SSTP VPN disconnects immediately after it's established

  • Question

  • Hi everyone,

    I have quite a large base of Windows 10 computers that connect to an Azure VNet via an SSTP Point-to-Site VPN.
    The problem is that the VPN connection on one of these computers broke right after the weekly round of Windows updates was automatically installed last Wednesday. I'm not sure if a specific KB might have damaged one or more system components that underpin VPNs.

    This is how the issue manifests:
    The VPN connects successfully, but disconnects after one or two seconds, maybe less. This is not due to a slow internet connection, latency, jitter, etc. The underlying internet service is OK, as other users on this same feed have no issues with their VPNs. TCP port 443 (SSL) is not filtered anywhere.

    This is what I did as part of my troubleshooting effort:

    • On the Windows 10 client computer, the .pfx certificate was re-installed. So was the Azure certificate for traffic encryption (the .cer file with the GUID in the name).
    • I deleted and recreated the VPN several times, but the issue still persists. I configured it with Windows 10's built-in VPN facilities, as well as with the VPN installer that's downloaded from Azure's portal. Either way, the VPN still gets disconnected after a couple of seconds.
    • I uninstalled and reinstalled Windows 10 WAN Miniports to no avail.

    Does anyone know what may cause an SSTP VPN on Windows 10 to immediately disconnect after it is successfully established?

    Opinions, insights and hints that may point me in the right direction are welcome.

    Thank you.
    Fernando Ronci

    Tuesday, July 10, 2018 11:53 PM

All replies

  • Hi Fernando,

    Please check if this problematic Windows build is the same as the others' build.

    1. Press WIN+R.

    2. Type winver, press Enter.

    Please run system restore to a previous time point that everything worked fine to see if the issue has gone.

    If the issue persists, run network reset:

    1. Select the Start button, then select Settings > Network & Internet > Status > Network reset.

    2. On the Network reset screen, select Reset now > Yes to confirm.

    Wait for your PC to restart and see if that fixes the problem.

    Note: After using network reset, you might need to reinstall and set up other networking software you might be using, such as VPN client software or virtual switches from Hyper‑V.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wildhack Wednesday, January 30, 2019 10:45 PM
    Wednesday, July 11, 2018 6:23 AM
  • Thank you Karen.

    I will continue investigating the issue. Because I manage the Windows 10 clients remotely, resetting the network is not feasible for the time being. Nor is a system restore. Unless I find the cause elsewhere, I'll have no other choice than doing a network reset nonetheless.

    Thanks again.
    Fernando

    Wednesday, July 11, 2018 4:34 PM
  • If you are prepared to make some tracing data publicly available then you could start a trace with a command like:

    netsh trace start provider=Microsoft-Windows-RasSstp capture=yes correlation=disable tracefile=trouble.etl

    Then reproduce the problem and stop the trace with the command "netsh trace stop".

    This will produce two files: trouble.etl and trouble.cab. trouble.etl contains just what was requested to be captured; trouble.cab contains trouble.etl and additional information packed in a .cab (compressed) file.

    There are lots of things that could be traced; the commands above are just a "first cut" - depending on what the trace data reveals, one could adjust the set of providers or abandon this approach.

    Friday, July 13, 2018 1:33 PM
  • Thank you very much Gary for your suggestion. Highly appreciated.
    This week I will run some traces on the workstations with the malfunctioning VPNs and see what they reveal.

    I'll post back in this thread as soon as I gather any relevant information.

    Thanks again.
    Fernando

    Sunday, July 15, 2018 9:25 PM
  • To minimize the number of exchanges of trace data, it might be better to include more providers in the first trace data: Microsoft-Windows-HttpService and Microsoft-Windows-WebIO. The resulting command looks like this:

    netsh trace start provider=Microsoft-Windows-RasSstp provider=Microsoft-Windows-HttpService provider=Microsoft-Windows-WebIO capture=yes correlation=disable tracefile=trouble.etl

    I think that the best freely available tool for analysing the resulting trace would be Microsoft's Message Analyzer. Even if one is not in the position of being fully able to understand the content, a quick check with Message Analyzer of the type of information in the trace data might be advisable before making the data publicly available.


    Monday, July 16, 2018 10:00 AM
  • Thanks again Gary.

    The trace in its simplest form (with just one provider) works like a charm on Windows 7 but fails on Windows 10 with error message "One or more parameters for the command are not correct or missing."

    OK on Win7, fails on Win10: netsh trace start provider=Microsoft-Windows-RasSstp capture=yes correlation=disable tracefile=trouble.etl

    Fernando

    Monday, July 16, 2018 6:02 PM
  • Works fine on my up-to-date Windows 10 PC. You could try removing the time-saving "correlation=disable" element and experimenting with the syntax (try "netsh trace start ?" for hints) until it works.

    C:\Users\Gary\Home\2018>netsh trace start provider=Microsoft-Windows-RasSstp provider=Microsoft-Windows-HttpService provider=Microsoft-Windows-WebIO capture=yes correlation=disable tracefile=trouble.etl

    Trace configuration:
    -------------------------------------------------------------------
    Status:             Running
    Trace File:         trouble.etl
    Append:             Off
    Circular:           On
    Max Size:           250 MB
    Report:             Off

    C:\Users\Gary\Home\2018>netsh trace stop
    Merging traces ... done
    Generating data collection ... done
    The trace file and additional troubleshooting information have been compiled as "C:\Users\Gary\Home\2018\trouble.cab".
    File location = C:\Users\Gary\Home\2018\trouble.etl
    Tracing session was successfully stopped.

    C:\Users\Gary\Home\2018>ver
    Microsoft Windows [Version 10.0.17134.165]



    Monday, July 16, 2018 6:24 PM
  • Hi Gary,

    I reformulated the netsh statement and now it runs on Windows 10. In fact, the provider=Microsoft-Windows-WebIO parameter in your example from Monday was OK. What made the statement fail on Windows 10 was the Microsoft-Windows-RasSstp provider.

    Now I'm going to see what insights I can get from the traces.

    Thank you.
    Fernando

    PS: Got the hint from this post: https://social.technet.microsoft.com/Forums/en-US/fdf8926f-ce18-4468-a171-5e0a1b155453/winhttp-tracing-in-windows-10?forum=win10itpronetworking

    Wednesday, July 18, 2018 6:21 PM
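    As an added example, not code from the thread or from Microsoft: the manifest Gary posts in the next reply maps each Microsoft-Windows-RasSstp event id to a template (the ordered payload fields) and a message string with %1, %2 placeholders. The Python below applies that mapping to render a trace record's text, so an event 6 record can be read as "security check failure" with its certificate hashes instead of as a bare id; the embedded manifest excerpt is constructed from that reply with shortened strings, and the CoId and hash values are constructed placeholders.

```python
"""Render Microsoft-Windows-RasSstp events from the provider manifest.

Added example, not code from the thread. It embeds a constructed excerpt of
the manifest posted in the thread (events 1, 4, 6, 16, 24 and 33 only, with
shortened message strings) and resolves an event's "%n" placeholders from its
template fields in the way an ETW consumer such as Message Analyzer does.
"""
import re
import xml.etree.ElementTree as ET

EVENTS_NS = "http://schemas.microsoft.com/win/2004/08/events"

# Constructed excerpt: same element structure as the real manifest, fewer
# attributes per <event>, and shortened (not verbatim) message strings.
MANIFEST_EXCERPT = """<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <instrumentation><events>
    <provider name="Microsoft-Windows-RasSstp" guid="{6c260f2c-049a-43d8-bf4d-d350a4e6611a}">
      <events>
        <event value="1" message="$(string.event.1.0.0)" template="tid.1.0.0" />
        <event value="4" message="$(string.event.4.0.0)" template="tid.4.0.0" />
        <event value="6" message="$(string.event.6.0.0)" template="tid.6.0.0" />
        <event value="16" message="$(string.event.16.0.0)" template="tid.1.0.0" />
        <event value="24" message="$(string.event.24.0.0)" />
        <event value="33" message="$(string.event.33.0.0)" template="tid.1.0.0" />
      </events>
      <templates>
        <template tid="tid.1.0.0">
          <data name="CoId" inType="win:UnicodeString" />
          <data name="Error Message" inType="win:UnicodeString" />
        </template>
        <template tid="tid.4.0.0">
          <data name="CoId" inType="win:UnicodeString" />
          <data name="HTTP Response Code" inType="win:UnicodeString" />
        </template>
        <template tid="tid.6.0.0">
          <data name="CoId" inType="win:UnicodeString" />
          <data name="SHA1 Certificate Hash" inType="win:UnicodeString" />
          <data name="SHA256 Certificate Hash" inType="win:UnicodeString" />
        </template>
      </templates>
    </provider>
  </events></instrumentation>
  <localization><resources culture="en-US"><stringTable>
    <string id="event.1.0.0" value="CoId=%1:The initial SSTP request could not be sent to the server.&#xD;&#xA;%2" />
    <string id="event.4.0.0" value="CoId=%1:The server has refused the SSTP request. HTTP status code: %2" />
    <string id="event.6.0.0" value="CoId=%1:SSTP connection terminated: security check failure.&#xD;&#xA;SHA1 Certificate Hash: %2&#xD;&#xA;SHA256 Certificate Hash: %3" />
    <string id="event.16.0.0" value="CoId=%1:The SSTP server certificate has an Enhanced Key Usage that is neither Server Authentication nor Any Purpose." />
    <string id="event.24.0.0" value="The certificates bound to the HTTPS listener for IPv4 and IPv6 do not match." />
    <string id="event.33.0.0" value="CoId=%1: SSTP could not configure the VPN server specific cookies.&#xD;&#xA;%%2" />
  </stringTable></resources></localization>
</instrumentationManifest>
"""


def _tag(name):
    """Qualify an element name with the manifest's default namespace."""
    return "{%s}%s" % (EVENTS_NS, name)


def load_manifest(xml_text):
    """Map event id -> (ordered template field names, message format string)."""
    root = ET.fromstring(xml_text)
    strings = {s.get("id"): s.get("value") for s in root.iter(_tag("string"))}
    templates = {t.get("tid"): [d.get("name") for d in t.findall(_tag("data"))]
                 for t in root.iter(_tag("template"))}
    events = {}
    for ev in root.iter(_tag("event")):
        ref = re.fullmatch(r"\$\(string\.(.+)\)", ev.get("message", ""))
        if ref is None or ref.group(1) not in strings:
            raise ValueError("event %s has no resolvable message string" % ev.get("value"))
        tid = ev.get("template")              # events 24/25/32 carry no template
        fields = templates[tid] if tid else []
        events[int(ev.get("value"))] = (fields, strings[ref.group(1)])
    return events


def render_event(manifest, event_id, payload):
    """Substitute %1..%n from payload fields in template order; "%%" is a literal %."""
    if event_id not in manifest:
        raise ValueError("event %d is not defined by this provider" % event_id)
    fields, fmt = manifest[event_id]
    missing = [f for f in fields if f not in payload]
    if missing:
        raise ValueError("event %d payload is missing %r" % (event_id, missing))
    values = [str(payload[f]) for f in fields]

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"                        # the manifest's "%%2" renders as "%2"
        index = int(token)
        if not 1 <= index <= len(values):
            raise ValueError("event %d uses %%%d but its template has %d fields"
                             % (event_id, index, len(values)))
        return values[index - 1]

    return re.sub(r"%(%|\d+)", substitute, fmt)


if __name__ == "__main__":
    manifest = load_manifest(MANIFEST_EXCERPT)
    # Constructed record of the kind a decoded trace would contain for event 6.
    record = {"CoId": "{CONSTRUCTED-1}", "SHA1 Certificate Hash": "aa" * 20,
              "SHA256 Certificate Hash": "bb" * 32}
    print(render_event(manifest, 6, record))
```

An event 6 hash pair that does not match the certificate the client expects, or an event 4 with a 4xx status from a proxy, would narrow a "connects then drops" symptom down to the trust or proxy layer before any packet capture is needed.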
  • Sorry. There are two Win32 HTTP APIs (WinINet (for client applications) and WinHttp (for server applications)) but many related ETW providers. WinINet is well covered by Microsoft-Windows-WinINet (and Microsoft-Windows-WinINet-Capture, when available). WinHttp is well covered by Microsoft-Windows-WinHttp and Microsoft-Windows-WebIO and, in my experience, most of the useful information is provided by the Microsoft-Windows-WebIO provider; nonetheless, I often make the mistake of associating the principal source of information with the provider that matches the API name.

    There is certainly a Microsoft-Windows-RasSstp provider under Windows 10. Here is an interpretation of its instrumentation manifest:

    <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <instrumentation>
        <events>
          <provider name="Microsoft-Windows-RasSstp" guid="{6c260f2c-049a-43d8-bf4d-d350a4e6611a}">
            <channels>
              <channel chid="System" name="System" type="Administrative" isolation="System" />
            </channels>
            <keywords>
              <keyword name="win:EventlogClassic" mask="0x80000000000000" />
            </keywords>
            <levels />
            <opcodes />
            <tasks />
            <events>
              <event value="1" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.1.0.0)" template="tid.1.0.0" />
              <event value="2" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.2.0.0)" template="tid.1.0.0" />
              <event value="3" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.3.0.0)" template="tid.3.0.0" />
              <event value="4" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.4.0.0)" template="tid.4.0.0" />
              <event value="5" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.5.0.0)" template="tid.1.0.0" />
              <event value="6" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.6.0.0)" template="tid.6.0.0" />
              <event value="7" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.7.0.0)" template="tid.7.0.0" />
              <event value="8" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.8.0.0)" template="tid.7.0.0" />
              <event value="9" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.9.0.0)" template="tid.9.0.0" />
              <event value="10" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.10.0.0)" template="tid.9.0.0" />
              <event value="11" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.11.0.0)" />
              <event value="12" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.12.0.0)" template="tid.12.0.0" />
              <event value="13" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.13.0.0)" template="tid.12.0.0" />
              <event value="14" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.14.0.0)" template="tid.7.0.0" />
              <event value="15" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.15.0.0)" template="tid.7.0.0" />
              <event value="16" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.16.0.0)" template="tid.1.0.0" />
              <event value="17" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.17.0.0)" template="tid.7.0.0" />
              <event value="18" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.18.0.0)" template="tid.7.0.0" />
              <event value="19" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.19.0.0)" template="tid.7.0.0" />
              <event value="20" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.20.0.0)" template="tid.7.0.0" />
              <event value="21" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.21.0.0)" template="tid.7.0.0" />
              <event value="22" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.22.0.0)" template="tid.7.0.0" />
              <event value="23" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.23.0.0)" template="tid.1.0.0" />
              <event value="24" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.24.0.0)" />
              <event value="25" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.25.0.0)" />
              <event value="32" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.32.0.0)" />
              <event value="33" version="0" level="0" opcode="0" task="0" channel="" keywords="win:EventlogClassic" message="$(string.event.33.0.0)" template="tid.1.0.0" />
            </events>
            <templates>
              <template tid="tid.1.0.0">
                <data name="CoId" inType="win:UnicodeString" outType="xs:string" />
                <data name="Error Message" inType="win:UnicodeString" outType="xs:string" />
              </template>
              <template tid="tid.3.0.0">
                <data name="CoId" inType="win:UnicodeString" outType="xs:string" />
                <data name="__binLength" inType="win:UInt32" outType="xs:unsignedInt" />
                <data name="binary" inType="win:Binary" outType="xs:hexBinary" length="__binLength" />
              </template>
              <template tid="tid.4.0.0">
                <data name="CoId" inType="win:UnicodeString" outType="xs:string" />
                <data name="HTTP Response Code" inType="win:UnicodeString" outType="xs:string" />
              </template>
              <template tid="tid.6.0.0">
                <data name="CoId" inType="win:UnicodeString" outType="xs:string" />
                <data name="SHA1 Certificate Hash" inType="win:UnicodeString" outType="xs:string" />
                <data name="SHA256 Certificate Hash" inType="win:UnicodeString" outType="xs:string" />
              </template>
              <template tid="tid.7.0.0">
                <data name="Error Message" inType="win:UnicodeString" outType="xs:string" />
              </template>
              <template tid="tid.9.0.0">
                <data name="Url" inType="win:UnicodeString" outType="xs:string" />
                <data name="Error Message" inType="win:UnicodeString" outType="xs:string" />
              </template>
              <template tid="tid.12.0.0">
                <data name="Error Message" inType="win:UnicodeString" outType="xs:string" />
                <data name="Certificate Name" inType="win:UnicodeString" outType="xs:string" />
              </template>
            </templates>
            <maps />
            <filters>
              <!--Not implemented-->
            </filters>
            <namedQueries>
              <!--N/A-->
            </namedQueries>
          </provider>
        </events>
      </instrumentation>
      <localization>
        <resources culture="en-US">
          <stringTable>
            <string id="event.1.0.0" value="CoId=%1:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again.&#xD;&#xA;&#xD;&#xA;%2" />
            <string id="event.2.0.0" value="CoId=%1:The initial Secure Socket Tunneling Protocol (SSTP) response could not be received. There might be intermittent network connectivity issues or the server might not be accepting SSTP connections. The detailed error message is provided below. Correct the problem and try again. &#xD;&#xA;&#xD;&#xA;%2" />
            <string id="event.3.0.0" value="CoId=%1:The HTTP response received from the server-side Secure Socket Tunneling Protocol (SSTP) either does not have the version information or the version is not supported. The HTTP version information received is logged in the data section below. The HTTP response from the SSTP server must contain the version header and the version must be 1.1." />
            <string id="event.4.0.0" value="CoId=%1:The server has refused the Secure Socket Tunneling Protocol (SSTP) request. Either a failure response code or no response code was received. The data portion below contains the response code that was received from the server. This is the HTTP status code present in the response. It can be because the web proxy or the SSTP server might be rejecting the connection, the server might not be configured for SSTP or the server might not have a port available for connection." />
            <string id="event.5.0.0" value="CoId=%1:The Secure Socket Tunneling Protocol (SSTP) negotiation has failed. The failure code is stored in the Data section of this message. Correct the problem and try again." />
            <string id="event.6.0.0" value="CoId=%1:The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer. Contact the system administrator of the remote access server and relay the following information:&#xD;&#xA;&#xD;&#xA;SHA1 Certificate Hash: %2&#xD;&#xA;SHA256 Certificate Hash: %3" />
            <string id="event.7.0.0" value="The Secure Socket Tunneling Protocol service could not open the ConfigStore that is used for storing service-specific information. This can lead to incorrect service configuration or a leak of system resources." />
            <string id="event.8.0.0" value="The Secure Socket Tunneling Protocol (SSTP) service could not initialize the HTTP layer for setting up the configuration. Any configuration changes applied by the administrator might not be applied by SSTP." />
            <string id="event.9.0.0" value="The Secure Socket Tunneling Protocol service could not secure the URL with the new service configuration. Other applications or services can override the URL reservation. Use 'netsh.exe http add urlacl' command to secure the access control list (ACL) manually. The detailed error message is given at the end of this message. &#xD;&#xA;&#xD;&#xA;URL: %1 &#xD;&#xA;&#xD;&#xA;%2" />
            <string id="event.10.0.0" value="The Secure Socket Tunneling Protocol service could not secure the default URL. This can prevent the servicing of the SSTP modules. Use 'netsh.exe http add urlacl' command to secure the ACL manually. The detailed error message is given at the end of this message. &#xD;&#xA;&#xD;&#xA;URL: %1&#xD;&#xA;&#xD;&#xA;%2" />
            <string id="event.11.0.0" value="The Secure Socket Tunneling Protocol (SSTP) service could not find either a Server Authentication certificate or an Any Purpose certificate to be used for HTTPS. Check to see the availability of either a Server Authentication certificate or an Any Purpose certificate which also has a private key. SSTP sessions may not get established. Use 'netsh.exe http add sslcert' command to configure the certificate manually or install the appropriate certificate for SSTP use and restart RemoteAccess service." />
            <string id="event.12.0.0" value="The Secure Socket Tunneling Protocol service could not configure the following certificate for use with Internet Protocol version 4 (IPv4). This might prevent SSTP connections from being established successfully. Correct the problem and try again.&#xD;&#xA;&#xD;&#xA;Certificate Name - %2&#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.13.0.0" value="The Secure Socket Tunneling Protocol service could not configure the following certificate for use with Internet Protocol version 6 (IPv6). This might prevent SSTP connections from being established successfully. Correct the problem and try again.&#xD;&#xA;&#xD;&#xA;Certificate Name - %2&#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.14.0.0" value="The Secure Socket Tunneling Protocol service could not configure the route to the VPN server, which is required for the proper functioning of the VPN connection. The detailed error message is given below. Correct the problem and try again. %1" />
            <string id="event.15.0.0" value="The Secure Socket Tunneling Protocol service could not get the network address of the remote server. This address is required for establishing the route for redirecting the traffic over the VPN interface. The detailed error message is provided below. Correct the problem and try again. %1" />
            <string id="event.16.0.0" value="CoId=%1:The Secure Socket Tunneling Protocol server has provided a certificate with an Enhanced Key Usage that is neither Server Authentication nor Any Purpose. This client will not accept the certificate. The connection will be canceled. Contact the server administrator to correct the issue and try again." />
            <string id="event.17.0.0" value="The Secure Socket Tunneling Protocol service could not open the Parameters section of the registry to read the configuration values, so SSTP cannot be initialized. The detailed error message is provided below. Correct the problem and try again. &#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.18.0.0" value="The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again. &#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.19.0.0" value="The Secure Socket Tunneling Protocol service either could not read the SHA1 certificate hash from the registry or the data is invalid. To be valid, the SHA1 certificate hash must be of type REG_BINARY and 20 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again. &#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.20.0.0" value="The Secure Socket Tunneling Protocol service was not able to allocate memory for setting up the configuration for accepting connections. The system might be low on memory. Correct the problem and restart the service." />
            <string id="event.21.0.0" value="The Secure Socket Tunneling Protocol service was not able to get the hash for the certificate configured with HTTP. The detailed error message is provided below. Correct the problem and try again. &#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.22.0.0" value="The Secure Socket Tunneling Protocol service could not be configured to accept incoming connections. The detailed error message is provided below. Correct the problem and restart the SSTP service. &#xD;&#xA;&#xD;&#xA;%1" />
            <string id="event.23.0.0" value="CoId=%1:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to the presence of a web proxy between the client and the server requiring authentication. Proxy authentication is not supported by this version of SSTP." />
            <string id="event.24.0.0" value="The certificates bound to the HTTPS listener for IPv4 and IPv6 do not match. For SSTP connections, certificates should be configured for 0.0.0.0:Port for IPv4, and [::]:Port for IPv6. The port is the listener port configured to be used with SSTP. The default listener port is 443." />
            <string id="event.25.0.0" value="The certificate used for Secure Socket Tunnelling Protocol (SSTP) is missing. You should configure a new certificate for SSTP or use default configuration" />
            <string id="event.32.0.0" value="The thumbprint (cert hash) of the certificate used for Secure Socket Tunnelling Protocol (SSTP) %1 is different than the certificate bound %2 to the Web listener (HTTP.sys). Configure SSTP to use the default certificate or the certificate bound to SSL. You can configure web server applications to use the same certificate used by SSTP" />
            <string id="event.33.0.0" value="CoId=%1: Secure Socket Tunnelling Protocol (SSTP) service could not configure the VPN server specific cookies. The detailed information on the error is given below.&#xD;&#xA;&#xD;&#xA;%%2" />
          </stringTable>
        </resources>
      </localization>
    </instrumentationManifest>

    Many of the problems that can occur with SSTP are covered by this provider - it will certainly be a loss if this information cannot be captured.

    Wednesday, July 18, 2018 7:07 PM
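As an added illustration of how the manifest above is used (this is example code, not part of the thread or of Windows), the following renders a RasSstp event message the way Event Viewer does: it maps the event's `$(string.…)` reference to the stringTable, takes the field names from the event's template, and substitutes `%N` insertions. The embedded manifest is a constructed excerpt limited to events 6 and 24; the assumed field-name convention (spaces replaced by underscores) is the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the Microsoft-Windows-RasSstp manifest quoted above:
# two events, one template and their strings. The full manifest declares an
# xmlns, so element names below are matched without their namespace.
MANIFEST = """<instrumentationManifest>
 <instrumentation><events><provider name="Microsoft-Windows-RasSstp">
  <events>
   <event value="6" message="$(string.event.6.0.0)" template="tid.6.0.0" />
   <event value="24" message="$(string.event.24.0.0)" />
  </events>
  <templates>
   <template tid="tid.6.0.0">
    <data name="CoId" inType="win:UnicodeString" outType="xs:string" />
    <data name="SHA1 Certificate Hash" inType="win:UnicodeString" outType="xs:string" />
    <data name="SHA256 Certificate Hash" inType="win:UnicodeString" outType="xs:string" />
   </template>
  </templates>
 </provider></events></instrumentation>
 <localization><resources culture="en-US"><stringTable>
  <string id="event.6.0.0" value="CoId=%1:The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer. Contact the system administrator of the remote access server and relay the following information:&#xD;&#xA;&#xD;&#xA;SHA1 Certificate Hash: %2&#xD;&#xA;SHA256 Certificate Hash: %3" />
  <string id="event.24.0.0" value="The certificates bound to the HTTPS listener for IPv4 and IPv6 do not match. For SSTP connections, certificates should be configured for 0.0.0.0:Port for IPv4, and [::]:Port for IPv6. The port is the listener port configured to be used with SSTP. The default listener port is 443." />
 </stringTable></resources></localization>
</instrumentationManifest>"""


def _local(elem):
    """Tag name without the {namespace} prefix ElementTree adds."""
    return elem.tag.rsplit("}", 1)[-1]


def load_provider(xml_text):
    """Build (events, templates, strings) lookups from a manifest."""
    root = ET.fromstring(xml_text)
    strings = {s.get("id"): s.get("value")
               for s in root.iter() if _local(s) == "string"}
    templates = {t.get("tid"): [d.get("name") for d in t if _local(d) == "data"]
                 for t in root.iter() if _local(t) == "template"}
    events = {}
    for ev in (e for e in root.iter() if _local(e) == "event"):
        m = re.fullmatch(r"\$\(string\.(.+)\)", ev.get("message", ""))
        events[int(ev.get("value"))] = (m.group(1) if m else None, ev.get("template"))
    return events, templates, strings


def render(provider, event_id, **fields):
    """Format an event's message as Event Viewer would: %N becomes the N-th
    template field (1-based). A doubled %%N is not a plain insert and is left
    untouched. Pass fields by template data name with spaces as underscores
    (assumed convention), e.g. SHA1_Certificate_Hash=...; the set of fields
    must match the template exactly."""
    events, templates, strings = provider
    string_id, tid = events[event_id]
    names = [n.replace(" ", "_") for n in templates.get(tid, [])]
    if set(fields) != set(names):
        raise ValueError(f"event {event_id} expects fields {names}")
    values = [fields[n] for n in names]
    return re.sub(r"(?<!%)%(\d+)", lambda m: values[int(m.group(1)) - 1],
                  strings[string_id])
```

The `&#xD;&#xA;` character references survive XML parsing as CR LF, so the rendered text carries the same line breaks the Event Viewer shows.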
  • Hi Gary,

    Thank you again for your detailed explanation on Windows tracing. It is much appreciated.
    As you know, one thing I observed in the past days was that Windows 10's "netsh trace start" statement accepts the WebIO provider but rejects RasSstp.

    In addition, I also discovered that the Windows 10 computers where the SSTP VPN suffered immediate disconnections (the fact that gave rise to my original post) also failed to run "netsh trace start" with the error "Access is denied" (even though it was run elevated).
    The common denominator between the VPN drops and tracing getting "Access is denied" was that these two errors happened only on domain-joined computers. Computers that were not part of the domain suffered neither VPN drops nor access denied when starting traces.

    Because Active Directory management is beyond my scope, I escalated the claim to the AD staff and now it seems the VPN issue has been solved. I wasn't given any details, though.

    To close the thread I've marked two of your replies as "answers". They helped to expose some GPO misconfiguration.

    Thank you.
    Fernando
    PS: To expand a bit on providers: in all the tracing tests I did on Windows 10, the Microsoft-Windows-RasSstp provider was not recognised and was therefore rejected. When I replaced it with the Microsoft-Windows-WebIO provider, the "netsh trace start" statement was accepted. But then the traces on domain-joined computers couldn't be run because of "Access is denied", though they did succeed on non-domain-joined ones.

    • Proposed as answer by AlperE Friday, December 7, 2018 6:48 AM
    Sunday, July 22, 2018 9:16 PM
  • Well, I was having the same problem with 1809; I managed to solve my problem with your hint. I'm not in any domain, but SSTP was disconnecting after a few seconds; still, I was able to solve this by changing the network identity to home computer from system settings.
    Friday, December 7, 2018 6:48 AM
  • AlperE, good to know you found this thread useful.

    Sunday, December 9, 2018 5:38 PM
  • Not sure what Network reset does behind the scenes, but it fixed the issue for me on a Windows 10 Surface 3 Pro that a week ago suddenly started dropping the VPN right after connecting. Deleting the VPN, deleting credentials, rebooting, none of that worked until I did a network reset.
    Wednesday, January 30, 2019 10:47 PM
  • Just had a similar issue: the SSTP VPN server certificate didn't match the IIS certificate. Task Scheduler was used to renew the Let's Encrypt cert automatically, but RRAS didn't know about it and needed a restart as well. System log on the client:

    The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer. Contact the system administrator of the remote access server and relay the following information:

    IT... ugh

    Tuesday, January 14, 2020 3:00 PM
  • Had a similar issue to the one described.

    My problem was that the proper certificate was not selected in the Routing and Remote Access Properties under the Security tab.

    Originally there was nothing selected in the drop-down list under the SSL Certificate Binding. That caused immediate disconnection of my VPN. When I selected the proper certificate the VPN connection established successfully and persisted without a problem.
    Thursday, August 6, 2020 8:29 AM
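The last two replies, like RasSstp events 24 and 32 in the manifest earlier in the thread, come down to the certificate RRAS uses for SSTP not matching what HTTP.sys has bound on the IPv4 and IPv6 listeners. The check below is an added example (not from the thread or from Microsoft): it parses captured `netsh http show sslcert` output and reports the mismatches those two events describe. The sample output and its hashes are constructed, the key : value layout is assumed to match the real tool's, and the SSTP thumbprint is passed in by the caller (for instance from the RRAS Security tab).

```python
import re

# Constructed sample of `netsh http show sslcert` output with placeholder
# hashes; the key : value layout is assumed to match the real tool's.
NETSH_OUTPUT = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {CONSTRUCTED-APPID}
    Certificate Store Name       : MY

    IP:port                      : [::]:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {CONSTRUCTED-APPID}
    Certificate Store Name       : MY
"""


def parse_sslcert(text):
    """Map each 'ip:port' binding to its (lowercased) certificate hash."""
    bindings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(IP:port|Certificate Hash)\s*:\s*(\S+)", line)
        if not m:
            continue
        if m.group(1) == "IP:port":
            current = m.group(2)
        elif current is not None:
            bindings[current] = m.group(2).lower()
            current = None
    return bindings


def check_sstp_bindings(bindings, sstp_sha1, port=443):
    """Return findings mirroring RasSstp events 24 and 32. sstp_sha1 is the
    thumbprint RRAS is configured to use for SSTP (supplied by the caller);
    port is the SSTP listener port, 443 by default."""
    findings = []
    listeners = {"IPv4": bindings.get(f"0.0.0.0:{port}"),
                 "IPv6": bindings.get(f"[::]:{port}")}
    for family, h in listeners.items():
        if h is None:
            findings.append(f"no HTTPS binding for the {family} listener on port {port}")
        elif h != sstp_sha1.lower():
            findings.append(f"{family} listener certificate differs from the SSTP certificate (event 32)")
    if listeners["IPv4"] and listeners["IPv6"] and listeners["IPv4"] != listeners["IPv6"]:
        findings.append("IPv4 and IPv6 listener certificates differ (event 24)")
    return findings
```

An empty findings list means both listeners carry the SSTP certificate; after an automated renewal such as the Let's Encrypt case above, re-running the check (and restarting RRAS) is what closes the gap the client logs as a security check failure.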