Update 1/17/22: Microsoft has released OOB updates to fix the Windows L2TP VPN connection issues.
Windows 10 users and administrators report problems making L2TP VPN connections after installing the recent Windows 10 KB5009543 and Windows 11 KB5009566 cumulative updates.
Yesterday, Microsoft released Windows updates to fix security vulnerabilities and bugs as part of the January 2022 Patch Tuesday.
These updates include KB5009566 for Windows 11 and KB5009543 for Windows 10 20H2, 21H1, and 21H2 (OS builds 19042.1466, 19043.1466, and 19044.1466).
Updates break L2TP connections
After installing yesterday's updates, Windows users find their L2TP VPN connections broken when attempting to connect using the Windows VPN client.
When attempting to connect to a VPN device, they are shown an error stating, "Can't connect to VPN. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer," as shown below.
The Event Log will also log entries with error code 789, stating that the connection to the VPN failed.
The bug does not affect all VPN devices and appears to be limited to connections made with the built-in Windows VPN client.
A security researcher known as Ronny on Twitter told BleepingComputer that the bug affects their Ubiquiti Client-to-Site VPN connections for those using the Windows VPN client.
Many Windows admins also report on Reddit that the bug also affects connections to SonicWall, Cisco Meraki, and WatchGuard Firewalls, with the latter's client also affected by the bug.
With many users still working remotely, admins have been forced to remove the KB5009566 and KB5009543 updates, which immediately fixes the L2TP VPN connections on reboot.
Windows users can remove the KB5009566 and KB5009543 updates using the following commands from an Elevated Command Prompt.
Windows 10: wusa /uninstall /kb:5009543
Windows 11: wusa /uninstall /kb:5009566
However, as Microsoft bundles all security updates in a single Windows cumulative update, removing the update will remove all fixes for vulnerabilities patched during the January Patch Tuesday.
Therefore, Windows admins need to weigh the risk of running with the January vulnerabilities unpatched against the disruption of users being unable to establish VPN connections.
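The check and the rollback described above, scripted for an elevated PowerShell session. This is an added example, not code from the article or from Microsoft; it assumes that RasClient writes the failed-dial event as Event ID 20227 in the Application log (the article only cites "error code 789"), and that a Windows 11 machine can be told apart by an OS build of 22000 or higher.

```powershell
# Added example (not from the article): confirm the error-789 symptom, identify which
# January 2022 cumulative update is installed, and roll it back with wusa.
# Assumptions: elevated session; RasClient failure events carry Event ID 20227
# (assumed); Windows 11 = OS build 22000 or higher.
#Requires -RunAsAdministrator

$build = [System.Environment]::OSVersion.Version.Build
$kb    = if ($build -ge 22000) { 'KB5009566' } else { 'KB5009543' }   # Win11 / Win10

# 1. Symptom: recent VPN dial failures whose message carries reason code 789.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
                -MaxEvents 50 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match '\b789\b' }
if ($failures) {
    Write-Host ("Found {0} VPN failure(s) with error 789; most recent at {1}" -f @($failures).Count, $failures[0].TimeCreated)
} else {
    Write-Host "No error-789 RasClient events found; the VPN problem may have another cause."
}

# 2. Is the offending cumulative update actually installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Host "$kb is not installed on this machine; nothing to roll back."
    return
}
Write-Host ("{0} installed on {1} (OS build {2})" -f $kb, $hotfix.InstalledOn, $build)

# 3. Roll back. This removes every security fix bundled in the January LCU, not only the
#    L2TP regression, and Windows Update will reinstall the KB unless updates are paused.
$kbNumber = $kb -replace '^KB', ''
$proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait -PassThru
switch ($proc.ExitCode) {
    0    { Write-Host "Uninstall completed; reboot to restore L2TP connections." }
    3010 { Write-Host "Uninstall completed; a reboot is required (exit code 3010)." }
    default {
        Write-Warning ("wusa exited with code {0}. If Windows reports the update is required and cannot be " +
                       "uninstalled, the LCU was installed as a permanent package and wusa cannot remove it.") -f $proc.ExitCode
    }
}
```

Pause Windows Update (Settings > Update & Security > Advanced options) before or immediately after the rollback; otherwise the same KB is offered again on the next scan, and the uninstall is undone at the next reboot.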
It is not clear what caused the bug, but Microsoft's January Patch Tuesday fixed numerous vulnerabilities in the Windows Internet Key Exchange (IKE) protocol (CVE-2022-21843, CVE-2022-21890, CVE-2022-21883, CVE-2022-21889, CVE-2022-21848, and CVE-2022-21849) and in the Windows Remote Access Connection Manager (CVE-2022-21914 and CVE-2022-21885) that could be causing the problems.
Microsoft confirms bug, provides mitigation
Microsoft confirmed on Thursday that "Certain IPSEC connections might fail" and that they will fix the issue in an upcoming release of Windows.
"After installing KB5009543, IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected."
Microsoft states that on some VPN servers the bug can be mitigated by disabling the IKE 'Vendor ID' in the server-side settings; not every server exposes that option.
"To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used," Microsoft explains in a new known update issue.
On January 17th, Microsoft released out-of-band updates to resolve the Windows L2TP VPN connection issues and multiple critical issues on Windows Server.
More information about these updates can be found in our dedicated "Microsoft releases emergency fixes for Windows Server, VPN bugs" article.
Update 1/13/22: Added update with more information from Microsoft.
Update 1/17/22: Added information about new OOB updates.
Comments
DFlood - 2 years ago
I can confirm this on both Pro and Home connecting to Meraki MX.
bluto4x - 2 years ago
+1 here. And the laptop claims the permanent package cannot be uninstalled, with both the above fix and DISM /online /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.1466.1.6.
Both fail.
IhateMicroSoft - 2 years ago
And let's not forget that KB5009624 breaks Hyper-V on Server 2012 R2.
jimmyjones1256 - 2 years ago
These "fixes" really need to be tested more thoroughly. They must know what systems are reliant on the connections they break. If not then that's a whole other worry.
2patchornot2patch - 2 years ago
Windows 10 will not allow for uninstall of 5009543. It is apparently necessary for your system according to the MS overlords
LairdDavid - 2 years ago
I'm using a WatchGuard firewall and the WatchGuard client on Win10.
I am not experiencing any issues with my VPN.
Pharkurnell - 2 years ago
Windows 10 users can remove the KB5009543 updates using the following commands from an Elevated Command Prompt.
No they can't... says it's required or the world will end.
Have you tried it on a Windows 10 machine?
Lawrence Abrams - 2 years ago
Of course. Was able to roll back the KB5009543 update.
Pharkurnell - 2 years ago
7 hours later, on random machines I'm still getting
Security Update for MS (kb5009543) is required by your computer and cannot be uninstalled
noelprg4 - 2 years ago
I can uninstall KB5009543 from my Win10 21H2 computer (from the old appwiz.cpl app & clicking on view installed updates) because I manually installed it from MS Catalog earlier, not from WU
bjoneill74 - 2 years ago
I can also confirm.
I spent a few hours on this last night and ended up re-installing Windows 10.
Update 5009543 breaks the built in Windows L2TP.
It also breaks IKEv2 connections. The error for IKEv2 is different though (Security Processing Error).
Uninstalling corrects this, but my system won't let me pause updates. It says I'm over the limit of doing so. I literally installed Windows 10 today and haven't paused any updates. Super annoying!
jmwoods - 2 years ago
Why did you install the updates on the day they were released, instead of waiting a week or two for the smoke to clear?
If you thought it was urgent to install them right away, why didn't you image your system first?
If you want better control over Windows updates, try one of these free tools...
Windows Automatic Updates Manager, Windows Update MiniTool, or Windows Update Manager.
https://www.carifred.com/wau_manager/
https://www.majorgeeks.com/files/details/windows_update_minitool.html
https://www.majorgeeks.com/files/details/wumgr.html
noelprg4 - 2 years ago
speaking of Windows Update MiniTool, it recently got a 1-14-2022 update with a bigger UI
on Core/Home Win10/Win11 editions, I also use WUB (windows update blocker) to disable auto updates as it's a little harder to control updates on home editions unlike in the Pro or higher editions:
https://www.sordum.org/9470/windows-update-blocker/
then I use windows update blocker again to re-enable updates when I'm ready to update
AlexGeek - 2 years ago
My customer was affected too, removing the KB fixed the issue
Btiltman - 2 years ago
Uninstalling KB5009543 from the Windows Update History screen worked fine and fixed the L2TP error
cajef - 2 years ago
I uninstalled it yesterday and it reappeared again today. This time I stopped updates temporarily until Microsoft releases a fix. 2 days in a row, I get woken up at 4 am and chaos since most of my staff are working from home. Make sure you stop updates temporarily or it will show up again.
tollhahee - 2 years ago
We manually helped all of our employees uninstall the patch yesterday to be able to connect to VPN. Of course, this morning, it re-installed for everyone. Downloaded wushowhide to a network share and directed all our employees on how to go about hiding this update. That program is pretty simple so our users were able to handle it themselves. This way we can still get updates without having to unpause. Just a thought..
cajef - 2 years ago
Interesting. Thank you for this. My staff are all using their own devices at home and I try to do as little as possible so as not to crash their home PC. I definitely do not want that episode to begin. They do not have access to shared drives unless they connect to VPN. So I stopped all updates till Feb and hopefully our wise folks at Microsoft will come up with a patch.
primetime82 - 2 years ago
The process I took was to pause updates first then remove the KB via elevated command prompt on 5 machines all windows 10 pro and can confirm it works. VPN now connects without the L2TP error to Meraki MX. My users are not getting prompted for updates "yet" but I am sure in the next few days it could happen once again.
bluto4x - 2 years ago
Are your machines domained or standalone?
Which Feature Update are you using?
Luckily, I only had one user install this. Unfortunately, I am unable to roll back via:
Update Settings
wusa /uninstall /kb:5009543
DISM /online /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.1466.1.6
That machine was stand alone, Win 10 21H1.
Most of our machines are domained and thus won't get the updates until I push them out, but we do have a handful of machines that were deployed in early 2019 for our WFH orders.
cajef - 2 years ago
It will come back again unless you stop them until a certain time.
Type Settings in Start menu - Go to Updates and Security - Advanced and pause updates for a few days. This way you will get some breathing space till the wise folks at MS find the solution.
shanethegeek - 2 years ago
I just dealt with this issue this morning and spent more time than I needed to trying all sorts of "fixes". Nothing was making sense as to why this one machine was not connecting. Well, this computer is using Intune and just so happened to have the latest updates loaded vs the rest of the fleet. I was able to remove the latest update and fixed the issue. Thank you for posting this Lawrence!
cajef - 2 years ago
Can you believe my home Mac users are poking fun at me now. They never have any issues LOL.
DFlood - 2 years ago
MS has put a note in their patch description Known Issues section: https://support.microsoft.com/en-us/topic/january-11-2022-kb5009543-os-builds-19042-1466-19043-1466-and-19044-1466-b763552f-73bd-435a-b220-fc3e0bc9765b
Issue:
After installing this update, IP Security (IPSEC) connections that contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.
Workaround:
To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings.
Note Not all VPN servers have the option to disable Vendor ID from being used.
We are presently investigating and will provide an update in an upcoming release.
WMCI - 2 years ago
The Vendor ID solution does intrigue me. Not so sure I'm in agreement with the mitigation suggestion. I noticed when a user with the "patch" connects, the L2TP error pops up IMMEDIATELY. There is no way it even attempted to connect back to the corporate VPN. As all have shared, removing the KB did fix. Only to have to deal with this when it gets pushed out again. I love the Windows Native VPN client, but I'm pretty much done with the headaches over the last year. WANTED: Working 3rd party Windows VPN client. Please respond.
cajef - 2 years ago
We use Meraki and you are right WMCI. The error pops up immediately, so I agree with you; it does not even route to the VPN.
WMCI - 2 years ago
If you speak of AnyConnect, yes, I have used in the past. I'm not affiliated with anything Cisco and cannot download the 4.9 Windows/Mac/Linux client.
louyo - 2 years ago
FWIW, I found this fix and it worked for me. YMMV.
The culprit is IKEEXT.DLL in the update. I found and executed this fix, successfully, if you are comfortable moogying around with file permissions:
Using a log in with administrator credentials, find in <systemdrive>:\Windows\System32 the above file. Change ownership to Administrators. To be safe, rename it to something like IKEEXT.DLL.SAVE. Now, locate a previous version of the dll. The W11 version I found and used was from 11/24/2021, I think the W10 version was December. Make sure it is over 1 MB in size. My W11 version was in:
C:\Windows\WinSxS\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.22000.318_none_c89c76cfafa900e6
I copied it to the Windows\System32 folder and then restarted the IKEandAuthblahblah service. That allowed me to keep the update and run our Meraki VPN.
louyo - 2 years ago
Oops, should have added to give administrators full control for the original file before you can rename or delete it.
louyo - 2 years ago
Sorry, me again. If you run Wireshark, you will see one exchange with your VPN server and it will be identical with a working one. Windows just bails out when it gets the response.
You can also tell by disabling your network connection and retry, it will time out. I only run Windows in virtual machines, so it is easy to do that, and my Firewall has built in Wireshark.
Lou
slatoja - 2 years ago
Could you please elaborate what did you do to IKEEXT.DLL? thanks
Hanry45 - 2 years ago
Uninstalling the update is a solution too...
Lawrence Abrams - 2 years ago
OOB updates released for the L2TP VPN connection and Windows Server issues.
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/
cajef - 2 years ago
I paused updates for 4 weeks. Uninstalled the update and I would think MS would release a patch in the next scary patch Tuesday
cajef - 2 years ago
Thanks Lawrence. Read this. Awesome
SlalomJohn - 2 years ago
Add to registry:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]
"ProhibitIpSec"=dword:00000001
and reboot PC - well done!
peter949 - 2 years ago
Not sure what to make of this but I had two users today tell me this issue was back. I check their computers, and indeed KB5009543 was re-installed yesterday 2/7/2022 and I DID Pause Updates and it still shows Updates paused until 2/16/2022.