VPN not working after creators update 1709

    Question

  • Hi Guys

    I am using an ultra book for mobile work and connect to my home network via VPN with an HSDPA WWAN modem. Before the fall creators update everything was working fine. Now after the update I cannot connect anymore via mobile network.

    The setup: I have a Win 2016 Server with RRAS configured for L2TP PSK VPN. When I connect from within the network (LAN or WLAN) everything works as expected. Only the WWAN connection from outside does not work.

    Strange thing is, when I do this with my Android mobile it works, via WLAN and WWAN.

    I have forwarded the ports 500, 1701 and 4500 in the router to the VPN server and also enabled the ESP protocol. I have checked with Wireshark if any communication on those ports arrives at the server when connecting with the Win 10 (1709) machine, and yes there is traffic. But there are no events logged on the server and the client reports an 809 error in the VPN client events.

    I have googled for hours and watched several L2TP howtos on YouTube, so I can say the server seems to be configured correctly and working fine. Also the port forwarding is working as I can connect via Android phone. I do not know how to debug or trace this to narrow in on the problem. Maybe you can help.

    thanks

    Peter

    Thursday, November 02, 2017 8:55 PM

Answers

  • The last Update (KB4048955) did the trick. Everything is working again now.



    • Marked as answer by Peter119 Monday, November 20, 2017 8:28 PM
    • Edited by Peter119 Monday, November 20, 2017 8:29 PM
    Monday, November 20, 2017 8:28 PM

All replies

  • I just tried removing the WAN miniport devices like stated here (https://social.technet.microsoft.com/Forums/en-US/6ec6b6b4-5137-4cac-b62e-8709b72aeec2/windows-10-creators-update-and-vpn-issues?forum=win10itpronetworking) but it did not help, still get the 809 error.
    Friday, November 03, 2017 8:03 AM
  • Hi,

    got a similar problem, error code 789. For both devices, Surface Pro 3 and Lumia 950 L2TP/IPSEC has worked like a charm. But since update to build 1709 (Windows 10 Pro and Windows 10 mobile) I got the same error for both devices.

    I have tried removing the WAN miniport adapters without success, I still get the error.

    Because the release notes of 1709 stated there have been changes on VPN, I assume there is a bug now.

    Best regards

    Thomas


    • Edited by tm2017 Friday, November 03, 2017 8:15 AM
    Friday, November 03, 2017 8:14 AM
  • One more thing. The registry setting for AssumeUDPEncapsulationContextOnSendRule is set correctly, unless there was something changed in the creators update at this end.
    • Edited by Peter119 Friday, November 03, 2017 1:09 PM
    Friday, November 03, 2017 1:09 PM
  • I've completed a rollback from 1709 to previous version of windows - before the 1709 release - and the VPN began to work correctly - other components of Windows, such as mail, calendar and other app functions were then broken, but the VPN did work.  I've reinstalled the 1709 release to fix the rabbits I spent all last night chasing, and as of this morning can use my email and other windows components, but VPN is out like a light.  

    I reached out to their organization, tried a few of their suggestions, which of course didn't work, and am back to square one, without a working VPN. I did try several other versions of VPN from different providers, and none of them seemed to fare any better.


    Saturday, November 04, 2017 7:12 PM
  • Ever since I installed 1703, VPN stopped working.

    I was hoping with 1709 they would have fixed it but it looks like they haven't from what I've been reading. I guess I'll have to be patient to see if they will fix it or not.

    Saturday, November 04, 2017 11:58 PM
  • Hi Peter,

    First, we need to double-check whether the configuration is as expected or not; we can refer to the following:

    http://kswp01.azurewebsites.net/?p=116

    https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

    Second, we can check whether there is any specific client VPN error (RasClient and RasMan) when the issue happens, something like the following snapshots:


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 09, 2017 12:25 PM
    Moderator
  • Hi Carl,

    thank you for the detailed answer, I have gone through the guide and added the LAN Routing and NAT configuration. Unfortunately this did not change anything. I have checked the following connections:

    Win 10 Laptop from within LAN (WLAN) --> connection succeeded

    Win 10 Laptop from outside (WWAN) --> connection failed with 809 VPN Error, No error on Server though

    Android mobile from within (WLAN) --> connection succeeded

    Android mobile from outside (WWAN) --> connection succeeded

    As the connection from outside also succeeded from the Win 10 laptop before update 1709 and the Android still can connect from outside, I suspect the update as the reason. Maybe some ciphers or hash algorithms have changed or were disabled?

    These are connection details:

    CoID={EE26BB91-4822-491B-9E30-DD293B90EBC1}: Der Benutzer "********" hat eine VPN-Verbindung mit einem per-user-Verbindungsprofil mit dem Namen "VPN" angewählt. Die Verbindungseinstellungen lauten:
    Dial-in User = Peter
    VpnStrategy = L2TP
    DataEncryption = Require
    PrerequisiteEntry =
    AutoLogon = No
    UseRasCredentials = Yes
    Authentication Type = MS-CHAPv2
    Ipv4DefaultGateway = Yes
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = Yes
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags =
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No
    IPsec authentication for L2TP = Pre-shared key.

    Maybe there are tools to debug the connection initialization / handshake?


    • Edited by Peter119 Thursday, November 09, 2017 3:26 PM
    Thursday, November 09, 2017 3:21 PM
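One way to answer the question about debugging tools, as an added example that is not part of the thread: the built-in client logs every attempt to the Application log under the RasClient provider, so the dialing, failure and terminate events of one attempt can be pulled and the reason codes quoted in this thread decoded. It assumes the Windows 10 built-in VPN client, an elevated PowerShell session and a profile named "VPN" (Peter's profile name; hypothetical for other readers).

```powershell
# Added example, not code from the thread: list RasClient events for a named VPN
# profile and decode the reason codes quoted in this thread. Assumes the built-in
# Windows 10 VPN client and an elevated PowerShell session.
function Get-RasClientFailure {
    param(
        [string]$ConnectionName = 'VPN',   # hypothetical profile name
        [int]$Minutes = 60
    )

    # Reason codes seen in this thread and what the RAS / IKE layer means by them.
    $reasonCodes = @{
        631   = 'Port disconnected (terminate event, not the root cause)'
        789   = 'L2TP security layer: IPsec failed during initial negotiation'
        809   = 'No usable reply from the server on UDP 500/4500 (NAT-T, firewall or the PolicyAgent NAT rule)'
        13868 = 'IKE policy match error: no proposal accepted by both peers'
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $msg = $e.Message
        if ($msg -notmatch [regex]::Escape($ConnectionName)) { continue }

        # Correlate the dialing (20221), failure (20227) and terminate (20226)
        # events of one attempt through the CoId/CoID GUID RasClient prefixes.
        $coid = if ($msg -match 'CoI[dD]=\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { '-' }

        # Both the English ("... is 13868") and the German ("... lautet: 789.")
        # message templates shown in the thread end with the numeric code.
        $code = if ($msg -match '(\d+)\.?\s*$') { [int]$Matches[1] } else { $null }
        $meaning = ''
        if ($null -ne $code -and $reasonCodes.ContainsKey($code)) { $meaning = $reasonCodes[$code] }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            CoId    = $coid
            Code    = $code
            Meaning = $meaning
        }
    }
}

Get-RasClientFailure -ConnectionName 'VPN' -Minutes 60 | Format-Table -AutoSize
```

An 809 with traffic visible on the server, as Peter reports, points at the IPsec layer never completing rather than at port forwarding, so the IKEEXT-related settings checked later in this thread are the next thing to look at.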
  • Hi,

    here is the information from my attempt, still not working:

    Der Benutzer "SYSTEM" hat eine Verbindung mit dem Namen "SU" gewählt, die Verbindung konnte jedoch nicht hergestellt werden. Der durch den Fehler zurückgegebene Ursachencode lautet: 789.

    CoID={50214175-7D56-4949-9D01-620C07A386F3}: Der Benutzer "SYSTEM" hat eine VPN-Verbindung mit einem per-user-Verbindungsprofil mit dem Namen "SU" angewählt. Die Verbindungseinstellungen lauten:
    Dial-in User = tmaesing
    VpnStrategy = L2TP
    DataEncryption = Requested
    PrerequisiteEntry =
    AutoLogon = No
    UseRasCredentials = Yes
    Authentication Type = MS-CHAPv2
    Ipv4DefaultGateway = Yes
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = Yes
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags =
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No
    IPsec authentication for L2TP = Pre-shared key.

    Best regards

    Thomas

    Thursday, November 09, 2017 7:43 PM
    I am having a similar problem with smart card VPN authentication after the 1709 update.  I cannot connect to a VPN with smart card authentication, it just hangs when I click connect and never prompts for a PIN.  I have tried with a few Yubikey 4 smart cards in PIV mode and also a PIVKEY C910.  Same problem with both smart cards.  Strange thing is it works fine with certificate authentication where the cert is loaded in the personal store.

    I have a Windows Server 2016 server that is fully patched that I am trying to connect to.

    Looks like something is broken with the builtin VPN client and 1709...


    • Edited by Joef12345 Saturday, November 11, 2017 2:53 PM grammer error
    Saturday, November 11, 2017 2:52 PM
  • Problem with VPN in 1709.

    I can connect to my network via VPN. I have internet connection via VPN if I am using Mozilla FireFox ;)

    Anything related to IE, Edge like Visual Studio and TFS not working anymore.

    This just happens after upgrade to 1709, all was good before upgrade.

    Monday, November 13, 2017 12:50 PM
  • Just wanted to say, I'm having the same issue. It seems some users on my network are fine.

    Maintaining VPN availability for Windows 10 hosts has been an ongoing battle.  As others have noted, I have Android, Linux and Mac systems connecting to L2TP without issue as well as Win 7/8.1 systems.

    I have PPTP setup on this and another server and I can connect to both.


    fyi here's my connection details

    CoId={D9CD0170-2DF4-41F7-927A-E95B0D972985}: The user hhhh has started dialing a VPN connection using a per-user connection profile named hhhh. The connection settings are:
    Dial-in User = hhhh
    VpnStrategy = L2TP
    DataEncryption = Requested
    PrerequisiteEntry =
    AutoLogon = No
    UseRasCredentials = Yes
    Authentication Type = MS-CHAPv2
    Ipv4DefaultGateway = Yes
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = Yes
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags =
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No
    IPsec authentication for L2TP = Pre-shared key.



    • Edited by deathmcdoom Tuesday, November 14, 2017 9:52 PM
    Tuesday, November 14, 2017 6:17 PM
  • Same thing for me. IE, Edge fails to connect when on VPN.

    FireFox works.

    Thursday, November 16, 2017 7:51 PM
    I am also in the same boat. My FortiClient SSLVPN is not able to establish a connection just after the Fall Creators Update. Another workmate told me that he experienced the same problem. There is not any advice on Fortinet's support page. I have read that MS has disabled by default these cryptographic protocols in this update:

    TLS_RSA_WITH_RC4_128_MD5

    TLS_RSA_WITH_RC4_128_SHA

    I tried enabling them again, just creating the subkey 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128, and creating a DWORD entry named "Enabled" with value 0xffffffff

    However it doesn't work. Any other hint?

    • Proposed as answer by VIPS_husband Sunday, November 19, 2017 9:29 AM
    Thursday, November 16, 2017 8:30 PM
  • Hi,


    after the last update with my environment it is working again with Windows 10 Pro and Windows 10 mobile.


    Best regards

    Thomas

    Saturday, November 18, 2017 9:51 AM
  • Had high hopes for the update, but continue with the 809 error.
    Saturday, November 18, 2017 7:01 PM
  • Yes, removing WAN miniport devices did not help!
    Sunday, November 19, 2017 8:17 AM
  • Same problem here. Using FortiClient SSL VPN inside Internet Explorer (with Compatibility Setting enabled), running on Windows 10. After updating to Fall Creators version 1709 the vpn has stopped working. After entering username and 8-digit RSA token from my mobile phone, FortiClient gives the usual Tunnel Mode status screen, and then hangs with the status message "Collecting information...".

    Reverting back to Windows 10 version 1703 fixed my FortiClient SSL VPN problem.


    Sunday, November 19, 2017 9:17 AM
  • KB4048955  did not resolve it for me.  Edge and IE broken when VPN is running. Firefox works however
    Tuesday, November 21, 2017 3:01 PM
  • Seemed to take a combination of all reported solutions, KB4048955, registry patch, and uninstalling WAN Miniports.  Thanks all for your help
    Monday, November 27, 2017 4:13 PM
  • I mean, if it takes a number of steps like that then it's not really resolved.
    Monday, November 27, 2017 5:07 PM
  • There might be a number of different factors involved after a major update like this, but in our network (L2TP VPN with NAT) I observed two scenarios with the following solutions:

    1) Re-apply this (already done in the past, which this update seems to have reset):

    netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat

    (run from elevated command prompt, then reboot)

    2) Go and check the "classic" Control Panel settings for the VPN connection (not under the more limited "modern" Settings), and make sure that the needed options are still set. In our specific scenario, under Security/Authentication, none of the radio buttons ("Use EAP", "Allow these protocols") was set any longer after the update. Selecting [x] Allow these protocols and [x] Microsoft CHAP Version 2 did the trick.
    • Edited by mcb Tuesday, December 05, 2017 4:32 PM One more solution found
    Wednesday, November 29, 2017 2:41 PM
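The two checks mcb describes, plus the AssumeUDPEncapsulationContextOnSendRule value Peter mentions earlier, as an added audit script that is not part of the thread. It assumes a profile named "VPN" (hypothetical), an elevated PowerShell session and the VpnClient module that ships with Windows 10; the registry value read in step 1 is the one KB926179 (linked above) documents, and the netsh ipsecthroughnat command from the post sets the same setting.

```powershell
# Added example, not code from the thread: check the client-side L2TP/IPsec settings
# that posts here report as reset by the 1709 upgrade (NAT-T rule, MS-CHAPv2, PSK).
# Assumes a profile named 'VPN' (hypothetical) and an elevated PowerShell session.
function Test-L2tpClientConfig {
    param([string]$Name = 'VPN')
    $findings = @()

    # 1) NAT traversal rule from KB926179: 2 = server and client may both be
    #    behind NAT. The thread's netsh ipsecthroughnat command writes this
    #    value; a reboot is needed after changing it.
    $pa  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $nat = (Get-ItemProperty -Path $pa -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
    if ($nat -ne 2) {
        $findings += "AssumeUDPEncapsulationContextOnSendRule is '$nat', expected 2 (run: netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat, then reboot)"
    }

    # 2) The same setting as the firewall reports it (keyword as set via netsh).
    $line = netsh advfirewall show global | Select-String 'IPsecThroughNAT'
    if ($line -and ($line -notmatch 'serverandclientbehindnat')) {
        $findings += "netsh reports: $($line.Line.Trim())"
    }

    # 3) The "classic" Control Panel security settings, read via the VpnClient module.
    $vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $vpn) { $vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue }
    if (-not $vpn) { $findings += "No VPN profile named '$Name' found"; return $findings }

    if ($vpn.TunnelType -ne 'L2tp') {
        $findings += "TunnelType is '$($vpn.TunnelType)', expected L2tp"
    }
    if (@($vpn.AuthenticationMethod) -notcontains 'MsChapv2') {
        $findings += "AuthenticationMethod is '$($vpn.AuthenticationMethod -join ',')': MS-CHAPv2 not selected (re-tick 'Allow these protocols' / 'Microsoft CHAP Version 2')"
    }
    if ($vpn.L2tpIPsecAuth -ne 'Psk') {
        $findings += "L2tpIPsecAuth is '$($vpn.L2tpIPsecAuth)', expected Psk for an L2TP/PSK server"
    }
    if ($vpn.EncryptionLevel -notin @('Required', 'Maximum')) {
        $findings += "EncryptionLevel is '$($vpn.EncryptionLevel)'; the profiles in this thread use Require"
    }
    return $findings
}

$result = Test-L2tpClientConfig -Name 'VPN'
if ($result.Count -eq 0) { 'All checked settings look as expected.' } else { $result }
```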
  • https://msdn.microsoft.com/en-us/library/windows/desktop/mt813794%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

    You should use PowerShell

    Enable-TlsCipherSuite -Name "TLS_RSA_WITH_RC4_128_MD5"

    Enable-TlsCipherSuite -Name "TLS_RSA_WITH_RC4_128_SHA"

    Monday, December 04, 2017 7:39 AM
  • I have tested it, but it doesn't work (Forticlient SSL VPN & Windows 10 1709)
    Thursday, December 07, 2017 10:11 AM
  • Did you execute PowerShell as an administrator?
    Wednesday, December 13, 2017 7:32 PM
  • Yes, I did. But it's still not working. 
    Tuesday, December 19, 2017 11:58 PM
  • I have similar problem. After update to Win 10 1709 I have problem with IKEv2 connection (strongswan on server side).

    Windows gives me these errors:

    Win GUI : Policy match error

    Event ID 20227 :
    The error code returned on failure is 13868

    Event ID 20226
    The reason code returned on terminate is 631


    Wednesday, December 20, 2017 11:39 PM
  • I had an issue where I could connect to the VPN, but it would only work for several seconds. The connection would stay connected, but I couldn't reach any of the remote devices.

    I uninstalled all (including ipv6, etc.) WAN Miniport devices in Device Manager, then did the Action -> Scan for hardware changes, and without even rebooting, it fixed the issue.

    Friday, December 29, 2017 10:00 AM
  • I'm spitting nails. Remote Unifi USG as VPN server. L2TP w/IPSEC. On the same network, my Android connects, an Apple MacBook connects, Windows 10 Pro connects....Windows 10 Edu nope. This is unacceptable. This is required for work.

    Everything I've done:

    1. Windows 10 Edu fully updated 1709, build 16299.125
    2. Verified and reverified PSK, login details, CHAPv2
    3. Deleted and re added VPN
    4. Registry "AssumeUDPEncapsulationContextOnSendRule"
    5. Registry "ProhibitIpSec"
    6. Registry "AllowL2TPWeakCrypto"
    7. Reinstall WAN miniport drivers
    8. Disabled firewall
    9. Ran powershell commands for the ciphers
    10. "netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat"
    11. Rebooted 5 Million times
    12. Reinstalled Windows, TWICE!!!

    Nothing works. Anybody else?



    • Edited by izzyfanto Tuesday, January 02, 2018 8:56 PM
    Tuesday, January 02, 2018 5:54 PM
  • This is what my router says:

    Jan  2 15:20:54 USG kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000000cf3c800 x->sa_handle (nil)
    Jan  2 15:20:59 USG xl2tpd[3510]: Maximum retries exceeded for tunnel 60869.  Closing.
    Jan  2 15:21:33 USG kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x 800000000cd02400 x->sa_handle (nil)
    Jan  2 15:21:33 USG xl2tpd[3510]: Connection established to EXTERNAL IP, 44578.  Local: 10055, Remote: 36760 (ref=0/0).  LNS session is 'default'
    Jan  2 15:21:33 USG xl2tpd[3510]: Call established with EXTERNAL IP, Local: 2073, Remote: 31507, Serial: -405737441
    Jan  2 15:21:33 USG pppd[11896]: pppd 2.4.4 started by root, uid 0
    Jan  2 15:21:33 USG pppd[11896]: Connect: ppp2 <-->
    Jan  2 15:21:33 USG zebra[696]: interface ppp2 index 120 <POINTOPOINT,NOARP,MULTICAST> added.
    Jan  2 15:21:34 USG zebra[696]: interface ppp2 mtu changed from 1500 to 1400
    Jan  2 15:21:34 USG pppd[11896]: rc_avpair_gen: received unknown attribute 64 of length 4: 0x00000003
    Jan  2 15:21:34 USG pppd[11896]: rc_avpair_gen: received unknown attribute 65 of length 4: 0x00000001
    Jan  2 15:21:34 USG pppd[11896]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
    Jan  2 15:21:34 USG zebra[696]: warning: PtP interface ppp2 with addr 10.255.255.0/32 needs a peer address
    Jan  2 15:21:34 USG zebra[696]: interface index 120 was renamed from ppp2 to l2tp2
    Jan  2 15:21:34 USG pppd[11896]: Cannot determine ethernet address for proxy ARP
    Jan  2 15:21:34 USG pppd[11896]: local  IP address 10.255.255.0
    Jan  2 15:21:34 USG pppd[11896]: remote IP address 192.168.8.3
    Jan  2 15:21:34 USG zebra[696]: interface l2tp2 index 120 changed <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>.
    Jan  2 15:21:48 USG xl2tpd[3510]: Maximum retries exceeded for tunnel 9479.  Closing.
    Jan  2 15:21:48 USG zebra[696]: interface l2tp1 index 119 changed <POINTOPOINT,NOARP,MULTICAST>.
    Jan  2 15:21:48 USG zebra[696]: interface l2tp1 mtu changed from 1400 to 1500
    Jan  2 15:21:54 USG pppd[9872]: Connection terminated: no multilink.
    Jan  2 15:21:54 USG zebra[696]: interface l2tp1 index 119 deleted.
    Jan  2 15:21:54 USG pppd[9872]: Modem hangup
    FAKEUSER@USG:~$

    Seems...

    Jan  2 15:21:34 USG pppd[11896]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
    ...looks like the culprit. Anybody know?
    Tuesday, January 02, 2018 10:57 PM
  • I have similar problem. After update to Win 10 1709 I have problem with IKEv2 connection (strongswan on server side).

    Windows gives me these errors:

    Win GUI : Policy match error

    Event ID 20227 :
    The error code returned on failure is 13868

    Event ID 20226
    The reason code returned on terminate is 631


    My problem is solved, because:

    https://support.microsoft.com/en-us/help/4034825/features-that-are-removed-or-deprecated-in-windows-10-fall-creators-up

    RSA/AES Encryption for IIS is disabled
    We recommend that users use CNG encryption provider.

    So Windows 1709 changed the IPsec policy from:

    IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

    to:

    IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024

    So, I've increased security via registry (restart is not needed):

    Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    Value: NegotiateDH2048_AES256
    DWORD: 2

    to:

    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

    and this encryption is supported by my router and all works.

    Max

    Wednesday, January 03, 2018 6:25 AM
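The registry change Max describes, scripted, together with the per-profile alternative the VpnClient module offers for IKEv2 connections; this is an added example, not code from the thread. It assumes a profile named "Office-IKEv2" (hypothetical) and an elevated PowerShell session; the ESP transform and PFS group are assumptions because the post only shows the IKE proposal.

```powershell
# Added example, not code from the thread: apply the IKE proposal change Max
# describes. Two levers exist on a Windows 10 client: the Rasman registry value
# he used (global, also covers L2TP) and Set-VpnConnectionIPsecConfiguration
# (per profile, IKEv2 connections). Run in an elevated PowerShell session.
$ConnectionName = 'Office-IKEv2'   # hypothetical profile name
$rasman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$valueName = 'NegotiateDH2048_AES256'

# 2 = AES-256 with a 2048-bit DH group (MODP_2048), the value from the post;
# absent or 0 = the Windows default proposal. The post reports no restart needed.
$current = (Get-ItemProperty -Path $rasman -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 2) {
    Set-ItemProperty -Path $rasman -Name $valueName -Value 2 -Type DWord
    "Set $valueName from '$current' to 2"
} else {
    "$valueName is already 2"
}

# Per-profile alternative for an IKEv2 profile. The IKE SA parameters mirror the
# proposal from the post, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
# (Group14 = MODP_2048). The post does not show the ESP (child SA) proposal, so
# the AES256/SHA1-96 transform constants and the PFS group below are assumptions;
# match them to the strongSwan 'esp=' line on the server.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -DHGroup Group14 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA196 `
        -PfsGroup PFS2048 -Force
    "Custom IPsec policy applied to '$ConnectionName'"
}
```

A mismatch between these values and the server's ike= / esp= lines is exactly what shows up as error 13868 (IKE policy match error) in the client events quoted above.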
  • Thanks for the reply, but
    NegotiateDH2048_AES256 DWORD: 2
    doesn't fix it for me. 
    Wednesday, January 03, 2018 9:37 AM
  • izzyfanto,

    Not sure why you'd get this series of errors. This looks like it is a PPP config problem, but I'm not really sure. You could try going into adapter options->properties->options->ppp settings and toggle some of those options.  But it could also be server side.

    Wednesday, January 03, 2018 4:18 PM
  • Thanks so much for the replies, but alas that didn't help. I struggle to think that it's my router. Three other devices, three different brands all work fine. Only this fresh Windows 10 Edu is broken. I literally am putting off working because I refuse to use my Android phone to pinch and zoom for the server work that needs to be done. Thanks again for the reply

    • Edited by izzyfanto Thursday, January 04, 2018 12:25 AM
    Thursday, January 04, 2018 12:23 AM
  • Wow. 3 days later, and way too much time, I figured it out! Put a post together at my blog detailing everything. Hope it helps someone. I can't post links yet: blog.izzyfanto.net/2018/01/unifi-usg-l2tp-vpn-ccp-mppe-and-windows.html
    • Edited by izzyfanto Thursday, January 04, 2018 3:15 PM
    Thursday, January 04, 2018 3:16 AM
  • I have installed KB4056892 which as I understand should include KB4048955, since KB4056892 is a cumulative update. However my FortiClient SSL VPN inside Internet Explorer is still not working.
    Saturday, January 06, 2018 12:50 PM