All posts tagged error

Always On VPN Error -2146762495

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

Always On VPN Administrators may encounter a scenario where Always On VPN connections suddenly stop working for all clients using the Secure Socket Tunneling Protocol (SSTP) VPN protocol. IKEv2 VPN connections continue to work, however.

Event Log

Reviewing the event log on a client machine reveals an error event ID 20227 from the RasClient source. The error message states the following.

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is -2146762495.”

Error -2146762495?

Always On VPN administrators will be familiar with error codes such as 809, 691 and 812, 853, 858, and even 13801, 13806, and 13868. However, this error code seems to be formatted much differently. As it turns out, this message is in decimal format. Thankfully it’s pretty easy to convert it to something more meaningful, like hexadecimal. To do this, open the Windows calculator (calc.exe) and switch to programmer mode. Highlight DEC and enter -2146762495. The hexadecimal value will be displayed in the HEX field, as shown here.

Error 0x800B0101

After converting the error message from decimal to hex, use the Microsoft Error Lookup tool (err.exe) to translate the hex value of this error. As shown here, 0x800B0101 translates to CERT_E_EXPIRED.

Expired TLS Certificate

Once again, an expired certificate is to blame! In this case, the TLS certificate installed on the VPN server has expired and is no longer valid.

Resolution

The problem is simple enough to resolve, of course. Obtain a new TLS certificate from your certification authority (CA) of choice and update your VPN server configuration. You can find detailed guidance for updating the RRAS VPN server’s TLS certificate here. You will also find a video demonstration of the RRAS SSL/TLS certificate renewal process here.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server RRAS for Always On VPN and SSTP

VIDEO: Installing or Renewing an SSL/TLS certificate on Windows Server RRAS for Always On VPN and SSTP

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL/TLS Certificate Requirements for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

Leave a comment
by Richard M. Hicks on February 15, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, certificates, Encryption, Enterprise, enterprise mobility, Mobility, Operational Support, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, TLS 1.3, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 15, 2022

https://directaccess.richardhicks.com/2022/02/15/always-on-vpn-error-2146762495/

Always On VPN PowerShell Script Issues in Windows 11

Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).

Important Note: The issues outlined in this article have been resolved! The fix for the WMI enumeration bug is addressed in the following updates:

Windows 11 21H2 – KB5022905 (build 22000.1641)

Windows 11 22H2 – KB5026446 (build 22621.1778)

MakeProfile.ps1

Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Proifle.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.

“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”

This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. Here you can see the template VPN profile with PowerShell and Get-VpnConnection.

However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.

New-AovpnConnection.ps1

Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.

Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉

Remove-AovpnConnection.ps1

The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-Aovpnconnection.ps1 on Windows 11 fails and returns the following error message.

“A general error occurred that is not covered by a more specific error code.”

Current Status

Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.

Additional Information

Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune

Microsoft Windows Always On VPN Profile Deployment Script

Microsoft Windows Always On VPN Remove Always On VPN Profile Script

Always On VPN PowerShell Script Repository on GitHub

70 Comments
by Richard M. Hicks on February 7, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Endpoint Manager, enterprise mobility, GitHub, InTune, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, System Center Configuration Manager, systems management, troubleshooting, Uncategorized, user tunnel, VPN, Windows 11, XML
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 7, 2022

https://directaccess.richardhicks.com/2022/02/07/always-on-vpn-powershell-script-issues-in-windows-11/

Always On VPN Error 13806

Troubleshooting Always On VPN Error 691 and 812 – Part 2

As a follow-up to my last post regarding Always On VPN error 13801, this post will cover a similar and related error administrators may encounter, the 13806 error. As mentioned previously, certificate configuration is crucial for Always On VPN deployments. I described some specific certificates requirements for IKEv2 in this earlier post. Following this guidance, administrators should have no issues with IKEv2 Always On VPN connections. However, it is always possible to encounter an error if any of these certificates are missing or misconfigured.

Error 13806

Much like the error 13801 described previously, 13806 is also common. When an Always On VPN connection using IKEv2 fails, the Windows Application event log will record an event ID 20227 from the RasClient source. The error message states the following:

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13806”.

IKE Failed To Find Valid Machine Certificate

Error 13806 translates to ERROR_IPSEC_IKE_NO_CERT, indicating IKE failed to find a valid machine certificate. The problem can be on the device, the VPN server, or an issue with the VPN server configuration.

Device Certificate

For the device tunnel, the most obvious cause of this error is a missing device authentication certificate on the client itself. Ensure the endpoint has a valid certificate issued by the organization’s internal PKI that includes Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). The certificate must have a subject name matching the device’s FQDN. It must also be valid (not expired), trusted, and not revoked.

Certificate Chain

A 13806 error will occur if the device certificate installed on the client is not trusted or if the client does not trust the certificate installed on the VPN server. Ensure the client has all the necessary root and intermediate certification authority (CA) certificates installed in their respective certificate stores.

VPN Server Certificate

A 13806 error can also occur if the VPN server does not have a properly configured server certificate. Ensure the VPN server has a valid certificate issued by the organization’s internal PKI that includes both the Server Authentication (OID 1.3.6.1.5.5.7.3.1) and IP security IKE intermediate (OID 1.3.6.1.5.5.8.2.2) EKUs. The subject name must match the public fully qualified domain name (FQDN) used by VPN clients to connect to the VPN server (not the server’s NetBIOS name). Again, ensure the certificate is valid (not expired), trusted, not revoked, and all necessary root and intermediate CA certificates are installed in their respective certificate stores.

Certificate Revocation

An expired Certificate Revocation List (CRL) can also result in a 13806 error. Open the Enterprise PKI console (pkiview.msc) on an issuing CA and review the status of all CRLs. If any are expired, resolve any issues preventing the CRL from publishing successfully, then issue a new CRL by running certutil.exe -crl on the issuing CA server.

RRAS Configuration

Another cause of the 13806 error for the user tunnel is a misconfigured Routing and Remote Access Service (RRAS) VPN server. An error 13806 can happen if the administrator incorrectly defines a trusted root CA using Set-VpnAuthProtocol. Ensure that the root certificate thumbprint matches exactly the root CA server’s thumbprint used to issue certificates to VPN devices and the VPN server.

Get-VpnAuthProtocol

Root CA Certificate Thumbprint

Resolution

Ensure that devices and VPN servers have correctly configured certificates installed. If the root CA certificate is assigned incorrectly on the VPN server, follow the guidelines detailed here to update the configuration.

Additional Information

Microsoft Windows Always On VPN Error 13801

Microsoft Windows Always On VPN Certificate Requirements for IKEv2

Microsoft Windows Always On VPN IPsec Root Certificate Configuration Issue

Microsoft Windows Always On VPN IKEv2 Policy Mismatch Error

Microsoft Windows Always On VPN IKEv2 Security Configuration

Microsoft Windows Always On VPN IKEv2 Fragmentation

Microsoft Windows Always On VPN IKEv2 Load Balancing and NAT

Microsoft Windows Always On VPN IKEv2 Features and Limitations

3 Comments
by Richard M. Hicks on December 20, 2021  •  Permalink
Posted in Always On VPN, AOVPN, Azure Virtual WAN, Azure VPN, Azure VPN Gateway, certificates, device tunnel, Enterprise, enterprise mobility, IKEv2, Mobility, PowerShell, Remote Access, routing and remote access service, RRAS, Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on December 20, 2021

https://directaccess.richardhicks.com/2021/12/20/always-on-vpn-error-13806/

« Older Posts
Newer Posts »