Always On VPN User Tunnel Error 812

James Edmonds 811 Reputation points
2022-08-03T14:53:16.033+00:00

Hello,

We are deploying Always On VPN device and user tunnels using a PowerShell script run as SYSTEM via a scheduled startup task.
During testing, everything seemed to go really smoothly, but now we are deploying to live, we are seeing a number of issues we did not experience, and have so far been unable to resolve.

  1. We have several users whose device tunnels and user tunnels have deployed to their machines. The device tunnels connect ok, but when attempting to connect the user tunnels, they get the error:
    "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error."
    On the client machine, I see event ID 2027, which states an error code of 812. The various causes for this error do not seem to apply.

Looking at our NPS server, for the times of these connection attempts, we see events 6273 in the security log with a reason code of 16
(Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.)

As we are using user certificate authentication, I don't understand why it would be complaining of a mismatch? Some users are working fine with the same deployment, so what would prevent only some users from not being able to connect (they are all in the same VPN Users security group used on both NPS and the CA where the VPN template sits).
Equally, if I log into another test machine as one of these affected users, I am able to connect without issue.

  2. We have some users whose device and user tunnels have been deployed, but their device tunnels do not seem to be automatically connecting, even though their user ones are. Again, I cannot see any reason why their machines would not auto connect one but not the other?
    Does anyone have any thoughts on what may be occurring here?

Many thanks
James

Windows 10 Network
Windows Server Infrastructure

7 answers

  1. James Edmonds 811 Reputation points
    2022-08-17T14:21:55.077+00:00

    What am I looking for in the packet captures? Client side or server side?
    I would have thought that as the packets get to the server and log errors, the packets won't necessarily contain any information on what auth was actually submitted to the NPS server?

    Anything specific in the registry I should be checking?

    They are all Windows 10. I recall the update you are referring to, and will check this to see if applicable.


  2. Juliano PS 1 Reputation point
    2024-06-14T19:43:57.6866667+00:00

    Best work solution!

    My Always On VPN resolved!

    Applied on Windows 11 21H2.

    Thanks
