Recently we came across an error while configuring Always On VPN for a client that was tricky to resolve. There wasn’t much on the forums or blogs that talked about resolving the issue.
The Always On VPN infrastructure was deployed successfully on Windows Server 2016 virtual machines in DMZ/Production networks. The issue was even more difficult to resolve because all the log entries associated with the connection appeared as successful. The authentication was successful against the local AD domain controllers, the Network Policy Server was successfully matching the connection to the configured policy, and the Wireshark logs all appeared normal.
When the client tries to connect, it fails after a few seconds with the error shown in the image below: “The specified protocol identifier is not known to the router”. After checking the event logs on the NPS server, you will see the connection successfully authenticating and the policy being matched, quickly followed by the 902 error with no further explanation. The error is a hint to the problem.
The issue is related to the presence of IPv6, or lack thereof. In our case, IPv6 was enabled on the VPN server’s NICs (the IPv6 check box had a tick in it), so IPv6 appeared to be enabled. Despite that, the server was missing registry settings which the RRAS server needs in order to process the connection.
To correct the issue, perform the following on the VPN server:
- Verify that IPv6 is selected on both of the network adapters
- Add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents (DWORD) with decimal value of 32
- Restart the server
- Add a registry key named IPV6 under the following location – HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\
- Restart the RRAS service
- Once you restart the service you should see the IPV6 key you just created populated with a number of registry settings.
- Test your client connection again for a successful connection
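The steps above as a two-phase PowerShell script, added here as an example and not taken from the original post. The `-Phase` parameter and the output wording are this example's own, the Tcpip6 value name is written as `DisabledComponents` (the name Windows uses), and `RemoteAccess` is the RRAS service name.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original author's script. Run on the RRAS (VPN) server.
# Phase names are hypothetical; registry paths and the value 32 come from the steps above.
param(
    [Parameter(Mandatory)]
    [ValidateSet('PreReboot', 'PostReboot')]
    [string]$Phase
)

$tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$ipv6Manager  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IPV6'

if ($Phase -eq 'PreReboot') {
    # Step 1: IPv6 must be bound on every adapter (the ticked check box in the NIC properties).
    $unbound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled }
    if ($unbound) {
        $unbound | ForEach-Object { Write-Warning "IPv6 is not bound on adapter '$($_.Name)'" }
        throw 'Enable IPv6 on the adapters listed above, then re-run.'
    }

    # Step 2: set DisabledComponents to 32 (decimal), reporting any previous value first.
    $old = (Get-ItemProperty -Path $tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    Write-Output "DisabledComponents before change: $(if ($null -eq $old) { '<not set>' } else { $old })"
    New-ItemProperty -Path $tcpip6Params -Name DisabledComponents -PropertyType DWord -Value 32 -Force | Out-Null

    # Step 3: the reboot is left to the operator so it can be scheduled.
    Write-Output 'Restart the server, then run this script again with -Phase PostReboot.'
    return
}

# Step 4: create the empty IPV6 router manager key if it is missing.
if (-not (Test-Path $ipv6Manager)) {
    New-Item -Path $ipv6Manager | Out-Null
}

# Step 5: restart RRAS so the service populates the key, then give it a moment.
Restart-Service -Name RemoteAccess
Start-Sleep -Seconds 5

# Step 6: the key should now hold values written by the service.
$key = Get-Item -Path $ipv6Manager
if ($key.ValueCount -eq 0) {
    throw "RRAS did not populate $ipv6Manager; check the server's event logs before testing clients."
}
Write-Output "IPV6 key populated with $($key.ValueCount) value(s): $($key.GetValueNames() -join ', ')"
Write-Output 'Now test the client connection.'
```

Export the two registry locations before the first run so the change can be reverted if the server behaves differently afterwards.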
We would be more than happy to assist you with your Always On VPN, so if you would like assistance planning, designing, deploying, or troubleshooting your Always On VPN infrastructure please contact us on 1300 22 13 10 (Australia) or email firstname.lastname@example.org