TMG2010 site-to-site VPN fails to dial with error 913 (A Remote Access Client attempted to connect over a port that was reserved for Routers only)

Scenario

When configuring site-to-site (S2S) VPN networks, you may notice that the VPN tunnel doesn't connect.

On the dialing TMG server, you'll see the following event logs:

Log Name:      Application
Source:        RasClient
Event ID:      20227
Description: CoId={A56F6195-18BB-44ED-AE45-34B70D127A2C}: The user SYSTEM dialed a connection named Net2 which has failed. The error code returned on failure is 913.

Log Name:      System
Source:        RemoteAccess
Event ID:      20111
Description: A Demand Dial connection to the remote interface Net2 on port VPN2-4 was successfully initiated but failed to complete successfully because of the  following error: A Remote Access Client attempted to connect over a port that was reserved for Routers only.

And on the other TMG server, you'll see this event log:

Log Name:      System
Source:        RemoteAccess
Event ID:      20270
Description: CoID={31A76222-6269-4085-95E5-B3DAC64F69FD}: The user Net2, attempting to connect on VPN2-100, was disconnected because of the following  reason: A Remote Access Client attempted to connect over a port that was reserved for Routers only.
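
To check whether a given TMG server has logged this failure, and whether it was the dialing or the answering side, the three events above can be queried in one pass. This is an added example, not part of the original post; the event IDs, sources and log names come from the events quoted above, while the 7-day window and the use of the Source value as the provider name are assumptions.

```powershell
# Added example: search the local event logs for the error 913 signature.
# Event IDs, sources and log names are taken from the events quoted in the post.
# Assumption: look back 7 days; adjust as needed.
$since = (Get-Date).AddDays(-7)

$checks = @(
    @{ Role = 'Dialing side';   LogName = 'Application'; ProviderName = 'RasClient';    Id = 20227; Match = 'error code returned on failure is 913' },
    @{ Role = 'Dialing side';   LogName = 'System';      ProviderName = 'RemoteAccess'; Id = 20111; Match = 'reserved for Routers only' },
    @{ Role = 'Answering side'; LogName = 'System';      ProviderName = 'RemoteAccess'; Id = 20270; Match = 'reserved for Routers only' }
)

$hits = foreach ($c in $checks) {
    $filter = @{
        LogName      = $c.LogName
        ProviderName = $c.ProviderName   # assumption: the Source shown in the log is the provider name
        Id           = $c.Id
        StartTime    = $since
    }
    # Get-WinEvent raises an error when nothing matches, so suppress it and treat it as "no hits".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($c.Match)*" } |
        Select-Object @{ n = 'Role'; e = { $c.Role } }, TimeCreated, Id, ProviderName, Message
}

if ($hits) {
    # Oldest first, so repeated dial attempts read in order.
    $hits | Sort-Object TimeCreated | Format-List
} else {
    "No error 913 events found on this server in the last 7 days."
}
```

Hits tagged "Answering side" identify the server that rejected the connection.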

Solution

In order to accept any VPN connections, you must enable VPN client access, even if you only expect site-to-site VPN connections.

-Gabriel Koren, TMG product team