Always On VPN Administrators may encounter a scenario where Always On VPN connections suddenly stop working for all clients using the Secure Socket Tunneling Protocol (SSTP) VPN protocol. IKEv2 VPN connections continue to work, however.
Event Log
Reviewing the event log on a client machine reveals an error event ID 20227 from the RasClient source. The error message states the following.
“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is -2146762495.”
Error -2146762495?
Always On VPN administrators will be familiar with error codes such as 809, 691 and 812, 853, 858, and even 13801, 13806, and 13868. However, this error code seems to be formatted much differently. As it turns out, this message is in decimal format. Thankfully it’s pretty easy to convert it to something more meaningful, like hexadecimal. To do this, open the Windows calculator (calc.exe) and switch to programmer mode. Highlight DEC and enter -2146762495. The hexadecimal value will be displayed in the HEX field, as shown here.
Error 0x800B0101
After converting the error message from decimal to hex, use the Microsoft Error Lookup tool (err.exe) to translate the hex value of this error. As shown here, 0x800B0101 translates to CERT_E_EXPIRED.
Expired TLS Certificate
Once again, an expired certificate is to blame! In this case, the TLS certificate installed on the VPN server has expired and is no longer valid.
Resolution
The problem is simple enough to resolve, of course. Obtain a new TLS certificate from your certification authority (CA) of choice and update your VPN server configuration. You can find detailed guidance for updating the RRAS VPN server’s TLS certificate here. You will also find a video demonstration of the RRAS SSL/TLS certificate renewal process here.
Additional Information
Installing or Renewing an SSL/TLS Certificate on Windows Server RRAS for Always On VPN and SSTP
Microsoft Windows Always On VPN SSTP Security Configuration
Microsoft Windows Always On VPN SSL/TLS Certificate Requirements for SSTP
Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates