AOVPN 809 error
Application: Microsoft Always On Virtual Private Network
When load balancing AOVPN, you periodically get 809 errors on the VPN client, especially after a failover or when busy.
Steps to Reproduce:
Error 809 on connecting client
“Can’t connect to [connection name]. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.”
The Application event log records an error message with Event ID 20227 from the RasClient source.
Possible causes include:
1. DNS name resolution
2. Firewall not forwarding ports
3. Port following not enabled
4. IKE fragmentation
5. Persistence Timeout value is not suitable
Resolution for each cause:
1. Ensure that the FQDN resolves to the correct IP address. Check your DNS provider.
2. Check the firewall for NAT forwarding rules and ensure that TCP port 443 is forwarded for SSTP and that UDP ports 500 and 4500 are forwarded for IKEv2.
3. Ensure that the advanced properties of the IKEv2 services (UDP ports 500 and 4500) are set to "Port following enabled", with the 4500 service following the 500 service and the 500 service following the 4500 service.
4. The following PowerShell command can be used to enable IKEv2 fragmentation on supported servers.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force
5. The Persistence Timeout value on both the UDP port 500 and port 4500 Virtual Services created from the template is set to 4 days by default. In most cases, this value will be sufficient. If not, a higher or lower persistence timeout value may need to be set. As each configuration is different, fine-tuning and testing different persistence timeout values is to be expected.
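The checks for causes 1, 2 and 4 above can be scripted. The following is an added example, not part of the original article or any vendor tooling. It assumes a placeholder name `vpn.example.com` for the VPN FQDN and assumes the Event ID 20227 message text includes the numeric error code.

```powershell
# Added example: triage checks for error 809. Not from the original article.
param(
    [string]$VpnFqdn = 'vpn.example.com',   # placeholder, replace with your public VPN name
    [int]$Hours = 24                        # how far back to search the event log
)

# Client side: recent RasClient failures (Event ID 20227) that mention error 809.
# Assumption: the event message contains the numeric error code.
$filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227
             StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\b809\b' })
"{0} RasClient 20227 event(s) mentioning 809 in the last {1} h" -f $events.Count, $Hours
$events | Select-Object -First 5 TimeCreated, Message | Format-List

# Cause 1: the FQDN must resolve to the address published for the VPN service.
try {
    Resolve-DnsName -Name $VpnFqdn -Type A -ErrorAction Stop |
        Where-Object { $_.IPAddress } | Select-Object Name, IPAddress
} catch {
    Write-Warning "DNS resolution failed for ${VpnFqdn}: $($_.Exception.Message)"
}

# Cause 2: SSTP path. Test-NetConnection only tests TCP, so UDP 500/4500 (IKEv2)
# still have to be verified in the firewall rules or with a packet capture.
$sstp = Test-NetConnection -ComputerName $VpnFqdn -Port 443 -WarningAction SilentlyContinue
"TCP 443 reachable: {0} (remote address {1})" -f $sstp.TcpTestSucceeded, $sstp.RemoteAddress

# Cause 4: run this part on the VPN server. It reads the value that step 4 sets.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2'
$frag = Get-ItemProperty -Path $key -Name EnableServerFragmentation -ErrorAction SilentlyContinue
if ($frag -and $frag.EnableServerFragmentation -eq 1) {
    'IKEv2 server fragmentation: enabled'
} else {
    'IKEv2 server fragmentation: not enabled (or this is not the VPN server)'
}
```

Port following (cause 3) and the persistence timeout (cause 5) are settings on the Virtual Services and have to be checked there.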
Always On VPN Document:
Virtual Service Template: