The story… one of our customers called in: he had just finished the migration to TMG and, as a last step, he wanted to enable
VPN Client Access. He did that, but the outcome was unexpected. The TMG array was no longer reachable through the NLB address.
According to the TMG console, VPN Client Access was enabled, but on the Services tab under Monitoring the Remote Access service
and Network Load Balancing were in the stopped state. Network Load Balancing was actually complaining about a VPN problem.
The services could not be started manually.
The first thing I checked was the Application log:
Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 25/01/2012 16:32:05
Event ID: 14104
Task Category: None
Failed to start the Routing and Remote Access service. Look at the system event log for more errors.
Event ID: 21199
The Remote Access Service configuration for VPN could not be completed. As a result, the Remote Access Service may be stopped.
Date: 25/01/2012 16:32:36
Event ID: 21122
Network Load Balancing on the local computer will be stopped because the Remote Access Service is not running or not responding, although VPN is enabled.
Since service-related issues are logged in the System log, I had a look at that log as well:
Log Name: System
Date: 25/01/2012 16:32:04
Event ID: 20103
Unable to load C:\Windows\System32\iprtrmgr.dll.
Source: Service Control Manager
Date: 25/01/2012 16:32:06
Event ID: 7024
The Routing and Remote Access service terminated with service-specific error A device attached to the system is not functioning..
Based on the logs, it turned out that we were dealing with a Remote Access service startup issue. Searching for the
error message “A device attached to the system is not functioning” gave many hits. In most cases the issue started after
IPv6 had been disabled through the DisabledComponents registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters).
Checking the registry, we noticed that the value was indeed present.
So we deleted it and rebooted the server. After that the problem was gone and everything worked fine.
Only one question remained: how do you disable IPv6 in a supported way on a TMG server?
Fortunately, our TechNet document about “Unsupported configurations” gives a clear answer:
Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.
Solution: It is recommended that you unbind IPv6 on the Forefront TMG computer network adapters. To do so, open each network adapter’s properties, and on the Networking tab, clear the checkbox for Internet Protocol Version 6 (TCP/IPv6).
The most important takeaway is that the details of the story may differ, but the Routing and Remote Access service will not start if you fully disable IPv6 through the DisabledComponents registry value.
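An added example (not from the original post): a PowerShell check a TMG administrator could run before enabling VPN Client Access, to spot the DisabledComponents value and the service and event-log symptoms described above. It assumes an elevated PowerShell session on the TMG server and that 0xFF in DisabledComponents is the "fully disabled" IPv6 state; the post does not state the exact value that was found.

```powershell
# Added example: detect the IPv6 DisabledComponents condition that stops RRAS on TMG.
# Assumption: 0xFF in DisabledComponents means all IPv6 components are disabled.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
$valueName = 'DisabledComponents'

# 1. Registry: is DisabledComponents present, and does it disable all IPv6 components?
$dcProp = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
if ($dcProp) {
    $dc = $dcProp.$valueName
    Write-Host ('DisabledComponents is set: 0x{0:X}' -f $dc)
    if (($dc -band 0xFF) -eq 0xFF) {
        Write-Warning 'IPv6 is fully disabled via DisabledComponents; RRAS will not start on TMG.'
        Write-Warning 'Supported fix: remove the value, reboot, then unbind TCP/IPv6 on each adapter.'
    }
} else {
    Write-Host 'DisabledComponents is not set (OK).'
}

# 2. Service: the Routing and Remote Access service (service name RemoteAccess).
Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# 3. Event log: the two System events from the post
#    (20103: iprtrmgr.dll could not be loaded; 7024: RRAS terminated with a service-specific error).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20103, 7024 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```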
Microsoft CSS Forefront Security Edge Team
Sr. Escalation Engineer