Rasman service init error

Rasman_service_init_error_1_Rule (Rule)

Knowledge Base article:

Management Pack
Summary
The Remote Access Connection Manager service failed to start due to initialization failure.
 
Causes
The most common reasons for initialization failure are:
  1. The Remote Access Connection Manager service failed to start the WAN Mini Port (IP) device driver (NDISWAN). The most common reasons for this error are:
    1. The WAN Mini Port (IP) device driver (NDISWAN) failed to initialize.
    2. The Remote Access Connection Manager service does not have sufficient permissions to open the driver.
  2. The Remote Access Connection Manager service failed to create the security object. The most common reason for this error is that not enough memory is available on the server.
  3. The Remote Access Connection Manager service failed to retrieve information for this media device. The most common reasons for this error are:
    1. Media information for this device could not be retrieved from the registry.
    2. Rastapi.dll failed to load.
  4. The Remote Access Connection Manager service could not start because it failed to register with the Local Security Authority (LSA). The most common reasons for this error are:
    1. The Remote Access Connection Manager service does not have required permissions to register with the LSA.
    2. The LSA does not recognize the authentication package with which the Remote Access Connection Manager service tried to register.
  5. The Remote Access Connection Manager service failed because it encountered an error during RPC initialization. The most common reasons for this error are:
    1. The service could not load the necessary DLLs.
    2. The SYSTEM account does not have read/write permissions for the needed registry keys.
    3. Not enough memory was available on the server.
 
Resolutions
  1. Check whether the System account has read/execute permissions for the file %systemroot%\system32\drivers\ndiswan.sys. To check the permissions:
    1. Right-click the file name, and then click Properties.
    2. On the Securities tab, verify that the System account read/execute permissions for the file.
  2. If the server is low on memory, take appropriate action to increase the available memory. See Help and Support Center for information on low memory.
  3. Verify whether the following registry key exists: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\Medias If the registry key does not exist, you can create it with the following values: Name: Medias; Type: REG_MULTI_SZ; Value: rastapi
  4. Verify whether the file rastapi.dll exists in the %systemroot%\system32 folder.
  5. Verify whether the System account has read/execute permissions for rastapi.dll. To check whether the System account has these permissions:
    1. Right-click rastapi.dll, and click Properties.
    2. On the Security tab, verify whether the System account has read/execute permissions for rastapi.dll. If it does not, add them.
  6. Verify that the following DLLs exist in the %systemroot%\System32 folder:
    1. Rasman.dll
    2. Rasmans.dll
    3. Rasapi32.dll
    If any of these DLLs are not present, you must repair or reinstall the operating system. For more information about repairing and reinstalling the operating system, see Help and Support Center.
  7. Verify whether the SYSTEM account has read/write permissions for the DLLs. To check the permissions:
    1. Right-click each DLL, and click Permissions.
    2. Verify whether the SYSTEM account has read/write permissions for the DLL. If it does not, add them.
    3. If the SYSTEM account has read/write permission for all three DLLs, restart the server. If the problem persists, restart the server.
 
Sample Event
Sample Event #1: Remote Access Connection Manager failed to start because NDISWAN could notbe opened.
Sample Event #2: Remote Access Connection Manager failed to start because it could not initialize thesecurity attributes. Restart the computer. %1
Sample Event #3: Remote Access Connection Manager failed to start because it could not load one ormore communication DLLs. Ensure that your communication hardware is installed and thenrestart the computer. %1
Sample Event #4: Remote Access Connection Manager failed to start because it could not locate portinformation from media DLLs. %1
Sample Event #5: Remote Access Connection Manager failed to start because it could not registerwith the local security authority.Restart the computer. %1
Sample Event #6: Remote Access Connection Manager failed to start because the RAS RPCmodule failed to initialize. %1
 
© 2004 Microsoft Corporation, all rights reserved.

Element properties:

TargetMicrosoft.Windows.RemoteAccess.2012.Class.VPNServer
CategoryEventCollection
EnabledTrue
Event SourceRasman
Alert GenerateFalse
RemotableTrue
Event LogSystem

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
WriteToDB WriteAction Microsoft.SystemCenter.CollectEvent Default

Source Code:

<Rule ID="Rasman_service_init_error_1_Rule" Enabled="true" Target="Microsoft.Windows.RemoteAccess.2012.Class.VPNServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(20027|20028|20030|20031|20033|20132)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Rasman</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent"/>
</WriteActions>
</Rule>