Direct Access Monitor Network Security Not Healthy

  • Question

    Why is my Direct Access Monitor saying that the Network Security is Not Healthy?

    Does this have to do with the malware inspection not being up-to-date?

    thanks, John

    Saturday, February 12, 2011 5:52 PM

All replies

  • I have seen this before as well and it has to do with IPSec DOS protection.

    I saw that one of the servers in my array showed as Not Healthy.  I ran the "netsh ipsecdos show int" from the command line and got an "Element not Found" error.  What had happened was one of the IPv6 tunneling interfaces had changed names, like the Teredo Tunneling interface was now "Local Area Connection* 10".  I'm not sure why this happens, but I have seen it on several different UAG DirectAccess servers.

    What I did to fix it was run the "netsh int ipv6 show int" command and figure out the names of all of the interfaces.  Then I ran "netsh ipsecdos reset" and manually added the interfaces back like this:

    netsh ipsecdos add interface isatap.contoso.com internal
    netsh ipsecdos add interface External public
    netsh ipsecdos add interface "6TO4 Adapter" public
    netsh ipsecdos add interface IPHTTPSInterface public
    netsh ipsecdos add interface "Local Area Connection* 10" public

    I've also seen the 6TO4 Adapter change names, so you might have to do an "ipconfig /all" along with the "netsh int ipv6 show int" to match the names up.

    Thanks,
    Ken

    • Edited by Ken Carvel Monday, February 14, 2011 1:39 PM
    Monday, February 14, 2011 1:29 PM
  • Hi Ken,

    Very nice tip!!!!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, February 14, 2011 1:35 PM
    Moderator
  • Hi Ken,

    Thanks for your reply.
    I do not see any problem with the interfaces.

    This is the output of the commands

    C:\>netsh ipsecdos show int
    Public interfaces: PUBLIC, 6TO4 Adapter, Local Area Connection* 11, IPHTTPSInterface
    Internal interfaces: isatap.{DC944005-BCFF-4098-B635-B81A87D62EA7}
    Ok.

    C:\>netsh int ipv6 show int

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          50  4294967295  connected     Loopback Pseudo-Interface 1
     15          50        1280  disconnected  6TO4 Adapter
     11          20        1500  connected     PUBLIC
     12          50        1280  connected     Local Area Connection* 11
     16          25        1280  connected     isatap.{AA86194C-0067-49F9-8613-DE867A9F1861}
     17          10        1280  connected     isatap.{DC944005-BCFF-4098-B635-B81A87D62EA7}
     18          50        1280  connected     IPHTTPSInterface
     13          10        1500  connected     PRIVATE
     20          50        1280  disconnected  Local Area Connection* 9
     34          25        1280  connected     Local Area Connection* 12

     

     

    Tuesday, February 15, 2011 7:30 PM
  • It seems like there might be an issue with the 6TO4 Adapter, although I'm also not sure about the names on the ISATAP adapters either.  The 6TO4 Adapter is listed in the netsh ipsecdos show int command, but it shows disconnected.  It could be that one of those other Local Area Connection interfaces is really the active 6TO4 Adapter.  You should be able to tell from an ipconfig.  Then use the netsh ipsecdos command to delete the 6TO4 adapter and add the active one in its place.  Another thing that has worked for me would be to go into device manager and delete all of the 6TO4 Adapters, then reboot and re-activate UAG.

    I had a similar problem where I got a new 6TO4 Adapter every time the server rebooted until I removed them all.

    Thanks,
    Ken

    Tuesday, February 15, 2011 7:43 PM
  • Ken,

     

    Ipconfig below. I scrambled some numbers for obvious reasons.

    I guess the 6to4 is on LAC12? Those addresses start with 2002, and iphttpsinterface is clearly listed elsewhere?

    The thing is that the DA Monitor only shows Network Security Not Healthy.
    The 6to4 Router is showing healthy!

    Is it still your advice to remove the 6to4 adapters?
    I would use device manager to remove them as you suggest.

    Tunnel adapter 6TO4 Adapter:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter Local Area Connection* 11:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::8000:f227:3db1:####%12
       Default Gateway . . . . . . . . . :

    Tunnel adapter isatap.{AA86194C-0067-49F9-8613-DE867A9F####}:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::200:5efe:###.78.142.###%16
       Link-local IPv6 Address . . . . . : fe80::200:5efe:###.78.142.###%16
       Default Gateway . . . . . . . . . :

    Tunnel adapter isatap.{DC944005-BCFF-4098-B635-B81A87D6####}:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eaa:8000:0:####:172.16.##.##
       Link-local IPv6 Address . . . . . : fe80::5efe:172.16.##.##%17
       Default Gateway . . . . . . . . . :

    Tunnel adapter IPHTTPSInterface:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eaa:8100:7549:f745:2ee8:####
       Link-local IPv6 Address . . . . . : fe80::7549:f745:2ee8:####%18
       Default Gateway . . . . . . . . . :

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter Local Area Connection* 12:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eaa::c24e:####
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eab::c24e:####
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:####

     

    Thursday, February 17, 2011 8:05 AM
  • Yes, I would remove any 6TO4 adapters listed in device manager (click on Show Hidden Devices under View first), reboot, and then activate UAG.

    Thanks,
    Ken

    • Marked as answer by JohnDBE Friday, February 18, 2011 8:18 AM
    Thursday, February 17, 2011 10:58 AM
  • Ken,

    Yep, yep problem solved! The monitor is showing healthy on all counts!
    You rock! A big thank you!

    There is one more ISATAP at the end of the ipconfig list.
    I assume I can do the same procedure in device manager for the ISATAP interfaces?

    ipconfig

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eaa::c24e:####
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eab::c24e:####
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:####

    Tunnel adapter Local Area Connection* 11:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::8000:f227:3db1:####%12
       Default Gateway . . . . . . . . . :

    Tunnel adapter isatap.{AA86194C-0067-49F9-8613-DE867A9F####}:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::200:5efe:194.78.###.###%15
       Link-local IPv6 Address . . . . . : fe80::200:5efe:194.78.###.###%15
       Default Gateway . . . . . . . . . :

    Tunnel adapter isatap.{DC944005-BCFF-4098-B635-B81A87D6####}:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eaa:8000:0:5efe:172.16.##.##
       Link-local IPv6 Address . . . . . : fe80::5efe:172.16.##.##%16
       Default Gateway . . . . . . . . . :

    Tunnel adapter IPHTTPSInterface:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:c24e:8eaa:8100:7549:f745:2ee8:####
       Link-local IPv6 Address . . . . . : fe80::7549:f745:2ee8:####%17
       Default Gateway . . . . . . . . . :

    Tunnel adapter isatap.{10A57E75-8BB7-4224-AACE-F524743A####}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Friday, February 18, 2011 8:26 AM
  • Yay!!!

    Two big thumbs up for Ken! Thanks!

    Tom


    Friday, February 18, 2011 4:54 PM
    Moderator
  • That is good to hear.  I'm not sure about the ISATAP interfaces.  I have just left those alone in the past.

    Thanks,
    Ken

    Monday, February 21, 2011 11:19 AM
  • I don't think the ISATAP interfaces need to be changed.

    Thanks!

    Tom


    Monday, February 21, 2011 2:09 PM
    Moderator
  • I am having a similar issue: in my DirectAccess Monitor I am showing not healthy on one of my array members for Network Security and ISATAP Router (the array member is currently suspended).  Using the information from this thread I have figured out that my isatap entry being seen as the internal interface is the interface that shows disconnected.  All of my other servers correctly show the internal address as connected.  Where do I go from here?

    When I issue:

    C:\>netsh int ipv6 sho int

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          50  4294967295  connected     Loopback Pseudo-Interface 1
     12          10        1280  connected     isatap.{4DC347E5-4B87-42A2-B5DD-858B2AF67258}
     19          10        1280  connected     6TO4 Adapter
     20          50        1280  connected     IPHTTPSInterface
     15          50        1280  disconnected  isatap.{B7B2198C-798B-4541-BF5C-E2EF2BBA031C}
     16          50        1280  connected     Teredo Tunneling Pseudo-Interface
     11          10        1500  connected     WAN
     22          10        1280  connected     isatap.{20093134-F1D9-43C6-B576-8CFAAB5704BB}
     13          10        1500  connected     LAN

    When I issue:

    c:\>netsh ipsecdosprotection sho int

    Public interfaces: WAN, 6TO4 Adapter, Teredo Tunneling Pseudo-Interface, IPHTTPSInterface
    Internal interfaces: isatap.{B7B2198C-798B-4541-BF5C-E2EF2BBA031C}

    Thursday, May 12, 2011 3:51 PM
  • Well, I thought I'd share what I did to bring my server back from the Not Healthy status for Network Security and ISATAP Router.

    First, since I noticed that the Internal Interface for ipsecdosprotection was a disconnected ISATAP address, I completed an add interface command and labeled it Internal; this then showed 2 different isatap addresses for the Internal interfaces.  Immediately the Monitor showed network security was ok.  I then removed the older isatap entry that was disconnected using the delete interface command, and rebooted the server to make sure the setting took.

    The ISATAP Router was a similar issue: I followed directions to create an ISATAP Router on Windows 2008 http://www.windowsnetworking.com/articles_tutorials/configuring-isatap-router-windows-server-2008-r2-part2.html and got the routing table looking very similar to the other array members; however, I was still missing a route for the /49.  We ended up needing to add an entry to our NRPT table, so an activation was performed.  I think the route was added in at that point.  But the ISATAP router was back to healthy.

    What I don't know, is if an activation would've fixed all of these issues or not.  One thing I made sure of is that on a reboot both settings remained after the reboot, so the changes took.  

     

    Does anyone out there know if the Activation would've done all that manual work that I did?

     

     

    Thursday, May 12, 2011 8:35 PM
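
The cross-check described in this thread (compare the names registered in `netsh ipsecdos show int` against the live names and states from `netsh int ipv6 show int`), as an added example that is not part of any post: Python run over saved output of the two commands, with the output posted above as sample input. The finding labels and the two name prefixes treated as tunnel adapters are assumptions of this example.

```python
import re

# Sample input: the output posted in this thread (May 2011 post).
IPV6_SHOW_INT = """\
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          10        1280  connected     isatap.{4DC347E5-4B87-42A2-B5DD-858B2AF67258}
 19          10        1280  connected     6TO4 Adapter
 20          50        1280  connected     IPHTTPSInterface
 15          50        1280  disconnected  isatap.{B7B2198C-798B-4541-BF5C-E2EF2BBA031C}
 16          50        1280  connected     Teredo Tunneling Pseudo-Interface
 11          10        1500  connected     WAN
 22          10        1280  connected     isatap.{20093134-F1D9-43C6-B576-8CFAAB5704BB}
 13          10        1500  connected     LAN
"""
IPSECDOS_SHOW_INT = """\
Public interfaces: WAN, 6TO4 Adapter, Teredo Tunneling Pseudo-Interface, IPHTTPSInterface
Internal interfaces: isatap.{B7B2198C-798B-4541-BF5C-E2EF2BBA031C}
"""

ROW = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+(\S+)\s+(\S.*?)\s*$")
ROLE = re.compile(r"^\s*(Public|Internal) interfaces:\s*(.*?)\s*$")
# Assumption: name patterns the thread associates with renamed tunnel adapters.
TUNNEL_PREFIXES = ("isatap.", "Local Area Connection*")

def parse_ipv6_interfaces(text):
    """Map interface name -> state from `netsh int ipv6 show int` output."""
    return {m.group(2): m.group(1)
            for m in map(ROW.match, text.splitlines()) if m}

def parse_ipsecdos(text):
    """Return (role -> [names], unreadable) from `netsh ipsecdos show int`."""
    roles, unreadable = {"public": [], "internal": []}, False
    for m in filter(None, map(ROLE.match, text.splitlines())):
        if m.group(2).lower().startswith("element not found"):
            unreadable = True  # a registered name no longer resolves
        elif m.group(2):
            roles[m.group(1).lower()] = [n.strip() for n in m.group(2).split(",")]
    return roles, unreadable

def audit(ipv6_text, ipsecdos_text):
    """List (finding, role, interface) tuples for registration mismatches."""
    states = parse_ipv6_interfaces(ipv6_text)
    roles, unreadable = parse_ipsecdos(ipsecdos_text)
    findings = [("list-unreadable", "-", "-")] if unreadable else []
    for role, names in roles.items():
        for name in names:
            state = states.get(name)
            if state is None:
                findings.append(("missing", role, name))
            elif state != "connected":
                findings.append((state, role, name))
    registered = {n for names in roles.values() for n in names}
    # Connected, unregistered tunnel-style names: match against ipconfig /all.
    for name, state in states.items():
        if (state == "connected" and name not in registered
                and name.startswith(TUNNEL_PREFIXES)):
            findings.append(("unregistered", "-", name))
    return findings

if __name__ == "__main__":
    for finding in audit(IPV6_SHOW_INT, IPSECDOS_SHOW_INT):
        print(*finding, sep="\t")
```

An "unregistered" finding is only a candidate: the script cannot tell which ISATAP or renamed adapter is the active one, so the name still has to be confirmed against `ipconfig /all` before it is re-added.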
  • I have reviewed the posts and I have the same issue as to "network security - Unhealthy"

     

    C:\Windows\system32>netsh ipsecdos show int
    Public interfaces: Element not found.

    Which interfaces should I put as internal and which ones should I make external?

     

    C:\Windows\system32>netsh int ipv6 show int

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          50  4294967295  connected     Loopback Pseudo-Interface 1
     29          50        1280  connected     isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}
     11           5        1500  connected     InternalNet
     13           5        1280  connected     isatap.{4D01CE57-07D8-4F76-97EC-3BE6ED110E21}
     14           5        1280  connected     isatap.{A2EC8300-1908-4ED1-B479-94E7A0D6F4D7}
     15          50        1280  connected     IPHTTPSInterface
     12           5        1500  connected     PublicNet
     17          50        1280  connected     Teredo Tunneling Pseudo-Interface
     18           5        1280  connected     Local Area Connection* 12

     

    C:\Windows\system32>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ***********
       Primary Dns Suffix  . . . . . . . : ***********
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ***********
       System Quarantine State . . . . . : Not Restricted


    PPP adapter RAS (Dial In) Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter InternalNet:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
       Physical Address. . . . . . . . . : ***********
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : ***********%11(Preferred)
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 251678806
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-E3-D2-8D-00-50-56-82-00-23

       DNS Servers . . . . . . . . . . . : ***********
                                           ***********
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter PublicNet:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : ***********
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : ***********(Preferred)
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.248
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.248
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.248
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.248
       IPv4 Address. . . . . . . . . . . : ***********(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.248
       Default Gateway . . . . . . . . . : ***********
       DHCPv6 IAID . . . . . . . . . . . : 318787670
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-E3-D2-8D-00-50-56-82-00-23

       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . :***********(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{4D01CE57-07D8-4F76-97EC-3BE6ED110E21}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : ***********(Preferred)
       Link-local IPv6 Address . . . . . : ***********(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : ***********
                                           ***********
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{A2EC8300-1908-4ED1-B479-94E7A0D6F4D7}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : ***********(Preferred)

       Link-local IPv6 Address . . . . . : ***********(Preferred)

       Link-local IPv6 Address . . . . . : ***********(Preferred)

       Link-local IPv6 Address . . . . . : ***********(Preferred)

       Link-local IPv6 Address . . . . . : ***********(Preferred)

       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter IPHTTPSInterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : IPHTTPSInterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : ***********(Preferred)
       Link-local IPv6 Address . . . . . : ***********(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : ***********(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 12:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : ***********Preferred)
       IPv6 Address. . . . . . . . . . . : ***********(Preferred)
       IPv6 Address. . . . . . . . . . . : ***********Preferred)
       IPv6 Address. . . . . . . . . . . : ***********(Preferred)
       IPv6 Address. . . . . . . . . . . : ***********(Preferred)
       Default Gateway . . . . . . . . . : ***********
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

     

    Monday, November 28, 2011 9:26 PM