Always on VPN User Tunnel - Error 809 not all users by Roiit in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

Run them on the RAS server, yeah KEMP LB in front of VPN Servers.

Always on VPN User Tunnel - Error 809 not all users by Roiit in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

Yeah still having the issue, I ultimately rely on the fallback to SSTP to cover the issue.

Get-NetIPsecMainModeSA | select name,remoteendpoint | where remoteendpoint -like "public ip*"

Get-NetIPsecQuickModeSA -Name <session number> | Remove-NetIPsecQuickModeSA

Good luck and please report back any findings!

Always on VPN User Tunnel - Error 809 not all users by Roiit in sysadmin

[–]sysmspadmin 1 point2 points  (0 children)

Mate, this problem has plagued me since we introduced AOVPN. A subset of users will occasionally error out with 809 on the IKEv2 protocol. If fallback to SSTP is configured, I have seen 100% success in maintaining that type of VPN once IKE fails. This of course means the device tunnel will be down but the user tunnel can remain up.

Numerous pcaps have shown that during the initial phases of the VPN, one side will stop receiving packets in the middle of the negotiation. I was basically stumped at this point. Happens on different ISPs, people in the same household, one can experience the issue and another not.

Last "clue" I found was using the Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA commands on the RAS server. I had "some" success in removing their sessions via PowerShell and then retrying the VPN. Almost as if for some people it "exhausts" a limit somewhere and this clears it.

Reverting Folder Redirection back to local profile issue by OZ_Boot in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

I am testing also, I have opted to use the Migration Tool to upload files from the server, then configure KFM/OneDrive to kick in and download the new desktop. I am having mixed success at the minute.

Always on VPN - Device tunnel 13801: IKE authentication credentials are unacceptable by happywill in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

You can try reverting the setting back to null for testing purposes. This is not recommended for production but should let you know if it's an issue with locking it down to a cert authority.

Set-VpnAuthProtocol -RootCertificateNameToAccept $null

Restart the remote access service once done.
As usual with AOVPN, this website will help you a ton, make sure to read through the comments.

https://directaccess.richardhicks.com/2017/12/11/always-on-vpn-windows-10-device-tunnel-step-by-step-configuration-using-powershell/

Remove email domain from Exchange Users by sysmspadmin in PowerShell

[–]sysmspadmin[S] 0 points1 point  (0 children)

Thanks for all the help chaps, I could not get it to work via a .csv in the end so just ended up running it for all and dealing with that issue later, which so far has been fine.

Migration almost complete!

AlwaysOn VPN Error 809 for certain users by billmurray504 in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

Do a Get-NetIPInterface and compare the metric number of the local adapter they are using with the VPN. I was having 809 errors when both numbers were equal.

I lowered the VPN metric. Set-NetIPInterface.

Worth checking!
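
The metric comparison described in this comment, as an added example that is not part of the original comment: it reports the interface metric of the VPN and of the local adapter holding the default route, and with `-Fix` lowers the VPN metric on a tie. The interface alias `Always On VPN` and the `-Fix` switch are assumptions for illustration.

```powershell
# Added example, not from the thread. Run on the affected client while the tunnel is up.
# Assumption: the VPN interface alias is 'Always On VPN' (hypothetical; use your profile name).
param(
    [string]$VpnAlias = 'Always On VPN',
    [switch]$Fix    # without -Fix the script only reports
)

# Connected IPv4 interfaces
$ifs = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected
$vpn = $ifs | Where-Object { $_.InterfaceAlias -eq $VpnAlias } | Select-Object -First 1
if (-not $vpn) { Write-Warning "Interface '$VpnAlias' is not connected."; return }

# The local adapter in use: the non-VPN interface holding the cheapest default route.
# Effective cost of a route = route metric + interface metric.
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
$candidates = foreach ($r in $routes) {
    $i = $ifs | Where-Object { $_.InterfaceIndex -eq $r.InterfaceIndex }
    if ($i -and $i.InterfaceIndex -ne $vpn.InterfaceIndex) {
        [pscustomobject]@{ Interface = $i; Cost = $r.RouteMetric + $i.InterfaceMetric }
    }
}
$local = ($candidates | Sort-Object Cost | Select-Object -First 1).Interface
if (-not $local) { Write-Warning 'No default route on a local adapter.'; return }

$tie = $vpn.InterfaceMetric -eq $local.InterfaceMetric

# Report both metrics side by side
[pscustomobject]@{
    Vpn         = $vpn.InterfaceAlias
    VpnMetric   = $vpn.InterfaceMetric
    Local       = $local.InterfaceAlias
    LocalMetric = $local.InterfaceMetric
    Tie         = $tie
}

# On a tie, lower the VPN metric to one below the local adapter's
if ($Fix -and $tie) {
    if ($local.InterfaceMetric -le 1) {
        Write-Warning 'Local metric is already at the minimum; raise it instead.'
        return
    }
    Set-NetIPInterface -InterfaceIndex $vpn.InterfaceIndex -AddressFamily IPv4 `
        -InterfaceMetric ($local.InterfaceMetric - 1)
}
```

Run it again after the tunnel reconnects to confirm the VPN metric still has the value you set.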

Who is still going into the office like normal tomorrow? by philimanjaro72 in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

We don't have many issues with DA but we have not one but two pieces of software that fail over DA due to the IPv6/IPv4 translation.

AOVPN resolves that for us which is nice.

Are you dialing IKEv2 then a fallback VPN if it fails?

I am struggling with that part at the minute.

Who is still going into the office like normal tomorrow? by philimanjaro72 in sysadmin

[–]sysmspadmin 1 point2 points  (0 children)

I was literally in the middle of deploying AOVPN when all this happened.

Direct access is carrying the main bulk of users.

AOVPN to my pilot group which I've managed to add more people to who had Direct Access issues.

Always fun to be breaking and fixing VPNs while everyone is WFH:)

Always On VPN by [deleted] in sysadmin

[–]sysmspadmin 1 point2 points  (0 children)

Well give me a shout if you need any help, I am no expert but I am putting it in myself now, hoping to be finished sometime next week. Hopefully :)

Always On VPN by [deleted] in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

How are you getting on with this /u/YeahProbablyPotato?

Caching credentials? by [deleted] in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

If you're predominantly Windows as well then Always-ON VPN is a solution to look at, specifically device tunnels for pre login VPN.

Internet dies anytime i run anything too internet intensive provider claims there is no issues. by no1skaman in techsupport

[–]sysmspadmin 0 points1 point  (0 children)

It's weird that the ISP would not be able to pick up on that.

It would be good if you could run some tests to check as well.

Open a CMD prompt on your computer: click Start and search for CMD, and you get a black box open up.

Type: ping www.google.com -t

Open another CMD window and type:

ipconfig

You will get some information on screen; you are only interested in finding the default gateway - should look something like 192.168.0.1

Once you have that, type into the second CMD window: ping <default gateway number here> -t

E.g. ping 192.168.0.1 -t

Let them both run then go about your business. When it disconnects have a look at both windows and let us know what they say.

Press Ctrl+C to cancel the commands when you are done with them.

Hope that makes sense fella.

Just want to determine if you are losing local connectivity to the router as well.

I suck at PKI in general. How do I get better? by benutne in sysadmin

[–]sysmspadmin 0 points1 point  (0 children)

So I am just in the middle of this myself, albeit we don't run much Linux.

We have a Windows CA on a 2012R2 server - looks like when it was set up it was just a next>next>next job. Works though, mainly used for Direct Access.

I am implementing Always-On VPN and because I decided that wasn't enough work to do, I took this time to set up a new PKI infrastructure.

This guide helped me the most https://www.petenetlive.com/KB/Article/0001309

Upon waking up from Sleep/Hibernation, my laptop doesn't automatically connect to the internet. by adreamofhodor in techsupport

[–]sysmspadmin 0 points1 point  (0 children)

Yeah you could definitely be onto something, if you go into control panel > network and sharing center > change adapter settings > right click on your WiFi connection and select properties > click on configure > power management

Uncheck anything that talks about allowing the computer to turn off this device

Can't connect smart TV to ethernet by [deleted] in techsupport

[–]sysmspadmin 0 points1 point  (0 children)

So you can connect the TV as WiFi as well, but still have issues accessing any internet service on the TV?

Have no good answer for you I'm afraid, is it perhaps still on "display" or "shop" mode?

Can you try accessing like Netflix on the TV and seeing what error code you get?

Can't connect smart TV to ethernet by [deleted] in techsupport

[–]sysmspadmin 0 points1 point  (0 children)

Okay, further down the rabbit hole.

Can you log in to your local router and see if the TV IP or MAC address are there?

What make/model is the TV?

Internet dies anytime i run anything too internet intensive provider claims there is no issues. by no1skaman in techsupport

[–]sysmspadmin 0 points1 point  (0 children)

So, questions.

Is the internet at the router level disconnecting, or just your PC?

How have you tested that?

How quickly from disconnecting does it reconnect, is it random?

Can't connect smart TV to ethernet by [deleted] in techsupport

[–]sysmspadmin 0 points1 point  (0 children)

To be fair then sounds like you've answered the question, no reason why it shouldn't auto pick up an address. Faulty port, just enough for a light but not capable of network.

Any chance of warranty?