Recent Windows Server updates break VPN, RDP, RRAS connections
This month's Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled.
RRAS is a Windows service that offers additional TCP connectivity and routing features, including remote access or site-to-site connectivity with the help of virtual private network (VPN) or dial-up connections.
Last week, Microsoft released the Windows Server 2012 R2 KB5014746, the Windows Server 2019 KB5014692, the Windows Server 20H2 KB5014699, and the Windows Server 2022 KB5014678 updates as part of the June 2022 Patch Tuesday.
However, after deploying these recent updates, Windows admins have reported experiencing multiple issues that could only be resolved after completely uninstalling the updates.
One of the more severe problems is the servers freezing for several minutes after a client connects to the RRAS server with SSTP.
The vast majority of reports related to these problems coming in since Patch Tuesday have a common theme: losing Remote Desktop and VPN connectivity to servers with Routing and Remote Access Service (RRAS) enabled where the June Windows Server Updates have been installed.
"What I saw after the June updates were installed was that no TCP connections established from either the client-side or the server-side would ever get up and running. I couldn't do a basic RDP session into the server either (even where a VPN isn't needed because I'm connecting from a management PC within the same trusted subnet)," one admin told BleepingComputer.
"Furthermore, no remote VPN/RRAS clients could connect to the server (which was the reason why the server was configured for NAT routing in the first place)."
"SSTP failed entirely [..] as well as RDP. RDP also failed to our IKE RRAS servers even though IKE connections continued to work (still not quite sure how)," another one said.
"We ended up using the GCP console interface to get into those servers, to get the RRAS (Routing and Remote Access service) setup not to start so that after a reboot we could remote in and revert the patches."
Multiple other admins have also reported on Reddit and in comments to BleepingComputer stories that they're having issues with L2TP/SSTP VPN clients and RDP failing to connect after deploying the June Windows Server updates.
"Problem goes away after rolling back. Problem occurred a second time after this patch was reinstalled. Rolling back fixed the issue, again. We experienced this problem from two different RRAS servers from two different locations - single domain," one of them explained.
While it is not clear what is causing these issues, Microsoft fixed a 'Windows Network Address Translation (NAT) Denial of Service Vulnerability' tracked as CVE-2022-30152 that may have introduced bugs into RRAS connectivity.
Unfortunately, since Microsoft is yet to acknowledge these connectivity problems and provide a fix, the only way to address these issues on affected servers is to uninstall the corresponding cumulative update for your Windows Server version.
Admins can do this by using one of the following commands:
However, given that Microsoft bundles all security fixes within a single update, removing this month's cumulative update may fix the bugs but will also remove all security patches for vulnerabilities addressed during the June Patch Tuesday.
Therefore, before uninstalling these updates, you should ensure that it is absolutely necessary and that reviving RDP or VPN connectivity on your servers is worth the increased security risks.
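One way to confirm a server is actually in the affected set before removing anything, shown as an added example that is not from the original article or from Microsoft: the PowerShell function below reports which of the June cumulative updates named above is installed and whether the Routing and Remote Access service (`RemoteAccess`) is running. The function name `Get-RrasJuneUpdateStatus` is hypothetical, and the script only prints a suggested `wusa.exe` command rather than running it.

```powershell
# Added triage example. The KB numbers are the ones named in the article;
# the function and variable names are illustrative.
$JuneKbs = [ordered]@{
    'KB5014746' = 'Windows Server 2012 R2'
    'KB5014692' = 'Windows Server 2019'
    'KB5014699' = 'Windows Server 20H2'
    'KB5014678' = 'Windows Server 2022'
}

function Get-RrasJuneUpdateStatus {
    # RemoteAccess is the service name of Routing and Remote Access (RRAS).
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Keep only hotfixes that match one of the June 2022 cumulative updates.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $JuneKbs.Contains($_.HotFixID) }

    if (-not $installed) {
        Write-Verbose 'None of the listed June 2022 updates are installed.'
        return
    }

    foreach ($hf in $installed) {
        [pscustomobject]@{
            HotFixID    = $hf.HotFixID
            AppliesTo   = $JuneKbs[$hf.HotFixID]
            InstalledOn = $hf.InstalledOn
            RrasRunning = $rrasRunning
            # Suggest removal only when RRAS is in use on this host, because
            # uninstalling also removes the month's security fixes.
            Suggestion  = if ($rrasRunning) {
                "wusa.exe /uninstall /kb:$($hf.HotFixID -replace '^KB') /norestart"
            } else {
                'RRAS is not running: keep the update installed'
            }
        }
    }
}

Get-RrasJuneUpdateStatus | Format-List
```

A server that shows `RrasRunning : False` is outside the pattern described in the reports above, so the update and its security fixes can stay in place.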
As we previously reported, Microsoft is also working on addressing another known issue affecting both client and server platforms, causing connectivity issues when using Wi-Fi hotspots after installing the June Windows updates.
Furthermore, this month's Windows updates may also cause backup issues on Windows Server systems, with some apps failing to back up data using Volume Shadow Copy Service (VSS).
Microsoft told BleepingComputer that admins can temporarily disable the NAT feature on RRAS servers to fix these problems until a fix is released.
"We are aware of the issue and working to provide a resolution. Customers experiencing this issue can temporarily disable the NAT feature on their RRAS server," a Microsoft spokesperson told BleepingComputer.
Update 6/21/22: Added statement from Microsoft