EAP! Event logs are full of DLL path validation errors

by Ed Sparks

Once again, Tier 1 PC vendors are failing to send out products with proper drivers and clean, smoothly operating OS builds.  

It's shocking that in this era of Ultrabooks and tablets - all aimed at a premium market and with premium prices to match - vendors still send out systems littered with terrible bloatware, outdated drivers, and long lists of outstanding OS updates waiting.  Often even the OS itself is a full version or more behind current.

We're particularly looking at you, Dell!

The latest cases we're seeing are from current Dell and Lenovo systems with Haswell ("4th Generation Intel Core") chipsets and Intel WiFi onboard.  On these systems, the System Event Logs are littered with entries similar to this:

The description for Event ID 2002 from source Microsoft-Windows-EapHost cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event: 
Eap method DLL path
25
9
0
0
The handle is invalid

As is also often the case, the corporate tech support sites were of no use, and the available driver updates from the vendor did nothing to clear the events or resolve the root cause.

Our own investigation found that the issue appears to be caused by some Cisco-specific EAP registry keys being added without the proper driver or backing software.

The solution? Fire up our old friend RegEdit and look under the following registry path:

HKLM\System\CurrentControlSet\Services\Eaphost\Methods\311

There will be several entries referencing paths for Cisco drivers or DLLs that don't exist. Remove any keys of this type.

No reboot is necessary, and the errors go away immediately.

We've also found this resolves some Cisco and other third-party IPSec VPN issues as well.
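The manual RegEdit check above can be scripted as a report-first audit. This is an added example, not code from the original article: it assumes the dead references are stored as string values holding an absolute path ending in .dll, and the backup file name is our own choice.

```powershell
# Added example (not from the original article): report-only audit of EAP method
# registrations whose DLL path values point at files that do not exist.
# Run from an elevated 64-bit PowerShell; a 32-bit host sees System32 redirected.
function Get-BrokenEapDllReference {
    [CmdletBinding()]
    param(
        # Registry path taken from the article; pass another root to widen the audit.
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EapHost\Methods\311'
    )

    # Include the root key itself plus every subkey beneath it.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction Stop)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Only string-typed values can hold a file path.
            if ([string]$key.GetValueKind($name) -notin 'String', 'ExpandString') { continue }
            # GetValue() expands %SystemRoot% etc. for REG_EXPAND_SZ; trim stray quotes.
            $path = ([string]$key.GetValue($name)).Trim('"', ' ')
            # Assumption: only absolute paths ending in .dll are treated as DLL references.
            if ($path -notmatch '\.dll$' -or -not [IO.Path]::IsPathRooted($path)) { continue }
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; MissingPath = $path }
            }
        }
    }
}

$broken = @(Get-BrokenEapDllReference)
$broken | Format-Table -AutoSize -Wrap

if ($broken.Count -gt 0) {
    # Back up the whole branch before touching anything (backup file name is an assumption).
    $backup = Join-Path $env:TEMP 'eaphost-methods-311-backup.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Methods\311' $backup /y | Out-Null

    # Dry run: -WhatIf only prints what would be deleted. Drop it after reviewing the list.
    $broken.Key | Sort-Object -Unique | ForEach-Object {
        Remove-Item -LiteralPath "Registry::$_" -Recurse -WhatIf
    }
}
```

Review the reported keys against the software actually installed before removing `-WhatIf`; the exported .reg file restores the branch if a deleted method turns out to be needed.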

806 - Actiontec Killed the VPN Star

by Ed Sparks

This was one of those "pull your hair out" cases, with a completely non-obvious cause and, thankfully, a surprise happy ending.

While troubleshooting a VPN connection problem for a client, we noted the inability to connect to some PPTP VPN servers while behind any TELUS (Canadian ISP) provided Actiontec V1000H DSL modem/router.

Of course, we didn't initially connect the dots, and tried all manner of troubleshooting steps related to the client OS (Windows 8, 8.1, 7 and 2008 were all unsuccessful, as was iOS). Strangely, some Hyper-V hosted test VMs were able to connect, which indicates that they somehow must encapsulate the packets differently.

After much head-scratching and hyper-specific web searches, a few articles were found discussing Actiontec devices arbitrarily blocking GRE - the mysterious and troublesome protocol that allows PPTP to work.  

Sure enough, if we then tried all of the same devices connecting to PPTP over a cellular connection - bingo - they worked like a charm!  This ruled out the OS at least.

Sadly, these combo router/wifi/modems provided by telcos are wonderfully non-user-serviceable and tend to be patched and upgraded at the whim of the provider.  We needed a resolution though, as these are widely deployed with our customers and their employees, so this could be a big support nightmare.

In a rare win, however, TELUS came through and provided a heavily upgraded firmware for the device which not only resolved this issue, but improved the overall DSL connection speed and dramatically improved wireless range, stability and performance. As a bonus they've added IPv6 support internally, and for a future external deployment.

Solve your headaches: call TELUS (or your local equivalent) if you have an Actiontec V1000H or V2000H and ask for early access to the latest firmware.  It makes a dramatic difference.  Your VPNs and WiFi devices will thank you!

The magic firmware versions:
V1000H:   31.121L.11
V2000H:   31.122L.11

On the flip-side - the broken buggy firmware version appears to be 31.30l.57.

For another common and annoying issue with Windows L2TP VPNs see our older article here.

Yes, we know PPTP is ancient and proven somewhat insecure, but it's still generally the easiest to get going for basic needs without all the bother of IPSEC or certificates.

Fix L2TP and PPTP VPNs on Windows Vista/7/8/2008/R2/2012

by Ed Sparks

Update 1: PPTP Broken? Read our latest article!

Update 2: Even more VPN grief - this time with Windows 8/8.1 Metro and PPTP.  See this article for the solution to "Error 850: The Extensible Authentication Protocol type required..."

 

For "security reasons" Microsoft somewhat broke the implementation for L2TP/IPSec (and in some cases PPTP) VPNs in Windows Vista/7/2008 R2.  This was due to an architectural change made in these OS versions to disable NAT Traversal functionality for these protocols by default.

This means that while your old XP machine or iPhone will connect, your brand new Windows 7 or 8 system will spin its wheels hopelessly and eventually error out.  A strange, non-obvious and questionable default choice, in our opinion.  You are likely experiencing this issue if you try to connect with L2TP and get error numbers such as 800, 794 or 809.

Thankfully you can bring back the old behaviour with a couple of changes: a registry key and a Hotfix. 

On your Windows Vista, 7 or 8 client machine change or add the following registry item:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\

New DWORD (32-bit) Value: AssumeUDPEncapsulationContextOnSendRule
Set the value to 2

This allows the client or server to be behind a NAT firewall.

Reboot after making the change, and retry the connection.  If there are still issues, you may have to apply the following Hotfix:

You cannot establish an IPsec tunnel to a computer that is running Windows 7 or Windows Server 2008 R2 through a NAT device

Better still?  Start using SSTP VPNs, which work through virtually any NAT or firewall device much more consistently and only require a cheap or free public SSL certificate.

This article has more information, and a link to Microsoft's extensive VPN guide.