DA client getting error: Main mode SA assumed to be invalid because peer stopped responding.

  • Question

  • Facing an issue with only one DA client: it connects to DirectAccess for a few seconds and then gets disconnected.

    Looking at the error in Event Viewer, I see the error below.

    Any help appreciated. The certificate looks OK on the client; not sure why IPsec is still failing.

    Main

    An IPsec main mode negotiation failed.

    Local Endpoint:
        Local Principal Name:  -
        Network Address:       fd03:c8e4:6dc5:1000:65c3:ec29:19db:d27
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:       fd03:c8e4:6dc5:1000::1
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    IKEv1
        Authentication Method: Unknown authentication
        Role:                  Initiator
        Impersonation State:   Not enabled
        Main Mode Filter ID:   0

    Failure Information:
        Failure Point:         Local computer
        Failure Reason:        No policy configured

        State:                 No state
        Initiator Cookie:      9859f832aff8f6c2
        Responder Cookie:      0000000000000000

    Quick

    An IPsec quick mode negotiation failed.

    Local Endpoint:
        Network Address:       ::
        Network Address mask:  0
        Port:                  0
        Tunnel Endpoint:       fd03:c8e4:6dc5:1000:65c3:ec29:19db:d27

    Remote Endpoint:
        Network Address:       fd03:c8e4:6dc5:7777::405a:e2f2
        Address Mask:          0
        Port:                  0
        Tunnel Endpoint:       fd03:c8e4:6dc5:1000::1
        Private Address:       0.0.0.0

    Additional Information:
        Protocol:                     0
        Keying Module Name:           AuthIP
        Virtual Interface Tunnel ID:  0
        Traffic Selector ID:          0
        Mode:                         Tunnel
        Role:                         Initiator
        Quick Mode Filter ID:         148975
        Main Mode SA ID:              9

    Failure Information:
        State:                 Sent first (SA) payload
        Message ID:            3
        Failure Point:         Local computer
        Failure Reason:        Main mode SA assumed to be invalid because peer stopped responding.

    Monday, April 20, 2015 12:42 PM

All replies

  • Can you post DCA logs here?
    Monday, April 20, 2015 12:57 PM
  • Error: Corporate connectivity is not working. Windows is unable to contact the DirectAccess server. 2/4/2015 16:2:15 (

    DTE List 
    PING: fd03:c8e4:6dc5:1000::1 (Fail) 
    PING: fd03:c8e4:6dc5:1000::2 (Fail)

    6to4 Configuration (Get-Net6to4Configuration)


    Description               : 6to4 Configuration
    State                     : Default
    AutoSharing               : Default
    RelayName                 : 6to4.ipv6.microsoft.com.
    RelayState                : Default
    ResolutionIntervalSeconds : 1440

    Proxy Configuration (netsh winhttp show proxy)

    Current WinHTTP proxy settings:

        Direct access (no proxy server).

    IP-HTTPs State (Get-NetIPHttpsState)
    LastErrorCode   : 0x0
    InterfaceStatus : IPHTTPS interface active

    Monday, April 20, 2015 1:06 PM
  • my "Personal"
    ================ Certificate 0 ================
    Serial Number: db275ae51a55dc55fbe5
    Issuer: CN=Communications Server
     NotBefore: 3/27/2015 5:16 PM
     NotAfter: 9/23/2015 5:16 PM
    Subject: CN=username@bentley.com
    Non-root Certificate
    Cert Hash(sha1): b3 1a 83 46 a7 3b 35 81 d5 b8 df 4a cf c7 b5 84 3d 16 4f 19
      Key Container = OC_KeyContainer_Lync_username@bentley.com
      Unique container name: c8d28464bd8e19954e01e055a437dac2_9a8ca7a5-b032-4abe-aa4f-78479e291b9e
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Private key is NOT exportable
    Signature test passed

    ================ Certificate 1 ================
    Serial Number: acf56029651a29985555bc204feec2906e0e623c
    Issuer: CN=Token Signing Public Key
     NotBefore: 11/2/2014 1:10 PM
     NotAfter: 11/9/2014 1:10 PM
    Subject: CN=8cb8436c5273712d
    Non-root Certificate
    Cert Hash(sha1): 96 40 a0 e3 d8 d3 a1 83 3d 7d 53 89 78 13 ec ea 14 57 59 e2
      Key Container = IDENTITYCRL_CERT_CONTAINER_781dc55f-39ad-4acf-908b-077a9f0892c0
      Unique container name: fa2317742ecd4995840a96d529ded279_9a8ca7a5-b032-4abe-aa4f-78479e291b9e
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Encryption test passed

    ================ Certificate 2 ================
    Serial Number: 1ecfdba10000000711f6
    Issuer: CN=certificates1.bentley.com, OU=IT, O=Bentley Systems Inc, L=Exton, S=PA, DC=bentley, DC=com, C=US
     NotBefore: 10/14/2014 3:00 PM
     NotAfter: 10/14/2015 3:00 PM
    Subject: E=username@bentley.com, CN= user name
    Non-root Certificate
    Template: 1.3.6.1.4.1.311.21.8.11654720.1572043.7097246.3836610.15498332.49.1051303.5974672, Bentley User
    Cert Hash(sha1): 34 b0 4d a3 c0 ea 3f 91 c4 e8 1f bf bc a3 eb 8d 0e 13 71 3b
      Key Container = le-BentleyUser-b08f3f78-54cf-490e-9778-24c8c7bb9c0e
      Unique container name: fe0554406294c67f04d3b9898a803d95_9a8ca7a5-b032-4abe-aa4f-78479e291b9e
      Provider = Microsoft Software Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    Monday, April 20, 2015 1:10 PM
  • Thanks for logs.

    Can you confirm if you have any third-party software/configurations which might be disturbing IPHLPSVC (the IP Helper service, which is essential for DA), or can you confirm if you have a persistent internet connection?

    And are you able to reach web sites when you are having issues?

    Monday, April 20, 2015 3:01 PM
  • Hello,

    Are you using Computer Certificates for IPsec tunnels?
    It seems that you don't have a correct one for DirectAccess, or these are only the user's certificates.

    Gerald


    Monday, April 20, 2015 3:06 PM
  • Why do you think it is not correct? I checked on his box and it looks like the cert is the correct one.

    We are using a machine cert for authentication.

    Monday, April 20, 2015 3:41 PM
  • "certutil -store my" ==> This command would list the Computer certificates from machine.

    "certutil -store -user my" ==> This command would list the certificates from logged on user's store.

    In my opinion, the required certificates are in place, and that's why you are able to connect in the first place.

    And ICMP is not included in IPsec traffic: "This is true for all traffic except ICMP traffic. In a UAG DirectAccess scenario, IPsec policy is configured to exempt ICMP from IPsec authentication and encryption. Therefore when you ping a resource on the intranet, you are sending those pings outside of the infrastructure and intranet IPsec DirectAccess tunnels." ==> http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx

    In the DCA logs I could see that even ICMP is not working, so it looks more like either a network connectivity issue or some software disabling IPHLPSVC or Windows Firewall intermittently.

    Monday, April 20, 2015 4:12 PM
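The certificate and tunnel checks discussed in the reply above, as an added PowerShell example that is not part of the thread. It assumes an elevated session on a Windows 8.1 or later DA client (the `Cert:` drive, the `Get-NetIPsecMainModeSA` cmdlet and `Get-DAConnectionStatus` from the DirectAccessClientComponents module are in-box there; a Windows 7 client with DCA has only `certutil` and `netsh advfirewall monitor show mmsa`). The intranet host name at the end is a placeholder.

```powershell
# Added example, not from the thread: client-side checks for DirectAccess IPsec
# machine authentication. Assumes an elevated PowerShell session on a Windows 8.1+
# DA client; the host name in step 5 is a placeholder you must replace.

# 1. The computer store filtered the way IPsec uses it: a cert with a private key,
#    still valid, carrying the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
#    This is the PowerShell counterpart of "certutil -store my".
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    })

if ($machineCerts.Count -eq 0) {
    Write-Warning 'No usable computer certificate in LocalMachine\My; IPsec machine auth cannot succeed.'
} else {
    $machineCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 2. The chain must build on the client itself (trusted root and any intermediate CA
#    present in LocalMachine\Root / LocalMachine\CA). Revocation is left to IPsec so the
#    check works while the tunnel is down.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($cert in $machineCerts) {
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain for $($cert.Thumbprint) does not build: $reasons"
    }
}

# 3. Live IPsec state. A working DA client holds main mode SAs to the DA server's
#    tunnel endpoints; an empty list matches the 'Main mode SA assumed to be invalid
#    because peer stopped responding' event in the original post.
$mainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
"Main mode SAs: $($mainModeSAs.Count)"
$mainModeSAs | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize

# 4. DirectAccess's own view of the connection (ConnectedRemotely is the healthy
#    state when off the corporate network).
Get-DAConnectionStatus | Format-List Status, Substatus

# 5. ICMP is exempt from the IPsec policy, so ping says nothing about the tunnels.
#    Test a TCP port on an internal host that is only reachable through DA instead.
Test-NetConnection -ComputerName 'intranet-host.corp.example' -Port 445 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

If step 1 lists a valid cert but step 3 shows zero main mode SAs while the client reports itself connected, the problem is in the negotiation (policy, server-side trust, or the IP Helper transition technology the tunnel rides on) rather than in the client's certificate store.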
  • That is really helpful. Let's say some other third-party software is disabling the IPHLPSVC service; when I check in services.msc the IP Helper service is running fine there.

    Though if I restart that service, DA works for 2 minutes and then gets dropped again.

    How can we determine which service is disabling the IPHLPSVC service?

    Thanks again.

    Monday, April 20, 2015 4:52 PM
  • First you might have to isolate whether the issue is because of IPHLPSVC or a network fluctuation. Maybe you could check in eventvwr to see if you have any evidence of IPHLPSVC getting restarted.

    If that is getting restarted you can use ProcMon or SYSMON from sysinternals to see who is restarting the service https://technet.microsoft.com/en-us/sysinternals/dn798348 - SYSMON

    https://technet.microsoft.com/en-us/library/bb896645.aspx - ProcMon

    Also can you please confirm, if we have the same issue happening for all the users?

    Tuesday, April 21, 2015 7:28 AM
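The Event Viewer check suggested above, as an added PowerShell example that is not part of the thread. It assumes an elevated session on the affected client; the Sysmon part only does anything if Sysmon is installed and writing to its default operational log. Service Control Manager event IDs 7036 (state change) and 7040 (start type change) and Sysmon event ID 1 (process create) are the standard IDs for those logs.

```powershell
# Added example, not from the thread: find evidence of the IP Helper service
# (iphlpsvc) being stopped or reconfigured, and who did it. Assumes an elevated
# session; adjust $since to cover the period when DA was dropping.

$svcName        = 'iphlpsvc'
$svcDisplayName = 'IP Helper'
$since          = (Get-Date).AddDays(-1)

# 1. Service Control Manager logs every service state change as System event 7036
#    and every start-type change as 7040. Keep only the IP Helper ones.
$scmEvents = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$svcDisplayName*" })

$scmEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Repeated 'entered the stopped state' entries mean something is bouncing the
# service; a single entry at boot is normal. A 7040 entry means the startup type
# itself was changed (installer, GPO, or a manual sc.exe/services.msc change).
$stops = @($scmEvents | Where-Object { $_.Id -eq 7036 -and $_.Message -like '*stopped state*' })
$startTypeChanges = @($scmEvents | Where-Object { $_.Id -eq 7040 })
"IP Helper stop events since $since : $($stops.Count)"
"IP Helper start-type changes since $since : $($startTypeChanges.Count)"

# 2. With Sysmon installed, event 1 (process create) records the command line and
#    parent of every process, so a 'sc stop iphlpsvc' or 'net stop "IP Helper"' run
#    by some agent shows up here, timestamped next to the 7036 events above.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "$svcName|$svcDisplayName" } |
        Select-Object TimeCreated, Message | Format-List
} else {
    "Sysmon log not present; use Process Monitor with a filter on Path contains 'iphlpsvc' instead."
}

# 3. Current state and configured start mode, which services.msc also shows but
#    which is worth capturing at the moment DA drops rather than afterwards.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, State, StartMode, ProcessId
```

Run it once while DA is working and again right after a drop; if the 7036 count does not change between the runs, the service is not being restarted and the cause is more likely network side (the first option the reply raises) than a third-party agent.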
  • Only a single user is facing this issue.

    OK, I will check the Event Viewer logs, but just to give you a clear idea: when DA drops, I checked and the IP Helper service is running.

    Then after I restart the IP Helper service it works for 3-4 minutes, then DA drops again.

    Tuesday, April 21, 2015 7:46 AM
  • Did you ever fix this? We have the same issue!!
    Thursday, October 10, 2019 2:10 PM