Windows Server - Restart Breaks VPN Access

Asked By Jonathon
18-Nov-09 09:38 AM
Greetings,

I am having VPN problems: after a restart, no one can connect over the VPN. I
can fix this by restarting the Microsoft Firewall service, and then it is all fine,
but my servers all install updates and restart over the weekend, so often I
cannot get to them until I restart the service on Monday morning.

There does not seem to be anything in the event logs that indicates a problem.

Can anyone help?

Thanks,
Jonathon
  jyba replied to Jonathon
19-Nov-09 04:33 AM
Hi Jonathon,

Thank you for posting in our Community.

According to your description, I understand the issue is that sometimes VPN
clients cannot connect to the VPN server until you restart the Microsoft Firewall service.
Please correct me if I have any misunderstanding.

To investigate this issue, could you collect the following information?

1. Collect MPS report on VPN Server
=================
a)	Download the mpsreports_x86(64).exe from
-88B7-F9C79B7306C0&displaylang=en>
NOTE: The link may be truncated when you read the E-mail. Be sure to
include all text between '<' and '>' when navigating to the download
location.
b)	Right click mpsreports_x86(64).exe and select Run as Administrator to
run this tool.
c)	The tool will automatically collect the information. This procedure will
take 10~15 minutes.
d)	Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\


2. Enable RAS tracing on VPN server and VPN client computer, then collect
RAS logs:
==================================
a)	To enable RAS logging, run the command "netsh ras diagnostics set
rastracing * enabled"

3. Collect ISA BPA log
==================================
a. Please download and install ISABPA on the ISA server:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en

b. On ISA, Start a command prompt, change directory into:
C:\Program Files\Microsoft IsaBPA>
Run "IsaBpaPack.exe +Repro /TrConfig:all" (without quotation mark)
It will then ask you to press space bar when you want to start capturing
network traffic.

4. Reproduce the problem again and send me the screenshot from VPN client
Note: Please tell me the IP address of the client computer.

5.  Collect log files
==================================
b)	Stop the RAS tracing by executing the command "netsh ras diagnostics set
rastracing * disabled"
c)	The trace logs are created and available at %windir%\tracing folder.
d)	Some of the trace log files that would help in diagnosing the problem
are:
PPP.log
RASMAN.log
IASHLPR.log
RASIPCP.log
RASIPV6CP.log

e. After that please press space bar again on ISA to stop capturing network
traffic. It will package everything into a CAB file on the desktop.

Please send all files with name 44290124.zip under the following location:
https://sftasia.one.microsoft.com/choosetransfer.aspx?key=bc9a11d2-c67b-47c6-870f-2e2c22a94952
Password:2)T3wV$cxXc

Thank you for your cooperation.

Warm Regards,
Brandon Jiang

  Jonathon replied to jyba
19-Nov-09 07:48 AM
Hi Brandon,

Unfortunately I am unable to reproduce the issue right now; the issue always
occurs after a restart of the ISA 2006 server. As this is a production server,
a restart is not possible at the moment.

I have collected the logs anyway and sent them to you using the website you
provided.

Many thanks,
Jonathon
  jyba replied to Jonathon
20-Nov-09 01:19 AM
Hi Jonathon,

Thanks for your reply!

I have fully analyzed the log files; however, I did not find the same symptom
without reproducing.

From the log files, I can see the issue seems to have occurred only on 11/8, but
did not occur on 11/15 after rebooting the ISA server.

1. Most of the Remote Access failures are caused by the following or similar:
Event Type:	Warning
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20189
Description:
The user Jonathon connected from 82.132.139.72 but failed an authentication
attempt due to the following reason: Authentication was not successful
because an unknown user name or incorrect password was used.

2. On 11/8, I noticed the following 5719, which means ISA cannot access the DC
to authenticate. But it did not occur on 11/15.
Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	5719
Description:
This computer was not able to set up a secure session with a domain
controller in domain UK due to the following:
There are currently no logon servers available to service the logon
request.
This may lead to authentication problems. Make sure that this computer is
connected to the network. If the problem persists, please contact your
domain administrator.

Based on the situation, please enable Netlogon log by following
http://support.microsoft.com/?id=109626 and collect log files again when
reproducing this issue.

Have a good day!

Regards,
Brandon
  Jonathon replied to jyba
20-Nov-09 09:28 AM
Hi Brandon,

I have enabled Netlogon logging. I will post back with all of the logs on
Monday after the server restart on Sunday, which may reproduce the issue.

Thanks,
Jonathon
  Jonathon replied to jyba
25-Nov-09 06:28 AM
Hi Brandon,

The issue reoccurred today. I have collected all of the logs and asked a user
to send me a screenshot of the problem. I have sent them to you using the link
you provided earlier. Their IP address was 89.195.197.125.

Thanks,
Jonathon
  jyba replied to Jonathon
27-Nov-09 04:49 AM
service cannot get VPN configuration and thus stopped.  However, the issue
is too complicated and I cannot find the exact cause and provide solution
for you now.
1. The following error indicates ISA failed to start the RRAS service.
Error
Event Code	14104
Event ID	0xC0003718 (3221239576)
Data	21, 0, 7, 128
Generated	20091125091152.000000+000
Source	Microsoft Firewall
Message	Failed to start the Routing and Remote Access service. Look at the
system event log for more errors.

2. The reason is that RRAS configuration could not be completed.
Error
Event Code	21199
Event ID	0xC00052CF (3221246671)
Data	21, 0, 7, 128
Generated	20091125091152.000000+000
Source	Microsoft Firewall
Message	The Remote Access Service configuration for VPN could not be
completed. As a result, the Remote Access Service may be stopped.

However, I cannot identify the cause why RRAS VPN configuration cannot be
completed.

Based on this situation and the complexity of this issue, I would recommend you
contact Microsoft Professional support.

Have a good day!

Regards,
Brandon
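
Added example, not part of the original thread or from either poster: a startup check that looks for the two Microsoft Firewall events quoted above (14104 and 21199) and the NETLOGON 5719 event since the last boot, and applies the manual workaround from the first post (restarting the firewall service) when RRAS did not come up. It assumes PowerShell 2.0 or later, that ISA alerts are written to the Application log under source `Microsoft Firewall`, and that the firewall service's short name is `fwsrv`; the log file path is hypothetical and its folder must already exist.

```powershell
# Added example (not from the thread). Run at startup, e.g. from a scheduled
# task delayed a few minutes so the services have had time to start.
# Assumptions: PowerShell 2.0+, ISA alerts in the Application log under source
# 'Microsoft Firewall', firewall service short name 'fwsrv'.
$FailureIds  = 14104, 21199                      # event codes quoted in the thread
$FirewallSvc = 'fwsrv'                           # assumption: Microsoft Firewall service
$LogFile     = 'C:\Scripts\vpn-boot-check.log'   # hypothetical path

# Time of the last boot, so only events from this boot are considered
$os   = Get-WmiObject Win32_OperatingSystem
$boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

function Get-BootEvents($Log, $Source, $Ids) {
    # Events from one source since the last boot that match the given IDs
    Get-EventLog -LogName $Log -Source $Source -After $boot -ErrorAction SilentlyContinue |
        Where-Object { $Ids -contains $_.EventID }
}

# @() keeps an empty or single result countable
$fwErrors = @(Get-BootEvents Application 'Microsoft Firewall' $FailureIds)
$dcErrors = @(Get-BootEvents System 'NETLOGON' 5719)
$rras     = Get-Service -Name RemoteAccess

$stamp = Get-Date -Format s
if ($fwErrors.Count -eq 0 -and $rras.Status -eq 'Running') {
    Add-Content $LogFile "$stamp OK: RRAS running, no 14104/21199 since boot ($boot)"
    return
}

# Record what was seen, including whether a domain controller was unreachable
# at boot (5719), so the failure can be correlated later
Add-Content $LogFile ("$stamp FAIL: RRAS={0}, firewall errors={1}, NETLOGON 5719={2}" -f `
    $rras.Status, $fwErrors.Count, $dcErrors.Count)

# Same action as the manual workaround: restart the firewall service
Restart-Service -Name $FirewallSvc -Force
Start-Sleep -Seconds 60
$rras.Refresh()
Add-Content $LogFile ("{0} after restart: RRAS={1}" -f (Get-Date -Format s), $rras.Status)
```

The log it writes shows on which boots the failure occurred and whether 5719 was present each time, which is the correlation the thread was trying to establish from the 11/8 and 11/15 restarts.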
  Jonathon replied to jyba
27-Nov-09 05:18 AM
Hi Brandon,

Did you get my Files ok?

Thanks,
Jonathon
  jyba replied to Jonathon
30-Nov-09 08:46 PM
Hi Jonathon,

Thanks for posting back!

Yes, I got those files and carefully analyzed them. It seems you have
not received my previous response. As I mentioned earlier in my previous
reply, we can narrow down the cause to "The Remote Access Service
configuration for VPN could not be completed." However, the issue is
extraordinarily complicated and the cause has not been identified. Please
contact Professional Incident Support
http://support.microsoft.com/?LN=en-us&scid=gp;en-us;offerprophone for
further assistance.

Please feel free to let me know if you have any concerns about my reply!

Regards,
Brandon
  Pedro Chaves replied to Jonathon
08-Dec-09 08:57 AM
I have the same problem reported by Jonathon, with ISA 2006 and Windows 2003.
All SPs are installed.
After restarting the Microsoft Firewall service, VPN is OK.
Sometimes after a reboot all is OK, but normally VPN doesn't work until I
restart the service.
Maybe the execution order of the services...!?
help