DirectAccess not working on 1 laptop, IPSec issue

  • Question

  • We have a UAG DirectAccess setup with about 100 laptops that are all able to connect to the Corporate network.

    Except for 1 laptop!


    On this single laptop I’m able to ping IPv6 addresses of servers that are located in the corporate network, but ping on DNS names fails.

    On this laptop I have the following event messages.

    Event id 4653

    An IPsec main mode negotiation failed.

    Additional Information:
        Keying Module Name:     IKEv1
        Authentication Method:  Unknown authentication
        Role:                   Initiator
        Impersonation State:    Not enabled
        Main Mode Filter ID:    0

    Failure Information:
        Failure Point:          Local computer
        Failure Reason:         No policy configured
        State:                  No state
        Initiator Cookie:       a6b169bbbecd7464
        Responder Cookie:       0000000000000000

    Event id 4984

    An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

    Local Endpoint:
        Principal Name:         NT AUTHORITY\NETWORK SERVICE
        Network Address:        (ip6address)
        Keying Module Port:     500

    Remote Endpoint:
        Principal Name:         host/SRV-UAG01.domain.com
        Network Address:        (ip6 address)
        Keying Module Port:     500

    Additional Information:
        Keying Module Name:     AuthIP
        Authentication Method:  NTLM V2
        Role:                   Initiator
        Impersonation State:    Enabled
        Quick Mode Filter ID:   968757

    Failure Information:
        Failure Point:          Local computer
        Failure Reason:         IKE authentication credentials are unacceptable
        State:                  Sent second (SSPI) payload


    On the UAG server I see similar event log messages.

    The firewall on the laptop is enabled.

    Under “Monitoring – connection security rules” I have my 3 DirectAccess security rules but under the main mode node they are not active.

    I deleted our root certificate from the certificate store and added it again, and I did the same for the client certificate.

    Does someone have any idea what can be wrong on this laptop?

    Thursday, April 21, 2011 12:23 PM

All replies

  • What output do you get from a certutil -store my command?

    Does klist show you have a valid Kerberos ticket?



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, April 21, 2011 1:15 PM
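    A read-only triage script that gathers, in one pass, the items this reply asks for (machine certificate and Kerberos tickets) together with the IPsec main mode state and the 4653/4984 events quoted in the question. This is an added example, not code from the thread or from Microsoft; `$CaName` is an assumption and must be replaced with the issuer CN of your own CA.

    ```powershell
    # Added example (not from the thread): collect DirectAccess client IPsec triage data.
    # Run from an elevated PowerShell prompt on the affected client.
    # Assumption: the issuing CA is named 'ourCA' as in the certutil output above; adjust.
    $CaName = 'ourCA'

    Write-Host "== Computer certificates in LocalMachine\My issued by $CaName =="
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "CN=$CaName*" } |
        ForEach-Object {
            $now   = Get-Date
            $state = if ($now -lt $_.NotBefore -or $now -gt $_.NotAfter) { 'OUTSIDE VALIDITY PERIOD' }
                     elseif (-not $_.HasPrivateKey)                       { 'NO PRIVATE KEY' }
                     else                                                  { 'ok' }
            "{0}  {1:yyyy-MM-dd}..{2:yyyy-MM-dd}  {3}  [{4}]" -f $_.Subject, $_.NotBefore, $_.NotAfter, $_.Thumbprint, $state
        }

    Write-Host "`n== Kerberos tickets: current user, then the computer account (logon id 0x3e7 = SYSTEM) =="
    foreach ($args in @(@(), @('-li', '0x3e7'))) {
        $klist = & klist.exe @args 2>&1
        $klist | Select-String 'LogonId|Cached Tickets'
        if ($klist -match 'Cached Tickets: \(0\)') {
            Write-Warning "No cached Kerberos tickets for klist $args : this session is not authenticating to a DC."
        }
    }

    Write-Host "`n== Active IPsec main mode SAs (an empty list means no IPsec tunnel to the UAG server) =="
    & netsh.exe advfirewall monitor show mmsa

    Write-Host "`n== Recent IPsec negotiation failures (Security log, event IDs 4653 and 4984) =="
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4984 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Extract the two fields read first when comparing against a working client.
            $auth   = ([regex]::Match($_.Message, 'Authentication Method:\s*(.+)')).Groups[1].Value.Trim()
            $reason = ([regex]::Match($_.Message, 'Failure Reason:\s*(.+)')).Groups[1].Value.Trim()
            "{0:u}  {1}  auth={2}  reason={3}" -f $_.TimeCreated, $_.Id, $auth, $reason
        }
    ```

    Run the same script on a working laptop and diff the two outputs; a certificate flagged without a private key, zero cached tickets for the computer account, or an empty main mode SA list narrows the problem to the certificate, to domain trust, or to the IPsec policy respectively.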
  • Hi Jason,

    Thanks for your reply

    Below is the output of the commands. I also did the same on a working laptop and it looks the same.


    C:\Users\user>certutil -store my
    ================ Certificate 0 ================
    Serial Number: 6efc4cf300000000034f
    Issuer: CN=ourCA, DC=domain, DC=com
     NotBefore: 4/6/2011 8:49 AM
     NotAfter: 4/5/2013 8:49 AM
    Subject: CN=laptopname.domain.com
    Non-root Certificate
    Cert Hash(sha1): d7 e2 93 76 ab 26 08 7a a0 8a 59 7a e8 38 5a d3 96 e9 7a 15
      Key Container = e06e004d96d3c8671fb218dc4c729ce1_1fd177d0-d845-469a-abb7-ed9f4
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test FAILED
    CertUtil: -store command completed successfully.



    Current LogonId is 0:0x18059a

    Cached Tickets: (0)

    Wednesday, April 27, 2011 10:48 AM
  • I found that this can occur when a computer isn't 'really' communicating with AD. In both cases we had laptops re-imaged and everything worked afterwards. We spent a couple of hours looking at everything we could, but in my organization that was about it; we have a well-defined re-imaging process. Maybe try removing the device from the domain and adding it again.
    Wednesday, April 27, 2011 4:57 PM
  • Any update? I'm curious if you decided to re-image the laptop or not.

    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Tuesday, May 3, 2011 3:03 PM
  • I'm in the Netherlands and the laptop is in the US, but luckily we have some great tools for remote management :D


    So I've removed and re-added the laptop to the domain.

    The DA connection is now partly up and running.

    Now I can ping servers in the corporate network, but I cannot browse any UNC path to these servers.

    Just logged on again to troubleshoot this further.


    Wednesday, May 4, 2011 8:46 AM
  • Sounds to me like you've got the transition tunnels up but no intranet tunnel. Can you use the Certificates MMC and re-issue a computer certificate?
    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Tuesday, May 10, 2011 1:20 AM
  • Also make sure your Personal certificate store (local computer store) is as clean as possible. I have seen machines connect to the transition tunnels (6to4, Teredo, IP-HTTPS) so that pings are successful (because ICMP traffic moves outside of the IPsec tunnels), but fail to establish the IPsec tunnels when they have a bunch of old or invalid certificates hanging around in their cert store.

    Tuesday, May 10, 2011 12:37 PM
  • Ah, never mind, I failed to see your post above with the certutil output; it looks like your store is clean. In that case I concur with MrShannon: re-issue the certificate, and if that doesn't change anything, also attempt revoking the certificate from your CA and then re-issuing it.
    Tuesday, May 10, 2011 12:47 PM