vNet Virtual Network Gateway - Basic SKU no longer works with VPN Point-to-site Self-Signed Certificates

Question

vNet Virtual Network Gateway - Basic SKU no longer works with VPN Point-to-site Self-Signed Certificates

Neil McAlister 291

Back in August 2023 I had a template of infrastructure code that provisioned a Virtual Network Gateway with the Basic SKU in the UK South region - and set it up with a self-signed certificate - as per instructions - and it worked perfectly. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Yesterday, October 12th 2023 I returned to this template to spin up another new service and while the resource/service provisions successfully - the VPN Client won't connect. The error on the Windows machines GUI is displayed as follows...

Root certificate which is not trusted by the trust provider. (0x800b0109)

The log file displays the following error...

[cmdial32] 08:15:58 21 On-Error Event ErrorCode = -2146762487 ErrorSource = RAS

I've no idea what error code -2146762487 means

I took the same template configuration and spun up the same thing with a SKU of VpnGw1 (Generation1) and it works with no issues

My question is therefore - what has broken the Basic SKU version of Virtual Network Gateway since August 2023 to October 2023? As this was working OK previously, many times.

Can it be fixed? I don't think Basic SKU is working now for new resource provisions - maybe UK South or maybe worldwide?

Please note: I've tried everything around this initial GUI error of 0x800b0109 - it's not that - I've moved certs around into different stores, done a Windows repair etc. etc. thank you but it's something to do with the SKU's

KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-13T13:54:35.0833333+00:00
@Neil McAlister

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are experiencing issues with deploying a Basic SKU VPN Gateway using a ARM template.

I take it that you are using an ARM template as documented below:

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworkgateways?pivots=deployment-language-arm-template

And using "vpnClientRootCertificates" property to define the "publicCertData" using the Public Data

Also, it appears the same template is working while you use a VpnGw1 (Generation1) SKU.

If you are using a different template such as Terraform, do let me know.

To troubleshoot,

This looks like a deployment issue.

Are you able to reproduce the error for second time? (using Basic SKU itself)

If so, can you please upload the cert Data from Portal once the VPN gateway is deployed and see if that works?

This will tell us if the issue is with the template or just with the basic SKU.

Are you deploying a PolicyBased or RouteBased VPN Gateway?

i.e., The property "vpnType".

NOTE :

You will still be able to deploy new gateways using Basic SKU.

But only using Azure CLI or PowerShell.

Refer : Can I create a VPN gateway with the Basic gateway SKU in the portal?

Cheers,

Kapil

Neil McAlister 291

Hi @KapilAnanth-MSFT - thanks for the reply

Here are the steps to reproduce

Generate the certificates from here: The script I used is similar to this one, but I changed the names of the P2SRootCert and P2SChildCert to my names https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

$params = @{
    Type = 'Custom'
    Subject = 'CN=P2SRootCert'
    KeySpec = 'Signature'
    KeyExportPolicy = 'Exportable'
    KeyUsage = 'CertSign'
    KeyUsageProperty = 'Sign'
    KeyLength = 2048
    HashAlgorithm = 'sha256'
    NotAfter = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params

$params = @{
    Type = 'Custom'
    Subject = 'CN=P2SChildCert'
    DnsName = 'P2SChildCert'
    KeySpec = 'Signature'
    KeyExportPolicy = 'Exportable'
    KeyLength = 2048
    HashAlgorithm = 'sha256'
    NotAfter = (Get-Date).AddMonths(18)
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Signer = $cert
    TextExtension = @(
     '2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}
New-SelfSignedCertificate @params

Using Terraform - I apply this - inserting the ROOT Certificates exported text - as per instructions in the link above - into the public_cert_data field

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.52.0"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

# Resource Group
resource "azurerm_resource_group" "rg01core" {
  name     = "rg-test-core"
  location = "uksouth"
}

# Virtual Networks
resource "azurerm_virtual_network" "vnet01core" {
  name                = "vNet-test-01"
  address_space       = ["172.17.0.0/16"]
  location            = azurerm_resource_group.rg01core.location
  resource_group_name = azurerm_resource_group.rg01core.name
}

# Virtual Network Subnets
resource "azurerm_subnet" "subnet-defaultcore" {
  name                                      = "subnet-default"
  resource_group_name                       = azurerm_resource_group.rg01core.name
  virtual_network_name                      = azurerm_virtual_network.vnet01core.name
  address_prefixes                          = ["172.17.0.0/24"]
  private_endpoint_network_policies_enabled = true
}
# The name has to be "GatewaySubnet" otherwise the vNet Gateway will not provision successfully
resource "azurerm_subnet" "subnet-vnetgatewaycore" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.rg01core.name
  virtual_network_name = azurerm_virtual_network.vnet01core.name
  address_prefixes     = ["172.17.1.0/24"]
}

# Vnet Gateway for VPN Access
# Cert generation instructions here: https://blog.netwrix.com/2022/11/14/how-to-set-up-azure-point-to-site-vpn/
resource "azurerm_public_ip" "pip-vnetgatewaycore" {
  name                = "pip-vNetGW"
  location            = azurerm_resource_group.rg01core.location
  resource_group_name = azurerm_resource_group.rg01core.name
  allocation_method   = "Dynamic"
}

resource "azurerm_virtual_network_gateway" "vnetgateway-core" {
  depends_on = [
    azurerm_public_ip.pip-vnetgatewaycore,
    azurerm_virtual_network.vnet01core,
    azurerm_subnet.subnet-vnetgatewaycore,
    azurerm_subnet.subnet-defaultcore
  ]
  name                = "vNetGW-test-01"
  location            = azurerm_resource_group.rg01core.location
  resource_group_name = azurerm_resource_group.rg01core.name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = false
  enable_bgp          = false
  sku                 = "Basic"
  #sku                 = "VpnGw1"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.pip-vnetgatewaycore.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.subnet-vnetgatewaycore.id
  }

  vpn_client_configuration {
    address_space = ["172.18.1.0/24"]
    root_certificate {
      name = "VPNGatewaySelfCertROOT"

      public_cert_data = <<EOF
MIIC/TCCAeWgAwIBAgIQ{redacted-different-in-your-certificate}
EOF
    }
  }
}

After deployment and downloading the VPN Client Package and attempting to connect from Windows - I get the following GUI error

User's image

Clicking Properties on this box gets you to the log - view log - the following error is logged...

[cmdial32] 08:15:58 21 On-Error Event ErrorCode = -2146762487 ErrorSource = RAS

To tear down the resources - terraform destroy
If I change the single line of Terraform code from sku = "Basic" to sku = "VpnGw1" and do a Terraform Apply again, it provisions and everything works

To answer your questions, I've tried sku="Basic" approximately 4 times over a 2 day period with the same result - it doesn't work. It used to work a few months ago, but now it does not

Thanks

Neil

KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-16T09:51:48.6266667+00:00
@Neil McAlister

Thanks for sharing the template with us Neil.

May I ask what happens when you re-upload the cert Data from Portal after the VPN gateway is deployed with Terraform ?

Does this work?

Thanks,

Kapil
Neil McAlister 291 Reputation points

2023-10-16T14:19:59.4766667+00:00

Hi @KapilAnanth-MSFT

I've just re-run my exact same provision from last week without any changes whatsoever and the Basic SKU has worked! For some reason it might have been fixed by someone somewhere? Not sure, but that's another 3 days of my life I won't get back :/

Is there somewhere online that publishes changes that are going on with these SKUs ? Or is there a reference that might highlight what error code -2146762487 actually means - for future issues

Thanks
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-17T06:32:11.54+00:00
@Neil McAlister

I checked this behavior internally and I am not aware of any such changes going on with SKU.

I still believe this is something specific to your local system and not with the Platform.

During the issue period, where you able to repo this using a different remote server? The error code -2146762487 (0x800b0109) is issues by the OS and by Azure platform.

This, as the error states, generally means there is a trust issue with the certificate(s) used.

https://serverfault.com/questions/184505/cant-get-my-sstp-vpn-to-works-due-to-a-certificate-issue Should the issue resurface, I would suggest you to file a support ticket, where a support engineer can have a screen share session to pinpoint the issue.

If you do not have a support plan, please do let us know and we will try and help you get a one-time free technical support.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Cheers,

Kapil
Neil McAlister 291 Reputation points

2023-10-17T10:39:36.0433333+00:00

Hi @KapilAnanth-MSFT

I've tried it again this morning to double check and it works.

It wouldn't have been my local system or environment though - I even spun up x2 new Windows Server VM's from the official Azure Marketplace images and tried the VPN connection for there last week when I was having issue, and the problem persisted there as well - this was to disprove the local system question.

Anyway, the issue is resolved for now - maybe it was something only in the UK South region - but without it being logged anywhere - impossible to tell

Thanks
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-18T09:20:48.9233333+00:00

You are welcome @Neil McAlister .

Yes, I agree. The behavior is strange indeed.

As you stated, without logs or active repo, it will be challenging for us to isolate the root cause.

Accepting one's own answer is currently not supported in Microsoft Q&A.

Hence, I shall summarize our discussion and post it as a new answer. I would highly appreciate if you could Accept the answer and close this thread

Should the issue resurface, please let us know and we can work on it with a support ticket

Cheers,

Kapil
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-20T06:02:17.6666667+00:00

Hi @Neil McAlister

Request you to pleas e"Accept the answer" and close the thread.

This might be beneficial to other community members reading this thread as well.

And, if you have any further query do let us know.

Thanks,

Kapil

Accepted answer

0 additional answers

Your answer

KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-13T13:54:35.0833333+00:00

@Neil McAlister

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are experiencing issues with deploying a Basic SKU VPN Gateway using a ARM template.

I take it that you are using an ARM template as documented below:

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworkgateways?pivots=deployment-language-arm-template

And using "vpnClientRootCertificates" property to define the "publicCertData" using the Public Data

Also, it appears the same template is working while you use a VpnGw1 (Generation1) SKU.

If you are using a different template such as Terraform, do let me know.

To troubleshoot,

This looks like a deployment issue.

Are you able to reproduce the error for second time? (using Basic SKU itself)

If so, can you please upload the cert Data from Portal once the VPN gateway is deployed and see if that works?

This will tell us if the issue is with the template or just with the basic SKU.

Are you deploying a PolicyBased or RouteBased VPN Gateway?

i.e., The property "vpnType".

NOTE :

You will still be able to deploy new gateways using Basic SKU.

But only using Azure CLI or PowerShell.

Refer : Can I create a VPN gateway with the Basic gateway SKU in the portal?

Cheers,

Kapil
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-16T09:51:48.6266667+00:00

@Neil McAlister

Thanks for sharing the template with us Neil.

May I ask what happens when you re-upload the cert Data from Portal after the VPN gateway is deployed with Terraform ?

Does this work?

Thanks,

Kapil
Neil McAlister 291 Reputation points

2023-10-16T14:19:59.4766667+00:00

Hi @KapilAnanth-MSFT

I've just re-run my exact same provision from last week without any changes whatsoever and the Basic SKU has worked! For some reason it might have been fixed by someone somewhere? Not sure, but that's another 3 days of my life I won't get back :/

Is there somewhere online that publishes changes that are going on with these SKUs ? Or is there a reference that might highlight what error code -2146762487 actually means - for future issues

Thanks
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-17T06:32:11.54+00:00

@Neil McAlister

I checked this behavior internally and I am not aware of any such changes going on with SKU.

I still believe this is something specific to your local system and not with the Platform.

During the issue period, where you able to repo this using a different remote server? The error code -2146762487 (0x800b0109) is issues by the OS and by Azure platform.

This, as the error states, generally means there is a trust issue with the certificate(s) used.

https://serverfault.com/questions/184505/cant-get-my-sstp-vpn-to-works-due-to-a-certificate-issue Should the issue resurface, I would suggest you to file a support ticket, where a support engineer can have a screen share session to pinpoint the issue.

If you do not have a support plan, please do let us know and we will try and help you get a one-time free technical support.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Cheers,

Kapil
Neil McAlister 291 Reputation points

2023-10-17T10:39:36.0433333+00:00

Hi @KapilAnanth-MSFT

I've tried it again this morning to double check and it works.

It wouldn't have been my local system or environment though - I even spun up x2 new Windows Server VM's from the official Azure Marketplace images and tried the VPN connection for there last week when I was having issue, and the problem persisted there as well - this was to disprove the local system question.

Anyway, the issue is resolved for now - maybe it was something only in the UK South region - but without it being logged anywhere - impossible to tell

Thanks
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-18T09:20:48.9233333+00:00

You are welcome @Neil McAlister .

Yes, I agree. The behavior is strange indeed.

As you stated, without logs or active repo, it will be challenging for us to isolate the root cause.

Accepting one's own answer is currently not supported in Microsoft Q&A.

Hence, I shall summarize our discussion and post it as a new answer. I would highly appreciate if you could Accept the answer and close this thread

Should the issue resurface, please let us know and we can work on it with a support ticket

Cheers,

Kapil
KapilAnanth-MSFT 49,326 Reputation points Microsoft Employee

2023-10-20T06:02:17.6666667+00:00

Hi @Neil McAlister

Request you to pleas e"Accept the answer" and close the thread.

This might be beneficial to other community members reading this thread as well.

And, if you have any further query do let us know.

Thanks,

Kapil

Answer 1

@Neil McAlister

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are experiencing P2S Certificate issues while deploying a Basic SKU VPN Gateway using a Terraform template.

To troubleshoot,

I enquired if you were able to reproduce the error for second time? (using Basic SKU itself)
- You confirmed yes
If so, can you please upload the cert Data from Portal once the VPN gateway is deployed and see if that works?

Meanwhile, you confirmed the issue is no longer reproducible

The error code -2146762487 (0x800b0109) is issues by the OS. This, as the error states, generally means there is a trust issue with the certificate(s) used.

https://serverfault.com/questions/184505/cant-get-my-sstp-vpn-to-works-due-to-a-certificate-issue

I also checked this behavior internally but could not find any similar reported incident, or support cases wrt Basic SKU.

I further suggested we file a support ticket to isolate the issue, should it ever resurface.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Share via

vNet Virtual Network Gateway - Basic SKU no longer works with VPN Point-to-site Self-Signed Certificates

0 additional answers

Your answer