locked
L2TP VPN issue in Vista SP1 RRS feed

  • Question

  • I've been using L2TP in Vista to access my corporate VPN for the last year without any issues - but Vista SP1 seems to have mostly broken that functionality (for me at least). 

     

    What's happening now is pretty erratic.  In about 9 out of 10 connection attempts, I get stuck at the 'Connecting' dialog for about a minute until the connection times out and I get a dialog asking if I want to either retry or diagnose the issue.  The weird thing is that the connection dialog does move on to authentication about once out of every 10 tries and I’m able to connect just fine in those cases.

     

    At first I thought maybe something was going on with the networking, so I completely disabled the firewall and it didn't help at all.  I also attached WireShark and, although I can't really see what's going on inside the tunnel, I can see that a connection is being made. 

     

    I went ahead and enabled logging and found something interesting inside of tapisrv.log.  It turns out that on all of the failed attempts I get a series of log entries like this:

     

    [5240] 12:45:19:762: [TRACE] ClientAttach: enter, pid=x7c8, user='myusername', machine='MYMACHINENAME'
    [5240] 12:45:19:767: [INFO ] ClientAttach: LookupAccountSidW: User name myusername Domain name DOMAIN
    [5240] 12:45:19:767: [INFO ] ClientAttach(myusername): Auth level = 0x6
    [5240] 12:45:19:767: [ERROR] OpenProcess(pid=x7c8) failed, err=5

     

    On the successful attempts, I get similar entries like this:

     

    [1436] 12:45:20:262: [TRACE] ClientAttach: enter, pid=xb20, user='myusername', machine='MYMACHINENAME'
    [1436] 12:45:20:262: [INFO ] ClientAttach: LookupAccountSidW: User name myusername Domain name DOMAIN
    [1436] 12:45:20:262: [INFO ] ClientAttach(myusername): Auth level = 0x6
    [1436] 12:45:20:282: [TRACE] TReadLocations: enter
    [1436] 12:45:20:282: [INFO ] TReadLocations: Check only, no data transfer
    [1436] 12:45:20:282: [TRACE] TReadLocations: exit, result=x0
    [5240] 12:45:20:282: [TRACE] ClientDetach: enter

    The really interesting thing here is that the process ID changes every time I attempt a new connection.  The VPN connection appears to fail every time it fails to connect to a process - and it succeeds when the attach succeeds. 

     

    I also started checking which processes it was trying to attach to and it seems completely random.  The only thing that is consistent is that it only succeeds when the target process is a user-mode app (such as explorer.exe).

     

    Anyway, I’m still debugging this – but I need to get it resolved as soon as possible.  Any help would definitely be appreciated.

     

    Wednesday, March 12, 2008 1:50 AM

Answers

  • Hi Dave M in Austin,

     

    Thank you for your research. Based on your description, the issue is POSSIBLY related to the differences between Windows Vista and Windows Vista SP1. However, please understand that we are not the best resource for the issue related to SP1 so far. I suggest submitting it to our Windows Vista Service Pack 1 forum, The support professionals are better qualified for issues related to SP1.

     

    For your convenience, I’ve included the link of Windows Vista SP1 forum:

     

    Windows Vista Service Pack 1 (SP1)

    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1992&SiteID=17

     

    Hope the issue can be resolved soon.

     

    Have a nice day.

     

    Monday, March 17, 2008 6:59 AM
    Moderator

All replies

  • I think we has exact the same Problem in our company, all Vista clients can't connect via VPN since SP1! I can confirm that the IPSEC connection is being made correctly. 

     

    But after that we get the following - no helpful - error messages on our concentrator:

     

    55568 02/26/2008 10:01:16.600 SEV=4 L2TP/5 RPT=45 xxx.xxx.xxx.xxx

    Received Result Code AVP which is invalid for message Incoming-Call-Request (ip

    = xxx.xxx.xxx.xxx)

     

    55570 02/26/2008 10:01:16.600 SEV=4 L2TP/47 RPT=5044 xxx.xxx.xxx.xxx

    Session closed on tunnel xxx.xxx.xxx.xxx (peer 1, local 41636, serial 0), reason:

     

    Please tell us which additional information are require to solve around the problem?  

     

    THX

    Wednesday, March 12, 2008 10:07 AM
  • I've spent more time with this and it turns out I can easily reproduce the problem in a lab environment.  All I have to do is setup a VPN server to use L2TP shared keys and then attempt connections with Vista and Vista SP1.

     

    The standard Vista systems will always connect just fine and the Vista SP1 systems will fail most of the time with an error 809.

     

    Does anyone have any idea what the problem could be here?  I'm starting to think that L2TP is just broken in Vista SP1...

     

     

    Friday, March 14, 2008 5:43 PM
  • Hi Dave M in Austin,

     

    Thank you for your research. Based on your description, the issue is POSSIBLY related to the differences between Windows Vista and Windows Vista SP1. However, please understand that we are not the best resource for the issue related to SP1 so far. I suggest submitting it to our Windows Vista Service Pack 1 forum, The support professionals are better qualified for issues related to SP1.

     

    For your convenience, I’ve included the link of Windows Vista SP1 forum:

     

    Windows Vista Service Pack 1 (SP1)

    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1992&SiteID=17

     

    Hope the issue can be resolved soon.

     

    Have a nice day.

     

    Monday, March 17, 2008 6:59 AM
    Moderator
  • Just thought I'd add my voice to the crowd.

     

    I have the same problem with Vista SP1 and zonealarm antivirus. Reports seem to suggest that something in Vista SP1 has broken 3rd party firewalls.

     

    I have reported the error and suggest everyone else with the problem does the same to get some momentum.


    LJ

     

    Saturday, May 10, 2008 10:42 AM
  • Vista has been the source of nonending headaches for my VPN management at work.

    My PIX 6.3.5 server worked fine for supporting Microsoft XP native L2TP VPN connections but I was never able to get Vista to work. I just upgraded to PIX 7.2.3 and it appears that while L2TP supports works for both Windows XP and Mac OS X 10.5 clients, Vista is STILL not working.

    Is there a definitive workaround for this problem?
    Friday, May 16, 2008 4:29 PM
  • I have encountered a similar problem.  I was connecting via VPN with Vista Home and Premium version.  I upgraded to Vista Ultimate and applied SP1 - since that time I have not been able to connect.  It apprears to fail to execute the cacheclearner and the firewall DNS firepass. 

     

    I would greatly appreciate if anyone has any suggestions.  I have called Microsoft and HP and seem to be caught up in a whirlwind of who is able to fix this.  Of course for a nominal fee - they will take a look at the issue.

     

    Here are the trace logs I received in my attempt to connect to a SSL VPN.  I get to the connecting screen and receive the message DEVICE NOT FOUND.

     

    CLEANER:1960,5692)  log level has been changed to 0
    Wed May 28 03:16:33 2008 GMT (CLEANER:1960,5692)  Failed to receive full path to CacheCleaner.exe
    Wed May 28 03:16:46 2008 GMT (SUPERHOST:1960,3188)  log level has been changed to 0
    Wed May 28 03:16:47 2008 GMT (SUPERHOST:1960,3188)  Request to install/update control (clsid="{E0FF21FA-B857-45C5-8621-F120A0C17FF2}", codebase
    Wed May 28 03:16:47 2008 GMT (SUPERHOST:1960,3792)  need not install/update control (clsid="{E0FF21FA-B857-45C5-8621-F120A0C17FF2}", codebase="

    Wed May 28 03:16:47 2008 GMT (HOST:1960,3188)  log level has been changed to 0
    Wed May 28 03:16:47 2008 GMT (HOST:1960,3188)  Request to install/update control (clsid="{6C275925-A1ED-4DD2-9CEE-9823F5FDAA10}", codebase="
    Wed May 28 03:16:47 2008 GMT (HOST:1960,3964)  need not install/update control (clsid="{6C275925-A1ED-4DD2-9CEE-9823F5FDAA10}",

     

     

     

    Wednesday, May 28, 2008 11:09 PM
  • Hi all! Posted this to the SP1 forum, but in case you are reading this here goes.

     

    I had the same problem, and I must admit I was extremely happy today to have found a solution from MS.

     

    Just to make sure you are experiencing the same problem as I was: Standard installation of Vista. Installed SP1. VPN stops working with message "Failed to connect" and event ID 20227 "The user xxxx\xxxx dialed a connection....". I tried to turn of the firewall, virus scanner, etc but the problem still exsisted.

     

    So the solution is: "VPN WAN miniport is corrupted or not present." !? For a complete description see http://support.microsoft.com/kb/953795

     

    The short version to fix this is as follows:

    "1. Click Start>All Programs>Accessories and click "Command Prompt".

    2. In the Command prompt, type the following commands one by one and press Enter after each one.

    Netcfg -u MS_L2TP
    Netcfg -u MS_PPTP
    Netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
    Netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP

    NOTE: When prompted by User Account Control, click Continue. "

     

    Good luck, and hopefully I can stop some production of grey hair. ;o)

     

    Best regards

    Morten Yndesdal

     

    Thursday, June 12, 2008 3:39 PM
  • I have a problem with my VPN connection using the Cisco VPN client however my problem only persists when Zonealarm is active. If I shutdown ZA then I am able to connect successfully.

    My symptoms are with ZA active are:

    1) longer time to connect
    2) successful connection but all packets are discarded or ignored

    Shutting down ZA and everything works as advertised.

    I followed the steps above to check for the devices and I have both so apparently in my Vista Home Premium I do not have this specific problem.

    Any suggestions?

    thx
    Saturday, June 28, 2008 3:58 PM
  • This chap Morten deserves a medal! Excellent post - this worked first time, be patient with the command line installs, certain anti-virus/monitoring software may question the validity of the command being run - tell it to 'piss off' 'cos you know what you're doing and all will be sweet.

     

    Morten - where do I send the cheque?  :-)

     

    PS the hair has stopped greying - and the clumps ripped out are re-growing nicely!

     

     

     

     Morten Yndesdal wrote:

    Hi all! Posted this to the SP1 forum, but in case you are reading this here goes.

     

    I had the same problem, and I must admit I was extremely happy today to have found a solution from MS.

     

    Just to make sure you are experiencing the same problem as I was: Standard installation of Vista. Installed SP1. VPN stops working with message "Failed to connect" and event ID 20227 "The user xxxx\xxxx dialed a connection....". I tried to turn of the firewall, virus scanner, etc but the problem still exsisted.

     

    So the solution is: "VPN WAN miniport is corrupted or not present." !? For a complete description see http://support.microsoft.com/kb/953795

     

    The short version to fix this is as follows:

    "1. Click Start>All Programs>Accessories and click "Command Prompt".

    2. In the Command prompt, type the following commands one by one and press Enter after each one.

    Netcfg -u MS_L2TP
    Netcfg -u MS_PPTP
    Netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
    Netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP

    NOTE: When prompted by User Account Control, click Continue. "

     

    Good luck, and hopefully I can stop some production of grey hair. ;o)

     

    Best regards

    Morten Yndesdal

     

    Friday, July 4, 2008 6:32 AM
  • Hi all,

    (Skip the next three paragraphs if nothing you've found on forums so far works to get your VPN running again and you just want to try something desperately!)

    This information didn't solve the problem with my PPTP VPN connection - however it put me on the right path, thanks Morten =]  After piecing together tips from different sources and a couple of hours I found a solution that worked for me.  Hopefully this might also help others who I saw on many different forums weren't helped by the KB solution.  Interestingly enough I happened to make my way here through the Vista installation FAQ for the Relakks VPN service...

    Let me start with describing my scenario.  After trying to remove and re-install the PPTP/L2TP devices using netcfg I soon noticed I ended up with two separate PPTP miniports in the device manager list.  So I figured I had to get them both removed so I will know the RAS client is using the one I install after that.  So I removed the first
    using netcfg -u, no problem.  Then I tried running netcfg -u to remove the second one.  No luck; it reported that no PPTP devices exist.  And uninstalling through the device manager didn't work on any of them.  When I eventually succeeded, re-installing the PPTP device again as described in the KB did indeed add the device, but when making the connection, the RAS client failed quickly with the dreaded error 807 (or was it 809 ?), event ID 20227, as before...

    So... THE SOLUTION (that worked for me) involves two very similar steps: removing the "sticky" PPTP device, and adding a new (working) PPTP device.  It could be that removing the "sticky" PPTP device isn't necessary - but I like to keep things tidy and organized so I didn't even bother trying that scenario =] 
    No reboots required anywhere in this process.

    Step one, remove the "sticky" PPTP device.  I found a working method on this page (thanks to ChicagoTech!) - however only steps 1-3 is interesting - using devcon to install the device obviously doesn't work since it's XP specific.  I've mirrored the steps here for your convenience:

    1. Go to device manager and select "Show Hidden Devices" under the View menu.

    2. Expand Network adapters. You should see the WAN Miniport (PPTP)

    3. Try right clicking on it and uninstalling it. More than likely it won't allow you to. To get around this update the driver to something "uninstallable" like the MAC Bridge. To do this right click on it and select update driver. Choose no to look on windows update. Then choose to specify a location. Next choose dont search. Next unselect show compatible hardware and find the MAC Bridge under Microsoft. Force it to install it. After thats done you should be able to uninstall your new 'MAC Bridge Miniport."


    So now all the defunct PPTP devices are gone, joy and happiness.  Sweet smell of araliya flowers in every nostril.  Now, on to the next step...

    Step two, add a working PPTP device.  This, I stumbled across in pure unguided desperation.  I claim no cerebral capacity or
    intellectual credit for discovering this step.  If anything, I attribute my current digital karma to this solution.  Please enjoy.  I celebrated the find by eating half a packet of extremely thin and crunchy cashew nut cookies.  Ok, here it comes.  Run this from an Administrator-elevated Command Prompt:

    netcfg -l c:\windows\inf\netrass.inf -c p -i MS_PPTP

    Hey, did you see the difference from the KB article?  You haven't tried this before, I'm quite sure.  Let me type it again to make it extra clear:

    netcfg -l c:\windows\inf\netrass.inf -c p -i MS_PPTP

    Windows will warn you that it's not really what it wants to do with a big flashy red banner.  But just tell it to do it anyway.

    Ok... That's all.  Another beautiful vibrating sunset.  Hope it works as well for you as it did for me.  I take no responsibility concerning your reactions, behaviour or outcome as a result of reading and interpreting all of this.  This is simply a report on the discoveries of a successful but stubborn and somewhat desperate trial & error session, not a Microsoft endorsed and/or legally binding instruction.
      Try it, and/or don't try it.  Time to sleep.  Zzz...

    Peace, unity and love to one and all,
    Kim Svedmark

    • Proposed as answer by Delta Quotient Wednesday, April 22, 2009 12:54 AM
    Tuesday, October 7, 2008 11:30 PM
  • Hi, I tried the above steps but was not helpful I still get the error with "Device not found". Are there any more steps that you can provide to have this issue resolved. I use a wireless card connection. (Information may be of some help) Thanks bro
    Wednesday, April 22, 2009 12:55 AM
  • Hi all,

    (Skip the next three paragraphs if nothing you've found on forums so far works to get your VPN running again and you just want to try something desperately!)

    This information didn't solve the problem with my PPTP VPN connection - however it put me on the right path, thanks Morten =]  After piecing together tips from different sources and a couple of hours I found a solution that worked for me.  Hopefully this might also help others who I saw on many different forums weren't helped by the KB solution.  Interestingly enough I happened to make my way here through the Vista installation FAQ for the Relakks VPN service...

    Let me start with describing my scenario.  After trying to remove and re-install the PPTP/L2TP devices using netcfg I soon noticed I ended up with two separate PPTP miniports in the device manager list.  So I figured I had to get them both removed so I will know the RAS client is using the one I install after that.  So I removed the first
    using netcfg -u, no problem.  Then I tried running netcfg -u to remove the second one.  No luck; it reported that no PPTP devices exist.  And uninstalling through the device manager didn't work on any of them.  When I eventually succeeded, re-installing the PPTP device again as described in the KB did indeed add the device, but when making the connection, the RAS client failed quickly with the dreaded error 807 (or was it 809 ?), event ID 20227, as before...

    So... THE SOLUTION (that worked for me) involves two very similar steps: removing the "sticky" PPTP device, and adding a new (working) PPTP device.  It could be that removing the "sticky" PPTP device isn't necessary - but I like to keep things tidy and organized so I didn't even bother trying that scenario =] 
    No reboots required anywhere in this process.

    Step one, remove the "sticky" PPTP device.  I found a working method on this page (thanks to ChicagoTech!) - however only steps 1-3 is interesting - using devcon to install the device obviously doesn't work since it's XP specific.  I've mirrored the steps here for your convenience:

    1. Go to device manager and select "Show Hidden Devices" under the View menu.

    2. Expand Network adapters. You should see the WAN Miniport (PPTP)

    3. Try right clicking on it and uninstalling it. More than likely it won't allow you to. To get around this update the driver to something "uninstallable" like the MAC Bridge. To do this right click on it and select update driver. Choose no to look on windows update. Then choose to specify a location. Next choose dont search. Next unselect show compatible hardware and find the MAC Bridge under Microsoft. Force it to install it. After thats done you should be able to uninstall your new 'MAC Bridge Miniport."


    So now all the defunct PPTP devices are gone, joy and happiness.  Sweet smell of araliya flowers in every nostril.  Now, on to the next step...

    Step two, add a working PPTP device.  This, I stumbled across in pure unguided desperation.  I claim no cerebral capacity or
    intellectual credit for discovering this step.  If anything, I attribute my current digital karma to this solution.  Please enjoy.  I celebrated the find by eating half a packet of extremely thin and crunchy cashew nut cookies.  Ok, here it comes.  Run this from an Administrator-elevated Command Prompt:

    netcfg -l c:\windows\inf\netrass.inf -c p -i MS_PPTP

    Hey, did you see the difference from the KB article?  You haven't tried this before, I'm quite sure.  Let me type it again to make it extra clear:

    netcfg -l c:\windows\inf\netrass.inf -c p -i MS_PPTP

    Windows will warn you that it's not really what it wants to do with a big flashy red banner.  But just tell it to do it anyway.

    Ok... That's all.  Another beautiful vibrating sunset.  Hope it works as well for you as it did for me.  I take no responsibility concerning your reactions, behaviour or outcome as a result of reading and interpreting all of this.  This is simply a report on the discoveries of a successful but stubborn and somewhat desperate trial & error session, not a Microsoft endorsed and/or legally binding instruction.
      Try it, and/or don't try it.  Time to sleep.  Zzz...

    Peace, unity and love to one and all,
    Kim Svedmark


    Hi - first time in adding to a blog, but very grateful to above.
    Tried this after having upgraded to windows 7 64bit from windows XP, found I was unable to connect to a SBS2003 server (windows 2003 server) via VPN
    To cut a long story short it turned out I was missing the WAN miniport PPTP - the VPN connection was confiured for automatic and was stalling at the L2PT (my server not configured for this protocol - but did not want to make chages to a working configuration).

    When I changed the VPN client connectionon my PC from automatic to PPTP came up "device not found". Further investigation revealed that the WAN Miniport PPTP was missing.

    I had trawlled the internet trying to find out how to re-install - and tried various solutions - non had worked.

    The above did - so very grateful to Kim Svedmark for submitting -



    Wednesday, December 23, 2009 7:23 PM
  • I'm having the same issues, Windows 7 x64. I can't get it to connect.

    VPN Profile created on Windows Server 2008 x64 - Target Vista/Win7 x64 and XP x64.
    VPN Profile created on Windows 7 x86 - Target - Vista/Win7 x86 and XP x86.

    VPN Hosts - Windows Server 2003, R2, SP2, ISA 2006 Enterprise, clustered.

    Connection is IP (Not DNS Name), L2TP, MS-CHAPv2, PSK. Only the Windows 7 x64 client fails. I've tried the above twice, and nothing works. I've compared the Windows 7 x86 to the x64 and don't see any differences, recreated the profiles, rebooted the ISA Servers, even talked nicely to them... Really starting to annoy me. Anyone have any other suggestions before I call MS Support?

    Cheers,

    Zen
    Wednesday, February 3, 2010 5:12 PM