RRAS/NAT/IIS/File share issues after KB5014702 on Server 2016

Question

3 web/mail/ftp servers, 1 sql/file server. The 3 servers have one NIC connected to an ISP, one NIC to our LAN, RRAS NAT enabled. LAN sets gateway/dns to be one of the 3 servers LAN addresses. Been this way for the last 25 years or so without issue through Server 2000, 2003, 2008, 2012, 2012R2, and 2016. Only thing changed was finally switching to centralized certificate store(located on the sql/file server) back in like Jan.

Yesterday KB5014702 installed on the 4 servers. Suddenly we started having network issues. Systems would randomly freeze trying to connect to drive shares or on sql connections. Immediately uninstalled KB5014702 but problems persisted. I got up for work at 4am and it's currently 9:30am the next day and I've done nothing but fight as the phones rang off the hook and emails flooded in.

TL;DR, I can either have RRAS NAT enabled and our LAN can get out to the internet or I can have customers connect to our web servers. I can't have both.

After rebooting from installing KB5014702, trying to connect to our SQL/File server would produce a 15-30 second delay until it finally said it couldn't find the name. Doing a ping/tracert to the name showed the IP4 of the SQL/File server. Since our centralized certificate store is on that server, of course, IIS couldn't work. NAT worked as expected. My Windows 11(Dev) desktop had no issues connecting to any of the 4 servers. Noticed that my W11 machine was connecting through IP6 so created static IP6 assignments for the servers and even though they couldn't resolve the names, I could use a hosts file to force them to connect. Discovered that customers couldn't connect to our web servers(IIS).

Uninstalled KB5014702, discovered this changed -nothing-. One of the servers I uninstalled IIS/RRAS, did a network reset, and reconfigured everything and got the same results.

Disabling RRAS allowed IIS to work. I could also connect to shares via IP4.

I even enabled another NIC on one of the servers, gave it a different static IP and when I enable RRAS-NAT for it, it kills IP4 and being able to connect to IIS through our WAN.

I'm now 30 hours awake and in a state of panic as I don't even remotely know how to address this. Once another employee came in and found out I was there overnight he sent me home since I didn't take last nights meds nor this morning. So I'm on my internet at home writing this. If I keep RRAS disabled, our customers can run just fine, but none of our employees can access the internet(nor our phones work). This is one of those "working for decades now" and just broke yesterday after this(and the .NET 4.8 update) and frustratingly didn't revert after uninstalling. I let all of the servers pull back down KB5014702 since it doesn't make a difference one way or another. Any suggestions on how to get it back up and operational?

Answer 1

Having similar issues, have a VM (server 2012r2) dedicated to RRAS (NAT duty), it seems to block networking after a short while, RDP drops off, file shares cannot be accessed, but ping to the server and from server always works...

Lucky this server has no data which needs to be current, so restored from a 1 week old backup and back to normal.

Answer 2

As part of our Friday night updates before the weekend kicks-in we applied KB5014702 after encountering no issues on our dev and test VM earlier in the week. After being fully applied to our prod and dev networks, it has totally broken RRAS dial-in. The issue appears to be with authenticating against the domain controller. I am quite shocked that KB5014702 broke RRAS dial-in on both networks since they are on different domains, and that Microsoft would release an update that would break this everywhere.

Answer 3

Uninstalling KB5014702 from the RRAS server appears to have fixed the problem.

Answer 4

I am having the same exact issue. This is a real problem.

Answer 5

We are having the same problem with routing and remote access service. When we enable NAT, we lost RDP connection to the host machine.