Troubleshooting VPN connections
If you are seeing errors while establishing a VPN connection using the Windows built-in VPN client, you have reached the right place. This article will help you troubleshoot some of the common VPN related errors.
1) Error Code: 800
Error Description: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

Possible Cause: This error comes when the VPN tunnel type is ‘Automatic’ and the connection establishment fails for all the VPN tunnels.

Possible Solutions:
a> If you know which tunnel should actually be used for your deployment, set the ‘Type of VPN’ to that particular tunnel type on the VPN client side. [This can be set by clicking the ‘Network Connections’ icon on the bottom right of the task bar, selecting your connection, then Right Click -> Properties -> Security tab -> under ‘Type of VPN’ select the VPN tunnel type you are interested in.]
By making the VPN connection with a particular tunnel type, your connection will still fail, but it will give a more tunnel-specific error (for example: GRE blocked for PPTP, certificate error for L2TP, SSL negotiation errors for SSTP, etc.).
b> This error usually comes when the VPN server is not reachable or the tunnel establishment fails.
i. Make sure the VPN server is reachable (try to PING the server).
ii. If interested in PPTP, make sure the PPTP port (TCP 1723) and GRE (IP protocol 47) are not blocked on any firewall in between.
iii. If interested in L2TP, make sure
1. The correct pre-shared key or machine certificate is present on both client and server.
2. The L2TP port (UDP 1701) is not blocked on any of the firewalls.
iv. If interested in an IKEv2 based VPN tunnel, make sure
1. The IKE ports (UDP port 500, UDP port 4500) are not blocked.
2. The correct machine certificate for IKE is present on both client and server.
v. If interested in SSTP, make sure the correct machine certificate is installed on the server and the correct trusted root certificate is installed on the client machine.

2) Error Code: 609, 633
Error Description:
609: A device type was specified that does not exist.
633: The modem (or other connecting device) is already in use or is not configured properly.

Possible Cause: This error usually comes when the connecting VPN device (aka miniport) is not configured properly.

To confirm the issue: From an elevated command prompt, type the following command to confirm the presence of the miniport:
netcfg.exe -q <miniport name>
Following are the miniport device names for the different tunnels:
PPTP Tunnel: MS_PPTP
L2TP Tunnel: MS_L2TP
SSTP Tunnel: MS_SSTP
VPN Reconnect (IKEv2) Tunnel: MS_AGILEVPN

Possible Solution:
1. In Windows 7, a built-in diagnostic with repair is provided for the ‘miniport missing’ issue for locally created VPN connections. A ‘Diagnostic’ button is shown on the Error page of the VPN connection. Clicking this button gives a ‘repair’ option if it finds the issue to be a missing miniport; clicking ‘repair’ will automatically try to fix the issue.
2. On Vista or an earlier OS, if the miniport device is missing, you can run the following commands from an ‘elevated’ command prompt:
a> netcfg.exe -e -c p -i <miniport name>
The <miniport name> values are given above.
b> Stop and start the ‘rasman’ (‘Remote Access Connection Manager’) service.

3) Error Code: 732, 734, 812
Error Description:
732: Your computer and the remote computer could not agree on PPP control protocols.
734: The PPP link control protocol was terminated.
812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Possible Causes: One of the prime causes for the above errors is when the *only* allowed authentication protocol configured on the VPN server (or RADIUS server) is MS-CHAP and the VPN client is Vista or a later OS platform (like Windows 7). Note: for security reasons MS-CHAP was removed from Vista and later OS platforms, and hence the connection fails.
Error 812 comes when the authentication protocol is set via NPS (Network Policy and Access Services); otherwise Error 732/734 is given.
Event ID 20276 is logged to the event viewer when the authentication protocol setting of an RRAS based VPN server mismatches that of the VPN client machine.

Possible Solution: Configure a more secure authentication protocol like MS-CHAPv2 or EAP based authentication on the server, matching the settings on the client side.

4) Error Code: 806
Error Description: 806: The VPN connection between your computer and the VPN server could not be completed. The most common cause for this failure is that at least one Internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets. If the problem persists, contact your network administrator or Internet Service Provider.

Possible Cause: PPTP uses the GRE (Generic Routing Encapsulation) protocol to encapsulate the VPN payload in a secure manner. This error generally comes when some firewall in the path between client and server blocks the GRE protocol (i.e. IP protocol number 47).

Possible Solution: Allow both outgoing and incoming protocol 47 (GRE) on any firewalls in between. If that is not possible, deploy an SSTP based VPN tunnel on both VPN server and VPN client; SSTP allows VPN connections across firewalls, web proxies and NAT.

5) Error Code: 789, 835
Error Description:
789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
835: The L2TP connection attempt failed because the security layer could not authenticate the remote computer. This could be because one or more fields of the certificate presented by the remote server could not be validated as belonging to the target destination.

Possible Causes: This is a generic error which is thrown when the IPsec negotiation fails for L2TP/IPsec connections.
Possible causes for this issue could be:
a> The L2TP based VPN client (or VPN server) is behind NAT.
b> The wrong certificate or pre-shared key is set on the VPN server or client.
c> The machine certificate or trusted root machine certificate is not present on the VPN server.
d> The machine certificate on the VPN server does not have ‘Server Authentication’ as the EKU.

Possible Solution: Make sure the correct certificate is used on both the client and server side; for further details refer to this blog. In case a Pre-Shared Key (PSK) is used, make sure the same PSK is configured on the client and the VPN server machine.

6) Error Code: 766
Error Description: 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.

Possible Cause: This error usually comes when there is no valid machine certificate on your client machine.

Possible Solution: Make sure the correct machine certificate for L2TP validation is installed on your client machine; for further details refer to this blog.

7) Error Code: 691
Error Description: 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

Possible Cause: This error is given when the authentication phase errored out because of wrong credentials being passed.

Possible Solution:
a> Make sure the correct username and password are typed.
b> Make sure ‘Caps Lock’ is not turned ON while typing credentials.
c> Make sure the authentication protocol selected on the client is permitted on the server.

8) Error Code: 809
Error Description: 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

Possible Cause: This error usually comes when some firewall between client and server is blocking the ports used by the VPN tunnel:
a> PPTP port (TCP port 1723) is blocked by a firewall/router. [Applicable to tunnel type = PPTP]
b> L2TP or IKEv2 ports (UDP port 500, UDP port 4500) are blocked by a firewall/router. [Applicable to tunnel type = L2TP or IKEv2]

Possible Solution: Enable the ports (as mentioned above) on the firewall/router. If that is not possible, deploy an SSTP based VPN tunnel on both VPN server and VPN client; SSTP allows VPN connections across firewalls, web proxies and NAT.

9) Error Code: 13806
Error Description: 13806: IKE failed to find a valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.

Possible Cause: This usually happens when there is no machine certificate or no root certificate present on the VPN server.

Possible Solution: Please contact your VPN server administrator to verify and fix the issue; for further details refer to this blog.

10) Error Code: 13801
Error Description: 13801: IKE authentication credentials are unacceptable.

Possible Causes: This error usually comes in one of the following cases:

Possible Solution: Please contact your VPN server administrator to verify and fix the above issue; for further details refer to this blog.

11) Error Code: 0x800704C9
Error Description:

Possible Cause: This issue may occur if no SSTP ports are available on the server.

Possible Solution: To troubleshoot this issue, verify that the RAS server has sufficient ports configured for remote access. To do this, follow these steps:

12) Error Code: 0x80070040
Error Description:

Possible Cause: This issue may occur if a server authentication certificate is not installed on the RAS server.

Possible Solution: Make sure the machine certificate used by the RAS server for SSL has ‘Server Authentication’ as one of the certificate usage entries. For further details refer to this blog. For changing the SSTP machine certificate, please refer to this blog if the VPN server is running Windows Server 2008 R2, else refer to this blog.

13) Error Code: 0x800B0101
Error Description: 0x800B0101: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Possible Cause: This issue may occur if a server authentication certificate is not installed on the Routing and Remote Access server.

Possible Solution: Make sure the machine certificate used by the RAS server for SSL has ‘Server Authentication’ as one of the certificate usage entries and that the certificate is not expired. For further details refer to this blog. For changing the SSTP machine certificate, please refer to this blog if the VPN server is running Windows Server 2008 R2, else refer to this blog.

14) Error Code: 0x800B0109
Error Description: 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Possible Cause: This issue may occur if the appropriate trusted root certification authority (CA) certificate is not installed in the Trusted Root Certification Authorities store on the client computer.
Note: Generally the VPN client machine is joined to an Active Directory based domain, and if you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may experience this issue.

Possible Solution: Make sure the root certificate is installed on the client machine in the Trusted Root Certification Authorities store.

15) Error Code: 0x800B010F
Error Description: 0x800B010F: The certificate's CN name does not match the passed value.

Possible Cause: This issue may occur if the host name of the server that is specified in the VPN connection does not match the subject name that is specified on the SSL certificate that the server submits to the client computer.

Possible Solution: Verify that the certificate which the RAS server uses for SSL has the correct subject name. For example, if the VPN client is configured to use the FQDN to connect to the VPN server, the certificate used by the VPN server must have the FQDN in the subject name. The same applies if the client is configured to use the IP address (IPv4 or IPv6) of the VPN server. If the appropriately named certificate is not present on the RAS server, you must obtain a new certificate for the RAS server.

16) Error Code: 0x80092013
Error Description: 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.

Possible Cause: This issue may occur if the client computer fails the certificate revocation check for the SSL certificate that the client computer obtained from the VPN server.

Possible Solution: To troubleshoot this issue, verify that the server that hosts the Certificate Revocation List (CRL) is available to the client – before VPN tunnel is established. This means that the CRL server is available to the client over the Internet because the client computer runs the CRL check during the establishment of the SSL connection and the CRL check query is sent directly to the CRL server.
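The certificate conditions from sections 12 to 16 can be checked from the client before opening a ticket. The following PowerShell script is an added example and is not part of the original post; it assumes the VPN server name and port are passed as the parameters $VpnServer and $Port, pulls the certificate the SSTP listener presents over TLS, and applies each condition (validity period, Server Authentication EKU, subject/SAN name match, trusted root, online revocation) with the .NET X509 classes.

```powershell
# Added example (not from the original post): fetch the certificate the SSTP
# server presents on TCP 443 and apply the client-side checks behind errors
# 0x80070040, 0x800B0101, 0x800B0109, 0x800B010F and 0x80092013.
# $VpnServer is an assumed parameter; use exactly the name or IP in the VPN profile.
param([string]$VpnServer = 'vpn.example.com', [int]$Port = 443)

# Accept whatever the server sends in the TLS handshake so it can be inspected here.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($VpnServer, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($VpnServer)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
} finally { $ssl.Dispose(); $tcp.Dispose() }

$checks = [ordered]@{}
# 0x800B0101: must be inside its validity period on this client's clock.
$now = Get-Date
$checks['Within validity period'] = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)

# 0x80070040: Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$checks['Server Authentication EKU'] = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))

# 0x800B010F: the name in the profile must match the subject CN or a SAN entry.
# (Wildcard names are not expanded here; treat a FAIL on a wildcard cert as 'check by hand'.)
$names = @($cert.GetNameInfo('DnsName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }) }
$checks['Name matches profile'] = ($names -contains $VpnServer)

# 0x800B0109 and 0x80092013: chain must end in a root in this client's Trusted Root
# store, and the CRL must be fetchable before the tunnel exists (online revocation).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$built = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
$checks['Chains to trusted root'] = ($flags -notcontains 'UntrustedRoot' -and $flags -notcontains 'PartialChain')
$checks['Revocation checkable'] = ($flags -notcontains 'RevocationStatusUnknown' -and $flags -notcontains 'OfflineRevocation')
$checks['Chain builds without errors'] = $built

"Subject: $($cert.Subject)   Issuer: $($cert.Issuer)   Expires: $($cert.NotAfter)"
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($flags) { 'Chain status: ' + ($flags -join ', ') }
```

Save it as a .ps1 file and run it from the client that fails to connect, since the trust store and CRL reachability are evaluated on the machine that runs it.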

17) Error Code: 0x800704D4
Error Description: 0x800704D4: The network connection was aborted by the local system.

Possible Cause: This error comes when the hostname of the VPN server is not resolved by the forward proxy in front of the VPN client.

Possible Solution: Check your proxy settings inside Internet Explorer. If the settings are correct, please ensure you are able to access other web sites (e.g. www.microsoft.com) using the browser. If that also works, try accessing the URI which SSTP uses internally, i.e. https://vpn_server_name/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ (replace vpn_server_name with the actual VPN server name). If you see the error “the website cannot be found” inside your browser, that validates the hostname resolution failure. If you know the IP address of the VPN server, try connecting with that. Else contact your network administrator (who is responsible for managing the web proxy, most probably your ISP), giving them the details of the problem (i.e. hostname resolution is failing for that particular hostname).

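The reachability steps from the error 800, 806, 809 and 0x800704D4 sections can be run together from the client. This PowerShell script is an added example, not code from the original post; it assumes a $VpnServer parameter and Windows 8 / Server 2012 or later (for Resolve-DnsName and Test-NetConnection), probes only what can be probed generically (DNS, ICMP, TCP 1723 and 443, the internal SSTP URI) and lists the UDP and GRE requirements for manual verification on the firewalls.

```powershell
# Added example (not from the original post): client-side reachability checks
# behind errors 800, 806, 809 and 0x800704D4 for one VPN server.
# $VpnServer is an assumed parameter. Test-NetConnection probes TCP only, so the
# UDP ports (IKE, L2TP) and IP protocol 47 (GRE) are listed for manual verification.
param([string]$VpnServer = 'vpn.example.com')

# Name resolution first: failing here is the 0x800704D4 symptom for SSTP
# (the client, or the proxy in front of it, cannot resolve the server name).
try {
    $ips = (Resolve-DnsName -Name $VpnServer -Type A -ErrorAction Stop | Where-Object { $_.IPAddress }).IPAddress
    "DNS          : $VpnServer -> $($ips -join ', ')"
} catch {
    "DNS          : FAIL - $($_.Exception.Message)"; return
}

# 'Try to PING the server' from the error 800 section. ICMP is often filtered,
# so a missing reply is a hint, not proof that the server is down.
$ping = Test-Connection -ComputerName $VpnServer -Count 2 -Quiet
"Ping         : " + $(if ($ping) { 'reply' } else { 'no reply (not conclusive)' })

# TCP ports: 1723 for PPTP (error 809) and 443 for SSTP.
foreach ($p in @(@{ Tunnel = 'PPTP'; Port = 1723 }, @{ Tunnel = 'SSTP'; Port = 443 })) {
    $t = Test-NetConnection -ComputerName $VpnServer -Port $p.Port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'FAIL (blocked or not listening)' }
    'TCP {0,-10}: {1} [{2}]' -f $p.Port, $state, $p.Tunnel
}

# No generic request/response exists for these, so report them for the firewall owner.
"UDP 500/4500 : IKE for L2TP/IPsec and IKEv2 (errors 800/809) - verify firewall rules"
"UDP 1701     : L2TP (error 800) - verify firewall rules"
"IP proto 47  : GRE for PPTP (error 806) - verify firewall rules"

# The SSTP URI from the 0x800704D4 section. Invoke-WebRequest uses the system
# proxy, so this exercises the same path as the browser test. Any HTTP status,
# even 4xx, proves the name resolved and the HTTPS listener answered; only a
# transport-level failure (no Response object) points at resolution or the proxy.
$uri = "https://$VpnServer/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
try {
    $r = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -ErrorAction Stop
    "SSTP URI     : reachable, HTTP $($r.StatusCode)"
} catch {
    $resp = $_.Exception.Response
    if ($resp) { "SSTP URI     : reachable, HTTP $([int]$resp.StatusCode)" }
    else       { "SSTP URI     : FAIL - $($_.Exception.Message)" }
}
```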
18) Error Code: 0x80072746
Error Description: 0x80072746: An existing connection was forcibly closed by the remote host.

Possible Cause: This error comes when the server machine certificate binding to HTTPS is not done on the VPN server OR the server machine certificate is not installed on the VPN server.

Possible Solution: Please contact your VPN server administrator to check whether the relevant machine certificate is installed on the VPN server. If installed correctly, check the HTTPS binding by running the following command at the VPN server command prompt: “netsh http show ssl”. For further details, please refer to this blog.
source: https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/