Direct Access 2012 through NAT - Stuck on Connecting

  • Question

  • Hi,

    I have set up DA 2012 R2 with 2 NICs (one on LAN, one on DMZ) behind a Juniper NAT edge firewall. I tested it successfully with a couple of Windows 8.1 clients. However, upon trying to roll this out to a pilot group, I am seeing the clients stuck on Connecting. I am still able to connect using the original test clients. I have run Network Monitor on the DA server and get the following.

     586 11:06:52 31/07/2014 48.4880776  10.0.0.254 10.0.0.21 ARP ARP:Response, 10.0.0.254 at 00-10-DB-FF-10-03 
    50344 (0xC4A8) 587 11:06:52 31/07/2014 48.4880965 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893217, Ack=1506169700, Win=8192 ( Scale factor not supported ) = 2097152 {TCP:2, IPv4:1}
     588 11:06:52 31/07/2014 48.4960366  10.0.0.254 10.0.0.21 ARP ARP:Response, 10.0.0.254 at 00-10-DB-FF-10-03 
    50344 (0xC4A8) 625 11:06:55 31/07/2014 51.4875730 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893217, Ack=1506169700, Win=8192 ( Scale factor not supported ) = 2097152 {TCP:2, IPv4:1}
    50344 (0xC4A8) 699 11:07:01 31/07/2014 57.4888575 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893217, Ack=1506169700, Win=65535 ( Scale factor not supported ) = 16776960 {TCP:2, IPv4:1}
     756 11:07:06 31/07/2014 62.2536401  10.0.0.21 10.0.0.254 ARP ARP:Request, 10.0.0.21 asks for 10.0.0.254 
     757 11:07:06 31/07/2014 62.2547702  10.0.0.254 10.0.0.21 ARP ARP:Response, 10.0.0.254 at 00-10-DB-FF-10-03 
    50344 (0xC4A8) 845 11:07:13 31/07/2014 69.4900573 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=.....R.., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893218, Ack=1506169700, Win=0 (scale factor 0x8) = 0 {TCP:2, IPv4:1}
     984 11:07:25 31/07/2014 81.0412127  10.0.0.254 10.0.0.21 ARP ARP:Response, 10.0.0.254 at 00-10-DB-FF-10-03 
     986 11:07:25 31/07/2014 81.0495575  10.0.0.254 10.0.0.21 ARP ARP:Response, 10.0.0.254 at 00-10-DB-FF-10-03 

    EdgeFW DMZ Address - 10.0.0.254
    DAServer DMZ Address - 10.0.0.21
    DAClient Router Internet IP - 123.123.123.123

    I keep seeing ( Scale factor not supported ) in the output and then a Reset flag, which I believe is the problem.

    Does anyone have any idea what may be causing this?

    Thanks,

    Jez

    Thursday, July 31, 2014 11:07 AM
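
An added example, not part of the original post: a small Python parser for the Network Monitor text lines above that groups repeated SYN-ACKs per flow and reports the gaps between them and the time to the final reset. A SYN-ACK resent with an unchanged Seq means the sender has not received the ACK that completes the handshake. The function name, the regular expression and the output field names are assumptions of this example; the sample frames are frames 586 to 845 of the trace above, cut off after the Seq field.

```python
import re
from collections import defaultdict

# Sample input: frames 586-845 of the trace in the question, abridged after Seq.
SAMPLE = """\
586 11:06:52 31/07/2014 48.4880776  10.0.0.254 10.0.0.21 ARP ARP:Response, 10.0.0.254 at 00-10-DB-FF-10-03
50344 (0xC4A8) 587 11:06:52 31/07/2014 48.4880965 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893217
50344 (0xC4A8) 625 11:06:55 31/07/2014 51.4875730 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893217
50344 (0xC4A8) 699 11:07:01 31/07/2014 57.4888575 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893217
50344 (0xC4A8) 845 11:07:13 31/07/2014 69.4900573 System 10.0.0.21 123.123.123.123 TCP TCP:Flags=.....R.., SrcPort=HTTPS(443), DstPort=50344, PayloadLen=0, Seq=2368893218
"""

FRAME = re.compile(
    r"\d\d:\d\d:\d\d \S+ (?P<offset>\d+\.\d+) .*?"
    r"(?P<src>\d+(?:\.\d+){3}) (?P<dst>\d+(?:\.\d+){3}) TCP TCP:Flags=(?P<flags>[.A-Z]+), "
    r"SrcPort=(?P<sport>[^,]+), DstPort=(?P<dport>[^,]+),.*?Seq=(?P<seq>\d+)"
)

def stalled_handshakes(trace_text):
    """Return flows where the same SYN-ACK (same Seq) was sent more than once."""
    synacks = defaultdict(list)   # (flow, seq) -> capture offsets of each SYN-ACK
    resets = {}                   # flow -> offset of the first RST from that sender
    for line in trace_text.splitlines():
        m = FRAME.search(line)
        if not m:
            continue              # ARP and other non-TCP frames
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        offset = float(m["offset"])
        if "S" in m["flags"] and "A" in m["flags"]:
            synacks[(flow, int(m["seq"]))].append(offset)
        elif "R" in m["flags"]:
            resets.setdefault(flow, offset)
    findings = []
    for (flow, seq), sent in synacks.items():
        if len(sent) < 2:
            continue              # a single SYN-ACK is a normal handshake step
        findings.append({
            "flow": flow,
            "seq": seq,
            "synack_count": len(sent),
            "retransmit_gaps_s": [round(b - a, 1) for a, b in zip(sent, sent[1:])],
            "reset_after_s": round(resets[flow] - sent[0], 1) if flow in resets else None,
        })
    return findings

if __name__ == "__main__":
    print(stalled_handshakes(SAMPLE))
```
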

All replies

  • How is the client connecting? IPHTTPS? 

    If so, on the client run "netsh int https show int" and report back what it says on the client.

    Also do an ipconfig on the client and see if the IPHTTPS adapter obtained an IP address.

    It could be that it's all working but the Corporate Connectivity verifiers are not configured correctly.


    Friday, August 1, 2014 3:33 AM
  • Hi there - have you created static entries in DNS for directaccess-WebProbeHost and directaccess-CorpConnectivityHost, replacing the DirectAccess auto-created ones? I have seen this when scavenging has removed them, and it is also recommended to make them static.

    John Davies

    Monday, August 4, 2014 11:01 AM