DirectAccess connection issue when outside of the corporate network (error 0x2745 with Teredo)

    Question

    Hello everybody,

    I am writing this message as one of our end users in my company suddenly lost his ability to connect to our company network via the DirectAccess technology.
    This end user is based in Asia and works outside our main company premises all year.

    Obviously, the problem started happening right after he changed his password.
    I searched the Web before posting this message and I could find some troubleshooting guides.

    We are using an IP-HTTPS tunnel and sometimes, Teredo is used when the end user is behind NAT or not.

    Here are the tests I could do (by the way, the end user has the DirectAccess Connectivity Assistant version 2.0 installed on his PC at the moment):

    - Generated logs from the DirectAccess Connectivity Assistant :

    The main error message states (some addresses were changed for security reasons):

    RED: Corporate connectivity is not working. 
    Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator. 
    28/9/2016 14:50:28 (UTC) 

    Probes List 
    FAIL - HTTP: http://mycompanywebsite

    DTE List 
    FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::1 
    FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::2

    Here is the rest of the log and different tests :

    ***************************************************************************
    ipconfig /all
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : hostname
       Primary Dns Suffix  . . . . . . . : corp.mycompany
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : corp.mycompany
                                          

    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Bluetooth (PAN)
       Physical Address. . . . . . . . . : DC-53-60-DE-50-5C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wireless Network Connection:
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7265
       Physical Address. . . . . . . . . : DC-53-60-DE-50-58
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%12(Preferred) 
       IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, September 28, 2016 10:35:52 PM
       Lease Expires . . . . . . . . . . : Thursday, September 29, 2016 12:43:48 AM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 215765856
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-21-2D-42-DC-4A-3E-5F-2B-E2
       DNS Servers . . . . . . . . . . . : 192.168.1.1
                                           8.8.8.8
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Local Area Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection (3) I218-LM
       Physical Address. . . . . . . . . : DC-4A-3E-5F-2B-E2
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter iphttpsinterface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{33420098-E978-49D4-99F8-803C726FAC4A}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    --------------------------------------------------------

    ***************************************************************************
    netsh int teredo show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified

    --------------------------------------------------------

    ***************************************************************************
    netsh int httpstunnel show interfaces
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int httpstunnel show interfaces
    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://mycompanyportal:443/IPHTTPS
    Last Error Code            : 0x2745
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect

    --------------------------------------------------------

    ***************************************************************************
    netsh dns show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh dns show state
    Name Resolution Policy Table Options 
    --------------------------------------------------------------------
    Query Failure Behavior                : Always fall back to LLMNR and
                                            NetBIOS for any kinds of errors
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used
    Machine Location                      : Outside corporate network
    Direct Access Settings                : Configured and Enabled
    DNSSEC Settings                       : Not Configured

    --------------------------------------------------------

    ***************************************************************************
    netsh name show policy
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh name show policy
    DNS Name Resolution Policy Table Settings

    I cannot disclose the entries here but I can confirm that I see all items for the NRPT table listed with IPv6 address for each of them.

    --------------------------------------------------------

    ***************************************************************************
    netsh name show effective
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh name show effective
    DNS Effective Name Resolution Policy Table Settings

    Same as above here. I cannot disclose the full list but all the items are listed with their IPv6 addresses (I can confirm that after having compared values on a working PC).

    --------------------------------------------------------

    ***************************************************************************
    netsh adv mon show mmsa
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh adv mon show mmsa
    No SAs match the specified criteria.

    --------------------------------------------------------

    ***************************************************************************
    netsh nap client show state
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh nap client show state
    The "Network Access Protection Agent" service is not running.

    --------------------------------------------------------

    ***************************************************************************
    wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true

    Same thing here where I cannot list the full certificate details.

    I can see all the details related to the certificate and after checking the MMC console, I can find the certificate (PKI) for the personal store like any working PC for DirectAccess.

    --------------------------------------------------------

    ***************************************************************************
    netsh int ipv6 show int level=verbose
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int ipv6 show int level=verbose
    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 21000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 12
    State                              : connected
    Metric                             : 20
    Link MTU                           : 1500 bytes
    Reachable Time                     : 36500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 11
    State                              : disconnected
    Metric                             : 5
    Link MTU                           : 1468 bytes
    Reachable Time                     : 44000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 17
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 22000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface Bluetooth Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_9
    IfIndex                            : 14
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1500 bytes
    Reachable Time                     : 39500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface isatap.{33420098-E978-49D4-99F8-803C726FAC4A} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_10
    IfIndex                            : 21
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 17000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_11
    IfIndex                            : 20
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 26000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_16
    IfIndex                            : 18
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 31000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    --------------------------------------------------------

    ***************************************************************************
    netsh advf show currentprofile
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advf show currentprofile
    Public Profile Settings: 
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    Ok.

    --------------------------------------------------------

    ***************************************************************************
    netsh advfirewall monitor show consec
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advfirewall monitor show consec
    Global Settings: 
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    StatefulFTP                           Enable
    StatefulPPTP                          Enable
    Main Mode:
    KeyLifetime                           480min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No
    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall

    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None
    Security Associations:
    No SAs match the specified criteria.
    --------------------------------------------------------

    ***************************************************************************
    Certutil -store my
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>Certutil -store my
    my

    I cannot disclose information here but I can guarantee that all the relevant information for the certificate is present in this section.

    --------------------------------------------------------

    Systeminfo and whoami /groups are returning normal information and I can see the relevant security group listed as well.

    ---------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------

    As you may have noticed, the "netsh int httpstunnel show interfaces" is returning error 0x2745 and I do not understand why (I searched the Web for this exact error code but could not find anything similar).

    Anyway, I can confirm that after having checked manually, both the DirectAccess Connectivity Assistant and related services are set correctly, checking "gpedit.msc" returns all the NRPT entries, the DirectAccess firewall rules are in place in the Windows Firewall configuration, and IPv6 is enabled and returning a valid address.

    Also, the end user has a working connection on the Internet and has the same symptoms when trying a connection behind a router or a mobile hotspot.

    The "Registry.pol" for Global Policies is still present as well.

    Have you already seen such an issue in the past ?

    Do you know if it is possible to extract a full DirectAccess configuration from a working PC to the one impacted by this issue (considering it is outside the company and that the end user will not have the opportunity to come back on site immediately) ?
    I know there is a guide to do this on TechNet but this does not solve my issue; should I move the Teredo status from client to enterprise client, for instance?

    Thanks in advance.

    Julien


    Thursday, September 29, 2016 10:38 PM
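As an added example that is not part of the original post and not Microsoft's tooling: a Python script that triages the netsh sections of a DCA log bundle offline. The one thing it settles that the poster's web search did not is the error code itself: netsh prints Winsock errors in hex, and 0x2745 is decimal 10053, WSAECONNABORTED ("software caused connection abort"), so the failure is at the HTTPS connection to the IP-HTTPS URL, before NRPT or IPsec come into play (the empty SA list is a consequence of the tunnel never coming up, not an independent fault). The sample log below is constructed from the sections quoted in the post; the Teredo check relies on the general DirectAccess behaviour that a deployment which uses Teredo pushes type enterpriseclient with the DA server's public address, which is the setting the question raises at the end.

```python
"""Offline triage of the netsh sections in a DirectAccess Connectivity Assistant log.

Added example for this thread, not Microsoft tooling and not the poster's code.
SAMPLE_LOG is constructed from the sections quoted in the post (names redacted).
"""
import re

# Winsock error numbers from winerror.h; netsh prints them in hex, so the
# posted 0x2745 is decimal 10053.
WINSOCK_ERRORS = {
    10053: ("WSAECONNABORTED", "software caused connection abort"),
    10054: ("WSAECONNRESET", "connection reset by peer"),
    10060: ("WSAETIMEDOUT", "connection timed out"),
    10061: ("WSAECONNREFUSED", "connection refused"),
    11001: ("WSAHOST_NOT_FOUND", "host not found"),
}

# A DCA section is a row of asterisks, the command, another row of asterisks,
# then the command output up to the next row of asterisks (or end of file).
SECTION_RE = re.compile(
    r"\*{10,}\n(?P<cmd>[^\n]+)\n\*{10,}\n(?P<body>.*?)(?=\n\*{10,}|\Z)", re.S)
# "Key   : value" rows inside a section; keys may contain spaces.
KV_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z][A-Za-z /()-]*?)\s*:\s*(?P<val>.+?)\s*$", re.M)

# Constructed from the post's output; not a real capture.
SAMPLE_LOG = """\
***************************************************************************
netsh int teredo show state
***************************************************************************
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
***************************************************************************
netsh int httpstunnel show interfaces
***************************************************************************
Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://mycompanyportal:443/IPHTTPS
Last Error Code            : 0x2745
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect
***************************************************************************
netsh adv mon show mmsa
***************************************************************************
No SAs match the specified criteria.
"""


def split_sections(log):
    """Map each command header in the bundle to its raw output."""
    return {m.group("cmd").strip(): m.group("body") for m in SECTION_RE.finditer(log)}


def parse_kv(body):
    """Turn 'Key : value' rows into a dict; the first occurrence of a key wins."""
    out = {}
    for m in KV_RE.finditer(body):
        out.setdefault(m.group("key").strip(), m.group("val").strip())
    return out


def decode_winsock(code_text):
    """'0x2745' or '10053' -> (10053, 'WSAECONNABORTED', 'software caused connection abort')."""
    code = int(code_text, 0)  # base 0 accepts both the hex netsh prints and plain decimal
    name, desc = WINSOCK_ERRORS.get(code, ("UNKNOWN", "not in the table above"))
    return code, name, desc


def triage(log):
    """Return (severity, finding) tuples for a DCA log bundle."""
    sections = split_sections(log)
    findings = []
    https = parse_kv(sections.get("netsh int httpstunnel show interfaces", ""))
    if "Last Error Code" in https:
        code, name, desc = decode_winsock(https["Last Error Code"])
        if code:
            findings.append(("FAIL", f"IP-HTTPS to {https.get('URL', '?')}: "
                             f"{https.get('Interface Status', '?')}; error {code} "
                             f"{name} ({desc}): the HTTPS session to the server is "
                             "torn down before the tunnel comes up"))
    teredo = parse_kv(sections.get("netsh int teredo show state", ""))
    if teredo.get("Type", "").lower() == "client":
        findings.append(("WARN", f"Teredo type 'client' via {teredo.get('Server Name', '?')}: "
                         "a DA deployment that uses Teredo pushes 'enterpriseclient' with the "
                         "DA server's public address, so check that the DA client GPO applied"))
    if "No SAs match" in sections.get("netsh adv mon show mmsa", ""):
        findings.append(("INFO", "no IPsec main mode SAs: expected while no transition "
                         "tunnel (IP-HTTPS/Teredo) is up, a consequence rather than a cause"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print(f"{severity:4} {finding}")
```

Run it against the DCA log directory instead of SAMPLE_LOG by reading the text files it writes; the section regex is keyed on the asterisk headers the DCA emits, so it is indifferent to which netsh commands the bundle contains. Because the code is a Winsock error, the next useful step is a packet capture or `netsh trace` on the client of the HTTPS handshake to the IP-HTTPS URL, which the netsh state output alone cannot show.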