All points green, can ping but no application connectivity

  • Question

  • Server: DirectAccess, Server 2012 R2, dual NIC (Intranet and DMZ)

    Client: Windows 8.1

    I've configured my DirectAccess server using several guides, in the configuration screen all points are coming up green. When connecting from a Windows 8.1 Client, the status is stuck at 'Connecting'.

    Even though it is 'connecting' I can still ping hosts on my local Intranet (which returns an IPv6 address, not IPv4) but I cannot access any shares or application resources (web sites, RDP etc).

    Running the DA client troubleshooting tool, all components come up green until Infrastructure and User tunnels, both of which fail when trying to access share resources.

    Running 'Get-DAConnectionStatus' returns 'RemoteNetworkAuthenticationError'.

    Running 'netsh interface httpstunnel show interfaces' shows that the IPHTTPS URL is correct and the status is 'IPHTTPS interface active'.

    I'm tearing my hair out at the moment, anybody have any advice for me?

    One other strange thing is that I never see any clients in the 'Remote access client status' tab in the management console.

    Perhaps this is a firewall issue?

    Wednesday, February 8, 2017 12:31 AM


All replies

  • Rather than using the DA client troubleshooting tool, I recommend sticking with some manual commands to really figure out what is and isn't working on the DA client while it tries to connect. This guide contains commands and descriptions of those commands, these are still the exact same ones that I use all day every day in order to troubleshoot DA connections: https://www.ivonetworks.com/news/2011/08/directaccess-connectivity-assistant-reading-the-log-file/

    Let me know if any of those don't steer you in the right direction, and we can certainly take them more one-by-one to figure out what is going on.

    Thursday, February 16, 2017 2:32 PM
  • Thanks, I'll work my way through it when I pick it up this week. I forgot I didn't get notified from TechNet when a reply happened!

    I'll get back hopefully by tomorrow

    Wednesday, February 22, 2017 3:17 AM
  • Ok so I've spent all day troubleshooting this issue and I believe the issue is related to the DNS configuration.

    When I run the wizard for DirectAccess and get to the DNS entry, if I use the 'detect' method, it detects the address:

    fd26:727e:e2d2:3333::1

    Which is (as far as I know) the DNS64 address on the DA server. The only problem is, after I 'detect', if I validate that address I get the warning:

    The specified DNS server is not responding. Ensure that the DNS server role is installed and running on the server.

    I'm guessing there is some mis-configuration of DNS. But if I just accept that, the DNS entry in the monitoring comes up 'green' still!

    Currently I have the two interfaces as:

    Ethernet adapter Ethernet1: EXTERNAL DMZ

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-A4-3F-80
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::bced:24b8:9643:66cc%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.254.12(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.254.254 DMZ GATEWAY ADDRESS
       DHCPv6 IAID . . . . . . . . . . . : 385896534
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-07-2E-49-00-50-56-A4-17-76

       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Ethernet0: INTERNAL INTRANET

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
       Physical Address. . . . . . . . . : 00-50-56-A4-17-76
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd26:727e:e2d2:3333::1(Preferred)
       Link-local IPv6 Address . . . . . : fe80::6831:f51c:f6b4:3c31%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.10.61(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.10.254
       DHCPv6 IAID . . . . . . . . . . . : 302010454
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-07-2E-49-00-50-56-A4-17-76

       DNS Servers . . . . . . . . . . . : 192.168.10.9 PRIMARY INTERNAL DNS
                                           192.168.10.16 SECONDARY INTERNAL DNS
       NetBIOS over Tcpip. . . . . . . . : Enabled


    Tuesday, February 28, 2017 2:36 AM
  • Ah, this is interesting information. From your ipconfig outputs it looks like you have a Default Gateway assigned to both the external and internal NICs. This will cause you all sorts of problems, and before troubleshooting anything else this needs to be addressed. In fact, it's possible that you will end up wiping out your DA config (which isn't really a big deal, you can just use the "Remove Configuration" button in the console), then make sure all your networking is completely squared away, and then re-run through the DA wizards to set it back up in the right fashion.

    Only the external NIC gets a Default Gateway, and only the internal NIC gets DNS server addresses defined. (so NO gateway on internal, and NO DNS servers defined on the external)

    Getting the networking "right" is very key to making DirectAccess work properly. Not having a default gateway on your internal NIC means you will have to add static routes in for your internal subnets, this is normal for every DirectAccess implementation. Unfortunately there isn't really anything in the wizards that tell you this, it's just something you have to know when you start. :)

    Not trying to self-promote, but if you're ever interested the first couple of chapters in this book lay out exactly what you need for doing these prerequisites on the DA server the right way, including other best practice NIC settings that you should put into place on your DA server that are probably not in place at the moment: https://www.amazon.com/Microsoft-DirectAccess-Best-Practices-Troubleshooting/dp/1782171061/ref=sr_1_4?ie=UTF8&qid=1488289571&sr=8-4&keywords=jordan+krause


    Tuesday, February 28, 2017 1:46 PM
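The two rules in the reply above (default gateway on the external NIC only, DNS servers on the internal NIC only, static routes for the internal subnets) can be checked from PowerShell on the DA server itself. The script below is an added example and is not part of the original thread or of any Microsoft tooling. The interface aliases Ethernet0 (internal) and Ethernet1 (external) and the internal next hop 192.168.10.254 are taken from the poster's ipconfig output; the 192.168.0.0/16 summary prefix for the internal address space is an assumption you would replace with your real internal subnets. Run it as-is to audit, or with -Fix to apply the corrections. Note that the fec0:0:0:ffff::1-3 entries shown under the external NIC in the poster's ipconfig are Windows' built-in site-local fallback DNS addresses, not a per-NIC setting, so the DNS check below looks at IPv4 only.

```powershell
# Added example (not from the original thread): audit the routing/DNS layout
# of a dual-NIC DirectAccess server against the rules in the reply above:
#   - only the external NIC carries a default gateway
#   - only the internal NIC carries DNS server addresses
#   - internal subnets are reached through static routes, not a default route
# Interface aliases and the internal next hop come from the poster's ipconfig;
# the internal summary prefix is an assumption for illustration.
param(
    [string]$InternalAlias   = 'Ethernet0',
    [string]$ExternalAlias   = 'Ethernet1',
    [string[]]$InternalPrefixes = @('192.168.0.0/16'),   # assumed internal address space
    [string]$InternalNextHop = '192.168.10.254',         # router on the internal segment
    [switch]$Fix
)

$problems = @()

# 1. Default gateways: every IPv4 default route and the interface it sits on.
$defaultRoutes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($r in $defaultRoutes) {
    if ($r.InterfaceAlias -ne $ExternalAlias) {
        $problems += "Default gateway $($r.NextHop) on '$($r.InterfaceAlias)' (only '$ExternalAlias' should have one)"
        if ($Fix) {
            Remove-NetRoute -InterfaceAlias $r.InterfaceAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false
        }
    }
}
if (-not ($defaultRoutes | Where-Object InterfaceAlias -eq $ExternalAlias)) {
    $problems += "No default gateway on '$ExternalAlias'"
}

# 2. DNS client settings: external NIC must have none, internal NIC must have some.
$extDns = (Get-DnsClientServerAddress -InterfaceAlias $ExternalAlias -AddressFamily IPv4).ServerAddresses
if ($extDns) {
    $problems += "DNS servers on '$ExternalAlias': $($extDns -join ', ') (should be empty)"
    if ($Fix) { Set-DnsClientServerAddress -InterfaceAlias $ExternalAlias -ResetServerAddresses }
}
$intDns = (Get-DnsClientServerAddress -InterfaceAlias $InternalAlias -AddressFamily IPv4).ServerAddresses
if (-not $intDns) { $problems += "No DNS servers on '$InternalAlias'" }

# 3. Static routes for the internal subnets, pointing at the internal router.
foreach ($prefix in $InternalPrefixes) {
    $have = Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias -ErrorAction SilentlyContinue
    if (-not $have) {
        $problems += "Missing static route $prefix via $InternalNextHop on '$InternalAlias'"
        if ($Fix) {
            New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias -NextHop $InternalNextHop | Out-Null
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "NIC routing/DNS layout matches the DirectAccess dual-NIC rules."
}
```

Against the configuration the poster pasted, the audit would flag the 192.168.10.254 default gateway on Ethernet0, which is exactly the problem the reply identifies. Because the DA wizards read the NIC layout when the configuration is created, run the fixes (and confirm with Get-NetRoute) before clicking through the Remote Access setup again.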
  • I swear I didn't have that gateway previously!

    That was one of the first issues I had to correct. Just yesterday I actually blew the server away and started from scratch, I must have missed that point unfortunately.

    After rebuilding and then fixing the NIC issue I can now get a full connection! Thanks a bunch, I will definitely check that book out now to get a better understanding of the network side.

    Tuesday, February 28, 2017 9:42 PM
  • Totally agree with Jordan, number one problem is the network configuration. You need to get better understanding on the setup of Multi Homed Network server (2 Nics or more). Not only the Gateway point which is true but also the below points:

    1. Order of NIC (Binding)

    2. Removing unnecessary protocols, such as QoS, from the internal NIC

    3. Removing all protocols (checkboxes) from the external NIC and keeping IPv4 and IPv6 only.

    Also, rule of thumb: if you change any of the NIC properties after installing DA then you must uninstall/remove DA and install it again, as it's very sensitive to these changes.

    Sunday, March 5, 2017 3:16 PM
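The protocol-binding points in the reply above can also be checked and applied from PowerShell on the DA server. This is an added example, not code from the thread or from Microsoft. It uses the poster's interface aliases, keeps only the IPv4 and IPv6 transports (component IDs ms_tcpip and ms_tcpip6) bound on the external NIC, removes the QoS Packet Scheduler (ms_pacer) from the internal NIC, and prints the IPv4 interface metrics so you can see which adapter the stack prefers. The GUI "binding order" the reply mentions is set under Network Connections > Advanced Settings on Server 2012 R2 and has no direct cmdlet, so the metrics are shown for reference only. As the reply says, do this before running the DirectAccess wizards, or remove the DA configuration first.

```powershell
# Added example (not from the original thread): report, and optionally trim,
# the protocol bindings on the NICs of a dual-NIC DirectAccess server:
#   - external NIC keeps only IPv4 (ms_tcpip) and IPv6 (ms_tcpip6)
#   - internal NIC drops the QoS Packet Scheduler (ms_pacer)
# Interface aliases come from the poster's ipconfig output.
param(
    [string]$InternalAlias = 'Ethernet0',
    [string]$ExternalAlias = 'Ethernet1',
    [switch]$Fix
)

$keepOnExternal = @('ms_tcpip', 'ms_tcpip6')   # IPv4 and IPv6 transports only
$dropOnInternal = @('ms_pacer')                # QoS Packet Scheduler

function Get-EnabledBindings([string]$Name) {
    # Only bindings that are currently ticked in the adapter's Properties dialog.
    Get-NetAdapterBinding -Name $Name | Where-Object { $_.Enabled } |
        Select-Object ComponentID, DisplayName
}

Write-Host "Enabled bindings on external NIC '$ExternalAlias':"
Get-EnabledBindings $ExternalAlias | Format-Table -AutoSize

# Anything other than the two IP transports on the external NIC gets flagged.
$extraExternal = Get-EnabledBindings $ExternalAlias |
    Where-Object { $_.ComponentID -notin $keepOnExternal }
foreach ($b in $extraExternal) {
    Write-Warning "External NIC still binds $($b.DisplayName) ($($b.ComponentID))"
    if ($Fix) { Disable-NetAdapterBinding -Name $ExternalAlias -ComponentID $b.ComponentID }
}

# QoS on the internal NIC is the specific item the reply calls out.
$qosInternal = Get-EnabledBindings $InternalAlias |
    Where-Object { $_.ComponentID -in $dropOnInternal }
foreach ($b in $qosInternal) {
    Write-Warning "Internal NIC still binds $($b.DisplayName) ($($b.ComponentID))"
    if ($Fix) { Disable-NetAdapterBinding -Name $InternalAlias -ComponentID $b.ComponentID }
}

# Interface metrics: the lower value is the interface the stack prefers.
Get-NetIPInterface -InterfaceAlias $InternalAlias, $ExternalAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState |
    Format-Table -AutoSize
```

Re-run the script without -Fix after making changes; the external NIC should list only "Internet Protocol Version 4 (TCP/IPv4)" and "Internet Protocol Version 6 (TCP/IPv6)", and no warnings should be printed.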