Rock around the Remote Access Service

The story: one of our customers called in to say that he had just finished migrating to TMG and, as a last step, wanted to enable VPN Client Access. He did, but the outcome was unexpected: the TMG array was no longer reachable through the NLB address.

According to the TMG console, VPN Client Access was enabled, but on the Services tab under Monitoring both the Remote Access service and Network Load Balancing were in the stopped state. In fact, Network Load Balancing was complaining about a VPN problem.

The services could not be started manually.


The first thing I checked was the Application log:

Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 25/01/2012 16:32:05
Event ID: 14104
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXX
Description:
Failed to start the Routing and Remote Access service. Look at the system event log for more errors.

Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 25/01/2012 16:32:05
Event ID: 21199
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXX
Description:
The Remote Access Service configuration for VPN could not be completed. As a result, the Remote Access Service may be stopped.

Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 25/01/2012 16:32:36
Event ID: 21122
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: XXX
Description:
Network Load Balancing on the local computer will be stopped because the Remote Access Service is not running or not responding, although VPN is enabled.

Since service-related issues are logged in the System log, I had a look at that log as well:

Log Name: System
Source: RemoteAccess
Date: 25/01/2012 16:32:04
Event ID: 20103
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXX
Description:
Unable to load C:\Windows\System32\iprtrmgr.dll.

Log Name: System
Source: Service Control Manager
Date: 25/01/2012 16:32:06
Event ID: 7024
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXX
Description:
The Routing and Remote Access service terminated with service-specific error A device attached to the system is not functioning..

The logs showed that the underlying problem was the Routing and Remote Access service failing to start. Searching for the error message “A device attached to the system is not functioning” gave many hits; in most cases the issue started after IPv6 had been disabled with the DisabledComponents registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters).

Checking the registry, we found that the value was indeed present.
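The same two checks, pulling the related events from both logs and decoding the DisabledComponents value, can be scripted. The script below is an added example written for this post, not the author's or the TMG team's tooling. It assumes it is run elevated on the TMG server with PowerShell 2.0 or later; the event IDs, sources and registry path are the ones shown above, and the bit meanings for DisabledComponents are the documented ones (0x01 tunnel interfaces, 0x10 non-tunnel interfaces, 0x20 prefer IPv4, 0xFF everything except loopback).

```powershell
# Added diagnostic script for the RRAS/IPv6 start failure described in the post.
# Assumes: elevated PowerShell 2.0+ on the TMG server. Not from the original post.

# Application-log IDs come from the TMG Firewall source, System-log IDs from
# RemoteAccess (20103) and Service Control Manager (7024).
$queries = @(
    @{ LogName = 'Application'; Id = 14104, 21199, 21122; StartTime = (Get-Date).AddDays(-1) },
    @{ LogName = 'System';      Id = 20103, 7024;         StartTime = (Get-Date).AddDays(-1) }
)

# 1. Collect the events from both logs and order them in time, so the RRAS
#    failure (20103 -> 7024) is seen before TMG's reaction (14104/21199/21122).
#    -ErrorAction SilentlyContinue hides Get-WinEvent's "no events found" error.
$events = foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}
$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } -AutoSize

# 2. Read DisabledComponents and decode which parts of IPv6 it switches off.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
$item = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
if ($item -eq $null) {
    "DisabledComponents is not set: IPv6 has not been disabled through the registry."
} else {
    $v = [uint32]$item.DisabledComponents
    "DisabledComponents = 0x{0:X}" -f $v
    if ($v -band 0x01) { "  0x01 - all tunnel interfaces (6to4, ISATAP, Teredo) disabled" }
    if ($v -band 0x10) { "  0x10 - IPv6 on all non-tunnel (LAN/PPP) interfaces disabled" }
    if ($v -band 0x20) { "  0x20 - IPv4 preferred over IPv6 in the prefix policy" }
    if (($v -band 0xFF) -eq 0xFF) {
        "  0xFF - IPv6 fully disabled except loopback: this is the unsupported setting that stops RRAS on TMG."
    }
}

# 3. Current state of the Routing and Remote Access service the console showed as stopped.
Get-Service -Name RemoteAccess | Format-Table Name, Status -AutoSize
```

Running this on the affected server would list event 20103 and 7024 first, then 14104, 21199 and 21122 within the following seconds, and report the 0xFF value; the same script on a healthy array member reports no events and no DisabledComponents value, which makes it a quick way to compare nodes.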


So we deleted it and rebooted the server. After this the problem was gone and everything worked fine.

Only one question remained: how do you disable IPv6 in a supported way on a TMG server?

Fortunately, our TechNet article on “Unsupported configurations” gives a clear answer:

Forefront TMG does not support IPv6 traffic

Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

Solution: It is recommended that you unbind IPv6 on the Forefront TMG computer network adapters. To do so, open each network adapter’s properties, and on the Networking tab, clear the checkbox for Internet Protocol Version 6 (TCP/IPv6).

Unsupported configurations

http://technet.microsoft.com/en-us/library/ee796231.aspx
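The fix we applied (delete the registry value, reboot) plus the supported configuration from the article (unbind TCP/IPv6 per adapter) can be done from PowerShell. This is an added example, not code from the post or from the TechNet article. It assumes an elevated session; the Get-/Disable-NetAdapterBinding cmdlets only exist on Windows Server 2012 and later, so on Windows Server 2008 R2 (the platform TMG runs on) the unbinding step still has to be done in the adapter properties dialog as the article describes, and the script says so instead of attempting it.

```powershell
# Added remediation example: reverse the unsupported registry change and, where
# the NetAdapter module exists, unbind IPv6 from the adapters (the supported way).
# Assumes an elevated session. Not from the original post or the TechNet article.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'

# 1. Remove DisabledComponents. -Confirm asks before deleting; the change only
#    takes effect after a reboot, exactly as in the post.
if (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $key -Name DisabledComponents -Confirm
    "DisabledComponents removed; reboot the server before re-enabling VPN Client Access."
} else {
    "DisabledComponents is not set; nothing to remove."
}

# 2. Unbind 'Internet Protocol Version 6 (TCP/IPv6)' (component ID ms_tcpip6) from
#    every adapter where it is still bound. Only possible with the NetAdapter
#    module (Windows Server 2012+); otherwise point the admin at the GUI step.
if (Get-Command Disable-NetAdapterBinding -ErrorAction SilentlyContinue) {
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            "Unbinding IPv6 from adapter '$($_.Name)'"
            Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
        }
    # Show the result: Enabled should now be False on every adapter.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Format-Table Name, DisplayName, Enabled -AutoSize
} else {
    "NetAdapter module not available (e.g. Windows Server 2008 R2): clear " +
    "'Internet Protocol Version 6 (TCP/IPv6)' on the Networking tab of each adapter's properties instead."
}
```

Step 2 can be rehearsed by adding -WhatIf to the Disable-NetAdapterBinding call; note that unbinding IPv6 from the adapters leaves the IPv6 stack itself (and therefore the loopback and the components RRAS loads at startup) in place, which is why this is the configuration the article recommends rather than DisabledComponents.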

The most important takeaway: the details may differ from case to case, but the Routing and Remote Access service will not start if you fully disable IPv6 with the DisabledComponents registry value.

Author:

Arpad Gulyas

Microsoft CSS Forefront Security Edge Team

Technical Reviewer:

Lars Bentzen

Sr. Escalation Engineer

Microsoft CSS Forefront Security Edge Team