All posts tagged rasdial

Always On VPN Device Tunnel Issues with April 2024 Security Update

Always On VPN administrators may find that their device tunnel connections no longer connect automatically after applying the April 2024 security updates. The device tunnel connection is optional and only required under specific conditions, so end users may not be immediately impacted. However, administrators should be aware of this issue.

Note: The issues outlined in this post have been resolved with the May 14, 2024, security updates.

Error Messages

When manually establishing an Always On VPN device tunnel connection using rapshone.exe or rasdial.exe, you may receive one of the following error messages.

Rasphone.exe

Error 0x80070057: The parameter is incorrect.

Rasdial.exe

Connecting to <Name of Device Tunnel>…The parameter is incorrect.

Affected Devices

The issue affects all supported versions of Windows with an Always On VPN device tunnel connection configured to require a specific Enhanced Key Usage (EKU) OID. Administrators can run the following PowerShell command to identify this configuration.

Get-VpnConnection -AllUserConnection -Name <Name of Device Tunnel> | Select-Object MachineCertificateEkuFilter

If the output of this PowerShell command returns data, it is affected by this issue.

Workaround

To restore Always On VPN device tunnel functionality on devices with the April 2024 security updates installed, open an elevated PowerShell command window and run the following command.

Set-VpnConnection -AllUserConnection -Name ‘Always On VPN Device Tunnel’ -MachineCertificateEKUFilter $Null

After running this command, the output should now be blank.

Caveat

The problem with implementing the workaround described here is that you likely enabled this configuration to address an issue where the wrong certificate was selected for use with the device tunnel. In this case, the workaround may result in unexpected behavior and may not restore full functionality.

Known Issue Rollback

Currently, Microsoft is aware of the issue and is actively working to resolve it. If you are experiencing this issue, open a support case with Microsoft, and they will provide you with more information and possibly a private Known Issue Rollback (KIR). I will update this post as soon as Microsoft publishes a permanent fix.

Additional Information

Always On VPN Device Tunnel Operation and Best Practices

Always On VPN Device Tunnel Only Deployment Considerations

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN

Leave a comment
by Richard M. Hicks on April 23, 2024  •  Permalink
Posted in Always On VPN, AOVPN, Certificate Authentication, certificates, device tunnel, Enterprise, enterprise mobility, IKEv2, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, Security, Security Update, troubleshooting, Update, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 23, 2024

https://directaccess.richardhicks.com/2024/04/23/always-on-vpn-device-tunnel-issues-with-april-2024-security-update/

Always On VPN Device Tunnel Does Not Connect Automatically

When configuring a Windows 10 Always On VPN device tunnel, the administrator may encounter a scenario in which the device tunnel does not connect automatically. This can occur even when ProfileXML is configured with the AlwaysOn element set to “true”.

Always On VPN Device Tunnel Does Not Connect Automatically

Manual Connection

An administrator can establish a device tunnel connection manually using rasdial.exe however, indicating no issues with connectivity or authentication that would prevent a successful automatic connection.

Always On VPN Device Tunnel Does Not Connect Automatically

Root Cause

This scenario will occur when the device tunnel configuration is applied to a Windows 10 Professional edition client.

Always On VPN Device Tunnel Does Not Connect Automatically

Device Tunnel Support

The Windows 10 Always On VPN device tunnel is supported only on Windows 10 1709 or later Enterprise edition clients that are domain-joined. To ensure the device tunnel connects automatically, upgrade to Windows 10 Enterprise 1709 or later and join it to a domain.

Always On VPN Device Tunnel Does Not Connect Automatically

Source: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#device-tunnel-requirements-and-features

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN Device Tunnel Missing in the Windows UI

Deleting a Windows 10 Always On VPN Device Tunnel

112 Comments
by Richard M. Hicks on March 14, 2019  •  Permalink
Posted in Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, IKEv2, Manage Out, Remote Access, routing and remote access service, RRAS, troubleshooting, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 14, 2019

https://directaccess.richardhicks.com/2019/03/14/always-on-vpn-device-tunnel-does-not-connect-automatically/

Deleting an Always On VPN Device Tunnel

Deleting an Always On VPN Device TunnelWindows 10 Always On VPN supports both a user tunnel for corporate network access, and a device tunnel typically used to provide pre-logon network connectivity and to support manage out scenarios. The process of testing Always On VPN is often an iterative one involving trial and error testing to fine tune the configuration parameters to achieve the best experience. As a part of this process it will often be necessary to delete a connection at some point. For the user tunnel the process is simple and straightforward. Simply disconnect the session and delete the connection in the UI.

Deleting an Always On VPN Device Tunnel

Deleting a device tunnel connection presents a unique challenge though. Specifically, there is no VPN connection in the UI to disconnect and remove. To delete an Always On VPN device tunnel, open an elevated PowerShell window and enter the following command.

Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

If the device tunnel is connected when you try to remove it, you will receive the following error message.

The VPN connection [connection_name] cannot be removed from the global user connections. Cannot
delete a connection while it is connected.

Deleting an Always On VPN Device Tunnel

The device tunnel must first be disconnected to resolve this issue. Enter the following command to disconnect the device tunnel.

rasdial.exe [connection_name] /disconnect

Remove the device tunnel connection using PowerShell once complete.

Deleting an Always On VPN Device Tunnel
Additional Resources

Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

What’s The Difference Between DirectAccess and Always On VPN?

Windows 10 Always On VPN Recommendations for Windows Server 2016 Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Hands-On Training

50 Comments
by Richard M. Hicks on March 12, 2018  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Manage Out, Mobility, PowerShell, Remote Access, Security, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 12, 2018

https://directaccess.richardhicks.com/2018/03/12/deleting-an-always-on-vpn-device-tunnel/