It Calls

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 19 December 2011

Teredo with UAG SP1 Direct Access not working

Posted on 14:54 by Unknown
This problem was reported on a standard DirectAccess implementation scenario where all clients aren’t able to connect using Teredo and they all fall back to IPHTTPS which is the last resort for any DirectAccess connection.

Symptoms:
1.       When checking the Teredo Interface state, the following was displayed.
Netsh int teredo show state
Client Type             : teredo host-specific relay
The Client type should have been Teredo Client for a successful Teredo connection.
2.       I disabled the IPHTTPS interface to ensure it won’t fall back to the IPHTTPS option, opened wf.msc (windows Firewall with advanced security mmc) and navigate to monitoring – Security associations – Main Mode and Quick Mode. Both displayed nothing as shown in the figure below. This indicated IPSEC connection failure
Windows Firewall with advanced Security

3.       After capturing both server and client logs and with the help of a Microsoft senior engineer we noticed the following error
 Windows error 13887(ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH)


Resolution:
1.       A recent KB was released from Microsoft to address this specific Certificate problem with a recommended fix. This fix needs to be applied on both the DirectAccess Server and Client.
 http://support.microsoft.com/default.aspx?scid=kb;EN-US;2615847

2.       It turned out that the DirectAccess server has an Antivirus solution which seems to load several modules like NAC and others although it was configured to run normal AV file protection.

 After applying the Fix and removing the AV from the UAG server the clients were able to connect normally using Teredo.

Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in DirectAccess, UAG | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Error 0x803100B7 Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device
    I Purchased few weeks ago the Microsoft Surface Pro tablet, its a very nice production tablet that really enables remote users to run their ...
  • How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub
    Its highly recommended when building your Microsoft PKI (Public Key Infrastructure) to have your Root CA offline after issuing the Enterpris...
  • WMI Unhealthy on 2008R2 Domain Controllers - WBEM_E_QUOTA_VIOLATION
    Windows Management Instrumentation (WMI) is a key core windows management technology. It provides a consistent approach to carry day to day ...
  • The Card Supplied Requires Drivers that are not present on this System
    I recently started getting the above mentioned Logon warning Message (Check below screen shot) while logging on my old 2003 and 2003R2 serve...
  • Manual Install of UAG 2010/Remote App and RDS Portal Components
    Microsoft UAG 2010 main functions are Application Publishing and Enhanced DirectAccess deployment. The Application publishing allows you to ...
  • Microsoft Hyper-V VMMS & System services stop after December 2012 Updates (KB2506143)
    I had an issue recently with some Hyper-V servers where it was noticed that the Hyper-V system services (VMMS, VHDSVC & NVSPWMI) gets st...
  • Troubleshooting Event ID 1058, Group Policy gpt.ini
    Event ID: 1058 Source: Group Policy "The Processing of Group Policy failed. Windows attempted to read the file \\domain\sysvol\domain\p...
  • Microsoft Update List for Hyper-V
    A lot of IT Professionals are moving to Hyper-V and they need to keep updated with all Hyper-V hotfixes, updates and Service Packs. The Belo...
  • How to Clean Microsoft WSUS Content Folder from Old and unneeded Products
    Microsoft WSUS administrators sometimes tend to select all given Products (Options - Products and Classifications) and by time the WSUS cont...
  • The Active Directory integrated DNS zone _msdcs.domain.com was not found
    Error Reported in Event Viewer or DNS Best Practices Analyzer. "The Active Directory integrated DNS zone _msdcs.domain.com was not foun...

Categories

  • Active Directory
  • Bitlocker
  • DirectAccess
  • Hyper-V
  • Lync
  • PKI
  • SQL
  • System Center
  • UAG
  • WSUS

Blog Archive

  • ►  2014 (1)
    • ►  January (1)
  • ►  2013 (27)
    • ►  December (5)
    • ►  November (4)
    • ►  October (2)
    • ►  September (1)
    • ►  August (4)
    • ►  July (4)
    • ►  May (1)
    • ►  April (2)
    • ►  March (3)
    • ►  February (1)
  • ►  2012 (25)
    • ►  December (2)
    • ►  November (3)
    • ►  October (3)
    • ►  September (2)
    • ►  August (2)
    • ►  July (2)
    • ►  May (2)
    • ►  April (1)
    • ►  March (3)
    • ►  February (2)
    • ►  January (3)
  • ▼  2011 (5)
    • ▼  December (2)
      • Passed EC-Council CHFI (Computer Hacking Forensics...
      • Teredo with UAG SP1 Direct Access not working
    • ►  November (3)
Powered by Blogger.

About Me

Unknown
View my complete profile