RasClient (Always On VPN) returning error code 5

David Spiteri 1 Reputation point
2020-10-12T04:36:54.607+00:00

One of our VPN clients (which was working successfully with Always On VPN) reported that the VPN is not connecting anymore. No one else is reporting the same issue.

Event Viewer on client shows:

CoId={3BE59FC6-9EED-0001-2712-E73BED9ED601}: The user domain\username dialed a connection named PA_AlwaysOnVPN which has failed. The error code returned on failure is 5.

Logs on Network Policy Server show that the user has been allowed connection, and Event Viewer on RAS server shows the event as:

RoutingDomainID- {00000000-0000-0000-0000-000000000000}: CoID={E8F89131-25DC-CB24-E98E-181802040EE5}: The user user@keyman connected on port VPN2-499 on 11/10/2020 at 07:17 and disconnected on 11/10/2020 at 07:17. The user was active for 0 minutes 0 seconds. 0 bytes were sent and 3284 bytes were received. The reason for disconnecting was administrative settings or explicit request. The tunnel used was WAN Miniport (IKEv2). The quarantine state was .

Trying to connect with rasphone.exe on the client shows the message:

Applying configured settings

Error 5: Access denied

While the rasdial command on the same machine shows:

Connecting to PA_AlwaysOnVPN...
Verifying username and password...
Registering your computer on the network...Access is denied.

Any ideas what's going on, please?

Windows 10
Windows Server Infrastructure

3 answers

  1. David Spiteri 1 Reputation point
    2020-10-14T05:56:40.227+00:00

    Update....

    This morning installed Hyper-V Manager on the affected machine and the VPN connection is staying in the "Completing Connection" stage.


    RAS server shows the client as connected and an IP address has been assigned....


    Yet, Get-NetIPConfiguration shows that the VPN virtual NIC's address is 169.254.0.80, so the issue seems to be that the virtual NIC is not registering the IP address.


    If I try to manually disconnect the VPN connection, it stays in the disconnecting state, while still showing as connected in RAS server. If one manually disconnects the session directly from RAS server, the machine still stays in the disconnecting state.


    Event Viewer shows error returned 631.


  2. Gloria Gu 3,901 Reputation points
    2020-10-14T06:03:54.56+00:00

    @David Spiteri Hi,

    Thank you for posting in Q&A! Apologies for the late reply!

    > VPN server event 20272: The reason for disconnecting was administrative settings or explicit request. The tunnel used was WAN Miniport (IKEv2).

    This event is normally regarding the maximum ports for IKEv2 connections.
    Did the current user exceed the maximum number of IKEv2 connections? You can manually change the maximum ports for IKEv2 connections. The number of available ports should be between 0 and 30000.
    In addition, the actual limit is network/hardware/performance based. The limiting factors for concurrent VPN connections will be the capacity of the hardware and the number of IP addresses available to assign to VPN clients.


  3. David Spiteri 1 Reputation point
    2020-10-14T06:09:42.747+00:00

    Thanks for your answer; however, it is not an issue from the RAS side. The number of ports and IP addresses available is far more than needed.


    It is more of a local issue as I have posted this morning in the Updated section.

