none
Clients OK but Connectivity assistant shows red cross

    Question

  • <big>Hi guys,
    </big>

    For some reason the connectivity assistant is always showing a red cross even though clients are connected and everything seems to work fine. Clients are Windows 7 Enterprise machines and DA server is running Server 2012 URA.

    Error is:

    RED: Corporate connectivity is not working.
    The DirectAccess Connectivity Assistant application is not configured correctly. If the problem persists, contact your administrator.

    We are in an IPv4 network so we use only IPHTTPS for now.

    Here are some logs, anything that can cause the error?

    ***************************************************************************
    netsh int teredo show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : offline
    Error                   : client is in a managed network


    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>

    ***************************************************************************
    netsh int httpstunnel show interfaces
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://direct-access.mygroup.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active


    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>

    ***************************************************************************
    netsh dns show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>

    ***************************************************************************
    netsh name show policy
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for .mygroup.com
    ----------------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : fd42:d58e:cce4:2222::1
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy



    Settings for nls.mygroup.com
    ----------------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for direct-access.mygroup.com
    ----------------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for .corp.mygroup.local
    ----------------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : fd42:d58e:cce4:2222::1
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy



    Settings for .mygroup.local
    ----------------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : fd42:d58e:cce4:2222::1
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

    ***************************************************************************
    netsh adv mon show mmsa
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh adv mon show mmsa

    Main Mode SA at 05/08/2013 16:31:06                      
    ----------------------------------------------------------------------
    Local IP Address:                     fd42:d58e:cce4:1000:ac7d:c35f:5b69:e9b0
    Remote IP Address:                    fd42:d58e:cce4:1000::1
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          1291941026f8d7ab:8b29fef7515b60ad
    Health Cert:                          No

    Main Mode SA at 05/08/2013 16:31:06                      
    ----------------------------------------------------------------------
    Local IP Address:                     fd42:d58e:cce4:1000:ac7d:c35f:5b69:e9b0
    Remote IP Address:                    fd42:d58e:cce4:1000::1
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          1541a2126e95934c:081afc9152312438
    Health Cert:                          No

    Main Mode SA at 05/08/2013 16:31:06                      
    ----------------------------------------------------------------------
    Local IP Address:                     fd42:d58e:cce4:1000:ac7d:c35f:5b69:e9b0
    Remote IP Address:                    fd42:d58e:cce4:1000::1
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          7a897ab53ec5af42:ae1bbf0ab8ff0487
    Health Cert:                          No
    Ok.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh int ipv6 show int level=verbose

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 18000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 12
    State                              : connected
    Metric                             : 25
    Link MTU                           : 1500 bytes
    Reachable Time                     : 44000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.corp.remarkgroup.local Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 16
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 34500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.{87EAE99E-A4E9-42AE-8804-418D832356C1} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 17
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 27000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.{EDD7C23D-2456-49CC-95A1-D8B10101C1F4} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 26
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 16500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 27
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 27000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_9
    IfIndex                            : 11
    State                              : connected
    Metric                             : 10
    Link MTU                           : 1500 bytes
    Reachable Time                     : 43000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_12
    IfIndex                            : 15
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 40000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Bluetooth Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_22
    IfIndex                            : 14
    State                              : disconnected
    Metric                             : 40
    Link MTU                           : 1500 bytes
    Reachable Time                     : 16000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    ***************************************************************************
    netsh advf show currentprofile
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{489D1C83-5D52-4ABF-85C9-1EF1504D20A3}>netsh advf show currentprofile

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    • Edited by TomaVit Wednesday, May 08, 2013 2:57 PM
    Wednesday, May 08, 2013 2:49 PM

All replies

  • Hi

    I would deployed DirectAccess in a behind a edge device scenario. So no Teredo available. But when you read your log you can notice that your Teredo interface is operational with default configuration. This means you have both Teredo and IPHTTPS active. I would say that Teredo is not required in your scenario (DirectAccess behind an edge device) and disable Teredo on client-side with a NETSH.EXE Interface Teredo Set State Disable command. It should be better.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, May 09, 2013 6:48 AM
  • Hi,

    I have disabled Teredo as advised but i still got the red cross on the client.

    Friday, May 10, 2013 9:19 AM
  • Hi,

    I also realized it was a mistake. Your Teredo interface is offline and you have IPSEC associations in your log. It's not a connection problem. You might have problem with probes used by the DAC or the DAC configuration itself. Does this configuration was generated by the URA console?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, May 10, 2013 9:24 AM
  • Does your DirectAccess clients are using DAC 2.0 and not 1.5. Version 2.0 is required for Windows 7 DirectAccess clients connecting to an URA based infrastructure only. The are some minor changes in DAC 2.0 that make the configuration different from a registry point of view.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, May 10, 2013 9:29 AM
  • Yes this is DAC version 2 i am running.

    The configuration is generated from the URA console and probes were giving me errors (from Windows 8 clients) but then i enabled ICMP exceptions on the URA server and the ping test on the probes is now successful.

    Windows 8 clients do not complain.

    Friday, May 10, 2013 9:50 AM