Microsoft Knowledge Base Archive

Introduction

This guide helps you understand and troubleshoot VPN profile issues that you may encounter when you use Microsoft Intune.

This article is divided into the following sections:

Overview of VPN profiles
Creating VPN profiles
Assigning VPN profiles
What successful VPN profiles look like on your device
Entries in Company Portal logs of successful VPN profile deployment
Troubleshooting common issues

The examples in this guide use SCEP certificate authentication for these profiles and assume that the Trusted Root and SCEP profiles work correctly on the device. In the examples, the Trusted Root and SCEP profiles are named as follows.

	Android	iOS	Windows
Trusted Root Profile	AndroidRoot	iOSRoot	WindowsRoot2
SCEP profile	AndroidSCEP	iOSSCEP	WindowsSCEP2

↑ Back to the top

Overview of VPN profiles

Virtual private networks (VPNs) give your users secure remote access to your organization network. Devices use a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your organization so that they can easily and securely connect to your organizational network.

For example, you want to configure all iOS devices to have the required settings to connect to a file share on the organization network. You create a VPN profile that includes these settings. Then, you assign this profile to all users who have iOS devices. The users see the VPN connection in the list of available networks and can connect with minimal effort.

You can create VPN profiles by using different VPN connection types.

Note Before you can use VPN profiles that are assigned to a device, you must install the applicable VPN app for the profile.

↑ Back to the top

Creating VPN Profiles

To create a VPN profile, follow the steps in the "Create a device profile" section of the following Microsoft Docs article:

Create VPN profiles to connect to VPN servers in Intune

The Properties screen on the supported platforms resembles the following examples:

For Android

4519426_1

Note In the examples, the connection type for Android and iOS VPN profile is Cisco AnyConnect, and the one for Windows 10 is Automatic. Also, the VPN profile is linked to the SCEP profile.

For more information about how to create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile, see EAP configuration.

↑ Back to the top

Assigning VPN Profiles

After you create the VPN profile, assign the profile to selected groups.

See the following Assignments screen examples.

For Android

4519426_4

↑ Back to the top

What successful VPN profiles look like on your device

For Android

The following is an example of Nokia 6.1 device. Because the Trusted Root and SCEP profiles are already installed on the device, you won't be prompted to install the SCEP certificates.

You receive a notification to install the corporate VPN profile:
In the AnyConnect app, because External Control is currently disabled, tap the Change Setting button to enable External Control.
In the AnyConnect app, select the SCEP Certificate.

Note If you use a device administrator-managed Android device, there may be multiple certificates. This is because the certificates aren’t revoked or removed when a certificate profile is changed or removed. In this case, select the latest certificate. Usually, this is the last one in the list of certificates.

This situation doesn’t occur on Android Enterprise and Samsung Knox devices. For more information, see Manage Android work profile devices with Intune and Remove SCEP and PKCS certificates in Microsoft Intune.
The VPN connection is successfully created.

↑ Back to the top

Entries in Company Portal logs of successful VPN profile deployment

For Android

On an Android device, the Omadmlog.log file logs detail activities of the VPN profile when it's processed on the device. Depending on how long the Company Portal app has been installed, you may have up to five Omadmlog log files. You can use the timestamp of the last sync to help find the related entries.

The following example uses CMTrace to read the logs and uses “android.vpn.client” as the search string filter.

4519426_21

Sample log snippet:

2019-08-02T20:31:36.7120000   INFO   com.microsoft.omadm.platforms.android.vpn.client.IntentVpnProfileProvisionStateMachine   13229   00622   Notifying to provision vpn profile 'AnyConnect'.
2019-08-02T20:31:36.7620000   INFO   com.microsoft.omadm.platforms.android.vpn.client.IntentVpnProfileProvisionStateMachine   13229   00622   VPN Profile "AnyConnect" state changed from RECEIVED to PENDING_USER_INSTALL
2019-08-02T20:33:49.3810000   VERB   com.microsoft.omadm.platforms.android.vpn.client.VpnClient   13229   00002   Creating VPN Provision Intent: anyconnect://create/?host=VPN.contoso.com&name=AnyConnect&usecert=true&keychainalias=UserID
2019-08-02T20:33:49.4270000   INFO   com.microsoft.omadm.platforms.android.vpn.client.IntentVpnProfileProvisionStateMachine   13229   00002   Vpn profile 'AnyConnect' provisioned and complete.
2019-08-02T20:33:49.4290000   INFO   com.microsoft.omadm.platforms.android.vpn.client.IntentVpnProfileProvisionStateMachine   13229   00002   VPN Profile "AnyConnect" state changed from PENDING_USER_INSTALL to PROVISIONED

↑ Back to the top

Troubleshooting common issues

Issue 1: The VPN profile isn't deployed to the device

For Android

Verify that the VPN profile is assigned to the correct group.

In the Intune portal, go to Device configuration > Profiles, select Assignments, and then examine the selected groups.

Also, review the Assignments information in the Troubleshoot pane.
Verify that the device can sync with Intune by checking the Last Check In time in the Troubleshoot pane.
If the VPN profile is linked to the Trusted Root and SCEP profiles, verify that both profiles have been deployed to the device. The VPN profile has a dependency on these profiles.

If the Trusted Root and SCEP profiles aren't installed on the device, you will see the following entry in the Company Portal Omadmlog file:

2019-08-08T20:30:37.6400000 INFO com.microsoft.omadm.platforms.android.vpn.client.IntentVpnProfileProvisionStateMachine 14210 00948 Waiting for required certificates for vpn profile 'androidVPN'.

Note There is a scenario when the Trusted Root and SCEP profiles are on the device and compliant, but the VPN profile is still not on the device. This issue occurs when the CertificateSelector provider from the Company Portal app doesn't find a certificate that matches the specified criteria. The specific criteria can be on the Certificate Template or in the SCEP profile. If matching certificate isn't found, the certificates on the device will be excluded, this will result in the skipping of the VPN profile because it doesn’t have the right certificate. In this scenario, you see the following entry in the Company Portal Omadmlog file:

Waiting for required certificates for vpn profile 'androidVPN'.

The following is a sample log snippet in which certificates are excluded because the Any Purpose Extended Key Usage
(EKU) criteria was specified but the certificates that are assigned to the device don’t have that EKU:

2018-11-27T21:10:37.6390000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User<ID1> and requestId <requestID1> as it does not have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User<ID2> and requestId <requestID2> as it does not have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s) matched criteria:
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 2 cert(s) excluded by criteria:
2018-11-27T21:10:37.6400000 INFO com.microsoft.omadm.platforms.android.vpn.client.IntentVpnProfileProvisionStateMachine 14210 00948 Waiting for required certificates for vpn profile '<profile name>'.

In this example, the SCEP profile has the option of Any Purpose EKU specified but it is not specified in the Certificate Template on the certificate authority (CA). To fix the issue, add the Any Purpose option to the certificate template, or remove the Any Purpose option from the SCEP profile.
Verify that External Control of AnyConnect is Enabled.

External Control must be enabled so the profile can be created. When the profile is pushed to the device, the user is prompted to enable External Control.
Verify that all required certificates in the complete certificate chain are on the device. Otherwise, you see the following entry in the Company Portal Omadmlog file:

Waiting for required certificates for vpn profile 'androidVPN'.

For more information, see Missing intermediate certificate authority.

Issue 2: The VPN profile is deployed to the device, but the device can't connect to the network

Typically, this is not an Intune issue. There can be multiple causes of a connectivity issue. The following items that may help you understand and troubleshoot the issue:

Can you manually connect to the network by using a certificate by using the same criteria that's specified in the VPN profile?

If so, examine the properties of the certificate that you used in the manual connection, and make change to the Intune VPN profile accordingly.
For Android and iOS devices, did the VPN client Application logs show that the device tried to connect by using the VPN profile? Usually, connectivity errors are logged in the VPN client Application logs.

For Windows devices, did the Radius server log show that the device tried to connect by using the VPN profile? Usually. connectivity errors are logged in the Radius server log.
Example: How to view logs in the AnyConnect app on Android devices
1. Tap Menu, and select Diagnostics.
2. Select Certificate Management to view the certificates.
3. Select Logging and System Information, and tap the Debug tab to view logs to analyze AnyConnect issues.
4. To send logs, tap Menu > Send Logs, and select Report to Administrator.
5. After you get the debug logs, examine the debug_logs_unfiltered.txt file for profile creation and connection information.
  
  Sample log snippet for VPN creation:
  
  08-02 16:40:22.787 I/AnyConnect(14530): URIHandlerActivity: Received command: anyconnect://create?host=VPN.Contoso.com&name=AnyConnect&usecert=true&keychainalias=UserID
  08-02 16:40:22.815 I/AnyConnect(14530): VpnService: VpnService is being created.
  
  Sample log snippet for VPN connection failure:
  
  08-02 16:44:50.316 I/vpnapi (14530): Message type information sent to the user: Contacting VPN.Contoso.com.
  08-02 16:44:50.319 I/vpnapi (14530): Initiating VPN connection to the secure gateway https://VPN.Contoso.com
  08-02 16:44:50.322 I/acvpnagent(14592): Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
  08-02 16:44:50.325 I/acvpnagent(14592): Function: processConnectNotification File: MainThread.cpp Line: 14616 Received connect notification (host VPN.Contoso.com, profile N/A)
  08-02 16:44:50.388 W/acvpnagent(14592): Function: getHostIPAddrByName File: SocketSupport.cpp Line: 344 Invoked Function: ::getaddrinfo Return Code: 11 (0x0000000B) Description: unknown
  08-02 16:44:50.392 W/acvpnagent(14592): Function: resolveHostName File: HostLocator.cpp Line: 710 Invoked Function: CSocketSupport::getHostIPAddrByName Return Code: -31129588 (0xFE25000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO
  08-02 16:44:50.392 W/acvpnagent(14592): Function: ResolveHostname File: HostLocator.cpp Line: 804 Invoked Function: CHostLocator::resolveHostName Return Code: -31129588 (0xFE25000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO failed to resolve host name VPN.Contoso.com to IPv4 address
  08-02 16:44:50.553 I/vpnapi (14530): Message type warning sent to the user: Connection attempt has failed.
  08-02 16:44:50.553 E/vpnapi (14530): Function: processIfcData File: ConnectMgr.cpp Line: 3399 Content type (unknown) received. Response type (DNS resolution failed) from VPN.Contoso.com: DNS resolution failed
  08-02 16:44:50.553 I/vpnapi (14530): Message type warning sent to the user: Unable to contact VPN.Contoso.com.
  08-02 16:44:50.554 E/vpnapi (14530): Function: processIfcData File: ConnectMgr.cpp Line: 3535 Unable to contact VPN.Contoso.com DNS resolution failed
  08-02 16:44:50.554 I/vpnapi (14530): Message type error sent to the user: The VPN connection failed due to unsuccessful domain name resolution.

↑ Back to the top

More information

If you’re still looking for a solution to a related problem, or if you want more information about Intune, post a question in our Microsoft Intune forum. Many support engineers, MVPs, and members of our development team visit the forums. So, there’s a good chance that you can find someone who has the information that you need.

If you want to open a support request with the Microsoft Intune Support team, see the following article:

How to get support for Microsoft Intune

For more information about VPN profiles in Microsoft Intune, see the following articles:

For all the latest news, information, and tech tips, visit our official blogs:

↑ Back to the top

Article ID	:	4519426
Revision	:	56
Created on	:	9/25/2019
Published on	:	9/25/2019
Exists online	:	False
Views	:	632

Microsoft KB Archive Search

Troubleshooting VPN profile issues in Microsoft Intune

Introduction

Overview of VPN profiles

Creating VPN Profiles

Assigning VPN Profiles

What successful VPN profiles look like on your device

Entries in Company Portal logs of successful VPN profile deployment

Troubleshooting common issues

Issue 1: The VPN profile isn't deployed to the device

Issue 2: The VPN profile is deployed to the device, but the device can't connect to the network

More information

Applies to: