Event ID 20111, Error 792 or Error 781 When Establishing an L2TP/IPSec Connection
| Article ID | : | 247231 |
| Last Review | : | February 28, 2007 |
| Revision | : | 3.2 |
This article was previously published under Q247231
SYMPTOMS
When you attempt to manually establish a Layer 2 Tunneling Protocol (L2TP)/IP Security Protocol (IPSec) connection with a Windows 2000-based server by using the Routing and Remote Access snap-in, you may be unable to do so, and the initiator computer may display the following error message:
When you attempt to establish an L2TP/IPSec connection by using Network and Dial-up Connections, you are unable to do so, and the initiator computer may display the following error message:
Routing and Remote Access
An error occurred during connection of the interface.
The L2TP connection attempt failed because security negotiation timed out.
In addition, the following event is logged in the System event log of the initiator computer: An error occurred during connection of the interface.
The L2TP connection attempt failed because security negotiation timed out.
Source: RemoteAccess
Event ID: 20111
Description: A Demand Dial connection to the remote interface on port VPNx-y was successfully initiated but failed to complete successfully because of the following error: The L2TP connection attempt failed because security negotiation timed out.
NOTE: If the connection is triggered by demand-dial traffic, then only Event 20111 is logged.Event ID: 20111
Description: A Demand Dial connection to the remote interface
When you attempt to establish an L2TP/IPSec connection by using Network and Dial-up Connections, you are unable to do so, and the initiator computer may display the following error message:
Error Connecting to
Connecting to...
Error 792: The L2TP connection attempt failed because security negotiation timed out.
Connecting to
Error 792: The L2TP connection attempt failed because security negotiation timed out.
-or-
Error Connecting to
Connecting to...
Error 781: Encryption failed because no valid certificate was found.
NOTE: That Event 20111 is not logged at either the client or server when you attempt to establish the connection by using Network and Dial-up Connections. Connecting to
Error 781: Encryption failed because no valid certificate was found.
Back to the topCAUSE
This issue can occur because of one of the following reasons:
| • | The certificate on the virtual private networking (VPN) server is not a valid machine certificate or is missing. If the VPN server got a certificate during the Certificate Authority installation, this certificate is not valid for IPSec machine authentication. |
| • | The IPSec Policy Agent service is stopped and started without stopping and starting the Routing and Remote Access service on the remote computer. |
| • | The IPSec Policy Agent service is not running when you start the Routing and Remote Access service. |
RESOLUTION
To resolve this issue, do one of the following:
| • | Install a valid machine certificate on the VPN server. | ||||||
| • | Stop and start the IPSec Policy Agent service, and then stop and start the Routing and Remote Access service on the remote computer. To do so, use one of the following methods. Method 1
Method 2At a command prompt, type the following commands pressing ENTER after each command:net stop policyagent NOTE: The IPSec Policy Agent service must be started when the Routing and Remote Access service initializes.net start policyagent net stop remoteaccess net start remoteaccess |
MORE INFORMATION
When you stop and start the IPSec Policy Agent service without stopping and starting the Routing and Remote Access service, the automatic IPSec policy that is usually created for the L2TP/IPSec connection is not created and the connections are not successful.
If you stop the IPSec Policy Agent service while you have active tunnel connections without first stopping the Routing and Remote Access service, the tunnels are unsecured, and data is exposed in the clear. It is recommended that you stop active tunnel connections before you stop the IPSec Policy Agent service.
Note that stopping the IPSec Policy Agent and the Routing and Remote Access services may remove filters that are critical to protecting your computers, and to prevent this downtime in security, it is recommended that you disconnect the network cable.
If you stop the IPSec Policy Agent service while you have active tunnel connections without first stopping the Routing and Remote Access service, the tunnels are unsecured, and data is exposed in the clear. It is recommended that you stop active tunnel connections before you stop the IPSec Policy Agent service.
Note that stopping the IPSec Policy Agent and the Routing and Remote Access services may remove filters that are critical to protecting your computers, and to prevent this downtime in security, it is recommended that you disconnect the network cable.
APPLIES TO
| • | Microsoft Windows 2000 Server |
| • | Microsoft Windows 2000 Advanced Server |
No comments:
Post a Comment