Always On VPN (IKEv2) suddenly stopped working.

Valentin Giyenko 21 Reputation points
2021-01-19T22:58:03.583+00:00

Last Saturday, the Always On VPN stopped working for all clients. On the server I observe events 20255, 20271 and on the client event 20227 error 812. <<The user connected from IP address but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.>>

To my knowledge, there were no changes on either the server or the clients. The certs are not expired.


4 answers

  1. Valentin Giyenko 21 Reputation points
    2022-01-27T20:56:52.533+00:00

    Yes. I figured it out. In my case it was the certs.

    1. Make sure they are not expired.
    2. If using IKEv2, make sure that the RRAS cert has the following extended key usages: Server Authentication, Client Authentication, IP security IKE intermediate.
    3. Make sure that the NPS cert has the following extended key usages: Client Authentication and Server Authentication.
    4. Most important, check the NPS certs. Both EAP and "Smart card or other certificate" must use the SAME cert.

    (attached screenshot: 169177-nps-vpn-cert.png)

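A script to check points 1 to 3 of the list above on the RRAS and NPS hosts. This is an added example, not from the thread or from Microsoft; it assumes the certificates live in the local machine Personal store (Cert:\LocalMachine\My) and uses the well-known EKU OIDs for Server Authentication, Client Authentication and IP security IKE intermediate.

```powershell
# Added example (not part of the thread): list machine certificates and report
# expiry, private-key presence and any EKU missing for the RRAS (IKEv2) or
# NPS (PEAP) role. Assumption: certs are in Cert:\LocalMachine\My.

# Well-known EKU OIDs
$Eku = @{
    ServerAuth     = '1.3.6.1.5.5.7.3.1'
    ClientAuth     = '1.3.6.1.5.5.7.3.2'
    IpsecIkeInterm = '1.3.6.1.5.8.2.2'
}

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the Enhanced Key Usage extension directly from the cert (.NET API)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-VpnCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$RequiredOids
    )
    $have    = Get-CertEkuOids -Cert $Cert
    $missing = $RequiredOids | Where-Object { $_ -notin $have }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Expired    = ($Cert.NotAfter -lt (Get-Date))   # checklist point 1
        HasKey     = $Cert.HasPrivateKey                # needed to actually use it
        MissingEku = ($missing -join ', ')              # empty string = all present
    }
}

$certs = Get-ChildItem Cert:\LocalMachine\My

'== RRAS (IKEv2): needs Server Auth + Client Auth + IP security IKE intermediate =='
$certs | ForEach-Object {
    Test-VpnCert -Cert $_ -RequiredOids @($Eku.ServerAuth, $Eku.ClientAuth, $Eku.IpsecIkeInterm)
} | Format-Table -AutoSize

'== NPS (PEAP): needs Server Auth + Client Auth =='
$certs | ForEach-Object {
    Test-VpnCert -Cert $_ -RequiredOids @($Eku.ServerAuth, $Eku.ClientAuth)
} | Format-Table -AutoSize
```

Run it on the RRAS server and on the NPS server; a cert with an empty MissingEku column, HasKey True and Expired False is a valid candidate for that role. Point 4 (EAP and "Smart card or other certificate" bound to the same cert) still has to be verified in the NPS network policy itself.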

  2. Candy Luo 12,686 Reputation points Microsoft Vendor
    2021-01-20T06:25:35.327+00:00

    Hi,

    First check the authentication method on server and client. If you’ve made any changes to the default settings for IKEv2 cryptography settings, those must match on the client and VPN server.

    Before we go further, I would like to confirm the following questions:

    1. If you change to an SSTP connection, does it still fail to connect?

    2. What's the OS version of your Windows server? Server 2016 or Server 2019?

    In fact, the error message is very general and it is hard to troubleshoot without tracing network traffic. We need a Network Monitor trace to see what is actually occurring on the network when Always On VPN stops working.

    However, analysis of network traffic is beyond our forum support level, and due to forum security policy we have no channel to collect user log information. So we recommend you open a case with the MS Professional tech support service; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while protecting your private information.

    Here is the link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    In addition, check whether the following article is helpful to you:

    Always On VPN and IKEv2 Fragmentation

    Best Regards,

    Candy




  3. Valentin Giyenko 21 Reputation points
    2021-01-20T19:52:28.103+00:00

    Hi Candy,

    1. When I change to SSTP, it complains about the certificate revocation list.
      When I switch to machine certificate in the VPN profile, it connects and works as expected.
      When I add Secured password (EAP-MSCHAPv2), it also works after credentials are provided.
    2. The server OS is 2019. It is IKEv2 PEAP with the trusted root certificate that stopped working.

    On the client, the error message is: the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.

    On the server, the error is: UserName: <Unauthenticated User>. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

    I tried restoring the VPN server from a backup prior to the issue to no avail.

    I am not sure if it is a coincidence or correlation, but this morning I discovered that our CA server had a glitch at the same time the issue with VPN arose. The service could not start. I don't know if there is a direct dependency between the CA server and the VPN server.

    Thanks,


  4. Zachary Eisenhauer 1 Reputation point
    2022-01-27T16:35:48.47+00:00

    Did you find a solution for this? We have a similar issue - hoping you have a solution. Thanks!