Azure P2S VPN - Intune Always On Device Tunnel - Error 13801

James Mansell 0 Reputation points
2023-05-06T15:24:16.9766667+00:00

I have been using Azure P2S VPN for device tunnel for Autopilot workstations for months without issue. I recently had a problem with the Cert Authority which resulted in us having to generate a new root certificate. I uploaded the new root cert into the Intune Root Cert config profile. I also copied the new root cert data into the Azure P2S config. We were also failing on enrollment during Autopilot, so we generated a new NDES client cert. Autopilot enrollment is now completing successfully, so I think that points to the SCEP and root cert configs being correct.

But when we get to Windows after enrollment completes, the VPN is failing on the Autopilot workstation with error "CoId={EB6FDEA8-8026-0003-E714-70EB2680D901}: The user SYSTEM dialed a connection named Autopilot VPN which has failed. The error code returned on failure is 13801."

Everything online says this is a problem with the certificate. I have completely deleted the Azure P2S VPN and recreated it, as well as completely deleted the AOVPN profile in Intune and recreated it. Still no change, error 13801 when it tries to connect. These are the configuration directions I followed months ago when I first built Autopilot and P2S VPN. https://inyourcloud.fr/autopilot-with-vpn/#Azure_VPN_Configuration


3 answers

  1. VasimTamboli 5,215 Reputation points
    2023-05-06T18:47:40.7966667+00:00

    Error 13801 in a P2S VPN scenario typically indicates a certificate problem. As you have already recreated the Azure P2S VPN and AOVPN profile in Intune, and verified that the SCEP and root cert configs are correct, the issue may be with the client certificate on the Autopilot workstation.

    You may want to check the following:

    Verify that the client certificate is correctly installed on the Autopilot workstation. You can check this in the certificate store on the device.

    Make sure that the certificate chain is complete and that all required certificates are installed on the device. You can use the Certificates snap-in in MMC to check this.

    Ensure that the certificate is not expired and that the time and date on the device are correct.

    Check that the VPN profile on the Autopilot workstation is configured correctly and that the correct certificate is being used for authentication.

    If you have verified all of the above and the issue persists, you may want to enable VPN client logging on the Autopilot workstation to get more detailed information about the problem. You can use the Event Viewer to access the VPN logs. Additionally, you may want to check the Azure VPN Gateway logs to see if any errors are being reported there.

    1 person found this answer helpful.

  2. Konstantinos Passadis 19,591 Reputation points MVP
    2023-05-06T18:52:02.04+00:00

    Hello @James Mansell !

Error 13801, as already mentioned by @VasimTamboli, usually occurs when there is an issue with the client certificate. In this case, you have already generated a new NDES client certificate and Autopilot enrollment is completing successfully, so the problem is not with the certificate used during enrollment.

    ALSO:

    You mentioned that you copied the new root cert data into the Azure P2S config. Have you also updated the VPN client configuration on the Autopilot workstation to use the new root certificate? You may need to manually update the root certificate on the workstation if it is not being pushed through Intune.

    Another thing to check is if the VPN client configuration on the Autopilot workstation is pointing to the correct VPN server address and using the correct VPN protocol. Double-check the configuration on the workstation against the configuration on the Azure P2S VPN configuration.

    You can also try enabling verbose logging for the VPN client on the Autopilot workstation to get more information about the connection failure. This can be done by creating a registry key on the workstation as described in this Microsoft documentation: https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/enable-vpn-connection-logging-windows-10.


    The answer or portions of it may have been assisted by AI. Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards

    1 person found this answer helpful.
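The checks listed in the two answers above (machine certificate present with a private key, chain complete and anchored on the new root, validity dates and clock, profile pointing at the right gateway with the right tunnel type, RasClient events, and RAS tracing) collected into one script. This is an added example, not code from the original thread, from Microsoft or from the linked guide; the profile name "Autopilot VPN" is taken from the question, while the root CA thumbprint and gateway FQDN are placeholders the administrator has to fill in. Run it from an elevated PowerShell on the Autopilot workstation; device tunnel certificates live in the LocalMachine stores because SYSTEM dials the connection.

```powershell
<#
  Added diagnostic script; not part of the original thread or of any Microsoft tooling.
  Assumptions (placeholders to replace): $ExpectedRootThumbprint is the thumbprint of the
  NEW root CA uploaded to Intune and to the Azure P2S config; $ExpectedServer is the gateway
  FQDN from the Azure P2S profile. The profile name comes from the question.
#>
param(
    [string]$ProfileName            = 'Autopilot VPN',
    [string]$ExpectedRootThumbprint = 'REPLACE_WITH_NEW_ROOT_CA_THUMBPRINT',
    [string]$ExpectedServer         = 'REPLACE_WITH_GATEWAY_FQDN',
    [switch]$EnableTracing
)
$ExpectedRootThumbprint = ($ExpectedRootThumbprint -replace '\s', '').ToUpper()

# 1. Is the new root CA in the machine Root store (delivered by the Intune trusted certificate profile)?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ExpectedRootThumbprint
if ($root) { "[OK]   New root CA in LocalMachine\Root: $($root.Subject)" }
else       { "[FAIL] Root CA $ExpectedRootThumbprint is NOT in LocalMachine\Root" }

# 2. Machine certificates usable for IKEv2 client auth: private key present, Client Authentication
#    EKU (1.3.6.1.5.5.7.3.2) or no EKU extension at all, and a chain that ends on the new root.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $_.HasPrivateKey -and ((-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid))
}
if (-not $candidates) {
    "[FAIL] No machine certificate with a private key and Client Authentication EKU in LocalMachine\My (SCEP/NDES issuance?)"
}
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep this check offline; CRL reachability is a separate question
    $built  = $chain.Build($cert)                   # returns $false and fills ChainStatus when the chain is incomplete
    $anchor = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate }
    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        ValidNow          = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        NotAfter          = $cert.NotAfter
        ChainBuilds       = $built
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ChainRoot         = if ($anchor) { $anchor.Subject } else { '(none)' }
        AnchoredOnNewRoot = ($anchor -and $anchor.Thumbprint -eq $ExpectedRootThumbprint)
    }
}

# 3. Clock: a clock that is off makes a freshly issued certificate "not yet valid".
"Local time (UTC): $((Get-Date).ToUniversalTime().ToString('u'))"
w32tm /query /status 2>$null | Select-String 'Last Successful Sync Time', 'Source'

# 4. Machine-wide VPN profile as delivered by Intune: gateway address and tunnel type.
$vpn = Get-VpnConnection -AllUserConnection -Name $ProfileName -ErrorAction SilentlyContinue
if (-not $vpn) {
    "[FAIL] No machine-wide VPN profile named '$ProfileName' (Intune VPN profile not delivered?)"
} else {
    $vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus | Out-String
    if ($vpn.ServerAddress -ne $ExpectedServer) {
        "[WARN] ServerAddress '$($vpn.ServerAddress)' differs from the gateway in the Azure P2S config"
    }
    if ($vpn.TunnelType -ne 'Ikev2') {
        "[WARN] A device tunnel is expected to use IKEv2; the profile uses $($vpn.TunnelType)"
    }
}

# 5. Last failed dials logged by RasClient (event 20227); the message carries the CoId and the 13801 code.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }

# 6. Optional: RAS tracing as described in the Microsoft article linked above; logs go to %windir%\tracing.
if ($EnableTracing) {
    netsh ras set tracing * enabled | Out-Null
    "RAS tracing enabled. Reproduce the failure, then run: netsh ras set tracing * disabled"
}
```

A certificate that shows `ValidNow = True` but `AnchoredOnNewRoot = False` is the case the thread describes: the SCEP client certificate still chains to the old root (or the issuing CA certificate on the device has not been refreshed), so the gateway, which now trusts only the new root, rejects it. Only certificates whose chain ends on the same root that was pasted into the Azure P2S configuration can authenticate the device tunnel.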

  3. Simon Ren-MSFT 40,341 Reputation points Microsoft External Staff
    2023-05-12T10:38:22.33+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    Honestly, this issue is complex and needs to be analyzed based on the actual situation of the client. So, it is better to create an online support ticket to handle this issue more effectively. Here is the online support link; I hope it is helpful.

    https://docs.microsoft.com/en-us/mem/get-support

    Thanks for your understanding and hope everything goes well with you.

    Best regards,

    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html

