Microsoft Always On VPN Troubleshooting
Troubleshoot Always On VPN
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-always-on-vpn
Troubleshooting VPN profile issues in Microsoft Intune
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/troubleshoot-vpn-profiles?tabs=windows
Tutorial: Deploy Always On VPN - Set up infrastructure for Always On VPN
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/tutorial-aovpn-deploy-setup
Tutorial: Deploy Always On VPN - Configure Certificate Authority templates
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/tutorial-aovpn-deploy-create-certificates
Tutorial: Deploy Always On VPN - Configure Always On VPN profile for Windows 10+ clients
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/tutorial-aovpn-deploy-configure-client
Deploy Always On VPN profile to Windows 10 or newer clients with Microsoft Intune
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/how-to-aovpn-client-intune
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The initial error displayed to users when connecting was:
This error may be due to issues with home users' devices and connections, and will most likely be caused by this:
The following issue was due to the servers having difficulties after Windows security updates were applied to them. It may be resolvable by running ipconfig /flushdns on both servers if they have been rebooted and do not have a network connection.
This link was used during the initial setup https://learn.microsoft.com/en-us/windows-server/remote/remote-access/tutorial-aovpn-deploy-setup
Another very useful article can be found at https://directaccess.richardhicks.com/
When a user becomes a member of the VPN users AD group, the KIX login script that maps drives does not run immediately. It runs after 2 hours, and on subsequent connections it runs at connection time, as long as the first connection stayed open for 2 hours.
Network Configuration
MAO-RAS01 has 3 network interfaces shown in Control Panel:
netlan
    IP Address            192.168.0.50
    Subnet mask           255.255.254.0
    Default Gateway       none
    Preferred DNS server  192.168.1.117
    Alternate DNS server  192.168.1.239
netdmz
    IP Address            10.0.0.151
    Subnet mask           255.255.255.0
    Default Gateway       10.0.0.254
    DNS servers           none
loopback
    IP Address            10.0.0.103
    Subnet mask           255.255.255.0
    Default Gateway       none
    DNS servers           none
When a connection is attempted, ipconfig also shows a PPP adapter named RAS:
    IP Address            192.168.80.2
    Subnet mask           255.255.255.255
    Default Gateway       none
    DNS servers           none
--------------------------------------------------------------------------------------------
MAO-RAS02 has 3 network interfaces shown in Control Panel:
netlan
    IP Address            192.168.0.92
    Subnet mask           255.255.254.0
    Default Gateway       none
    Preferred DNS server  192.168.1.117
    Alternate DNS server  192.168.1.239
netdmz
    IP Address            10.0.0.152
    Subnet mask           255.255.255.0
    Default Gateway       10.0.0.254
    DNS servers           none
loopback
    IP Address            10.0.0.103
    Subnet mask           255.255.255.0
    Default Gateway       none
    DNS servers           none
When a connection is attempted, ipconfig also shows a PPP adapter named RAS:
    IP Address            192.168.82.2
    Subnet mask           255.255.255.255
    Default Gateway       none
    DNS servers           none
--------------------------------------------------------------------------------------------
Routing and Remote Access Configuration of MAO-RAS01
Routing and Remote Access Configuration of MAO-RAS02
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS
In 123-REG there is a record for vpn.beyondhousing.co.uk pointing at 213.106.183.106.
The Sophos firewall at Redcar uses NAT to pass traffic from 213.106.183.106 to 10.0.0.103, the primary load balancer's DMZ NIC. The load balancer's internal routing then passes traffic from the DMZ interface to the LAN so that it can communicate directly with MAO-RAS01 and MAO-RAS02.
MAO-RAS01 and MAO-RAS02 use the Network Policy Servers MAO-NPS and MAO-NPS01 to authenticate users via certificate checking.
The RAS servers are configured as NAT routers to ensure that traffic from the VPN clients can route to the DMZ.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Load Balancer Configuration
Launch Routing and Remote Access on MAO-RAS01 and MAO-RAS02 and check that the server icon is green (Started). If it is red, the service can be started from right click - All Tasks - Start.
The services that need to be running include all Automatic startup types apart from Sysmon64, plus the following Automatic (Delayed Start) and Trigger Start services:
If users still get the error shown at the top of this document, open Routing and Remote Access, right click MAO-RAS01 (local) and go to All Tasks - Restart.
The services that need to be started on MAO-NPS01 are the standard expected Automatic services as well as those shown below:
MAO-NPS01 and MAO-NPS hold the certificate required for authentication.
After deploying February's security updates KB6034768 and KB5034127, the VPN failed to work. After uninstalling them, the following registry key was preventing the Routing and Remote Access service (shown in the Routing and Remote Access program) from starting. The solution was found in a web article at https://directaccess.richardhicks.com/tag/event-id-7024/
-----------------------------------------
Active Directory Group Policy
A policy called Autoenrollment Policy exists that autoenrolls certificates onto client computers.
Autoenrollment Policy
Data collected on: 17/04/2024 09:53:37

General
  Details
    Domain               beyondhousing.local
    Owner                BEYONDHOUSING\Domain Admins
    Created              21/07/2022 10:42:16
    Modified             21/07/2022 10:45:00
    User Revisions       2 (AD), 2 (SYSVOL)
    Computer Revisions   2 (AD), 2 (SYSVOL)
    Unique ID            {561726C4-6EB8-4E43-8953-494D55570B21}
    GPO Status           Enabled

  Links
    Location         Enforced   Link Status   Path
    beyondhousing    No         Enabled       beyondhousing.local
    Domain Servers   No         Enabled       beyondhousing.local/Domain Servers
    This list only includes links in the domain of the GPO.

  Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    Name
    NT AUTHORITY\Authenticated Users

  Delegation
    These groups and users have the specified permission for this GPO
    Name                                          Allowed Permissions                      Inherited
    BEYONDHOUSING\Domain Admins                   Edit settings, delete, modify security   No
    BEYONDHOUSING\Enterprise Admins               Edit settings, delete, modify security   No
    NT AUTHORITY\Authenticated Users              Read (from Security Filtering)           No
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS    Read                                     No
    NT AUTHORITY\SYSTEM                           Edit settings, delete, modify security   No

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
          Policy                                                                                                                Setting
          Automatic certificate management                                                                                      Enabled
          Option                                                                                                                Setting
          Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates   Enabled
          Update and manage certificates that use certificate templates from Active Directory                                   Enabled

User Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
          Policy                                                                                                                Setting
          Automatic certificate management                                                                                      Enabled
          Option                                                                                                                Setting
          Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates   Enabled
          Update and manage certificates that use certificate templates from Active Directory                                   Enabled
          Log expiry events, and, for user policy, only show expiry notifications when the percentage of remaining certificate lifetime is   10%
          Additional stores to log expiry events
          Display user notifications for expiring certificates in user and computer MY store                                    Disabled
Cisco Switch Configuration
The RAS servers hand out two IP ranges: MAO-RAS01 192.168.80.2 to 192.168.81.253 and MAO-RAS02 192.168.82.2 to 192.168.83.253. Each range is routed back to the LAN address of the server that owns it.
10.0.255.254 Core Fibre Stack
    ip route 192.168.80.0 255.255.254.0 192.168.0.50
    ip route 192.168.82.0 255.255.254.0 192.168.0.92
10.99.0.2 Fibre Switch Scarborough
    ip route 192.168.80.0 255.255.254.0 10.25.1.1 5
    ip route 192.168.82.0 255.255.254.0 10.25.1.1 5
Resolution
This issue is commonly caused when IPv6 is disabled on the server via the registry. To verify, open the registry editor on the RRAS server and navigate to the following location.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
If the DisabledComponents value is present and set to anything other than 0, set it to 0 or simply delete the DisabledComponents value completely and reboot the server.
The key was left intact and not deleted but the value was changed to 0 and the server restarted.
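The following script is an added example and is not part of the original runbook or the Richard Hicks article. It checks the two things this document ties to the VPN failing after the February updates: the Tcpip6 DisabledComponents value described in the Resolution above, and the state of the Routing and Remote Access service that the Load Balancer Configuration section says must show green (Started). With -Fix it applies the same change the document made (set the value to 0, then reboot) and starts the service. Run it in an elevated PowerShell session on MAO-RAS01 or MAO-RAS02; the -Fix switch and the event log lookup are assumptions about how the manual steps above would be automated.

```powershell
# Added example, not from the original runbook. Checks the Tcpip6
# DisabledComponents value and the RemoteAccess service; -Fix applies the
# remediation the document describes (value set to 0, reboot required).

$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Test-RrasHealth {
    [CmdletBinding()]
    param(
        # Apply remediation instead of only reporting (assumed behaviour).
        [switch]$Fix
    )

    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. IPv6: the value absent or 0 means IPv6 is enabled, which the
    #    Resolution section above requires for RRAS to start.
    $dc = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $dc) {
        $report.DisabledComponents = 'absent'
        $report.Ipv6Enabled = $true
    } else {
        # REG_DWORD comes back as Int32; hex keeps values such as 0xFF readable.
        $report.DisabledComponents = '0x{0:X8}' -f $dc.DisabledComponents
        $report.Ipv6Enabled = ($dc.DisabledComponents -eq 0)
        if (-not $report.Ipv6Enabled -and $Fix) {
            # Same change the document made: keep the value, set it to 0, reboot afterwards.
            Set-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -Value 0 -Type DWord
            $report.Ipv6Action = 'DisabledComponents set to 0 - reboot the server'
        }
    }

    # 2. Routing and Remote Access service (the green/red icon in the RRAS console).
    $svc = Get-Service -Name RemoteAccess
    $report.RemoteAccessStatus    = $svc.Status
    $report.RemoteAccessStartType = $svc.StartType
    if ($svc.Status -ne 'Running' -and $Fix) {
        # Scripted equivalent of right click - All Tasks - Start.
        Start-Service -Name RemoteAccess
        $report.RemoteAccessAction = 'service started'
    }

    # 3. Recent Service Control Manager 7024 events for the service, the
    #    symptom the linked article associates with the registry value.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7024 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like '*Routing and Remote Access*' }
    $report.Recent7024 = @($events | ForEach-Object { $_.TimeCreated.ToString('s') })

    [pscustomobject]$report
}

# Report only; add -Fix to remediate.
Test-RrasHealth | Format-List
```

Restart-Service -Name RemoteAccess is the scripted equivalent of the All Tasks - Restart step given earlier in this document, and the ipconfig /flushdns step that follows still has to be run separately on the NPS and RAS servers.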
An error was then displayed when connecting
This was resolved by running ipconfig /flushdns on both the MAO-NPS01 and MAO-RAS01 servers.
Users were then able to connect as shown below from the MAO-RAS01 server
Intune
VPN Devices are managed via a Device Configuration Profile – Beyond Housing VPN accessed via Intune Admin Center – Home – Devices - Configuration
Certificates
Open certificate manager on the MAO-RAS01 and MAO-RAS02 servers, expand personal - certificates, right click vpn.beyondhousing.co.uk - all tasks - Renew Certificate with New Key - Next - Enroll.
This will automatically update the certificate in IIS
Open Microsoft Entra Admin center - Protection - Conditional Access - VPN connectivity - New Certificate - Change duration to 3 years and click create
Download the certificate (not Base64) and place it in the same folder that command prompt opens to, then open a command prompt as administrator and run the following commands on any domain joined computer
certutil -dspublish -f VpnCert.cer RootCA
certutil -dspublish -f VpnCert.cer NTAuthCA
gpupdate /force
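The following script is an added example and is not part of the original runbook. It reports how long the vpn.beyondhousing.co.uk server certificate in the machine Personal store has left (the certificate the Renew Certificate with New Key step replaces) and checks whether a given CA certificate has reached the local NTAuth cache after the certutil -dspublish and gpupdate /force steps above. The subject name comes from the document; the 30-day warning threshold and the thumbprint placeholder are assumptions.

```powershell
# Added example, not from the original runbook. Run in an elevated
# PowerShell session on MAO-RAS01 / MAO-RAS02 (expiry check) or on any
# domain-joined computer (NTAuth check).

function Get-RasCertificateExpiry {
    param(
        # Subject name from the document; warning threshold is an assumption.
        [string]$DnsName  = 'vpn.beyondhousing.co.uk',
        [int]   $WarnDays = 30
    )
    $now = Get-Date
    # The machine Personal store is where "Renew Certificate with New Key"
    # places the replacement that IIS and RRAS then use.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$DnsName*" -or $_.DnsNameList.Unicode -contains $DnsName } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                HasPrivateKey = $_.HasPrivateKey
                Warn          = ($daysLeft -lt $WarnDays)
            }
        } |
        Sort-Object NotAfter -Descending
}

function Test-NTAuthContains {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # certutil -enterprise -store NTAuth lists the NTAuth certificates this
    # machine has cached from Active Directory (refreshed by gpupdate /force).
    $output = & certutil.exe -enterprise -store NTAuth 2>&1
    # certutil prints hashes with spaces between bytes on some versions;
    # strip all whitespace before comparing.
    $normalized = (($output | Out-String) -replace '\s', '').ToUpperInvariant()
    return $normalized.Contains(($Thumbprint -replace '\s', '').ToUpperInvariant())
}

# Expiry report for the RAS server certificate (oldest renewal will show Warn = True first to expire):
Get-RasCertificateExpiry | Format-Table Subject, NotAfter, DaysLeft, HasPrivateKey, Warn -AutoSize

# Replace the placeholder with the SHA-1 thumbprint of the certificate downloaded from Entra:
Test-NTAuthContains -Thumbprint '<THUMBPRINT-OF-DOWNLOADED-VPN-CERT>'
```

Two certificates with the same subject are expected immediately after a renewal with a new key; the one with the later NotAfter is the new key, and the old one can be left until the IIS and RRAS bindings have been confirmed to use the new thumbprint.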