DA/UAG up, but not reliable

  • Question

  • All,

    Have set DA/UAG up, but am having problems with a few things.

    1) On the client side, I intermittently cannot ping or RDP to a few machines, including both workstations and servers, from XP to 2008R2, and the DCA also intermittently shows "Corporate network names cannot be resolved". Most annoying is that I cannot connect to our Lync 2010 server (running on Win2k8R2), although I *can* ping and RDP to it. In the client's event logs, I see many failure audits in the Security event log (4653 IPSec Main Mode, trying to connect to the UAG server) and somewhat fewer warnings in the System event log (1014 DNS Client Events and 131 Time-Server, both relating to timeouts on name resolution).

    2) On the server side I see many failure audits in the Security event log (4653 IPSec Main Mode), trying to connect to DNS servers on the public network - which I find very strange - why on Earth would these be happening? The only DNS servers listed on the UAG server are those in the domain.

    3) I cannot RDP to the UAG server - for some reason it stopped, and I don't know why. I know I could manually make an adjustment to the firewall settings on the machine, but that doesn't solve the root problem, so I'd like to see if I can figure it out.

    I have done my testing from our guest wireless network (which transits our corporate firewall) and from a public IP address in the same subnet as the UAG server, and get the same results either way.

    The UAG server has two NICs, with a public address in our public address space (that is, its connection terminates on the same switch as our corporate firewall and our router), and the private address in a subnet between our firewall and our Layer3 switch (again, they connect to the same switch). Below is a sanitized log file from the DCA.

    Lastly, we have three offices. The HQ has two Win2k8R2 DCs, which is where the UAG server is set up, and the overseas offices each have a Win2k3R2 DC. I have removed the Win2k3R2 DCs from the list of infrastructure servers as a troubleshooting measure, based on a couple of pages I found, but that seems not to have made a difference.

    I have a sanitized DCA log available should someone want to see it - I can't seem to post it, as the page times out when I try to do so.

    Thanks,

    Kurt

    Wednesday, April 25, 2012 5:47 PM

All replies

  • Hi

    Strange situation. It seems that your client computers are able to establish the IPsec tunnel but may have problems generating new security associations. I've seen that with virtualization platforms such as VMware that changed the time on the UAG virtual machine. A 5 minute clock skew is enough to break the Kerberos protocol and by extension the user IPsec tunnel.

    You can post DCA logs, this might be helpful, just like the full 4653 IPSec Main Mode error message, because it includes a failure reason.

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 25, 2012 7:30 PM
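The two checks suggested in the reply above, the clock offset against the domain and the failure reason carried inside the 4653 IPsec Main Mode audit, scripted for the DirectAccess client as an added example. This is not code from the thread or from Microsoft; it assumes PowerShell on the Windows 7 client, a domain controller reachable under the hypothetical name dc1.example.com (change the -TimeSource parameter), and that `w32tm /stripchart /dataonly` prints one sample per line ending in an offset such as `, +00.0031250s`.

```powershell
# Added example, not code from this thread or from Microsoft.
# Gathers, on a DirectAccess client, the two things the reply asks about:
#   1) the clock offset against the domain (Kerberos tolerates 5 minutes by default)
#   2) the failure reasons inside Security event 4653 (IPsec Main Mode failed),
#      tallied per remote address so failures toward the UAG server are separated
#      from failures toward any other peer.
# Assumptions: dc1.example.com is a hypothetical DC name (pass -TimeSource to change it);
# 'w32tm /stripchart /dataonly' prints one sample per line ending in ', +00.0031250s'.
param(
    [string]$TimeSource     = 'dc1.example.com',
    [int]   $MaxEvents      = 200,
    [int]   $MaxSkewSeconds = 300
)

# --- 1) clock offset -------------------------------------------------------
$stripchart = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly 2>&1
$sample = $stripchart | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
if ($sample -and ($sample -match ',\s*([+-]\d+\.\d+)s')) {
    $offset  = [double]$Matches[1]
    $verdict = if ([math]::Abs($offset) -gt $MaxSkewSeconds) { 'EXCEEDS Kerberos tolerance' } else { 'ok' }
    'Clock offset vs {0}: {1:N3} s ({2})' -f $TimeSource, $offset, $verdict
} else {
    "Could not measure offset against $TimeSource`n$($stripchart -join "`n")"
}

# --- 2) 4653 failure audits ------------------------------------------------
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) { 'No 4653 events in the Security log.'; return }

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # The message lists the local endpoint first, then the remote one; each has a
    # "Network Address:" line, so the second match is the remote peer.
    $addrs  = [regex]::Matches($msg, 'Network Address:\s*(\S+)')
    $remote = if ($addrs.Count -ge 2) { $addrs[1].Groups[1].Value } else { '?' }
    $point  = if ($msg -match 'Failure Point:\s*([^\r\n]+)')  { $Matches[1].Trim() } else { '?' }
    $reason = if ($msg -match 'Failure Reason:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Remote = $remote; FailurePoint = $point; Reason = $reason
    }
}

$rows | Group-Object Remote, FailurePoint, Reason | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Remote';       e = { $_.Group[0].Remote } },
        @{ n = 'FailurePoint'; e = { $_.Group[0].FailurePoint } },
        @{ n = 'Reason';       e = { $_.Group[0].Reason } } |
    Format-Table -AutoSize

# One complete message, ready to paste into the thread as the reply requests.
'--- most recent 4653 event ({0}) ---' -f $events[0].TimeCreated
$events[0].Message
```

Run it from an elevated PowerShell prompt on the client while the DCA shows the red status; reading the Security log needs administrator rights. The grouped table separates failures toward the UAG server's address from failures toward other peers, which is the same distinction the question raises for the server side (run it there against the server's own Security log and the remote column shows which DNS servers the 4653 audits point at).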
  • Benoit,

    Thanks for the quick response. I'll post the log here, and see if it takes, then a copy of one of the 4653 IPSec Main Mode audit failures. Just so you have more info, the UAG server is a Dell PE 1950 with a single dual-core processor and 16 GB of RAM, and is not virtualized. The log looks to be too large - I'm getting an error message trying to post the whole thing, so I've chopped the log and will post consecutive parts in my replies to you.

    Kurt

    Part One

    DirectAccess Connectivity Assistant Logs

    RED: Corporate connectivity is not working.

    Corporate network names cannot be resolved. If the problem persists, contact your administrator.

    24/4/2012 22:30:27 (UTC)

    Probes List

    PASS -         PING: 2002:4332:7627::4332:7627

    FAIL -         HTTP: https://inside.example.com

    DTE List

    PASS -         PING: 2002:4332:7627::4332:7627

    PASS -         PING: 2002:4332:7626::4332:7626

    ***************************************************************************
    ipconfig /all
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : it-kbuff7
       Primary Dns Suffix  . . . . . . . : example.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : example.com
                                           guest.example.com

    Ethernet adapter Local Area Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : example.com
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
       Physical Address. . . . . . . . . : D4-BE-D9-22-09-B6
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . : guest.example.com
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
       Physical Address. . . . . . . . . : 8C-70-5A-03-84-24
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::483f:894:5771:3fa2%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.20.222(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, April 24, 2012 3:28:47 PM
       Lease Expires . . . . . . . . . . : Tuesday, April 24, 2012 4:28:47 PM
       Default Gateway . . . . . . . . . : 192.168.20.1
       DHCP Server . . . . . . . . . . . : 192.168.20.11
       DHCPv6 IAID . . . . . . . . . . . : 294416474
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-19-14-C0-8C-70-5A-03-84-24
       DNS Servers . . . . . . . . . . . : 8.8.8.8
                                           74.118.212.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Bluetooth Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 7C-E9-D3-C0-3E-4C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.example.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.guest.example.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : guest.example.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:4332:7626:3c3a:d9b2:bccd:89a5(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3c3a:d9b2:bccd:89a5%15(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{1CE3B0C4-475D-4D09-BD7D-33E729293D3C}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh int teredo show state

    ***************************************************************************
    netsh int teredo show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : xx.yy.zz.38 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo client
    Network                 : unmanaged
    NAT                     : symmetric (port)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           : 192.168.20.222:56546
    External NAT Mapping    : xx.yy.zz.90:9805



    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int httpstunnel show interfaces

    ***************************************************************************
    netsh int httpstunnel show interfaces
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://outside.example.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface deactivated



    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh dns show state

    ***************************************************************************
    netsh dns show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh name show policy

    ***************************************************************************
    netsh name show policy
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for inside.example.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=example, CN=example-Issuing-CA-1
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for outside.example.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=example, CN=example-Issuing-CA-1
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for .example.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=example, CN=example-Issuing-CA-1
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:4332:7627::4332:7627
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh name show effective

    ***************************************************************************
    netsh name show effective
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for inside.example.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=example, CN=example-Issuing-CA-1
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for outside.example.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=example, CN=example-Issuing-CA-1
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for .example.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=example, CN=example-Issuing-CA-1
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:4332:7627::4332:7627
    DirectAccess (Proxy Settings)           : Bypass proxy


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh adv mon show mmsa

    ***************************************************************************
    netsh adv mon show mmsa
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh adv mon show mmsa

    Main Mode SA at 04/24/2012 15:30:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          90fa390ac14321d0:cd357eacfcfb8e1e
    Health Cert:                          No

    Main Mode SA at 04/24/2012 15:30:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Auth2 Local ID:                       example\kurt-work
    Auth2 Remote ID:                      host/G1.example.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          c2cea33a3ad63552:899e3b512fa8ccca
    Health Cert:                          No

    Main Mode SA at 04/24/2012 15:30:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Auth2 Local ID:                       example\kbuff
    Auth2 Remote ID:                      host/G1.example.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          1786fc6ca04cb0fd:cf1ecea2a6372180
    Health Cert:                          No
    Ok.


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh nap client show state

    ***************************************************************************
    netsh nap client show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh nap client show state
    The "Network Access Protection Agent" service is not running.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true

    ***************************************************************************
    wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int ipv6 show int level=verbose

    ***************************************************************************
    netsh int ipv6 show int level=verbose
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    Wednesday, April 25, 2012 8:00 PM
  • Log, Part 2

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh int ipv6 show int level=verbose

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 34500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 13
    State                              : connected
    Metric                             : 25
    Link MTU                           : 1500 bytes
    Reachable Time                     : 40000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.example.com Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 18
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 35000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.guest.example.com Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 19
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 16500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Bluetooth Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 12
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1477 bytes
    Reachable Time                     : 20000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 17
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 30000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_7
    IfIndex                            : 14
    State                              : disconnected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 17000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 15
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 21000 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.{1CE3B0C4-475D-4D09-BD7D-33E729293D3C} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_8
    IfIndex                            : 21
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 43000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh advf show currentprofile

    ***************************************************************************
    netsh advf show currentprofile
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh advf show currentprofile

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.

    Wednesday, April 25, 2012 8:02 PM
  • Hi

    Strange, there are no netsh adv mon show QMSA results?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 25, 2012 8:04 PM
  • Log, Part 3

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh advfirewall monitor show consec

    ***************************************************************************
    netsh advfirewall monitor show consec
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    Main Mode SA at 04/24/2012 15:30:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          90fa390ac14321d0:cd357eacfcfb8e1e
    Health Cert:                          No

    Main Mode SA at 04/24/2012 15:30:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Auth2 Local ID:                       example\kurt-work
    Auth2 Remote ID:                      host/G1.example.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          c2cea33a3ad63552:899e3b512fa8ccca
    Health Cert:                          No

    Main Mode SA at 04/24/2012 15:30:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Auth2 Local ID:                       example\kbuff
    Auth2 Remote ID:                      host/G1.example.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          1786fc6ca04cb0fd:cf1ecea2a6372180
    Health Cert:                          No

    Quick Mode SA at 04/24/2012 15:30:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/24/2012 15:30:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/24/2012 15:30:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/24/2012 15:30:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/24/2012 15:30:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:3c3a:d9b2:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None


    IPsec Statistics
    ----------------

    Active Assoc                : 5
    Offload SAs                 : 0
    Pending Key                 : 0
    Key Adds                    : 21
    Key Deletes                 : 17
    ReKeys                      : 0
    Active Tunnels              : 5
    Bad SPI Pkts                : 0
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 1,067,744
    Confidential Bytes Received : 1,166,120
    Authenticated Bytes Sent    : 1,136,240
    Authenticated Bytes Received: 1,166,120
    Transport Bytes Sent        : 0
    Transport Bytes Received    : 0
    Bytes Sent In Tunnels       : 1,136,240
    Bytes Received In Tunnels   : 1,166,120
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0

    Ok.


    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> Certutil -store my

    ***************************************************************************
    Certutil -store my
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>Certutil -store my
    my
    ================ Certificate 0 ================
    Serial Number: 184387d3000000000140
    Issuer: CN=example-Issuing-CA-1, DC=example, DC=com
     NotBefore: 4/12/2012 4:32 PM
     NotAfter: 4/12/2013 4:32 PM
    Subject: EMPTY (DNS Name=IT-KBUFF7.example.com)
    Non-root Certificate
    Template: exampleWorkstationAuthentication, example Workstation Authentication
    Cert Hash(sha1): cd 48 65 93 3c 93 7a ed 2a 3c ae b2 f3 52 65 55 34 3e 09 ac
      Key Container = le-exampleWorkstationAuthentication-480b72d9-b2c3-407f-b748-fbb9b5e8a9d7
      Unique container name: a992cfe7f97619297c4a14eb899a00e3_f330131e-0b2e-4b73-8b3d-1126da8ecac3
      Provider = Microsoft Software Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> Systeminfo

    ***************************************************************************
    Systeminfo
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>Systeminfo

    Host Name:                 IT-KBUFF7
    OS Name:                   Microsoft Windows 7 Enterprise
    OS Version:                6.1.7601 Service Pack 1 Build 7601
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          example-it
    Registered Organization:   
    Product ID:                55041-011-2696075-86440
    Original Install Date:     4/12/2012, 3:41:12 PM
    System Boot Time:          4/24/2012, 2:53:13 PM
    System Manufacturer:       Dell Inc.
    System Model:              Latitude E6520
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 42 Stepping 7 GenuineIntel ~2601 Mhz
    BIOS Version:              Dell Inc. A12, 2/28/2012
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-us;English (United States)
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
    Total Physical Memory:     8,073 MB
    Available Physical Memory: 3,261 MB
    Virtual Memory: Max Size:  16,263 MB
    Virtual Memory: Available: 11,368 MB
    Virtual Memory: In Use:    4,895 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    example.com
    Logon Server:              N/A
    Hotfix(s):                 68 Hotfix(s) Installed.
    Network Card(s):           4 NIC(s) Installed.
                               [01]: Bluetooth Device (Personal Area Network)
                                     Connection Name: Bluetooth Network Connection
                                     Status:          Media disconnected
                               [02]: Intel(R) Centrino(R) Advanced-N 6205
                                     Connection Name: Wireless Network Connection
                                     DHCP Enabled:    Yes
                                     DHCP Server:     192.168.20.11
                                     IP address(es)
                                     [01]: 192.168.20.222
                                     [02]: fe80::483f:894:5771:3fa2
                               [03]: Intel(R) 82579LM Gigabit Network Connection
                                     Connection Name: Local Area Connection
                                     Status:          Media disconnected
                               [04]: Aventail VPN Adapter
                                     Connection Name: Local Area Connection 2
                                     DHCP Enabled:    No
                                     IP address(es)

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> whoami /groups

    ***************************************************************************
    whoami /groups
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>whoami /groups

    GROUP INFORMATION
    -----------------

    Group Name                             Type             SID          Attributes
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384

    C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>

    Wednesday, April 25, 2012 8:05 PM
  • Now the text of the two event log entries - 4653 IPSec Main Mode audit failure, each slightly different from the other:

    **********Begin Event 1**********
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-04-25 08:44:24
    Event ID:      4653
    Task Category: IPsec Main Mode
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      it-kbuff7.example.com
    Description:
    An IPsec main mode negotiation failed.

    Local Endpoint:
        Local Principal Name:    -
        Network Address:    2002:4332:7626:8000:0:5efe:192.168.15.83
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:    2002:4332:7627::4332:7627
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    IKEv1
        Authentication Method:    Unknown authentication
        Role:            Initiator
        Impersonation State:    Not enabled
        Main Mode Filter ID:    0

    Failure Information:
        Failure Point:        Local computer
        Failure Reason:        No policy configured

        State:            No state
        Initiator Cookie:        c5881fbfb763e896
        Responder Cookie:    0000000000000000
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4653</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12547</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-25T15:44:24.617178300Z" />
        <EventRecordID>19793</EventRecordID>
        <Correlation />
        <Execution ProcessID="656" ThreadID="728" />
        <Channel>Security</Channel>
        <Computer>it-kbuff7.example.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LocalMMPrincipalName">-</Data>
        <Data Name="RemoteMMPrincipalName">-</Data>
        <Data Name="LocalAddress">2002:4332:7626:8000:0:5efe:192.168.15.83</Data>
        <Data Name="LocalKeyModPort">500</Data>
        <Data Name="RemoteAddress">2002:4332:7627::4332:7627</Data>
        <Data Name="RemoteKeyModPort">500</Data>
        <Data Name="KeyModName">%%8222</Data>
        <Data Name="FailurePoint">%%8199</Data>
        <Data Name="FailureReason">No policy configured
    </Data>
        <Data Name="MMAuthMethod">%%8194</Data>
        <Data Name="State">%%8201</Data>
        <Data Name="Role">%%8205</Data>
        <Data Name="MMImpersonationState">%%8217</Data>
        <Data Name="MMFilterID">0</Data>
        <Data Name="InitiatorCookie">c5881fbfb763e896</Data>
        <Data Name="ResponderCookie">0000000000000000</Data>
      </EventData>
    </Event>
    **********End Event 1**********

    **********Begin Event 2**********

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-04-25 08:48:01
    Event ID:      4653
    Task Category: IPsec Main Mode
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      it-kbuff7.example.com
    Description:
    An IPsec main mode negotiation failed.

    Local Endpoint:
        Local Principal Name:    -
        Network Address:    2002:4332:7626:8100:9d5:77c5:8dfa:2017
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:    2002:4332:7627::4332:7627
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    IKEv1
        Authentication Method:    Unknown authentication
        Role:            Initiator
        Impersonation State:    Not enabled
        Main Mode Filter ID:    0

    Failure Information:
        Failure Point:        Local computer
        Failure Reason:        No policy configured

        State:            No state
        Initiator Cookie:        3aa1e756733bd98e
        Responder Cookie:    0000000000000000
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4653</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12547</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-25T15:48:01.130862400Z" />
        <EventRecordID>19837</EventRecordID>
        <Correlation />
        <Execution ProcessID="656" ThreadID="3812" />
        <Channel>Security</Channel>
        <Computer>it-kbuff7.example.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LocalMMPrincipalName">-</Data>
        <Data Name="RemoteMMPrincipalName">-</Data>
        <Data Name="LocalAddress">2002:4332:7626:8100:9d5:77c5:8dfa:2017</Data>
        <Data Name="LocalKeyModPort">500</Data>
        <Data Name="RemoteAddress">2002:4332:7627::4332:7627</Data>
        <Data Name="RemoteKeyModPort">500</Data>
        <Data Name="KeyModName">%%8222</Data>
        <Data Name="FailurePoint">%%8199</Data>
        <Data Name="FailureReason">No policy configured
    </Data>
        <Data Name="MMAuthMethod">%%8194</Data>
        <Data Name="State">%%8201</Data>
        <Data Name="Role">%%8205</Data>
        <Data Name="MMImpersonationState">%%8217</Data>
        <Data Name="MMFilterID">0</Data>
        <Data Name="InitiatorCookie">3aa1e756733bd98e</Data>
        <Data Name="ResponderCookie">0000000000000000</Data>
      </EventData>
    </Event>
    **********End Event 2**********

    Wednesday, April 25, 2012 8:09 PM
  • Benoit,

    Nope, not present in log. I can put the machine outside again and try the log again after failure if you wish.

    Kurt

    Wednesday, April 25, 2012 8:21 PM
  • Benoit,

    I set up my machine again on the guest wireless network, let the DCA show failure, then manually ran "netsh adv mon show QMSA" in an elevated prompt, with the following output:

    C:\temp>netsh adv mon show QMSA

    Quick Mode SA at 04/25/2012 15:16:53
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:387b:dc21:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/25/2012 15:16:53
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:387b:dc21:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/25/2012 15:16:53
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:387b:dc21:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/25/2012 15:16:53
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:387b:dc21:bccd:89a5
    Remote IP Address:                    2002:4332:7626::4332:7626
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/25/2012 15:16:53
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:387b:dc21:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/25/2012 15:16:53
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:4332:7626:387b:dc21:bccd:89a5
    Remote IP Address:                    2002:4332:7627::4332:7627
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None
    Ok.

    Wednesday, April 25, 2012 10:19 PM
  • Does anyone have further input on this?

    Thanks,

    Kurt

    Friday, April 27, 2012 3:57 PM
  • I would try replacing your machine certificates (the certs issued to the server and the clients by your internal CA server) with certificates that are based off of the default "Computer" template. I see in your log file that the Subject line of the client certificate is EMPTY and this could definitely cause you some problems. If you want to use a custom template instead of the default Computer template, make sure that it is marked for the intended purposes of Server Authentication and Client Authentication, and also make sure that both the Subject field and the SAN field are populated with the FQDN of the client machine.
    Monday, April 30, 2012 7:37 PM
  • That makes sense. I am not very familiar with CA stuff, having just implemented this recently and not having fiddled with it much after getting it up and running.

    I'll do a bit of research on how to fix the custom template and reissue the certs and get back with results ASAP.

    Thanks for the info.

    Kurt

    Monday, April 30, 2012 8:06 PM
  • OK - I've fixed that issue, as you can see from the output of 'certutil -store my' below.

    However, I still see problems in the Security event log.

    Specifically, I performed a test as follows (my laptop is configured to shut off WiFi when it gets a wired connection, and the wired NIC is configured with one of my public IP addresses).

    I was on WiFi on the production LAN during bootup and logging in. I started Wireshark capturing on the wired NIC, then inserted an Ethernet cable into my machine's NIC. I then saw two failure audits of 4653 IPSec Main Mode that had a failure reason of "No policy configured". This time, I then saw a different entry in the Security event log - 4984 IPSec Extended Mode, with a failure reason of "IKE authentication credentials are unacceptable" - and finally another 4653 IPSec Main Mode.

    The only Application Policies for the issued machine certs are Server and Client Authentication. Do I need anything else?

    ================ Certificate 1 ================
    Serial Number: 5bef62a7000000000166
    Issuer: CN=example-Issuing-CA-1, DC=example, DC=com
     NotBefore: 2012-04-30 14:17
     NotAfter: 2013-04-30 14:17
    Subject: CN=IT-KBUFF7.example.com
    Non-root Certificate
    Template: exampleWorkstationAuthentication, example Workstation Authentication
    Cert Hash(sha1): 7c ec 00 5d ed d7 27 da 1c 31 eb cc 65 91 61 98 79 d0 24 04
      Key Container = le-exampleWorkstationAuthentication-b72b0035-b39a-4c19-9aeb-f67d1248447c
      Unique container name: 8eb8b507517037e00a9116daff0c1139_f330131e-0b2e-4b73-8b3d-1126da8ecac3
      Provider = Microsoft Software Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.

    Monday, April 30, 2012 10:32 PM
  • Intended purposes of Client Authentication and Server Authentication are the two that you need. I do see that your Subject is now the FQDN of the machine which is perfect. How about the SAN? Do you have the SAN also set to use "DNS Name" which will then issue the FQDN into that field as well?
    Tuesday, May 1, 2012 1:03 PM
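    As an added example (not code from the thread or from Microsoft), the checks just listed can be run against every certificate in the local computer's Personal store: Subject equals the machine FQDN, SAN carries the same FQDN as a DNS Name, EKU contains both Client Authentication and Server Authentication, a private key is present, and the chain builds. The report also pulls the template name out of the Certificate Template extensions (OID 1.3.6.1.4.1.311.20.2 for v1 templates such as the built-in "Computer"/"Machine" template, 1.3.6.1.4.1.311.21.7 for v2+), which is what you would look at later in the thread when confirming a cert really came from the default template. The script assumes it is run in an elevated PowerShell on the client or UAG server being checked; the FQDN is derived locally, so a mismatch in DNS suffix shows up as a failed check rather than being hidden.

```powershell
# Added example (not from the thread): audit machine certificates against the
# DirectAccess IPsec requirements discussed above. Run in an elevated PowerShell.

$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU
$SanOid         = '2.5.29.17'               # Subject Alternative Name
$TemplateV1Oid  = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates)
$TemplateV2Oid  = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2+)

# Build the machine's own FQDN from the IP stack; this is what the CA should have issued.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$Fqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $ext) { return @() }
    # Format($true) renders the SAN one entry per line, e.g. "DNS Name=host.example.com"
    ($ext.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^\s*DNS Name=(.+)$' } |
        ForEach-Object { $Matches[1].Trim() }
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -in @($TemplateV1Oid, $TemplateV2Oid) }
    if (-not $ext) { return '-' }
    # v1: the formatted value is just the template name; v2: "Template=Name(OID), Major Version..."
    ($ext.Format($false) -replace '^Template=', '').Trim()
}

function Test-DirectAccessMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $sanNames = @(Get-SanDnsNames -Cert $Cert)
    [pscustomobject]@{
        Thumbprint       = $Cert.Thumbprint
        Subject          = $Cert.Subject
        Template         = Get-TemplateName -Cert $Cert
        SubjectIsFqdn    = $Cert.Subject -ieq "CN=$Fqdn"
        SanHasFqdn       = $sanNames -icontains $Fqdn
        HasClientAuthEku = $ekuOids -contains $ClientAuthOid
        HasServerAuthEku = $ekuOids -contains $ServerAuthOid
        HasPrivateKey    = $Cert.HasPrivateKey
        ChainValid       = $Cert.Verify()   # chain + revocation against the machine's trust store
        NotAfter         = $Cert.NotAfter
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DirectAccessMachineCert -Cert $_ } |
    Format-List
```

    Any row where SubjectIsFqdn, SanHasFqdn, either EKU flag, HasPrivateKey or ChainValid is False is a candidate for the "IKE authentication credentials are unacceptable" symptom; ChainValid also fails when the client cannot reach the CRL distribution point, which is worth checking separately from the template itself.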
  • Yes - Subject Alternate Name field value is "DNS Name=it-kbuff.example.com".

    I revoked the old cert after updating the CA template and rebooted my machine to make it pick up the new cert - the old cert now shows as archived on my laptop.

    Kurt

    Tuesday, May 1, 2012 5:21 PM
  • BTW - at the same time I rebooted my laptop, I also revoked the cert on the UAG server, and rebooted it so that it would get an updated cert as well.

    I then manually installed the root and intermediate certs from our CA onto my laptop this morning and tried it again, with the same results.

    I also have mined the event logs on the UAG server for this morning's attempt, and see the reciprocal audit failure "4984 IPSec Extended Mode":

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-05-01 11:41:19
    Event ID:      4984
    Task Category: IPsec Extended Mode
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      G1.example.com
    Description:
    An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

    Local Endpoint:
        Principal Name:        host/G1.example.com
        Network Address:    2002:4332:7627::4332:7627
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:    2002:4332:7632::4332:7632
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    AuthIP
        Authentication Method:    NTLM V2
        Role:            Responder
        Impersonation State:    Enabled
        Quick Mode Filter ID:    95750

    Failure Information:
        Failure Point:        Remote computer
        Failure Reason:        IKE authentication credentials are unacceptable

        State:            Sent second (SSPI) payload

    Tuesday, May 1, 2012 7:30 PM
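    The 4653 and 4984 events quoted above carry the remote address, the authentication method and the failure reason as labelled lines in the message body, so they can be grouped rather than read one at a time. The following is an added example (not code from the thread or from Microsoft) that pulls both event IDs from the Security log, extracts those fields from the message text and counts them per remote peer and reason; a spike of one reason against one address (the UAG server from the client side, or the public DNS servers from the server side) then stands out immediately. It assumes an elevated PowerShell, that the IPsec Main Mode and Extended Mode audit subcategories are enabled (they must be, since the events are already being logged), and that the field labels match the English event text shown above; the $Hours window is a constructed default.

```powershell
# Added example (not from the thread): summarise IPsec Main Mode (4653) and
# Extended Mode (4984) audit failures by remote address and failure reason.

$Hours = 24   # constructed default: how far back to look
$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4984; StartTime = $since } `
                       -ErrorAction SilentlyContinue

function Get-FieldAfter {
    # Return the value of "$Field:" found after the "$Section:" header in an event's message lines.
    param([string[]]$Lines, [string]$Section, [string]$Field)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Section))") { $inSection = $true; continue }
        if ($inSection -and $line -match "^\s*$([regex]::Escape($Field)):\s*(.*)$") {
            return $Matches[1].Trim()
        }
    }
    return '-'
}

function ConvertFrom-IpsecAuditEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $lines = $Event.Message -split "`r?`n"
    [pscustomobject]@{
        Time          = $Event.TimeCreated
        Id            = $Event.Id
        RemoteAddress = Get-FieldAfter -Lines $lines -Section 'Remote Endpoint'       -Field 'Network Address'
        AuthMethod    = Get-FieldAfter -Lines $lines -Section 'Additional Information' -Field 'Authentication Method'
        Role          = Get-FieldAfter -Lines $lines -Section 'Additional Information' -Field 'Role'
        FailurePoint  = Get-FieldAfter -Lines $lines -Section 'Failure Information'    -Field 'Failure Point'
        FailureReason = Get-FieldAfter -Lines $lines -Section 'Failure Information'    -Field 'Failure Reason'
    }
}

$rows = foreach ($e in $events) { ConvertFrom-IpsecAuditEvent -Event $e }

# One line per (event id, peer, reason), most frequent first.
$rows | Group-Object Id, RemoteAddress, FailureReason |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Id';     e = { $_.Group[0].Id } },
        @{ n = 'Remote'; e = { $_.Group[0].RemoteAddress } },
        @{ n = 'Auth';   e = { $_.Group[0].AuthMethod } },
        @{ n = 'Role';   e = { $_.Group[0].Role } },
        @{ n = 'Reason'; e = { $_.Group[0].FailureReason } } |
    Format-Table -AutoSize

# Full per-event detail for the last few failures, for correlation with a packet capture.
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-List
```

    Running the same script on both the client and the UAG server and lining up the timestamps shows which side reports "Remote computer" as the failure point for each attempt, which is what distinguishes a credential the responder rejected from a negotiation the initiator abandoned.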
  • Any more hints here, or should I be opening a case with MSFT?

    Kurt

    Friday, May 4, 2012 5:26 PM
  • Hey Kurt, sorry for the delay. I know you have made changes so that your machine certificates now seem to align with the requirements DA is looking for, but ultimately you are still using a custom template, correct? The next thing I would try is replacing your machine certificates again, this time using the default "Computer" template to issue them. I have experienced "strange" issues a few times when custom templates are used, including intermittent connectivity, or infrastructure tunnels establishing but intranet tunnels not, that kind of thing. I have been able to resolve these issues more than once by replacing the certs with certs issued from that default template.
    Thursday, May 10, 2012 1:45 PM
  • Yes, I have been using a custom template.

    I'm out of the office until Tuesday, and will try it then.

    Can I use a copy of the default Computer template, in case we need to modify it later, or should I just use it as provided?

    Thanks,

    Kurt

    Thursday, May 10, 2012 4:15 PM
  • You can certainly try it out with a copy of the template, but if you still have problems after that, to be able to completely rule this out as a potential problem spot, you will need to try the real template.
    Thursday, May 10, 2012 5:24 PM
  • Thanks again. I'll try with the default, and see what that gets me.

    Kurt

    Thursday, May 10, 2012 5:46 PM
  • OK - I'm back in the office, and trying this out, but having difficulties.

    I have a two-tier architecture, with the Issuing CA running on Win2k8 R2 Enterprise as a member of the domain.

    In Server Manager, I have drilled down to Roles\ADCS\{computername}\Certificate Templates, and have the Computer template, and can view the properties for it, or delete it, but can't seem to do anything with it.

    If instead I drill down to Roles\ADCS\CertificateTemplates(DC-Name)\ I see the template there, but again can view properties or delete it, but can't seem to do anything with it.

    So I've made a copy of the Computer template, and when prompted I made it a 2008 CA template, and set it for RSA 2048, and selected to publish it in AD. I otherwise left it untouched.

    I then deleted the custom template from Roles\ADCS\{computername}\Certificate Templates and imported the new duplicate into that container, and revoked the certs issued under the old template.

    I'm now trying to get a test machine to get a new cert, and am so far unsuccessful.

    Any thoughts on this?

    Tuesday, May 15, 2012 11:36 PM
  • You shouldn't have to create a duplicate off of the Computer template; you should be able to use that default template to issue certs. Probably all you have to do is adjust permissions on the template to allow the enrollment to happen. It sounds like you might be in the same boat with the new template you just created. Did you set enroll permissions?
    Wednesday, May 16, 2012 12:29 PM
  • Good call.

    On the duplicate of the Computer template there are two permissions: Enroll and Autoenroll. For Domain Computers, the Autoenroll permission was not checked, so I've updated that and I'm now seeing issued certs.

    However, on the original Computer template, there is no Autoenroll permission - just Enroll, and that is checked. And, all fields on all tabs that would allow me to adjust things (such as the "Publish certificate in Active Directory" checkbox) are grayed out - whereas the duplicate that I created has all of them available.

    Wednesday, May 16, 2012 4:23 PM
  • For the built-in template, all you should have to do is enable autoenrollment like so:

    http://technet.microsoft.com/en-us/library/ee649166(WS.10).aspx

    Wednesday, May 16, 2012 6:00 PM
  • OK - I don't know how I missed this document.

    I've done what needs to be done in the page you pointed out. I'm going to work through the rest of the document to make sure I haven't missed some other things as well.

    Perhaps the most annoying thing is that I can't RDP to the UAG server. I've checked the firewall rules, and they seem to be correct.

    More on this tomorrow - heading into a meeting on a *completely* unrelated subject just now.

    Thanks!

    Kurt

    Wednesday, May 16, 2012 7:02 PM
  • On a UAG server, you have to define inside TMG who you want to be able to RDP into it. Open up TMG Management, click on Firewall Policy, and then over on the right find your Remote Management Computers group. Go into the properties of that group and add your IP address; that should let you in.

    Wednesday, May 16, 2012 7:25 PM
  • Been tied up in a Rightfax installation, and am just now getting back to this. Finding the Remote Management Computers group was momentarily frustrating. I figured out why I lost the ability though - the IP address on my laptop had changed from when I was installing the system. So, I gave a reservation to my laptop for my current address, added that address in, and that problem is now fixed. However, I have started working through the document to which you linked, and don't see any other issues after a quick read through it. So, now that the Computers cert template is active and certs from it have been issued to both the UAG server and my laptop (along with all of the other machines in the domain), I've done a couple of test connections, and I'm still seeing the problems with IPSec Main Mode audit failures.
    Friday, May 18, 2012 8:51 PM