Troubleshooting Common VPN issues on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support]

In our previous post, we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment.

In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected.

To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command:

Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT

Let us now discuss some common issues with VPN connection.

Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer.

clip_image001

If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes.

clip_image002

You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced.

clip_image003

Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network.

image

That should ensure that the network and internet connection are up and running.

Let’s look at another error.

Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

clip_image005

The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port.

You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not.

To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site.

clip_image006

On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit.

clip_image007

On the Edit Site Binding page, click View.

clip_image008

On the Certificate window, chose Details and make a note of the Thumbprint of the certificate.

clip_image009

Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site:

Get-WebBinding | Where-Object {$_.bindinginformation -eq "*:443:"} | fl certificateHash

Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well.

image

If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA1CertificateHash /t REG_BINARY /<thumbprint recorded from previous step> /f

Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of.

Let’s look at the next error.

Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.

clip_image011

If VPN client is unable to obtain an IP address from the VPN server, you may see this error.

In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties.

clip_image012

On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope.

clip_image013

On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%\tracing directory.

clip_image014

Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer.

clip_image015

These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.