All posts in category routing

Always On VPN RRAS Internal Interface Non-Operational

Windows 10 Always On VPN Routing Configuration

Always On VPN administrators troubleshooting connectivity issues may find the Internal network interface in the Routing and Remote Access management console (rrasmgmt.msc) administrative status indicates ‘Unknown’. They will also notice the Operational Status shows Non-operational.

Internal Interface

For clarification, the ‘Internal’ network interface in the Routing and Remote Access management console, as shown above, is not a physical network adapter on the server. Instead, it is a virtual network interface used only for incoming VPN connections.

Non-Operational

The Internal virtual network interface will not be created until the VPN server accepts its first VPN connection. Because of this, the Internal interface will have an operational status of non-operational until the first client attempts to connect. When this occurs, RRAS creates the interface, then assigns it the first IP address from the static IPv4 address pool. Alternatively, if DHCP is configured, it will assign the first IP address returned by the DHCP server.

Interface Names

While discussing network interfaces, I typically recommend renaming them in Windows to identify their function, especially when using two NIC configurations. However, be careful not to name the server’s internal network adapter ‘Internal’, as this can be confusing in the future. In my example above, I use the name ‘LAN’ to identify the internal adapter to distinguish it from the server’s ‘Internal’ virtual interface.

Additional Information

Windows Server RRAS Service Does Not Start

Windows Server RRAS Monitoring and Reporting

Microsoft Always On VPN and RRAS in Azure

Microsoft Always On VPN and RRAS with Signle NIC

Leave a comment
by Richard M. Hicks on September 24, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Operational Support, Remote Access, routing, routing and remote access service, RRAS, troubleshooting, VPN, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 24, 2022

https://directaccess.richardhicks.com/2022/09/24/always-on-vpn-rras-internal-interface-non-operational/

Always On VPN Client Routes Missing

Choosing an Enterprise VPN

When configuring Always On VPN for Windows 10 and Windows 11 clients, administrators may encounter a scenario where an IPv4 route defined in Microsoft Endpoint Manager/Intune or custom XML is not reachable over an established Always On VPN connection. Further investigation indicates the route is added to the configuration on the endpoint but does not appear in the routing table when the connection is active.

Routing Configuration

When split tunneling is enabled, administrators must define routes to IP networks that are reachable over the Always On VPN connection. The method of defining these routes depends on the client configuration deployment method.

Endpoint Manager

Using Microsoft Endpoint Manager, administrators define IP routes in the Split Tunneling section of the configuration settings for the Always On VPN device configuration profile. Routes are defined by entering the destination prefix and prefix size. In this example, the 10.0.0.0/8 and 172.21.12.0/21 IPv4 networks are defined for routing over the Always On VPN tunnel.

Custom XML

Using custom XML deployed using Microsoft Endpoint Manager, System Center Configuration Manager (SCCM), or PowerShell, routes are defined in the XML file using the following syntax.

Client Configuration

Validate the routing configuration has been implemented on the endpoint successfully by running the following PowerShell command.

Get-VpnConnection -Name <Connection Name> | Select-Object -ExpandProperty Routes

As you can see here, the IPv4 routes 10.0.0.0/8 and 172.21.12.0/21 are included in the client’s Always On VPN configuration, as shown below.

Missing Route

However, after establishing an Always On VPN connection, the 172.21.12.0/21 network is not reachable. To continue troubleshooting, run the following PowerShell command to view the active routing table.

Get-NetRoute -AddressFamily IPv4

As you can see above, the only IPv4 route in the VPN configuration added to the routing table is the 10.0.0.0/8 network. The 172.21.12.0/21 IPv4 route is missing.

Network Prefix Definition

IPv4 routes missing from the Always On VPN client’s routing table result from incorrect network prefix definition. Specifically, the IPv4 route 172.21.12.0/21 used in the example here is not a valid network address. Rather, it is a host address in the 172.21.8.0/21 network, as shown below.

The Get-Subnet PowerShell cmdlet is part of the Subnet PowerShell module. To install this module, run the following PowerShell command.

Install-Module Subnet

Resolution

Using the example above, enabling access to the 172.21.12.0/21 subnet would require defining the IPv4 prefix in the routing configuration as 172.21.8.0/21. The moral of this story is always validate routing prefixes to ensure they are, in fact, network addresses and not host addresses.

Additional Information

Always On VPN Routing Configuration

Always On VPN Default Class-based Route and Microsoft Endpoint Manager/Intune

15 Comments
by Richard M. Hicks on November 8, 2021  •  Permalink
Posted in Always On VPN, AOVPN, Azure VPN, Azure VPN Gateway, Enterprise, enterprise mobility, InTune, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, routing, split tunnel, split tunneling, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 8, 2021

https://directaccess.richardhicks.com/2021/11/08/always-on-vpn-client-routes-missing/

Always On VPN Force Tunneling with Office 365 Exclusions

Always On VPN Force Tunneling with Office 365 ExclusionsWith the COVID-19 global pandemic forcing nearly everyone to work from home these days, organizations that implemented force tunneling for their VPN clients are likely encountering unexpected problems. When force tunneling is enabled, all client traffic, including Internet traffic, is routed over the VPN tunnel. This often overloads the VPN infrastructure and causes serious slowdowns, which degrades the user experience and negatively impacts productivity. This is especially challenging because so many productivity applications like Microsoft Office 365 are optimized for Internet accessibility. It is one of the main reasons that force tunneling is not generally recommended.

Force Tunneling with Exceptions

When enabling split tunneling is not an option, administrators frequently ask about enabling force tunneling with some exceptions. The most common configuration is enabling force tunneling while still allowing Office 365 traffic to go outside of the tunnel. While this is something that third-party solutions do easily, it has been a challenge for Always On VPN. Specifically, Always On VPN has no way to route traffic by hostname or Fully-Qualified Domain Name (FQDN).

Exclusion Routes

To address this challenge, the administrator can configure Exclusion Routes. Exclusion Routes are supported in Windows 10 1803 with update KB4493437, Windows 10 1809 with update KB4490481, and Windows 10 1903/1909.

Exclusion routes are defined in the client routing table that are excluded from the VPN tunnel. The real challenge here is determining all the required IP addresses required for Office 365.

Microsoft Published Guidance

Given current events and the heavy demands placed on enterprises supporting exclusively remote workforces, Microsoft has recently published guidance for configuring Always On VPN force tunneling while excluding Office 365 traffic. Their documentation includes all the required IP addresses to configure exclusions for. This will make it much simpler for administrators to configure Always On VPN to support this unique scenario. The following links provide detailed configuration guidance for enabling force tunneling for Always On VPN with exceptions.

Additional Information

Windows 10 Always On VPN Split vs. Force Tunneling

Windows 10 Always On VPN Routing Configuration

Windows 10 Always On VPN Lockdown Mode

26 Comments
by Richard M. Hicks on April 9, 2020  •  Permalink
Posted in Always On VPN, AOVPN, cloud, Enterprise, enterprise mobility, force tunnel, force tunneling, Mobility, ProfileXML, public cloud, Remote Access, routing, routing and remote access service, RRAS, Security, split tunnel, split tunneling, user tunnel, VPN, Windows 10
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 9, 2020

https://directaccess.richardhicks.com/2020/04/09/always-on-vpn-force-tunneling-with-office-365-exclusions/

%d bloggers like this: