question

GregThomas-0401 asked GitaraniSharmaMSFT-4262 commented

Azure Radius Point to Site VPN

Hi,

I've been following a number of walkthroughs on setting up a Point to Site VPN with Radius in Azure.

We seem to have things set up properly, but our users cannot connect via VPN. Unfortunately, when we check the client logs, we see no errors...

[cmdial32] 9:54:54 03 Pre-Init Event CallingProcess = C:\WINDOWS\system32\rasautou.exe
[cmdial32] 9:55:21 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 9:55:21 06 Pre-Tunnel Event UserName = buser@gba.mc Domain = DUNSetting = bfc80066-4b44-4072-bb6b-ab979140f85e Tunnel DeviceName = TunnelAddress = azuregateway-3727CDBA-0436-458C-9216-73A5BC27D215.vpn.azure.com
[cmdial32] 9:57:19 21 On-Error Event ErrorCode = 619 ErrorSource = RAS

This is all we get (NOTE: not the real azuregateway address).

Is there somewhere on the Radius or on the Gateway we can troubleshoot errors?

Currently we have one Radius server up and running with one policy. The Radius server has the IP address of our VPN Gateway configured on it and we have a group of users who are allowed to VPN in.

We have tried with MFA and non-MFA enabled users.

Whereabouts can we go about troubleshooting things?

Thanks.

azure-vpn-gateway

1 Answer

GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @GregThomas-0401 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I see the below error in the log you provided:
[cmdial32] 9:57:19 21 On-Error Event ErrorCode = 619 ErrorSource = RAS

Error 619 occurs when the VPN gateway could not reach the RADIUS NPS server. And the cause for this error is the NPS firewall actively ignoring local firewall rules (which were configured to accept incoming rules for ports 1812, 1813, 1645 and 1646).
Check your firewall rules and make sure the allowed rules are enabled for all profiles. And make sure that the Windows Firewall rules for these ports show "Any" under the Program column. If it is not "Any", then you could try adding custom rules for the same ports (1812, 1813, 1645 and 1646) and allow them again in your firewall. You can also test by disabling the Windows Firewall.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
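
The firewall checks described in the answer above can be scripted. This is an added example, not part of the original answer or any Microsoft tooling. It assumes an elevated PowerShell session on the NPS server with the built-in NetSecurity cmdlets, and the variable names are illustrative.

```powershell
# Added example: audit inbound UDP allow rules for the RADIUS ports named in the answer.
# Run elevated on the NPS/RADIUS server. Port ranges (e.g. "1800-1900") are not expanded.
$radiusPorts = '1812', '1813', '1645', '1646'

$report = foreach ($pf in Get-NetFirewallPortFilter -Protocol UDP) {
    # LocalPort can be a single value, a list, or 'Any'
    $localPorts = @($pf.LocalPort)
    $covered = @($radiusPorts | Where-Object {
        $localPorts -contains $_ -or $localPorts -contains 'Any'
    })
    if ($covered.Count -eq 0) { continue }

    $rule = $pf | Get-NetFirewallRule
    if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow') { continue }

    # The "Program" column in the Windows Firewall console
    $program = ($rule | Get-NetFirewallApplicationFilter).Program

    # "All profiles" means either Any, or Domain + Private + Public together
    $profiles = "$($rule.Profile)"
    $missing  = @('Domain', 'Private', 'Public' | Where-Object { $profiles -notmatch $_ })
    $allProfiles = ($profiles -eq 'Any') -or ($missing.Count -eq 0)

    foreach ($port in $covered) {
        [pscustomobject]@{
            Port        = $port
            Rule        = $rule.DisplayName
            Enabled     = ($rule.Enabled -eq 'True')
            AllProfiles = $allProfiles
            Program     = $program
            Ok          = ($rule.Enabled -eq 'True') -and $allProfiles -and ($program -eq 'Any')
        }
    }
}

$report | Sort-Object Port, Rule | Format-Table -AutoSize

# Flag every RADIUS port that has no rule meeting all three conditions from the answer
foreach ($port in $radiusPorts) {
    if (-not ($report | Where-Object { $_.Port -eq $port -and $_.Ok })) {
        Write-Warning "UDP ${port}: no enabled inbound allow rule for all profiles with Program = Any"
    }
}
```

A warning for a port means no rule on that server satisfies all three conditions at once (enabled, all profiles, Program set to "Any").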


Hi - thanks for the response.

Do I make these changes on the local client that I am connecting with or the RAD server or in the Network Security Group I have monitoring things?

Thank you.


Hello @GregThomas-0401 , You need to make the changes in the Windows Firewall of the local Radius server.

GregThomas-0401 (in reply to GitaraniSharmaMSFT-4262):

Hi - These rules were already on our RAD server.

I extended the port rules (inbound) for these ports on my network security group.

Same issue, the VPN tries to connect for 60 seconds, then starts a new connection, no errors in the log.

[cmdial32] 9:36:50 21 On-Error Event ErrorCode = 619 ErrorSource = RAS

Even when I shut down the Windows Firewall on my RAD server (which already had the rules there), I get the same error.

Thanks
