Hello everybody,
I am writing this message as one of our end users in my company suddenly lost his ability to connect to our company network via the DirectAccess technology.
This end user is based in Asia and works outside our main company premises all year.
Obviously, the problem started happening right after he changed his password.
I searched the Web before posting this message and I could find some troubleshooting guides.
We are using an IP-HTTPS tunnel and sometimes, Teredo is used when the end user is behind NAT or not.
Here are the tests I could do (by the way, the end user has the DirectAccess Connectivity Assistant version 2.0 installed on his PC at the moment):
- Generated logs from the DirectAccess Connectivity Assistant:
The main error message states (some addresses were changed for security reasons):
RED: Corporate connectivity is not working.
Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator.
28/9/2016 14:50:28 (UTC)
Probes List
FAIL - HTTP: http://mycompanywebsite
DTE List
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::1
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::2
Here is the rest of the log and different tests :
***************************************************************************
ipconfig /all
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : hostname
Primary Dns Suffix . . . . . . . : corp.mycompany
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : corp.mycompany
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth (PAN)
Physical Address. . . . . . . . . : DC-53-60-DE-50-5C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7265
Physical Address. . . . . . . . . : DC-53-60-DE-50-58
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, September 28, 2016 10:35:52 PM
Lease Expires . . . . . . . . . . : Thursday, September 29, 2016 12:43:48 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 215765856
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-21-2D-42-DC-4A-3E-5F-2B-E2
DNS Servers . . . . . . . . . . . : 192.168.1.1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (3) I218-LM
Physical Address. . . . . . . . . : DC-4A-3E-5F-2B-E2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter iphttpsinterface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : iphttpsinterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{33420098-E978-49D4-99F8-803C726FAC4A}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
--------------------------------------------------------
***************************************************************************
netsh int teredo show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
--------------------------------------------------------
***************************************************************************
netsh int httpstunnel show interfaces
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://mycompanyportal:443/IPHTTPS
Last Error Code : 0x2745
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect
--------------------------------------------------------
***************************************************************************
netsh dns show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh dns show state
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and
NetBIOS for any kinds of errors
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
--------------------------------------------------------
***************************************************************************
netsh name show policy
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh name show policy
DNS Name Resolution Policy Table Settings
I cannot disclose the entries here but I can confirm that I see all items for the NRPT table listed with IPv6 address for each of them.
--------------------------------------------------------
***************************************************************************
netsh name show effective
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh name show effective
DNS Effective Name Resolution Policy Table Settings
Same as above here. I cannot disclose the full list but all the items are listed with their IPv6 addresses (I can confirm that after having compared values on a working PC).
--------------------------------------------------------
***************************************************************************
netsh adv mon show mmsa
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh adv mon show mmsa
No SAs match the specified criteria.
--------------------------------------------------------
***************************************************************************
netsh nap client show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh nap client show state
The "Network Access Protection Agent" service is not running.
--------------------------------------------------------
***************************************************************************
wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
Same thing here where I cannot list the full certificate details.
I can see all the details related to the certificate and after checking the MMC console, I can find the certificate (PKI) for the personal store like any working PC for DirectAccess.
--------------------------------------------------------
***************************************************************************
netsh int ipv6 show int level=verbose
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int ipv6 show int level=verbose
Interface Loopback Pseudo-Interface 1 Parameters
----------------------------------------------
IfLuid : loopback_0
IfIndex : 1
State : connected
Metric : 50
Link MTU : 4294967295 bytes
Reachable Time : 21000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : disabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Wireless Network Connection Parameters
----------------------------------------------
IfLuid : wireless_0
IfIndex : 12
State : connected
Metric : 20
Link MTU : 1500 bytes
Reachable Time : 36500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Local Area Connection Parameters
----------------------------------------------
IfLuid : ethernet_6
IfIndex : 11
State : disconnected
Metric : 5
Link MTU : 1468 bytes
Reachable Time : 44000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface iphttpsinterface Parameters
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 17
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 22000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Bluetooth Network Connection Parameters
----------------------------------------------
IfLuid : ethernet_9
IfIndex : 14
State : disconnected
Metric : 50
Link MTU : 1500 bytes
Reachable Time : 39500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.{33420098-E978-49D4-99F8-803C726FAC4A} Parameters
----------------------------------------------
IfLuid : tunnel_10
IfIndex : 21
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 17000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC} Parameters
----------------------------------------------
IfLuid : tunnel_11
IfIndex : 20
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 26000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_16
IfIndex : 18
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 31000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
--------------------------------------------------------
***************************************************************************
netsh advf show currentprofile
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advf show currentprofile
Public Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
--------------------------------------------------------
***************************************************************************
netsh advfirewall monitor show consec
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advfirewall monitor show consec
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime 480min,0sess
SecMethods DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH No
Categories:
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
Quick Mode:
QuickModeSecMethods ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS None
Security Associations:
No SAs match the specified criteria.
--------------------------------------------------------
***************************************************************************
Certutil -store my
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>Certutil -store my
my
I cannot disclose information here but I can guarantee that all the relevant information for the certificate is present in this section.
--------------------------------------------------------
Systeminfo and whoami /groups are returning normal information and I can see the relevant security group listed as well.
---------------------------------------------------------------------------------------------------------------------
As you may have noticed, "netsh int httpstunnel show interfaces" returns error 0x2745 and I do not understand why (I searched the Web for this exact error code but could not find anything similar).
Anyway, I can confirm that after having checked manually, both the DirectAccess Connectivity Assistant and the related services are set correctly, "gpedit.msc" returns all the NRPT entries, the DirectAccess firewall rules are in place in the Windows Firewall configuration, and IPv6 is enabled and returning a valid address.
Also, the end user has a working connection on the Internet and has the same symptoms when trying a connection behind a router or a mobile hotspot.
The "Registry.pol" for Global Policies is still present as well.
Have you already seen such an issue in the past?
Do you know if it is possible to extract a full DirectAccess configuration from a working PC to the one impacted by this issue (considering it is outside the company and that the end user will not have the opportunity to come back on site immediately)?
I know there is a guide to do this on TechNet, but this does not solve my issue; should I move the Teredo state from client to enterprise client, for instance?
Thanks in advance.
Julien
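The bundle above is the kind of thing that gets pasted into a ticket and read by eye. The script below is an added example (not part of the post and not a Microsoft tool) that parses a DCA bundle in the layout shown above, pulls out the IP-HTTPS state, decodes the "Last Error Code" as a Win32/Winsock number, and notes whether any IPsec main-mode SAs exist. It assumes the three-line "***" banner layout seen in the post; the sample bundle is a constructed, trimmed copy of the posted output, and the error-name table is the standard Winsock/Win32 code list.

```python
import re

# Constructed sample: a trimmed copy of the bundle layout pasted in the post
# (DCA probe results, then "***"-bannered netsh sections); the addresses are
# the post's own masked values, not real infrastructure.
SAMPLE_BUNDLE = """\
RED: Corporate connectivity is not working.
Probes List
FAIL - HTTP: http://mycompanywebsite
DTE List
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::1
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::2
***************************************************************************
netsh int teredo show state
***************************************************************************
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
***************************************************************************
netsh int httpstunnel show interfaces
***************************************************************************
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://mycompanyportal:443/IPHTTPS
Last Error Code : 0x2745
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect
***************************************************************************
netsh adv mon show mmsa
***************************************************************************
No SAs match the specified criteria.
"""

# "Last Error Code" is a Win32/Winsock error number printed in hex. This table
# covers the Winsock codes a failed IP-HTTPS connect commonly reports plus the
# CRL-offline HRESULT seen when the client cannot validate the server certificate.
ERROR_NAMES = {
    10053: "WSAECONNABORTED: software caused connection abort",
    10060: "WSAETIMEDOUT: connection timed out",
    10061: "WSAECONNREFUSED: connection refused",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE: revocation server offline",
}


def split_sections(bundle):
    """Split the bundle on its three-line '***' banners into {command: output}.
    Text before the first banner (the DCA summary) is stored under key ''."""
    sections, key, buf = {}, "", []
    lines = bundle.splitlines()
    i = 0
    while i < len(lines):
        if (lines[i].startswith("****") and i + 2 < len(lines)
                and lines[i + 2].startswith("****")):
            sections[key] = "\n".join(buf)
            key, buf = lines[i + 1].strip(), []
            i += 3
            continue
        buf.append(lines[i])
        i += 1
    sections[key] = "\n".join(buf)
    return sections


def parse_kv(text):
    """Parse netsh-style 'Key : Value' lines into a dict (split on the first colon)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def decode_error(code_text):
    """Turn '0x2745' (or decimal '10053') into (10053, 'WSAECONNABORTED: ...')."""
    code = int(code_text, 16) if code_text.lower().startswith("0x") else int(code_text)
    return code, ERROR_NAMES.get(code, "not in table; look up as a Win32/HRESULT code")


def triage(bundle):
    """Pull the facts a DirectAccess client triage needs out of one bundle."""
    s = split_sections(bundle)
    tunnel = parse_kv(s.get("netsh int httpstunnel show interfaces", ""))
    teredo = parse_kv(s.get("netsh int teredo show state", ""))
    code, meaning = decode_error(tunnel.get("Last Error Code", "0"))
    return {
        "failed_probes": [l.strip() for l in s.get("", "").splitlines() if l.startswith("FAIL")],
        "iphttps_url": tunnel.get("URL"),
        "iphttps_status": tunnel.get("Interface Status"),
        "iphttps_error": code,
        "iphttps_error_name": meaning,
        "teredo_type": teredo.get("Type"),
        # IPsec main-mode SAs are negotiated across the transition tunnel, so an
        # empty SA list while IP-HTTPS is down is a consequence, not a second fault.
        "mm_sa_present": "No SAs match" not in s.get("netsh adv mon show mmsa", ""),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_BUNDLE).items():
        print(f"{k:19}: {v}")
```

On the posted bundle this reports 0x2745 as 10053 (WSAECONNABORTED), i.e. the TCP/TLS session to the IP-HTTPS URL is being torn down rather than refused or timing out, which is where a working-PC comparison (certificate chain, CRL reachability, proxy in the path) should start.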
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Local Area Connection Parameters
----------------------------------------------
IfLuid : ethernet_6
IfIndex : 11
State : disconnected
Metric : 5
Link MTU : 1468 bytes
Reachable Time : 44000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface iphttpsinterface Parameters
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 17
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 22000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Bluetooth Network Connection Parameters
----------------------------------------------
IfLuid : ethernet_9
IfIndex : 14
State : disconnected
Metric : 50
Link MTU : 1500 bytes
Reachable Time : 39500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.{33420098-E978-49D4-99F8-803C726FAC4A} Parameters
----------------------------------------------
IfLuid : tunnel_10
IfIndex : 21
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 17000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC} Parameters
----------------------------------------------
IfLuid : tunnel_11
IfIndex : 20
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 26000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_16
IfIndex : 18
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 31000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
--------------------------------------------------------
***************************************************************************
netsh advf show currentprofile
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advf show currentprofile
Public Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
--------------------------------------------------------
***************************************************************************
netsh advfirewall monitor show consec
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advfirewall monitor show consec
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime 480min,0sess
SecMethods DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH No
Categories:
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
Quick Mode:
QuickModeSecMethods ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS None
Security Associations:
No SAs match the specified criteria.
--------------------------------------------------------
***************************************************************************
Certutil -store my
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>Certutil -store my
my
I cannot disclose information here but I can guarantee that all the relevant information for the certificate is present in this section.
--------------------------------------------------------
Systeminfo and whoami /groups are returning normal information and I can see the relevant security group listed as well.
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
As you may have noticed, the "netsh int httpstunnel show interfaces" command is returning error 0x2745 and I do not understand why (I searched the Web for this exact error code but could not find anything similar).
Anyway, I can confirm, after having checked manually, that both the DirectAccess Connectivity Assistant and the related services are set correctly, that "gpedit.msc" returns all the NRPT entries, that the DirectAccess firewall rules are in place in the Windows Firewall configuration, and that IPv6 is enabled and returns a valid address.
Also, the end user has a working connection on the Internet and has the same symptoms when trying a connection behind a router or a mobile hotspot.
The "Registry.pol" for Global Policies is still present as well.
Have you already seen such an issue in the past?
Do you know if it is possible to extract a full DirectAccess configuration from a working PC to the one impacted by this issue (considering it is outside the company and that the end user will not have the opportunity to come back on site immediately)?
I know there is a guide for this on TechNet, but it does not solve my issue. Should I, for instance, move the Teredo state from client to enterprise client?
Thanks in advance.
Julien
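An offline triage helper, added here and not part of the original post or of any Microsoft tooling: it parses text in the shape of the "netsh int ipv6 show int level=verbose" output pasted above, flags the DirectAccess transition interfaces (IP-HTTPS, Teredo, ISATAP, 6to4) that are not connected, and decodes an 0x2745-style code as a Winsock error number (0x2745 is 10053, WSAECONNABORTED). The SAMPLE text is a constructed excerpt of the log above, reduced to the fields the check needs.

```python
import re

# Constructed excerpt mirroring the netsh verbose output pasted in the post.
SAMPLE = """\
Interface Wireless Network Connection Parameters
----------------------------------------------
IfLuid : wireless_0
IfIndex : 12
State : connected
Metric : 20
Link MTU : 1500 bytes
Interface iphttpsinterface Parameters
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 17
State : disconnected
Link MTU : 1280 bytes
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_16
IfIndex : 18
State : disconnected
"""

# Name prefixes of the IPv6 transition interfaces a DirectAccess client relies on.
TRANSITION = ("iphttpsinterface", "teredo", "isatap", "6to4")

# Winsock error numbers; the hex value netsh prints is the same number in base 16.
WINSOCK = {10053: "WSAECONNABORTED", 10054: "WSAECONNRESET",
           10060: "WSAETIMEDOUT", 10061: "WSAECONNREFUSED"}


def parse_interfaces(text):
    """Return {interface name: {field: value}} from netsh 'show int' verbose text."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        header = re.match(r"Interface (.+) Parameters$", line)
        if header:
            current = header.group(1)
            result[current] = {}
        elif current and " : " in line:
            key, _, value = line.partition(" : ")
            result[current][key.strip()] = value.strip()
    return result


def transition_status(text):
    """List (name, state) for transition interfaces whose State is not 'connected'."""
    return [(name, fields.get("State", "unknown"))
            for name, fields in parse_interfaces(text).items()
            if name.lower().startswith(TRANSITION)
            and fields.get("State") != "connected"]


def winsock_error(code_hex):
    """Decode a '0x2745'-style netsh error into (decimal code, Winsock name)."""
    code = int(code_hex, 16)
    return code, WINSOCK.get(code, "unknown")
```

Running it on a full DCA log bundle shows at a glance which tunnel interface never came up; on this post's output both iphttpsinterface and Teredo are reported as disconnected.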