Server 2012 Direct Access

    Question

  • Hi,

    I am trying to set up a DA server with a NATed address in the DMZ.
    The infra tunnel is coming up and I can ping the DA server, but I cannot resolve any internal servers, as it says it cannot resolve DNS names for probes.

    I have set the contoso.com domain to the DNS of the DA server, which can resolve DNS.
    If I use the internal DNS servers I can ping them, but it still doesn't resolve.


    I am testing on Win 8.

    Any advice is appreciated.

    Thanks

    Ian



    Friday, 5 April 2013 14:09

All replies

  • Hi,

    Some initial things to look at.
    1. Is the Windows Firewall enabled (don't forget to verify that the current profile is active also)
    2. Can you see any IPSec associations on the client?
    3. Enable IPSec auditing and check if you have any errors showing up.

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, 5 April 2013 16:08
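    One way to run the three checks above from an elevated PowerShell prompt on the Windows 8 DA client, as an added example that is not from this thread. It assumes the NetSecurity and DirectAccessClientComponents modules shipped with Windows 8 / Server 2012, and that the "IPsec main mode negotiation failed" events land in the Security log as IDs 4652/4653.

```powershell
# Added troubleshooting script (not from the thread); run from an elevated prompt
# on the DirectAccess client. Assumes Windows 8 / Server 2012 cmdlets.

# 1. Windows Firewall: DA requires the firewall service running and the active
#    profile enabled; off the LAN the client sits in the Public/Private profile.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. IPsec associations: no main-mode SA means IKE/AuthIP never completed with
#    the DA server (typically firewall, NAT or certificate trouble); a main-mode
#    SA without a quick-mode SA points at the quick-mode policy instead.
$mm = Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue
$qm = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue
"Main-mode SAs: {0}   Quick-mode SAs: {1}" -f @($mm).Count, @($qm).Count
$mm | Format-Table -AutoSize

# 3. IPsec auditing: enable failure auditing for main mode, then summarise the
#    most recent failures. Assumption: IDs 4652/4653 are the main-mode failures.
auditpol /set /subcategory:"IPsec Main Mode" /failure:enable | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Module = [regex]::Match($msg, 'Keying Module Name:\s+(\S+)').Groups[1].Value
            Reason = [regex]::Match($msg, 'Failure Reason:\s+(.+)').Groups[1].Value.Trim()
            # '(?m)^' keeps this from matching the "Impersonation State:" line
            State  = [regex]::Match($msg, '(?m)^\s*State:\s+(.+)').Groups[1].Value.Trim()
        }
    } | Format-Table -AutoSize
# Reading the result: "Negotiation timed out" in state "Sent first (SA) payload"
# with an all-zero responder cookie means the server never answered (transport
# or firewall); "No policy configured" means no connection security rule matched.

# Client-side view of the whole thing: Status/Substatus, and whether the NRPT
# entry for the internal namespace points at a DNS server the tunnel can reach.
Get-DAConnectionStatus
Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers, DirectAccessDnsServers
```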
  • Thanks Jonas,

    The firewall is on and a profile is assigned. I will do some testing to check the IPSec associations. Thanks for the lead.

    Thanks

    Ian

    Friday, 5 April 2013 17:06
  • Hi,

    This is the error I am getting.
    I forgot to say that I am using an external NLS server, which we have on our UAG DA deployment; I am also using an external cert.

    Could having another deployment with ISATAP be stopping the native DA from working? I'm only testing this as a possible replacement for UAG DA.

    An IPsec main mode negotiation failed.

    Local Endpoint:
     Local Principal Name: -
     Network Address: 
     Keying Module Port: 500

    Remote Endpoint:
     Principal Name:  -
     Network Address: 
     Keying Module Port: 500

    Additional Information:
     Keying Module Name: AuthIP
     Authentication Method: Unknown authentication
     Role:   Initiator
     Impersonation State: Not enabled
     Main Mode Filter ID: 83643

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  Negotiation timed out

     State:   Sent first (SA) payload
     Initiator Cookie:  f12ff60b89dc9e6e
     Responder Cookie: 0000000000000000

    Thanks

    Ian



    Monday, 8 April 2013 08:39
  • I noticed I had two machine certs (computer and auto-enroll comp). I deleted one and get:

    An IPsec main mode negotiation failed.

    Local Endpoint:
     Local Principal Name: -
     Network Address: 
     Keying Module Port: 500

    Remote Endpoint:
     Principal Name:  -
     Network Address: 
     Keying Module Port: 500

    Additional Information:
     Keying Module Name: IKEv1
     Authentication Method: Unknown authentication
     Role:   Initiator
     Impersonation State: Not enabled
     Main Mode Filter ID: 0

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  No policy configured

     State:   No state
     Initiator Cookie:  baf3c4a2c0892c39
     Responder Cookie: 0000000000000000

    Monday, 8 April 2013 09:03