New Windows updates KB5009543, KB5009566 break L2TP VPN connections


Update 01/17/21: Microsoft has released OOB updates to address Windows L2TP VPN connection issues.

Windows 10 users and administrators are reporting issues establishing L2TP VPN connections after installing the recent Windows 10 KB5009543 and Windows 11 KB5009566 cumulative updates.

Yesterday, Microsoft released Windows updates that fix security vulnerabilities and bugs as part of the January 2022 Patch Tuesday.

These updates include KB5009566 for Windows 11 and KB5009543 for Windows 10 2004, 20H1 and 21H1.

Updates break L2TP connections

After installing yesterday’s updates, Windows users find that their L2TP VPN connections fail when they attempt to connect using the built-in Windows VPN client.

When they attempt to connect to a VPN device, an error is displayed stating “Unable to connect to VPN. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer,” as shown below.

Windows error when connecting to an L2TP VPN

The event log will also record entries with error code 789, indicating that the VPN connection failed.

Windows event log when L2TP VPN connection fails

The bug does not affect all VPN devices and appears to only affect users using the built-in Windows VPN client to establish the connection.

A security researcher known as Ronny on Twitter told BleepingComputer that the bug affects their Ubiquiti Client-to-Site VPN connections for those using the Windows VPN client.

Many Windows admins are also reporting on Reddit that the bug affects connections to SonicWall, Cisco Meraki, and WatchGuard firewalls, with the latter’s own client also affected.

With many users still working remotely, administrators were forced to remove updates KB5009566 and KB5009543, which immediately fixes L2TP VPN connections on reboot.

Windows users can remove updates KB5009566 and KB5009543 using the following commands from an elevated command prompt.

Windows 10: wusa /uninstall /kb:5009543
Windows 11: wusa /uninstall /kb:5009566

However, because Microsoft bundles all security updates into a single Windows Cumulative Update, removing the update will remove all fixes for vulnerabilities fixed in January’s Patch Tuesday.

Therefore, Windows administrators must weigh the risk of leaving these vulnerabilities unpatched against the disruption caused by users being unable to establish VPN connections.
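As an added example (not from the article or from Microsoft), the following PowerShell triage script helps an administrator make that decision on a given machine: it checks whether one of the affected cumulative updates is installed and whether the Application log has recorded RasClient VPN failures with error 789 since the update was applied. The RasClient event ID 20227 and its message wording are assumptions not stated in the article; run it in an elevated PowerShell session.

```powershell
# Assumptions (not from the article): RasClient logs a failed connection as
# event ID 20227 in the Application log with the text "The error code returned
# on failure is N"; Get-HotFix lists cumulative updates by their KB id.
$affectedKbs = @('KB5009543', 'KB5009566')   # Windows 10 / Windows 11 January 2022 CUs

function Get-AffectedUpdate {
    # Returns the Get-HotFix object for the first affected KB found, or $null
    foreach ($kb in $affectedKbs) {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        if ($hf) { return $hf }
    }
    return $null
}

function Get-L2tpFailures {
    param([datetime]$Since)
    # Pull RasClient "connection failed" events and keep those reporting error 789,
    # the code the article says is recorded when the L2TP connection fails.
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'failure is 789' } |
        Select-Object TimeCreated, Message
}

$update = Get-AffectedUpdate
if (-not $update) {
    Write-Host 'Neither KB5009543 nor KB5009566 is installed; the L2TP regression does not apply here.'
    return
}

# InstalledOn can be empty for some updates; fall back to the last seven days.
$since = if ($update.InstalledOn) { $update.InstalledOn } else { (Get-Date).AddDays(-7) }
Write-Host ("{0} is installed (since {1})." -f $update.HotFixID, $since)

$failures = @(Get-L2tpFailures -Since $since)
if ($failures.Count -gt 0) {
    Write-Host ("{0} VPN failure(s) with error 789 logged since the update:" -f $failures.Count)
    $failures | Format-Table -AutoSize
    # Removal command from the article; note it also drops every other January 2022 fix.
    $kbNumber = $update.HotFixID -replace 'KB', ''
    Write-Host "To remove the update: wusa /uninstall /kb:$kbNumber"
} else {
    Write-Host 'No error-789 VPN failures logged since the update was installed.'
}
```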

The cause of the bug is unclear, but Microsoft’s January patch fixed numerous vulnerabilities in the Windows Internet Key Exchange (IKE) protocol (CVE-2022-21843, CVE-2022-21890, CVE-2022-21883, CVE-2022-21889, CVE-2022-21848 and CVE-2022-21849) and in the Windows Remote Access Connection Manager (CVE-2022-21914 and CVE-2022-21885), which could be the origin of the problems.

Microsoft confirms bug and provides mitigation

Microsoft confirmed on Thursday that “Some IPSEC connections may fail” and will fix the problem in an upcoming version of Windows.

“After installing KB5009543, IP Security (IPSEC) connections that contain a vendor ID may fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) may also be affected.”

Microsoft states that it may be possible to mitigate the bug by disabling “Vendor ID”, if possible, on the VPN server.

“To mitigate the issue for some VPNs, you can disable Provider ID in server-side settings. To note: Not all VPN servers have the ability to disable the use of Provider ID,” Microsoft explains in a new known issue update.

On January 17, Microsoft released out-of-band updates to resolve Windows L2TP VPN connection issues and several critical issues on Windows Server.

You can find more information about these updates in our dedicated article “Microsoft releases emergency fixes for Windows Server, VPN bugs”.

Update 01/13/22: Added update with more information from Microsoft.
Update 01/17/21: Added information about new OOB updates.