Azure stack SDK 1.1805.1.47 VPN connectivity fails with 789

  • Question

  • I cannot get the VPN connection to work; the stack installation appears to allow all WinRM.

    I have altered the client firewall to allow WinRM from 'any' on all profiles.

    I have imported the azurestackroot cert as a trusted root.

    Output of the scripts and commands from https://docs.microsoft.com/en-us/azure/azure-stack/asdk/asdk-connect:

    PS C:\AzureStack-Tools-master> Remove-VpnConnection -Name azurestack

    PS C:\AzureStack-Tools-master> # Change directories to the default Azure Stack tools directory
    cd C:\AzureStack-Tools-master

    # Configure Windows Remote Management (WinRM), if it's not already configured.
    winrm quickconfig  

    Set-ExecutionPolicy RemoteSigned

    # Import the Connect module.
    Import-Module .\Connect\AzureStack.Connect.psm1

    # Add the development kit host computer’s IP address as the ASDK certificate authority (CA) to the list of trusted hosts. Make sure you update the IP address and password values for your environment.

    $hostIP = "x.x.x.x"

    $Password = ConvertTo-SecureString `
      "passwd" `
      -AsPlainText `
      -Force

    Set-Item wsman:\localhost\Client\TrustedHosts `
      -Value $hostIP `
      -Concatenate

    # Create a VPN connection entry for the local user.
    Add-AzsVpnConnection `
      -ServerAddress $hostIP `
      -Password $Password
    WinRM service is already running on this machine.
    winrm : WSManFault
    At line:5 char:1
    + winrm quickconfig
    + ~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (WSManFault:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
     
        Message
            ProviderFault
                WSManFault
                    Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to 
    either Domain or Private and try again. 
    Error number:  -2144108183 0x80338169
    WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and 
    try again. 
    Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope.  Due to the override, 
    your shell will retain its current effective execution policy of Unrestricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information please see 
    "Get-Help Set-ExecutionPolicy".
    At line:7 char:1
    + Set-ExecutionPolicy RemoteSigned
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
        + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
    VERBOSE: Creating Azure Stack VPN connection named azurestack
    VERBOSE: Adding routes to Azure Stack VPN connection named azurestack


    Name                  : azurestack
    ServerAddress         : x.x.x.x
    AllUserConnection     : False
    Guid                  : {B746E9FA-61AA-4C22-A64D-05690426C770}
    TunnelType            : L2tp
    AuthenticationMethod  : {MsChapv2}
    EncryptionLevel       : Required
    L2tpIPsecAuth         : Psk
    UseWinlogonCredential : False
    EapConfigXmlStream    : 
    ConnectionStatus      : Disconnected
    RememberCredential    : True
    SplitTunneling        : True
    DnsSuffix             : 
    IdleDisconnectSeconds : 0




    PS C:\AzureStack-Tools-master> Connect-AzsVpn `
      -Password $Password
    VERBOSE: Connecting to Azure Stack VPN using connection named azurestack...
    Connecting to azurestack...

    Remote Access error 789 - The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

    For more help on this error:
    Type 'hh netcfg.chm'
    In help, click Troubleshooting, then Error Messages, then 789
    VERBOSE: Connection-specific files will be saved in C:\Users\DCallaghan\Documents\azurestack
    VERBOSE: Retrieving Azure Stack Root Authority certificate...
    [x.x.x.x] Connecting to remote server x.x.x.x failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, 
    that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall 
    exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (x.x.x.x:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken
    Connect-AzsVpn : Certificate has not been retrieved!
    At line:1 char:1
    + Connect-AzsVpn `
    + ~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Connect-AzsVpn
     


    • Edited by cryptic12 Thursday, November 1, 2018 12:02 AM
    Thursday, November 1, 2018 12:01 AM

All replies

  • According to your error:

        Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to 
    either Domain or Private and try again. 

    Have you tried changing your network type off of public and trying again? To change the network type, you can use these PowerShell instructions for "Windows 8/2012 and up".

    Monday, November 5, 2018 6:19 PM
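
The check suggested in the reply above, written out as an added example that is not part of the thread or of AzureStack-Tools: it lists the connection profiles Windows classifies as Public, moves a named interface to Private, re-runs the `winrm quickconfig` step that failed, and shows which firewall profiles the WinRM rules cover. The function names and the interface alias `Ethernet` are assumptions; substitute the alias reported on your client.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Function names and the 'Ethernet'
# interface alias are assumptions for illustration.

function Get-PublicNetworkProfile {
    # Any profile listed here triggers the "set to Public" WSManFault
    # that winrm quickconfig reported in the question.
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'Public' } |
        Select-Object Name, InterfaceAlias, InterfaceIndex, NetworkCategory
}

function Set-TrustedInterfacePrivate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Name only interfaces on networks you trust: the Private firewall
        # profile is normally more permissive than the Public one.
        [Parameter(Mandatory)][string[]]$InterfaceAlias
    )
    foreach ($alias in $InterfaceAlias) {
        $netProfile = Get-NetConnectionProfile -InterfaceAlias $alias -ErrorAction Stop
        if ($netProfile.NetworkCategory -ne 'Public') {
            # DomainAuthenticated is assigned by Windows and Private needs no change.
            Write-Verbose "$alias is $($netProfile.NetworkCategory); leaving it unchanged."
            continue
        }
        if ($PSCmdlet.ShouldProcess($alias, 'Set NetworkCategory to Private')) {
            Set-NetConnectionProfile -InterfaceIndex $netProfile.InterfaceIndex `
                -NetworkCategory Private
        }
    }
}

# 1. See which interfaces are currently Public.
Get-PublicNetworkProfile | Format-Table -AutoSize

# 2. Preview, then apply, the change for one trusted interface.
Set-TrustedInterfacePrivate -InterfaceAlias 'Ethernet' -WhatIf
Set-TrustedInterfacePrivate -InterfaceAlias 'Ethernet' -Verbose

# 3. Re-run the failed step only once no profile is left Public.
$stillPublic = Get-PublicNetworkProfile
if ($stillPublic) { $stillPublic | Format-Table -AutoSize } else { winrm quickconfig }

# 4. Show which firewall profiles the WinRM rules apply to.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, Direction
```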