How to debug SSTP specific connection failures

Hi All,

To all our beta testers who are trying out SSTP, first of all "many many thanks from my RRAS team". This post talks about how to debug failures specific to SSTP based VPN tunnel

(Note: I am not discussing all the error codes displayed on RAS client - as most error codes will be common across all VPN tunnels i.e. PPTP, L2TP, SSTP - like when remote access policy fails or authentication fails or server doesn’t support required port etc).

The common failure scenarios when the the VPN client is not able to connect to SSTP server and gets different error codes are:

Symptom1: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x800704C9
Trouble-shooting steps: This can happen if either remote access is disabled on the server OR no SSTP ports are free on the server OR server is not listening on the appropriate port number. Ensure remote access and SSTP services are running on the server by running following commands on command prompt: “sc query remoteaccess” and “sc query sstpsvc”. If they are disabled, start it using RRAS MMC snap-in or services snap-in. Ensure RRAS server has sufficient number of ports configured – open RRAS MMC Snap-in, go under Ports->Properties and see SSTP ports. Check whether it is listening on correct port number by running following command on command prompt: netstat –aon

Symptom2: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x80070040
Trouble-shooting steps: This can happen if the server authentication certificate is not installed on the RRAS server. Open MMC certificate snap-in for “Computer Store” on the server side, go under “Personal”->”Certificates” and see if the appropriate certificate of type “Server Authentication” is installed.

Symptom3: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x800B0101
Trouble-shooting steps: This can happen if the server authentication certificate is expired. Open MMC certificate snap-in for “Computer Store” on the server side, go under “Personal”->”Certificates” and see if the appropriate certificate is valid and not expired. If expired, renew the certificate

Symptom4: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x800B0109
Trouble-shooting steps: This can happen if the appropriate trusted root CA certificate server is not installed on the client side. This certificate normally gets installed if you join the machine to the domain and using the domain credentials to log-on to VPN server. But if you are using some other certificate chain OR this machine is not joined to correct domain (like a home machine), then it is possible.
Open MMC certificate snap-in for “Computer Store” on the client side, go inside “Trusted Root Certificate Authorities” and check whether relevant CA is installed. If not, install the same.

Symptom5: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x800B010F
Trouble-shooting steps: This can happen if the destination hostname in VPN connection (i.e. VPN server name) does not match the SSL server certificate subject name sent from server to client. Open MMC certificate snap-in for “Computer Store” on the server side, go under “Personal”->”Certificates” and see if the appropriate certificate with correct subject name (i.e. matching the VPN server name) is correct. If you are using the destination name as IPv4 or IPv6 address on the VPN client, then you need to install the appropriate certificate (i.e. subject name = IP address) on the server side. If you are using destination name as DNS based hostname, then you need to install the appropriate certificate (i.e. subject name = full name with which client connects).

Symptom6: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x80092013
Trouble-shooting steps: This will happen if client is failing the certificate revocation check of the SSL certificate obtained from server side.

This can happen because of two reasons:

a) Ensure the CRL check servers on the server side are exposed on the Internet (i.e. are available on the Internet). This is because CRL check is done on the client side during SSL connection establishment phase and the CRL check query will be directly going on the Internet (and not on top of VPN connection because it is not up yet).
b) CRL URL that is set inside the machine certificate on RRAS server is pointing to the internal DNS name (e.g. myvpn.contoso.local) and not the external name (special thanks to one of our esteemed customers, Bill Voltmer, in pointing this out). To validate this, open the certificate snap-in on your RRAS server, go to details tab and look at "CRL distribution point" field. To fix this:

1. Open Server Manager and navigate to Roles, Active Directory Certificate Services

2. Right click on CA name (e.g. mycompany-vpn1-CA) and choose Properties.

3. Click Extensions tab.

4. Select the pre-existing http: URL and click Remove.

5. Click Add…

6. Type https://

7. Type external URL of VPN server

8. Type CertEnroll/

9. Insert variable <CaName>

10. Insert variable <CRLNameSuffix>

11. Insert variable <DeltaCRLAllowed>

12. Type .crl

13. Check boxes Include in CRLs… and Include in the CDP…

The above should be done before SSTP VPN is configured on RRAS. Or if it is already configured, change the machine certificate by following this blog.

Symptom7: Client tries to connect to SSTP VPN server and it fails to connect giving error message 809
These are the trouble-shooting steps because reasons can be multi-fold

a) This can happen if any firewall between client and server is blocking the SSTP connection.

b) check the proxy settings on the client (i.e. open the Internet explorer and go under inside Tools->Internet Options->Connections) and see if it is correct – you can also check to see if you are able to access other Internet sites.

c) This can also happen if SSTP service or remote access service is stopped on the RRAS server side. Ensure remote access and SSTP services are running on the server by running following commands on command prompt: sc query remoteaccess and sc query sstpsvc. If they are stopped, start it using RRAS MMC snap-in or services snap-in.

d) Ensure SSTP service is listening on TCP port 443 (or the appropriate port number on which you have configured) by running “netstat –aon | findstr 443”.

e) See the server certificate plumbed to http.sys using “netsh http show sslcert”. See the IP address and port number of the certificate – RRAS reads only ::0 or 0.0.0.0.

f) Ensure the same server certificate is present in the machine store by opening MMC certificate snap-in for “Computer Store” and going under “Personal” certificate. Ensure that certificate is valid and not expired.
Ensure the same certificate hash is present under Sha256CertificateHash or Sha1CertificateHash regkeys.

g) Ensure RRAS inbound/outbound filters are not blocking SSTP connections. Open RRAS MMC Snap-in, go under IPv4->General or IPv6->General. Select the appropriate interface and see the properties->Inbound/Outbound filters. See if the appropriate port number (default TCP port 443) is enabled.

h) Ensure Windows firewall is not blocking SSTP connections. Open Firewall and see if SSTP is added to exception.

i) Ensure some other firewall infront of RRAS server is not dropping the connection (i.e. TCP port 443 connection are blocked towards RRAS server). Revisit your network topology.

j) Look for the events inside eventvwr and look for events from remote access and SSTP service.

If you cannot still figure out, feel free to contact us at our blog email alias given above

With Regards,

Samir Jain
Lead Program Manager (samirj@online.microsoft.com **)
RRAS, Windows Enterprise Networking

** Remove the "online" to actually email me

[This posting is provided "AS IS" with no warranties, and confers no rights.]