RAS Connection Establishment Issues

Applies To: Windows Server 2008

This topic is intended for IT administrators who are troubleshooting RAS connection establishment failure events 20220 and 20227. This topic includes information that can help you diagnose your RAS connection issue.

Informational RAS connection events

The establishment of a RAS connection for Internet or VPN connectivity takes place in stages. The successful completion of a stage is indicated by the generation of an informational (success) event. The following informational events are generated during the setup of the connection:

ROUTERLOG_PRECONNECT_INFO (Event 20221) (Error: 665)

The user has started dialing a RAS connection.

ROUTERLOG_CONNECTING_DEVICE (Event 20222) (Errors 633, 676, 678, 680, 692, 740, 807, 809, 814, 815, 741, 742, 808, 825, 766, 786, 787, 788, 789, 790, 791, 793, 810, 811, 827, 835)

The device specified by the user for the connection has been detected and is working properly.

ROUTERLOG_DEVICE_CONNECTED (Event 20223) (Errors 647, 648, 649, 691, 708, 764, 778, 798, 801, 805, 812, 826, 718, 732, 808, 733, 734, 735, 736, 737, 738, 741, 742, 806)

A basic dial-up/broadband (PPPoE) link or PPTP/L2TP tunnel (for VPN connection) has been successfully set up (the device has been connected).

ROUTERLOG_LINK_ESTABLISHED (Event 20224) (Errors 647, 648, 649, 691, 708, 764, 778, 798, 801, 805, 812, 826, 718, 732, 808, 733, 734, 735, 736, 737, 738, 741, 742, 806)

All of the selected devices have been successfully connected.

ROUTERLOG_RASCONNECTION_ESTABLISHED (Event 20225)

All phases of PPP have been completed, and the RAS connection has been successfully established.

The failure of RAS connection setup is diagnosed based on the last informational event generated and the error code that accompanies ROUTERLOG_RASCONNECTION_FAILED (Event 20227). The problems that could cause the failure are divided into categories. Detailed diagnosis of all error codes in each category is covered in this document.

The diagnosis for the ROUTERLOG_INVALID_SERVER_CERT (Event 20220) event is the same as the diagnosis for error 835 under Problems with IPsec Secure Association (SA) Setup.

Note

Diagnosis might involve checking the values of certain dial-up, PPPoE, or VPN parameters. In the case of Connection Manager profiles, most of these settings are in the .cms files of these profiles.

For all-user profiles (that is, profiles that have been installed for use by all users of the computer), the path for the .cms file is %PROGRAMDATA%\Microsoft\Network\Connections\Cm\<Connection Name>.

For me-only profiles (that is, profiles that have been installed only to be used by a single user), the path for the .cms file is %USERPROFILE%\AppData\Roaming\Microsoft\network\connections\Cm\<Connection Name>.

ROUTERLOG_PRECONNECT_INFO (Event 20221)

If ROUTERLOG_PRECONNECT_INFO is the only informational event that appears during connection setup, it means that the connecting device could not be detected. For dial-up connections, a connecting device is an internal/external modem; for broadband connections, a connecting device is a PPPoE WAN Miniport driver; and for VPN connections, a connecting device is a PPTP/L2TP WAN Miniport driver. In a multi-link scenario (for example, ISDN BRI/PRI links) where there are multiple modems, the devices are detected and then connected in sequence. It is possible that some of these devices were detected and connected successfully, but that the detection of one of the devices failed. This failure results in the disconnection of the connected devices. Therefore, you might find ROUTERLOG_PRECONNECT_INFO, ROUTERLOG_CONNECTING_DEVICE, and ROUTERLOG_DEVICE_CONNECTED events in the Event Viewer for the devices that were successfully detected and connected and the ROUTERLOG_PRECONNECT_INFO event for the device that could not be detected.

The following errors might have occurred at this stage of the connection process:

  • The user might have clicked Cancel on the RAS login dialog box during connection setup.

  • There might be a problem with the connecting device.

Connecting device problems

These problems usually apply only to dial-up connections that use an internal or external modem.

Error 665 (ERROR_PORT_NOT_CONFIGURED)

Message: The modem (or other connecting device) is not properly configured.

In the case of a dial-up connection, check the status of the modem in Device Manager. Disable and re-enable the modem, and uninstall and reinstall the modem drivers.

To open Device Manager

  1. In Control Panel, click Device Manager.

  2. Locate and then double-click the modem.

  3. The properties dialog box of the modem will be displayed.

  4. The modem status can be found on the General and Driver tabs of the properties dialog box. Check that the modem hardware is working and that its drivers are not corrupted. Check the Driver tab to confirm that the modem is not disabled.

In the case of a broadband connection, check the status of PPPoE drivers in Network Connections. If the status of the PPPoE driver for the broadband connection indicates that it is corrupted or has failed, delete the broadband connection. From Network Connections, right-click the RAS connection, and then click Delete. This will automatically uninstall the connection. Re-create the connection and attempt to connect again. If the problem persists, call Microsoft Product Support Services. For more information, see https://go.microsoft.com/fwlink/?LinkId=89446.

To open Network Connections

  1. In Control Panel, under Network and Internet, click View network status and tasks.

  2. Click Manage network connections.

  3. The status of the drivers is indicated on the connection icon.

In the case of a VPN connection, check the status of PPTP/L2TP drivers in Network Connections. Use the preceding procedure to check the status of the drivers. If the status of the PPTP/L2TP driver for the VPN connection indicates that it is corrupted or has failed, delete the VPN connection (in the case of connections created using the Network Connections Wizard) or uninstall it (in the case of Connection Manager profiles) and then re-create and reinstall it. If the problem persists, call Microsoft Product Support Services. For more information, see https://go.microsoft.com/fwlink/?LinkId=89446.

ROUTERLOG_CONNECTING_DEVICE (Event 20222)

This event indicates that the device specified by the user for Internet or VPN connectivity has been detected and is working properly.

If the ROUTERLOG_CONNECTING_DEVICE event is the last informational event that appears during the RAS connection setup process, it means that a failure occurred while trying to connect the device, which for dial-up and broadband involves the setting up of a PPPoE link and for VPN involves the setting up of a PPTP/L2TP tunnel. In a multi-link scenario (for example, ISDN BRI/PRI links) where multiple modems are involved, the devices are detected and then connected in sequence. It is possible that some of these devices were detected and connected successfully, but that the connection of one of the devices failed. This failure results in the disconnection of the connected devices. Therefore, you might find ROUTERLOG_CONNECTING_DEVICE and ROUTERLOG_DEVICE_CONNECTED events in the Event Viewer before a ROUTERLOG_CONNECTING_DEVICE event that does not have a matching ROUTERLOG_DEVICE_CONNECTED event appears.

The following errors might have occurred at this stage of the connection process:

  • The user might have clicked Cancel on the RAS login dialog box during connection setup.

  • There might be network connectivity problems. For errors 633, 676, 678, 680, 692, 740, 807, 809, 814, 815, see Network connectivity problems.

  • There might be problems with the VPN tunnel settings. For errors 741, 742, 808, 825, see VPN tunnel settings errors.

  • There might be problems with the setup of IPsec security associations (SAs). For errors 766, 786, 787, 788, 789, 790, 791, 793, 810, 811, 827, 835, see Problems with IPsec security association setup.
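The staged diagnosis described above (last informational event plus the error code from Event 20227) can be sketched as follows. This is an added example, not Microsoft code: the `(event_id, error_code)` tuples are a constructed input shape rather than the real event record format, and treating Event 20220 as the end of an attempt is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Informational (success) events, in the order the page lists them.
INFO_EVENTS = {
    20221: "ROUTERLOG_PRECONNECT_INFO",
    20222: "ROUTERLOG_CONNECTING_DEVICE",
    20223: "ROUTERLOG_DEVICE_CONNECTED",
    20224: "ROUTERLOG_LINK_ESTABLISHED",
    20225: "ROUTERLOG_RASCONNECTION_ESTABLISHED",
}
EV_INVALID_SERVER_CERT = 20220
EV_FAILED = 20227

IPSEC = "Problems with IPsec security association setup"
UNLISTED = "not categorized for this stage in the lists above"

# Error categories per last informational event, copied from the page.
# The same code (741, 742, 808) also appears at later stages, so the stage matters.
CATEGORIES = {
    20221: {"Connecting device problems": {665}},
    20222: {
        "Network connectivity problems":
            {633, 676, 678, 680, 692, 740, 807, 809, 814, 815},
        "VPN tunnel settings errors": {741, 742, 808, 825},
        IPSEC: {766, 786, 787, 788, 789, 790, 791, 793, 810, 811, 827, 835},
    },
}


@dataclass
class Diagnosis:
    last_stage: Optional[str]   # name of the last informational event seen
    error: Optional[int]        # error code reported with the failure
    category: str               # troubleshooting category to consult
    links_torn_down: int        # multi-link devices connected before the failure


def categorize(last_event: Optional[int], error: Optional[int]) -> str:
    for name, codes in CATEGORIES.get(last_event, {}).items():
        if error in codes:
            return name
    return UNLISTED


def triage(events: Iterable[Tuple[int, Optional[int]]]) -> List[Diagnosis]:
    """Walk events in chronological order and diagnose each failed attempt."""
    results: List[Diagnosis] = []
    last_info: Optional[int] = None
    connected = 0
    for event_id, error in events:
        if event_id == 20225:                    # attempt succeeded, start over
            last_info, connected = None, 0
        elif event_id in INFO_EVENTS:
            last_info = event_id
            if event_id == 20223:                # one more device connected
                connected += 1
        elif event_id in (EV_FAILED, EV_INVALID_SERVER_CERT):
            if event_id == EV_INVALID_SERVER_CERT:
                # Event 20220 is diagnosed the same way as error 835.
                error, category = 835, IPSEC
            else:
                category = categorize(last_info, error)
            results.append(Diagnosis(INFO_EVENTS.get(last_info), error,
                                     category, connected))
            last_info, connected = None, 0       # assumed end of the attempt
    return results


# Constructed sample: one success followed by five failed attempts.
SAMPLE_EVENTS = [
    (20221, None), (20222, None), (20223, None), (20224, None), (20225, None),
    (20221, None), (20222, None), (20227, 809),
    (20221, None), (20222, None), (20223, None), (20221, None), (20227, 665),
    (20221, None), (20222, None), (20227, 741),
    (20221, None), (20222, None), (20223, None), (20227, 741),
    (20221, None), (20222, None), (20220, None),
]

if __name__ == "__main__":
    for diagnosis in triage(SAMPLE_EVENTS):
        print(diagnosis)
```

The third constructed attempt is the multi-link case: one device had connected, then detection of the next device failed, so the last informational event is ROUTERLOG_PRECONNECT_INFO again.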

Network connectivity problems

Problems with network connectivity on the client computer or between the client and the remote access server might be preventing the user from successfully setting up a dial-up or broadband link or PPTP/L2TP tunnel.

The following errors are covered in this section:

Error 633 (ERROR_PORT_NOT_AVAILABLE)

Error 676 (ERROR_LINE_BUSY)

Error 678 (ERROR_NO_ANSWER)

Error 680 (ERROR_NO_DIALTONE)

Error 692 (ERROR_PORT_OR_DEVICE)

Error 740 (ERROR_TAPI_CONFIGURATION)

Error 807 (ERROR_VPN_DISCONNECT)

Error 809 (ERROR_VPN_TIMEOUT)

Error 814 (ERROR_BROADBAND_NO_NIC)

Error 815 (ERROR_BROADBAND_TIMEOUT)

Error 633 (ERROR_PORT_NOT_AVAILABLE)

Message: The port is already in use or is not configured for Remote Access dial out.

In the case of a dial-up or broadband connection, the modem might be in use or a dial-up or broadband connection might already be established. To see if there is an active connection on the modem, check the dial-up connections in Network Connections. If there is an active connection already present on the dial-up/broadband modem, Internet connectivity might already be available. Try to access resources on the remote network.

In the case of a VPN connection, the user might be trying to set up a VPN connection on top of another VPN connection, which is not supported in the Windows Vista operating system. To see if there is an active connection, check the VPN connections in Network Connections. Disconnect the existing VPN connection and try again. From Network Connections, right-click the RAS connection, and then click Disconnect.

To open Network Connections

  1. In Control Panel, under Network and Internet, click View network status and tasks.

  2. Click Manage network connections.

Error 676 (ERROR_LINE_BUSY)

Message: The phone line is busy.

This error code applies only to a dial-up connection. The user is not able to dial out because the telephone line is in use. Check if another user is using the phone line for Internet connectivity or for a voice or fax call.

Disconnect the voice or fax call or Internet connection that is using the phone call and try again.

Error 678 (ERROR_NO_ANSWER)

Message: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number.

In the case of a dial-up connection, the modem might not be receiving any response to connection setup requests from the remote modem pool. There might be problems with the telephone network or the dial-up server might be down and not accepting incoming connection requests.

  • Contact the telephone company and find out if the telephone network in the user’s area is running.

  • Contact the dial-up network service provider and find out if the dial-up server is accepting dial-up connection requests.

In the case of broadband connections, the dialer might not have been able to discover a PPPoE server. There might be problems in the broadband access network or the PPPoE server might be down and not responding to incoming requests.

  • Contact the broadband ISP to find out if the broadband network in the user’s area is running.

In the case of a VPN connection, the VPN client might not be receiving any response to tunnel setup requests. The VPN server might be down or there might be problems with Internet connectivity. Check the status of the dial-up or broadband Internet connectivity in Network Connections.

  • Contact the ISP to find out if there is Internet connectivity.

  • Contact the administrator of the remote network to which the user is trying to connect and find out if the VPN server is running and accepting tunnel setup requests.

Error 680 (ERROR_NO_DIALTONE)

Message: There was no dial tone.

This error code applies only to a dial-up connection. The dial-up modem might not have been able to detect a dial tone. The user’s telephone line might not be working.

  • Contact the telephone company and find out the status of the user’s telephone line and other lines in that area.

Error 692 (ERROR_PORT_OR_DEVICE)

Message: There was a hardware failure in the modem (or other connecting device).

Check connectivity between the modem and the telephone or cable connection jack. If you are using an external modem, check connectivity between the modem and the computer.

  • Replace the cable between the modem and the telephone or cable connection jack. If an external modem is being used, replace the cable between modem and the computer.

Check the status of dial-up modems in Device Manager. For broadband modems, check the modem for visual indications of state.

  • If Device Manager or visual indications on the modem chassis show that the modem has failed, replace the modem.

Error 740 (ERROR_TAPI_CONFIGURATION)

Message: An invalid dialing rule was detected.

This error applies only to a dial-up connection. The rules specified to dial the phone number provided by the Internet Service Provider from the user’s location might be incorrect. Check the dialing rules. For both connections created using the Network Connections Wizard and Connection Manager profiles, the dialing rules can be found in the connection properties.

To check dialing rules

  1. In Network Connections, right-click the dial-up connection, and then click Properties.

  2. The Dialing Rules option can be found on the General tab. Select Use dialing rules, and then click Dialing Rules to check the rules.

Error 807 (ERROR_VPN_DISCONNECT)

Message: The network connection between your computer and the VPN server was interrupted. This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN server has reached capacity. Please try to reconnect to the VPN server. If this problem persists, contact the VPN administrator and analyze quality of network connectivity.

The VPN dialer might not be receiving any responses from the VPN server. The following are possible causes:

  • There are problems with Internet connectivity. Check the status of the dial-up or broadband Internet connectivity in Network Connections.

  • Network latency might be causing the tunneling protocol to time out.

  • The remote access VPN server might be down and not responding to tunnel setup requests.

  • The VPN server might have reached full capacity and might not be accepting any more connections.

  • The IP address of the VPN server might be wrong. Check the configured IP address.

For connections created using Network Connections Wizard, the IP address of the VPN server can be found in the connection properties.

To view the IP address of the VPN server

  1. From Network Connections, right-click the VPN connection, and then click Properties.

  2. The IP address of the VPN server can be found on the General tab.

  • For Connection Manager profiles, if a list of VPN servers is available, the list can be found in the [VPN Servers] section of the VPN list file. The VPN list file can be found under %PROGRAMDATA%\Microsoft\Network\Connections\Cm\<Connection Name> for all-user profiles and %USERPROFILE%\AppData\Roaming\Microsoft\network\connections\Cm\<Connection Name> for me-only profiles. The TunnelFile key under the [Connection Manager] section of the .cms file contains the name of the VPN file.

  • If only a single VPN server is available, the TunnelAddress key under the [Connection Manager] section of the .cms file contains the name of the VPN file.

If the user is trying to set up a VPN connection over a wireless link, problems in the wireless access network could be causing tunnel setup to fail. Check the status of the wireless connection in Network Connections. The wireless access point might have gone down due to loss of power or for other reasons. The user’s computer might be out of the operating range of the wireless network or the RF signal strength might be weak.

Error 809 (ERROR_VPN_TIMEOUT)

Message: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

A firewall, NAT, or router on the path between the computer and the VPN server might not be configured to allow control traffic exchanged for the setup of PPTP or L2TP tunnels. PPTP tunnel setup uses TCP port number 1723. For L2TP, UDP port number 500 and Internet Protocol (IP) protocols 50 and 51 are used. If network address translation is taking place between the computer and VPN server, port number 4500 is used for L2TP. Check if these port numbers and protocol numbers are allowed to pass through the routers and firewalls.

Error 814 (ERROR_BROADBAND_NO_NIC)

Message: The underlying Ethernet connectivity required for the broadband connection was not found. Please install and enable the Ethernet adapter on your computer via the Network Connections folder before attempting this connection.

This error code applies only to broadband connections:

  • The Ethernet network adapter is on the computer, but is not working properly. Check the status of the Ethernet network adapter in Device Manager.

To check the status of the Ethernet network adapter

  1. In Control Panel, click Device Manager.

  2. Under Network adapters, locate and then double-click the network adapter. The properties dialog box of the device will be displayed.

  3. The network adapter status can be found on the General and Driver tabs of the properties dialog box. Check that the network adapter hardware is working and that its drivers are not corrupted. Check the Driver tab to confirm that the network adapter is not disabled.

  • If the network adapter is not enabled, enable it. If the drivers of the network adapter are outdated or corrupted, update or reinstall them. Also, try uninstalling and reinstalling the adapter.

  • There might be problems in the physical cable connectivity between the computer and the broadband modem. Check the cables.

Error 815 (ERROR_BROADBAND_TIMEOUT)

Message: The broadband network connection could not be established on your computer because the remote server is not responding. This could be caused by an invalid value for the 'Service Name' field for this connection. Please contact your Internet Service Provider and inquire about the correct value for this field and update it in the Connection Properties.

Contact the ISP for the Service Name field. Correct the Service Name field.

To find the Service Name field

  1. In Network Connections, right-click the VPN connection, and then click Properties.

  2. Click the General tab to find the Service Name field.

VPN tunnel settings errors

The following errors are related to VPN tunnel settings.

Error 741 (ERROR_NO_LOCAL_ENCRYPTION)

Error 742 (ERROR_NO_REMOTE_ENCRYPTION)

Error 808 (ERROR_VPN_REFUSED)

Error 825 (ERROR_INVALID_VPNSTRATEGY)

Error 741 (ERROR_NO_LOCAL_ENCRYPTION)

Message: The local computer does not support the required data encryption type.

Given that VPN connection setup failed after the ROUTERLOG_CONNECTING_DEVICE event, this problem applies to L2TP IPsec tunnels only. For PPTP tunnels, data encryption settings are negotiated only after the tunnel has been successfully set up as a part of PPP.

The tunnel data encryption settings on the client and server might not be compatible. Check the settings on the client.

For connections created using Network Connections Wizard, the tunnel data encryption settings can be found in the connection properties.

To review tunnel data encryption settings for connections created using Network Connections Wizard

  1. In Network Connections, right-click the VPN connection, and then click Properties.

  2. Click the Security tab.

  3. Select Advanced (custom settings), and then click Settings. The tunnel data encryption setting is displayed under Data Encryption.

For Connection Manager profiles, the EncryptionType key under the [Server & TunnelDUN] section in the .cms file contains the tunnel data encryption settings. Following are the possible values of these keys and the settings to which they correspond:

Value   Tunnel data encryption setting
0       No Encryption
1       Encryption Required
2       Maximum Strength Encryption
3       Optional Encryption

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section.

Encryption might be required on the server, but might be disabled on the client. It is also possible that the server requires stronger encryption than what is configured on the client.

Contact the network administrator and find out the encryption settings on the VPN server for L2TP/IPsec tunnels. If the server requires only normal encryption, the client encryption settings should be Optional Encryption or Require Encryption. If the server requires strong encryption, the client should be configured for Maximum Strength Encryption.

  • For connections created using the Network Connections Wizard, the tunnel encryption settings can be changed through the connection properties.

  • For Connection Manager profiles, the encryption settings can be changed by changing the value of the EncryptionType key in the .cms file to the appropriate value.

Error 742 (ERROR_NO_REMOTE_ENCRYPTION)

Message: The remote computer does not support the required data encryption type.

Given that VPN connection setup failed after the ROUTERLOG_CONNECTING_DEVICE event, this problem applies to L2TP IPsec tunnels only. For PPTP tunnels, data encryption settings are negotiated only after the tunnel has been successfully set up as a part of PPP.

The tunnel data encryption settings on the client and server might not be compatible. Check the settings on the client.

For connections created using the Network Connections Wizard, the tunnel data encryption settings can be found in the connection properties.

To review tunnel data encryption settings for connections created using Network Connections Wizard

  1. In Network Connections, right-click the VPN connection, and then click Properties.

  2. Click the Security tab.

  3. Select Advanced (custom settings), and then click Settings.

  4. The tunnel data encryption setting is displayed under Data Encryption.

For Connection Manager profiles, the EncryptionType key under the [Server & TunnelDUN] section in the .cms file contains the tunnel data encryption settings. Following are the possible values of these keys and the settings to which they correspond:

Value   Tunnel data encryption setting
0       No Encryption
1       Encryption Required
2       Maximum Strength Encryption
3       Optional Encryption

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section.

Encryption might be required, but disabled on the client. It is also possible that the client requires stronger encryption than what is configured on the server.

Contact the network administrator and find out the encryption settings on the VPN server for L2TP/IPSec tunnels. If encryption is not configured on the server, it should be disabled on the client by configuring No Encryption or Optional Encryption. If the server requires only normal encryption, the client configuration should be Require Encryption.

  • For connections created using the Network Connections Wizard, the tunnel encryption settings can be changed through the connection properties.

  • For Connection Manager profiles, the encryption settings can be changed by changing the value of the EncryptionType key in the .cms file to the appropriate value.

Error 808 (ERROR_VPN_REFUSED)

Message: The network connection between your computer and the VPN server could not be established because the remote server refused the connection. This is typically caused by a mismatch between the server's configuration and your connection settings. Please contact the remote server's Administrator to verify the server configuration and your connection settings.

This error indicates that VPN ports are not configured on the RAS server or that the server does not have any L2TP or PPTP ports available to accept tunnel connections.

  • Contact the network administrator. The administrator needs to check if VPN ports are configured on the VPN server and if there are enough PPTP and L2TP ports to accept new tunnel connections.

Error 825 (ERROR_INVALID_VPNSTRATEGY)

Message: Point-to-Point Tunneling Protocol (PPTP) is incompatible with IPv6. Change the type of virtual private network to Layer Two Tunneling Protocol (L2TP).

The user’s computer might be part of an IPv6 network and the VPN tunneling protocol might be PPTP. The Windows Vista operating system does not support PPTP tunneling protocol over an IPv6 network. Check the configuration of the tunneling protocol.

For connections created using the Network Connections Wizard, the settings can be found in the connection properties.

To check the configuration of the tunneling protocol

  1. In Network Connections, select the VPN connection, and then right-click and select Properties.

  2. Click the Networking tab.

  3. The tunneling protocol setting is displayed under Types of VPN. Possible values are Automatic, PPTP VPN, and L2TP IPSec VPN.

For Connection Manager profiles, the VpnStrategy key under the [Networking & TunnelDUN] section in the .cms file contains the tunneling protocol settings on the client. Following are the possible values of this key and the settings to which they correspond:

Value   Tunnel type
1       Use PPTP only
2       Try PPTP first
3       Use L2TP only
4       Try L2TP first

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section.

In the case of Network Connections Wizard connections, the configured tunneling protocol might be PPTP VPN. In the case of Connection Manager profiles, the configured tunneling protocol might be Use PPTP only.

Change the tunneling protocol settings on the client to use L2TP. For connections created using the Network Connections Wizard, the tunneling protocol settings can be found in the connection properties.

To change the VPN type

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. On the Networking tab, under Type of VPN, select Automatic or L2TP IPsec VPN.

For Connection Manager profiles, the setting can be changed to Try PPTP first, Use L2TP only, or Try L2TP first by changing the value of the VpnStrategy key in the .cms file.
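The EncryptionType checks for errors 741 and 742 and the VpnStrategy check for error 825 can be run against a Connection Manager profile in one pass. The following is an added example, not part of the original topic: the two .cms snippets are constructed, the function and finding wording are hypothetical, and section matching ignores case and spacing around "&".

```python
import configparser

# Value tables as given on this page.
ENCRYPTION_TYPE = {0: "No Encryption", 1: "Encryption Required",
                   2: "Maximum Strength Encryption", 3: "Optional Encryption"}
VPN_STRATEGY = {1: "Use PPTP only", 2: "Try PPTP first",
                3: "Use L2TP only", 4: "Try L2TP first"}


def _norm(section):
    """Compare section names ignoring case and spacing around '&'."""
    return "&".join(part.strip() for part in section.split("&")).casefold()


def _int_key(parser, sections, wanted, key):
    """Return the integer value of key in the wanted section, else None."""
    actual = sections.get(_norm(wanted))
    if actual is None:
        return None
    raw = parser.get(actual, key, fallback=None)
    try:
        return int(raw.strip())
    except (AttributeError, ValueError):   # key absent, empty, or not a number
        return None


def audit_cms(text):
    """Report tunnel encryption and VPN strategy settings of a .cms profile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(text)
    sections = {_norm(name): name for name in parser.sections()}
    cm = sections.get(_norm("Connection Manager"))
    if cm is None:
        raise ValueError("no [Connection Manager] section")
    tunnel_dun = parser.get(cm, "TunnelDUN", fallback=None)
    if not tunnel_dun:
        raise ValueError("no TunnelDUN key under [Connection Manager]")
    tunnel_dun = tunnel_dun.strip()

    # Both keys live in sections named after the TunnelDUN value.
    enc = _int_key(parser, sections, f"Server&{tunnel_dun}", "EncryptionType")
    strat = _int_key(parser, sections, f"Networking&{tunnel_dun}", "VpnStrategy")

    findings = []
    if enc not in ENCRYPTION_TYPE:
        findings.append("EncryptionType is missing or not a value from 0 to 3")
    elif enc == 0:
        findings.append("EncryptionType=0: tunnel data is not encrypted; "
                        "setup fails if the server requires encryption")
    elif enc == 3:
        findings.append("EncryptionType=3: encryption is optional; use 2 if "
                        "the server requires strong encryption")
    if strat not in VPN_STRATEGY:
        findings.append("VpnStrategy is missing or not a value from 1 to 4")
    elif strat == 1:
        findings.append("VpnStrategy=1: PPTP only; error 825 on an IPv6 network")

    return {"tunnel_dun": tunnel_dun,
            "encryption": ENCRYPTION_TYPE.get(enc),
            "vpn_strategy": VPN_STRATEGY.get(strat),
            "findings": findings}


# Constructed profile with the weak settings discussed above.
WEAK_CMS = """
[Connection Manager]
TunnelDUN=Contoso Tunnel
TunnelAddress=vpn.example.test

[Server & Contoso Tunnel]
EncryptionType=3

[Networking & Contoso Tunnel]
VpnStrategy=1
"""

# Constructed profile after correction; note the '&' without spaces.
HARDENED_CMS = """
[Connection Manager]
TunnelDUN=Contoso Tunnel
TunnelAddress=vpn.example.test

[Server&Contoso Tunnel]
EncryptionType=2

[Networking&Contoso Tunnel]
VpnStrategy=3
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CMS), ("hardened", HARDENED_CMS)):
        print(name, audit_cms(text))
```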

Problems with IPsec security association setup

Problems related to IPsec SA setup apply to VPN connections only. In the case of L2TP tunneling protocol, before the tunnel is set up between the client and server computers, an IPsec SA is established between the two for integrity and security of the traffic exchanged between them. The L2TP tunnel is actually established on top of the IPsec SA. The establishment of the SA might have failed, causing tunnel setup to fail, too.

The following errors are covered in this section:

Error 766 (ERROR_NO_CERTIFICATE)

Error 786 (ERROR_OAKLEY_NO_CERT)

Error 787 (ERROR_OAKLEY_AUTH_FAIL)

Error 788 (ERROR_OAKLEY_ATTRIB_FAIL)

Error 789 (ERROR_OAKLEY_GENERAL_PROCESSING)

Error 790 (ERROR_OAKLEY_NO_PEER_CERT)

Error 791 (ERROR_OAKLEY_NO_POLICY)

Error 793 (ERROR_OAKLEY_ERROR)

Error 810 (ERROR_VPN_BAD_CERT)

Error 811 (ERROR_VPN_BAD_PSK)

Error 827 (ERROR_IPSEC_SERVICE_STOPPED)

Error 835 (ERROR_INVALID_SERVER_CERT)

Error 766 (ERROR_NO_CERTIFICATE)

Message: A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate.

A certificate-based digital signature method is being used for the authentication of the client and server computers for which a valid computer certificate is required to be installed on the two computers. A certificate could not be found on the client. As a result, the client cannot be authenticated.

  • Contact the network administrator to obtain a computer certificate.

Error 786 (ERROR_OAKLEY_NO_CERT)

Message: The connection attempt failed because there is no valid machine certificate on your computer for security authentication.

A certificate-based digital signature method is being used for the authentication of the client and server computers for which a valid computer certificate is required to be installed on the two computers. The client’s certificate is not valid because a public key, private key, or both keys could not be found in the certificate. It is also possible that there is a problem with the digital signature or that the certificate has expired.

  • Contact the network administrator and obtain a valid computer certificate with public and private keys.

Error 787 (ERROR_OAKLEY_AUTH_FAIL)

Message: The L2TP connection attempt failed because the security layer could not authenticate the remote computer.

  • The server computer could not be authenticated by the client.

  • If a certificate-based digital signature is being used for authentication, following are some of the problems that might have caused authentication of the server to fail.

    • The certificate submitted by the server might not be valid and might not be chaining back to a trusted root certification authority (CA).

    • The submitted certificate might not have the correct digital signature.

    • If used for authentication, the preshared key method might be failing.

Contact the network administrator.

Error 788 (ERROR_OAKLEY_ATTRIB_FAIL)

Message: The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.

During the setup of IPsec SA, cryptographic protection suites (encryption and integrity algorithms, authentication method) and keying material (public and private keys) are negotiated between the client and server. The two computers failed to negotiate compatible values for these attributes.

  • Contact the network administrator.

Error 789 (ERROR_OAKLEY_GENERAL_PROCESSING)

Message: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

During the setup of IPsec SA, cryptographic protection suites (encryption and integrity algorithms, authentication method) and keying material (public and private keys) are negotiated between the client and server. The attributes received from the server could not be processed by the client. As a result, the negotiation failed.

  • Contact the network administrator.

Error 790 (ERROR_OAKLEY_NO_PEER_CERT)

Message: The L2TP connection attempt failed because certificate validation on the remote computer failed.

  • A certificate-based digital signature method is being used for the authentication of the client and server computers where the two computers validate each other’s computer certificates. Validation of the certificate submitted by the client failed on the server and the client could not be authenticated. Possible causes are:

    • The certificate presented by the server might not be valid and might not be chaining back to a trusted root CA.

    • The submitted certificate might not have the correct digital signature.

Report the problem to the network administrator. You might need a new certificate.

Error 791 (ERROR_OAKLEY_NO_POLICY)

Message: The L2TP connection attempt failed because security policy for the connection was not found.

An IPsec policy could not be found. Contact the network administrator.

Error 793 (ERROR_OAKLEY_ERROR)

Message: The L2TP connection attempt failed because an error occurred while negotiating security.

During the setup of IPsec SA, cryptographic protection suites (encryption and integrity algorithms, authentication method) and keying material (public and private keys) are negotiated between the client and server. An error occurred during negotiation, and as a result, the negotiation failed.

  • Contact the network administrator.

Error 810 (ERROR_VPN_BAD_CERT)

Message: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid.

A certificate-based digital signature method is being used for the authentication of the client and server computers for which a valid computer certificate is required to be installed on the two computers. The client’s certificate is not valid or has expired. As a result, the client could not be authenticated.

  • Contact the network administrator to get a new, valid computer certificate or renew the current certificate.

Error 811 (ERROR_VPN_BAD_PSK)

Message: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This is typically caused by a pre-shared key problem between the client and server. A pre-shared key is used to guarantee you are who you say you are in an IP Security (IPsec) communication cycle. Please get the assistance of your administrator to determine where the pre-shared key problem is originating.

Preshared key method is being used for the authentication of the client and server computers. The negotiation of cryptographic protection suites (encryption and integrity algorithms, authentication method) and keying material (public and private keys) during IPsec SA setup timed out.

  • Contact the network administrator.

Error 827 (ERROR_IPSEC_SERVICE_STOPPED)

Message: The L2TP/IPsec connection cannot be completed because the IKE and AuthIP IPSec Keying Modules service and/or the Base Filtering Engine service is not running. These services are required to establish an L2TP/IPsec connection. Please ensure that these services have been started before dialing the connection.

From the Services console, check if the IKE and AuthIP IPSec Keying Modules and Base Filtering Engine services are running.

To open the Services console and check if these services are running

  1. In Control Panel, click System and Maintenance.

  2. Click Administrative Tools.

  3. Double-click Services. The list of services and their status (started or stopped) will be displayed. Check if the two services are started and running.

If the IKE and AuthIP IPSec Keying Modules and Base Filtering Engine services are not already running (that is, their status is not displayed as Started), use the Services console to start them: right-click the service and select Start. Contact the network administrator to find out what the Startup Type should be for these services before you start them.

Error 835 (ERROR_INVALID_SERVER_CERT)

Message: The L2TP connection attempt failed because the security layer could not authenticate the remote computer. This could be because one or more fields of the certificate presented by the remote server could not be validated as belonging to the target destination.

A certificate-based digital signature method is being used for the authentication of the client and server computers where the two computers validate each other's computer certificates. The client could not validate some of the fields in the certificate submitted by the server.

For stronger authentication of the server, the client computer running Windows Vista can be configured to verify additional fields (subject-alternate-name, subject-name, and EKU) in a certificate submitted by the server. Sometimes RAS servers do not have these fields set correctly on their computers' certificates; as a result, verification fails and the server cannot be authenticated. This failure also results in the generation of ROUTERLOG_INVALID_SERVER_CERT. Confirm that these additional checks have been enabled on the client.

For connections created using the Network Connections Wizard, the setting for additional checks can be found in the connection properties.

To see if checks have been enabled on the client

  1. In Network Connections, right-click the VPN connection, and then click Properties.

  2. Click the Networking tab.

  3. Click IPsec Settings.

  4. The Verify the Name and Usage attributes of the server's certificate check box in the IPsec Settings dialog box controls the additional checks. If the check box is selected, the checks are enabled.

For Connection Manager profiles, the DisableIKENameEkuCheck key under the [Networking & TunnelDUN] section in the .cms file contains the settings for additional checks on the client. If the key is set to 0, additional checks are enabled for the profile.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section.

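To resolve the failure on the client, disable the additional verification or checks of the server certificate. Doing so removes the stronger server authentication that these checks provide. For connections created using the Network Connections Wizard, the verification settings can be found in the connection properties.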

To disable additional verification or checks of server certificate

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. On the Networking tab, click IPsec Settings, and then clear the Verify the Name and Usage attributes of the server's certificate check box.

For Connection Manager profiles, this can be achieved by configuring the value of the DisableIKENameEkuCheck key in the .cms file to 1.

The ROUTERLOG_DEVICE_CONNECTED event indicates that a basic dial-up or broadband (PPPoE) link or PPTP/L2TP tunnel (for VPN connectivity) has been successfully established. The ROUTERLOG_LINK_ESTABLISHED event is generated soon after the device has been successfully connected; in a multi-link scenario (for example, ISDN BRI/PRI links) where multiple dial-up modems are involved, it is generated after all the devices have been successfully connected. Because a ROUTERLOG_LINK_ESTABLISHED event follows the ROUTERLOG_DEVICE_CONNECTED event, the two events are covered together in this section.

If these are the last informational events to appear during the RAS connection setup process, it means that a failure occurred during the PPP phase of the connection setup.

The following sections categorize the problems that might have caused the failure and provide diagnosis under each category based on the relevant error codes:

  • For errors 647, 648, 649, 691, 708, 764, 778, 798, 801, 805, 812, 826, see PPP user authentication failures.

  • For errors 718, 732, 808, 733, 734, 735, 736, 737, 738, 741, 742, 806, see PPP negotiation failures.

PPP user authentication failures

This section covers failures that appear during the user authentication phase of PPP. These errors apply to dial-up, broadband, and VPN connections unless stated otherwise.

The following errors are covered in this section:

Error 647 (ERROR_ACCT_DISABLED)

Error 648 (ERROR_PASSWD_EXPIRED)

Error 649 (ERROR_NO_DIALIN_PERMISSION)

Error 691 (ERROR_AUTHENTICATION_FAILURE)

Error 708 (ERROR_ACCT_EXPIRED)

Error 764 (ERROR_NO_SMART_CARD_READER)

Error 778 (ERROR_UNABLE_TO_AUTHENTICATE_SERVER)

Error 798 (ERROR_NO_EAPTLS_CERTIFICATE)

Error 801 (ERROR_VALIDATING_SERVER_CERT)

Error 805 (ERROR_INVALID_MSCHAPV2_CONFIG)

Error 812 (ERROR_SERVER_POLICY)

Error 826 (ERROR_EAPTLS_CACHE_CREDENTIALS_INVALID)

Error 647 (ERROR_ACCT_DISABLED)

Message: The account is disabled.

The user's remote access account has been disabled. Therefore, the user's RAS connection request is being rejected by the server.

  • Contact the ISP or network administrator to enable the account.

Error 648 (ERROR_PASSWD_EXPIRED)

Message: The password for this account has expired.

This error code applies only to password-based authentication protocols such as PAP, CHAP, MSCHAPv2, and EAP-MSCHAPv2. The RAS account password entered by the user has expired. If the user is not being prompted to change the password, it is because the RAS server does not support password change.

  • Contact the ISP or network administrator to change the password on the account.

Error 649 (ERROR_NO_DIALIN_PERMISSION)

Message: The account does not have permission to dial in.

The administrator of the ISP or remote network has not granted the user permission to set up a RAS connection.

  • Contact the ISP or network administrator to obtain the permissions required to set up a remote access connection.

Error 691 (ERROR_AUTHENTICATION_FAILURE)

Message: The connection was denied because the username and/or password you specified is invalid. This could be caused by the following conditions: Your username and/or password was mis-typed. The specified username does not exist on the server. Your password has expired. The administrator has not given you access to connect remotely. The selected authentication protocol is not permitted on the remote server.

This error code applies only to password-based authentication protocols such as PAP, CHAP, MSCHAPv2, and EAP-MSCHAPv2.

  • Try connecting again. Specify the correct user name and password for the remote access account.

Error 708 (ERROR_ACCT_EXPIRED)

Message: The account has expired.

The user's remote access account has expired. Therefore, the user's RAS connection request is being rejected by the server.

  • Contact the ISP or network administrator and renew the account.

Error 764 (ERROR_NO_SMART_CARD_READER)

Message: No smart card reader is installed.

The RAS connection requires a smart card for authentication. However, either a smart card reader is not connected to the user's computer or a smart card reader with drivers is not installed. If a smart card reader is connected to the computer, check Device Manager for its status.

To open Device Manager and check the status of the smart card reader

  1. In Control Panel, click Device Manager.

  2. Under Smart card readers, locate the smart card reader.

  3. Right-click the smart card reader, and then click Properties.

  4. On the General tab, check the status of the card reader. On the Driver tab, make sure that the drivers are installed and enabled.

Connect a smart card reader to the computer, insert a smart card into the reader, and then try to set up the connection. If a smart card reader was never installed on the computer, install the drivers that came with the reader, connect the smart card reader, and check in Device Manager if the reader is correctly installed.

Error 778 (ERROR_UNABLE_TO_AUTHENTICATE_SERVER)

Message: It was not possible to verify the identity of the server.

The RAS client could not authenticate the server. This happens when the authentication protocol negotiated between the client and the server is MSCHAPv2, EAP-TLS, PEAP-TLS, or PEAP-MSCHAPv2. In the case of MSCHAPv2 and PEAP-MSCHAPv2, which are password-based authentication protocols, the client checks if the RAS server has knowledge of the client's password. This check might have failed. In the case of EAP-TLS and PEAP-TLS, which are certificate-based authentication protocols, the client validates the certificate submitted by the server. This validation might have failed. To find the authentication protocol configured on the client:

For connections created using the Network Connections Wizard, the authentication protocol settings can be found in the connection properties.

To review the authentication protocol settings

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. On the Security tab, select Advanced (custom settings), and then click Settings.

  3. The configured authentication protocols will be displayed in Advanced Security Settings. If PEAP is being used, under EAP, click Properties. The authentication protocol (PEAP-MSCHAPv2 or PEAP with certificates) will be displayed in Protected EAP Properties in Select Authentication Method.

For Connection Manager VPN profiles, if the value of the Require_MSCHAPv2 key under the [Server & TunnelDUN] section in the .cms file is set to 1, the configured authentication protocol is MSCHAPv2. If the value of Require_EAP key under the [Server & TunnelDUN] section is set to 1 and the CustomAuthKey key is present under this section, an EAP or PEAP authentication protocol is configured based on the value of the CustomAuthKey key. The following are the possible values of this key and the corresponding authentication protocols.

Value   Authentication protocol
13      EAP-TLS
25      PEAP-TLS
26      PEAP-MSCHAPv2

For Connection Manager dial-up profiles, the same keys and values are used for the authentication protocol and can be found under the [Server & EntryName] section in the .cms file.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section. EntryName is the name of the dial-up connection.

Error 798 (ERROR_NO_EAPTLS_CERTIFICATE)

Message: A certificate could not be found that can be used with this Extensible Authentication Protocol.

The authentication protocol negotiated between the client and server is either EAP-TLS or PEAP-TLS, both of which require user certificates for authentication. A certificate could not be found on the client and the client therefore could not be authenticated. The required certificate is present either on a smart card or on the user's computer. For connections created using the Network Connections Wizard, this information can be found in the connection properties.

To get the required user certificate

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. On the Security tab, select Advanced (custom settings), and then click Settings.

  3. The Advanced Security Settings dialog box will be displayed with Use Extensible Authentication Protocol (EAP) selected. If the EAP protocol in the drop-down list is Smart Card or other certificate (encryption enabled), click Properties.

  4. The When Connecting option shows the certificate type configured. If the EAP protocol in the drop-down list is Protected EAP (PEAP) (encryption enabled), click Properties. In the properties window, the Select Authentication Method drop-down list will display Smart Card or other certificate. Click Configure. A new properties window will be displayed, and the When Connecting option will show the certificate type configured.

For Connection Manager profiles, it is difficult to find out which kind of certificate the client is configured to use. To find out the certificate type, contact the administrator who provided the profile.

If the client is configured to use a user certificate stored on the computer, the failure might be occurring because a user certificate is not present on the computer.

  • Contact the ISP or network administrator to obtain a new certificate or renew the existing certificate.

If the client is configured to use a smart card certificate, the failure might be due to a damaged smart card. It is also possible that a user certificate is present but not valid, or that it has expired or become corrupted.

  • Contact the ISP or network administrator to get a new certificate, renew an existing certificate on the smart card, or obtain a new, valid smart card.

Error 801 (ERROR_VALIDATING_SERVER_CERT)

Message: This connection is configured to validate the identity of the access server, but Windows cannot verify the digital certificate sent by the server.

The authentication protocol negotiated between the client and server is either EAP-TLS or PEAP-TLS, both of which are certificate-based authentication protocols. The client validates the certificate submitted by the server to authenticate the server. This validation failed. Possible causes are:

  • The certificate submitted by the server might not be valid and might not be chaining back to a trusted root CA.

  • The submitted certificate might not have a proper digital signature.

Contact the ISP or network administrator.

Error 805 (ERROR_INVALID_MSCHAPV2_CONFIG)

Message: You cannot dial using this connection at logon time, because it is configured to use logged on user's credentials.

This error applies most often to VPN connections. The client is configured to use Windows login user name and password as the credentials for MSCHAPv2 authentication protocol. The user is trying to set up a RAS connection using the PLAP feature, which enables the user to log in to his computer and simultaneously set up a RAS connection. With PLAP, the credentials used for logging in to the computer are the same as those used for the remote access login. Because the client is configured to use Windows login credentials that are not available unless the user is already logged in, this connection cannot be used with PLAP.

Change the connection properties to not use Windows login user name and password as the credentials for MSCHAPv2 authentication protocol. For connections created using the Network Connections Wizard, this information can be found in the connection properties.

Change connection authentication properties

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. Click the Security tab, select Advanced (custom settings), and then click Settings.

  3. The Advanced Security Settings dialog box will be displayed with Allow these protocols selected. Confirm the MS-CHAPv2 check box is selected.

  4. Under MSCHAPv2, clear Automatically use my Windows logon name and password (and domain, if any).

For Connection Manager VPN profiles, the value of the Require_MSCHAPv2 key under the [Server & TunnelDUN] section in the .cms file will be set to 1 to indicate that MSCHAPv2 authentication protocol is configured. The UseWinLogonCredentials key under the same section determines whether the Windows logon credentials should be used for MSCHAPv2 authentication. Set the value of this key to 0 to not use Windows logon credentials.

Error 812 (ERROR_SERVER_POLICY)

Message: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

This error appears when a server running Internet Authentication Server (IAS) or Network Policy Server (NPS) is used for authentication of the client. The client and the RAS server were able to negotiate an authentication protocol, but the server running NPS does not support the negotiated authentication protocol and therefore is not able to recognize the credentials submitted by the client.

  • Contact the ISP or network administrator. All authentication protocols supported by the RAS server should also be supported on IAS or NPS.

Error 826 (ERROR_EAPTLS_CACHE_CREDENTIALS_INVALID)

Message: EAPTLS validation of the cached credentials failed. Please discard cached credentials.

The authentication protocol negotiated between the client and server is EAP-TLS, which is a certificate-based authentication protocol. EAP-TLS requires valid certificates to be present on the client and server for authentication. This error indicates that EAP-TLS is using credentials cached on the client computer that are not valid, or that are expired or corrupted.

  • Contact the network administrator.

PPP negotiation failures

Negotiations in PPP protocol execution occur during the Link Control Protocol (LCP) and Network Control Protocol (NCP) phases. Link and PPP parameters are negotiated during LCP and network parameters are negotiated during NCP. This section covers failures that occur during LCP and NCP negotiations.

The following errors are covered in this section:

Error 718 (ERROR_PPP_TIMEOUT)

Error 732 (ERROR_PPP_NOT_CONVERGING)

Error 808 (ERROR_VPN_TIMEOUT)

Error 733 (ERROR_PPP_CP_REJECTED)

Error 734 (ERROR_PPP_LCP_TERMINATED)

Error 735 (ERROR_PPP_REQUIRED_ADDRESS_REJECTED)

Error 736 (ERROR_PPP_NCP_TERMINATED)

Error 737 (ERROR_PPP_LOOPBACK_DETECTED)

Error 738 (ERROR_PPP_NO_ADDRESS_ASSIGNED)

Error 741 (ERROR_NO_LOCAL_ENCRYPTION)

Error 742 (ERROR_NO_REMOTE_ENCRYPTION)

Error 806 (ERROR_VPN_GRE_BLOCKED)

Error 718 (ERROR_PPP_TIMEOUT)

Message: The connection was terminated because the remote computer did not respond in a timely manner. For further assistance, click More Info or search Help and Support Center for this error number.

This error occurs when the PPP protocol times out. Following are some of the causes:

  • Network connectivity problems might be causing traffic loss or latency, leading to delayed responses to the client. In the case of a dial-up connection, the problem might be in the telephone network. In the case of a broadband connection, the problem might be in the broadband access network. In the case of VPN connections, there might be a problem with Internet connectivity. You can check the status of the Internet connection in Network Connections.

  • Problems on the remote access server might be causing responses to be delayed. For example, the server might have reached capacity and its responses might be slow.

Contact the ISP, the telephone network company, or the network administrator of the remote network.

Error 732 (ERROR_PPP_NOT_CONVERGING)

Message: Your computer and the remote computer could not agree on PPP control protocols.

and

Error 808 (ERROR_VPN_TIMEOUT)

Message: The network connection between your computer and the VPN server could not be established because the remote server refused the connection. This is typically caused by a mismatch between the server's configuration and your connection settings. Please contact the remote server's Administrator to verify the server configuration and your connection settings.

This error indicates that the RAS client and server could not agree on the value of one of the several parameters that are negotiated during the LCP and NCP phases of PPP. Following are the parameters and options whose negotiation might have failed.

LCP phase: Callback

The client and server might not have been able to agree on whether to execute the callback control phase. Callback applies to dial-up connections only. Callback causes the client and server to disconnect after authentication. The server then calls the client back at a specified phone number. The NCP phase of PPP occurs over this new link. Callback is therefore a cost-saving means for the client. Check the settings on the client.

For connections created using the Network Connections Wizard, the callback settings can be found in the connection properties.

To check callback settings

  1. In Network Connections, right-click the dial-up connection, and then click Properties.

  2. Click the Options tab, and then click PPP Settings. PPP settings will be displayed.

  3. The Enable LCP Extensions check box controls the negotiation of callback settings on the connection. Check to see if this option is enabled.

For Connection Manager profiles, the Disable_LCP key under the [Server & EntryName] section in the .cms file contains the LCP Extensions settings. If the key is set to 1, LCP Extensions are enabled; if the key is set to 0, LCP Extensions are disabled.

EntryName is the name of the dial-up connection.

Authentication protocol

The client and server might not have been able to agree on an authentication protocol to use during the authentication phase of PPP. Check the authentication protocols configured on the client.

For connections created using the Network Connections Wizard, the authentication protocol can be found in the connection properties.

To check the authentication protocol

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. On the Security tab, select Advanced (custom settings), and then click Settings.

  3. The Advanced Security Settings dialog box displays the configured authentication protocols. If PEAP is being used, under PEAP, click Properties. The Protected EAP Properties dialog box displays the authentication protocol (PEAP-MSCHAPv2 or PEAP with certificates) in Select Authentication Method.

For Connection Manager, the Require_PAP, Require_CHAP, and Require_MSCHAP2 keys under the [Server & TunnelDUN] section in the .cms file are used to configure the PAP, CHAP, and MSCHAPv2 protocols, respectively. When a key is set to 1, the corresponding authentication protocol is enabled. If the Require_EAP key under the [Server & TunnelDUN] section is set to 1 and the CustomAuthKey key is present under this section, an EAP or PEAP authentication protocol is configured based on the value of the CustomAuthKey key. The possible values of this key and the corresponding authentication protocols are 13 (EAP-TLS), 25 (PEAP-TLS), and 26 (PEAP-MSCHAPv2).

For Connection Manager dial-up profiles, the same keys and values are used for the authentication protocol and can be found under the [Server & EntryName] section in the .cms file.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section. EntryName is the name of the dial-up connection.

The MSCHAP authentication protocol is not supported in Windows Vista, so this protocol is not found in the properties of a connection created using the Network Connections Wizard. MSCHAP cannot be enabled on Connection Manager profiles either. If the RAS server uses CHAP for authentication, the negotiation will fail.

NCP phase: IP-based parameters

The client and server might not have been able to negotiate IP-based parameters and options such as the client's IP address and primary and secondary DNS and NBNS (WINS) servers. Check if any of these parameters have been manually configured on the client. The configuration of these parameters is not recommended without the approval of the network administrator.

IPX and AppleTalk are not supported on client computers running Windows Vista.

For connections created using the Network Connections Wizard, the IP-based parameters and options can be found in the properties of the connection.

To review the IP-based parameters and options

  1. In Network Connections, select the RAS connection, and then right-click and select Properties.

  2. On the Networking tab, select TCP/IPv4 or TCP/IPv6 (depending on the IP networking type), and then click Properties. The properties dialog box will display any configured static IP address and DNS server IP addresses.

  3. Click Advanced. On Advanced TCP/IP Settings, the configured NBNS (WINS) server IP address (if any) can be found on the WINS tab.

For Connection Manager VPN profiles, the Specify_IP_Address key is set to 1 when a static IP address is specified for the client. The Specify_Server_Address key is set to 1 when static IP addresses are specified for the DNS and WINS servers. Both keys can be found under the [TCP/IP & TunnelDUN] section in the .cms file. When these keys are set to 1, the IP_Address, DNS_Address, DNS_Alt_Address, WINS_Address, and WINS_Alt_Address keys under the same section contain the client's statically configured IP address and the statically configured DNS and WINS server addresses, respectively.

For Connection Manager dial-up profiles, the same keys and values are used for the IP parameter settings and can be found under the [TCP/IP & EntryName] section in the .cms file.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section. EntryName is the name of the dial-up connection.

The client and server might not have been able to negotiate the compression of data traffic on the remote access connection. Check the compression settings on the client.

For connections created using the Network Connections Wizard, the compression settings can be found in the properties of the connection.

To review the compression settings

  1. In Network Connections, right-click the dial-up connection, and then click Properties.

  2. On the Options tab, click PPP Settings.

  3. The Enable Software Compression check box controls the negotiation of data compression on the RAS connection. Check if this option is enabled.

For Connection Manager VPN profiles, the SW_Compress key under the [Server & TunnelDUN] section in the .cms file contains the data compression setting for the profile. When the value of this key is set to 1, data compression is negotiated.

For Connection Manager dial-up profiles, the same keys and values are used for the data compression settings and can be found under the [Server & EntryName] section in the .cms file.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section. EntryName is the name of the dial-up connection.

The client and server might not have been able to negotiate data encryption for the remote access connection. In the case of VPN connections, this only applies for PPTP tunnels. For L2TP tunnels, the encryption is negotiated during IPsec SA establishment. Check the data encryption settings on the client.

For connections created using the Network Connections Wizard, the data encryption settings can be found in the properties of the connection.

To review the data encryption settings

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. Click the Security tab.

  3. Select Advanced (custom settings), and then click Settings.

  4. The data encryption setting is displayed under Data Encryption.

For Connection Manager profiles, the EncryptionType key under the [Server & TunnelDUN] section in the .cms file contains the data encryption settings. Following are the possible values of this key and the settings to which they correspond:

Value   Tunnel Data Encryption Setting
0       No Encryption
1       Encryption Required
2       Maximum Strength Encryption
3       Optional Encryption

For Connection Manager dial-up profiles, the same key and values are used for the data encryption settings and can be found under the [Server & EntryName] section in the .cms file.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section. EntryName is the name of the dial-up connection.

Contact the ISP or the network administrator and find out the recommended settings for Callback, Authentication Protocol, IP parameters, Compression, and Encryption.

  • For connections created using the Network Connections Wizard, the recommended settings can be configured through the connection settings.

  • For Connection Manager profiles, the settings can be changed by changing the values of the respective keys in the .cms file.
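
The .cms keys described in this topic (DisableIKENameEkuCheck, the Require_* keys, CustomAuthKey, UseWinLogonCredentials, and EncryptionType) can be reviewed in one pass. The following Python script is an added example, not Microsoft code: it resolves TunnelDUN from the [Connection Manager] section, reads the tunnel's settings, and reports the values that weaken the connection. The two profiles and the entry name "Example VPN Tunnel" are constructed, and the key spellings are those used in this topic.

```python
"""Audit the security-relevant keys of a Connection Manager .cms profile."""
import configparser

# Value tables as given in the text for CustomAuthKey and EncryptionType.
CUSTOM_AUTH = {"13": "EAP-TLS", "25": "PEAP-TLS", "26": "PEAP-MSCHAPv2"}
ENCRYPTION = {"0": "No Encryption", "1": "Encryption Required",
              "2": "Maximum Strength Encryption", "3": "Optional Encryption"}
# The text spells the MSCHAPv2 key two ways; accept either spelling.
MSCHAPV2_KEYS = ("Require_MSCHAPv2", "Require_MSCHAP2")

# Constructed sample profiles (hypothetical entry name, not from a real deployment).
WEAK_CMS = """\
[Connection Manager]
TunnelDUN=Example VPN Tunnel

[Server & Example VPN Tunnel]
Require_PAP=1
Require_CHAP=0
Require_MSCHAPv2=1
UseWinLogonCredentials=1
EncryptionType=3

[Networking & Example VPN Tunnel]
DisableIKENameEkuCheck=1
"""

HARDENED_CMS = """\
[Connection Manager]
TunnelDUN=Example VPN Tunnel

[Server & Example VPN Tunnel]
Require_PAP=0
Require_EAP=1
CustomAuthKey=13
EncryptionType=2

[Networking & Example VPN Tunnel]
DisableIKENameEkuCheck=0
"""


def audit_profile(text):
    """Return (settings, findings) for the VPN tunnel entry of a .cms profile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",),
                                   comment_prefixes=(";",))
    cp.read_string(text)  # option names are lower-cased, so lookups ignore case
    tunnel = cp.get("Connection Manager", "TunnelDUN", fallback=None)
    if not tunnel:
        raise ValueError("no TunnelDUN key under [Connection Manager]")
    server, networking = f"Server & {tunnel}", f"Networking & {tunnel}"

    def key(section, name):
        value = cp.get(section, name, fallback=None)
        return value.strip() if value else None

    # A password-based protocol is enabled when its Require_* key is 1.
    protocols = [label for label, names in (("PAP", ("Require_PAP",)),
                                            ("CHAP", ("Require_CHAP",)),
                                            ("MSCHAPv2", MSCHAPV2_KEYS))
                 if any(key(server, n) == "1" for n in names)]
    # EAP/PEAP is configured when Require_EAP is 1 and CustomAuthKey is present.
    auth_key = key(server, "CustomAuthKey")
    if key(server, "Require_EAP") == "1" and auth_key is not None:
        protocols.append(CUSTOM_AUTH.get(auth_key,
                                         f"EAP type {auth_key} (not in table)"))

    enc = key(server, "EncryptionType")
    eku = key(networking, "DisableIKENameEkuCheck")
    winlogon = key(server, "UseWinLogonCredentials") == "1"
    settings = {
        "tunnel_entry": tunnel,
        "auth_protocols": protocols,
        "encryption": ENCRYPTION.get(enc, "not set or unknown"),
        "name_eku_check": {"0": "enabled", "1": "disabled"}.get(eku, "not set"),
        "use_winlogon_credentials": winlogon,
    }

    findings = []
    if "PAP" in protocols:
        findings.append("Require_PAP=1: PAP sends the password in clear text")
    if enc in ("0", "3"):
        findings.append(f"EncryptionType={enc} ({ENCRYPTION[enc]}): "
                        "data encryption is not enforced")
    if eku == "1":
        findings.append("DisableIKENameEkuCheck=1: name and EKU checks on the "
                        "server certificate are turned off")
    if winlogon and "MSCHAPv2" in protocols:
        findings.append("UseWinLogonCredentials=1 with MSCHAPv2: dialing at "
                        "logon fails with error 805")
    return settings, findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CMS), ("hardened", HARDENED_CMS)):
        settings, findings = audit_profile(text)
        print(name, settings)
        for finding in findings:
            print("  finding:", finding)
```

For a dial-up profile, the same keys are read from the [Server & EntryName] section instead of [Server & TunnelDUN].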

Error 733 (ERROR_PPP_CP_REJECTED)

Message: A connection to the remote computer could not be completed. You might need to adjust the protocols on this computer. For further assistance, click More Info or search Help and Support Center for this error number.

During the NCP phase of PPP, several network parameters are negotiated between the client and server using multiple control protocols. For example, Internet Protocol Control Protocol (IPCP) is used for the negotiation of IP-based parameters, and Compression Control protocol (CCP) is used for the negotiation of compression and encryption. A control protocol on the client is not supported on the server. Therefore, it is not possible to negotiate the corresponding network parameters.

  • Contact the ISP or network administrator to disable the control protocol that the client is trying to use for negotiation. The remote access server does not support this protocol.

Error 734 (ERROR_PPP_LCP_TERMINATED)

Message: The PPP link control protocol was terminated.

Link and PPP parameters are negotiated during the LCP phase of PPP. LCP terminated abruptly. Following are some possible causes:

  • Network problems might be causing delay or loss in PPP traffic between the client and server. This results in the timeout of PPP on the client, causing LCP to terminate.

  • The RAS server might not be responding to the client.

Contact the ISP and the network administrator of the remote network.

Error 735 (ERROR_PPP_REQUIRED_ADDRESS_REJECTED)

Message: The requested address was rejected by the server.

The static IP address requested by the client was rejected by the server. Check the static IP address configured on the client.

For connections created using the Network Connections Wizard, the IP-based parameters and options can be found in the connection properties.

To review the IP-based parameters

  1. In Network Connections, right-click the RAS connection, and then click Properties.

  2. Click the Networking tab.

  3. Select the TCP/IPv4 or TCP/IPv6 option (depending on the IP networking type), and then click Properties. The properties window displays any static IP address.

For Connection Manager VPN profiles, the IP_Address key under the [TCP/IP & TunnelDUN] section in the .cms file contains the statically configured IP address on the client.

For Connection Manager dial-up profiles, the same key can be found under the [TCP/IP & EntryName] section in the .cms file.

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section. EntryName is the name of the dial-up connection.

Error 736 (ERROR_PPP_NCP_TERMINATED)

Message: The remote computer terminated the control protocol.

Network parameters are negotiated during the NCP phase of PPP. NCP terminated abruptly. Network problems might be causing delay or loss in PPP traffic between the client and server. This results in the timeout of PPP on the server, causing NCP to terminate.

  • Contact the ISP or the network administrator of the remote network.

Error 737 (ERROR_PPP_LOOPBACK_DETECTED)

Message: Loopback was detected.

A loopback was detected on the user's computer: the PPP stack on the computer is receiving the same frames that it sent out to the RAS server.

  • Contact the ISP or the network administrator of the remote network.

Error 738 (ERROR_PPP_NO_ADDRESS_ASSIGNED)

Message: The server did not assign an address.

The server could not assign an IP address to the client. The following are some possible reasons:

  • If the remote access server uses a statically configured IP address pool, it might have run out of IP addresses.

  • If the remote access server obtains IP address blocks from a DHCP server, the DHCP server might have run out of IP addresses, or a scope for the client might not have been defined.

Contact the ISP or the network administrator of the remote network.

Error 741 (ERROR_NO_LOCAL_ENCRYPTION)

Message: The local computer does not support the required data encryption type.

The client and server have not been able to negotiate data encryption for the remote access connection. Given that connection setup failed after the ROUTERLOG_DEVICE_CONNECTED event, in the case of VPN connections, this error applies to PPTP tunnels only. For L2TP VPN tunnels, data encryption settings are negotiated during IPsec SA establishment.

The tunnel data encryption settings on the client and server might not be compatible. Check the settings on the client.

For connections created using the Network Connections Wizard, the tunnel data encryption settings can be found in the connection properties.

To review the tunnel data encryption settings

  1. In Network Connections, right-click the VPN connection, and then click Properties.

  2. Click the Security tab.

  3. Select Advanced (custom settings), and then click Settings.

  4. The tunnel data encryption setting is displayed in the drop-down list under Data Encryption.

For Connection Manager profiles, the EncryptionType key under the [Server & TunnelDUN] section in the .cms file contains the tunnel data encryption settings. Following are the possible values of these keys and the settings to which they correspond:

Value   Tunnel data encryption setting
0       No Encryption
1       Encryption Required
2       Maximum Strength Encryption
3       Optional Encryption

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section.

Encryption might be required on the server, but might be disabled on the client. It is also possible that the server requires stronger encryption than what is configured on the client.

Contact the network administrator and find out which encryption settings are being used on the remote access server. If the server requires only normal encryption, the client encryption settings should be Optional Encryption or Encryption Required. If the server requires strong encryption, the client should be configured for Maximum Strength Encryption.

  • For connections created using the Network Connections Wizard, the tunnel encryption settings can be changed through the connection properties.

  • For Connection Manager profiles, the encryption settings can be changed by changing the value of the EncryptionType key in the .cms file to the appropriate value.

Error 742 (ERROR_NO_REMOTE_ENCRYPTION)

Message: The remote computer does not support the required data encryption type.

The client and server have not been able to negotiate data encryption for the remote access connection. Given that connection setup failed after the ROUTERLOG_DEVICE_CONNECTED event, in the case of VPN connections, this error applies to PPTP tunnels only. For L2TP VPN tunnels, data encryption settings are negotiated during IPsec SA establishment.

The tunnel data encryption settings on the client and server might not be compatible. Check the settings on the client.

For connections created using the Network Connections Wizard, the tunnel data encryption settings can be found in the connection properties.

To review the tunnel data encryption settings

  1. In Network Connections, right-click the VPN connection, and then click Properties.

  2. Click the Security tab.

  3. Select Advanced (custom settings), and then click Settings.

  4. The tunnel data encryption setting is displayed in the drop-down menu under Data Encryption.

For Connection Manager profiles, the EncryptionType key under the [Server & TunnelDUN] section in the .cms file contains the tunnel data encryption settings. Following are the possible values of these keys and the settings to which they correspond:

Value   Tunnel data encryption setting
0       No Encryption
1       Encryption Required
2       Maximum Strength Encryption
3       Optional Encryption

The value of TunnelDUN, which is a key itself, can be found under the [Connection Manager] section.

Encryption might be required on the client, but might be disabled on the server. It is also possible that the client requires stronger encryption than what is configured on the server.

Contact the network administrator and find out the encryption settings on the remote access server. If encryption is not configured on the server, it should be disabled on the client, too, by configuring No Encryption or Optional Encryption. If the server requires only normal encryption, the client configuration should be Encryption Required.

  • For connections created using the Network Connections Wizard, the tunnel encryption settings can be changed through the connection properties.

  • For Connection Manager profiles, the encryption settings can be changed by changing the value of the EncryptionType key in the .cms file to the appropriate value.
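
The .cms lookups described for errors 735, 741, and 742, as an added Python example that is not part of the original documentation: it resolves TunnelDUN under [Connection Manager], then reads EncryptionType and IP_Address for that entry. The profile text, entry name, and function names are constructed for illustration, and the parser assumes section headers may be written with or without spaces around the ampersand.

```python
import re

# EncryptionType values and the settings they correspond to, as listed on this page.
ENCRYPTION_TYPES = {"0": "No Encryption", "1": "Encryption Required",
                    "2": "Maximum Strength Encryption", "3": "Optional Encryption"}

def _norm(name):  # assumption: "[Server & X]" and "[Server&X]" name the same section
    return re.sub(r"\s*&\s*", "&", name.strip()).lower()

def parse_cms(text):  # INI-style .cms text -> {section: {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(_norm(header.group(1)), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def review_profile(text, entry_name=None):
    """Return the encryption and static-IP settings of a VPN or dial-up entry."""
    sections = parse_cms(text)
    # VPN: entry is the TunnelDUN value; dial-up: pass the connection name as entry_name.
    entry = entry_name or sections.get("connection manager", {}).get("tunneldun")
    if not entry:
        raise ValueError("no TunnelDUN key found and no entry_name given")
    value = sections.get(_norm("Server&" + entry), {}).get("encryptiontype")
    return {
        "entry": entry,
        "encryption_type": value,
        "setting": ENCRYPTION_TYPES.get(value, "not set or unrecognized"),
        # Values 0 and 3 permit a connection with no data encryption.
        "allows_unencrypted": value in ("0", "3"),
        "static_ip": sections.get(_norm("TCP/IP&" + entry), {}).get("ip_address"),
    }

# Constructed sample profile (hypothetical entry name, documentation-range address).
SAMPLE_CMS = """\
[Connection Manager]
TunnelDUN=Contoso Tunnel
[Server&Contoso Tunnel]
EncryptionType=3
[TCP/IP & Contoso Tunnel]
IP_Address=192.0.2.25
"""

if __name__ == "__main__":
    print(review_profile(SAMPLE_CMS))
```

Running this over the profiles distributed to clients shows which entries are set to a value the server will reject, and which would still connect if encryption were turned off on the server.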

Error 806 (ERROR_VPN_GRE_BLOCKED)

Message: The VPN connection between your computer and the VPN server could not be completed. The most common cause for this failure is that at least one Internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets. If the problem persists, contact your network administrator or Internet Service Provider.

This error applies only when the PPTP tunneling protocol is used for the VPN connection. After the PPTP tunnel is set up, PPP frames are encapsulated in GRE packets before they are sent through the tunnel. At least one device on the network is configured to block GRE packets. As a result, PPP frames sent by the client and server are dropped on the way.

  • Enable IP protocol number 47 (GRE) on all firewalls and routers in the network between the client and remote access server so that GRE frames are not dropped.

  • Consider using the SSTP tunnel type, which does not use the GRE protocol.