AssumeUDPEncapsulationContextOnSendRule Registry Setting Not working

    Question

  • Hi all, I have recently come across an issue with a lot of the new Win10 machines that we are purchasing where they won't connect to our L2TP VPN. (Dell Inspirons)

    The first thing that came to mind was the AssumeUDPEncapsulation registry entry, however even after setting this to '2' we are having no luck.

    I have also removed the Miniport adaptors and re-added. (even though they were showing fine)

    The machines are fully up-to-date with Windows updates as well.

    The VPN server is a W2K8 R2 box with RRAS etc.

    I am connected to the internet via a Samsung S8, and I have tested from one of the older machines and the VPN is working via this internet connection.

    I also tried to break the older machines by running all Windows updates etc., however they are still working!!

    Has anyone seen this before? Any ideas?

    Monday, October 2, 2017 4:11 AM

Answers

  • This fix worked for me. I found it on another forum and thought I would share because I have been looking for a fix for ages.

    ------------------

    If you have an Intel wifi card, then Dell ships with "SmartByte drivers and services"; if you have a Killer wifi card, then it ships with the Killer Wireless Suite. To get your VPN working, uninstall these types of software. These 3rd party network drivers are supposed to prioritize network traffic to give priority to streaming video or something like that, but they are more trouble than they are worth in my experience. They mess with VPNs.

    • Marked as answer by RyanNicholls Wednesday, March 28, 2018 12:31 AM
    Thursday, February 22, 2018 2:05 PM

All replies

  • Hi,

    Could you provide a screenshot of the error?

    Here are some suggestions for you:

    1. Check whether the "IPsec Policy Agent" service is enabled on your Windows 10 machine.

    2. In Registry Editor, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    On the Edit menu, point to New, and then click DWORD Value.
    Type AllowL2TPWeakCrypto, and then press ENTER.
    On the Edit menu, click Modify.
    In the Value data box, type 1, and then click OK.
    On the File menu, click Exit to exit Registry Editor.

    https://support.microsoft.com/en-us/help/929856/you-receive-a-741-or-a-742-error-message-when-you-try-to-establish-a-v

    If it doesn't work, please refer to the steps below:

    3. Locate the registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    On the Edit menu, click New -> "DWORD Value".
    In the name box, type "ProhibitIpSec".
    In the Value data box, type "1" and then click OK.

    Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs.

    Best Regards,
    Frank



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, October 2, 2017 6:56 AM
  • Hi Frank,

    I should have mentioned the error is an 809 error. (which generally indicates NAT issues.)
    In all of our older machines, making the AssumeUDPEncapsulationContextOnSendRule change fixes the problem.

    I have only started seeing this issue on the new machines in the last month.


    I can also see that when I run Wireshark on the laptop and make the connection, the SCCRQ packets are not encapsulated and look like the below:

    Control Message - SCCRQ (tunnel id=0, session id=0)

    I would have expected that these should be ESP packets like:

    ESP (SPI=0x0406de3a)

    The error message that Windows reports is:

    The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. 

    Monday, October 2, 2017 10:36 PM
  • Hi,

    >>The first thing that came to mind was the AssumeUDPEncapsulation registry entry, 

    Please check whether the registry value is "AssumeUDPEncapsulationContextOnSendRule" rather than "AssumeUDPEncapsulation".

    This DWORD value allows Windows to establish security associations when both the VPN server and the Windows based VPN client computer are behind NAT devices.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent 

    RegValue: AssumeUDPEncapsulationContextOnSendRule

    Type: DWORD

    Data Value: 2

    Note that after creating this key you will need to reboot the machine.

    Besides, please choose one of the problematic Windows 10 machines and temporarily disable the firewall or allow traffic on UDP 500.

    Error Description: 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

    Possible Cause: This error usually comes when some firewall between client and server is blocking the ports used by VPN tunnel

    a> PPTP port (TCP port 1723) is blocked by a firewall/router. [Applicable to tunnel type = PPTP]

    b> L2TP or IKEv2 port (UDP port 500, UDP port 4500) is blocked by a firewall/router. [Applicable to tunnel type = L2TP or IKEv2]

    Possible Solution: Enable the port (as mentioned above) on firewall/router. If that is not possible, deploy SSTP based VPN tunnel on both VPN server and VPN client – that allows VPN connection across firewalls, web proxies and NAT.

    Refer to link below: https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/

    Best Regards, 

    Frank



    Friday, October 6, 2017 9:05 AM
  • Hi Frank, yes I have the full registry key in there, I was just shortening for the sake of the message.

    There is also no firewall enabled on the machine, and the firewall at the main office is not blocking these ports.

    The other machines that are here have no issues connecting.

    I have resorted to setting up SSTP instead to get around this issue, however the original issue still stands with the L2TP connection on a lot of our new laptops.

    Sunday, October 8, 2017 10:57 PM
  • Hi, RyanNicholls

    Thanks for your update and for sharing.

    Best Regards,

    Frank



    Wednesday, October 11, 2017 9:53 AM
  • KB4041994 resolved this issue for us. We are using L2TP with a preshared key.
    Thursday, November 2, 2017 10:13 PM
  • Hello Ryan,

    Were you able to find a solution? I am currently struggling with the same issue. Dell Inspiron. 809 error, registry edit did not fix.

    Thanks much!

    Wednesday, December 27, 2017 6:08 PM

  • I have the same issue, 809 error on a Dell XPS 13.

    AssumeUDPEncapsulationContextOnSendRule = 2,
    AllowL2TPWeakCrypto = 1,
    ProhibitIpSec = 1
    These changes don't work.
    Thursday, December 28, 2017 8:18 AM
  • I could resolve this problem by uninstalling the pre-installed software, Killer Wireless Suite.

    • Proposed as answer by Herbert87 Wednesday, March 28, 2018 12:30 AM
    Tuesday, January 9, 2018 4:26 AM
  • Thanks M Otoguro.  Was able to resolve by doing the same on the XPS 13. 
    Wednesday, February 14, 2018 1:48 AM
  • Thank you very much!

    Updating the Software (Killer Control Center 64 bit) did it for me, although I am using a completely different machine but with the same error. I was using a very old version (1.0.xx), the new version (currently 1.5.1852) works fine. :)

    Wednesday, March 28, 2018 12:29 AM
  • Thanks so much!!
    Wednesday, June 13, 2018 3:05 PM
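
Added example (not part of any post in this thread): a read-only PowerShell audit of the three registry values discussed above, the IPsec services, and the bundled traffic-shaping software named in the accepted answer. AllowL2TPWeakCrypto = 1 and ProhibitIpSec = 1 lower the tunnel's protection, so they are worth finding and reverting on machines where they were tried and made no difference. The `IKEEXT` service name and the `SmartByte|Killer` display-name pattern are assumptions.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
       Name = 'AssumeUDPEncapsulationContextOnSendRule'; Weakens = $false
       Note = 'NAT traversal; 2 = client and server both behind NAT' },
    @{ Path = $rasman; Name = 'AllowL2TPWeakCrypto'; Weakens = $true
       Note = '1 re-enables MD5 and DES for L2TP/IPsec' },
    @{ Path = $rasman; Name = 'ProhibitIpSec'; Weakens = $true
       Note = '1 stops Windows from protecting L2TP with IPsec' }
)

function Get-L2tpRegistryAudit {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Name    = $c.Name
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Finding = if ($c.Weakens -and $value -eq 1) { 'REVIEW: weakens the tunnel' } else { 'ok' }
            Note    = $c.Note
        }
    }
}

function Get-L2tpServiceState {
    # PolicyAgent = "IPsec Policy Agent"; IKEEXT (assumed relevant) does the IKE keying.
    Get-Service -Name PolicyAgent, IKEEXT -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Get-TrafficShaperSoftware {
    # Display-name pattern is an assumption based on the product names in the thread.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'SmartByte|Killer' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

Get-L2tpRegistryAudit     | Format-Table -AutoSize
Get-L2tpServiceState      | Format-Table -AutoSize
Get-TrafficShaperSoftware | Format-Table -AutoSize
```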