1
00:00:02,040 --> 00:00:03,200
When it comes to troubleshooting,

2
00:00:03,200 --> 00:00:07,890
the single most valuable piece of information an administrator can obtain is

3
00:00:07,890 --> 00:00:11,270
the error code encountered for the failed connection attempt.

4
00:00:11,270 --> 00:00:13,590
Error codes can be found in multiple locations,

5
00:00:13,590 --> 00:00:16,680
but the first and most important location to look for error

6
00:00:16,680 --> 00:00:19,450
codes is in the event log on the endpoint.

7
00:00:19,450 --> 00:00:20,350
Specifically,

8
00:00:20,350 --> 00:00:23,200
we'll be looking in the application event log because that's

9
00:00:23,200 --> 00:00:26,040
where the VPN client records its error messages.

10
00:00:26,040 --> 00:00:29,430
The next place to look for error messages, specifically for user-based

11
00:00:29,430 --> 00:00:32,540
connections, is the event log on the NPS server.

12
00:00:32,540 --> 00:00:36,450
Here, we're going to find valuable information for failed connection attempts,

13
00:00:36,450 --> 00:00:39,500
specifically failed authentication attempts.

14
00:00:39,500 --> 00:00:42,110
And while digging through the event log on the endpoint,

15
00:00:42,110 --> 00:00:46,040
we'll ultimately reveal an error code for a failed VPN connection attempt.

16
00:00:46,040 --> 00:00:49,430
It's much easier to use tools such as rasphone.exe,

17
00:00:49,430 --> 00:00:53,270
which is a GUI utility used to launch VPN connections,

18
00:00:53,270 --> 00:00:55,310
and rasdial.exe,

19
00:00:55,310 --> 00:00:59,600
which is a command line tool to launch VPN connections because these

20
00:00:59,600 --> 00:01:03,030
tools will surface the error message for a failed connection attempt

21
00:01:03,030 --> 00:01:06,090
immediately without requiring you, the administrator,

22
00:01:06,090 --> 00:01:09,490
to dig through the event logs and try to find the error code.
23
00:01:09,490 --> 00:01:12,950
So this greatly simplifies and streamlines the process of

24
00:01:12,950 --> 00:01:16,140
identifying these error messages for troubleshooting.

25
00:01:16,140 --> 00:01:20,100
It's important to ensure that the NPS server has auditing enabled for

26
00:01:20,100 --> 00:01:23,480
NPS events because without this option administrators are going to be

27
00:01:23,480 --> 00:01:26,110
flying blind when it comes to troubleshooting.

28
00:01:26,110 --> 00:01:27,570
It should be enabled by default,

29
00:01:27,570 --> 00:01:30,940
but I can tell you from experience somehow it gets disabled.

30
00:01:30,940 --> 00:01:34,220
You can view the auditing setting by using the command auditpol

31
00:01:34,220 --> 00:01:38,580
/get /subcategory:"Network Policy Server".

32
00:01:38,580 --> 00:01:41,410
And if NPS auditing is disabled somehow,

33
00:01:41,410 --> 00:01:47,060
you can enable it quickly using the command auditpol.exe /set /subcategory:

34
00:01:47,060 --> 00:01:52,260
"Network Policy Server" /success:enable /failure:enable.

35
00:01:52,260 --> 00:01:57,500
This ensures that the NPS authentication events on the NPS server,

36
00:01:57,500 --> 00:01:59,030
success or failure,

37
00:01:59,030 --> 00:02:01,860
will be audited and recorded in the event log so that

38
00:02:01,860 --> 00:02:04,340
we can use that for troubleshooting.

39
00:02:04,340 --> 00:02:06,790
So some of the common error codes that we're going to cover

40
00:02:06,790 --> 00:02:10,650
in the next demonstration are 809. This is probably one of

41
00:02:10,650 --> 00:02:12,660
the most common error messages.

42
00:02:12,660 --> 00:02:13,470
And honestly,

43
00:02:13,470 --> 00:02:16,910
this is a very simple error message in that it means

44
00:02:16,910 --> 00:02:18,830
that it's a failed connection attempt.
45
00:02:18,830 --> 00:02:21,440
And specifically, it is a timeout error,

46
00:02:21,440 --> 00:02:25,140
meaning the VPN client attempted to establish a connection,

47
00:02:25,140 --> 00:02:28,860
and the VPN server just simply didn't respond.

48
00:02:28,860 --> 00:02:30,200
The next is an 812.

49
00:02:30,200 --> 00:02:35,100
And again, an 812 is really just couldn't authenticate for some reason,

50
00:02:35,100 --> 00:02:39,630
and there are numerous reasons why a user might not be able to authenticate.

51
00:02:39,630 --> 00:02:41,880
We'll go over many of those later.

52
00:02:41,880 --> 00:02:44,810
13801 is specific to IKE v2,

53
00:02:44,810 --> 00:02:48,730
and it simply means that the IKE authentication failed.

54
00:02:48,730 --> 00:02:51,990
So there was some sort of problem presented in the IKE

55
00:02:51,990 --> 00:02:55,310
authentication process. Sometimes certificates,

56
00:02:55,310 --> 00:02:58,390
sometimes other things, but we'll take a look at those as well.

57
00:02:58,390 --> 00:03:04,440
13806, again, is related to IKE v2 specifically, and this is always a

58
00:03:04,440 --> 00:03:08,880
certificate issue of some sort on the endpoint, on the server,

59
00:03:08,880 --> 00:03:11,810
variety of places it could be a problem with, but it is almost

60
00:03:11,810 --> 00:03:14,240
certainly an issue with a certificate.

61
00:03:14,240 --> 00:03:18,680
And then finally, I want to cover the dreaded 13868.

62
00:03:18,680 --> 00:03:22,930
This is, again, an IKE v2-specific message and it has

63
00:03:22,930 --> 00:03:25,500
to do with an IPsec policy mismatch,

64
00:03:25,500 --> 00:03:29,790
meaning the policy on the client does not match the policy on

65
00:03:29,790 --> 00:03:32,240
the server, specifically the IPsec policy.
66
00:03:32,240 --> 00:03:35,310
And in that scenario, the peers will not be able to

67
00:03:35,310 --> 00:03:45,000
communicate if they cannot agree on IPsec security parameters, and it will bubble up that 13868 event.