AlwaysON VPN EventID 4652 - Negotiation Timed Out

sysadminjames 126 Reputation points
2020-09-30T15:41:04.757+00:00

I am having a number of users receive Error 809 intermittently when using the AOVPN User & Device tunnel. The problem is intermittent and seems to resolve itself after some time.

I cannot see an issue in my network trace other than that it just does not connect after the response.
I see this message in the Event Viewer; how can I troubleshoot the "Negotiation timed out" issue?

2016 RAS Server
Going through a KEMP load balancer

Local Endpoint:
Principal Name: aovpn.domainname.org
Network Address: <ip of ras server>
Keying Module Port: 4500

Local Certificate:
SHA Thumbprint: <thumbprint>
Issuing CA: SUB-CA
Root CA: CN=<Name of ROOT CA>

Remote Endpoint:
Principal Name: -
Network Address: <public ip>
Keying Module Port: 4500

Remote Certificate:
SHA thumbprint: -
Issuing CA: -
Root CA: -

Additional Information:
Keying Module Name: IKEv2
Authentication Method: Certificate
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 85822

Failure Information:
Failure Point: Local computer
Failure Reason: Negotiation timed out

State: EAP payload sent
Initiator Cookie: 4fa1669d52dcb7bd
Responder Cookie: 122da5507bae859b


2 answers

  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-10-01T03:05:48.343+00:00

    Hi,

    Based on my understanding, IKEv2 connections to Windows RRAS servers sporadically fail. The RRAS servers are behind a load balancer and the load balancer NATs the IPsec connections. Is that right? Please feel free to let me know if my understanding is wrong.

    Please check the following article to see if it helps:

    Always On VPN IKEv2 Load Balancing and NAT

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    In your case, we might need to analyze IKE debug logging to see if there is any error like "Max number of established MM SAs to peer exceeded" or ERROR_IPSEC_IKE_MM_LIMIT. However, please understand that analysis of traffic is beyond our forum support level. If you want to find the root cause, I would suggest you open a case with Microsoft.

    If you can find any error message related to MM SAs, then you can modify the IkeNumEstablishedForInitialQuery value in the registry and see if the problem is solved.

    Best Regards,

    Candy



  2. sysadminjames 126 Reputation points
    2020-10-01T10:28:02.57+00:00

    I do not have the MM SAs error; I am also using Transparency on the Load Balancer, so clients present their public IP.

    I am going to try and test today to see if it affects SSTP as well.
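To follow up on the answer above (check for intermittent "Negotiation timed out" events per peer, and look for the MM SA limit error), here is an added example that is not part of this thread or of any Microsoft tool: it parses the Event Viewer layout shown in the question into fields and summarizes a batch of such events. The event bodies are constructed samples; the peer addresses are documentation-range placeholders, and only one event reuses the reason, state and cookie from the question.

```python
from collections import Counter

def parse_ike_event(text):
    """Turn the 'Key: Value' lines of an IPsec audit event body (the layout
    shown in the question) into a dict keyed 'Section/Key'."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not line or not sep:
            continue                      # blank line or free text
        if not value.strip():             # 'Remote Endpoint:' style header
            section = key.strip()
            continue
        name = f"{section}/{key.strip()}" if section else key.strip()
        fields[name] = value.strip()      # split on first ':' only, so IPv6 survives
    return fields

# Strings the answer above says to look for in IKE debug output.
MM_LIMIT_MARKERS = ("ERROR_IPSEC_IKE_MM_LIMIT",
                    "Max number of established MM SAs to peer exceeded")

def summarize(events):
    """Count failures per (peer, reason, state) and list peers whose event
    text carries the MM SA limit error. A responder that times out in the
    'EAP payload sent' state was waiting for the client's next IKE_AUTH
    message, which never reached this server."""
    per_peer, mm_limit_peers = Counter(), []
    for text in events:
        f = parse_ike_event(text)
        peer = f.get("Remote Endpoint/Network Address", "?")
        key = (peer, f.get("Failure Information/Failure Reason", "?"),
               f.get("Failure Information/State", "?"))
        per_peer[key] += 1
        if any(m in text for m in MM_LIMIT_MARKERS):
            mm_limit_peers.append(peer)
    return per_peer, mm_limit_peers

def sample_event(remote, reason, state, cookie):
    """Constructed event body in the question's layout (hypothetical data)."""
    return (f"Remote Endpoint:\nPrincipal Name: -\nNetwork Address: {remote}\n"
            "Keying Module Port: 4500\n\nAdditional Information:\n"
            "Keying Module Name: IKEv2\nRole: Responder\n\nFailure Information:\n"
            f"Failure Point: Local computer\nFailure Reason: {reason}\n\n"
            f"State: {state}\nInitiator Cookie: {cookie}\n")

SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    sample_event("203.0.113.10", "Negotiation timed out", "EAP payload sent", "4fa1669d52dcb7bd"),
    sample_event("203.0.113.10", "Negotiation timed out", "EAP payload sent", "0000000000000001"),
    sample_event("198.51.100.7", "Max number of established MM SAs to peer exceeded", "-", "0000000000000002"),
]
```

Running `summarize(SAMPLE_EVENTS)` groups the two timeouts from the same peer together and lists the peer that hit the MM SA limit, which is the split the answer above asks for before touching IkeNumEstablishedForInitialQuery.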