Windows 10 1703 detecting incorrect VPN protocol

  • Question

  • I have a Windows Server 2012 R2 server with the remote access role configured with SSTP VPN using MS-CHAPv2 for authentication.

    This has been working great for over a year now, with VPN settings pushed to clients using GPP. These settings are simple: connection name, DNS name of the connection, and a VPN type of automatic. All good.

    I have noticed that new installations of Windows 10 1703 are unable to connect to the VPN server. If the VPN type is changed from automatic to SSTP, then the connection works. I can see in the event logs on the client that the VPN client (the Microsoft built-in one) tries to connect using IKEv2 and thinks it's successful. But the server has IKEv2 disabled; there is no way that would work. The ports aren't even allowed through on the firewall.

    Windows 10 installations that have been upgraded to Windows 10 1703 are still able to connect to the VPN server. Has anyone else come across this?


    • Edited by Beresford Hare Monday, March 5, 2018 2:37 AM Clarified that the remote access server role was installed
    Monday, March 5, 2018 2:36 AM

Answers

  • Installing patch KB4074592 seems to solve the problem. I'll report back if this isn't the case.
    Tuesday, March 13, 2018 2:34 AM

All replies

  • Hi Beresford,

    Thanks for your question.

    Is there any error message when the client connects to the VPN through the automatic VPN tunnel?

    Please compare the OS build version of the new installation of Windows 10 1703 with that of the upgraded Windows 10 1703, using the command “winver” from Run. If they are inconsistent, please upgrade to the latest version.

    Here is a link referring to Windows 10 version 1703; it may be helpful:

    https://support.microsoft.com/en-us/help/4018124/windows-10-update-history

    Highly appreciate your effort and time.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 6, 2018 10:35 AM
  • There are no error messages.

    The machine was able to connect to the VPN once upgraded to Windows 10 1709.

    Here is the event log from the upgraded machine.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The user DOMAIN\USER has started dialing a VPN connection using a per-user connection profile named VPN Connection. The connection settings are: 
    Dial-in User = 
    VpnStrategy = IKEv2 , SSTP , PPTP then L2TP
    DataEncryption = None
    PrerequisiteEntry = 
    AutoLogon = Yes
    UseRasCredentials = Yes
    Authentication Type = CHAP/MS-CHAPv2 
    Ipv4DefaultGateway = No
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = Yes
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags = 
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No
    IPsec authentication for L2TP = Machine certificate
    Mobility enabled for IKEv2 = Yes.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The user DOMAIN\USER is trying to establish a link to the Remote Access Server for the connection named VPN Connection using the following device: 
    Server address/Phone Number = xxx.xxx.xxx.xxx
    Device = WAN Miniport (IKEv2)
    Port = VPN2-1
    MediaType = VPN.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The user DOMAIN\USER has successfully established a link to the Remote Access Server using the following device: 
    Server address/Phone Number = xxx.xxx.xxx.xxx
    Device = WAN Miniport (IKEv2)
    Port = VPN2-1
    MediaType = VPN.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The link to the Remote Access Server has been established by user DOMAIN\USER.

    Above is where it stops on 1703; on 1709 it does the above and then continues trying the next protocol.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The user DOMAIN\USER is trying to establish a link to the Remote Access Server for the connection named VPN Connection using the following device: 
    Server address/Phone Number = vpn.domain.com
    Device = WAN Miniport (SSTP)
    Port = VPN1-1
    MediaType = VPN.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The user DOMAIN\USER has successfully established a link to the Remote Access Server using the following device: 
    Server address/Phone Number = vpn.domain.com
    Device = WAN Miniport (SSTP)
    Port = VPN1-1
    MediaType = VPN.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The link to the Remote Access Server has been established by user DOMAIN\USER.

    CoId={586118F0-FCB1-4D02-A937-8109101694BF}: The user DOMAIN\USER has dialed a connection named VPN Connection to the Remote Access Server which has successfully connected. The connection parameters are:
    TunnelIpAddress = xxx.xxx.xxx.xxx
    TunnelIpv6Address = fe80::
    Dial-in User = .
    Tuesday, March 6, 2018 10:54 PM
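
The stall described in the post above can be spotted mechanically in exported VPN client event messages. The following is an added example, not part of the original thread: it groups messages by CoId and flags dial attempts where a link was reported as established but the final "successfully connected" message never appears. The sample log, its CoIds and the function names are constructed for illustration.

```python
import re

COID = re.compile(r"CoId=\{([0-9A-Fa-f-]+)\}:\s*(.*)")
DEVICE = re.compile(r"Device = WAN Miniport \((\w+)\)")
# Message fragments as they appear in the event log quoted in the thread.
PHASES = {"is trying to establish a link": "tried",
          "has successfully established a link": "linked"}

def summarize(log_text):
    """Group messages by CoId: devices tried, devices linked, final outcome."""
    sessions, current, phase = {}, None, None
    for line in map(str.strip, log_text.splitlines()):
        m = COID.match(line)
        if m:
            coid, msg = m.groups()
            current = sessions.setdefault(
                coid, {"tried": [], "linked": [], "connected": False})
            phase = next((p for frag, p in PHASES.items() if frag in msg), None)
            if "which has successfully connected" in msg:
                current["connected"] = True
        elif current is not None and phase and (d := DEVICE.search(line)):
            current[phase].append(d.group(1))  # device line follows its message
            phase = None
    return sessions

def stalled(sessions):
    """CoIds where a link was reported but the dial never completed."""
    return [c for c, s in sessions.items() if s["linked"] and not s["connected"]]

# Constructed sample (shortened CoIds): one stalled dial, one completed dial.
SAMPLE = r"""
CoId={0000-1703}: The user DOMAIN\USER is trying to establish a link to the Remote Access Server using the following device:
Device = WAN Miniport (IKEv2)
CoId={0000-1703}: The user DOMAIN\USER has successfully established a link to the Remote Access Server using the following device:
Device = WAN Miniport (IKEv2)
CoId={0000-1703}: The link to the Remote Access Server has been established by user DOMAIN\USER.
CoId={0000-1709}: The user DOMAIN\USER is trying to establish a link to the Remote Access Server using the following device:
Device = WAN Miniport (IKEv2)
CoId={0000-1709}: The user DOMAIN\USER has successfully established a link to the Remote Access Server using the following device:
Device = WAN Miniport (IKEv2)
CoId={0000-1709}: The user DOMAIN\USER is trying to establish a link to the Remote Access Server using the following device:
Device = WAN Miniport (SSTP)
CoId={0000-1709}: The user DOMAIN\USER has successfully established a link to the Remote Access Server using the following device:
Device = WAN Miniport (SSTP)
CoId={0000-1709}: The user DOMAIN\USER has dialed a connection named VPN Connection to the Remote Access Server which has successfully connected.
"""
if __name__ == "__main__":
    print(stalled(summarize(SAMPLE)))
```
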
  • Hi,

    Sorry for my delay.

    Do you mean that it still failed to connect through the VPN with the hotfix applied on version 1703?

    Best regards,

    Michael



    Thursday, March 8, 2018 10:41 AM
  • Hi Beresford,

    How are things going? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael



    Monday, March 12, 2018 8:47 AM
    I'm busy working through installing those updates; for some reason the computer does not pick up those updates even though WSUS is configured correctly.

    This might only be affecting Lenovo X1 Carbon Generation 5 machines.

    Monday, March 12, 2018 7:36 PM
  • Installing patch KB4074592 seems to solve the problem. I'll report back if this isn't the case.
    Tuesday, March 13, 2018 2:34 AM
  • Hi Beresford,

    I am glad to hear that your issue was successfully resolved!

    In addition, thanks for posting and sharing here as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Wish you a nice day!

    Best regards,

    Michael



    Tuesday, March 13, 2018 3:28 AM