[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support]
In our previous post , we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment.
In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected.
To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command:
Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT
Let us now discuss some common issues with VPN connection.
Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer.
If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes.
You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced .
Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network .
That should ensure that the network and internet connection are up and running.
Let’s look at another error.
Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.
The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port.
You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not.
To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site .
On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit .
On the Edit Site Binding page, click View .
On the Certificate window, chose Details and make a note of the Thumbprint of the certificate.
Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site:
Get-WebBinding | Where-Object {$_.bindinginformation -eq "*:443:"} | fl certificateHash
Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well.
If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA1CertificateHash /t REG_BINARY /<thumbprint recorded from previous step> /f
Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of.
Let’s look at the next error.
Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.
If VPN client is unable to obtain an IP address from the VPN server, you may see this error.
In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties .
On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope.
On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%\tracing directory.
Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer.
These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.