Radius point to site VPN issue

Gustavo Puente 1 Reputation point
2020-08-13T04:00:34.12+00:00

Hi, hope someone can help, I am desperate about this. I have set up a RADIUS point-to-site VPN to our Azure AD Domain Services. I thought it was working fine; I had a few people saying that sometimes the VPN was not accepting their credentials, and I didn't believe them until it started happening to me with a test account.
The issue is that we log in to our domain-joined computers and dial the VPN, but sometimes the VPN says it is not possible to log in with those credentials, and there is nothing you can do but wait; after a few minutes, sometimes many minutes, the problem disappears and you can dial the VPN again.

This is driving me crazy, because it is already in production.

Please Help


3 answers

  1. GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee
    2020-08-14T11:14:25.75+00:00

    Hello @Gustavo Puente ,

    You could browse to the Virtual Network Gateway, then Point-to-site configuration, and check the Allocated IP Addresses section at the bottom of that page to find out how many clients are connected or you could run the "Get-AzVirtualNetworkGatewayVpnClientConnectionHealth" PowerShell cmdlet as advised here.

    Since the issue is happening intermittently and on a few clients, it may require deeper investigation. Hence, if you have a support plan, I request you to file a support ticket; otherwise please do let us know, and we will try to help you get one-time free technical support. In this case, could you send an email to azcommunity@microsoft.com referencing this thread as well as your subscription ID. Please mention "ATTN gishar" in the subject field.

    Thank you for your cooperation on this matter and I look forward to your reply.


  2. Gustavo Puente 1 Reputation point
    2020-08-14T13:26:19.663+00:00

    Hi @GitaraniSharma-MSFT, there are just a few clients in the Allocated IP addresses, and we are using a /23 mask, so I don't think that's the problem.

    We don't have a support plan, so I am very grateful for your offer, I'll be sending you that email in a bit.

    Thank you again


  3. Gustavo Puente 1 Reputation point
    2020-08-17T17:14:57.203+00:00

    Hi @GitaraniSharma-MSFT, I haven't created that ticket because I found the source of the problem: some accounts were being blocked by wrong password attempts, so I was getting this behavior (troubleshoot-account-lockout).

    So I started cutting access by restricting Azure Network Security Groups (for example, restricting all WAN traffic to my VMs and network and only allowing traffic from my VPN network), so right now the only way to access my Azure AD Domain Services domain is from within my VPN network.

    The problem appears to have almost disappeared, but I still see some "Bad Pwd Count" on my test account (using the Microsoft "LockoutStatus" application), and I don't see how that is possible. These are all Azure-synced accounts with MFA enabled, and the only way to get to the domain accounts is by being on the VPN network. How can I find out where that glitch still is?
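The remaining "Bad Pwd Count" question above comes down to locating which system is still submitting wrong passwords for the account. The PowerShell below is an added example, not code from this thread or from Microsoft, showing the two places a RADIUS point-to-site administrator can look: the per-domain-controller badPwdCount/badPasswordTime attributes (LockoutStatus reads the same values, and badPwdCount is not replicated between DCs), and the RADIUS server's Security log, assuming the RADIUS server is Windows NPS, which records every denied request as event 6273 with the RADIUS client IP and calling-station identifier. It assumes the ActiveDirectory RSAT module on a domain-joined management VM with read access to the managed domain; the user name and NPS host name are placeholders, and the regexes for the 6273 message fields are an assumption about the English event text.

```powershell
# Added example (not from the thread): find where bad-password attempts for a
# VPN account are still coming from.
# Assumptions: ActiveDirectory module available, RADIUS is Windows NPS whose
# Security log is remotely readable, English event message text.
param(
    [string]$UserName  = 'vpn-test-user',        # placeholder account
    [string]$NpsServer = 'nps01.contoso.local',   # placeholder NPS host
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# 1. badPwdCount and badPasswordTime are not replicated, so query every DC.
#    A count that climbs on one DC only points at the DC the offending client
#    (or its RADIUS server) is talking to.
function Get-BadPwdPerDc {
    param([string]$User)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $User -Server $dc.HostName `
             -Properties badPwdCount, badPasswordTime, LockedOut
        [pscustomobject]@{
            DomainController = $dc.HostName
            BadPwdCount      = $u.badPwdCount
            LastBadPassword  = if ($u.badPasswordTime) {
                                   [datetime]::FromFileTime($u.badPasswordTime)
                               } else { $null }
            LockedOut        = $u.LockedOut
        }
    }
}

# 2. NPS event 6273 = "Network Policy Server denied access to a user".
#    Reason Code 16 is a credential mismatch. The Client IP Address is the
#    RADIUS client (the VPN gateway when the request came over P2S); a
#    different client IP means the bad passwords are arriving by another path.
function Get-NpsDenials {
    param([string]$User, [string]$Server, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $userPattern = "Account Name:\s+\S*" + [regex]::Escape($User)
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter |
        Where-Object { $_.Message -match $userPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                ClientIP       = if ($_.Message -match 'Client IP Address:\s+(\S+)') { $Matches[1] } else { '' }
                CallingStation = if ($_.Message -match 'Calling Station Identifier:\s+(\S+)') { $Matches[1] } else { '' }
                ReasonCode     = if ($_.Message -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } else { -1 }
            }
        }
}

Get-BadPwdPerDc -User $UserName | Format-Table -AutoSize

# Summarise denials by source so the noisiest client/reason pair stands out.
Get-NpsDenials -User $UserName -Server $NpsServer -Hours $Hours |
    Group-Object ClientIP, CallingStation, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from a domain-joined management VM while the test account's count is rising. If the 6273 denials all carry the VPN gateway as Client IP with Reason Code 16, the stale password is being sent by a VPN client (for example a saved credential in a VPN profile); if the badPwdCount grows on a DC without matching NPS denials, the attempts are not passing through RADIUS at all and the NSG restrictions have left another path open.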