Rock around the Remote Access Service

Rock around the Remote Access Service

  • Comments 3
  • Likes

The story… one of our customers called in that he had just finished with the migration to TMG and as a last step he wanted to enable VPN Client Access. He did that, but the outcome was unexpected. The TMG array was not reachable through the NLB address anymore.

According to the TMG console: the VPN Client Access was enabled, but on the Services tab under Monitoring the Remote Access service and Network Load Balancing were in stopped state. Actually, Network Load Balancing was complaining about a VPN problem.

The services could not be started manually.

clip_image002

clip_image004

The first thing what I checked was the Application log:

Log Name:      Application

Source:        Microsoft Forefront TMG Firewall

Date:          25/01/2012 16:32:05

Event ID:      14104

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      XXX

Description:

Failed to start the Routing and Remote Access service. Look at the system event log for more errors.

Log Name:      Application

Source:        Microsoft Forefront TMG Firewall

Date:          25/01/2012 16:32:05

Event ID:      21199

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      XXX

Description:

The Remote Access Service configuration for VPN could not be completed. As a result, the Remote Access Service may be stopped.

Log Name:      Application

Source:        Microsoft Forefront TMG Firewall

Date:          25/01/2012 16:32:36

Event ID:      21122

Task Category: None

Level:         Warning

Keywords:      Classic

User:          N/A

Computer:      XXX

Description:

Network Load Balancing on the local computer will be stopped because the Remote Access Service is not running or not responding, although VPN is enabled.

Since the service related issues are logged in the System log, had a look at that log as well:

Log Name:      System

Source:        RemoteAccess

Date:          25/01/2012 16:32:04

Event ID:      20103

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      XXX

Description:

Unable to load C:\Windows\System32\iprtrmgr.dll.

Log Name:      System

Source:        Service Control Manager

Date:          25/01/2012 16:32:06

Event ID:      7024

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      XXX

Description:

The Routing and Remote Access service terminated with service-specific error A device attached to the system is not functioning..

Based on the logs it turned out that we have here a Remote Access service starting issue.  Searching on the error message “A device attached to the system is not functioning” gave many hits. In most of the cases the issue started after IPv6 had been disabled by the registry value DisabledComponents (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters).

Checking out the registry we noticed that the value was really there.

clip_image006

So we deleted it and rebooted the server. After this the problem was gone and everything worked fine.

Only one question remained: How to disable IPv6 in a supported way on a TMG server?

Fortunately, our Technet document about “Unsupported configurations” gives a clear answer:

Forefront TMG does not support IPv6 traffic

Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

Solution: It is recommended that you unbind IPv6 on the Forefront TMG computer network adapters. To do so, open each network adapter’s properties, and on the Networking tab, clear the checkbox for Internet Protocol Version 6 (TCP/IPv6).

Unsupported configurations

http://technet.microsoft.com/en-us/library/ee796231.aspx

The most important takeaway is that the story might be different, but the Routing and Remote access service will not start if you fully disable IPv6 by the DisabledComponents registry value.

Author:

Arpad Gulyas

Microsoft CSS Forefront Security Edge Team

Technical Reviewer:

Lars Bentzen

Sr. Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Comments
  • Also delete HKEY_LOCAL_MACHINE\System\currentcontrolset\services\remoteaccess\routermanagers\IPV6 if it causes same problem again after the restart.

    The tip above worked for me, but we had to restart the server after two weeks, and RRAS couldn't start again with 7024 error this time, deletion of this key resolved our problem.

  • I read your article and a lot of others but didn't work for me.
    I installed TMG, disabled IPV6 by unbinding for NICs, enabled VPN and everything worked like charm.But, after a while, 15-16 hours, RRAS service got disabled! and I have to make it enable manually!
    I didn't do any registry changes.
    what's the problem?

  • I read your article and a lot of others but didn't work for me.
    I installed TMG, disabled IPV6 by unbinding for NICs, enabled VPN and everything worked like charm.But, after a while, 15-16 hours, RRAS service got disabled! and I have to make it enable manually!
    I didn't do any registry changes.
    what's the problem?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment