This guide will help you troubleshoot cases where an Always On VPN fails to install and connect. It is the sixth part in our series about Always On VPNs.

An Always On VPN infrastructure is complex. The chances are that if you are reading this, your Always On VPN setup is failing to connect clients to your internal network. This could be caused by an invalid VPN certificate, incorrect NPS policies, or issues in Routing and Remote Access. Or you might be running into problems with the client deployment scripts from Microsoft. Either way, let’s walk through the Always On VPN connection process and fix some failures!

Understanding the core components of the Always On VPN infrastructure is the first step in troubleshooting and testing your VPN connection. If you haven’t done so, review this services guide first as it lays out the server role relationships.

This article is divided into two sections. In the first section, client installation issues are discussed. In the second session, client connection issues are addressed. Because Always On VPN services are interrelated, there will be some overlap between the two sections.

PowerShell installation script issues

Grab a test machine and ensure that you are connected to an external network. I prefer to use the computer that I configured the VPN template on as it allows me to test initial golden settings. Select your VPN template (either in Settings or from the notification area at the bottom right of the Taskbar). Press Connect.

Testing the Always On VPN template.

Testing the Always On VPN template.

Hopefully, your VPN template connected successfully. If it did not, you will need to refer to the second section and resolve the template connection issue first. Now disconnect the session and install the Always On VPN profile. There are multiple ways to install the VPN profile, and the most troublesome one is when using the VPN_Profile.ps1 script.

The most common issues when manually running the VPN_Profile.ps1 script are:

  1. The user is not logged in interactively, or you are using a remote connection tool that messes with the user logon detection mechanism. Ensure that RDP or another remote connection method is not being used.
  2. The user is not an administrator of that local machine while the script is being run. (They do not have to be an administrator after the script has completed successfully.)
  3. Additional PowerShell security features have been enabled. Ensure that the PowerShell execution policy is not blocking the script. Consider turning off Constrained Language mode if enabled. (Constrained Language mode can be activated after the script completes successfully.)
  4. Other security features, such as AppLocker, are blocking the script from completing.

If you are still having an issue installing the VPN connection on a client, leave a detailed comment below.

Always On VPN client connection fails

Good news! The problem is likely to be a small misconfiguration or missing check mark somewhere. The trick is finding out where that misconfiguration is. On the client template machine, open the Application Event log and look for events with a RasClient source. You should see a message and an error code. Microsoft provides some basic guidance for Always On VPN 800 X errors here.

Always On VPN Error Code 809 is caused by UDP 500 or 4500 being blocked on the VPN server or the firewall.

An Always On VPN client goes through several steps before a connection is established. The items listed below are roughly in order from the beginning until the end of the connection process.

  • Is the template machine externally connected? A whatismyip scan should show a public IP address that does not belong to you.
  • Can you resolve the Remote Access/VPN server name to an IP address. In Control Panel\Network and Internet\Network Connections, open the properties for your VPN Profile. The value in the General tab should be publicly resolvable through DNS.
  • Can you access the VPN server from an external network? Consider opening ICMP to the external interface and pinging the name from the remote client. After a ping is successful, you can remove the ICMP allow rule.
  • Do you have the internal and external NICs on the VPN server configured correctly? Are they in different subnets? Does the external NIC connect to the correct interface on your firewall?
  • Are UDP 500 and 4500 open from the client to the VPN server’s external interface? Check the client firewall, server firewall, and any hardware firewalls.
  • Port 500 is used for IPSEC. Ensure that you do not have IPEC disabled or blocked anywhere.
  • Does everyone have the correct certificates (users and servers)? Refer to Part 2 if you aren’t sure.
  • Check your NPS rules and client configuration carefully. Ensure that you have the correct VPN server IP specified as an NPS client. Make sure that you are authenticating with PEAP, and the Protected EAP properties should only allow authentication with a certificate. You can check the NPS event logs for authentication failures. Refer to Part 3.
  • Is certificate validation failing? If you are not sure, test by unchecking Verify the server’s identity; click Configure and uncheck the same option there as well.
    Testing certificate validation issues with Always On VPN connections

    Testing certificate validation issues with Always On VPN connections

    If you connect but do not have internet/local network access, check your DHCP/VPN server IP pools for configuration issues.

  • If you connect and have a valid internal IP but do not have access to local resources, ensure that clients know how to get to those resources. Your VPN server can be used to route requests.

Hopefully, your issue was fixed in one of the bullet points above! If you still have a connection issue, leave a detailed comment below. If you had another problem and fixed it, be sure to let me know as well.

  1. Avatar
    Sergey 5 years ago


    First the post is amazing and it was really easy for me to setup everything by following it.

    If you could help me as I have client connected, but apparently because of not havving proper configuration on my Cisco ASA client have problems connecting to LAN after recieving IP address.

    Any suggestion would help. Much appreciated.

  2. Avatar Author

    Thank you, Sergey! Do you have any routing statements in your Always On VPN profile?

    • Avatar
      Sergey 5 years ago


      I’m sorry for the late reply, but I was thrown into another projects.

      I don’t have any routing statement in profile. Should I?

      I believe that I missed something and cannot find what exactly.

      Thank you

      • Avatar
        Sergey 5 years ago

        Hi Joseph,

        I found how to add routing statements in my VPN profile.

        Connection is done and I see routes for internal subnets in routing table.

        When I do trace route to internal ip I hit the VPN Server and then nothing.

        I’m not sure what could be missing on RRAS VPN server.

        Any ideas?

        Thank you

  3. Avatar
    Connor Williams 5 years ago

    Hey Joseph.

    I am getting an IKE certificate cannot be found on the VPN server error. I have checked the certificates and the templates and everything appears to be correct. I have done some searching on the internet, but everything just says make sure the certs are there. Now what?

  4. Avatar Author

    Hey Connor – what did you find out about your problem?

  5. Avatar
    Harris 4 years ago

    AutoVPN working without issue for a year, today users have started to get the below error:

    "IKE failed to find a valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate certificate store."

    Checked local cert and the certsrv and the certs are expiring, however there not renewing ?


    I check the below settings again, just in case I have missed the "Renew" tickbox, which I had not.

    In the Group Policy Management Console (GPMC), create and link a new Group Policy Object (GPO) to the root of your domain. Name this GPO Certificate Enrollment and do not change the security scope from Authenticated Users. Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and select Properties. Change Configuration Model to Enabled and check the next two boxes. Click OK.

    Anyone come accross this issue before

  6. Avatar
    Kyle 4 years ago


    I know if this a really old post, but I am hoping you see this and can maybe help me.  I have gone through creating VPN_Profile.ps1 per MS instructions using a template profile.  Template profile does connect successfully.  The script runs successfully, without errors, but it does not seem to put all of the information in the connection.  Below is output of running the script.  I have confirmed that the script does have alwayon, trustednetworkdetection etc. configured. 

    Any ideas?

  7. Avatar
    Kyle 4 years ago

    It looks like my screen shot didnt make it in my previous comment.

    The output of the script says that it created the VPN profile and the script completed.  But the section that shows some of the settings has most blank.


    AlwaysOn                         :

    ByPassForLocal                :

    DnsSuffix                          :

    InstanceID                         : "MyVpnProfileName"



    There are more settings, but none of the show any information.  I  hope this helps.

    • Avatar
      Ryan Berenji 3 years ago

      did you ever figure this out?  I am having the same issue.

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account