Issues with remoteaccess feature - SSTP VPN

Rick Molnar 0 Reputation points

I have set up the remoteaccess feature and set up a self-signed SSL certificate VPN. I have been battling with it only allowing 1 connection. All other connection attempts would get a "no response from server" error. When the 1st connection disconnects and tries to connect later, they get the same error.

I did a fresh reinstall of the server software. I had joined an existing domain from Server Essentials 2016 and then took control of the domain and powered off the SE 2016 server. I was hoping that a fresh install would fix this. I recreated the domain and underlying features 1 by 1.

The problem continued.

In trying to debug, I had goofed up the server policies. I did a repair install.

When I got to installing the remoteaccess feature, I only selected an SSTP VPN and used the RRAS server to configure the SSTP VPN.

Now SSTPSVC starts and stops... I need some guidance to get the SSTP VPN up and running.


2 answers

  1. Jason Nguyen Tran 20,115 Reputation points Independent Advisor

    Hi Rick Molnar,

    From what you describe, the SSTPSVC service starting and stopping usually points to a certificate binding or listener configuration problem in RRAS. Since you’re using a self-signed SSL certificate, please double-check that it is correctly bound to the SSTP listener and that the certificate chain is trusted by the server and clients. Also, confirm that TCP port 443 is open and not blocked by another service.

    Another common cause is overlapping policies or misconfigured NPS rules. Since you mentioned earlier policy changes, I’d recommend reviewing the RRAS configuration and ensuring that the VPN server is allowed to handle multiple concurrent connections. You can also run netsh ras show config to verify the listener settings and confirm that the SSTP binding is active.

    If the service continues to stop, check the System and Application event logs for SSTP or RRAS errors; they often provide a more specific reason. Reinstalling RRAS with the Remote Access role and re-binding the certificate can also help clear out corrupted settings.

    Give these steps a try, and if this guidance helps you get the VPN running smoothly, please hit “accept answer” so I know it was useful.

    Jason.

    1. Rick Molnar 0 Reputation points

      Thanks for the suggestions!

      I tried removing the remoteaccess feature and installing it again - I see it creating a new certificate, but SSTPsvc still starts and stops...

      Another application that uses a TCPIP port stops working after remoteaccess feature is installed...

    2. Jason Nguyen Tran 20,115 Reputation points Independent Advisor

      The fact that SSTPSVC still starts and stops after reinstalling Remote Access and creating a new certificate suggests that the issue is not just with the certificate itself, but with how RRAS is binding and interacting with other services on the server. When another application using a TCP/IP port stops working after Remote Access is installed, it often means there is a port conflict, most commonly with TCP 443, which SSTP requires.

      Here are a few steps you can try:

      • Run netsh http show sslcert to confirm the SSL binding and check if multiple services are trying to use port 443.
      • Verify that IIS or any other web service is not already bound to 443, as this will prevent SSTP from listening correctly.
      • If another application must use 443, consider moving that application to a different port so RRAS can reserve 443 exclusively for SSTP.
      • Double‑check that the certificate is installed in the Local Computer’s Personal store and has the proper Server Authentication EKU.
      • Review the System and RRAS event logs for Event IDs related to SSTP startup—these often point directly to binding or policy conflicts.
      • If policies were previously misconfigured, you may want to reset NPS policies and re‑create them cleanly to ensure no overlapping rules are blocking multiple connections.

      Give these steps a try, and if this guidance helps you get the VPN running smoothly, please hit “accept answer” so I know it was useful.

    3. Rick Molnar 0 Reputation points

      Thanks for the quick response!
      I ended up doing a fresh server install. I set up my SSTP and managed to get a single VPN session.

      I updated the number of SSTP sessions to a number greater than 2 and rebooted the server - now RRAS won't start, saying it cannot find a file.

      If I go into remote access manager, I see an error loading vpn configuration...


  2. AI answer

    Use a structured VPN troubleshooting approach and validate each component of the SSTP/Remote Access stack.

    1. Verify basic Remote Access/VPN configuration
    • Confirm that Remote Access (RRAS) is correctly installed and configured for VPN, and that SSTP is enabled as the tunnel type.
    • Ensure the VPN server is reachable from the client over the public name used in the VPN profile:
      • On the client, open Control Panel > Network and Internet > Network Connections, open the VPN connection properties, and verify the value on the General tab resolves in DNS to the correct public IP of the VPN server.
      • If the name does not resolve, fix public DNS so the SSTP endpoint can be reached.
    2. Check network reachability and ports
    • From a remote client, verify connectivity to the VPN server’s external interface:
      • Temporarily allow ICMP on the external interface and ping the VPN server. If ping fails, the VPN server is likely not reachable.
      • Ensure any firewalls between client and server allow the required VPN ports:
        • For SSTP: TCP 443 must be open from client to the server’s external IP.
        • If Always On VPN or IKE/IPsec is also in use, ensure UDP 500 and 4500 are not blocked.
    • If only one client can connect and others get “no response from server,” check that no firewall/NAT device is limiting concurrent connections or performing aggressive session timeouts.
    3. Validate certificate and SSTP binding
    • SSTP requires a valid server certificate bound to the HTTPS listener:
      • Confirm the certificate’s subject or SAN matches the public DNS name used by clients.
      • Ensure the certificate is trusted by clients (import the issuing CA if self‑signed).
    • If using HTTP.sys/SSL bindings (for example, with SSRS or other services), verify that nothing else is incorrectly binding to port 443 and that the SSTP listener is active on that port.
    4. Check RRAS and SSTP service state
    • Confirm RRAS is running and that the SSTP service (SstpSvc) is not repeatedly starting and stopping due to configuration errors.
    • Review the Remote Access/VPN logs and application logs on the server for SSTP‑related errors.
    • If SstpSvc stops immediately, typical causes include:
      • Invalid or missing server certificate for SSTP.
      • Port 443 already in use by another service.
      • Misconfigured Remote Access role (for example, conflicting web listeners).
    5. Validate IP addressing and VPN capacity
    • On the server side, confirm that the VPN IP address pool is not exhausted:
      • If using a static IP pool, ensure there are enough addresses for multiple concurrent VPN clients.
      • If using DHCP, verify the DHCP server is reachable and the scope is not exhausted.
    • If the pool is exhausted or DHCP is unavailable, clients can fail to connect or only one client may be able to connect at a time.
    6. General Always On VPN/Remote Access checks
    • Ensure the NPS policies and authentication configuration match what the clients are using.
    • If clients can connect but then lose access or fail on subsequent attempts, verify routing and IP pools as well as any firewall rules on the internal and external NICs.

    If the issue persists after these checks, focus on:

    • Event logs for SstpSvc and RemoteAccess.
    • Certificate validity and binding to port 443.
    • IP pool/DHCP availability and firewall rules limiting concurrent connections.
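
An added example, not part of either answer above and not Microsoft's own tooling: a read-only PowerShell triage script that runs the checks both answers list for an SstpSvc start/stop loop (who owns TCP 443, the HTTP.sys SSL bindings, the certificate's store and Server Authentication EKU, recent SSTP/RRAS events). It assumes an elevated session on the RRAS server, English `netsh` output, and loose event provider name patterns chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks, nothing is changed on the server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. State of the two services named in the thread.
Get-Service -Name SstpSvc, RemoteAccess -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize

# 2. Owner of the TCP 443 listener. SSTP listens through HTTP.sys, so the
#    owner should be PID 4 (System); any other PID is a process bound directly
#    to 443 and is a candidate for the port conflict described above.
$listeners = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) { Write-Warning 'Nothing is listening on TCP 443.' }
$listeners | ForEach-Object {
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        OwnerPid     = $_.OwningProcess
        Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        DirectBind   = ($_.OwningProcess -ne 4)
    }
} | Format-Table -AutoSize

# 3. HTTP.sys SSL bindings: endpoint, certificate hash and owning application.
$bindings = netsh http show sslcert
$bindings | Select-String 'IP:port|Hostname:port|Certificate Hash|Application ID'
$boundHashes = $bindings |
    Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() }

# 4. Certificates in Local Computer\Personal: expiry, private key, EKU, and
#    whether the thumbprint is one of the hashes bound in HTTP.sys.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject        = $_.Subject
        Thumbprint     = $_.Thumbprint
        NotAfter       = $_.NotAfter
        HasPrivateKey  = $_.HasPrivateKey
        ServerAuthEku  = ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
        BoundInHttpSys = ($boundHashes -contains $_.Thumbprint)
    }
} | Format-Table -AutoSize

# 5. Warnings and errors from the last 24 hours that mention SSTP or RRAS.
#    The provider name patterns are an assumption, matched loosely on purpose.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3
                                 StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Sstp|RemoteAccess|RasMan' -or
                   $_.Message -match 'Secure Socket Tunneling' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List
```

A row with `DirectBind` set to True in step 2, or a certificate whose `BoundInHttpSys` is False while a different hash is bound to port 443 in step 3, narrows the problem to the port conflict or the certificate binding respectively.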
