Richard M. Hicks Consulting, Inc. Enterprise Mobility and Security Infrastructure – Microsoft Always On VPN and DirectAccess, NetMotion Mobility, PKI and MFA


When implementing Windows 10 Always On VPN, directors may come upon errors 691 or 812 when setting up a VPN connection. There are a number of different configuration issues which will bring about these errors. For example they might occur when TLS 1. 0 has been disabled on the RRAS server when installed on servers earlier than Windows Server 2016.

It may also happen if a user’s Active Directory account is configured to deny dial in access and the NPS server is not configured to disregard user account dial in houses. Another scenario that will bring about 691/812 errors is when the Active Directory defense groups are configured as conditions on the Network Policy Server NPS Network Policy. See below for more particulars. Microsoft these days announced aid for native Windows 10 Always On VPN device tunnel configuration in Intune. Previously directors had to use the complicated and error prone custom XML configuration to deploy the Windows 10 Always On VPN device tunnel to their clients.

That is no longer required with this recent Intune update. In addition, directors may now specify custom cryptography settings for IPsec Security Association SA parameters for IKEv2 for both device tunnel and user tunnel connections. This effectively gets rid of the requirement to use custom ProfileXML for many deployment eventualities. During the making plans phase of a Windows 10 Always On VPN implementation the administrator must decide among two tunneling options for VPN client traffic – split tunneling or force tunneling. When split tunneling is configured, only site visitors for the on premises community is routed over the VPN tunnel.

See also  Invesp Conversion Rate Optimization Experts

Everything else is distributed at once to the Internet. With force tunneling, all client site visitors, including Internet site visitors, is routed over the VPN tunnel. There’s been much discussion currently on this topic, and this text serves to define the advantages and downsides for both tunneling methods. User adventure is always degraded when all Internet traffic is routed over the VPN. These suboptimal network paths augment latency, and VPN encapsulation and encryption overhead augment fragmentation, leading to reduced throughput.


Most Internet traffic is already encrypted in some form, and encrypting site visitors that is already encrypted makes the problem even worse. In addition, force tunneling short circuits geographic based Content Delivery Networks CDNs additional reducing Internet functionality. Further, region based amenities are sometimes broken which can result in incorrect default language preference or misguided web search results. Over the previous couple of weeks, I’ve worked with a large number of corporations and folks troubleshooting connectivity and function issues associated with Windows 10 Always On VPN, and particularly connections using the Internet Key Exchange edition 2 IKEv2 VPN protocol. An issue that appears with some regularity is when Windows 10 clients fail to connect with error 809. In this situation, the server will accept connections without issue for a period of time after which suddenly stop accepting requests.

When this occurs, existing connections retain to work with out issue most often. Frequently this occurs with Windows Server Routing and Remote Access Service RRAS servers configured in a clustered array behind an External Load Balancer ELB. It is not uncommon to use Network Address Translation NAT when configuring Always On VPN. In fact, for most deployments the general public IP address for the VPN server resides not on the VPN server, but on an edge firewall or load balancer connected at once to the Internet. The firewall/load balancer is then configured to translate the vacation spot address to the private IP address assigned to the VPN server in the perimeter/DMZ or the inner community. This is thought a Destination NAT DNAT.

See also  Insular Manuscripts AD : Networks of Knowledge Medieval manuscripts blog

Using this configuration, the customer’s fashioned source IP tackle is left intact. This configuration presents no issues for Always On VPN.