locked
DA 2012 R2 - cant establist tunnel RRS feed

  • General discussion

  • Hi all,

             2012 R2/Windows 8.1 DA environment.

    - Windows firewall is on for both clients and server

    - KB 2975719, 2993100, 2995004 installed on both client and server - in addition to all updates available via windows update

    -Server is behind a firewall with a single nic

    - DNS is available externally

    - Green ticks across the board on the DA server

    - SSL logging enabled as per http://support.microsoft.com/en-au/kb/260729

    - Certs issued from internal CA, renovation info confirmed available externally using certutil

    - Certificates on the client are confirmed trusted and valid

    - Client logs show the client is "unable to contact the DA server", however the server does show the client as connected, but no traffic will flow over the tunnel

    -Every time the DA client attempts to connect, the following error is presented in the system event log on the DA server

    An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    Using wireshark on the client, the client appeared to be using TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5

    so I updated the policy for the DA server to utilise those ciphers first in the list - still no dice.

    I have a strong suspicion this is a cert issue - but im not sure how - as this is the same method I have used to setup DA quite a few (20+) times - but first time I have run into this issue.

    Any help much appreciated.

    Friday, March 13, 2015 1:28 AM

All replies

  • HI,

    With Windows Server 2012 R2 + Windows 8 you can use IP-HTTPS Null encapsulation. That what the cipher TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5 means.So you should have an IPHTTPS interface configured on your DirectAccess client. Can you publish client logs. By default, Windows have 6to4 and Teredo protocols enabled by default witch can cause some issues with your DirectAccess configuration (single NIC=>IP-HTTPS only).


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, March 13, 2015 7:50 PM
  • Thanks for the reply...

    Yep, I should have has a tunnel, but the DTE's were both reporting as failed.

    Last yesterday I ended up blowing away the config and re-creating it - with exactly the same settings - and it all worked immediately...

    No idea why - but issue is gone now.

    Saturday, March 14, 2015 3:47 AM