DirectAccess IPsec Main Mode 4653 Error

  • Question



  • Hello Everyone.

    I am having an issue related to DirectAccess without UAG, DirectAccess running on Windows Server 2008 R2. Currently I have a ticket open with Microsoft Premier Support, but I'm writing here because maybe some of you have ideas :)

    My clients are running Windows 7 Enterprise SP1; they can access some resources like RDP but cannot access SMB resources when they are located outside the network and connected through DirectAccess. I can ping the internal resources, and in some cases RDP works, but "net view \\server" says Access Denied.

    It's not a permissions issue. Inside the network I have access to the shared folder, but not when I am outside.

    Digging deeper, it seems like an IPsec Main Mode negotiation issue. I have the translation technologies from IPv4 to IPv6 working well. I have the right certificates and policies deployed to the clients. The DirectAccess infrastructure tunnel is working perfectly (for example, I have DNS resolution), but the intranet tunnel cannot be established. In the Security log I can see that there is good authentication for the Quick Mode of IPsec but not for the Main Mode.

    There is this event while clients are creating the tunnel:

    Nombre de registro:Security
    Origen:    Microsoft-Windows-Security-Auditing
    Fecha:     20/06/2011 10:12:29 a.m.
    Id. del evento:4653
    Categoría de la tarea:Modo principal de IPsec
    Nivel:     Información
    Palabras clave:Error de auditoría
    Usuario:    No disponible
    Equipo:    Infraestractura.corp.canalcaracol.com
    Descripción:
    Error de negociación de modo principal de IPsec.
    
    Extremo local:
     Nombre de entidad de seguridad local: -
     Dirección de red: 2002:ba67:3cc6::ba67:3cc6
     Puerto de módulo de generación de claves: 500
    
    Extremo remoto:
     Nombre de entidad de seguridad: -
     Dirección de red: 2002:404c:bf98::404c:bf98
     Puerto de módulo de generación de claves: 500
    
    Información adicional:
     Nombre de módulo de generación de claves: IKEv1
     Método de autenticación: Autenticación desconocida
     Rol:  Iniciador
     Estado de suplantación: No habilitado
     Id. de filtro de modo principal: 0
    
    Información de error:
     Punto de error: Equipo local
     Motivo del error: No hay ninguna directiva configurada
    
     Estado:  Sin estado
     Cookie de iniciador: 7ca2374308a6f9a0
     Cookie de respondedor: 0000000000000000
    XML de evento:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4653</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12547</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2011-06-20T15:12:29.383898300Z" />
      <EventRecordID>15028</EventRecordID>
      <Correlation />
      <Execution ProcessID="564" ThreadID="3248" />
      <Channel>Security</Channel>
      <Computer>Infraestractura.corp.canalcaracol.com</Computer>
      <Security />
     </System>
     <EventData>
      <Data Name="LocalMMPrincipalName">-</Data>
      <Data Name="RemoteMMPrincipalName">-</Data>
      <Data Name="LocalAddress">2002:ba67:3cc6::ba67:3cc6</Data>
      <Data Name="LocalKeyModPort">500</Data>
      <Data Name="RemoteAddress">2002:404c:bf98::404c:bf98</Data>
      <Data Name="RemoteKeyModPort">500</Data>
      <Data Name="KeyModName">%%8222</Data>
      <Data Name="FailurePoint">%%8199</Data>
      <Data Name="FailureReason">No hay ninguna directiva configurada
    </Data>
      <Data Name="MMAuthMethod">%%8194</Data>
      <Data Name="State">%%8201</Data>
      <Data Name="Role">%%8205</Data>
      <Data Name="MMImpersonationState">%%8217</Data>
      <Data Name="MMFilterID">0</Data>
      <Data Name="InitiatorCookie">7ca2374308a6f9a0</Data>
      <Data Name="ResponderCookie">0000000000000000</Data>
     </EventData>
    </Event> 
    

    Thank you very much for your help. If you have any ideas about what's happening or where I should look, I'll be really happy.

    Regards!!

    Ricardo Polo

    Monday, June 20, 2011 4:04 PM
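The event posted above reports the failure point as the local computer ("Equipo local") with a responder cookie of all zeros, which means the Main Mode negotiation failed before the DirectAccess server ever answered. The following Python script is an added example, not code from the original post or from Microsoft: it parses the posted event XML, resolves the %% placeholders using the pairing visible between the rendered text and the XML in this thread (only those codes are mapped; anything else is reported raw), and groups 4653 events by remote address, failure point, reason and role so that a batch exported from the Security log can be triaged. The localized failure reason text is kept as it appears in the log.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event schema namespace used by the <Event> element
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rendered event text in the thread shows which human-readable value each
# %% placeholder in the XML stands for; only those pairings are listed here.
PLACEHOLDERS = {
    "%%8222": "IKEv1",                   # Nombre de módulo de generación de claves
    "%%8199": "Local computer",          # Punto de error: Equipo local
    "%%8194": "Unknown authentication",  # Método de autenticación: Autenticación desconocida
    "%%8201": "No state",                # Estado: Sin estado
    "%%8205": "Initiator",               # Rol: Iniciador
    "%%8217": "Not enabled",             # Estado de suplantación: No habilitado
}

# The event XML posted in the question, embedded so the script runs offline.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
  <EventID>4653</EventID>
  <Version>0</Version>
  <Level>0</Level>
  <Task>12547</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8010000000000000</Keywords>
  <TimeCreated SystemTime="2011-06-20T15:12:29.383898300Z" />
  <EventRecordID>15028</EventRecordID>
  <Correlation />
  <Execution ProcessID="564" ThreadID="3248" />
  <Channel>Security</Channel>
  <Computer>Infraestractura.corp.canalcaracol.com</Computer>
  <Security />
 </System>
 <EventData>
  <Data Name="LocalMMPrincipalName">-</Data>
  <Data Name="RemoteMMPrincipalName">-</Data>
  <Data Name="LocalAddress">2002:ba67:3cc6::ba67:3cc6</Data>
  <Data Name="LocalKeyModPort">500</Data>
  <Data Name="RemoteAddress">2002:404c:bf98::404c:bf98</Data>
  <Data Name="RemoteKeyModPort">500</Data>
  <Data Name="KeyModName">%%8222</Data>
  <Data Name="FailurePoint">%%8199</Data>
  <Data Name="FailureReason">No hay ninguna directiva configurada
</Data>
  <Data Name="MMAuthMethod">%%8194</Data>
  <Data Name="State">%%8201</Data>
  <Data Name="Role">%%8205</Data>
  <Data Name="MMImpersonationState">%%8217</Data>
  <Data Name="MMFilterID">0</Data>
  <Data Name="InitiatorCookie">7ca2374308a6f9a0</Data>
  <Data Name="ResponderCookie">0000000000000000</Data>
 </EventData>
</Event>"""


def parse_4653(xml_text):
    """Return the EventData of a 4653 event as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 4653:
        return None
    ev = {
        "EventID": event_id,
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        value = (d.text or "").strip()  # FailureReason carries a trailing newline
        ev[d.get("Name")] = PLACEHOLDERS.get(value, value)
    return ev


def no_reply_from_peer(ev):
    """True when the responder cookie is still all zeros: the negotiation failed
    before any IKE reply from the peer was processed, i.e. on the local side."""
    return ev["ResponderCookie"] == "0" * 16


def summarize(events):
    """Count failures per (remote address, failure point, failure reason, role)."""
    return Counter(
        (e["RemoteAddress"], e["FailurePoint"], e["FailureReason"], e["Role"])
        for e in events
    )


if __name__ == "__main__":
    ev = parse_4653(SAMPLE_EVENT)
    for key in ("Computer", "TimeCreated", "KeyModName", "Role", "MMAuthMethod",
                "FailurePoint", "FailureReason", "RemoteAddress"):
        print(f"{key:14} {ev[key]}")
    print("no reply from peer:", no_reply_from_peer(ev))
    for key, count in summarize([ev]).items():
        print(count, key)
```

To feed real events in, export them from the affected machine with `wevtutil qe Security /q:"*[System[EventID=4653]]" /f:xml` (the output is a sequence of `<Event>` elements, so split it into one element per call to `parse_4653`). A local failure point combined with a zero responder cookie and the reason "no policy configured" points at the client's own IPsec policy selection for that destination rather than at the server, which is consistent with the resolution later in this thread.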

Answers

  • This issue is handled by Microsoft CSS.


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Friday, August 26, 2011 11:55 PM
    Friday, August 26, 2011 11:55 PM
  • Hello. I was working on this issue with Professional Support, with the engineer Krishna Kumar and the IPsec SME team, for almost a month, thinking that it was a driver issue.

    And it was not. The issue was really simple, but we started looking at other things and didn't try it.

    We had the IPsec issue when trying to connect to \\Server, but not when trying \\Server.Domain.local.

    When we tried to access it using the FQDN we had access, but with only the server name we did not.

    The issue was due to a bad entry in the Windows 7 Credential Manager. In our case the software used to connect to the Internet using a 3G modem created that entry in the Credential Manager, and that makes DirectAccess not work as expected.

    Thank you very much for your help.

    Ricardo Polo

     

     

    • Marked as answer by Ricardo Polo Saturday, August 27, 2011 12:42 AM
    Saturday, August 27, 2011 12:42 AM
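The root cause above is a stale Credential Manager entry keyed on the bare server name, which only affects access by short name while the FQDN keeps working. The following Python script is an added example (not from the poster, the support engineers, or Microsoft) for auditing the store before touching it: it parses `cmdkey /list` output, lists entries whose target is a bare host name, finds the ones keyed on a given server, and builds the matching `cmdkey /delete:` commands for review without running them. The sample output is constructed for this example; its line shape ("Target:", "Type:", "User:" per entry) follows the real tool's layout as known to the author of this example, and the entry values are invented. On Windows, `live_entries()` reads the real store; elsewhere it falls back to the sample.

```python
import platform
import subprocess

# Constructed sample of "cmdkey /list" output for this example; values are invented.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:target=fileserver
    Type: Domain Password
    User: CORP\\ricardo

    Target: LegacyGeneric:target=3g-modem-dialer
    Type: Generic
    User: pppuser
    Local machine persistence

    Target: Domain:target=fileserver.corp.example.local
    Type: Domain Password
    User: CORP\\ricardo
"""


def parse_cmdkey_list(text):
    """Split cmdkey /list output into entries: raw target, bare target, type, user."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Target:"):
            raw = line[len("Target:"):].strip()
            # "Domain:target=host" / "LegacyGeneric:target=name" -> the part after target=
            bare = raw.split("target=", 1)[1] if "target=" in raw else raw
            entries.append({"raw_target": raw, "target": bare, "type": "", "user": ""})
        elif entries and line.startswith("Type:"):
            entries[-1]["type"] = line[len("Type:"):].strip()
        elif entries and line.startswith("User:"):
            entries[-1]["user"] = line[len("User:"):].strip()
    return entries


def short_name_entries(entries):
    """Entries whose target is a bare host name (no domain suffix, no service prefix)."""
    return [e for e in entries if "." not in e["target"] and "/" not in e["target"]]


def entries_for_host(entries, host):
    """Entries keyed on exactly this host name, compared case-insensitively."""
    return [e for e in entries if e["target"].lower() == host.lower()]


def removal_commands(entries):
    """Build (but do not run) the cmdkey commands that would remove these entries."""
    return [f"cmdkey /delete:{e['target']}" for e in entries]


def live_entries():
    """Read the real credential store on Windows; elsewhere use the sample output."""
    if platform.system() != "Windows":
        return parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)
    result = subprocess.run(["cmdkey", "/list"], capture_output=True, text=True, check=False)
    return parse_cmdkey_list(result.stdout)


if __name__ == "__main__":
    entries = live_entries()
    print("entries keyed on a bare host name:")
    for e in short_name_entries(entries):
        print(f"  {e['target']:28} {e['type']:16} {e['user']}")
    suspects = entries_for_host(entries, "fileserver")
    print("review before removing:")
    for cmd in removal_commands(suspects):
        print("  " + cmd)
```

The short-name filter is the useful signal here: an entry such as `fileserver` sits alongside a working `fileserver.corp.example.local` and explains why only `\\Server` fails. Run the script per user profile, since Credential Manager is per user, and confirm with the owner which software wrote the entry before removing it.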
