Recent Windows Server updates break VPN, RDP, RRAS connections

This month's Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled.

RRAS is a Windows service that offers additional TCP connectivity and routing features, including remote access or site-to-site connectivity with the help of virtual private network (VPN) or dial-up connections.

Last week, Microsoft released the Windows Server 2019 2012 R2 KB5014746, the Windows Server 2019 KB5014692, the Windows Server 20H2 KB5014699, and the Windows Server 2022 KB5014678 updates as part of the June 2022 Patch Tuesday.

However, after deploying these recent updates, Windows admins have reported experiencing multiple issues that could only be resolved after completely uninstalling the updates.

One of the more severe problems is the servers freezing for several minutes after a client connects to the RRAS server with SSTP.

Windows Remote Desktop and VPN connectivity issues 

The vast majority of reports related to these problems coming in since Patch Tuesday have a common theme: losing Remote Desktop and VPN connectivity to servers with Routing and Remote Access Service (RRAS) enabled where the June Windows Server Updates have been installed.

"What I saw after the June updates were installed was that no TCP connections established from either the client-side or the server-side would ever get up and running. I couldn't do a basic RDP session into the server either (even where a VPN isn't needed because I'm connecting from a management PC within the same trusted subnet)," one admin told BleepingComputer.

"Furthermore, no remote VPN/RRAS clients could connect to the server (which was the reason why the server was configured for NAT routing in the first place)."

"SSTP failed entirely [..] as well as RDP. RDP also failed to our IKE RRAS servers even though IKE connections continued to work (still not quite sure how)," another one said.

"We ended up using the GCP console interface to get into those servers, to get the RRAS (Routing and Remote Access service) setup not to start so that after a reboot we could remote in and revert the patches."

Multiple other admins [123456] have also reported on Reddit and in comments to BleepingComputer stories that they're having issues with LLTP/SSTP VPN clients and RDP failing to connect after deploying the June Windows Server updates.

 

"Problem goes away after rolling back. Problem occurred a second time after this patch was reinstalled. Rolling back fixed the issue, again. We experienced this problem from two different RRAS servers from two different locations -single domain," one of them explained.

While it is not clear what is causing these issues, Microsoft fixed a 'Windows Network Address Translation (NAT) Denial of Service Vulnerability' tracked as CVE-2022-30152 that may have introduced bugs into RRAS connectivity.

 

How to fix

Unfortunately, since Microsoft is yet to acknowledge these connectivity problems and provide a fix, the only way to address these issues on affected servers is to uninstall the corresponding cumulative update for your Windows Server version.

Admins can do this by using one of the following commands:

Windows Server 2012 R2: wusa /uninstall /kb:KB5014746
Windows Server 2019: wusa /uninstall /kb:KB5014692
Windows Server 20H2: wusa /uninstall /kb:KB5014699
Windows Server 2022: wusa /uninstall /kb:KB5014678

However, given that Microsoft bundles all security fixes within a single update, removing this month's cumulative update may fix the bugs but will also remove all security patches for vulnerabilities addressed during the June Patch Tuesday.

Therefore, before uninstalling these updates, you should ensure that it is absolutely necessary and that reviving RDP or VPN connectivity on your servers is worth the increased security risks.

As we previously reported, Microsoft is also working on addressing another known issue affecting both client and server platforms, causing connectivity issues when using Wi-Fi hotspots after installing the June Windows updates.

Furthermore, this month's Windows updates may also cause backup issues on Windows Server systems, with some apps failing to backup data using Volume Shadow Copy Service (VSS).

Microsoft told BleepingComputer that admins can temporarily disable the NAT feature on RRAS servers to fix these problems until a fix is released.

"We are aware of the issue and working to provide a resolution. Customers experiencing this issue can temporarily disable the NAT feature on their RRAS server," a Microsoft spokesperson told BleepingComputer.

 

Link: https://www.bleepingcomputer.com/news/microsoft/recent-windows-server-updates-break-vpn-rdp-rras-connections/