AOVPN 809 error

 

Information

 

Summary:

When balancing AOVPN, you periodically get 809 errors on the VPN client.

Environment:

Product: LoadMaster

Version: all

Platform: all

Application: Microsoft Always On Virtual Private Network

Question/Problem Description:

When balancing AOVPN, you periodically get 809 errors on the VPN client, especially after a failover or when busy.

Steps to Reproduce:  
Error Message:

Error 809 on connecting client

“Can’t connect to [connection name]. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.”

The Application event log records an error message with Event ID 20227 from the RasClient source.

Defect Number:  
Enhancement Number:  
Cause:

Possible causes include:

1. DNS name resolution 

2. Firewall not forwarding ports

3. Port following not enabled 

4. IKE fragmentation

5. Persistence Timeout value is not suitable

Resolution:

1. Ensure that the FQDN resolves to the correct IP. Check your DNS provider.

2. Check the firewall for NAT forwarding rules and ensure that TCP port 443 (for SSTP) and UDP ports 500 and 4500 (for IKEv2) are forwarded.

3. Ensure that the advanced properties of the IKEv2 services (UDP ports 500 and 4500) are set to "Port following enabled", with the 4500 service following the 500 service and the 500 service following the 4500 service.

4. The following PowerShell command can be used to enable IKEv2 fragmentation on supported servers.

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force

5. The Persistence Timeout value on both the UDP port 500 and port 4500 Virtual Services created from the template is set to 4 days by default. In most cases, this value will be sufficient. If not, a higher or lower persistence timeout value may need to be set. As each configuration is different, fine-tuning and testing different persistence timeout values is to be expected.
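
The checks from steps 1, 2 and 4, plus a per-hour count of the Event ID 20227 entries, collected into one PowerShell script. This is an added example, not Kemp's own tooling; vpn.example.com, the parameter names and the 24-hour window are assumptions. Port following and persistence timeout are LoadMaster settings and are not checked here.

```powershell
# Added example (not Kemp's script). Save as a .ps1 file and run on a client,
# or with -OnVpnServer on the VPN server. Names and defaults are assumptions.
param(
    [string]$VpnFqdn    = 'vpn.example.com',  # placeholder FQDN
    [string]$ExpectedIp = '',                 # optional: the IP you expect
    [int]$LookbackHours = 24,                 # assumed event log window
    [switch]$OnVpnServer
)

if ($OnVpnServer) {
    # Resolution step 4: the value set by the New-ItemProperty command above.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2'
    $prop = Get-ItemProperty -Path $key -Name EnableServerFragmentation -ErrorAction SilentlyContinue
    if ($prop -and $prop.EnableServerFragmentation -eq 1) {
        'IKEv2 fragmentation: enabled'
    } else {
        'IKEv2 fragmentation: not enabled (value missing or not 1)'
    }
    return
}

# Resolution step 1: the FQDN must resolve to the expected IP.
$addrs = @(Resolve-DnsName -Name $VpnFqdn -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress)
if ($addrs.Count -eq 0) {
    "DNS: $VpnFqdn did not resolve to an A record"
} elseif ($ExpectedIp -and ($addrs -notcontains $ExpectedIp)) {
    "DNS: $VpnFqdn resolves to $($addrs -join ', '), expected $ExpectedIp"
} else {
    "DNS: $VpnFqdn resolves to $($addrs -join ', ')"
}

# Resolution step 2, SSTP only. Test-NetConnection probes TCP, so UDP 500 and
# 4500 forwarding for IKEv2 still has to be confirmed on the firewall itself.
$tcp = Test-NetConnection -ComputerName $VpnFqdn -Port 443 -WarningAction SilentlyContinue
"SSTP: TCP 443 reachable = $($tcp.TcpTestSucceeded)"

# RasClient event 20227 entries mentioning 809, counted per hour so they can be
# lined up with failovers or busy periods on the load balancer.
$filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227
             StartTime = (Get-Date).AddHours(-$LookbackHours) }
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\b809\b' })
"Event 20227 entries with error 809 in the last $LookbackHours h: $($hits.Count)"
$hits | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize
```

Clusters of 809 events in the hours following a failover point toward causes 3 and 5 rather than DNS or firewall forwarding, since those two would fail consistently.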

Workaround:  
Notes:

Error 809:

https://directaccess.richardhicks.com/2019/02/14/troubleshooting-always-on-vpn-error-code-809/

Always On VPN Document:

https://support.kemptechnologies.com/hc/en-us/articles/10106757377293-Microsoft-Always-On-VPN

Virtual Service Template:

https://support.kemptechnologies.com/hc/en-us/articles/360048431492-Always-On-VPN

