Answered DirectAccess - IPSec Main Mode Negotiation Failed

  • Friday, January 20, 2012 11:20 PM
     
     

    I configured DirectAccess. The client machine runs Windows 7 Enterprise; all servers in the domain run Windows Server 2008 R2 SP1.

    Domain and Forest level are both 2008 R2.

     

    On the client machine, EventID 4653 “IPsec main mode negotiation failed” is logged in the Windows Security log.

    In the Monitoring view of DirectAccess management console, I can see the high number of Failed Main Mode Negotiations.

    The result of netsh advfirewall monitor show mmsa on both DA1 and the client is “No SAs match the specified criteria”.

    Of course IPsec main mode failed to establish the connection; there is no SA found.

     

    I can ping DirectAccess Server (DA1) and DNS server (DC1) with IPv6 addresses from the client machine and ping the client machine from DA1 with IPv6 as well.

    However, nslookup against DC1 from the client machine using IPv6 fails with “DNS request timed out”.

     

    DA1, client machine, Network Location server (NLS) all seem to have appropriate certificates.

    All information for the DNS name, CRL distribution point, and other details of those certificates seems OK to me.

     

    The internal domain name is single-label (mydomain, not mydomain.com or mydomain.net).

    The external domain is mydomain.com. I have two A records, DA1.mydomain.com and crl.mydomain.com, in the hosted DNS registry.

    My concern is whether DirectAccess has any issue with a single-label domain name. Also, does the DNS namespace in my case cause any conflicts?

    I want to clarify whether the domain naming scheme in this particular case is an issue or not.

     

    Appreciate any suggestion and comments!
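The checks the post above walks through by hand (Event ID 4653 in the Security log, `netsh advfirewall monitor show mmsa`, IPv6 ping, nslookup over IPv6, and the NRPT that decides which suffixes go over the tunnel) can be collected in one run. The script below is an added example, not code from the thread or from Microsoft; the IPv6 addresses, the name `dc1.mydomain` and the 24-hour window are placeholders (assumptions) to be replaced with the real DA1/DC1 values.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# DirectAccess client; reading the Security log requires administrator rights.
# All defaults below are constructed placeholders, not values from the post.
param(
    [string]$DaServerIPv6  = '2001:db8::1',   # assumed IPv6 address of DA1
    [string]$DnsServerIPv6 = '2001:db8::2',   # assumed IPv6 address of DC1
    [string]$InternalName  = 'dc1.mydomain',  # assumed intranet name to resolve
    [int]$Hours = 24                           # assumed look-back window for events
)

function Get-MainModeFailures {
    # Event ID 4653 (Security log): "An IPsec main mode negotiation failed".
    # Each event carries a "Failure Point" (Local/Remote) and a "Failure Reason"
    # text; grouping by both makes the dominant cause stand out.
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4653; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | ForEach-Object {
        $reason = if ($_.Message -match '(?m)^\s*Failure Reason:\s*(.+?)\s*$') { $Matches[1] } else { '(unparsed)' }
        $point  = if ($_.Message -match '(?m)^\s*Failure Point:\s*(.+?)\s*$')  { $Matches[1] } else { '(unparsed)' }
        New-Object PSObject -Property @{ Time = $_.TimeCreated; FailurePoint = $point; FailureReason = $reason }
    } | Group-Object FailurePoint, FailureReason | Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-MainModeSAs {
    # Same check as the post: an empty main mode SA list means no quick mode SA
    # and therefore no DirectAccess tunnel can exist yet.
    $out = netsh advfirewall monitor show mmsa 2>&1 | Out-String
    New-Object PSObject -Property @{ HasMainModeSA = -not ($out -match 'No SAs match'); Raw = $out.Trim() }
}

function Test-IPv6Reachability {
    # Plain ICMPv6 echo. The DirectAccess connection security rules exempt ICMPv6
    # from IPsec, so a working ping proves IPv6 transport only, not the tunnel.
    param([string]$Address)
    $out = ping.exe -6 -n 2 $Address 2>&1 | Out-String
    [bool]($out -match 'Reply from .*time[<=]')
}

function Test-DnsOverIPv6 {
    # nslookup sent straight to the DNS server's IPv6 address, as in the post.
    # DNS is not exempt from IPsec: "timed out" while ping works points at the
    # infrastructure tunnel rather than at IPv6 routing.
    param([string]$Name, [string]$Server)
    $out = nslookup.exe -timeout=3 $Name $Server 2>&1 | Out-String
    New-Object PSObject -Property @{ Resolved = -not ($out -match 'timed out|can''t find|Non-existent'); Raw = $out.Trim() }
}

function Get-NrptPolicy {
    # The NRPT routes queries by DNS suffix (e.g. ".mydomain.com") to the DA
    # intranet DNS server. A single-label AD DNS name has no such suffix, which
    # is the gap the answer below this post describes.
    netsh namespace show effectivepolicy 2>&1 | Out-String
}

"=== Event 4653 main mode failures, last $Hours h (by failure point / reason) ==="
Get-MainModeFailures -Hours $Hours | Format-Table -AutoSize
"=== Main mode SAs ==="
(Get-MainModeSAs).Raw
"=== IPv6 reachability (ICMPv6 is exempt from IPsec) ==="
"DA1 $DaServerIPv6 : $(Test-IPv6Reachability $DaServerIPv6)"
"DC1 $DnsServerIPv6 : $(Test-IPv6Reachability $DnsServerIPv6)"
"=== DNS over IPv6 (goes through the infrastructure tunnel) ==="
$dns = Test-DnsOverIPv6 -Name $InternalName -Server $DnsServerIPv6
"Resolved: $($dns.Resolved)"
$dns.Raw
"=== Effective NRPT ==="
Get-NrptPolicy
```

The grouped 4653 reasons are the part worth reading first: a reason such as "IKE authentication credentials are unacceptable" (the text quoted later in this thread) is a certificate or CA selection problem, which an NRPT or DNS change will not fix, whereas a clean 4653 list with a failing nslookup points at name resolution.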


All Replies

  • Sunday, January 22, 2012 4:31 PM
     
     Answered

    Hi

     

    Single-label domains are painful. In the DirectAccess case, the Name Resolution Policy Table does not support single-label domains, as explained in a recent blog post by Jason: http://blog.msedge.org.uk/2011/10/single-label-dns-domain-names-and-uag.html. Unless you accept accessing your internal resources with an alternate fully qualified domain name, there is no real solution.

     

    You should think about starting an inter-forest Active Directory migration project. Many Microsoft applications do not operate in single-label domain mode (Exchange, ...). DirectAccess is only one of these, but not the most critical from my point of view.

     

     


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked As Answer by sakura_hime Thursday, January 26, 2012 9:07 PM
  • Thursday, January 26, 2012 9:13 PM
     
     

    Hi Benoits,

    Thanks for the information.

    When I started to work here, I pointed out that the domain name would be a risk in the future, but we haven't done anything. I will bring the issue up again and try to come up with the best solution.


  • Tuesday, May 08, 2012 3:50 PM
     
     

    I'm getting the exact issue with mine.

    Not a single-label domain. The DNS query fails because the tunnel is not established, but why is it not authenticating? CRL is accessible, certificates, DNS is pingable (no tunnel used?).

    Equivalent messages on each endpoint (initiator/responder):

    IKE authentication credentials are unacceptable.

  • Tuesday, May 08, 2012 4:18 PM
     
     

    Hi

    Not sure it is the same problem. The initial problem was caused by a DNS single-label domain. In his situation DNS queries were working. In your situation it is not the case. Are you sure you can ping your UAG server?

    


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • Monday, May 21, 2012 1:52 PM
     
     

    I found the reason for this.

    It is because when setting up DA on the server I simply chose a server certificate and not actually the root CA certificate.

    Not solved all my trouble, but I have had the tunnel going OK.
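The last two posts describe the other way main mode fails with "IKE authentication credentials are unacceptable": the certificate chain is fine on paper, but the DirectAccess server was told to trust the wrong certificate (a server certificate instead of the root CA), so the client's computer certificate does not chain to the CA the IPsec rules name. The script below is an added example, not code from the thread or from Microsoft. It builds the chain for each machine certificate with online CRL checking and compares the root it ends in with the thumbprint you expect; `$ExpectedRootThumbprint` is an assumed placeholder, and the `Select-String` patterns over the `netsh advfirewall consec` output are assumptions about which lines are of interest, not field names guaranteed by the tool.

```powershell
# Added example, not code from the thread. Run elevated on the DA client (the
# DA group policy applies the same connection security rules there as on the
# server). The thumbprint default is a constructed placeholder.
param(
    [string]$ExpectedRootThumbprint = '0000000000000000000000000000000000000000'  # assumed: SHA-1 of the root CA chosen in the DA wizard
)

function Test-ComputerCertChains {
    # For every machine certificate with a private key, build the chain with
    # online revocation checking (the CRL distribution point the first post
    # mentions) and report the root it ends in. IPsec only accepts certificates
    # that chain to the CA it was configured with, so a chain that builds but
    # ends in a different root still produces "credentials unacceptable".
    param([string]$ExpectedRootThumbprint)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRLs like IPsec would
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # roots carry no CRL of their own
        $builds = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $clientAuthOid })
        New-Object PSObject -Property @{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            ChainBuilds      = $builds
            ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            RootSubject      = $root.Subject
            RootThumbprint   = $root.Thumbprint
            RootIsExpected   = ($root.Thumbprint -eq $ExpectedRootThumbprint)
            HasClientAuthEku = $hasClientAuth   # reported only; the Computer template normally includes it
        }
        $chain.Reset()
    }
}

function Show-ConsecAuthConfig {
    # The connection security rules show the authentication methods and the CA
    # name used for certificate authentication. The pattern below only filters
    # the verbose netsh listing for display; it assumes nothing about the layout.
    netsh advfirewall consec show rule name=all verbose 2>&1 |
        Select-String -Pattern 'Rule Name|Auth1|Auth2|CA'
}

$results = @(Test-ComputerCertChains -ExpectedRootThumbprint $ExpectedRootThumbprint)
$results | Format-Table Subject, ChainBuilds, RootIsExpected, HasClientAuthEku, ChainStatus -AutoSize
if (-not ($results | Where-Object { $_.ChainBuilds -and $_.RootIsExpected })) {
    Write-Warning "No machine certificate builds a chain to the expected root CA; IPsec certificate authentication will fail."
}
"=== Connection security rules: authentication and CA lines ==="
Show-ConsecAuthConfig
```

A `ChainBuilds` of True together with `RootIsExpected` False is exactly the situation in the post above: the certificate itself is valid, but the CA the DirectAccess rules reference is not the root that issued it. `ChainStatus` values such as `RevocationStatusUnknown` or `OfflineRevocation` mean the CRL could not be fetched and should be chased before touching the domain name or the NRPT.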