Event ID 20007 — RAS Connection
Applies To: Windows Server 2008 R2
A server running Routing and Remote Access provides two different types of remote access connectivity: virtual private networking (VPN) and dial-up networking. VPN is the creation of secured, point-to-point connections across a private network or a public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server. In dial-up networking, a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone or ISDN. In contrast to dial-up networking, VPN is always a logical, indirect connection between the VPN client and the VPN server over a public network, such as the Internet.
Event Details
Product: Windows Operating System
ID: 20007
Source: RemoteAccess
Version: 6.1
Symbolic Name: ROUTERLOG_CANT_RECEIVE_FRAME
Message: Cannot receive initial frame on port: %1 because of the following error: %2 The user has been disconnected.
Diagnose
The remote access connection must have permissions through dial-in properties of the user account and remote access policies. In addition, the credentials of the remote access client (user name, password, and domain name) must be validated by the remote access server.
This error might be caused by the incorrect configuration of one of the following:
- Connection settings
- Credentials of the remote access client
Check connection settings
For the connection to be established, the settings of the connection attempt must:
- Match all of the conditions of at least one remote access policy.
- Be granted remote access permission through the local user account (set to Allow access). Alternatively, remote access permission can be granted through the domain user account (set to Control access through NPS Network Policy) and the remote access permission of the matching remote access policy (set to Grant access).
- Match all of the settings of the profile.
- Match all of the settings of the dial-in properties of the user account.
Check the credentials of the remote access client in Windows or RADIUS
- If Windows is used as the authentication and accounting provider, the remote access server uses native Windows functions to validate the security credentials of the remote access client (typically, the remote access user's user name and password) and access the remote access client's user account dial-in properties.
- If RADIUS is used as the authentication and accounting provider, the remote access server acts as a RADIUS client and sends the user's credentials and other connection settings to a RADIUS server. The RADIUS server validates the credentials of the remote access client, authorizes the connection attempt, and stores remote access connection accounting information.
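To decide which of the resolutions that follow applies, it helps to see which ports and which error texts the logged events actually carry. The following PowerShell is an added example, not part of the original article; it assumes the events are in the System log and that the insertion strings follow the message template (%1 = port, %2 = error), and the seven-day window is an arbitrary choice.

```powershell
# Added example: summarize RemoteAccess event 20007 by port and error text.
# Assumptions: events are in the System log; Properties[0] is the port (%1)
# and Properties[1] is the error (%2), matching the message template.
$days = 7   # look-back window (illustrative value)

$filter = @{
    LogName      = 'System'
    ProviderName = 'RemoteAccess'
    Id           = 20007
    StartTime    = (Get-Date).AddDays(-$days)
}

# Get-WinEvent writes an error when nothing matches, so suppress it
# and treat an empty result as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No RemoteAccess event 20007 in the last $days day(s)."
}
else {
    # Flatten each event to the fields needed for triage.
    $rows = foreach ($e in $events) {
        $p = $e.Properties
        New-Object PSObject -Property @{
            Time  = $e.TimeCreated
            Port  = if ($p.Count -gt 0) { [string]$p[0].Value } else { '(missing)' }
            Error = if ($p.Count -gt 1) { ([string]$p[1].Value).Trim() } else { '(missing)' }
        }
    }

    # One row per (port, error) pair, most frequent first.
    $rows | Group-Object Port, Error | Sort-Object Count -Descending |
        Select-Object Count,
            @{n = 'Port';  e = { $_.Group[0].Port } },
            @{n = 'Error'; e = { $_.Group[0].Error } },
            @{n = 'First'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
            @{n = 'Last';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
        Format-Table -AutoSize -Wrap
}
```

One error repeated across many ports points at server-side settings such as authentication methods or policy, while failures confined to a single port point at that port or the clients using it.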
Resolve
Configure remote access dial-in
To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Follow these procedures in the order in which they appear until the problem is resolved.
Configure remote access user properties
To configure remote access user properties:
If the remote access server is part of a Windows Server 2008 or Windows Server 2003 domain:
- Click Start, click Administrative Tools, and then double-click Active Directory Users and Computers.
- In the console tree, click Users (console tree location: Active Directory Users and Computers/domain name/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
If the remote access server is a standalone server (not part of a domain):
- Click Start, click Administrative Tools, and then double-click Computer Management.
- In the console tree, click Users (console tree location: Computer Management/System Tools/Local Users and Groups/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
Unlock remote access client
- For more information about how to configure remote access client lockout, see article 816118 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=92611).
Configure remote access server to access Active Directory
For a remote access server that is a member server of a domain that is configured for Windows authentication, check that:
- The RAS and IAS Servers security group exists. If not, create the group, and then set the group type to Security and the group scope to Domain local.
- The RAS and IAS Servers security group has read permission to the RAS and IAS Servers Access Check object.
- The computer account of the remote access server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a domain.
- If you add or remove the remote access server to or from the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Active Directory information is cached). To make the change take effect immediately, you must restart the remote access server computer.
- The remote access server has joined the domain.
Configure authentication protocols
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To enable authentication protocols:
- Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
- Right-click the server name for which you want to enable authentication protocols, and then click Properties.
- On the Security tab, click Authentication Methods.
- In the Authentication Methods dialog box, select the check boxes for the authentication protocols that the remote access server will use to authenticate remote clients, and then click OK.
Configure access privileges
To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Follow the procedures in the order in which they appear until the problem is resolved.
Configure remote access user properties
To configure remote access user properties:
If the remote access server is part of a Windows Server 2008 or Windows Server 2003 domain:
- Click Start, click Administrative Tools, and then double-click Active Directory Users and Computers.
- In the console tree, click Users (console tree location: Active Directory Users and Computers/domain name/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
If the remote access server is a standalone server (not part of a domain):
- Click Start, click Administrative Tools, and then double-click Computer Management.
- In the console tree, click Users (console tree location: Computer Management/System Tools/Local Users and Groups/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
Unlock remote access client
- For more information about how to configure remote access client lockout, see article 816118 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=92611).
Configure remote access server to access Active Directory
For a remote access server that is a member server of a domain that is configured for Windows authentication, check that:
- The RAS and IAS Servers security group exists. If not, create the group, and then set the group type to Security and the group scope to Domain local.
- The RAS and IAS Servers security group has read permission to the RAS and IAS Servers Access Check object.
- The computer account of the remote access server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a domain.
- If you add or remove the remote access server to or from the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Active Directory information is cached). To make the change take effect immediately, you must restart the remote access server computer.
- The remote access server has joined the domain.
Use the same authentication method
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To enable authentication protocols:
- Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
- Right-click the server name for which you want to enable authentication protocols, and then click Properties.
- On the Security tab, click Authentication Methods.
- In the Authentication Methods dialog box, select the check boxes for the authentication protocols that the remote access server will use to authenticate remote clients, and then click OK.
Configure authentication settings
To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Follow the procedures in the order in which they appear until the problem is resolved.
Configure remote access user properties
To configure remote access user properties:
If the remote access server is part of a Windows Server 2008 or Windows Server 2003 domain:
- Click Start, click Administrative Tools, and then double-click Active Directory Users and Computers.
- In the console tree, click Users (console tree location: Active Directory Users and Computers/domain name/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
If the remote access server is a stand-alone server (not part of a domain):
- Click Start, click Administrative Tools, and then double-click Computer Management.
- In the console tree, click Users (console tree location: Computer Management/System Tools/Local Users and Groups/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
Unlock remote access client
- For more information about how to configure remote access client lockout, see article 816118 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=92611).
Configure remote access server to access Active Directory
For a remote access server that is a member server of a domain that is configured for Windows authentication, check that:
- The RAS and IAS Servers security group exists. If not, create the group and then set the group type to Security and the group scope to Domain local.
- The RAS and IAS Servers security group has read permission to the RAS and IAS Servers Access Check object.
- The computer account of the remote access server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a domain.
- If you add or remove the remote access server to or from the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Active Directory information is cached). To make the change take effect immediately, you must restart the remote access server computer.
- The remote access server has joined the domain.
Configure network protocol settings
To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To configure network protocol properties of the remote access server:
- Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
- Right-click the server name for which you want to view properties, and then click Properties.
- Check the settings on the IPv4 and IPv6 tabs.
Reconnect to port or increase the PPP negotiation time
Try to connect to the port again. If the problem persists, increase the PPP negotiation time.
In the registry, change the timeout for the PPP negotiation process by setting the NegotiateTime entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\Parameters\NegotiateTime
Note: The default value is 150 seconds. Changes to the registry setting do not take effect until the Routing and Remote Access service or Internet Authentication Service (IAS) is restarted.
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
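The registry change above, with the backup the caution calls for, can be scripted as follows. This PowerShell is an added example, not part of the original article; it reads the path above as a key (ending in Parameters) plus the entry name NegotiateTime, assumes the entry is a REG_DWORD in seconds and that the service name is RemoteAccess, and uses 300 only as an illustrative value.

```powershell
# Added example: back up the key, raise NegotiateTime, restart the service.
# Assumptions: the path is key + entry name, the entry is a REG_DWORD holding
# seconds, the service name is RemoteAccess, and 300 is illustrative.
$psKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\Parameters'
$regKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\Parameters'
$entry    = 'NegotiateTime'
$newValue = 300
$backup   = Join-Path $env:TEMP ("RasMan-PPP-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Refuse to create the key: if it is absent, the location needs checking first.
if (-not (Test-Path $psKey)) {
    throw "Key not found: $psKey. Nothing was changed."
}

# Export the key so the change can be rolled back by importing the .reg file.
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry backup failed. Nothing was changed."
}
Write-Output "Backup written to $backup"

# Read the current value; an absent entry means the default is in effect.
$item = Get-ItemProperty -Path $psKey -Name $entry -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$entry is not set (default applies). Creating it as $newValue."
    New-ItemProperty -Path $psKey -Name $entry -Value $newValue -PropertyType DWord | Out-Null
}
else {
    Write-Output "$entry is currently $($item.$entry). Setting it to $newValue."
    Set-ItemProperty -Path $psKey -Name $entry -Value $newValue
}

# The setting is read at service start. Restarting drops active sessions,
# so run this in a maintenance window.
Restart-Service -Name RemoteAccess

# Confirm the stored value and the service state.
$stored = (Get-ItemProperty -Path $psKey -Name $entry).$entry
$state  = (Get-Service -Name RemoteAccess).Status
Write-Output "$entry = $stored; RemoteAccess service is $state"
```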
Review the remote access service error code
There is not enough information available in the Routing and Remote Access service event message to provide a recommendation for resolution of the problem. If you continue to get this error, contact Microsoft Product Support Services. For more information, see https://go.microsoft.com/fwlink/?LinkId=52267.
For more information about remote access service error codes, see article 163111 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=91455).
Correct the mismatch in client and server configuration parameters
Possible resolution:
Check that the remote access client connection is configured with the same connection parameters as the remote access server. For example, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 is not supported in the Windows Vista operating system; MS-CHAP version 2 should be used instead because it provides better security. Network Policy Server (NPS), however, supports both versions and can be configured to use MS-CHAPv1 or MS-CHAPv2, so the authentication protocols configured on the client and on the server can be mismatched. In that case, on the client computer running Windows Vista, change the authentication protocol configuration parameter from MS-CHAPv1 to MS-CHAPv2, and then try to re-establish the connection.
Check the authentication protocols
To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To check authentication protocols:
- Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
- Right-click the server name for which you want to check authentication protocols, and then click Properties.
- On the Security tab, click Authentication Methods.
- In the Authentication Methods dialog box, select the check boxes for the authentication protocols that the remote access server will use to authenticate remote clients, and then click OK.
Check for packet corruption
Possible resolution:
- Use the information in the Diagnose section to narrow down the issue.
Configure dial-in settings
To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.
Follow the procedures in the order in which they appear until the problem is resolved.
Configure remote access user properties
To configure remote access user properties:
If the remote access server is part of a Windows Server 2008 or Windows Server 2003 domain:
- Click Start, click Administrative Tools, and then double-click Active Directory Users and Computers.
- In the console tree, click Users (console tree location: Active Directory Users and Computers/domain name/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
If the remote access server is a stand-alone server (not part of a domain):
- Click Start, click Administrative Tools, and then double-click Computer Management.
- In the console tree, click Users (console tree location: Computer Management/System Tools/Local Users and Groups/Users).
- In the details pane, right-click a user name, and then click Properties.
- On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), click Allow access, Deny access, or Control access through NPS Network Policy, and then click OK.
- Configure other settings, as appropriate.
Unlock remote access client
- For more information about how to configure remote access client lockout, see article 816118 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=92611).
Configure remote access server to access Active Directory
For a remote access server that is a member server of a domain that is configured for Windows authentication, check that:
- The RAS and IAS Servers security group exists. If not, then create the group and set the group type to Security and the group scope to Domain local.
- The RAS and IAS Servers security group has read permission to the RAS and IAS Servers Access Check object.
- The computer account of the remote access server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a domain.
- If you add or remove the remote access server to or from the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Active Directory information is cached). To make the change take effect immediately, you must restart the remote access server computer.
- The remote access server has joined the domain.
Reset password
To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.
Reset a password for a local user account
To reset a password for a local user account:
- Click Start, click Administrative Tools, and then double-click Computer Management.
- In the console tree, click Users (console tree location: Computer Management/System Tools/Local Users and Groups/Users).
- In the details pane, right-click the user name, and then click Set Password.
- Read the warning message, and if you want to continue, click Proceed.
- In New password and in Confirm password, type a new password, and then click OK.
Reset a password for a domain user account on a member server
To reset a password for a domain user account when you are on a member server or a workstation that is joined to the domain:
- Open Microsoft Management Console (MMC). Click Start, click Run, type mmc, and then press ENTER.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- Click Active Directory Users and Computers, and then click Add.
- Click Close, and then click OK.
- In the console tree, click Users (console tree location: Active Directory Users and Computers/domain name/Users).
- In the details pane, right-click the user name, and then click Reset Password.
- In New password and Confirm password, type a new password, and then click OK.
Reset a password for a domain user account on a domain controller
To reset a password for a domain user account when you are on a domain controller:
- Open Active Directory Users and Computers. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, click Users (console tree location: Active Directory Users and Computers/domain name/Users).
- In the details pane, right-click the user name, and then click Reset Password.
- In New password and Confirm password, type a new password, and then click OK.
Add more client licenses
A client access license (CAL) is required for each client device or user that accesses a Windows Server operating system. For information about managing and tracking licenses, including Microsoft Volume License Services, see Manage Your Volume Licenses (https://go.microsoft.com/fwlink/?LinkId=96141) and Microsoft Volume License Services (https://go.microsoft.com/fwlink/?LinkId=92143).
Verify
To verify that the remote access server can accept connections, establish a remote access connection from a client computer.
To create a VPN connection:
- Click Start, and then click Control Panel.
- Click Network and Internet, click Network and Sharing Center, and then click Set up a connection or network.
- Click Connect to a workplace, and then click Next.
- Complete the steps in the Connect to a Workplace wizard.
To connect to a remote access server:
- In Network and Sharing Center, click Manage network connections.
- Double-click the VPN connection, and then click Connect.
- Verify that the connection was established successfully.