S
sugita01
I have a problem where some users is unable to connect to vpn.
I already try to compare everything and when I look at the NPS log
I found out this differences.
When user A able to connect to vpn below is the log of successful connection
<Event>
<Timestamp data_type="4">11/08/2019 10:05:54.044</Timestamp>
<Computer-Name data_type="1">OBJ-SRV-DC1</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.20.0.10 11/07/2019 22:45:17 474</Class>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Fully-Qualifed-User-Name data_type="1">objgroup.com.au/Obj_Group/Users/Sydney/User A</Fully-Qualifed-User-Name>
<Client-IP-Address data_type="3">10.20.0.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">OBJ-FW-01</Client-Friendly-Name>
<MS-Link-Drop-Time-Limit data_type="0">120</MS-Link-Drop-Time-Limit>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">OBJGROUP\user.a</SAM-Account-Name>
<Authentication-Type data_type="0">4</Authentication-Type>
<MS-CHAP-Domain data_type="2">A24155544F4D494347524F5550</MS-CHAP-Domain>
<NP-Policy-Name data_type="1">Sophos Firewall</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<MS-Link-Utilization-Threshold data_type="0">50</MS-Link-Utilization-Threshold>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
And when a User B tried to connect to the VPN as well (from the same computer with same vpn configuration), below is the NPS log of unsuccessful attempt
<Event>
<Timestamp data_type="4">11/08/2019 08:58:25.984</Timestamp>
<Computer-Name data_type="1">OBJ-SRV-DC1</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.20.0.10 10/22/2019 17:19:49 139761</Class>
<Authentication-Type data_type="0">2</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">OBJGROUP\user.b</Fully-Qualifed-User-Name>
<SAM-Account-Name data_type="1">OBJGROUP\user.b</SAM-Account-Name>
<Client-IP-Address data_type="3">10.20.0.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">OBJ-FW-01</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">19</Reason-Code>
</Event>
If anyone can shed some light to me, as for me this is a dead end.
I tried everything already. I contact Sophos Support.
Sophos said there is nothing wrong with my sophos vpn configuration as the error clearly said reason code 19 (basically they blaming the NPS - Microsoft).
I checked the dial in settings (Control access through NPS Network Policy), group membership in AD, and even tried to use Store password using reversible encryption in AD and it still failed for user b.
The proportion of users who are able to VPN and users who arent is about 40%-60%
On the client machine (Win10) the user is getting error "Can't connect to L2TP VPN. The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
And on the eventviewer, there was event ID 20227 error.
Cold={15107339-9A5E-4B1B-8CAA-6BE599A6379E}: The user OBJGROUP\user.b dialed a connection named OBJ L2TP VPN which has failed. The error code returned on failure is 691.
Continue reading...
I already try to compare everything and when I look at the NPS log
I found out this differences.
When user A able to connect to vpn below is the log of successful connection
<Event>
<Timestamp data_type="4">11/08/2019 10:05:54.044</Timestamp>
<Computer-Name data_type="1">OBJ-SRV-DC1</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.20.0.10 11/07/2019 22:45:17 474</Class>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Fully-Qualifed-User-Name data_type="1">objgroup.com.au/Obj_Group/Users/Sydney/User A</Fully-Qualifed-User-Name>
<Client-IP-Address data_type="3">10.20.0.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">OBJ-FW-01</Client-Friendly-Name>
<MS-Link-Drop-Time-Limit data_type="0">120</MS-Link-Drop-Time-Limit>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">OBJGROUP\user.a</SAM-Account-Name>
<Authentication-Type data_type="0">4</Authentication-Type>
<MS-CHAP-Domain data_type="2">A24155544F4D494347524F5550</MS-CHAP-Domain>
<NP-Policy-Name data_type="1">Sophos Firewall</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<MS-Link-Utilization-Threshold data_type="0">50</MS-Link-Utilization-Threshold>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
And when a User B tried to connect to the VPN as well (from the same computer with same vpn configuration), below is the NPS log of unsuccessful attempt
<Event>
<Timestamp data_type="4">11/08/2019 08:58:25.984</Timestamp>
<Computer-Name data_type="1">OBJ-SRV-DC1</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.20.0.10 10/22/2019 17:19:49 139761</Class>
<Authentication-Type data_type="0">2</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">OBJGROUP\user.b</Fully-Qualifed-User-Name>
<SAM-Account-Name data_type="1">OBJGROUP\user.b</SAM-Account-Name>
<Client-IP-Address data_type="3">10.20.0.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">OBJ-FW-01</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">19</Reason-Code>
</Event>
If anyone can shed some light to me, as for me this is a dead end.
I tried everything already. I contact Sophos Support.
Sophos said there is nothing wrong with my sophos vpn configuration as the error clearly said reason code 19 (basically they blaming the NPS - Microsoft).
I checked the dial in settings (Control access through NPS Network Policy), group membership in AD, and even tried to use Store password using reversible encryption in AD and it still failed for user b.
The proportion of users who are able to VPN and users who arent is about 40%-60%
On the client machine (Win10) the user is getting error "Can't connect to L2TP VPN. The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
And on the eventviewer, there was event ID 20227 error.
Cold={15107339-9A5E-4B1B-8CAA-6BE599A6379E}: The user OBJGROUP\user.b dialed a connection named OBJ L2TP VPN which has failed. The error code returned on failure is 691.
Continue reading...