JonathanSpringham asked ChrisBower-5756 published

Always on VPN - Bulk Disconnects

We have an Always on VPN RRAS server (Server 2019 Std), which has been in place for 2yrs now without any issues, but over the last couple of weeks, we have started to experience mass client disconnects.

At any one time there will be 500-800 people connected, and suddenly 50-150 people will disconnect all at exactly the same time, then reconnect automatically a few seconds later.

Normally this would not be much of an issue, but the software the clients are using is very sensitive to network drops and it makes the issue more obvious.

When this happens, Event ID 20275 is logged on the VPN server - The user with IP address x.x.x.x has disconnected, but no other errors or events are logged that correspond with this time of disconnects.

All other users (there is a mix of device and user connections) remain unaffected, and so far no discernible pattern has been found for the users that do disconnect.

All users are running Windows 10 1909 or later, and are joined to the same Active Directory Domain and receiving the same Group Policies.
Windows Firewall is enabled on all client devices.

We have other Always on VPN RRAS servers for other clients built to exactly the same specification, and none of these experience this problem.

The server and the FW are both located in our private Datacentre.

We have also run SysLog but have not found any corresponding events that tie in with this.

Curious if anyone has any thoughts around what else this could be, or if anyone else has experienced this before.

Cheers.
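
One way to make the bursts described in the question visible is to cluster the Event ID 20275 records by time and list the client addresses in each cluster. This is an added example, not part of the original thread; the function name `Get-DisconnectBurst`, the sample events, and the assumption that 20275 is written to the System log are all illustrative.

```powershell
# Added example: cluster Event ID 20275 records into bursts of simultaneous disconnects.
function Get-DisconnectBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # need TimeCreated and Message properties
        [int] $WindowSeconds = 5,   # a gap longer than this starts a new burst
        [int] $MinCount = 3         # ignore ordinary one-off disconnects
    )
    $bursts  = @()
    $current = @()
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($current.Count -gt 0 -and
            ($e.TimeCreated - $current[-1].TimeCreated).TotalSeconds -gt $WindowSeconds) {
            if ($current.Count -ge $MinCount) { $bursts += , $current }
            $current = @()
        }
        $current += $e
    }
    if ($current.Count -ge $MinCount) { $bursts += , $current }

    foreach ($b in $bursts) {
        # Pull the client address out of "The user with IP address x.x.x.x has disconnected"
        $ips = foreach ($e in $b) {
            if ($e.Message -match 'ip address\s+(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] }
        }
        [pscustomobject]@{
            Start     = $b[0].TimeCreated
            End       = $b[-1].TimeCreated
            Count     = $b.Count
            ClientIPs = ($ips | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample events (not real log data): two bursts and one isolated disconnect.
$t0 = Get-Date '2021-03-01T10:15:00'
$sample = foreach ($row in @(@(0, 11), @(1, 12), @(1, 13), @(2, 14), @(3600, 20), @(7200, 31), @(7200, 32), @(7201, 33))) {
    [pscustomobject]@{
        TimeCreated = $t0.AddSeconds($row[0])
        Message     = "The user with IP address 10.0.0.$($row[1]) has disconnected"
    }
}
Get-DisconnectBurst -Events $sample | Format-Table -AutoSize

# On the RRAS server (assumes 20275 is in the System log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20275; StartTime = (Get-Date).AddDays(-7) }
# Get-DisconnectBurst -Events $live -MinCount 20
```

The burst start and end times give exact windows to line up against firewall, syslog and client RasClient entries.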


Hello @JonathanSpringham-4933,

Are there any entries in the Application event log on the affected clients from the RasClient source at the corresponding time?

Gary

0 Votes 0 ·

Hi @GaryNebbett

Nothing conclusive that I can find; standard logs showing that it disconnected, and after checking a few different ones, there are Informational Event IDs ranging from 20221-20226, and some report error codes 808, 809, 828 and 829.

The VPN server IKEv2 timeout setting is the default 5mins and there is no limit on the client side or the NPS side.

0 Votes 0 ·

Hi,


Just want to confirm the current situation.


Please feel free to let us know if you need further assistance.


Best Regards,
Sunny

0 Votes 0 ·

Hi. We are facing a similar issue - did you find a resolution in the end?

0 Votes 0 ·
SunnyQi-MSFT answered ArturasRadzysASRS-5693 commented

Hi,

Thanks for posting in Q&A platform.

I understand that we are encountering an issue where Windows 10 Always On VPN clients disconnect intermittently and then reconnect automatically.

May I know if Windows Firewall or any other brand of firewall is enabled in our environment? If yes, I would suggest temporarily disabling the firewall to test whether the issue still exists.

Also, is IKEv2 fragmentation enabled on both the VPN server and the client? IKEv2 fragmentation was introduced in Windows 10 1803 and is enabled by default. No client-side configuration is required. IKEv2 fragmentation was introduced in Windows Server 1803 and is also supported in Windows Server 2019. It is enabled via a registry key. The following PowerShell command can be used to enable IKEv2 fragmentation on supported servers.

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force

Meanwhile, here are 2 articles regarding troubleshooting Always On VPN for your reference:

Troubleshoot Always On VPN

Troubleshooting Always On VPN Error Code 809
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hi @SunnyQi-MSFT

I can confirm that all clients are running Windows 10 1909 or later, and that the VPN server is running Windows Server 2019 Std with the latest updates installed.

We have also enabled IKEv2 fragmentation.

Apart from their own personal home routers and our Datacentre FW, Windows FW is the only other FW in play and all users are domain joined so have the exact same FW settings.

We will try and disable the OS FW for a select number of users to see if it has any effect.

Thank you for the articles above; I have previously been through those and unfortunately, none of them seem to apply in this particular instance.

Cheers.

0 Votes 0 ·

Hi Jonathan,

May I know if there are any updates for this thread?

Best Regards,
Sunny

0 Votes 0 ·

Hi @SunnyQi-MSFT

No change yet, I'm afraid. We are in the middle of deploying a couple of KEMP GEO LMs to sit in front of the VPN server but so far, we've not found anything that has assisted in diagnosing the issues.

I will update again once we have KEMP deployed and if it has any positive impact.

We had another 140 people drop briefly on Friday as well, but no obvious cause that we can find.

0 Votes 0 ·
SunnyQi-MSFT answered

Hi,

Thanks for your update and sorry for the late response.

Based on my experience, I would suggest you collect network traffic or some necessary traces for further troubleshooting.

You could download the Network Monitor tool from the following link:
https://www.microsoft.com/en-sg/download/details.aspx?id=4865

However, analysis of network traffic is beyond our forum support level. I would suggest you open a case with Microsoft where more in-depth investigation can be done so that you would get a more satisfying explanation to this question.

You may find the phone number for your region from the link below:

Global Customer Service phone numbers

Best Regards,
Sunny

