Netgate Discussion Forum

    Openvpn stops working

      Jamerson

      Dear All,
      My OpenVPN has worked fine for the last year; today I tried to log in remotely and it stopped working.
      I am using RADIUS over the domain controller with an SSL certificate.
      I went to Diagnostics and Authentication and tried to check the RADIUS,
      but the system keeps saying:
      The following input errors were detected:

      Authentication failed.

      I've checked both ports on the domain controller server:
      1812 and 1813, both are listening.

      Any suggestions how such a thing could happen?

      thank you

        cmb

        RADIUS is rejecting the authentication. You'll have to look at the NPS and security event logs on your domain controller to see why. A packet capture of the RADIUS traffic might be helpful, in that it'll at least confirm or deny whether the server is replying at all. No reply means a host firewall on the server is the likely cause, an error code reply at least will rule that out but probably not more beyond that, the Windows logs will be necessary to get any kind of specifics.

          Jamerson

          @cmb:

          RADIUS is rejecting the authentication. You'll have to look at the NPS and security event logs on your domain controller to see why. A packet capture of the RADIUS traffic might be helpful, in that it'll at least confirm or deny whether the server is replying at all. No reply means a host firewall on the server is the likely cause, an error code reply at least will rule that out but probably not more beyond that, the Windows logs will be necessary to get any kind of specifics.

          I turned the firewall off on the domain controller, and it didn't work!
          The NPS events are the following:

          "DC","IAS",10/19/2014,20:17:19,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","192.168.2.4",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 48",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
          "DC","IAS",10/19/2014,20:17:19,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 48",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
          "DC","IAS",10/19/2014,20:17:28,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","192.168.2.4",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 49",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
          "DC","IAS",10/19/2014,20:17:28,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 49",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
          "DC","IAS",10/19/2014,20:23:52,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","0.0.0.0",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 50",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
          "DC","IAS",10/19/2014,20:23:52,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 50",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
          

          Authentication Details:
          Connection Request Policy Name: Use Windows authentication for all users
          Network Policy Name: Connections to other access servers
          Authentication Provider: Windows
          Authentication Server: DC.Domain.lan
          Authentication Type: PAP
          EAP Type: -
          Account Session Identifier: -
          Logging Results: Accounting information was written to the local log file.
          Reason Code: 65
          Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

          And from the client side it said the username or password is invalid!
          Note: I have rebooted both the domain controller and pfSense, but no changes.

          thank you
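
As an added example (not part of the original thread, and not Netgate or Microsoft code), the sketch below reads NPS log lines in the format posted above, pairs each Access-Reject with its Access-Request through the shared Class field, and reports which network policy and reason code produced the reject. The field positions are assumptions inferred from the posted lines, and the sample log is constructed.

```python
import csv
import io
from collections import Counter

# 0-based field positions, inferred from the log lines posted above (assumption).
DATE, TIME, PACKET_TYPE, USER, FQ_USER, NAS_ID = 2, 3, 4, 5, 6, 11
CLIENT_NAME, POLICY, REASON, CLASS = 16, 24, 25, 26
ACCESS_REQUEST, ACCESS_REJECT = "1", "3"
REASONS = {"65": "dial-in Network Access Permission is set to Deny access"}

# Constructed sample in the same shape (names and addresses are made up).
SAMPLE_LOG = '''\
"DC","IAS",10/19/2014,20:17:19,1,"alice","EXAMPLE/Users/alice",,,,,"fw.example.test","192.0.2.4",,0,"192.0.2.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.0.2.2 10/19/2014 15:16:24 48"
"DC","IAS",10/19/2014,20:17:19,3,,"EXAMPLE/Users/alice",,,,,,,,0,"192.0.2.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.0.2.2 10/19/2014 15:16:24 48"
"DC","IAS",10/19/2014,20:17:28,1,"alice","EXAMPLE/Users/alice",,,,,"fw.example.test","192.0.2.4",,0,"192.0.2.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.0.2.2 10/19/2014 15:16:24 49"
"DC","IAS",10/19/2014,20:17:28,3,,"EXAMPLE/Users/alice",,,,,,,,0,"192.0.2.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.0.2.2 10/19/2014 15:16:24 49"
"DC","IAS",10/19/2014,20:25:02,1,"bob","EXAMPLE/Users/bob",,,,,"fw.example.test","192.0.2.4",,0,"192.0.2.1","VPN-Server",,,,,,,1,"Allow pfSense",0,"311 1 192.0.2.2 10/19/2014 15:16:24 50"
"DC","IAS",10/19/2014,20:25:02,2,,"EXAMPLE/Users/bob",,,,,,,,0,"192.0.2.1","VPN-Server",,,,,,,1,"Allow pfSense",0,"311 1 192.0.2.2 10/19/2014 15:16:24 50"
'''

def rejected_logins(log_text):
    """Pair each Access-Reject with its request and return one dict per reject."""
    requests, findings = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= CLASS:
            continue  # short or malformed line
        if row[PACKET_TYPE] == ACCESS_REQUEST:
            requests[row[CLASS]] = row
        elif row[PACKET_TYPE] == ACCESS_REJECT:
            req = requests.get(row[CLASS])
            findings.append({
                "time": f"{row[DATE]} {row[TIME]}",
                # The reject record has no User-Name or NAS-Identifier; take them from the request.
                "user": req[USER] if req else row[FQ_USER],
                "nas": req[NAS_ID] if req else "",
                "client": row[CLIENT_NAME],
                "policy": row[POLICY],
                "reason_code": int(row[REASON]),
                "reason": REASONS.get(row[REASON], "look up in the NPS event log"),
            })
    return findings

def rejects_by_policy(findings):
    """Count rejects per (network policy, reason code) to show which policy matched."""
    return Counter((f["policy"], f["reason_code"]) for f in findings)

if __name__ == "__main__":
    print(rejects_by_policy(rejected_logins(SAMPLE_LOG)))
```

Grouping by policy name shows at a glance which network policy the request matched before it was denied, which is the detail the RADIUS client never sees.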

            Jamerson

            I am answering my own question;
            people with the same problem, follow the next steps:

            Within NPS, go to:
            • Policies >> Network Policies
            • Disabled "Connections to other access servers"

            This corrected the issue, and just to be safe I ordered the policies as follows:
            1. Connections to Microsoft Routing and Remote Access server (Enabled)
            2. Allow pfSense (Enabled)
            3. Connections to other access servers (Disabled)

              cmb

              "The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user."

              That's your problem, fix your Windows account and/or NPS policy.

              NPS will only reply with essentially one of two things - auth failed, or auth successful. To get details as to why it fails when it does, you have to check the Windows side.

                Jamerson

                @cmb:

                "The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user."

                That's your problem, fix your Windows account and/or NPS policy.

                NPS will only reply with essentially one of two things - auth failed, or auth successful. To get details as to why it fails when it does, you have to check the Windows side.

                Hi cmb,
                I've checked this permission and it was set OK; I even changed it to the allow permission and it didn't work.
                This happened after the latest Microsoft update; probably they messed with the settings of the NPS.
                After I disabled the connection to other devices,
                voilà, everything started working!
                I am really curious to understand what changes happened.
                Other customers are working fine and had the same update lately on their OS, but the settings are still the same.
                I am very curious to know the changes that happened.
