Server 2012: Windows Firewall intermittently blocking internal hosts after Direct Access Setup

  • Question

  • Hello,

    I have configured Server 2012 as a DirectAccess + Remote Management (no VPN) gateway using a single NIC (assigned 10.10.4.181/24). The server is running on a 2008R2 Hyper-V host using a single VNIC.

    Clients can connect and access the company network as expected without issues. Windows Firewall blocks internal hosts (not always the same hosts, not all at the same time) intermittently. For example our monitoring service reported the host as:

    2013-03-15 16:01 - UP
    2013-03-15 16:28 - DOWN
    2013-03-15 17:13 - UP
    2013-03-15 17:48 - DOWN
    2013-03-15 18:28 - UP
    2013-03-15 19:03 - DOWN

    No Windows Firewall related GPOs except the DirectAccess Server GPO are applied to this host. Event log reports the dropped Packets as:

    The Windows Filtering Platform has blocked a packet.
    
    Application Information:
    	Process ID:		0
    	Application Name:	-
    
    Network Information:
    	Direction:		Inbound
    	Source Address:		10.10.3.41
    	Source Port:		0
    	Destination Address:	10.10.4.181
    	Destination Port:		0
    	Protocol:		0
    
    Filter Information:
    	Filter Run-Time ID:	73370
    	Layer Name:		IP Packet
    	Layer Run-Time ID:	0

    wfpdiag.xml contains this:

    				<filters numItems="1">
    					<item>
    						<filterKey>{0dd2351d-f3ae-4014-8387-e9f5553eaffd}</filterKey>
    						<displayData>
    							<name>Windows NAT IP layer filter</name>
    							<description>Filters IP packets that require translation in the external to internal direction</description>
    						</displayData>
    						<flags/>
    						<providerKey/>
    						<providerData/>
    						<layerKey>FWPM_LAYER_INBOUND_IPPACKET_V4</layerKey>
    						<subLayerKey>{c217705d-2fe6-462f-8b3f-ecfb4771b8bb}</subLayerKey>
    						<weight>
    							<type>FWP_EMPTY</type>
    						</weight>
    						<filterCondition/>
    						<action>
    							<type>FWP_ACTION_CALLOUT_TERMINATING</type>
    							<calloutKey>{54da5466-5271-4ec1-8c5e-996fe8481ff2}</calloutKey>
    						</action>
    						<rawContext>0</rawContext>
    						<reserved/>
    						<filterId>73370</filterId>
    						<effectiveWeight>
    							<type>FWP_UINT64</type>
    							<uint64>0</uint64>
    						</effectiveWeight>
    					</item>
    				</filters>


    and the related drop event (10.10.3.41 is our Linux-based monitoring host, different subnet):

    		<netEvent>
    			<header>
    				<timeStamp>2013-03-16T06:59:28.382Z</timeStamp>
    				<flags numItems="4">
    					<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    				</flags>
    				<ipVersion>FWP_IP_VERSION_V4</ipVersion>
    				<ipProtocol>0</ipProtocol>
    				<localAddrV4>10.10.4.181</localAddrV4>
    				<remoteAddrV4>10.10.3.41</remoteAddrV4>
    				<localPort>0</localPort>
    				<remotePort>0</remotePort>
    				<scopeId>0</scopeId>
    				<appId/>
    				<userId/>
    				<addressFamily>FWP_AF_INET</addressFamily>
    				<packageSid/>
    			</header>
    			<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    			<classifyDrop>
    				<filterId>73370</filterId>
    				<layerId>0</layerId>
    				<reauthReason>0</reauthReason>
    				<originalProfile>0</originalProfile>
    				<currentProfile>0</currentProfile>
    				<msFwpDirection>MS_FWP_DIRECTION_IN</msFwpDirection>
    				<isLoopback>false</isLoopback>
    				<vSwitchId/>
    				<vSwitchSourcePort>0</vSwitchSourcePort>
    				<vSwitchDestinationPort>0</vSwitchDestinationPort>
    			</classifyDrop>
    		</netEvent>

    Another one (Windows 8 workstation, also different subnet):

    		<netEvent>
    			<header>
    				<timeStamp>2013-03-16T06:59:28.351Z</timeStamp>
    				<flags numItems="4">
    					<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    					<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    				</flags>
    				<ipVersion>FWP_IP_VERSION_V4</ipVersion>
    				<ipProtocol>0</ipProtocol>
    				<localAddrV4>10.10.4.181</localAddrV4>
    				<remoteAddrV4>10.10.10.171</remoteAddrV4>
    				<localPort>0</localPort>
    				<remotePort>0</remotePort>
    				<scopeId>0</scopeId>
    				<appId/>
    				<userId/>
    				<addressFamily>FWP_AF_INET</addressFamily>
    				<packageSid/>
    			</header>
    			<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    			<classifyDrop>
    				<filterId>73370</filterId>
    				<layerId>0</layerId>
    				<reauthReason>0</reauthReason>
    				<originalProfile>0</originalProfile>
    				<currentProfile>0</currentProfile>
    				<msFwpDirection>MS_FWP_DIRECTION_IN</msFwpDirection>
    				<isLoopback>false</isLoopback>
    				<vSwitchId/>
    				<vSwitchSourcePort>0</vSwitchSourcePort>
    				<vSwitchDestinationPort>0</vSwitchDestinationPort>
    			</classifyDrop>
    		</netEvent>

    Any help is appreciated!

    Regards,

    Mathias

    Saturday, March 16, 2013 3:59 PM
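
Added example (not part of the original post): joining each CLASSIFY_DROP netEvent to the filter with the same filterId shows which filter dropped the packet and for which remote hosts. The embedded XML is a constructed, trimmed sample in the shape of the excerpts above; the `<sample>` root element and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, trimmed sample shaped like the excerpts in the post.
SAMPLE = """<sample>
 <filters numItems="1"><item>
   <displayData><name>Windows NAT IP layer filter</name></displayData>
   <layerKey>FWPM_LAYER_INBOUND_IPPACKET_V4</layerKey>
   <action><type>FWP_ACTION_CALLOUT_TERMINATING</type></action>
   <filterId>73370</filterId>
 </item></filters>
 <netEvent>
   <header>
     <flags numItems="1"><item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item></flags>
     <remoteAddrV4>10.10.3.41</remoteAddrV4>
   </header>
   <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
   <classifyDrop><filterId>73370</filterId></classifyDrop>
 </netEvent>
 <netEvent>
   <header><remoteAddrV4>10.10.10.171</remoteAddrV4></header>
   <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
   <classifyDrop><filterId>73370</filterId></classifyDrop>
 </netEvent>
</sample>"""

def load_filters(root):
    """Map filterId -> (display name, layerKey, action type)."""
    filters = {}
    for item in root.iter("item"):
        fid = item.findtext("filterId")
        if fid is None:   # flag <item>s inside netEvent headers carry no filterId
            continue
        filters[fid] = (item.findtext("displayData/name"),
                        item.findtext("layerKey"),
                        item.findtext("action/type"))
    return filters

def summarize_drops(xml_text):
    """Count drops per (filterId, filter name, layer, remote address)."""
    root = ET.fromstring(xml_text)
    filters = load_filters(root)
    counts = Counter()
    for ev in root.iter("netEvent"):
        if ev.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
            continue
        fid = ev.findtext("classifyDrop/filterId")
        name, layer, _ = filters.get(fid, ("<filter not in dump>", None, None))
        counts[(fid, name, layer, ev.findtext("header/remoteAddrV4"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE).items():
        print(n, *key)
```
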

All replies

  • I've a similar issue on DA Server 2012 R2. Did you get your problem solved?

    In my case I receive these logs of dropped packets from my Domain Controllers and a monitoring server (Zabbix). All DA clients work well as expected, internal hosts can reach the DA server, even from my monitoring server, but cannot communicate with the Zabbix agent installed on the DA server...

    Thursday, January 26, 2017 9:27 AM
  • Same problem here with Zabbix agent.

    Did you find a solution?

    Friday, March 20, 2020 11:04 AM