Hi all. I have a DA server on 2012 R2. It has been working more or less well for a year at least. I was attempting to fix an issue where it had stopped working as an ISATAP router for manage-out capability. However, I have somehow made things much worse, to the point that I have no clients able to connect.
There have been no configuration changes to the DA setup itself and no firewall changes. I was playing around with netsh and the various interfaces, doing things like: netsh int ipv6 set int 25 forwarding=enabled and netsh int isatap set state enabled, etc.
After a sneaky reboot this morning no clients can connect. I can see they are trying if I run this on the server...
PS C:\> netsh interface httpstunnel show statistics

Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Total bytes received                    : 1533841
Total bytes sent                        : 178784

Most Recent Client Address                 Total Bytes In    Total Bytes Out
------------------------------------------ ----------------- -----------------
fd99:b398:e8:1000:79ff:a645:853e:47d2      6148              456
fd99:b398:e8:1000:9421:9c61:58e4:889e      14936             952
fd99:b398:e8:1000:acd9:5700:ba5b:b3e       21636             1432
fd99:b398:e8:1000:c47d:4e01:cfce:e044      6460              4864
fd99:b398:e8:1000:2453:d87b:7971:b267      7116              5168
fd99:b398:e8:1000:795b:6774:592a:25ea      7936              6992
fd99:b398:e8:1000:b034:626a:a1a4:be41      8381              8056
fd99:b398:e8:1000:6cd3:2aa2:50e1:ec17      9944              9024
fd99:b398:e8:1000:744b:dda:ce9d:dd6e       9248              9432
fd99:b398:e8:1000:85a9:e46a:8311:7c76      9084              9976
fd99:b398:e8:1000:b0b2:da6:549c:70fb       48408             10248
fe80::8c13:4577:fff1:c7cb                  9332              10640
fd99:b398:e8:1000:1d38:2ebd:a27e:634c      39895             11472
fd99:b398:e8:1000:d91b:a7c5:6624:8b68      155468            12152
But there are no current client connections on the server console. The clients all sit at "connecting" forever.
The DA Troubleshooter reveals the following log.
[22/01/2016 4:42:34 PM]: In worker thread, going to start the tests.
[22/01/2016 4:42:34 PM]: Running Network Interfaces tests.
[22/01/2016 4:42:34 PM]: Ethernet (Intel(R) Ethernet Connection (3) I218-V): fe80::9114:5c94:c6f3:53e2%3;: 192.168.1.9/255.255.255.0;
[22/01/2016 4:42:34 PM]: Default gateway found for Ethernet.
[22/01/2016 4:42:34 PM]: iphttpsinterface (iphttpsinterface): fd99:b398:e8:1000:ed74:fb87:8380:e553;: fd99:b398:e8:1000:2404:2cc0:72fb:8c4e;: fe80::ed74:fb87:8380:e553%12;
[22/01/2016 4:42:34 PM]: No default gateway found for iphttpsinterface.
[22/01/2016 4:42:34 PM]: Ethernet has configured the default gateway 192.168.1.1.
[22/01/2016 4:42:46 PM]: Warning - default gateway 192.168.1.1 for Ethernet does not reply on ICMP Echo requests, the request or response is maybe filtered?
[22/01/2016 4:42:46 PM]: Received a response from the public DNS server (8.8.8.8), RTT is 34 msec.
[22/01/2016 4:42:46 PM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
[22/01/2016 4:42:46 PM]: Running Inside/Outside location tests.
[22/01/2016 4:42:46 PM]: NLS is https://DirectAccess-NLS.ToastAustralia.local:62000/insideoutside.
[22/01/2016 4:42:46 PM]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
[22/01/2016 4:42:46 PM]: NRPT contains 2 rules.
[22/01/2016 4:42:46 PM]: Found (unique) DNS server: fd99:b398:e8:3333::1
[22/01/2016 4:42:46 PM]: Send an ICMP message to check if the server is reachable.
[22/01/2016 4:42:49 PM]: DNS Server fd99:b398:e8:3333::1 does not reply on ICMP Echo requests.
[22/01/2016 4:42:49 PM]: Running IP connectivity tests.
[22/01/2016 4:42:49 PM]: The 6to4 interface is disabled.
[22/01/2016 4:42:49 PM]: Teredo inferface status is offline.
[22/01/2016 4:42:49 PM]: The configured DirectAccess Teredo server is directaccessta.Toast.com.au (Group Policy).
[22/01/2016 4:42:49 PM]: The IPHTTPS interface is operational.
[22/01/2016 4:42:49 PM]: The IPHTTPS interface status is IPHTTPS interface active.
[22/01/2016 4:42:49 PM]: IPHTTPS is used as IPv6 transition technology.
[22/01/2016 4:42:49 PM]: The configured IPHTTPS URL is https://directaccessta.Toast.com.au:443.
[22/01/2016 4:42:49 PM]: IPHTTPS has a single site configuration.
[22/01/2016 4:42:49 PM]: IPHTTPS URL endpoint is: https://directaccessta.Toast.com.au:443.
[22/01/2016 4:42:50 PM]: Successfully connected to endpoint https://directaccessta.Toast.com.au:443.
[22/01/2016 4:42:50 PM]: No response received from ToastAustralia.local.
[22/01/2016 4:42:50 PM]: Running Windows Firewall tests.
[22/01/2016 4:42:50 PM]: The current profile of the Windows Firewall is Public.
[22/01/2016 4:42:50 PM]: The Windows Firewall is enabled in the current profile Public.
[22/01/2016 4:42:50 PM]: The outbound Windows Firewall rule Core Networking - Teredo (UDP-Out) is enabled.
[22/01/2016 4:42:50 PM]: The outbound Windows Firewall rule Core Networking - IPHTTPS (TCP-Out) is enabled.
[22/01/2016 4:42:50 PM]: Running certificate tests.
[22/01/2016 4:42:50 PM]: Found 1 machine certificates on this client computer.
[22/01/2016 4:42:50 PM]: Checking certificate [no subject] with the serial number [207395180001000004C0].
[22/01/2016 4:42:50 PM]: The certificate [207395180001000004C0] contains the EKU Client Authentication.
[22/01/2016 4:42:50 PM]: The trust chain for the certificate [207395180001000004C0] was sucessfully verified.
[22/01/2016 4:42:50 PM]: Running IPsec infrastructure tunnel tests.
[22/01/2016 4:42:50 PM]: Failed to connect to domain sysvol share \\ToastAustralia.local\sysvol\ToastAustralia.local\Policies.
[22/01/2016 4:42:50 PM]: Running IPsec intranet tunnel tests.
[22/01/2016 4:43:02 PM]: Failed to connect to fd99:b398:e8:1000::1 with status TimedOut.
[22/01/2016 4:43:14 PM]: Failed to connect to fd99:b398:e8:1000::2 with status TimedOut.
[22/01/2016 4:43:14 PM]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.ToastAustralia.local.
[22/01/2016 4:43:14 PM]: Running selected post-checks script.
[22/01/2016 4:43:14 PM]: No post-checks script specified or the file does not exist.
[22/01/2016 4:43:14 PM]: Finished running post-checks script.
[22/01/2016 4:43:14 PM]: Finished running all tests.
Comparing that to a working log, the first failure of interest is:
[22/01/2016 4:42:46 PM]: Found (unique) DNS server: fd99:b398:e8:3333::1
[22/01/2016 4:42:46 PM]: Send an ICMP message to check if the server is reachable.
[22/01/2016 4:42:49 PM]: DNS Server fd99:b398:e8:3333::1 does not reply on ICMP Echo requests.
I can, however, ping that IP address from the supposedly non-connected client, and it is successful.
I enabled logging for IPsec failures and can see these 4653 events in the Security log.
An IPsec main mode negotiation failed.

Local Endpoint:
    Local Principal Name: -
    Network Address: fe80::9114:5c94:c6f3:53e2
    Keying Module Port: 500

Remote Endpoint:
    Principal Name: -
    Network Address: fd99:b398:e8:1000::1
    Keying Module Port: 500

Additional Information:
    Keying Module Name: IKEv1
    Authentication Method: Unknown authentication
    Role: Initiator
    Impersonation State: Not enabled
    Main Mode Filter ID: 0

Failure Information:
    Failure Point: Local computer
    Failure Reason: No policy configured
    State: No state
    Initiator Cookie: 6bf1495f7920c0a8
    Responder Cookie: 0000000000000000
DNS, firewalls, etc. are all OK. No changes were made to anything other than the netsh shenanigans while I was trying to get the ISATAP stuff working.
Any help would be appreciated!
HughMc
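A diagnostic script, added here as an example and not part of the original post, that gathers in one pass the three things the post reasons about: the IPv6 interface forwarding flags that the netsh commands changed, the ISATAP and IP-HTTPS state, and the IPsec rules in force next to a summary of event 4653 grouped by its "Failure Reason" field. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later with the NetTCPIP and NetSecurity modules; the event regexes assume the standard 4653 message layout shown in the post. The 4653 events quoted above were logged on the client (Role: Initiator), so the event section is meant to run there, while the interface and ISATAP sections apply to the DA server.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the machine being diagnosed. Assumes the NetTCPIP and NetSecurity modules
# (Windows 8.1 / Server 2012 R2 or later) and read access to the Security log.

# 1. IPv6 interfaces with their forwarding/advertising flags. The post's
#    "netsh int ipv6 set int 25 forwarding=enabled" flips Forwarding on ifIndex 25;
#    compare against a known-good host before undoing anything.
Write-Host "== IPv6 interface flags =="
Get-NetIPInterface -AddressFamily IPv6 |
    Sort-Object ifIndex |
    Format-Table ifIndex, InterfaceAlias, Forwarding, Advertising, ConnectionState -AutoSize

# 2. Transition-technology state as netsh reports it (same tooling the post uses).
Write-Host "== ISATAP / IP-HTTPS state =="
netsh interface isatap show state
netsh interface httpstunnel show interfaces

# 3. IPsec rules currently applied. "Failure Reason: No policy configured" in
#    event 4653 means IKE found no rule matching that peer, so an empty or
#    disabled list here is the first thing to explain.
Write-Host "== Active IPsec rules =="
Get-NetIPsecRule -PolicyStore ActiveStore |
    Format-Table DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity -AutoSize

# 4. Event 4653 (IPsec main mode negotiation failed), summarized by failure
#    reason and remote address so that one root cause stands out from the noise.
Write-Host "== Event 4653 summary (last 200) =="
$filter = @{ LogName = 'Security'; Id = 4653 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time   = $_.TimeCreated
            # (?s) lets '.' span the line breaks between the event's sections
            Remote = if ($m -match '(?s)Remote Endpoint:.*?Network Address:\s+(\S+)') { $Matches[1] } else { '?' }
            Reason = if ($m -match 'Failure Reason:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        }
    } |
    Group-Object Reason, Remote |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Reading the output: a Forwarding value that differs from a healthy peer on the same ifIndex points straight at the netsh change, and a 4653 group whose Reason is "No policy configured" for the DA server address while the IPsec rule list is empty or disabled says the IKE side, not the tunnel transport, is where the clients stall.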