Hello everybody,
I am writing this message as one of our end users in my company suddenly lost his ability to connect to our company network via the DirectAccess technology.
This end user is based in Asia and works outside our main company premises all year.
Obviously, the problem started happening right after he changed his password.
I searched the Web before posting this message and I could find some troubleshooting guides.
We are using an IP-HTTPS tunnel and sometimes, Teredo is used when the end user is behind NAT or not.
Here are the tests I could do (by the way, the end user has the DirectAccess Connectivity Assistant version 2.0 installed on his PC at the moment):
- Generated logs from the DirectAccess Connectivity Assistant:
The main error message states (some addresses were changed for security reasons):
RED: Corporate connectivity is not working.
Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator.
28/9/2016 14:50:28 (UTC)
Probes List
FAIL - HTTP: http://mycompanywebsite
DTE List
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::1
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::2
Here is the rest of the log and different tests :
ipconfig /all
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Host Name . . . . . . . . . . . . : hostname
Primary Dns Suffix . . . . . . . : corp.mycompany
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : corp.mycompany
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth (PAN)
Physical Address. . . . . . . . . : DC-53-60-DE-50-5C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7265
Physical Address. . . . . . . . . : DC-53-60-DE-50-58
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, September 28, 2016 10:35:52 PM
Lease Expires . . . . . . . . . . : Thursday, September 29, 2016 12:43:48 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 215765856
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-21-2D-42-DC-4A-3E-5F-2B-E2
DNS Servers . . . . . . . . . . . : 192.168.1.1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (3) I218-LM
Physical Address. . . . . . . . . : DC-4A-3E-5F-2B-E2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : iphttpsinterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
--------------------------------------------------------
netsh int teredo show state
***************************************************************************
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
--------------------------------------------------------
netsh int httpstunnel show interfaces
***************************************************************************
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://mycompanyportal:443/IPHTTPS
Last Error Code : 0x2745
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect
--------------------------------------------------------
netsh dns show state
***************************************************************************
--------------------------------------------------------------------
NetBIOS for any kinds of errors
Access settings are to be used
DNSSEC Settings : Not Configured
--------------------------------------------------------
netsh name show policy
***************************************************************************
DNS Name Resolution Policy Table Settings
I cannot disclose the entries here but I can confirm that I see all items for the NRPT table listed with IPv6 address for each of them.
--------------------------------------------------------
netsh name show effective
***************************************************************************
DNS Effective Name Resolution Policy Table Settings
Same as above here. I cannot disclose the full list but all the items are listed with their IPv6 addresses (I can confirm that after having compared values on a working PC).
--------------------------------------------------------
netsh adv mon show mmsa
***************************************************************************
No SAs match the specified criteria.
--------------------------------------------------------
netsh nap client show state
***************************************************************************
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh nap client show state
The "Network Access Protection Agent" service is not running.
--------------------------------------------------------
wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
***************************************************************************
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
Same thing here where I cannot list the full certificate details.
I can see all the details related to the certificate and after checking the MMC console, I can find the certificate (PKI) for the personal store like any working PC for DirectAccess.
--------------------------------------------------------
netsh int ipv6 show int level=verbose
***************************************************************************
----------------------------------------------
IfLuid : loopback_0
IfIndex : 1
State : connected
Metric : 50
Link MTU : 4294967295 bytes
Reachable Time : 21000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : disabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
----------------------------------------------
IfLuid : wireless_0
IfIndex : 12
State : connected
Metric : 20
Link MTU : 1500 bytes
Reachable Time : 36500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
----------------------------------------------
IfLuid : ethernet_6
IfIndex : 11
State : disconnected
Metric : 5
Link MTU : 1468 bytes
Reachable Time : 44000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 17
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 22000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
----------------------------------------------
IfLuid : ethernet_9
IfIndex : 14
State : disconnected
Metric : 50
Link MTU : 1500 bytes
Reachable Time : 39500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
----------------------------------------------
IfLuid : tunnel_10
IfIndex : 21
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 17000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
----------------------------------------------
IfLuid : tunnel_11
IfIndex : 20
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 26000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_16
IfIndex : 18
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 31000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
--------------------------------------------------------
netsh advf show currentprofile
***************************************************************************
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
--------------------------------------------------------
netsh advfirewall monitor show consec
***************************************************************************
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulPPTP Enable
KeyLifetime 480min,0sess
SecMethods DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH No
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
Quick Mode:
QuickModeSecMethods ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS None
--------------------------------------------------------
Certutil -store my
***************************************************************************
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>Certutil -store my
my
I cannot disclose information here but I can guarantee that all the relevant information for the certificate is present in this section.
--------------------------------------------------------
Systeminfo and whoami /groups are returning normal information and I can see the relevant security group listed as well.
---------------------------------------------------------------------------------------------------------------------
As you may have noticed, the "netsh int httpstunnel show interfaces" is returning error 0x2745 and I do not understand why (I searched the Web for this exact error code but could not find anything similar).
Anyway, I can confirm that, after checking manually, both the DirectAccess Connectivity Assistant and the related services are set correctly, "gpedit.msc" returns all the NRPT entries, the DirectAccess firewall rules are in place in the Windows Firewall configuration, and IPv6 is enabled and returning a valid address.
Also, the end user has a working connection on the Internet and has the same symptoms when trying a connection behind a router or a mobile hotspot.
The "Registry.pol" for Global Policies is still present as well.
Have you already seen such an issue in the past?
Do you know if it is possible to extract a full DirectAccess configuration from a working PC to the one impacted by this issue (considering it is outside the company and that the end user will not have the opportunity to come back on site immediately)?
I know there is a guide for this on TechNet, but it does not solve my issue. Should I move the Teredo status from client to enterprise client, for instance?
Thanks in advance.
Julien
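As an added example (not part of the post above), a small Python triage script that reads a DCA log of the shape quoted here and pulls out the failing probes and DTEs, the IP-HTTPS interface status and its "Last Error Code", and whether any IPsec main-mode SAs exist. The "Last Error Code" is a Win32/Winsock error written in hex, so the script decodes it against a few well-known Winsock values (0x2745 is 10053, WSAECONNABORTED; 0x274C is 10060, WSAETIMEDOUT); the embedded log is constructed from the sections quoted above, with placeholder names and addresses.

```python
import re

# Constructed sample shaped like the DCA 2.0 log quoted in the post
# (names and addresses are placeholders, not real infrastructure).
SAMPLE_LOG = """\
Probes List
FAIL - HTTP: http://mycompanywebsite
DTE List
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::1
--------------------------------------------------------
netsh int httpstunnel show interfaces
Last Error Code : 0x2745
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect
--------------------------------------------------------
netsh adv mon show mmsa
No SAs match the specified criteria.
"""
# "Last Error Code" is a Win32/Winsock error in hex; 0x2745 == 10053.
WINSOCK_ERRORS = {
    10053: "WSAECONNABORTED (software caused connection abort)",
    10054: "WSAECONNRESET (connection reset by peer)",
    10060: "WSAETIMEDOUT (connection timed out)",
    10061: "WSAECONNREFUSED (connection refused)",
}

def decode_error(code_hex):
    code = int(code_hex, 16)  # netsh prints the code as e.g. "0x2745"
    return code, WINSOCK_ERRORS.get(code, "unknown Win32/Winsock error")

def split_sections(log):
    # Sections are delimited by dashed lines; the first line of each is the command.
    chunks = re.split(r"^-{8,}[ \t]*$", log, flags=re.M)
    sections = {"summary": chunks[0]}
    for chunk in chunks[1:]:
        lines = chunk.strip().splitlines()
        if lines:
            sections[lines[0].strip()] = "\n".join(lines[1:])
    return sections

def field(body, name):
    # Extract "Name : value" from a netsh section body.
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.*)$", body, flags=re.M)
    return m.group(1).strip() if m else None

def triage(log):
    s = split_sections(log)
    tunnel = s.get("netsh int httpstunnel show interfaces", "")
    code_hex = field(tunnel, "Last Error Code")
    code, meaning = decode_error(code_hex) if code_hex else (None, None)
    mmsa = s.get("netsh adv mon show mmsa", "")
    return {
        "failed_checks": re.findall(r"^FAIL - (.*)$", s["summary"], flags=re.M),
        "iphttps_status": field(tunnel, "Interface Status"),
        "iphttps_error": code,
        "iphttps_error_name": meaning,
        "main_mode_sa_present": bool(mmsa.strip()) and "No SAs match" not in mmsa,
    }
```

Run `triage(open("dca.log").read())` on a real DCA log to get the same dictionary for that machine.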