π ~1 min read
Table of contents
Symptom & Impact
RRAS on Windows Server 2019 fails to start, so VPN, NAT, and routing functions go offline. Remote workers cannot connect, branch tunnels drop, and inbound site-to-site sessions remain unreachable through the day.
Environment & Reproduction
Reproduce after certificate rotation, IP changes, or removal of a required Windows feature. Inspect RRAS configuration and System log.
Get-Service -Name rras
Get-WinEvent -LogName System -MaxEvents 40
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10Root Cause Analysis
Causes include a missing IKEv2 certificate, deleted IP interface, conflicting IPsec policy, or NPS dependency failure.
Quick Triage
Capture RRAS service state, configured tunnel types, and most recent error event before changes.
sc.exe query rras
Get-Service -Name rras | Select-Object Status,StartType
Get-EventLog -LogName System -Newest 30 | Where-Object {$_.Source -match 'rras'}Step-by-Step Diagnosis
Read RRAS events and confirm certificate, interface, and NPS dependency health.
Get-WinEvent -LogName System -MaxEvents 50 | Where-Object {$_.ProviderName -match 'rras'} | Select TimeCreated,Id,LevelDisplayName,Message
sc.exe qfailure rras
sfc /verifyonly
Solution β Primary Fix
Reissue the IKEv2 certificate, repair interface bindings, and restart RemoteAccess and dependent services.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Restart-Service -Name rras -Force
Get-Service -Name rras | Select-Object Status,StartType
Get-WinEvent -LogName System -MaxEvents 20 | Where-Object {$_.ProviderName -match 'rras'}
Solution β Alternative Approaches
If RRAS configuration is corrupt, reset via netsh ras and reimport the saved configuration.
sc.exe config rras start= auto
sc.exe failure rras reset= 86400 actions= restart/60000/restart/60000/run/1000
Restart-Service -Name rras -ForceVerification & Acceptance Criteria
RRAS runs, test connections complete, and the routing table shows expected tunnels and routes.
Get-Service -Name rras
Get-WinEvent -LogName System -MaxEvents 25 | Where-Object {$_.ProviderName -match 'rras' -and $_.LevelDisplayName -eq 'Error'}
Test-NetConnection -ComputerName localhost -Port Rollback Plan
Restore the previous RRAS configuration export and rebind the prior certificate thumbprint.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
wbadmin get versions
# Restore previous configuration export if availablePrevention & Hardening
Track tunnel certificates with expiry alerts and back up RRAS configuration before major changes.
Get-Service -Name rras | Export-Clixml C:/Temp/rras-baseline.xml
Get-WinEvent -LogName System -MaxEvents 50 > C:/Temp/rras-events.txt
Get-ScheduledTask | Where-Object {$_.TaskName -match 'rras'}Related Errors & Cross-Refs
Related to events 20227, 7024, and IKE error 13801.
Related tutorial: View the step-by-step tutorial for Windows Server 2019.
View all Windows Server 2019 tutorials on the Tutorials Hub β
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Microsoft Learn references for RRAS troubleshooting and certificate management on Windows Server 2019.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β we respond within one business day.
