Client told me he couldn't access the remotewebaccess.com VPN to the office. It would connect and then drop, or any connection would only last a few seconds before disconnecting. The event log errors include Error 829.
At first I thought it could be the server needed a reboot. Nope, wasn’t it.
Looked at the RWA certificates on the server and noticed that the one in use expired today. Hmmm. So I checked IIS and looked at the Bindings for the Default Web Site, but the server had already bound the new RWA certificate to it. Still, clients couldn't connect.
CoId={3AE1BD1D-CF91-4B7B-A93F-7A59705A1EF5}: The user WIN10TEST\username dialed a connection named customerDomain.remotewebaccess.com which has terminated. The reason code returned on termination is 829. All this tells you is that the session was disconnected. Great, no help there.
Searched the web and found this bit of information:
The RWA certificate set in IIS is also used by Routing and Remote Access (the SSTP VPN listener that shares port 443 with IIS), not for user authentication but for the TLS connection the VPN tunnel runs over. So even though the IIS binding was updated to the new certificate, RRAS does not pick up that change automatically :(. It keeps serving the expired certificate, and clients drop the connection.
Solution: Open the Routing and Remote Access snap-in, right-click your router in the tree view on the left (MACHINE-NAME (local)) and choose Properties, then open the Security tab. You will be warned that no TLS certificate is selected (in my case the previous one had expired). Select the certificate with next year's expiration date; you can pick a certificate and view it before saving. Saving forces an RRAS service restart. Thereafter clients can connect and remain connected :).
For those running Windows Server 2016 Essentials, the Routing and Remote Access console doesn't let you change anything. To make sure Remote Access is bound to the same certificate as the IIS binding (what the Remote Access management console shows), you will need to do it via PowerShell.
PS C:\>$cert = Get-ChildItem -Path cert:\localmachine\my
PS C:\>$cert
PSParentPath: Microsoft.PowerShell.Security\Certificate::localmachine\my
Thumbprint                                Subject
----------                                -------
2E8C3E033E6FE206D361BD3E320069281C84DBFF CN=ClientName.remotewebaccess.com
C27BA22FB767A07BA8509ECF88E847047AB83E5F CN=DirectAccess-RADIUS-Encrypt-domain.local
In this case the 2E8C… thumbprint is the certificate bound to the IIS Default Web Site under :443.
Next commands (select that certificate by thumbprint and hand it to Remote Access):
$cert2 = Get-ChildItem -Path cert:\localmachine\my | Where-Object Thumbprint -eq '2E8C3E033E6FE206D361BD3E320069281C84DBFF'
Set-RemoteAccess -SslCertificate $cert2 -Verbose
This sets Remote Access to the same certificate thumbprint as the IIS Default Web Site :443 binding, and your VPN clients can connect successfully again. The second part is to confirm that the Remote Access management console now shows the same certificate as the IIS Default Web Site; if it still lists the old one, the Set-RemoteAccess step did not take.
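The manual steps above (reading the IIS binding, finding the matching certificate, calling Set-RemoteAccess, then checking the console) can be done in one script that also verifies the result. The following is an added example, not code from the original post: it looks up the certificate IIS actually serves on :443, refuses to proceed if that certificate is expired, re-points Remote Access only when the thumbprints differ, and then checks that Remote Access and the RemoteAccess service agree. The site name 'Default Web Site', the SslCertificate property on the Get-RemoteAccess output, and the $siteName variable are assumptions; run it in an elevated PowerShell session on the Essentials server.

```powershell
# Added example (not from the original post). Aligns the Remote Access (RRAS)
# TLS certificate with the one IIS serves on the Default Web Site :443 binding.
# Assumptions: WebAdministration and RemoteAccess modules are present, the RWA
# site is 'Default Web Site', and Get-RemoteAccess exposes an SslCertificate
# property (X509Certificate2) for the current Remote Access certificate.
#Requires -RunAsAdministrator
Import-Module WebAdministration
Import-Module RemoteAccess

$siteName = 'Default Web Site'   # assumption: the RWA site is the default site

# 1. Which certificate does IIS actually serve on 443?
$binding = Get-WebBinding -Name $siteName -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } |
    Select-Object -First 1
if (-not $binding) { throw "No https :443 binding found on '$siteName'." }

$iisThumb = $binding.certificateHash
$iisCert  = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $iisThumb
if (-not $iisCert) {
    throw "IIS binding points at thumbprint $iisThumb, which is not in LocalMachine\My."
}

# Refuse to bind an expired or not-yet-valid certificate to Remote Access:
# that is exactly the failure mode described above (clients drop after seconds).
$now = Get-Date
if ($iisCert.NotAfter -lt $now -or $iisCert.NotBefore -gt $now) {
    $msg = "IIS is bound to an expired/invalid certificate: {0}, valid {1:u} to {2:u}. Renew and rebind in IIS first." -f `
        $iisCert.Subject, $iisCert.NotBefore, $iisCert.NotAfter
    throw $msg
}

# 2. What does Remote Access currently use?
$ra = Get-RemoteAccess
$raThumb = if ($ra.SslCertificate) { $ra.SslCertificate.Thumbprint } else { '<none>' }
"IIS :443 certificate : {0} ({1}, expires {2:d})" -f $iisThumb, $iisCert.Subject, $iisCert.NotAfter
"Remote Access cert   : {0}" -f $raThumb

# 3. Re-point Remote Access only if it differs. Set-RemoteAccess may restart
#    the RemoteAccess service, so do not run this during a window you care about.
if ($raThumb -ne $iisThumb) {
    Set-RemoteAccess -SslCertificate $iisCert -Verbose
} else {
    'Remote Access already uses the IIS certificate; nothing to do.'
}

# 4. Verify: thumbprints must now match and the RemoteAccess service must be running.
$after = (Get-RemoteAccess).SslCertificate.Thumbprint
if ($after -ne $iisThumb) {
    throw "Remote Access still reports $after, expected $iisThumb."
}
$svc = Get-Service -Name RemoteAccess
if ($svc.Status -ne 'Running') {
    throw "RemoteAccess service is $($svc.Status); start it and retest the VPN."
}
"OK: Remote Access and IIS both use {0}; RemoteAccess service is running." -f $iisThumb
```

The expiry check is the part worth keeping even if you do the rest by hand: IIS will happily stay bound to an expired certificate, and Set-RemoteAccess will happily accept one, so the script stops before copying a bad certificate from one place to the other. After it reports OK, have the client reconnect and confirm the session stays up for longer than the few seconds seen before.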
Here are the commands to run in PowerShell to set up a static IP address pool for the Anywhere Access VPN connection: