A few DirectAccess Questions

  • Question

  • We have deployed DirectAccess for a couple of our remote sales users and for the most part it has worked great. There are 2 problems that we have experienced:

    1.   While connected using DirectAccess and the internet connection is lost, DirectAccess is not automatically reconnecting. A restart of the computer is required to establish the DirectAccess connection.

    2.   Sometimes the laptop isn't used for a number of days. I'm not sure on the exact number of days it's not used, but let's say 1 week. When the laptop is used again remotely DirectAccess will not reconnect. The laptop has to be connected to the domain and then DirectAccess will work again.

    I've started going through the logs and doing some troubleshooting, so any advice is appreciated.

    Thanks

    Wednesday, May 18, 2011 2:25 PM

All replies

  • Do you actually need to cause the computer to dis-join and re-join the domain or just plug it into the network and "check-in" with a domain controller?

    It almost sounds like a problem with NTLM somewhere.


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Thursday, May 19, 2011 4:44 AM
  • We just plug it in to the network and have the user log in and that fixes the issue.

    Thursday, May 19, 2011 1:41 PM
  • You could put together a little script that does the following:

    net stop iphlpsvc

    net start iphlpsvc

     

    That seems to get things back on track for most of my users.

     

    It would be helpful if the DCA were to include some kind of 'reset the tunnel' type of option when things don't seem to be working.

    Thursday, May 19, 2011 8:21 PM
  • Thanks for the tip John, I'll give that a try tonight when I am doing my testing and let you know how it goes.
    Friday, May 20, 2011 2:42 PM
  • The DCA does include the option to run your own script(s) when doing the "advanced diagnostics". It's meant to allow you to collect additional data but you could try using that to restart the IP Helper service...

    Keep in mind that the DCA will only run scripts for a certain length of time so if it exceeds that limit the commands might not ever run.  For that reason I would also recommend that you issue the stop and start command to ensure that if the service is stopped it will be started too.  You can chain commands together with '&&' so it would look like this:

    net stop iphlpsvc && net start iphlpsvc


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Monday, May 23, 2011 3:05 AM
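
An added example, not part of the thread or any poster's script: the IP Helper restart discussed above, written so that the start is attempted even if the stop fails and the whole run stays inside a fixed time budget. The 30-second default and the helper name `Wait-ServiceStatus` are assumptions; the thread does not state the DCA's script time limit.

```powershell
# Added example: restart IP Helper (iphlpsvc) within a fixed time budget.
# Run elevated. $BudgetSeconds is an assumed value, not a documented DCA limit.
param([int]$BudgetSeconds = 30)

$name     = 'iphlpsvc'
$deadline = (Get-Date).AddSeconds($BudgetSeconds)
$svc      = Get-Service -Name $name -ErrorAction Stop

function Wait-ServiceStatus($Service, $Status, $Deadline) {
    # Wait for the requested status, but never past the overall deadline.
    $left = $Deadline - (Get-Date)
    if ($left -le [TimeSpan]::Zero) { return $false }
    try {
        $Service.WaitForStatus($Status, $left)
        return $true
    } catch {
        # Timeout or service control error: report failure to the caller.
        return $false
    }
}

if ($svc.Status -ne 'Stopped') {
    try {
        # Stop() returns immediately and also stops running dependent
        # services; those dependents are not restarted by this script.
        $svc.Stop()
    } catch {
        Write-Warning "Stop request for $name failed: $($_.Exception.Message)"
    }
    if (-not (Wait-ServiceStatus $svc 'Stopped' $deadline)) {
        Write-Warning "$name did not reach Stopped within the budget."
    }
}

# Attempt the start regardless of how the stop went, so the service is
# not left down when the script ends.
$svc.Refresh()
if ($svc.Status -ne 'Running') {
    try { $svc.Start() } catch {
        Write-Warning "Start request for $name failed: $($_.Exception.Message)"
    }
}
$running = Wait-ServiceStatus $svc 'Running' $deadline
$svc.Refresh()
"{0}: {1}" -f $name, $svc.Status

# Show the IP-HTTPS interface state and last error code for the log.
netsh interface httpstunnel show interfaces
if (-not $running) { exit 1 }
```

A non-zero exit code means the service was not confirmed running when the budget ran out.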
  • Ultimately, something is wrong here as reconnection should be automatic and completely seamless to the end user...I agree the above workarounds are valid, but I would probably try and solve the core problem...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 23, 2011 1:05 PM
  • Jason,

    I have seen varying response from DA on machines that are very consistently put into sleep and hibernate, some that are not booted every day, and that seems to affect DA at times. The best example I can think of is this... My personal machine connects with DA perfectly, 49 times out of 50. I connect in church buildings with strict firewalls (HTTPS), and at home, and the homes of friends, etc.... On 2 occasions since going live, my DA has not connected immediately. Instead of restarting iphlpsvc, I waited to see what would happen (to duplicate what I've heard from others). It took about 15 minutes, but eventually, it just started. I was testing connectivity with pings along the way, so it wasn't just a matter of the DCA not reporting back correctly. It is hard for me to track down what this might be... as you say, the core problem?

    Monday, May 23, 2011 2:36 PM
  • There is an issue with IPHTTPS reconnection timeouts which can sometimes cause that sort of delay...maybe you hit that?

    http://social.technet.microsoft.com/Forums/nl-NL/forefrontedgeiag/thread/33dc27c0-0382-40a5-8c7e-14b2402762cc

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 23, 2011 2:52 PM
  • Good information on iphttps not reconnecting guys. I've documented the commands and we'll give them a try the next time we have the problem.

    The big problem is DA not connecting after a laptop has not been connected to the domain for a number of days. I have a laptop that I haven't used on the domain since Friday afternoon. I just tried to connect remotely using DA and it will not connect. I am tethering over my phone which connects using IPHTTPS. My first thought is some kind of a certificate problem, but I can browse to the https website without any certificate errors. I have run the DA troubleshooter and it just says it can't connect to the Teredo server, which I know because it always connects using IPHTTPS when I am tethering. I can try to test Teredo tonight from my home network, but it should connect using IPHTTPS as it normally does.

    Thanks for your help so far guys, any further tips or suggestions are appreciated.

     

    Thanks

    Tuesday, May 24, 2011 3:00 PM
  • I was using an internal cert and Microsoft suggested that this could be causing a problem. I have since purchased a public cert and have issued it for DirectAccess. I have updated Forefront to SP1 also. I'll see if the problem appears again.

    Thanks

    Wednesday, June 8, 2011 7:00 PM