Dear Community,
My Situation and Problem:
I have set up a second DirectAccess entry point (Server 2012) for my Windows 7 clients.
One DA server is located in Austria, the other one is located in the US. (I did this because of latency issues.)
The DA server in Austria has been up and running for over a month without any problems. It's working really great.
The new DA server in the US is my problem at the moment. (You have to know that I haven't created a multisite deployment yet, because we don't want clients to choose their site by themselves, because of timing issues.)
Now, my problem is: if a Windows 7 client tries to establish a DA connection, it works for about 10-12 seconds (I get 12 ping replies if I ping my domain). After 12 ping replies, it drops the DirectAccess connection, and it takes about 3-10 minutes until it is up and running again. (It's all via IP-HTTPS.)
That's just at the US site. My Austrian clients need about 5 seconds to connect to their site.
Actually, I have one single domain. The CRL is published.
The DA appliance is reachable from external.
Certificates are also looking good (otherwise it would not work after a couple of minutes).
I have seen the following event log messages (Security log); look at the time stamps:
************************************************************************************************************
Logged: 15.04.2014 15:06:45
An IPsec quick mode security association was established.
Local Endpoint:
Network Address: -
Network Address mask: -
Port: 0
Tunnel Endpoint: 2002:d8d6:f652:1000:ad74:80fd:720f:9a7
Remote Endpoint:
Network Address: fdbc:c182:958e:7777::c0a8:1017
Network Address Mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Port: 0
Private Address: -
Tunnel Endpoint: 2002:d8d6:f652::d8d6:f652
Protocol: 0
Keying Module Name: -
Cryptographic Information:
Integrity Algorithm - AH: -
Integrity Algorithm - ESP: SHA-1
Encryption Algorithm: AES-192
Security Association Information:
Lifetime - seconds: 3600
Lifetime - data: 100000
Lifetime - packets: 2147483647
Mode: Tunnel
Role: Initiator
Quick Mode Filter ID: 240325
Main Mode SA ID: 24
Quick Mode SA ID: 39
Additional Information:
Inbound SPI: 3737530002
Outbound SPI: 1911190268
Virtual Interface Tunnel ID: 0
Traffic Selector ID: 0
*************************************************************************
Logged: 15.04.2014 15:06:47
An IPsec main mode security association ended.
Local Network Address: 2002:d8d6:f652:1000:ad74:80fd:720f:9a7
Remote Network Address: 2002:d8d6:f652:5::1
Keying Module Name: AuthIP
Main Mode SA ID: 23
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
An IPsec main mode security association ended.
Local Network Address: 2002:d8d6:f652:1000:ad74:80fd:720f:9a7
Remote Network Address: 2002:d8d6:f652::d8d6:f652
Keying Module Name: AuthIP
Main Mode SA ID: 24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logged: 15.04.2014 15:14:46
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 2002:d8d6:f652:1000:1c59:c185:6bee:daba
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:d8d6:f652::d8d6:f652
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured.
State: No state
Initiator Cookie: 353cdaf2266169f4
Responder Cookie: 0000000000000000
++++++++++++++++++++++++++++++++++++++++++
Logged: 15.04.2014 15:14:49
IPsec main mode and extended mode security associations were established.
Local Endpoint:
Principal Name: NB-VW-018.my.domain.wels
Network Address: 2002:d8d6:f652:1000:1c59:c185:6bee:daba
Keying Module Port: 500
Local Certificate:
SHA Thumbprint: 4607316a4afd380fe91c0405af882636ef6175e8
Issuing CA: CompanyCA
Root CA: DC=wels, DC=domain, DC=my, CN=Company CA
Remote Endpoint:
Principal Name: S-FR-DA-02.ad.teufelberger.wels
Network Address: 2002:d8d6:f652::d8d6:f652
Keying Module Port: 500
Remote Certificate:
SHA Thumbprint: eaaf103d93789dcb88996a289a9de7fb8fe96129
Issuing CA: Company CA
Root CA: DC=wels, DC=domain, DC=my, CN=Company CA
Cryptographic Information:
Cipher Algorithm: AES-128
Integrity Algorithm: SHA 256
Diffie-Hellman Group: None
Security Association Information:
Lifetime (minutes): 480
Quick Mode Limit: 0
Main Mode SA ID: 26
Additional Information:
Keying Module Name: AuthIP
Authentication Method: SSL
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 240295
Extended Mode Information:
Local Principal Name: NT-AUTORITÄT\NETZWERKDIENST
Remote Principal Name: host/servername.my.domain.wels
Authentication Method: NTLM V2
Impersonation State: Enabled
Quick Mode Filter ID: 240369
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
An IPsec quick mode security association was established.
Local Endpoint:
Network Address: -
Network Address mask: -
Port: 0
Tunnel Endpoint: 2002:d8d6:f652:1000:1c59:c185:6bee:daba
Remote Endpoint:
Network Address: 2002:d8d6:f652:3333::1
Network Address Mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Port: 0
Private Address: -
Tunnel Endpoint: 2002:d8d6:f652::d8d6:f652
Protocol: 0
Keying Module Name: -
Cryptographic Information:
Integrity Algorithm - AH: -
Integrity Algorithm - ESP: SHA-1
Encryption Algorithm: AES-192
Security Association Information:
Lifetime - seconds: 3600
Lifetime - data: 100000
Lifetime - packets: 2147483647
Mode: Tunnel
Role: Initiator
Quick Mode Filter ID: 240370
Main Mode SA ID: 26
Quick Mode SA ID: 40
Additional Information:
Inbound SPI: 3532959696
Outbound SPI: 137365260
Virtual Interface Tunnel ID: 0
Traffic Selector ID: 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Also, here is the ping output:
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms | ==
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms | === Connected via Direct Access
Reply from fdbc:c182:958e:7777::c0a8:1017: time=3ms | ==
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
General failure. |
General failure. |
General failure. |=== net stop iphlpsvc
General failure. |
General failure. |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=3ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=4ms | ==== net start iphlpsvc and
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms | ====== got connected immediately
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms | ==== (took about 1 sec to connect)
Reply from fdbc:c182:958e:7777::c0a8:1017: time=3ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms |
Reply from fdbc:c182:958e:7777::c0a8:1017: time=2ms | ===== got 12 replies when pinging my domain
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |===== drops the DA connection and takes about 3-10 minutes to reconnect again.
PING: transmit failed. General failure. |====== In the meantime, no access is provided (not even DNS lookup or
PING: transmit failed. General failure. |===== anything else)
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
PING: transmit failed. General failure. |
++++++++++++++++++++++++++++++++++++++++++++++++++++++
I would be happy if anybody has a solution or an idea of how to fix that.
Many thanks in advance!! :-)
Regards
Daniel
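The IPsec events quoted in the post carry enough to reconstruct when each Main Mode SA came up, when it went down, and how long the client had no tunnel to the DA server before the next SA was negotiated. The script below is an added example and is not code from the post or from Microsoft: it parses Security-log event text in the layout quoted above, pairs established/ended events by Main Mode SA ID, measures the gap per peer between an SA ending and the next one being established, and lists failed negotiations with their failure reason. SAMPLE_LOG is a constructed, trimmed copy of the events in the post; the function names, the dict layout and the treatment of blocks that have no "Logged" line (they inherit the previous timestamp as a lower bound and are flagged) are this example's own choices.

```python
import re
from datetime import datetime
# Constructed sample: the events quoted in the post, trimmed to the lines read here.
SAMPLE_LOG = """
Logged: 15.04.2014 15:06:45
An IPsec quick mode security association was established.
Remote Endpoint:
Network Address: fdbc:c182:958e:7777::c0a8:1017
Tunnel Endpoint: 2002:d8d6:f652::d8d6:f652
Security Association Information:
Main Mode SA ID: 24
*************************************
Logged 15.04.2014 15:06:47
An IPsec main mode security association ended.
Remote Network Address: 2002:d8d6:f652:5::1
Main Mode SA ID: 23
+++++++++++++++++++++++++++++++++++++
An IPsec main mode security association ended.
Remote Network Address: 2002:d8d6:f652::d8d6:f652
Main Mode SA ID: 24
+++++++++++++++++++++++++++++++++++++
Logged 15.04.2014 15:14:46
An IPsec main mode negotiation failed.
Remote Endpoint:
Network Address: 2002:d8d6:f652::d8d6:f652
Keying Module Name: IKEv1
Failure Information:
Failure Reason: No policy configured.
+++++++++++++++++++++++++++++++++++++
Logged 15.04.2014 15:14:49
IPsec main mode and extended mode security associations were established.
Remote Endpoint:
Network Address: 2002:d8d6:f652::d8d6:f652
Security Association Information:
Main Mode SA ID: 26
"""
# Event titles as written in an English Security log; a localized UI needs its own strings.
KINDS = {
    "An IPsec quick mode security association was established.": "established",
    "IPsec main mode and extended mode security associations were established.": "established",
    "An IPsec main mode security association ended.": "ended",
    "An IPsec main mode negotiation failed.": "failed",
}
SEP_RE = re.compile(r"^[*+]{5,}\s*$", re.M)
LOGGED_RE = re.compile(r"^Logged:?\s+(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})$")

def parse_events(text):
    """Each separator-delimited block -> {"kind", "logged", "fields": [(section, key, value)]}."""
    events = []
    for block in SEP_RE.split(text):
        ev, section = {"kind": None, "logged": None, "fields": []}, ""
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            m = LOGGED_RE.match(line)
            if m:
                ev["logged"] = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            elif line in KINDS:
                ev["kind"] = KINDS[line]
            elif line.endswith(":"):  # section header such as "Remote Endpoint:"
                section = line[:-1]
            elif ":" in line:  # "Key: value"; split at the first colon so IPv6 values survive
                key, value = line.split(":", 1)
                ev["fields"].append((section, key.strip(), value.strip()))
        if ev["kind"]:
            events.append(ev)
    return events

def get(ev, key, section=None):
    return next((v for s, k, v in ev["fields"] if k == key and section in (None, s)), None)

def peer(ev):  # outer tunnel peer; the three event layouts name it differently
    return (get(ev, "Tunnel Endpoint", "Remote Endpoint")
            or get(ev, "Network Address", "Remote Endpoint")
            or get(ev, "Remote Network Address"))

def analyze(text):
    """Per Main Mode SA ID: up/down/lifetime; per peer: seconds from a tunnel ending to the next
    coming up; every failed negotiation. Blocks without a Logged line inherit the previous time."""
    sas, gaps, failures, last_time, last_down = {}, [], [], None, {}
    for ev in parse_events(text):
        carried = ev["logged"] is None
        t = last_time if carried else ev["logged"]
        last_time, sa_id, p = t, get(ev, "Main Mode SA ID"), peer(ev)
        if ev["kind"] == "failed":
            failures.append({"time": t, "peer": p, "reason": get(ev, "Failure Reason"),
                             "keying_module": get(ev, "Keying Module Name")})
            continue
        sa = sas.setdefault(sa_id, {"peer": p, "up": None, "down": None,
                                    "lifetime_s": None, "down_is_lower_bound": False})
        if ev["kind"] == "established":
            sa["up"] = sa["up"] or t
            if t is not None and last_down.get(p) is not None:  # tunnel to p is back: measure outage
                gaps.append((p, (t - last_down.pop(p)).total_seconds()))
        else:
            sa["down"], sa["down_is_lower_bound"], last_down[p] = t, carried, t
            if t is not None and sa["up"] is not None:
                sa["lifetime_s"] = (t - sa["up"]).total_seconds()
    return {"sas": sas, "gaps": gaps, "failures": failures}
```

Run against the sample, analyze() reports SA 24 alive for 2 seconds (its "ended" block has no timestamp, so that figure is flagged as a lower bound), a 482-second gap for peer 2002:d8d6:f652::d8d6:f652 between that SA ending and SA 26 coming up, and one failed IKEv1 negotiation with reason "No policy configured." in between. The titles in KINDS are matched literally, so text exported from a client with a non-English Windows UI (the post's own log shows localized principal names) needs its own strings there.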