Warning: Windows Server 2008 R2 SP1 Breaks RRAS IKEv2 VPN invalid situation


  • Sunday, March 06, 2011 1:53 AM
     
     
    After installing SP1 on my 2008 R2 VPN server, IKEv2 VPN connections broke. The connecting computer gets Error 13863: Invalid Situation. The Windows Server event log shows:

    CoId={HEX STRING}: The following error occurred in the Point to Point Protocol module on port: VPN1-79, UserName: DOMAIN\user. Invalid situation

    Rolling back SP1 fixes this issue. I recommend not installing SP1 on any RRAS VPN server using IKEv2 until MS fixes it. Other users have reported the same issue.

All Replies

  • Tuesday, March 08, 2011 9:32 AM
    Moderator
     
     

    Hi dflo16,

     

    According to my test, IKEv2 VPN works after Windows 2008 R2 is upgraded to SP1.

    1. IKEv2 (VPN Reconnect) article for detailed steps:

    http://technet.microsoft.com/en-us/library/dd637783(WS.10).aspx

     

    2. Install the performance update and Windows 2008 R2 SP1 (articles):

    http://support.microsoft.com/kb/2454826

    http://support.microsoft.com/kb/976932

     

    3. Troubleshooting IKEv2 VPN connections

    http://technet.microsoft.com/en-us/library/dd941612(WS.10).aspx

    The Mobility Manager - managing mobility for VPN reconnect connections (IKEv2 based VPN connections)

    http://blogs.technet.com/b/rrasblog/archive/2008/12/31/the-mobility-manager-managing-mobility-for-agile-vpn-connections.aspx

    Enabling RAS Tracing in VPN Server

    http://blogs.technet.com/b/rrasblog/archive/2006/06/20/enabling-ras-tracing-in-vista-longhorn-server.aspx

     

    If your VPN is still broken, please provide details of the VPN architecture, the VPN server NPS role event log, and the VPN client RasClient event log.


    Regards, Rick Tan
  • Tuesday, March 08, 2011 8:17 PM
     
     
    Hello Rick, I don't have too much time to dig into it now but I will get back to you. All I know for now is for my environment: configuring RRAS for IKEv2 VPN connectivity works; after installing SP1, clients cannot connect and get the Invalid Situation error, and there are errors in the server event log; after rolling back SP1, everything works perfectly the way it did before installing SP1. So something in SP1 is breaking my IKEv2 VPN. I have read that other users have the same issue.
  • Saturday, March 12, 2011 3:56 AM
     
     

    I'll add to that.  Same basic problem, although we also updated the Win7 client with the SP in the same time period.

    Server is a Win2008R2SP1 running as a VM under Win2008R2SP1. It's running SSTP, IKEv2, and PPTP. This machine happens to be doing remote validation against a DC (also 2008R2SP1) with NPS.

    Of course I've always found IKEv2 to be very flaky. At least once a day, it stops working properly. The client connects then immediately disconnects. The server logs report that the client chose to disconnect, but restarting the service on the server fixes the problem for several hours.

  • Monday, March 14, 2011 11:50 PM
     
     

    Yup, I got the same issue. Win 7 client with (just installed) SP1 can no longer connect using IKEv2 or L2TP, but can using PPTP, to a Server 2008 R2 VPN server with (just installed) SP1.

    My home computer a WinXP client can still connect using L2TP with preshared key however. 

    My VPN server is also a VM running in Hyper-V.  The host does not have SP1.  My VPN server is also a DC.

    I tried removing SP1 and it was still broken so I reapplied it.

    I did find out after reapplying the SP that it had apparently reset my IKEv2 ports to 0 so if it was still like that after I removed the service pack that would explain why it didn't work even after I removed it.  After re-adding some IKEv2 ports to RRAS I get "error 13863 Invalid Situation".

    After some troubleshooting I found out that Win 7 clients need the AssumeUDPEncapsulationContextOnSendRule registry fix to connect to an L2TP VPN server behind NAT. I had already done this fix on my Vista and XP clients but hadn't bothered with Win 7 clients since IKEv2 worked before now. So now it looks like all of my clients can use either PPTP or L2TP, but Win 7 clients cannot use IKEv2.

     

  • Wednesday, March 23, 2011 9:21 PM
     
     

    Exactly the same issue.

    The only way to fix it was to uninstall SP1 and block it from install back

    Hope MS comes up with a solution.

    Sorry Rick, but your suggestions were useless

  • Sunday, March 27, 2011 6:34 PM
     
     

    Hi, have just spent all day trying to unravel this one to no good effect. I've just kicked off the uninstall of Server 2008 R2 SP1, which will put me back to where the "VPN Reconnect" solution works, or at least I hope it works when I've rebooted the server.

    My Win 7 Client already had SP1 and was working btw.

    I've also tried several ways of reconfiguring RRAS on Server 2008 R2 but nothing works.  Here's hoping uninstalling the SP works.

    So please MS fix this issue.  It can't be hard to replicate.

     

  • Friday, April 08, 2011 12:29 AM
     
     

    I had the same problem with IKEv2 (before installing SP1) after installing Windows6.1-KB2248145-x64.msu. I had to uninstall that hotfix. But now SP1 again broke IKEv2 for me :-(

    Perhaps it helps: in my situation both VPN server and client are behind NAT. Yes, I tried

    netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat

    but no success :-(
    • Edited by _RaFi_ Wednesday, May 11, 2011 9:40 PM ipseec->ipsec
  • Wednesday, April 13, 2011 11:33 AM
     
     

    Hi Rick!

     

    Please test the scenario with both VPN client and server behind NAT (it will get more popular with IPv4 space depletion).

  • Tuesday, April 26, 2011 3:40 AM
     
     

    Try the below KB:

    The maximum number of WAN Miniport (IKEv2) ports changes from 128 to two after you install Windows Server 2008 R2 SP1

    http://support.microsoft.com/kb/2487292

     

  • Tuesday, April 26, 2011 8:15 AM
     
     

    Installed KB2487292 after SP1, still the same error 13863: Invalid Situation


    Thomas
  • Friday, April 29, 2011 4:57 PM
     
     

    Try the below KB:

    The maximum number of WAN Miniport (IKEv2) ports changes from 128 to two after you install Windows Server 2008 R2 SP1

    http://support.microsoft.com/kb/2487292

     


    Yes, I mentioned this in my post above, but it is not the issue that prevents IKEv2 from working. I never did get this resolved. I had to change my VPNs to L2TP.
  • Friday, May 06, 2011 8:56 PM
     
     

    Hello,

    I can confirm that. After SP1 installation on 2008R2: error 13863 "invalid situation" while trying to make an IKEv2 VPN connection. SP1 is also installed on the Windows 7 client. The combination 2008R2 gold and Win 7 SP1 still used to work.

    As I would not like to remove the SP again and endanger the stability of the server I would love to see a hotfix soon.

    Cheers

    Robert

  • Tuesday, May 17, 2011 4:44 AM
     
     

    I too am waiting for a fix. Installing SP1 on the 2008R2 VM broke both the IKEv2 and SSTP VPN protocols, although RRAS does continue to authenticate PPTP over RADIUS properly. The error for SSTP is: "Error 0x8007274D: No connection could be made because the target machine actively refused it." Both IKEv2 and SSTP were working perfectly and reliably before installing SP1.

    EDIT:  SSTP was using a non-default port, so perhaps that's why SP1 broke it.  Running the command "netsh ras show sstp-ssl-cert" gave no result (instead of listing the GUI-selected certificate), and the following registry values/data were missing:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters]
    "SHA256CertificateHash"=hex: [value deleted]
    "SHA1CertificateHash"= hex: [value deleted]

    After uninstalling SP1 and restoring the correct  SSTP registry settings, SSTP worked again.  Re-installing SP1 through Windows Update in July 2011 did not damage SSTP and it continues to work.  IKEv2 however still gives the error 13863 "invalid situation", from a (Win7-SP1) client that worked fine immediately before re-installing SP1 on the server.  RRAS shows an event ID of 20255.  The client tries to connect using MS-CHAPv2 or EAP using a certificate, both fail with the same details.

     Note about IKEv2 error:  RRAS tracing -> RASMAN.log shows :

    ProtocolStarted ...VPN1-31
    WorkerThread: Disconnect event signaled on port: VPN1-31
    OVEVT_DEV_STATECHANGE. pOverlapped = 0x54c6e70
    ...
    Disconnecting Port 0xVPN1-31, reason 1 [rc=0x0]
    ...
    DisconnectType=1,DisconnectReason=4,pConn=0x0,cbports=0,signaled=0,hEvent=0xffffffff,fRedial=0
    ...
    Listen posted on port: VPN1-31, error code 600



    • Edited by NT Admin Monday, July 25, 2011 1:31 AM update
  • Friday, June 17, 2011 11:26 AM
     
     

    In the System log of the RAS server I can see always the error logged:

    http://technet.microsoft.com/en-us/library/cc733698(WS.10).aspx

    Not really found a solution for this. Fact is that NPS authentication works always successfully on the DC (RAS and NPS are on different machines).

    Removed SP1 now from the RAS server (NPS and Client(s) still have SP1 installed) again and everything works fine again. Also the error message is not logged anymore. One day I'll try to re-apply the SP1. Now the WSUS version has been fixed or I'll try it manually.

    I also noticed that the SP1 WSUS update has been superseded by a newer version. Maybe this is one of the bugs.

    Cheers

    Robert

     



  • Thursday, June 23, 2011 10:12 PM
     
     
    I have tried http://support.microsoft.com/kb/2523881/en-us but still no success :-(
  • Tuesday, July 26, 2011 4:17 PM
     
     

    Just an update: I have all released updates other than SP1 installed, and IKE works fine.  Installing SP1 still breaks IKE.  I am wondering if it may be a problem with IPSec choosing the server's intranet certificate instead of our 3rd party SSL cert which is specified for use in the SSTP section of RRAS.  Based on the description of how IPSec chooses the certificate, it prefers one with the Enhanced Key Usage (EKU) containing IKE Intermediate, which our 3rd party cert does not have but our intranet cert does.

    Perhaps SP1 changes which certificate is selected when using IPSec.  If anyone can tell me how to request a UCC/SAN certificate containing the EKU for IKE (eg, from Exchange Certificate Wizard or IIS), I will test SP1 with the updated cert.
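    The two checks the post above leads to, as an added example that is not part of the thread and not Microsoft's code: which certificate SSTP is bound to (RRAS keeps it under the SstpSvc\Parameters values the July post found missing), and which machine certificates carry the two EKUs the post discusses, Server Authentication (1.3.6.1.5.5.7.3.1) and IP security IKE intermediate (1.3.6.1.5.5.8.2.2). The last function builds a certreq INF that asks for both EKUs plus a SAN, answering the "how do I request such a cert" question. Assumptions of this example: that SHA1CertificateHash holds the raw thumbprint bytes (cross-check with "netsh ras show sstp-ssl-cert" on the server), and the placeholder host name vpn.example.com. Written for the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the RRAS server.
$SstpKey            = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$EkuServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$EkuIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

# Returns the EKU OIDs on a certificate, or $null when it has no EKU extension at all
# (CryptoAPI treats a certificate with no EKU extension as valid for any purpose).
function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext -eq $null) { return $null }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Reads the SSTP binding from the registry as a thumbprint string.
# ASSUMPTION: the REG_BINARY value is the raw SHA-1 hash, i.e. the thumbprint bytes.
function Get-SstpBoundThumbprint {
    $p = Get-ItemProperty -Path $SstpKey -ErrorAction SilentlyContinue
    if ($p -eq $null -or $p.SHA1CertificateHash -eq $null) { return $null }
    [byte[]]$bytes = $p.SHA1CertificateHash
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# One row per machine certificate: which EKUs it has and whether SSTP is bound to it.
function Get-VpnCertificateReport {
    $bound = Get-SstpBoundThumbprint
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $oids = Get-CertEkuOids $cert
        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            ServerAuth      = ($oids -eq $null) -or ($oids -contains $EkuServerAuth)
            IkeIntermediate = ($oids -ne $null) -and ($oids -contains $EkuIkeIntermediate)
            BoundForSstp    = ($cert.Thumbprint -eq $bound)
            NotAfter        = $cert.NotAfter
        }
    }
}

# certreq INF requesting both EKUs and a SAN (standard INF syntax; host name is a placeholder).
function New-VpnCertRequestInf {
    param([string]$DnsName = 'vpn.example.com')
@"
[NewRequest]
Subject = "CN=$DnsName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = $EkuServerAuth
OID = $EkuIkeIntermediate
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsName&"
"@
}

$bound = Get-SstpBoundThumbprint
if ($bound -eq $null) {
    "SstpSvc has no SHA1CertificateHash value: SSTP is not bound to any certificate"
} else {
    "SSTP is bound to thumbprint $bound"
}
Get-VpnCertificateReport |
    Format-Table Subject, Thumbprint, ServerAuth, IkeIntermediate, BoundForSstp, NotAfter -AutoSize

# To request the certificate: New-VpnCertRequestInf 'vpn.example.com' | Set-Content vpn.inf
#                             certreq -new vpn.inf vpn.req   (submit vpn.req to the CA)
```

    A row whose ServerAuth is true only because the certificate has no EKU extension is worth a second look: such a certificate is accepted for everything, which is rarely what an internet-facing VPN endpoint should present.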


  • Wednesday, July 27, 2011 2:35 PM
     
     
    I am having the same problem after loading SP1 on my Windows 2008 R2 VPN server. For now, we switched to using SSTP instead of IKE until it is fixed.
  • Monday, August 01, 2011 5:31 PM
     
     

    Dear ALL,

    Here is my experience, I've tried several different types of connection:

    1.

    VPN server is in the DMZ of the router: the same error occurs when you are connecting from a local network, BUT!

    if you assign a real IP address to your client, it works fine, without that "Breaks RRAS IKEv2 VPN invalid situation"

     

    2. VPN server has real internet IP, all connections work just fine.

     

    3.The  issue is - VPN does not work within McDonalds FreeWiFi (error 809)

     

  • Friday, September 09, 2011 7:30 AM
     
     
    Has anyone figured this out yet? I can't believe MS would let this go on so long!
  • Friday, September 09, 2011 3:59 PM
     
     
    Has anyone figured this out yet? I can't believe MS would let this go on so long!

    Nope, still using SSTP until patched...
  • Tuesday, October 04, 2011 3:39 PM
     
     

    I opened a support case #211092031050940001.

    As a solution I got the official response that Microsoft considers NAT-to-NAT IPSec configuration as insecure. Because of that SP1 changes the behavior in this never-really-officially-supported(?) scenario.

    :-(

  • Thursday, March 08, 2012 1:00 PM
     
     
    Is this the final and accepted solution? Does anyone know?
  • Thursday, March 08, 2012 1:06 PM
     
     
    For me this is unacceptable, but for Microsoft this is final answer :-) They do not intend to fix it, as this was (?) never supported (see http://support.microsoft.com/kb/885348), although they have released http://support.microsoft.com/kb/947234 documenting "netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat".
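    The two NAT traversal settings that come up in this thread, as an added example that is not part of the thread and not Microsoft's code: the PolicyAgent registry value from KB926179 that the March 14 post applied on its Win 7 L2TP clients, and the advfirewall ipsecthroughnat setting from KB947234 that the April 8 post tried on the server. Each comes with a read-back so the change can be verified. The function names and the -Mode/-Setting parameters are this example's own; the value meanings are KB926179's. Requires an elevated prompt; the registry change takes effect only after a reboot.

```powershell
# Added example (not from the thread). PowerShell 2.0 compatible.
$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$NatTValueName  = 'AssumeUDPEncapsulationContextOnSendRule'

# KB926179 value meanings (client side):
#   0 = default; IPsec NAT-T to a server that is itself behind a NAT is refused
#   1 = server behind NAT
#   2 = server and client behind NAT
function Get-L2tpNatTraversal {
    $item = Get-ItemProperty -Path $PolicyAgentKey -Name $NatTValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }     # value absent means the default, 0
    [int]$item.$NatTValueName
}

function Set-L2tpNatTraversal {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    if (-not (Test-Path $PolicyAgentKey)) { throw "PolicyAgent service key not found" }
    Set-ItemProperty -Path $PolicyAgentKey -Name $NatTValueName -Value $Mode -Type DWord
    Write-Host ("{0} = {1}; reboot so PolicyAgent re-reads it" -f $NatTValueName, (Get-L2tpNatTraversal))
}

# Server side (the RRAS box), from KB947234. netsh accepts exactly these three
# values; 'show global' echoes the resulting IPsecThroughNAT line for verification.
function Set-IpsecThroughNat {
    param([ValidateSet('never', 'serverbehindnat', 'serverandclientbehindnat')][string]$Setting)
    & netsh advfirewall set global ipsec ipsecthroughnat $Setting | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall failed with exit code $LASTEXITCODE" }
    & netsh advfirewall show global | Select-String -Pattern 'IPsecThroughNAT'
}

"Current client NAT-T setting: $(Get-L2tpNatTraversal)"
# Client (both ends NATed):   Set-L2tpNatTraversal -Mode 2   ; then reboot
# Server:                     Set-IpsecThroughNat -Setting serverandclientbehindnat
```

    Treat both as deliberate relaxations rather than bug fixes: the defaults are restrictive for the reason the thread's support case and KB885348 give, namely that IPsec NAT-T with the server itself behind a NAT is not a configuration Microsoft considers safe. Mode 1 is the smaller change when only the server is NATed; use 2 and serverandclientbehindnat only when the client really is behind a NAT as well.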
  • Friday, June 29, 2012 12:33 PM
     
     

    A new hotfix has appeared:

    IPsec connection that uses IKEv2 tunnel mode fails on a computer that is running Windows 7 or Windows Server 2008 R2

    I have tested, this hotfix fixes our problem :-)
    • Edited by _RaFi_ Saturday, June 30, 2012 7:33 AM
  • Thursday, August 30, 2012 7:12 PM
     
     
    Yeah, my customer made enough noise about Dell, Microsoft, the US Govt., the Illuminati and black helicopters that MS finally gave in and changed their stance on not supporting IKEv2 and VPN Reconnect anymore.  You're welcome. ;-)

    support like no other...

  • Friday, September 14, 2012 11:39 AM
     
     
    This hotfix did it for me too! :)