DA client getting error: Main mode SA assumed to be invalid because peer stopped responding.

Facing one issue with only one DA client: it connects to DirectAccess for a few seconds and then gets disconnected.

Looking at the Event Viewer I see the errors below.

Any help appreciated. The certificate looks ok on the client; not sure why IPsec is still failing.

Main

An IPsec main mode negotiation failed.

Local Endpoint:
    Local Principal Name: -
    Network Address: fd03:c8e4:6dc5:1000:65c3:ec29:19db:d27
    Keying Module Port: 500

Remote Endpoint:
    Principal Name: -
    Network Address: fd03:c8e4:6dc5:1000::1
    Keying Module Port: 500

Additional Information:
    Keying Module Name: IKEv1
    Authentication Method: Unknown authentication
    Role: Initiator
    Impersonation State: Not enabled
    Main Mode Filter ID: 0

Failure Information:
    Failure Point: Local computer
    Failure Reason: No policy configured

    State: No state
    Initiator Cookie: 9859f832aff8f6c2
    Responder Cookie: 0000000000000000

Quick

An IPsec quick mode negotiation failed.

Local Endpoint:
    Network Address: ::
    Network Address mask: 0
    Port: 0
    Tunnel Endpoint: fd03:c8e4:6dc5:1000:65c3:ec29:19db:d27

Remote Endpoint:
    Network Address: fd03:c8e4:6dc5:7777::405a:e2f2
    Address Mask: 0
    Port: 0
    Tunnel Endpoint: fd03:c8e4:6dc5:1000::1
    Private Address: 0.0.0.0

Additional Information:
    Protocol: 0
    Keying Module Name: AuthIP
    Virtual Interface Tunnel ID: 0
    Traffic Selector ID: 0
    Mode: Tunnel
    Role: Initiator
    Quick Mode Filter ID: 148975
    Main Mode SA ID: 9

Failure Information:
    State: Sent first (SA) payload
    Message ID: 3
    Failure Point: Local computer
    Failure Reason: Main mode SA assumed to be invalid because peer stopped responding.

April 20th, 2015 8:44am

Can you post DCA logs here?
April 20th, 2015 8:59am

Error: Corporate connectivity is not working. Windows is unable to contact the DirectAccess server. 2/4/2015 16:2:15 (

DTE List 
PING: fd03:c8e4:6dc5:1000::1 (Fail) 
PING: fd03:c8e4:6dc5:1000::2 (Fail)

6to4 Configuration (Get-Net6to4Configuration)


Description               : 6to4 Configuration
State                     : Default
AutoSharing               : Default
RelayName                 : 6to4.ipv6.microsoft.com.
RelayState                : Default
ResolutionIntervalSeconds : 1440

Proxy Configuration (netsh winhttp show proxy)

Current WinHTTP proxy settings:

    Direct access (no proxy server).

IP-HTTPs State (Get-NetIPHttpsState)
LastErrorCode   : 0x0
InterfaceStatus : IPHTTPS interface active

April 20th, 2015 9:08am

my "Personal"
================ Certificate 0 ================
Serial Number: db275ae51a55dc55fbe5
Issuer: CN=Communications Server
 NotBefore: 3/27/2015 5:16 PM
 NotAfter: 9/23/2015 5:16 PM
Subject: CN=username@bentley.com
Non-root Certificate
Cert Hash(sha1): b3 1a 83 46 a7 3b 35 81 d5 b8 df 4a cf c7 b5 84 3d 16 4f 19
  Key Container = OC_KeyContainer_Lync_username@bentley.com
  Unique container name: c8d28464bd8e19954e01e055a437dac2_9a8ca7a5-b032-4abe-aa4f-78479e291b9e
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Signature test passed

================ Certificate 1 ================
Serial Number: acf56029651a29985555bc204feec2906e0e623c
Issuer: CN=Token Signing Public Key
 NotBefore: 11/2/2014 1:10 PM
 NotAfter: 11/9/2014 1:10 PM
Subject: CN=8cb8436c5273712d
Non-root Certificate
Cert Hash(sha1): 96 40 a0 e3 d8 d3 a1 83 3d 7d 53 89 78 13 ec ea 14 57 59 e2
  Key Container = IDENTITYCRL_CERT_CONTAINER_781dc55f-39ad-4acf-908b-077a9f0892c0
  Unique container name: fa2317742ecd4995840a96d529ded279_9a8ca7a5-b032-4abe-aa4f-78479e291b9e
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed

================ Certificate 2 ================
Serial Number: 1ecfdba10000000711f6
Issuer: CN=certificates1.bentley.com, OU=IT, O=Bentley Systems Inc, L=Exton, S=PA, DC=bentley, DC=com, C=US
 NotBefore: 10/14/2014 3:00 PM
 NotAfter: 10/14/2015 3:00 PM
Subject: E=username@bentley.com, CN= user name
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.11654720.1572043.7097246.3836610.15498332.49.1051303.5974672, Bentley User
Cert Hash(sha1): 34 b0 4d a3 c0 ea 3f 91 c4 e8 1f bf bc a3 eb 8d 0e 13 71 3b
  Key Container = le-BentleyUser-b08f3f78-54cf-490e-9778-24c8c7bb9c0e
  Unique container name: fe0554406294c67f04d3b9898a803d95_9a8ca7a5-b032-4abe-aa4f-78479e291b9e
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
April 20th, 2015 9:12am

Thanks for logs.

Can you confirm if you have any third-party software or configuration that might be disturbing IPHLPSVC (the IP Helper service, which is essential for DA), or can you confirm if you have a persistent internet connection?

And are you able to reach web sites when you are having the issue?

April 20th, 2015 11:03am

Hello,

Are you using Computer Certificates for IPsec tunnels?
It seems that you don't have a correct one for DirectAccess, or these are only the user's certificates.

Gerald


April 20th, 2015 11:08am

Why do you think it is not correct? I checked on his box and it looks like the cert is the correct one.

We are using a machine cert for authentication.

April 20th, 2015 11:43am

"certutil -store my" ==> This command would list the Computer certificates from machine.

"certutil -store -user my" ==> This command would list the certificates from logged on user's store.

In my opinion, the required certificates are in place, and that's why you are able to connect in the first place.

And ICMP is not included in IPSec traffic "This is true for all traffic except ICMP traffic. In a UAG DirectAccess scenario, IPsec policy is configured to exempt ICMP from IPsec authentication and encryption. Therefore when you ping a resource on the intranet, you are sending those pings outside of the infrastructure and intranet IPsec DirectAccess tunnels." ==> http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx

In the DCA logs I could see that even ICMP is not working, so it looks more like either a network connectivity issue, or some software disabling IPHLPSVC or the Windows Firewall intermittently.

April 20th, 2015 12:13pm
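As an added example that is not part of the thread's replies: the reply above distinguishes the machine store ("certutil -store my") from the user store ("certutil -store -user my"). The PowerShell below does the equivalent check against the machine store and reports why each certificate would or would not be usable for an IPsec machine-certificate tunnel. It assumes the DirectAccess deployment requires the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); that assumption is ours, not the thread's, so adjust $RequiredEku if your deployment differs.

```powershell
# Added example (not from the thread): inspect Cert:\LocalMachine\My, the store that
# "certutil -store my" lists, and explain per certificate why it is or is not a
# usable IPsec machine certificate. Required EKU is an assumption; change if needed.

$RequiredEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication (assumed requirement)

function Test-DaMachineCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $Eku = $RequiredEku
    )

    $now     = Get-Date
    $reasons = New-Object System.Collections.Generic.List[string]

    # Validity window and private key: the peer cannot be authenticated without both.
    if ($Certificate.NotAfter  -lt $now) { $reasons.Add("expired $($Certificate.NotAfter)") }
    if ($Certificate.NotBefore -gt $now) { $reasons.Add("not yet valid until $($Certificate.NotBefore)") }
    if (-not $Certificate.HasPrivateKey) { $reasons.Add('no private key') }

    # Enhanced Key Usage: no EKU extension means "any purpose"; otherwise the
    # required OID must be present.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages.Value -contains $Eku)) {
        $reasons.Add("EKU $Eku missing")
    }

    # Chain building with online revocation checking, which is what the IPsec peer
    # will do with this certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $reasons.Add("chain build failed: $status")
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Machine store only: user certificates (Cert:\CurrentUser\My) are not used for
# the DirectAccess infrastructure tunnel.
$machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($machineCerts.Count -eq 0) {
    Write-Warning 'Cert:\LocalMachine\My is empty: no machine certificate is available for IPsec.'
}
$machineCerts |
    ForEach-Object { Test-DaMachineCertificate -Certificate $_ } |
    Format-Table Subject, NotAfter, Usable, Reasons -AutoSize
```

Run it in an elevated PowerShell on the affected client. A certificate that shows Usable = True here but still fails IPsec points away from the certificate itself, which matches the reply's reading that the certificates are in place.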

That is really helpful. Let's say some other third-party software is disabling the IPHLPSVC service; when I check in services.msc, the IP Helper service is running fine there.

Though if I restart that service, DA works for 2 minutes and then gets dropped again.

How can we determine which service is disabling the IPHLPSVC service?

Thanks again.

April 20th, 2015 12:54pm

First you might have to isolate whether the issue is because of IPHLPSVC or a network fluctuation. Maybe you could check in eventvwr to see if you have any evidence of IPHLPSVC getting restarted.

If that is getting restarted you can use ProcMon or SYSMON from sysinternals to see who is restarting the service https://technet.microsoft.com/en-us/sysinternals/dn798348 - SYSMON

https://technet.microsoft.com/en-us/library/bb896645.aspx - ProcMon

Also can you please confirm, if we have the same issue happening for all the users?

April 21st, 2015 3:29am
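As an added example that is not part of the thread's replies: the reply above suggests checking the event log for evidence of IPHLPSVC being restarted before reaching for ProcMon or Sysmon. The PowerShell below pulls the Service Control Manager events for the IP Helper service from the System log and shows the service's current state and host process. The event IDs used (7036 = service entered the running/stopped state, 7040 = start type changed, 7035 = control sent, on older Windows versions) are standard Service Control Manager IDs; the time window and service name are parameters we chose.

```powershell
# Added example (not from the thread): list Service Control Manager events for the
# IP Helper service (iphlpsvc) so you can correlate stops/restarts with the times
# DirectAccess drops. Window (hours) and display name are our chosen defaults.

function Get-IpHelperServiceEvents {
    param(
        [int]    $Hours = 24,
        [string] $ServiceDisplayName = 'IP Helper'
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7035, 7036, 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ServiceDisplayName) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # 7040 carries the SID of the account that changed the start type.
                # 7036 is raised by SCM itself, so it does not say who stopped the
                # service; that is where ProcMon/Sysmon come in.
                UserSid = if ($_.UserId) { $_.UserId.Value } else { '-' }
                Message = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

function Get-IpHelperStatus {
    # Win32_Service gives state, start mode and the hosting svchost PID, which is
    # the process to watch in ProcMon if the service keeps stopping.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='iphlpsvc'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        ProcessId = $svc.ProcessId
    }
}

Get-IpHelperStatus | Format-List
Get-IpHelperServiceEvents -Hours 48 |
    Sort-Object Time |
    Format-Table Time, EventId, UserSid, Message -Wrap
```

If the 7036 events show "entered the stopped state" at the moments DA drops, the next step is the ProcMon or Sysmon capture the reply recommends: Sysmon's process-creation events (event ID 1) record the command line of anything like sc.exe or net.exe stopping the service, and ProcMon shows which process is touching the service's svchost. If there are no stop/start events at all while DA still drops, the service is not the cause and the reply's network-fluctuation hypothesis is the one to chase.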

Only a single user is facing this issue.

Ok, I will check the Event Viewer logs, but just to give you a clear idea: when DA drops, I checked and the IP Helper service is running.

Then after I restart the IP Helper service it works for 3-4 minutes, then DA drops again.

April 21st, 2015 3:47am
