Troubleshooting Common VPN issues on Windows Server 2012 R2

Windows VPN port

Windows / August 13, 2020

If you are seeing errors while establishing VPN connection using Windows in-built VPN client, you have reached the right place. This article will help you to easily troubleshoot some of the common VPN related errors.

1) Error Code: 800

Error Description: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

Possible Cause: This error comes when the VPN tunnel type is ‘Automatic’ and the connection establishment fails for all the VPN tunnels.

Possible Solutions:

a> If you know which tunnel should actually be used for your deployment, try to set the ‘Type of VPN’ to that particular tunnel type on the VPN client side. [This can be set by clicking the ‘Network Connections’ icon on the bottom right of the task bar, Select your Connection, Right Click -> Properties -> Securities Tab -> Under ‘Type of VPN’ select the interested VPN tunnel type ]

By making VPN connection with a particular tunnel type, your connection will still fail but it will give a more tunnel specific error (for example: GRE blocked for PPTP, Certificate error for L2TP, SSL negotiation errors for SSTP, etc.)

b> This error usually comes when the VPN server is not reachable or the tunnel establishment fails.

i. Make sure the VPN server is reachable (try to PING the server).

ii. If interested in PPTP, make sure PPTP port (TCP 1723) or GRE Port (47) is not blocked on in between firewalls.

iii. If interested in L2TP, make sure

1. Correct pre-shared key or machine certificate are present both on client and server.

2. L2TP port (UDP 1701) is not blocked on any of the firewalls.

iv. If interested in IKEv2 based VPN tunnel, make sure

1. IKE port (UDP port 500, UDP port 4500) is not blocked.

2. Correct machine certificate for IKE are present both on client and server.

v. If interested in SSTP, make sure correct machine certificate is installed on the server and correct trusted root certificate is installed on the client machine.

2) Error Code: 609, 633

Error Description:

609: A device type was specified that does not exist.

633: The modem (or other connecting device) is already in use or is not configured properly.

Possible Cause: This error usually comes when the connecting VPN device (aka miniport) is not configured properly.

To confirm the issue: From the elevated command prompt, type the following command to confirm the presence of miniport: –

netcfg.exe –q

Following is the Miniport Device name for different tunnels:


L2TP Tunnel: MS_L2TP


VPN Reconnect (IKEv2) Tunnel: MS_AGILEVPN

Possible Solution:

1. In Windows 7, a built-in diagnostic with repair is provided for the ‘miniport missing’ issue for locally created VPN connections. A ‘Diagnostic’ button is shown on the Error page of the VPN connection. By clicking this button, it will give a ‘repair’ option if it finds the issue to be miniport missing which if clicked will automatically try to fix the issue.

2. On Vista or below OS, if the miniport device is missing, you can run the following command from ‘elevated’ command prompt:

a> netcfg.exe -e -c p -i

Details of the is given above.

b> Stop and Start ‘rasman’ (‘Remote Access Connection Manager’) service.