connection status by expanding the server and highlighting Remote Access Clients.

Connection Details

To view connection details for a specific connection, the administrator can right-click a connection and choose Status, or simply double-click the connection.

High level information about the connection including duration, data transfer, errors, and IP address assignment can be obtained here. In addition, the administrator can terminate the VPN connection by clicking the Disconnect button.

RRAS Management Console Limitations

Using the RRAS management console has some serious limitations. It offers only limited visibility into client connectivity status, for example. In addition, the client connection status does not refresh automatically. Also, the RRAS management console offers no historical reporting capability.

Remote Access Management Console

The Remote Access Management console (ramgmtui.exe) will be familiar to DirectAccess administrators and is a better option for viewing VPN client connectivity on the RRAS server. It also offers more detailed information on connectivity status and includes an option to enable historical reporting.

Dashboard

The Dashboard node in the Remote Access Management console provides high-level status for various services associated with the VPN server. It also provides a high-level overview of aggregate VPN client connections.

Operations Status

The Operations Status node in the Remote Access Management console provides more detailed information regarding the status of crucial VPN services. Here the administrator will find current status and information about service uptime.

Remote Client Status

The Remote Client Status node in the Remote Access Management console is where administrators will find detailed information about client connectivity. Selecting a connection will provide data about the connection including remote IP addresses, protocols, and ports accessed by the remote client, in addition to detailed connection information such as authentication type, public IP address (if available), connection start time, and data transferred.

Always On VPN RRAS Monitoring and Reporting

Double-clicking an individual connection brings up a detailed client statistics page for the connection, as shown here.

Always On VPN RRAS Monitoring and Reporting

Custom View

The Remote Access Management console includes the option to customize the data presented to the administrator. To view additional details about client connections, right-click anywhere in the column headings to enable or disable any of the fields as required.

Always On VPN RRAS Monitoring and Reporting

Recommended Columns

From personal experience I recommend adding the following columns in the Remote Access Management console.

  • IPv4 Address (this is the IP address assigned to the VPN clients by RRAS)
  • Connection Start Time
  • Authentication Method
  • Total Bytes In
  • Total Bytes Out
  • Rate

Always On VPN RRAS Monitoring and Reporting

Drawbacks

The only real drawback to using the Remote Access Management console is that it supports viewing connections from just one VPN server at a time. If you have multiple RRAS servers deployed, you must retarget the Remote Access Management console each time to view connections on different VPN servers in the organization.

You can retarget the Remote Access Management console at any time by highlighting the Configuration node in the navigation pane and then clicking the Manage a Remote Server link in the Tasks pane.

Always On VPN RRAS Monitoring and Reporting

Reporting

Remote Access reporting is not enabled by default on the RRAS VPN server. Follow the steps below to enable historical reporting for RRAS VPN connections.

1. Highlight the Reporting node in the Remote Access Management console.
2. Click Configure Accounting.
3. Uncheck Use RADIUS accounting.
4. Check Use inbox accounting.
5. Review the settings for data retention and make changes as required.
6. Click Apply.

Always On VPN RRAS Monitoring and Reporting

Optionally, historical reporting can be enabled using PowerShell by opening and elevated PowerShell command window and running the following command.

Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru

Important Note! There is a known issue with the inbox accounting database that can result in high CPU utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. To correct this issue, download and run the Optimize-InboxAccountingDatabase.ps1 script on each RRAS VPN server in the organization.

Additional Information

Windows 10 Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN and RRAS with Single NIC

Windows 10 Always On VPN and RRAS in Microsoft Azure

%d bloggers like this: