All posts tagged routing and remote access service

RemoteAccess Service Hangs in Windows Server 2025

For Always On VPN administrators using the Routing and Remote Access Service (RRAS) on Windows Server 2025, you’ve likely encountered issues with service restarts and system reboots since migrating to the latest release of the Windows server operating system. I’ve experienced this myself, and many of my customers and Discord users have raised the same complaints.

Service Hang

Attempting to restart the RemoteAccess service after the server has accepted at least one VPN connection causes the service to hang. In addition, many have reported that the server hangs and eventually blue-screens during a shutdown or restart.

Resolution

Unfortunately, there is no workaround or fix for this issue today. However, hope is on the horizon.

Coming Soon

I have several customers with open support cases for this issue. Microsoft has informed them that a fix is due out soon, perhaps with the April security updates (April 14, 2026). I performed validation testing with the latest Insider build for Windows Server 2025 and can confirm that Microsoft fixed the issue in this release. Unfortunately, I wouldn’t recommend running an Insider build in production, so hang on (pun intended!) for the April security updates.

Additional Information

Always On VPN on Discord

Windows Server Insider Builds

Leave a comment
by Richard M. Hicks on March 3, 2026  •  Permalink
Posted in Always On VPN, AOVPN, Microsoft, Remote Access, routing and remote access service, RRAS, VPN, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on March 3, 2026

https://directaccess.richardhicks.com/2026/03/03/remoteaccess-service-hangs-in-windows-server-2025/

Always On VPN Security Updates June 2025

Patch Tuesday is upon us again; thankfully, it’s a light month of Always On VPN administrators. The Microsoft monthly security updates for June 2025 include just a few Windows Routing and Remote Access Service (RRAS) fixes. In addition, an update is available for a vulnerability in the Windows Remote Access Connection Manager. Significantly, DirectAccess administrators are affected this month by a vulnerability identified in the Windows KDC Proxy Service (KPSSVC).

RRAS Updates

The Microsoft security updates for June 2025 address the following CVEs for Windows Server RRAS.

Both RRAS CVEs are Remote Code Execution (RCE) vulnerabilities with max severity ratings of Important.

Remote Access Connection Manager

A security vulnerability in the Windows Remote Access Connection Manager is addressed with the following CVE.

An attacker exploiting this vulnerability could elevate local access privileges.

KDC Proxy

This critical vulnerability affects those organizations still supporting Microsoft DirectAccess in their environments.

This CVE addresses an RCE in the KDC Proxy Service (KPSSVC) that could allow an attacker to execute arbitrary code over the network. DirectAccess administrators are encouraged to apply this update as soon as possible.

Additional Information

Microsoft June 2025 Security Updates

Leave a comment
by Richard M. Hicks on June 10, 2025  •  Permalink
Posted in authentication, KDC Proxy, Microsoft, Remote Access, routing and remote access service, RRAS, Security Update, Update, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 10, 2025

https://directaccess.richardhicks.com/2025/06/10/always-on-vpn-security-updates-june-2025/

Microsoft Deprecates Legacy VPN Protocols

It’s long overdue, but Microsoft has finally announced the formal deprecation of the Point-to-Point Tunnel Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP) in Windows Server Routing and Remote Access (RRAS) Servers. Both protocols have long since been replaced with more secure alternatives such as the Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEV2). However, many organizations have RRAS servers configured using these legacy protocols to support ad-hoc, on-demand access for non-managed users and devices.

Deprecated Protocols

There are a few reasons why Microsoft has deprecated these legacy protocols. Consider the following.

PPTP

It’s been widely known for many years that PPTP is broken and terribly insecure. Using this VPN protocol today is tremendously risky.

L2TP

L2TP is still considered secure, for the most part. However, it has been replaced with IKEv2, which is more secure and efficient.

Future Support

Although Microsoft made the announcement recently, the protocols will still be included in Windows Server 2025 when released later this year. However, Microsoft may remove these protocols from future Windows Server releases.

Always On VPN

Those who have deployed Microsoft Always On VPN are likely already using modern, secure VPN protocols, so this deprecation announcement won’t impact them. Although PPTP and L2TP are technically supported with Always On VPN, they are not commonly configured.

Recommendations

Administrators using Windows Server RRAS for VPN access using PPTP are encouraged to migrate to another protocol immediately. Those continuing to use L2TP should consider migrating soon.

Additional Information

Always On VPN Protocol Recommendations for Windows Server RRAS

Leave a comment
by Richard M. Hicks on October 11, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, end of life, Enterprise, enterprise mobility, EOL, IKEv2, L2TP, Microsoft, Mobility, Operational Support, PPTP, Remote Access, routing, routing and remote access service, RRAS, Security, SSTP, TLS, VPN, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 11, 2024

https://directaccess.richardhicks.com/2024/10/11/microsoft-deprecates-legacy-vpn-protocols/

« Older Posts