Forefront TMG 2010 as an L2TP/IPsec VPN remote access server “malfunctions”, turns out to be a DHCP server scope issue

I came across an interesting case today where a user was trying to configure Forefront TMG 2010 (on Windows Server 2008 R2) as an L2TP/IPsec VPN remote access server.

The configuration seemed OK and was pretty standard (DHCP was used for address assignment to VPN clients).

The Vista SP2 L2TP/IPsec VPN client showed error 736:


I took a quick look in the RRAS MMC on TMG (RRAS provides the VPN functionality for TMG); the Internal interface of RRAS had obtained an IP address from the DHCP server:


I then looked at the Event Viewer on TMG and noticed a warning and an error logged by the Remote Access service:

Warning: No IP address is available to hand out to the dial-in client.


Error: CoId={BCE3AB30-44F8-4466-967E-25E13C94BE15}: The user x connected to port VPN2-9 has been disconnected because no network protocols were successfully negotiated.


Noticing the above warning I decided to look at the local DHCP server.

In the Event Viewer on the DHCP server (Windows Server 2008 R2), two warnings were present, indicating that the scope had simply been left without any IP addresses to lease: TMG had obtained the last available IP address (which was used on the RRAS Internal interface) and could not obtain further IP addresses for the VPN clients. (With L2TP/IPsec, IPCP is used to provide the VPN clients with IP addressing information; the VPN clients do not talk to the DHCP server directly.)

Warning: There are no IP addresses available for lease in the scope or superscope "LAN Use Scope".


Warning : Scope, 192.168.x.x, is 100 percent full with only 0 IP addresses remaining.


The DHCP server admin had configured a small scope, which became insufficient as the network expanded and more clients were provisioned.

So what appeared to be a TMG issue simply turned out to be a DHCP scope one, caused by network growth.
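As an added example (not part of the original post), the following script checks both sides of this failure from an admin workstation: it reports DHCP scope utilisation so exhaustion is caught before RRAS runs dry, and it looks for the RRAS "No IP address is available" warning quoted above. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later; the 2008 R2 hosts in the post do not have it), and the host names and threshold are placeholders.

```powershell
# Added example, not from the original post. Assumes the DhcpServer module
# (Windows Server 2012+) and remote event log access to the TMG/RRAS host.
param(
    [string]$DhcpServer  = 'dhcp01.example.local',   # placeholder host name
    [string]$TmgHost     = 'tmg01.example.local',    # placeholder host name
    [int]   $WarnPercent = 90                        # alert threshold, adjust to taste
)

# 1. DHCP side: the post's scope reported "100 percent full with only 0 IP
#    addresses remaining". Flag any scope approaching that state.
$scopes = Get-DhcpServerv4Scope -ComputerName $DhcpServer
foreach ($scope in $scopes) {
    $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer -ScopeId $scope.ScopeId
    $line  = '{0} ({1}): {2:N1}% in use, {3} free, {4} pending' -f `
             $scope.Name, $scope.ScopeId, $stats.PercentageInUse, $stats.Free, $stats.Pending
    if ($stats.PercentageInUse -ge $WarnPercent) {
        # RRAS leases its client pool from this scope; once it is full, VPN
        # clients fail IPCP negotiation and see error 736.
        Write-Warning "Scope near exhaustion, VPN address assignment at risk: $line"
    } else {
        Write-Output $line
    }
}

# 2. RRAS side: look for the warning the Remote Access service logged in the
#    post when it had nothing left to hand out to a dial-in client.
$since = (Get-Date).AddDays(-1)
$rrasWarnings = Get-WinEvent -ComputerName $TmgHost -FilterHashtable @{
        LogName   = 'System'
        Level     = 3            # 3 = Warning
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*No IP address is available to hand out to the dial-in client*' }

if ($rrasWarnings) {
    Write-Warning ("{0} RRAS 'no IP address available' warning(s) since {1}; check DHCP scope capacity before suspecting TMG." -f `
                   @($rrasWarnings).Count, $since)
} else {
    Write-Output "No RRAS address-exhaustion warnings on $TmgHost since $since."
}
```

Run it from a host that has the DHCP RSAT tools installed and an account that can read the System log on the TMG server.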
