
How to debug this Direct Access DNS problem under Server 2012?

We have a DA infrastructure running on Server 2012, using IP-HTTPS. Apart from one system, it works as it should, and we don't know how to debug the problem of that single system properly.

The Problem:

On the client side it always looks like the DA client is not able to connect at all. DNS queries for internal networks are not working either (resolving Internet resources works, of course).

Looking at the DA Console, we cannot see an IP-HTTPS connection from that system either.

What we looked for so far on the Client:

Using the Windows Firewall Monitoring, we cannot see any IPSec negotiations.

"netsh int httpstunnel show interfaces" reveals the correct URL, a Last Error Code of 0x0 and an Interface Status of "IPHTTPS interface active".

Get-DAConnectionStatus reveals Status = Error and Substatus = NameResolutionFailure

In the DA Diagnostics file we can see an "Error: Corporate connectivity is not working. Windows is unable to resolve DNS names for probes." message at the top. The rest of the diagnostic logs (the configuration pushed via the GPOs, for example) seem to be correct when compared to another, working client.

The client is not resolving any internal DNS names. But we can ping the IPv6 address of the DNS64 proxy, despite having no IPSec negotiations and the DA server claiming that nobody is connected. If we run nslookup and point it to the IPv6 address of the DNS64 proxy, we also cannot resolve internal DNS names.

We cannot spot any errors in the Eventlogs.

GPResult shows no errors on the Client, so the Policies should be applied correctly.

The client had a Teredo interface in status Up. We did not know why, but we disabled it with netsh just to make sure it is not causing any problems. No change in behaviour on the DA side.

The client with the problem is a Windows 8 x64 system.

What we looked for so far on the DA Server:

Looking at the DA Console, we cannot see an IP-HTTPS connection from that system either.

But using Netstat, we can see a connection on Port 443 from that system. Using the Direct Access Tracing and feeding it to the MS Network Monitor, we can see a "State = EstablishedState" from that IP as well.

We cannot spot any errors in the Eventlogs.

We have run out of ideas now on how to debug that connection and why the DNS resolution is not working. The client seems to be partly connected somehow, so we don't know if the DNS queries are failing because of the incomplete connection, or if the connection cannot be established completely because of the DNS problem.

We removed that PC from the DA Client Security group (and so from the GPO) for a day and added it again to make sure there was not a problem applying the policy to the PC the first time.

The Diagnostics chapter of this article already mentions the limited logging capabilities, but also talks about log correlation. Which logs are meant here? Should there be tools like the ones we have to create and analyze logs for Lync Servers? These are pretty powerful and would help a lot if we had something similar for DA.
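A client-side check script for the symptoms described above, added here as an example and not part of the original post; it assumes the Windows 8 built-in DirectAccess and DnsClient cmdlets (Get-DAConnectionStatus, Get-DnsClientNrptPolicy, Resolve-DnsName, Test-Connection) and uses a placeholder internal FQDN ($InternalName) that you replace with a real name from your NRPT namespace:

```powershell
# Added diagnostic helper (not from the original post). Assumption, labelled:
#   $InternalName - placeholder FQDN inside the DA namespace; replace it with a
#                   real internal host that the NRPT should send to DNS64.
param(
    [string]$InternalName = 'directaccess-webprobehost.corp.example'  # placeholder
)

function Test-DaNameResolution {
    param([string]$Name)
    $report = [ordered]@{}

    # 1. Overall DA client status (the post saw Error / NameResolutionFailure).
    $da = Get-DAConnectionStatus
    $report.Status    = $da.Status
    $report.Substatus = $da.Substatus

    # 2. IP-HTTPS tunnel state, the same command the post used.
    $report.IpHttps = (netsh interface httpstunnel show interfaces) -join "`n"

    # 3. Effective NRPT rules: these decide which DNS server the DA client sends
    #    internal names to. No rule, or a rule without DirectAccessDnsServers,
    #    means Group Policy did not deliver the table, which by itself produces
    #    NameResolutionFailure regardless of the tunnel state.
    $rules = Get-DnsClientNrptPolicy -Effective |
             Where-Object { $_.DirectAccessDnsServers }
    $report.NrptRules = $rules | Select-Object Namespace, DirectAccessDnsServers

    # 4. For every DNS64 address the NRPT lists, ping it and then query the test
    #    name through it. ICMPv6 echo is exempted from IPsec by the default DA
    #    connection security rules, so a successful ping with no IPsec
    #    negotiation is expected; the DNS query itself needs the infrastructure
    #    tunnel, so its result is the meaningful one.
    $servers = $rules.DirectAccessDnsServers | Select-Object -Unique
    $report.Queries = foreach ($srv in $servers) {
        $ping = Test-Connection -ComputerName $srv -Count 2 -Quiet
        try {
            $ans    = Resolve-DnsName -Name $Name -Server $srv -DnsOnly -ErrorAction Stop
            $result = ($ans | Where-Object { $_.IPAddress } |
                       ForEach-Object IPAddress) -join ','
        } catch {
            $result = "FAILED: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Server = $srv; Ping = $ping; Name = $Name; Result = $result }
    }
    [pscustomobject]$report
}

Test-DaNameResolution -Name $InternalName | Format-List
```

Run it on the failing client and on a working one and compare the NrptRules and Queries sections side by side; a ping that succeeds while the query fails points at the infrastructure tunnel rather than at DNS itself.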
