none
Remote Access cannot reach inside resources

    Question

  • Hi everyone,

    I am at a stalled point in this Windows 2012 Remote Access (DirectAccess) server setup.

    I have installed a 2 NIC Natted Windows 2012 server. Everything seems fine but my client cannot connect to intranet resources using FQDN. 6to4 IPs work when I use NAT64 prefix before the IPv4 address of my internal resources. That means that the IPSec tunnels don't come up, with I can confirm, I have to MMSA in the Windows Firewall.

    This would usually lead to certificates, but I have confirmed that they are OK on both the server and client. CRL can be reached from both inside and outside.

    Client is trying to connect through IPHTTPS tunnel as it was the only protocol the network team would allow through (which is fine by me).

    I went through the usual toubleshooting steps.. Certificates OK, GPO OK, Connectivity to DC from Server OK. Nothing of interest in event log.

    Security log though shows a few interesting errors like this one:

    LocalMMPrincipalName -
    RemoteMMPrincipalName -
    LocalAddress fd7f:f176:b9e5:1000::1
    LocalKeyModPort 500
    RemoteAddress fd7f:f176:b9e5:1000:4dc3:2fa2:cff4:66fe
    RemoteKeyModPort 500
    KeyModName %%8223
    FailurePoint %%8199
    FailureReason No policy configured
    MMAuthMethod %%8194
    State %%8201
    Role %%8206
    MMImpersonationState %%8217
    MMFilterID 0
    InitiatorCookie 845028da40eb76b6
    ResponderCookie

    65dfe542402e19b4

    Network trace shows a little bit more info:

    4:50:47 PM 4/30/2013 FD7F:F176:B9E5:1000:0:0:0:1 FD7F:F176:B9E5:1000:FCC7:9A72:9FBD:11D1 WFP WFP:IPsec: Main Mode Failure - Error: ERROR_SUCCESS
    4:50:40 PM 4/30/2013   WFP WFP:User Mode Error
    ErrorCode: ERROR_IPSEC_IKE_NO_POLICY

    Client is Win8 Enterprise btw.

    I am kind of at a lost point now.. Any help is appreciated.

    Thanks

    Wednesday, May 01, 2013 2:32 PM

Answers