The weird thing was that at the same time these clients (Windows 7 DirectAccess UAG clients) can ping and RDP/MSTSC any other Windows 2012 member server without any problem at all.
I did some intensive checks and research on the Internet but could not find anything regarding Server 2012 domain controllers issues with UAG based Direct Access, As per Microsoft Escalation team recommendation we did a full tracing scenario on both the UAG and Windows 7 client.
I tried to reproduce the problem while turning simultaneous capture on both the client and the UAG server using the below Scenario
Netsh wfp capture start
netsh trace start scenario=directaccess capture=yes report=yes
Tried both RDP and Ping to the Problematic Windows server 2012 domain Controller
Netsh trace stop
Netsh wfp capture stop
After Analyzing the captured logs, it was noticed that the DA client is using an Expired Security Association when it cannot access the 2012 server. Tracing from UAG server showing the RDP traffic dropped on UAG Server due to the following error.
“STATUS_IPSEC_WRONG_SA”
Resolution:
This problem was fixed by installing the hotfix for IKEEXT.dll on the UAG 2010 DA server and on the Windows 7 DA client. It should be noted that this fix is only for 2008R2 servers and Windows 7 Clients
2801453-Delay during IPsec renegotiation on a computer that is running Windows 7 or Windows Server 2008 R2
After installing this fix on both the UAG server and Windows 7 client, i was able to RDP/MSTSC the 2012 Domain Controller/DNS without any problems.
0 comments:
Post a Comment