We've been running UAG DirectAccess on Server 2008 R2 for up to two years without much trouble, but we've run into a serious issue by now. I think I know what the issue is, but not what the cause is, mostly because it seems to be 'random'.
Most of our users are able to connect to our internal resources, but after some time not spent in the office, working abroad or at home using DirectAccess, it will stop working and show the following error in the EventLog of the connecting client:
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 2001:0:57fb:2bd9:349c:4767:c17b:a3bc
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:57fb:2bda::57fb:2bda
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: 345f17fa320e0b31
Responder Cookie: 0000000000000000
I've checked all steps mentioned in the General Methodology for Troubleshooting DirectAccess Connections http://technet.microsoft.com/en-us/library/ee624058%28WS.10%29.aspx
I'm able to ping the Unified Access Gateway, and I'm able to do IPv6 lookups using the UAG DNS. I'm able to ping internal resources (because this doesn't need IPsec), and Strong CRL check is set to "Strong CRL check: Fail if cert is revoked", so it shouldn't fail when the CRL isn't externally reachable (right?). The computer certificates aren't out of date, and the UAG server has the same root certificate as the computer has (both signed using the same root certificate).
At first I suspected that when people were in the office and went home, it would work for a day (or something) and stop working after a while. This is the case for most of the people, but there are some who didn't come back to the office for several months.
So as you (hopefully) can imagine, I'm out of options (I don't have that many IPv6/IPsec troubleshooting degrees).
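The checks described in the post (main mode failure events, computer certificate validity and root, which IPsec policy the client actually holds) collected into one read-only diagnostic pass on the DirectAccess client. This is an added example, not code from the original post or from UAG/DirectAccess. It assumes an elevated PowerShell on a Windows 7-era client (PowerShell 2.0 syntax), that the Security log contains the "An IPsec main mode negotiation failed" audit events quoted above (events are matched on that message text rather than on an assumed event ID), and the 24-hour window is a constructed value.

```powershell
# Added diagnostic script, not part of the original post. Assumptions: run elevated on
# the DirectAccess client, PowerShell 2.0 compatible, events matched on message text.

$Hours = 24                               # constructed window, adjust as needed
$Since = (Get-Date).AddHours(-$Hours)

# Parse the "Key: value" lines of one event message into a hashtable. Keys that occur
# twice in the event (Network Address, Keying Module Port) are kept as Key#1, Key#2 so
# the local and remote endpoint stay distinguishable.
function ConvertFrom-MainModeMessage([string]$Message) {
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') {
            $key = $matches[1]; $value = $matches[2]
            $n = 1
            while ($fields.ContainsKey("$key#$n")) { $n++ }
            $fields["$key#$n"] = $value
        }
    }
    return $fields
}

# 1. Recent main mode failures from the Security log, summarised by failure reason.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'An IPsec main mode negotiation failed' } |
    ForEach-Object {
        $f = ConvertFrom-MainModeMessage $_.Message
        New-Object PSObject -Property @{
            Time          = $_.TimeCreated
            LocalAddress  = $f['Network Address#1']
            RemoteAddress = $f['Network Address#2']
            KeyingModule  = $f['Keying Module Name#1']
            AuthMethod    = $f['Authentication Method#1']
            FailurePoint  = $f['Failure Point#1']
            FailureReason = $f['Failure Reason#1']
        }
    }

"== IPsec main mode failures in the last $Hours hours, by reason =="
$failures | Group-Object FailureReason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$failures | Select-Object -First 5 Time, RemoteAddress, KeyingModule, AuthMethod, FailurePoint |
    Format-Table -AutoSize

# 2. Computer certificates: expiry and whether a chain builds to a trusted root.
#    Revocation is skipped here on purpose: the CRL is usually unreachable from outside
#    and the aim is to see the issuing root and expiry, not to replicate the UAG CRL check.
"== Machine certificates with a private key =="
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($_)
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '-' }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt (Get-Date))
        ChainBuilt = $built
        Root       = $root
    }
} | Format-List

# 3. What IPsec policy the client holds right now. A "No policy configured" failure with
#    Main Mode Filter ID 0 is worth reading next to the connection security rules Group
#    Policy should have delivered and next to any main mode SAs that did come up.
"== Connection security rules =="
netsh advfirewall consec show rule name=all
"== Main mode security associations =="
netsh advfirewall monitor show mmsa
"== Last Group Policy application (computer scope) =="
gpresult /r /scope computer
```

Run it on a client that is currently failing and on one that still works, and compare the three sections side by side: the grouped failure reasons show whether every failure is the same "No policy configured" case, the certificate section shows whether the machine certificate chains to the same root the UAG uses and when it expires, and the last section shows whether the client has any connection security rules at all and when computer Group Policy was last applied.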