IPSec failure in UAG DirectAccess

  • Question

  • Hi, I've deployed UAG RTM and configured Direct Access using the wizard.

    The working bits:
    Clients are running Windows 7 RTM, and are successfully connecting over the Teredo and IP-HTTPS tunnels, and are able to ping the UAG IPv6 addresses. CRLs are published on the Internet and are remotely accessible.

    The broken bits:
    Client attempts to negotiate the initial IPSec Access Enabling Tunnel and fails.

    I have enabled IPsec tracing; the client log reports failures as follows:

    Additional Information:
     Keying Module Name: IKEv1
     Authentication Method: Unknown authentication
     Role:   Initiator
     Impersonation State: Not enabled
     Main Mode Filter ID: 0

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  No policy configured

     State:   No state
     Initiator Cookie:  d07acb74b30b43c4
     Responder Cookie: 0000000000000000

    On the server, the corresponding IPSec log entries are as follows:

    Additional Information:
     Keying Module Name: AuthIP
     Authentication Method: Unknown authentication
     Role:   Responder
     Impersonation State: Not enabled
     Main Mode Filter ID: 0

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  No policy configured

     State:   No state
     Initiator Cookie:  98c67e3747913448
     Responder Cookie: 55a33f66b330a6c2

    I have captured a network trace on the client: the client sends an AuthIP offer offering the SSL authentication method, but the server never responds.
    Certificate exchange is never performed, so I know it's not an issue with the CDP, or the OIDs and EKUs on the server and client certs.
    I have verified that the GPOs applied to client and server set the same Key Exchange options.

    Any other ideas of what to investigate would be appreciated.

    Cheers

    Monday, February 22, 2010 3:05 PM

Answers

  • Fixed it - whoever put the OS on the box had disabled the Windows firewall, therefore the IPSec rules, which are implemented by the Windows Firewall and not UAG, were never active.
    Wednesday, March 3, 2010 11:47 AM

All replies

  • Hi Simon,

    Can you please make sure that the IPsec rules on the UAG server are active?
    Use the command: netsh advfirewall monitor show consec

    Are you trying to deploy an array or a single node? (In NLB array you must configure the servers to accept traffic by using UAG's Web Monitor)
    Monday, February 22, 2010 7:42 PM
  • Yes, the IPSec rules are active.

    I'm deploying a single server, nothing complicated or fancy.
    Tuesday, February 23, 2010 3:28 PM
  • Hi Simon,

    Did you confirm that the DA server group policy object settings were applied?

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Tuesday, February 23, 2010 5:02 PM
    Moderator
  • Oh - did you "activate" the configuration after the GPOs were deployed?

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Tuesday, February 23, 2010 5:03 PM
    Moderator
    Yes, the GPOs are applied and the config has been activated.

    Thanks

    Simon
    • Proposed as answer by webbone Monday, August 25, 2014 6:02 PM
    Tuesday, February 23, 2010 5:39 PM
  • Sounds odd.
    I'd suggest contacting CSS and sending them the wfp capture
    Tuesday, February 23, 2010 8:34 PM
  • Ok, rewind

    When I said the rules were active, what I didn't do was check the rules were active.

    (How many years have I been telling people to read the manual, and I can't even follow a simple command line? Grrrr)

    The server is getting the GPO, the rules are in the firewall, but Windows Firewall is not applying them.
    Windows Firewall says both Domain and Public profiles are active; the consec rules from the GPO are (apparently) configured for the Private and Public profiles.
    Thursday, February 25, 2010 5:40 PM
  • Hi Simon,

    Are both tunnels failing?

    Thanks!
    Tom
    • Proposed as answer by Erez Benari Monday, March 1, 2010 9:22 PM
    • Unproposed as answer by Simon Winterborn Wednesday, March 3, 2010 11:44 AM
    Monday, March 1, 2010 1:08 PM
  • Have you disabled IPV6 on the external interface?
    Tuesday, March 2, 2010 12:49 AM
  • Hi Simon,

    Ha! That would do it! :)

    Unfortunately, this is not an uncommon problem. Often people will turn off the Windows Firewall as part of a troubleshooting process. The problem is that when you turn it off, you also turn off the Connection Security Rules and therefore you can't establish the tunnels.

    Good to hear you got it working and thanks for the follow up!

    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Friday, March 5, 2010 2:39 PM
    Moderator
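The check Simon eventually ran by hand (firewall service state, per-profile state, and whether the GPO-delivered connection security rules are actually active) can be scripted so it is done before chasing certificates or CDP issues. This is an added example, not code from the thread or from the UAG product; it assumes only the netsh advfirewall commands and the MpsSvc service that exist on Windows Server 2008 R2-era builds, and the output-format parsing is based on the standard netsh layout.

```powershell
# Added example (not from the thread): detect the failure mode described above,
# where Windows Firewall is off and so the DirectAccess IPsec connection security
# rules delivered by GPO are never enforced. Run elevated on the UAG/DA server.
$problems = @()

# 1. Connection security rules are enforced by Windows Firewall (MpsSvc), not UAG.
$svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += 'Windows Firewall service (MpsSvc) is not running.'
}

# 2. Every profile must report "State ON"; a profile switched OFF drops its rules.
$profileName = ''
foreach ($line in (netsh advfirewall show allprofiles)) {
    if ($line -match '^(Domain|Private|Public) Profile Settings') {
        $profileName = $Matches[1]
    } elseif ($line -match '^State\s+(ON|OFF)' -and $Matches[1] -eq 'OFF') {
        $problems += "$profileName profile firewall state is OFF."
    }
}

# 3. Compare rules that are merely configured (GPO applied) with rules that are
#    actually active (firewall enforcing them). Configured but not active is the
#    symptom seen in this thread.
$configured = @(netsh advfirewall consec show rule name=all | Select-String '^Rule Name:')
$active     = @(netsh advfirewall monitor show consec     | Select-String '^Rule Name:')
if ($configured.Count -eq 0) {
    $problems += 'No connection security rules are configured (GPO not applied or not activated?).'
} elseif ($active.Count -eq 0) {
    $problems += "$($configured.Count) consec rule(s) configured but none active (firewall off or profile mismatch)."
}

# 4. Show which profiles are active so a Domain/Public vs Private/Public mismatch
#    between the live network and the rules' profile assignment is visible.
netsh advfirewall monitor show currentprofile

if ($problems.Count -eq 0) {
    'OK: MpsSvc running, all profiles ON, connection security rules active.'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```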