Aug 20 2021 03:55 AM
We are having an issue with the always on device tunnels being removed on device start. Once logged in to windows, we have to do a manual sync with Intune for it to restore the connection. When the connection is available it runs as it normally would and does appear to stay there, but as soon as you reboot it deletes itself.
The VPN is deployed via Intune, and is set up with machine certs connecting to a RRAS server running on 2019. Works fine on all of our Windows 10 devices, and worked fine on our test device before upgrading to 11.
Aug 23 2021 01:13 AM
@Reza_Ameri
Yes that's correct, admittedly we haven't tried on a fresh install of Windows 11, only on an upgrade (for our environment 90% will be upgraded in the future).
I have been playing with it over the weekend as well and can also confirm I can replicate the issue if the device goes to sleep too.
As for Event Viewer logs, I am seeing event ID 233, the first being - The operation 'Delete' succeeded on nic 539A6C2E-3B4E-4AE3-9FA4-45218E7CB927 (Friendly Name: Always On VPN -), Instance Id {6da09a8c-62a3-4fdd-87b9-15904318d2b9}.
with subsequent redeploy events of:
The operation 'Create' succeeded on nic 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -), Instance Id {00000000-0000-0000-0000-000000000000}.
Miniport NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully initialized.
NIC 247A8E96-70BB-4EE5-88F1-8C0012190023 (Friendly Name: Always On VPN -) successfully connected to port 13370ECB-0D6A-4E9C-8DB0-F64170BDC969 (Friendly Name: Container NIC 23ca8c04) on switch C08CB7B8-9B3C-408E-8E30-5E16A3AEB444(Friendly Name: Default Switch).
On the Intune logs I can see a couple of errors which could relate (although I am not entirely sure what they mean...)
MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Clear: first phase of Delete), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (An attempt was made to reference a token that does not exist.).
MDM ConfigurationManager: Command failure status. Configuration Source ID: (C664FCF1-D9FD-4FC4-8258-AF86250964CB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (VPNv2), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/VPNv2/Always On VPN - Device Tunnel), Result: (The specified quota list is internally inconsistent with its descriptor.).
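The following PowerShell script is an added example, not code posted in this thread. It gathers, on a single Windows 11 client, the three pieces of evidence the post above describes: whether the device tunnel still exists after a reboot or sleep, the nic Delete/Create events, and the VPNv2 CSP command failures, and optionally triggers the Intune sync that the poster had to run by hand. Two things are assumptions rather than facts from the thread: the nic events are read from the Hyper-V VmSwitch operational log (the post does not name the log the event ID 233 entries came from), and the sync is kicked via the EnterpriseMgmt `PushLaunch` scheduled task. Run it elevated.

```powershell
# Added example, not from the thread. Collects the device-tunnel symptoms described in the
# post on one client. Assumptions: nic events come from the Hyper-V VmSwitch operational
# log; the MDM sync is triggered through the EnterpriseMgmt 'PushLaunch' scheduled task.
param(
    [string]$ProfileName = 'Always On VPN - Device Tunnel',   # CSP URI leaf quoted in the post
    [int]$Hours = 24,
    [switch]$TriggerSync
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Device tunnels live in the all-user phonebook, so query with -AllUserConnection
$conn = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
        Where-Object Name -eq $ProfileName
if ($conn) { "Tunnel '$ProfileName' present, status $($conn.ConnectionStatus)" }
else       { "Tunnel '$ProfileName' MISSING (the post-reboot / post-sleep symptom)" }

# 2. nic Delete/Create events (event ID 233 in the post), oldest first, one line each
$nicLog = 'Microsoft-Windows-Hyper-V-VmSwitch-Operational'          # assumption, see lead-in
Get-WinEvent -FilterHashtable @{ LogName = $nicLog; Id = 233; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object Message -match 'Always On VPN' |
    Sort-Object TimeCreated |
    ForEach-Object {
        # 'Delete' / 'Create' for the operation events; init/connect messages carry no operation
        $op = if ($_.Message -match "operation '(\w+)'") { $Matches[1] } else { 'init/connect' }
        '{0:s}  {1,-12} {2}' -f $_.TimeCreated, $op, (($_.Message -split "`r?`n")[0])
    }

# 3. MDM CSP errors for the VPNv2 provider: pull Command Type and Result out of the message text
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object Message -match 'Provider Name: \(VPNv2\)' |
    Select-Object TimeCreated, Id,
        @{ n = 'Command'; e = { [regex]::Match($_.Message, 'Command Type: \(([^)]+)\)').Groups[1].Value } },
        @{ n = 'Result';  e = { [regex]::Match($_.Message, 'Result: \(([^)]+)\)').Groups[1].Value } } |
    Format-Table -AutoSize -Wrap

# 4. Optional: the manual "sync with Intune" the poster needed, started from the device itself
if ($TriggerSync) {
    $task = Get-ScheduledTask |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and $_.TaskName -eq 'PushLaunch' }
    if ($task) { $task | Start-ScheduledTask; "Started MDM sync task $($task.TaskPath)$($task.TaskName)" }
    else       { "No EnterpriseMgmt PushLaunch task found; device may not be MDM enrolled" }
}
```

Run it once right after a reboot, before any manual sync, to capture the 'Delete' event and the CSP failure together; run it again with `-TriggerSync` and compare the output to confirm that the sync is what brings the 'Create' event and the tunnel back.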
Nov 25 2021 09:12 PM
@jjeffries Seeing this also on our corporate devices, have had to suspend rollout as our engineers require VPN to provide on call emergency cover.
Nov 25 2021 11:28 PM - edited Nov 25 2021 11:31 PM
Just received from Microsoft: "I would like to inform you that the issue which you are facing is an ongoing issue in Windows 11 and our team is working to fix it soon. For more details you can refer to the article https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure"
Below is the Custom Config profile XML I have used to create a working (without errors during sync) IKEv2 split tunnel VPN with RADIUS authentication of user certificates. Beware: almost everything is case sensitive, like the RADIUS server names, the XML labels etc.
<VPNProfile>
  <ProfileName>AOVPN</ProfileName>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>domain.com</DnsSuffix>
  <TrustedNetworkDetection>domain.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.domain.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <CipherTransformConstants>AES128</CipherTransformConstants>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <PfsGroup>PFS2048</PfsGroup>
      <DHGroup>Group14</DHGroup>
    </CryptographySuite>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames>RADIUS1.domain.com;RADIUS2.domain.com</ServerNames>
                    <TrustedRootCA>xxxxxxxxxxxxxxxx Root CA hash xxxxxxxxxxxxxxxxxxxxxxxxxx </TrustedRootCA>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                  <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <CAHashList Enabled="true">
                        <IssuerHash>xxxxxxxxxxx Issuing CA hash xxxxxxxxx </IssuerHash>
                      </CAHashList>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
  <DomainNameInformation>
    <DomainName>.domain.com</DomainName>
    <DnsServers>192.168.1.1,192.168.1.2</DnsServers>
  </DomainNameInformation>
  <Route>
    <Address>192.168.1.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
</VPNProfile>
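The PowerShell below is an added example, not the poster's code and not part of the VPNv2 CSP. It runs static checks on a profile XML like the one above before it is pushed through an Intune custom OMA-URI profile, targeting exactly the case-sensitivity trap the post warns about, plus the two hash placeholders the post leaves blank (it verifies each is a 40-hex-character SHA-1 thumbprint and that the matching CA certificate is in the local machine's Root or CA store). The table of permitted values is this author's reading of the VPNv2 CSP reference, not something quoted in the thread; `Get-CaThumbprint` is a helper name chosen here. It also goes beyond the posted user-tunnel profile: it accepts a device-tunnel profile (`<DeviceTunnel>true` with `<MachineMethod>Certificate`), which is the kind of tunnel the original poster's problem concerns, and checks that the two forms are not mixed.

```powershell
# Added example, not code from the thread. Static checks on a VPNv2 custom-profile XML.
# The allowed-value table is this author's reading of the VPNv2 CSP docs (assumption).
param([Parameter(Mandatory)][string]$Path)

function Get-CaThumbprint {
    # Helper (name chosen here): candidate values for <TrustedRootCA> / <IssuerHash>,
    # i.e. SHA-1 thumbprints of CA certs this machine already trusts.
    param([string]$SubjectLike = '*')
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object Subject -like $SubjectLike |
        Select-Object Subject, Thumbprint, NotAfter, PSParentPath
}

# A mis-cased or unbalanced tag fails right here, before any Intune sync error appears
[xml]$doc = Get-Content -Path $Path -Raw
$vpn = $doc.VPNProfile
if (-not $vpn) { throw 'Root element must be <VPNProfile> (case sensitive)' }
$problems = [System.Collections.Generic.List[string]]::new()

# Case-sensitive enumerations, keyed by XPath relative to <VPNProfile>
$allowed = @{
    'AlwaysOn'                                   = @('true','false')
    'DeviceTunnel'                               = @('true','false')
    'NativeProfile/RoutingPolicyType'            = @('SplitTunnel','ForceTunnel')
    'NativeProfile/NativeProtocolType'           = @('PPTP','L2TP','IKEv2','Automatic')
    'NativeProfile/Authentication/UserMethod'    = @('Eap','MSChapv2')
    'NativeProfile/Authentication/MachineMethod' = @('Certificate')
    'NativeProfile/CryptographySuite/EncryptionMethod'                 = @('DES','DES3','AES128','AES192','AES256','AES_GCM_128','AES_GCM_256')
    'NativeProfile/CryptographySuite/IntegrityCheckMethod'             = @('MD5','SHA196','SHA256','SHA384')
    'NativeProfile/CryptographySuite/CipherTransformConstants'         = @('DES','DES3','AES128','AES192','AES256','GCMAES128','GCMAES192','GCMAES256')
    'NativeProfile/CryptographySuite/AuthenticationTransformConstants' = @('MD596','SHA196','SHA256128','GCMAES128','GCMAES192','GCMAES256')
    'NativeProfile/CryptographySuite/PfsGroup'                         = @('None','PFS1','PFS2','PFS2048','ECP256','ECP384','PFSMM','PFS24')
    'NativeProfile/CryptographySuite/DHGroup'                          = @('Group1','Group2','Group14','ECP256','ECP384','Group24')
}
foreach ($xpath in $allowed.Keys) {
    $node = $vpn.SelectSingleNode($xpath)
    if ($node -and ($node.InnerText -cnotin $allowed[$xpath])) {      # -cnotin: case-sensitive
        $problems.Add("<$($xpath.Split('/')[-1])> value '$($node.InnerText)' is not one of: $($allowed[$xpath] -join ', ') (case sensitive)")
    }
}

# Required elements
foreach ($xpath in 'ProfileName','NativeProfile/Servers','NativeProfile/NativeProtocolType') {
    if (-not $vpn.SelectSingleNode($xpath)) { $problems.Add("Missing required element <$xpath>") }
}

# Device tunnel (machine cert) vs user tunnel (EAP): do not mix the two forms
$dt       = $vpn.SelectSingleNode('DeviceTunnel')
$isDevice = ($dt -and $dt.InnerText -eq 'true')
$auth     = $vpn.SelectSingleNode('NativeProfile/Authentication')
if ($isDevice) {
    if (-not ($auth -and $auth.SelectSingleNode('MachineMethod'))) { $problems.Add('Device tunnel needs <MachineMethod>Certificate</MachineMethod>') }
    if ($auth -and $auth.SelectSingleNode('UserMethod'))           { $problems.Add('Device tunnel must not carry <UserMethod>') }
} elseif ($auth -and $auth.SelectSingleNode('UserMethod') -and
          $auth.SelectSingleNode('UserMethod').InnerText -ceq 'Eap' -and
          $doc.GetElementsByTagName('EapHostConfig').Count -eq 0) {
    $problems.Add('<UserMethod>Eap</UserMethod> requires an <EapHostConfig> block')
}

# CA hashes: 40 hex chars (SHA-1 thumbprint, spaces allowed) and present in the local store
foreach ($tag in 'TrustedRootCA','IssuerHash') {
    foreach ($n in $doc.GetElementsByTagName($tag)) {
        $hex = $n.InnerText -replace '\s', ''
        if ($hex -notmatch '^[0-9A-Fa-f]{40}$') {
            $problems.Add("<$tag> must be a 40-hex-char SHA-1 thumbprint, got '$($n.InnerText.Trim())'")
        } elseif (-not (Get-CaThumbprint | Where-Object Thumbprint -eq $hex)) {
            $problems.Add("<$tag> $hex is not in this machine's Root/CA store")
        }
    }
}

# Routes: address must parse, prefix must fit the address family
foreach ($r in $vpn.SelectNodes('Route')) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($r.Address, [ref]$ip)) {
        $problems.Add("Route address '$($r.Address)' is not an IP address"); continue
    }
    $max = if ($ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
    if ([int]$r.PrefixSize -lt 0 -or [int]$r.PrefixSize -gt $max) {
        $problems.Add("Route $($r.Address)/$($r.PrefixSize): PrefixSize must be 0..$max")
    }
}

if ($problems.Count) { $problems | ForEach-Object { "PROBLEM: $_" }; exit 1 }
"Profile '$($vpn.ProfileName)' passed static checks"
```

To fill in the two placeholders from the posted profile, dot-source the script or paste the helper and run `Get-CaThumbprint -SubjectLike '*Root CA*'` on a domain-joined client; the `Thumbprint` column is the value that goes into `<TrustedRootCA>` (root) and `<IssuerHash>` (issuing CA). Because the script only parses XML and reads the certificate store, it is safe to run on any client, and a profile that fails it would have produced a VPNv2 `Add` failure during sync rather than a working tunnel.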