Help! Mobile VPN IKEv2 Cannot connect

12.7.2 update 1 T20

Hello, we've been able to connect via VPN IKEv2 using Windows 10 with no problem, but today when we start the VPN it shows "General Processing Error".

Event viewer shows 20227. The user dialed a connection named "VPN" which has failed. The error code returned on failure is 13804.

Can anyone help?

Thanks!


Comments

  • Exact same thing started happening to me today, right after I installed a series of Windows 10 Pro patches as part of Patch Tuesday. These include a series of Office/Word/Excel patches (KB5002115, KB5002114, KB5002060, KB5002116, KB5002052, and KB5002057), a .NET 3.5/4.8 2022-01 cumulative update (KB5008876), and the 2022-01 cumulative update for Windows 10 Version 21H2 x64 (KB5009543). Was fine yesterday pre-patch and that's the only change I can see that would have caused the issue. Getting the same values in Event Viewer as the original poster.

  • Hi BPL,

    You're right, it was right after the Windows 10 updates =( I'm not sure how we can solve this now.

  • I pulled out a second laptop that had been updated to December's patch Tuesday and it connected fine. Then I patched it and it installed the same series of patches. It wanted me to reboot but I tried the VPN client one more time before rebooting and it worked fine. Specifically it wanted me to reboot to complete the 2022-01 cumulative update for Windows 10 Version 21H2 x64 (KB5009543). After rebooting, the VPN client immediately starts getting the same error, so I can confirm that it is directly related to something in that January patch.

  • I can confirm that it is KB5009543 too. For this case, we could uninstall KB5009543 to make the VPN work again, but that means it's not secured. How would one proceed?

  • I just uninstalled KB5009543 and rebooted and the client works again. Maybe the WatchGuard engineers should talk to Microsoft about this because avoiding that patch is a sloppy workaround and I'm sure lots of my staff are going to have their laptops patching this week in the background and destroying their VPN connections. Lots of upset people trying to work from home.

  • 100% agree

  • It is confirmed that both IKEv2 and L2TP VPN will not work when applying the January patch.

  • SSL VPN client does not seem to be affected, only IKEv2 and L2TP.

  • james.carson (Moderator, WatchGuard Representative)

    A KB has been posted here:
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000SO0eSAG&lang=en_US

    We're exploring if any changes need to be made and will update that KB article accordingly.

    -James Carson
    WatchGuard Customer Support

  • Gotta love Microsoft forcing updates down our throat without a care. Their updates broke network printing months ago and there's no fix as of today. Now they're breaking VPN. Thanks for making my job secure.

  • @morpheus27 said:
    Gotta love Microsoft forcing updates down our throat without a care. Their updates broke network printing months ago and there's no fix as of today. Now they're breaking VPN. Thanks for making my job secure.

    I know it's not good, but to be fair, I think Windows OS has become a very complex OS with tons of dependencies.

  • Microsoft confirmed on Thursday that "Certain IPSEC connections might fail" and that they will fix the issue in an upcoming release of Windows.

    "After installing KB5009543, IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected."

    Microsoft states that it may be possible to mitigate the bug by disabling the 'Vendor ID,' if possible, on the VPN server.

    "To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used," Microsoft explains in a new known update issue.

  • edited January 14

    I need this to be solved ASAP as well. Please let us know how we disable Vendor ID in the VPN configuration (L2TP in my case).
    This is urgent, as all customers using L2TP VPN -- and there are lots of them worldwide -- need a better solution than uninstalling an important Microsoft security update as a workaround.

    Microsoft:
    Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

    https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-21h2#2773msgdesc

  • @james.carson said:
    A KB has been posted here:
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000SO0eSAG&lang=en_US

    We're exploring if any changes need to be made and will update that KB article accordingly.

    Your workaround is not working for my client with multiple Surface Pro X devices that all have ARM processors. We cannot install the WG VPN Client on these ARM Proc devices, or has this changed recently?

  • edited January 14

    @[email protected] said:

    I know it's not good, but to be fair, I think Windows OS has become a very complex OS with tons of dependencies.

    True but at least give us an easier & better updates control like the previous versions instead of shoving them down and breaking stuff here and there.

  • james.carson (Moderator, WatchGuard Representative)

    @Alex_S
    It's not possible to disable vendor_id on the firebox.
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000SO0eSAG&lang=en_US

    The firebox isn't running Microsoft's remote access services, so the setting changes they suggest may not match or even be possible.

    There are OpenVPN based clients for ARM64 based processors. You can find the official OpenVPN ones here:
    https://openvpn.net/community-downloads/

    You can connect an OpenVPN based client to the firebox's SSLVPN by following these instructions:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_ovpn_profile_c.html

    -James Carson
    WatchGuard Customer Support

  • So has anyone come up with a solution besides deleting the update and disabling more updates?

  • @yoR said:
    So has anyone come up with a solution besides deleting the update and disabling more updates?

    I think this is the only solution. I had to remove KB5009624 due to Hyper-V issues and KB5009557 due to ReFS bugs.

    Happy new year! What a start :)

  • Thanks for everyone's input here. We got a couple of these and just uninstalled them. Hopefully the new Microsoft updates will work.

  • I checked for updates manually but it's not seeing KB5010793. It isn't in the Optional updates either.

  • KB5010793 is still not showing up in optional updates, but it's on the Microsoft Update Catalog page.

  • KB5010793 was in my optional updates list prior to noon EST 1/18/2022.

  • Thanks Bruce. That's strange, we're still not seeing KB5010793 in the optional updates. All we see is "Feature update to Windows 10, version 21H2". Anyone else seeing the optional update?

  • I've been checking manually once or twice per hour but I'm still not seeing it yet. 21H2 is the only optional update I get.

  • Same here. Thanks.

  • It was in my list for a 21H2 and a 20H2 PC.

  • Lucky you. Did the patch really fix IKEv2 VPN connection?
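
A triage check for the situation described in this thread, added here as an example and not posted by any participant or by WatchGuard: it reports whether a Windows 10 client has KB5009543 installed, whether KB5010793 is present, and how many event 20227 entries with error 13804 were logged recently. The Application log as the location of event 20227 and the 7-day window are assumptions; the KB numbers and codes are the ones quoted above.

```powershell
# Added example: triage a client for the IKEv2/L2TP failure discussed in this thread.
# KB numbers, event ID and error code are taken from the thread.
# Assumptions: event 20227 is written to the Application log; 7-day look-back.

$BreakingKb = 'KB5009543'   # 2022-01 cumulative update the posters uninstalled
$LaterKb    = 'KB5010793'   # later update the posters were looking for
$EventId    = 20227         # "The user dialed a connection ... which has failed"
$ErrorCode  = '13804'       # error code returned on failure

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix reports an error when the ID is absent; suppress it and test for a result.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-VpnDialFailure {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Application'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$ErrorCode\b" }
}

$hasBreaking = Test-KbInstalled -Id $BreakingKb
$hasLater    = Test-KbInstalled -Id $LaterKb
$failures    = @(Get-VpnDialFailure)   # newest event first

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    BreakingKb     = $hasBreaking
    LaterKb        = $hasLater
    Failures13804  = $failures.Count
    LastFailure    = ($failures | Select-Object -First 1).TimeCreated
    # Matches the pattern reported above: January update present, later update absent,
    # and at least one dial failure with error 13804.
    LikelyAffected = $hasBreaking -and -not $hasLater -and $failures.Count -gt 0
}
```

Run it in a PowerShell session on the client; the single output object can be collected from several machines to see which ones match the pattern before deciding where to uninstall or update.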
