Ras connection failure

Ras_connection_failure_1_Rule (Rule)

Knowledge Base article:

Management Pack
Summary
The user's connection to the Routing and Remote Access server terminated.
 
Causes
The most common reasons for this error are:
  1. The Routing and Remote Access server couldn't receive or recognize the initial frame or data.
  2. The user has been disconnected due to inactivity.
  3. The user failed to authenticate.
  4. The authentication process did not complete within the required amount of time.
  5. Point to Point Protocol negotiation did not converge.
  6. The user password has expired.
  7. The user account has expired.
  8. The user account does not have Remote Access privilege.
  9. The Routing and Remote Access server's attempt to callback the user failed.
 
Resolutions
  1. Make sure the user specifies the correct credentials.
  2. Verify whether the network protocols are configured correctly on the client and the server.
  3. If the user password is expired, the user needs to change the password.
  4. If the user account is expired, verify whether the account needs to be continued.
  5. If the user needs to have the Remove Access privilege, enable the user for Remote Access.
  6. The user can try to reconnect to the server.
 
© 2004 Microsoft Corporation, all rights reserved.

Element properties:

TargetMicrosoft.Windows.RemoteAccess.2012.Class.VPNServer
CategoryEventCollection
EnabledTrue
Event SourceRemoteAccess
Alert GenerateFalse
RemotableTrue
Event LogSystem

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
WriteToDB WriteAction Microsoft.SystemCenter.CollectEvent Default

Source Code:

<Rule ID="Ras_connection_failure_1_Rule" Enabled="true" Target="Microsoft.Windows.RemoteAccess.2012.Class.VPNServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(20007|20008|20014|20049|20050|20073|20076|20077|20078|20079|20080|20089|20093|20094|20095|20096|20108|20109|20110|20130|20188|20195)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">RemoteAccess</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent"/>
</WriteActions>
</Rule>