This month's Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled.
RRAS is a Windows Server role and service that provides routing and remote access features, including remote-access and site-to-site connectivity over virtual private network (VPN) or dial-up connections, and, optionally, Network Address Translation (NAT) for the networks it routes between.
Last week, Microsoft released the Windows Server 2012 R2 KB5014746, the Windows Server 2019 KB5014692, the Windows Server 20H2 KB5014699, and the Windows Server 2022 KB5014678 updates as part of the June 2022 Patch Tuesday.
However, after deploying these recent updates, Windows admins have reported experiencing multiple issues that could only be resolved after completely uninstalling the updates.
One of the more severe problems is the servers freezing for several minutes after a client connects to the RRAS server with SSTP.
Windows Remote Desktop and VPN connectivity issues
The vast majority of reports related to these problems coming in since Patch Tuesday have a common theme: losing Remote Desktop and VPN connectivity to servers with Routing and Remote Access Service (RRAS) enabled where the June Windows Server Updates have been installed.
"What I saw after the June updates were installed was that no TCP connections established from either the client-side or the server-side would ever get up and running. I couldn't do a basic RDP session into the server either (even where a VPN isn't needed because I'm connecting from a management PC within the same trusted subnet)," one admin told BleepingComputer.
"Furthermore, no remote VPN/RRAS clients could connect to the server (which was the reason why the server was configured for NAT routing in the first place)."
"SSTP failed entirely [..] as well as RDP. RDP also failed to our IKE RRAS servers even though IKE connections continued to work (still not quite sure how)," another one said.
"We ended up using the GCP console interface to get into those servers, to get the RRAS (Routing and Remote Access service) setup not to start so that after a reboot we could remote in and revert the patches."
Multiple other admins [1, 2, 3, 4, 5, 6] have also reported on Reddit and in comments to BleepingComputer stories that they're having issues with L2TP/SSTP VPN clients and RDP failing to connect after deploying the June Windows Server updates.
"Problem goes away after rolling back. Problem occurred a second time after this patch was reinstalled. Rolling back fixed the issue, again. We experienced this problem from two different RRAS servers from two different locations -single domain," one of them explained.
While Microsoft has not said what is causing these issues, the June updates include a fix for CVE-2022-30152, a 'Windows Network Address Translation (NAT) Denial of Service Vulnerability', and a change to the Windows NAT code is a plausible source of the RRAS connectivity bugs.
How to fix
Unfortunately, at the time of writing Microsoft had not yet acknowledged these connectivity problems or provided a fix, so the only way to restore connectivity on affected servers is to uninstall the cumulative update for your Windows Server version.
Admins can do this from an elevated command prompt using one of the following commands (wusa takes the bare article number after /kb:, without the 'KB' prefix):
Windows Server 2012 R2: wusa /uninstall /kb:5014746
Windows Server 2019: wusa /uninstall /kb:5014692
Windows Server 20H2: wusa /uninstall /kb:5014699
Windows Server 2022: wusa /uninstall /kb:5014678
However, given that Microsoft bundles all security fixes within a single update, removing this month's cumulative update may fix the bugs but will also remove all security patches for vulnerabilities addressed during the June Patch Tuesday.
Therefore, before uninstalling these updates, you should ensure that it is absolutely necessary and that reviving RDP or VPN connectivity on your servers is worth the increased security risks.
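The removal procedure above, as an added PowerShell example that is not part of the original article: it picks the June 2022 KB that matches the running Windows Server build, checks that RRAS is actually in use and that the update is installed, and only then calls wusa.exe. The KB numbers are the ones listed above; mapping them to OS build numbers (9600 = 2012 R2, 17763 = 2019, 19042 = 20H2, 20348 = 2022) and the service-state check are this example's own assumptions.

```powershell
# Added example, not from the BleepingComputer article. Run from an elevated
# PowerShell session on the affected RRAS server itself (not over the VPN you
# are trying to fix). Build-to-KB mapping is an assumption of this example.
$juneUpdates = @{
    '9600'  = '5014746'   # Windows Server 2012 R2
    '17763' = '5014692'   # Windows Server 2019
    '19042' = '5014699'   # Windows Server 20H2
    '20348' = '5014678'   # Windows Server 2022
}

# Win32_OperatingSystem reports the real build even on hosts where
# [Environment]::OSVersion is clamped by compatibility shims.
$build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if (-not $juneUpdates.ContainsKey($build)) {
    throw "Build $build is not one of the Windows Server versions the article covers."
}
$kb = $juneUpdates[$build]

# Removing the rollup only makes sense where RRAS is running and the update is present.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $rras -or $rras.Status -ne 'Running') {
    Write-Warning "RemoteAccess (RRAS) is not running here; the article's symptoms do not apply."
}
if (-not (Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue)) {
    Write-Host "KB$kb is not installed on this host; nothing to remove."
    return
}

# wusa wants the bare number after /kb:, without the 'KB' prefix.
# /norestart leaves the reboot to you; the removal only takes effect after it.
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
switch ($proc.ExitCode) {
    0    { Write-Host "KB$kb removed; reboot to finish." }
    3010 { Write-Host "KB$kb removed; reboot required to finish (exit 3010)." }
    default {
        Write-Warning "wusa exited with $($proc.ExitCode); check $env:windir\Logs\CBS\CBS.log"
    }
}

# What you just gave up: the entire June rollup, not only the RRAS change.
# Confirm after the reboot with: Get-HotFix -Id "KB$kb"  (should return nothing).
```

Get-HotFix reads Win32_QuickFixEngineering, which lists cumulative updates by KB number, so the same query confirms the removal after the reboot. Because the host will be missing every June fix until a corrected update ships, treat the window between uninstalling and reinstalling as elevated risk, particularly on RRAS servers that sit on a public IP.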
As we previously reported, Microsoft is also working on addressing another known issue affecting both client and server platforms, causing connectivity issues when using Wi-Fi hotspots after installing the June Windows updates.
Furthermore, this month's Windows updates may also cause backup issues on Windows Server systems, with some apps failing to backup data using Volume Shadow Copy Service (VSS).
Microsoft told BleepingComputer that admins can temporarily disable the NAT feature on RRAS servers to fix these problems until a fix is released.
"We are aware of the issue and working to provide a resolution. Customers experiencing this issue can temporarily disable the NAT feature on their RRAS server," a Microsoft spokesperson told BleepingComputer.
Update 6/21/22: Added statement from Microsoft
Comments
SiegfriedB - 1 year ago
I hope there is a fix soon, as RRAS servers, especially if they do NAT, are usually exposed to the internet with a public IP. Leaving them unpatched is just asking for trouble, but I don't see another way at the moment.
Markpiz - 1 year ago
I can attest to the fact that on the Windows 2016 and Windows 2019 servers that I manage, I have no trouble with SSTP VPN access for me and my users and I have no trouble with RDP connections AFTER installing the June Patch Tuesday updates.
lgkwang - 1 year ago
Hi Markpiz, do you have the NAT routing feature turned on when using SSTP VPN with RRAS?
Markpiz - 1 year ago
"Hi Markpiz, do you have the NAT routing feature turned on when using SSTP VPN with RRAS?"
NAT routing is not being done on either of these networks on the Windows Server boxes.
All of the LAN nodes (including VPN client outbound traffic) route out through an external Cisco router/firewall. The Cisco router/firewall does a 1<->1 NAT from a dedicated external IP to the inside network address of each of the respective SSTP VPN servers.
lgkwang - 1 year ago
Thanks for the info Markpiz. Yeah... to me it seems uniquely related to the NAT engine in Windows, either server-land with RRAS or on consumer editions with Wi-Fi Hosted Network.
mikejba - 1 year ago
Agreed, I have NAT enabled on my RRAS based SSTP VPN and that breaks with the patch installed. Works fine after removing the update.
mikejba - 1 year ago
I thought I was going nuts today deploying an RRAS based SSTP server on Windows 2019. Only when I crossed checked against a dev system that turned out to have similar issues did I start looking online for similar problems.
Yep, had the weird freezing, sometimes worked, sometimes didn't. I uninstalled the June update and it works flawlessly again. Way to go Microsoft.
fairlane32 - 1 year ago
Time to bring back Mac Server and ditch the brain dead’s over at Redmond. Where are they getting these people from, the local zoo?
serghei - 1 year ago
If Mac Server is macOS Server, I have some bad news ...
"As of April 21, 2022, Apple has discontinued macOS Server. Existing macOS Server customers can continue to download and use the app with macOS Monterey."
https://support.apple.com/en-us/HT208312
HARIOMSAI7 - 1 year ago
Windows Server 2012 R2: wusa /uninstall /kb:5014746
Windows Server 2019: wusa /uninstall /kb:5014692
Windows Server 20H2: wusa /uninstall /kb:5014699
Windows Server 2022: wusa /uninstall /kb:5014678
https://ss64.com/nt/wusa.html
https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19
mikejba - 1 year ago
"We are aware of the issue and working to provide a resolution. Customers experiencing this issue can temporarily disable the NAT feature on their RRAS server"
Yeah, cos if we've got NAT enabled it's for no reason at all, right? #eyeroll
elmernet - 1 year ago
https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2022-patch-tuesday-fixes-1-zero-day-55-flaws/?sa=1#cid23693
But what a nice solution! Microsoft: "I made a mistake and stopped your NAT and RRAS, so momentarily don't use those services until I fix the mistake I made. In the meantime, stop all your infrastructure and in its own way."
Well, the conclusion is that if there was a security flaw that justified the June/22 Patch Tuesday, then now no one will invade our systems anymore... not even we can use them ourselves.
danno3 - 1 year ago
Supposedly a hotfix KB5014699 was released about 2 weeks later and it solved the issue for some. For us - NOT! If the RRAS service is enabled and VPN is attempted, it completely breaks networking (RDP, etc.) and since we're using a cloud server (Amazon), this is a fatal blow with still no solution. Here's what I had tried:
- uninstalling KB5014692 - kept failing uninstall, even after trying things like clearing out the update catalog, using command line wusa ..., etc.
- No ability to take simple images of an AWS server and restore from external disk, can only take 'snapshots' and create new instance from it. This takes all day to recover from since all software licensing becomes invalidated, so passed on this (didn't need VPN at this time). Besides, because it's an AWS server, don't have complete control to prevent the reinstall. Also, don't know how to block this 'bad' update, but allow future updates. Windows Server doesn't allow 'hiding' of updates.
- Now, the VPN is needed again and I'm trying to avoid the difficulty of configuring a 3rd party VPN (such as OpenVPN), especially since the built-in VPN (using L2TP/IpSec) was working prior to KB5014692.
- checked ipnat.sys - has even newer version than what's included in KB5014699
- can't install KB5014699 - it's blocked with error 'this update not applicable...'. Shouldn't need to do this if the concept of 'cumulative updates' applies, since several months worth of cumulative updates have been installed since 6/2022.