Some users unable to VPN L2TP and getting 691 error

  • Question

  • I have a problem where some users are unable to connect to the VPN.
    I already tried to compare everything, and when I looked at the NPS log
    I found these differences.

    When user A is able to connect to the VPN, below is the log of the successful connection:

    <Event>
    <Timestamp data_type="4">11/08/2019 10:05:54.044</Timestamp>
    <Computer-Name data_type="1">OBJ-SRV-DC1</Computer-Name>
    <Event-Source data_type="1">IAS</Event-Source>
    <Class data_type="1">311 1 10.20.0.10 11/07/2019 22:45:17 474</Class>
    <MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
    <MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
    <Fully-Qualifed-User-Name data_type="1">objgroup.com.au/Obj_Group/Users/Sydney/User A</Fully-Qualifed-User-Name>
    <Client-IP-Address data_type="3">10.20.0.1</Client-IP-Address>
    <Client-Vendor data_type="0">0</Client-Vendor>
    <Client-Friendly-Name data_type="1">OBJ-FW-01</Client-Friendly-Name>
    <MS-Link-Drop-Time-Limit data_type="0">120</MS-Link-Drop-Time-Limit>
    <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
    <Provider-Type data_type="0">1</Provider-Type>
    <SAM-Account-Name data_type="1">OBJGROUP\user.a</SAM-Account-Name>
    <Authentication-Type data_type="0">4</Authentication-Type>
    <MS-CHAP-Domain data_type="2">A24155544F4D494347524F5550</MS-CHAP-Domain>
    <NP-Policy-Name data_type="1">Sophos Firewall</NP-Policy-Name>
    <Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
    <Framed-Protocol data_type="0">1</Framed-Protocol>
    <Service-Type data_type="0">2</Service-Type>
    <MS-Link-Utilization-Threshold data_type="0">50</MS-Link-Utilization-Threshold>
    <Packet-Type data_type="0">2</Packet-Type>
    <Reason-Code data_type="0">0</Reason-Code>
    </Event>

    And when user B tried to connect to the VPN as well (from the same computer, with the same VPN configuration), below is the NPS log of the unsuccessful attempt:

    <Event>
    <Timestamp data_type="4">11/08/2019 08:58:25.984</Timestamp>
    <Computer-Name data_type="1">OBJ-SRV-DC1</Computer-Name>
    <Event-Source data_type="1">IAS</Event-Source>
    <Class data_type="1">311 1 10.20.0.10 10/22/2019 17:19:49 139761</Class>
    <Authentication-Type data_type="0">2</Authentication-Type>
    <Fully-Qualifed-User-Name data_type="1">OBJGROUP\user.b</Fully-Qualifed-User-Name>
    <SAM-Account-Name data_type="1">OBJGROUP\user.b</SAM-Account-Name>
    <Client-IP-Address data_type="3">10.20.0.1</Client-IP-Address>
    <Client-Vendor data_type="0">0</Client-Vendor>
    <Client-Friendly-Name data_type="1">OBJ-FW-01</Client-Friendly-Name>
    <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
    <Provider-Type data_type="0">1</Provider-Type>
    <Packet-Type data_type="0">3</Packet-Type>
    <Reason-Code data_type="0">19</Reason-Code>
    </Event>

    If anyone can shed some light on this for me; as for me this is a dead end.
    I tried everything already. I contacted Sophos Support.
    Sophos said there is nothing wrong with my Sophos VPN configuration, as the error clearly says reason code 19 (basically they are blaming NPS - Microsoft).

    I checked the dial-in settings (Control access through NPS Network Policy), group membership in AD, and even tried to use "Store password using reversible encryption" in AD, and it still failed for user B.

    The proportion of users who are able to VPN and users who aren't is about 40%-60%.

    On the client machine (Win10) the user is getting error "Can't connect to L2TP VPN. The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

    And in the Event Viewer there was an event ID 20227 error:
    CoId={15107339-9A5E-4B1B-8CAA-6BE599A6379E}: The user OBJGROUP\user.b dialed a connection named OBJ L2TP VPN which has failed. The error code returned on failure is 691.


    Wednesday, 13 November 2019 06:12

All Replies

  • Hi,

    >>Sophos said there is nothing wrong with my sophos vpn configuration as the error clearly said reason code 19 (basically they blaming the NPS - Microsoft).

    As the VPN is third-party software, we cannot provide support for it and we only focus on the NPS error.

    Error code "19" means no reversibly encrypted password is stored for the user account.

    This means you should enable reversible encryption on your domain controllers with the policy setting "Store password using reversible encryption for all users in the domain".

    You can do a test to check if the problem is solved.

    NPS Reason Codes 0 Through 37

    http://technet.microsoft.com/pt-pt/library/dd197464(v=ws.10)

    Hope this can help you, if you have anything unclear, please let me know.

    Have a nice day!

    Ellen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Thursday, 14 November 2019 08:01
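An added example, not code from the thread: it parses NPS XML (IAS) log events the way the question compares them, decoding the Packet-Type, Authentication-Type and Reason-Code values from the NPS log format reference; the inline events are trimmed copies of the two quoted in the question, and the field list is an assumption about what a troubleshooter compares first.

```python
import xml.etree.ElementTree as ET

# Code meanings from the NPS log format / NPS Reason Codes reference (only those this thread needs).
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2", "5": "EAP"}
REASON_CODES = {"0": "success", "19": "no reversibly encrypted password stored for the user account"}
# Attributes compared between an accepted and a rejected event (assumed troubleshooting shortlist).
KEY_FIELDS = ("Packet-Type", "Reason-Code", "Authentication-Type", "SAM-Account-Name", "NP-Policy-Name")

# Trimmed copies of the two events quoted in the question (constructed test input).
ACCEPT_EVENT = """<Event>
<SAM-Account-Name data_type="1">OBJGROUP\\user.a</SAM-Account-Name>
<Authentication-Type data_type="0">4</Authentication-Type>
<NP-Policy-Name data_type="1">Sophos Firewall</NP-Policy-Name>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>"""
REJECT_EVENT = """<Event>
<Authentication-Type data_type="0">2</Authentication-Type>
<SAM-Account-Name data_type="1">OBJGROUP\\user.b</SAM-Account-Name>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">19</Reason-Code>
</Event>"""

def parse_event(xml_text):
    """Return {attribute-name: value} for one <Event> element of an NPS XML log."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}

def describe(fields):
    """Decode the three numeric codes a troubleshooter reads first."""
    auth = fields.get("Authentication-Type", "")
    reason = fields.get("Reason-Code", "")
    return {
        "packet": PACKET_TYPES.get(fields.get("Packet-Type", ""), "unknown"),
        "auth": AUTH_TYPES.get(auth, "code " + auth),
        "reason": REASON_CODES.get(reason, "code " + reason),
    }

def diff_events(good_xml, bad_xml):
    """Key fields that differ between an accepted and a rejected event; absent fields show as None."""
    good, bad = parse_event(good_xml), parse_event(bad_xml)
    return {f: (good.get(f), bad.get(f)) for f in KEY_FIELDS if good.get(f) != bad.get(f)}

if __name__ == "__main__":
    for name, evt in (("accepted", ACCEPT_EVENT), ("rejected", REJECT_EVENT)):
        print(name, describe(parse_event(evt)))
    for field, (good, bad) in diff_events(ACCEPT_EVENT, REJECT_EVENT).items():
        print(f"{field}: accepted={good!r} rejected={bad!r}")
```

Run on the two events, the diff shows the accepted request used Authentication-Type 4 (MS-CHAP v2) while the rejected one used 2 (CHAP), the method that needs a reversibly encrypted password; checking which protocol the client and NPS policy negotiate for user B is the less risky first step, since storing passwords reversibly weakens every account the setting covers.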
  • Hi 

    Sophos confirmed it is an NPS/Active Directory error that is related to reversible encryption.

    I tried to enable "Store password using reversible encryption" in AD,

    then reset the password and tried to connect to the VPN again.

    But I am still getting the same error 19.

    Friday, 15 November 2019 01:09
  • Hi,

    Please check whether all your clients are in the user group.

    Like this picture, in network policies:

    Hope this can help you, if you have anything unclear, please let me know.

    Have a nice day!

    Ellen



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, 15 November 2019 09:02
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Ellen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Tuesday, 19 November 2019 07:01
  • Hi,

    As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful.

    If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    Best regards,

    Ellen

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, 21 November 2019 01:55