VPN on TMG 2010 Not Working

  • Question

  • Good Day,

    I have installed TMG 2010 on a Hyper-V guest machine. TMG 2010 is installed with the Edge Network Template. The TMG is configured with two NICs: one has a real IP and the other has a private IP. Everything is working fine (accessing the Internet, URL filter, ...). I tried to configure VPN but with no luck. When I enable the VPN I get the following:
    1. The Routing and Remote Access service does not start.
    2. I get the event error 20103 saying "Unable to load C:\Windows\System32\iprtrmgr.dll."
    3. I get the event error 7024 saying "The Routing and Remote Access service terminated with service-specific error A device attached to the system is not functioning.."

    When I tried to start the service manually and configure the Routing and Remote Access service manually, it also failed to start.

    Any help will be appreciated.

    Thank you

    aafifi
    Tuesday, January 12, 2010 8:15 AM

Answers

  • Dear All,

    After all the suggestions and investigation I found the solution, and it is working. Here are the steps to get the VPN working on TMG 2010 on Windows 2008:

    1. Disable the VPN from the TMG 2010 Console (if you enabled it)

    2. Disable the Routing and Remote Access service

    3. Enable all IPv6 functionality

    4. Remove this registry value ([HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters] "DisabledComponents"=dword:ff) if you installed it.

    5. Restart the TMG server

    6. Now enable the VPN from the TMG 2010 Console

     

    regards,

    Ahmed Afifi


    aafifi
    • Marked as answer by Ahmed Afifi Wednesday, May 12, 2010 8:46 AM
    Wednesday, May 12, 2010 8:46 AM
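
A read-only check of the conditions named in the answer above, added here as an example and not posted by anyone in the thread: it reports the `DisabledComponents` value, whether the `RouterManagers\IPv6` key exists, the state of the `RemoteAccess` service, and recent System-log events 20103 and 7024. It assumes an elevated PowerShell 2.0 or later session on the TMG server; the variable names are illustrative.

```powershell
# Added example: read-only, changes nothing on the server.
$tcpip6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$rrasIPv6  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IPv6'

# DisabledComponents is absent (or 0) when the IPv6 stack is fully enabled.
# A DWORD of 0xFFFFFFFF is returned as a signed Int32 (-1); the X format shows it as hex.
$prop = Get-ItemProperty -Path $tcpip6Key -Name DisabledComponents -ErrorAction SilentlyContinue
$dc   = if ($prop) { $prop.DisabledComponents } else { $null }

if ($null -eq $dc)  { $ipv6State = 'DisabledComponents not set (IPv6 enabled)' }
elseif ($dc -eq 0)  { $ipv6State = 'DisabledComponents = 0x0 (IPv6 enabled)' }
else                { $ipv6State = 'DisabledComponents = 0x{0:X} (IPv6 components disabled)' -f $dc }

# RRAS runs as the RemoteAccess service.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'service not found' }

# Event 7024 is logged for any service, so keep only the RRAS entries.
$filter = @{ LogName = 'System'; Id = 20103, 7024 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 20103 -or $_.Message -like '*Routing and Remote Access*' })

# Summary object (New-Object keeps this compatible with PowerShell 2.0).
New-Object PSObject -Property @{
    IPv6Stack              = $ipv6State
    RouterManagersIPv6Key  = Test-Path $rrasIPv6
    RemoteAccessService    = $svcState
    RrasStartFailureEvents = $events.Count
} | Format-List

# Show the most recent matching events, newest first.
$events | Select-Object -First 5 TimeCreated, Id, Message | Format-List
```

A non-zero `DisabledComponents` together with events 20103 or 7024 matches the failure described in this thread.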

All replies

  • hi,

    The problem still occurred when I installed TMG 2010 on a physical machine in place of the Hyper-V guest; I think the problem is in TMG 2010 with Windows 2008 R2. I will try to update Windows with the latest security and critical updates, and configure VPN again.

    regards,

    aafifi
    Monday, January 18, 2010 7:42 AM
  • Microsoft Experts, please respond.

    I tested the VPN function on TMG 2010 on Windows 2008 SP2 and it works perfectly, but on Windows 2008 R2 it is still not working and the above errors still appear.

    Is there a compatibility issue in TMG 2010 RTM with Windows 2008 R2?



    aafifi
    Monday, January 18, 2010 12:48 PM
  • Hi,

     

    Thank you for the post.

     

    As far as I know, no issues or differences have been noted in the TMG 2010 RTM install and operation on Windows 2008 SP2 and Windows 2008 R2. Please try to remove IPv6 in the following registry key and start the service.

     

    HKEY_LOCAL_MACHINE\System\currentcontrolset\services\remoteaccess\routermanagers\IPV6

     

    Regards,


    Nick Gu - MSFT
    Tuesday, January 19, 2010 9:14 AM
    Moderator
  • The problem is disabling IPv6 as supposed at “Unsupported Configurations”. This article says:

    Forefront TMG does not support IPv6 traffic

    Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

    Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

    Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG computer or array members. To disable the IPv6 stack on the Forefront TMG computer or array member, see Knowledge Base article KB929852 (http://go.microsoft.com/fwlink/?LinkId=179983).

    But actually if I disable IPv6 (i.e. set DisabledComponents = 0xFFFFFFFF) RRAS service does not start exactly as Ahmed Afifi described. So I had to turn it back to 0x0 and that fixed RRAS.

    Tuesday, January 19, 2010 11:37 PM
  • Does Microsoft have any idea how many people they are frustrating by VPN on TMG not working "out of the box" on a brand new Windows 2008 R2 server?  How could this have possibly gotten through testing without getting noticed? I wasted dozens of hours thinking it was "my" fault...

    /End of Rant.
    Wednesday, February 10, 2010 9:14 PM
  • Does Microsoft have any idea how many people they are frustrating by VPN on TMG not working "out of the box" on a brand new Windows 2008 R2 server?  How could this have possibly gotten through testing without getting noticed? I wasted dozens of hours thinking it was "my" fault...

    /End of Rant.

    Hi Robert,

    Could you please clarify which solution helped you?
    Thursday, February 11, 2010 6:19 AM
  • I didn't get to a solution.  I installed TMG on a new W2K8R2 box. Everything worked except VPN.  Tried all kinds of things (and several late nights) to get it working, nothing worked.  (I've been getting basic VPN working on machines since MS Proxy Server...)  Installed TMG on another W2K8R2 box and when I started seeing the same issues on it, I realized that something is amiss here.  I could have done a PSS support call, but due to some other things going on I just didn't have the time for what probably would be a marathon support session.

    I'm just going to stick with ISA 2006 on a w2k3 machine for now.


    Thursday, February 11, 2010 11:02 AM
  • Question re-opened.

    Keith
    Keith Alabaster - MVP/Forum Moderator
    Thursday, February 11, 2010 6:21 PM
    Moderator
  • I also have this same issue.  I have rebuilt the system many times, and logging doesn't show much.  I can do a Wireshark trace to try to figure it out.  But this is obviously a bug in TMG that hopefully gets fixed here soon.
    Anyone have any ideas on when this fix might happen?
    Friday, February 12, 2010 4:35 AM
  • As Nick rightly pointed out earlier in this thread, this is not a known issue - it is certainly not recognised as a bug so there is no 'fix' that is being worked on to the best of my knowledge.  


    Keith Alabaster - MVP/Forum Moderator
    Friday, February 12, 2010 7:22 AM
    Moderator
  • Hi Keith

    I have the same issue and am in the process of raising this with Microsoft through our 24/7 Support that comes with the Software Assurance Agreement... It's being slightly delayed as TMG 2010 doesn't appear to be recognised as a supported product on the SA Benefits site, but that has been recognised and a case has been escalated, so hopefully I will be able to start the support process soon.

    Any info on a resolution to this in the meantime would be great.

    All the best,

    James


    Monday, February 15, 2010 3:52 PM
  • I have had a new install of EBS since November and I am still unable to get the VPN to function.  I have had a support call in since that time, have sent in a 4GB dump file and still they want me to reproduce the error (crash my Security Server) to get another dump file. Now that I am in production, I am not sure that is a wise idea at all.

    My issue is that when connecting with a 2008 or Win7 box the security server crashes; XP just does not work.

    Tom D--
    Friday, February 19, 2010 8:04 PM
  • When you say that "VPN doesn't work" what are you setting up?

    What errors do you see when the VPN client connects?

    What protocols are you trying to support?

    What appears in the TMG log files regarding the connections?

    What appears in the Event Log regarding VPN connections?

    Can you connect when the VPN clients are on-subnet (testing)?

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Friday, February 19, 2010 8:49 PM
    Moderator
  • Thanks for coming in Tom. I know you must be tired after this week.

    Keith
    Keith Alabaster - MVP/Forum Moderator
    Friday, February 19, 2010 8:56 PM
    Moderator
  • Ahmed,

    I have been advised that there IS an issue that has been picked up by the RAS Team and they are currently investigating it. The problem is reproducible without having installed Forefront TMG on the server.

    I appreciate that this does not move you forward but to clarify, the issue is not with the TMG application. I will try and ascertain more details and post them as and when I get something to add.

    Keith
    Keith Alabaster - MVP/Forum Moderator
    Saturday, February 20, 2010 8:00 AM
    Moderator
  • Hi Shinder, Keith

    So, I have installed this on different machines in multiple scenarios, always using 2008 R2 as the DC, CA and TMG.  And I am seeing RPC errors like crazy, which affects VPN and user-based firewall policies, among others.  Keith, I am not quite understanding how you cannot reproduce this issue; maybe it's because you are using VMs only??
    I performed that TCP Offload disable fix, which did nothing, and reading other threads I believe a lot of the different issues people are seeing are the same underlying issue.
    I even see some people have used their SA to call MS.  I will keep building this as I have time in different scenarios to see if I can pinpoint the issue further, and post anything I find, and if you have any insights let me know.  And I know you guys want to troubleshoot, which of course I have no problem doing, but if you also could shoot this up to dev, I would appreciate it.
    Sunday, February 21, 2010 5:34 PM
  • The issue though is NOT within TMG. A problem HAS been identified by the RAS team when using Windows 2008 R2 in respect to VPN and THIS IS being investigated. The fact the TMG may also be installed on the server that ALREADY HAS a vpn issue is a red herring.
    Keith Alabaster - MVP/Forum Moderator
    Monday, February 22, 2010 4:56 PM
    Moderator
  • Thanks for coming in Tom. I know you must be tired after this week.

    Keith
    Keith Alabaster - MVP/Forum Moderator

    Hi Keith,

    Thanks! Yes, especially after getting sick at the end of the week :(

    Tom
    MS ISDUA Anywhere Access Team
    Wednesday, February 24, 2010 8:48 PM
    Moderator
  • Please let us know which problem is RRAS known issue and not TMG?

    Thanks,
    Wednesday, February 24, 2010 9:40 PM
  • Still do not know exactly which problem Keith is referring to as a known issue with the RAS team.
    Friday, February 26, 2010 7:45 PM
  • I have been advised that there IS an issue that has been picked up by the RAS Team and they are currently investigating it. The problem is reproducible without having installed Forefront TMG on the server.

    I appreciate that this does not move you forward but to clarify, the issue is not with the TMG application. I will try and ascertain more details and post them as and when I get something to add.

    As at this moment, nor do I as per my comment above.
    Keith Alabaster - MVP/Forum Moderator
    Saturday, February 27, 2010 9:16 AM
    Moderator
  • OK, thanks.
    I've tested Standard and Enterprise; I haven't tested UAG as the front-end VPN server yet.
    Saturday, February 27, 2010 3:22 PM
  • Whoa - this has been a "known issue" for 2+ months now and no downloadable fix yet? 
    Friday, March 26, 2010 3:57 PM
  • Is this "the fix"???

    Update for Forefront TMG 2010 (KB 980674)

    Brief Description
    VPN site-to-site connections may not work after enabling NLB.

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=af1e8287-072c-45a6-9d8e-37485e482fe2

     

    • Proposed as answer by Meyra BeheerBanned Thursday, April 15, 2010 6:09 AM
    • Unproposed as answer by Ahmed Afifi Sunday, October 17, 2010 10:01 AM
    Wednesday, April 14, 2010 9:27 PM
  • So far this has fixed the issue.  Since I installed this hotfix it's been running for 3 days now.  This is exciting.  Thanks to everyone for pursuing this issue.

    -Paul

    Wednesday, April 21, 2010 3:07 PM
  • Try the following to get RRAS working

    Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\IPv6 
    
    Export the key
    Delete the registry entry 
    Tuesday, July 20, 2010 10:18 AM