Server 2012: Windows Firewall intermittently blocking internal hosts after Direct Access Setup

  • Saturday, March 16, 2013 3:59 PM

    Hello,

    I have configured Server 2012 as a DirectAccess + Remote Management (no VPN) gateway using a single NIC (assigned 10.10.4.181/24). The Server is running on a 2008R2 Hyper-V host using a single VNIC.

    Clients can connect and access the company network as expected without issues. Windows Firewall blocks internal hosts (not always the same hosts, not all at the same time) intermittently. For example our monitoring service reported the host as:

    2013-03-15 16:01 - UP
    2013-03-15 16:28 - DOWN
    2013-03-15 17:13 - UP
    2013-03-15 17:48 - DOWN
    2013-03-15 18:28 - UP
    2013-03-15 19:03 - DOWN

    No Windows Firewall related GPOs except the DirectAccess Server GPO are applied to this host. Event log reports the dropped Packets as:

    The Windows Filtering Platform has blocked a packet.
    
    Application Information:
    	Process ID:		0
    	Application Name:	-
    
    Network Information:
    	Direction:		Inbound
    	Source Address:		10.10.3.41
    	Source Port:		0
    	Destination Address:	10.10.4.181
    	Destination Port:		0
    	Protocol:		0
    
    Filter Information:
    	Filter Run-Time ID:	73370
    	Layer Name:		IP Packet
    	Layer Run-Time ID:	0

    wpfdiag.xml contains this:

    				<filters numItems="1">
    					<item>
    						<filterKey>{0dd2351d-f3ae-4014-8387-e9f5553eaffd}</filterKey>
    						<displayData>
    							<name>Windows NAT IP layer filter</name>
    							<description>Filters IP packets that require translation in the external to internal direction</description>
    						</displayData>
    						<flags/>
    						<providerKey/>
    						<providerData/>
    						<layerKey>FWPM_LAYER_INBOUND_IPPACKET_V4</layerKey>
    						<subLayerKey>{c217705d-2fe6-462f-8b3f-ecfb4771b8bb}</subLayerKey>
    						<weight>
    							<type>FWP_EMPTY</type>
    						</weight>
    						<filterCondition/>
    						<action>
    							<type>FWP_ACTION_CALLOUT_TERMINATING</type>
    							<calloutKey>{54da5466-5271-4ec1-8c5e-996fe8481ff2}</calloutKey>
    						</action>
    						<rawContext>0</rawContext>
    						<reserved/>
    						<filterId>73370</filterId>
    						<effectiveWeight>
    							<type>FWP_UINT64</type>
    							<uint64>0</uint64>
    						</effectiveWeight>
    					</item>
    				</filters>
    and the related drop event (10.10.3.41 is our linux based monitoring host, different subnet):

    		<netEvent>
    			<header>
    				<timeStamp>2013-03-16T06:59:28.382Z</timeStamp>
    				<flags numItems="4">
    					<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    				</flags>
    				<ipVersion>FWP_IP_VERSION_V4</ipVersion>
    				<ipProtocol>0</ipProtocol>
    				<localAddrV4>10.10.4.181</localAddrV4>
    				<remoteAddrV4>10.10.3.41</remoteAddrV4>
    				<localPort>0</localPort>
    				<remotePort>0</remotePort>
    				<scopeId>0</scopeId>
    				<appId/>
    				<userId/>
    				<addressFamily>FWP_AF_INET</addressFamily>
    				<packageSid/>
    			</header>
    			<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    			<classifyDrop>
    				<filterId>73370</filterId>
    				<layerId>0</layerId>
    				<reauthReason>0</reauthReason>
    				<originalProfile>0</originalProfile>
    				<currentProfile>0</currentProfile>
    				<msFwpDirection>MS_FWP_DIRECTION_IN</msFwpDirection>
    				<isLoopback>false</isLoopback>
    				<vSwitchId/>
    				<vSwitchSourcePort>0</vSwitchSourcePort>
    				<vSwitchDestinationPort>0</vSwitchDestinationPort>
    			</classifyDrop>
    		</netEvent>

    another one (Windows 8 workstation, also different subnet):

    		<netEvent>
    			<header>
    				<timeStamp>2013-03-16T06:59:28.351Z</timeStamp>
    				<flags numItems="4">
    					<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    				</flags>
    				<ipVersion>FWP_IP_VERSION_V4</ipVersion>
    				<ipProtocol>0</ipProtocol>
    				<localAddrV4>10.10.4.181</localAddrV4>
    				<remoteAddrV4>10.10.10.171</remoteAddrV4>
    				<localPort>0</localPort>
    				<remotePort>0</remotePort>
    				<scopeId>0</scopeId>
    				<appId/>
    				<userId/>
    				<addressFamily>FWP_AF_INET</addressFamily>
    				<packageSid/>
    			</header>
    			<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    			<classifyDrop>
    				<filterId>73370</filterId>
    				<layerId>0</layerId>
    				<reauthReason>0</reauthReason>
    				<originalProfile>0</originalProfile>
    				<currentProfile>0</currentProfile>
    				<msFwpDirection>MS_FWP_DIRECTION_IN</msFwpDirection>
    				<isLoopback>false</isLoopback>
    				<vSwitchId/>
    				<vSwitchSourcePort>0</vSwitchSourcePort>
    				<vSwitchDestinationPort>0</vSwitchDestinationPort>
    			</classifyDrop>
    		</netEvent>

    Any help is appreciated!

    Regards,

    Mathias
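As an added example (not part of the original post), a small Python triage script that reads a wfpdiag.xml dump like the one quoted above, keeps only FWPM_NET_EVENT_TYPE_CLASSIFY_DROP events, and groups them by the dropping filterId joined to that filter's display name, layer and action type, so the offending filter and the affected remote hosts stand out at a glance. The embedded XML is a constructed sample mirroring the post's extracts (filter 73370, the 10.10.3.41 and 10.10.10.171 drops, plus an invented allow event to show it is skipped); the `<wfpdiag>` and `<netEvents>` wrapper element names are assumptions about the dump layout.

```python
# Added example, not from the post: summarise CLASSIFY_DROP events in a
# wfpdiag.xml dump by the filterId that dropped them, joined to filter details.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the post's wfpdiag.xml extracts; the
# <wfpdiag>/<netEvents> wrappers are assumed names, the ALLOW event is invented.
SAMPLE_WFPDIAG = """<wfpdiag><filters><item>
 <displayData><name>Windows NAT IP layer filter</name></displayData>
 <layerKey>FWPM_LAYER_INBOUND_IPPACKET_V4</layerKey>
 <action><type>FWP_ACTION_CALLOUT_TERMINATING</type></action>
 <filterId>73370</filterId></item></filters><netEvents>
<netEvent><header><timeStamp>2013-03-16T06:59:28.382Z</timeStamp>
 <localAddrV4>10.10.4.181</localAddrV4><remoteAddrV4>10.10.3.41</remoteAddrV4></header>
 <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>73370</filterId></classifyDrop></netEvent>
<netEvent><header><timeStamp>2013-03-16T06:59:28.351Z</timeStamp>
 <localAddrV4>10.10.4.181</localAddrV4><remoteAddrV4>10.10.10.171</remoteAddrV4></header>
 <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>73370</filterId></classifyDrop></netEvent>
<netEvent><header><timeStamp>2013-03-16T07:00:01.000Z</timeStamp>
 <localAddrV4>10.10.4.181</localAddrV4><remoteAddrV4>10.10.3.41</remoteAddrV4></header>
 <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type><classifyAllow><filterId>99999</filterId></classifyAllow></netEvent>
</netEvents></wfpdiag>"""

def load_filters(root):
    """Map filterId -> (display name, layerKey, action type) from <filters>."""
    out = {}
    for item in root.iterfind("filters/item"):
        out[item.findtext("filterId")] = tuple(
            item.findtext(p, "?") for p in ("displayData/name", "layerKey", "action/type"))
    return out

def drops_by_filter(xml_text):
    """Return {filterId: {"filter": (name, layer, action), "count": n,
    "remotes": [sorted unique remote IPv4 addresses]}} for drop events only."""
    root = ET.fromstring(xml_text)
    filters = load_filters(root)
    acc = defaultdict(lambda: {"count": 0, "remotes": set()})
    for ev in root.iter("netEvent"):
        if ev.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
            continue  # allow events and other types are not of interest here
        fid = ev.findtext("classifyDrop/filterId")
        acc[fid]["count"] += 1
        acc[fid]["remotes"].add(ev.findtext("header/remoteAddrV4", "?"))
    return {fid: {"filter": filters.get(fid, ("unknown", "?", "?")),
                  "count": e["count"], "remotes": sorted(e["remotes"])}
            for fid, e in acc.items()}
```

Run it against a real dump from `netsh wfp show state` by reading the file into `drops_by_filter`; a single filterId accounting for drops from hosts on several internal subnets points at that filter (here the NAT callout filter on the inbound IP packet layer) rather than at the individual hosts.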