TMG will not accept VPN connections, RRAS Fails to Start RRS feed

  • Question

  • Hello all,

    We are having a problem getting remote access VPN running on an install of TMG 2010. 

    The server is a physical server running Server 2008 x64, fully updated as of today.  Besides the OS, and the RAID manager app, TMG is the only software installed on the server.

    TMG is installed as an edge firewall.  There are four NICs configured, one external and three internal nics (Production network, Lab network, and Visitor Network).  We have a basic access rule configured to allow all internal networks to allow traffic to external using HTTP, HTTPS, DNS, and ICMP/Ping).  The server is routing traffic properly and we are able to access the internet normally on all networks.   There are no firewalls or translation devices between the TMG and the Internet; it has a fully-routable internet IP.

    I tried to configure a very basic remote access VPN configuration as a starting point, which I've done several times in the past on other servers so I'm pretty sure I'm doing it right. 
    - Address assignment is configured to use DHCP on the Production Network NIC. 
    - The domain admins group of our windows domain is set up in the VPN users dialog. 
    - Access Networks is set to "External"
    - Authentication is MS-CHAPv2
    - Nothing RADIUS related is enabled.
    - VPN access is enabled, with 100 users
    - PPTP is configured as the allowed protocol
    - User Mapping and Quarantine are not enabled.

    I checked the technet articles as a sanity check and according to them, I don't need anything else configured. 

    I rebooted the server after enabling VPN access, and found that RRAS is stopped, and the following warning is displayed in the monitoring section:

    Description: The Remote Access Service configuration for VPN could not be completed. As a result, the Remote Access Service may be stopped.
    The failure is due to error: 0x80070386

    I had previously been running RC, so I completely uninstalled everything TMG related on the server, and reinstalled the GA.  I did not import any configurations, but rather reconfigured the server by hand in case there might have been some error in the config.  After reinstallation, I had exactly the same result. 

    Previous to the reinstall, I forced a start of RRAS to see what would happen, and when I did, the Vista laptop I am using to test a client connection, which is connected to the Internet using a Linksys WRT54GL router running the latest firmware, would get to the "verifying userid and password" step, then eventually fail.  It would never reach the "registering computer on the network" step.  I also tried connecting from my home PC (which is able to connect to other TMG servers okay), to no avail. 

    Any help pointing me in the right direction would be greatly appreciated. 

    • Moved by Nick Gu - MSFT Friday, December 18, 2009 7:21 AM issue about TMG (From:Forefront Edge Security Virtual Private Networks)
    Wednesday, December 16, 2009 10:02 PM


  • This issue can be closed. 

    I reinstalled the OS from bare metal and after doing so and installing TMG, VPN worked fine.
    • Marked as answer by Dave Puetz Friday, December 18, 2009 1:00 PM
    Friday, December 18, 2009 12:59 PM