DirectAccess Windows 10 Cellular issues

  • Question

  • Hi, 

    Another weird DirectAccess issue :) Hopefully someone can help. Sorry for the long-winded post. 

    DirectAccess multi-site setup and working great, Server 2016, Windows 10... except when switching to a cellular connection the IP-HTTPS profile is only active for 1 minute. All IPsec tunnels are up, all apps work, pings work, and then the IP-HTTPS Adaptor turns off like something has cancelled the connection. A restart of the IP Helper service brings the connection back again for 1 minute but then it goes again. 

    All DA commands show that the IP-HTTPS profile is not active. The firewall profile does not change, antivirus and third-party applications have been removed, tried different SIM vendors, Vodafone, Three, O2, all the same. 

    This only happens when connecting to cellular or tethering and it is repeatable. Wi-Fi connections work fine, no issue. 

    We have found if the laptop is cold booted straight to a cellular connection the direct access connection stays online until the connection is removed and then retried at which point we have the same issue. 

    I noticed on a cold boot the internet connectivity warning exclamation mark was gone. I found 2 fixes:

    1 - disabled the internet connection probe Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\NoActiveProbe=0

    2 - Change the DNS entry on the cellular connection to 

    So the issue appears to be something to do with the NCSI tests and split tunnelling. 

    To add to this, we have another DirectAccess setup that uses forced tunnelling. Clients using this DirectAccess solution have all the same policies applied and NCSI does not seem to cause an issue; in fact the NCSI seems to fail for the first 5 minutes of the connection, as the warning exclamation mark about no internet access hangs around. 

    Could anyone shed any light on what DirectAccess is doing when performing the NCSI test and why this may be different when using the cellular connection?

    Should I add an NRPT exemption for the NCSI websites? www.MSFTNCSI.COM?

    Why would the connection be OK when cold booting? What am I missing?

    Hopefully someone on TechNet has seen something like this before, it's driving me mad. 

    Thursday, October 31, 2019 10:13 AM

All replies

  • Was hoping someone would have a light bulb moment :) I guess not. We are hoping to pay for support from Microsoft on this one, so I will update on the fix if they find one. 
    Wednesday, November 6, 2019 11:31 AM
  • OK, so no Microsoft support yet. I have found this does not happen using forced tunneling. Just googling best practices around the NRPT table. 
    Monday, November 11, 2019 12:10 PM
  • I'm wondering if you ever found a solution for this. I'm facing a similar issue, and have been scratching my head over it for days now. Thanks.
    Tuesday, March 24, 2020 4:58 PM
  • Hi, 

    The fix for us was to create a GPO with the below setting. We have a group policy in the domain configured to turn the active probe on, which was causing issues. This worked OK on the POC DirectAccess solution. It only caused us issues when we implemented DirectAccess again on 2016 servers. It was really odd, the old POC solution works with the reg key set to 1 and not with it set to 0. The new solution requires it setting to 0. Clients are the same but the server OS's are different. All other settings are the same.

    This was definitely the cause. We also witnessed the Wi-Fi connection going up and down over and over again until the setting was changed. 

    The active probe setting was conflicting with something, another active probe check, but I cannot remember what that was. If you need me to I will dig it out.

    Hope this helps. 

    Tuesday, March 24, 2020 5:16 PM
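
To see whether the NCSI policy value and the IP-HTTPS drop line up on an affected client, the snippet below samples both for three minutes around a switch to cellular. It is an added example, not code from anyone in this thread; the function name `Get-DaNcsiSnapshot` and the 10-second interval are assumptions, and it uses only the registry path quoted in the question plus the built-in DirectAccess client cmdlets.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Windows 10 DirectAccess client, then switch to the cellular connection.
function Get-DaNcsiSnapshot {
    # Registry path and value name as quoted in the original question.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
    $probe = (Get-ItemProperty -Path $key -Name NoActiveProbe -ErrorAction SilentlyContinue).NoActiveProbe

    # Client-side state: IP-HTTPS interface, DirectAccess status, effective NRPT.
    $iphttps = Get-NetIPHttpsState     -ErrorAction SilentlyContinue
    $da      = Get-DAConnectionStatus  -ErrorAction SilentlyContinue
    $nrpt    = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Time             = Get-Date -Format 'HH:mm:ss'
        NoActiveProbe    = if ($null -eq $probe) { 'not set' } else { $probe }
        IpHttpsStatus    = $iphttps.InterfaceStatus
        IpHttpsLastError = $iphttps.LastErrorCode
        DAStatus         = $da.Status
        DASubstatus      = $da.Substatus
        NrptNamespaces   = ($nrpt.Namespace -join ', ')
    }
}

# 18 samples, 10 seconds apart: long enough to cover the "active for
# 1 minute, then drops" behaviour described in the question.
$samples = 1..18 | ForEach-Object {
    Get-DaNcsiSnapshot
    Start-Sleep -Seconds 10
}
$samples | Format-Table -AutoSize
```

Running it once before and once after the GPO change gives a side-by-side record of the `NoActiveProbe` value against the IP-HTTPS interface status over time.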