Solved

direct access client

Posted on 2014-02-06
Last Modified: 2014-04-05
I have two issues. My VPN works just fine but my direct access clients sit on connecting forever. Not sure where to begin troubleshooting. Also, my dashboard for clients says "Maximum client connections: 1". Is this my limit? If so, how do I increase this? Or is this the maximum that have connected at once so far?
Question by:jsgrosskopf
12 Comments
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39841322
Maximum client connections are the peak in clients connected at the same time.

If it's sat on "Connecting...." then you have another issue with the infrastructure.
0
 

Author Comment

by:jsgrosskopf
ID: 39841709
Thanks for the answer regarding max connections. The other issue is I realize there is an infrastructure issue but I don't know what. All my icons are green in the direct access dashboard. I can't ping anything on my domain on my client and it is stuck at connecting.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39841798
Are you running Windows 7 or Windows 8?

Either way you can run the diagnostics from the Direct Access client or the Direct Access Connectivity Assistant and then start on troubleshooting.

The first step is making sure you can resolve and ping your DA connection URL.

Then check the certificate that's being presented and make sure you can validate that.

If you are running Windows 8 then there are fewer things to have to sort out.
With Windows 7 there are some extra complications.

You can use these two commands to show potential issues:

Netsh int httpstunnel show int

and

Get-DAConnectionstatus

If you post them up then we can start troubleshooting.
0

 

Author Comment

by:jsgrosskopf
ID: 39842232
I found another issue that may tie both together. I did not realize but none of my VPN clients can connect to external sites (google.com, msn.com etc.) when they are on VPN. They can connect to everything in house. This is the case whether I use forced tunneling or not. I have tried about 50 other changes and suggestions browsing through websites but none fix the problem. Does anyone have any ideas? I'm thinking if I fix this, maybe the direct access will start working.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39842719
Well, the VPN client will be down to routing. Leave it with no split tunneling and first do a DNS lookup on google or something similar to check DNS is working, then do a trace route to see if the network path to it is correct.

Do you have a proxy server on your network? Is that configured to allow connections from VPN clients?

The direct access won't have anything to do with that. You need to run through the basic checks to see if you can resolve the DirectAccess server URL, and check to see if you can get to it.
0
 

Author Comment

by:jsgrosskopf
ID: 39842731
OK, I'll put the forced tunneling back in place. The last time I believe I could resolve the IP for google and espn.com. We do not use a proxy; I have an internal firewall set up as my gateway. My external connection on the DA server is connected directly to my cable modem. My internal is connected to the internal switch / internal gateway. I have a gateway configured on the external card and no gateway on the internal card. I attempted to install NAT but that did not work; I saw no traffic between internal and external. I figured with forced tunneling, the client would get our internal gateway, however the address is blank when they connect.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39842936
That's why it doesn't work, if it hasn't picked up any network topology.
What is doing your VPN - what kind of firewall/VPN client?

To help with the DA status can you confirm these:

Have you put static routes on the DA server to point to the internal network?
Did you do simple setup or manual setup?
Win7 or Win8 client?
Can you run the two commands I gave before and put the output up here?
0
 

Author Comment

by:jsgrosskopf
ID: 39847231
Sorry it took so long to respond. I had to attend a camping trip with my son and left the office early Friday.

Our firewall is a PFSense firewall but this DA server is not connected to this firewall. The DA server is connected directly to the modem. The only firewall is the Windows firewall running on the DA server. As for the Internal connection, it is connected to our switch with the gateway pointing to our PFSense firewall. The VPN client is the built in Microsoft VPN client.

2nd question, I put a static IP of 192.168.0.105 on the internal connection. In the Windows 7 client, all of my users are using the simple setup. I have read that you can go into manual setup and select some option to use local gateway but that does not work either; then the situation is reversed (can get google, but no VPN resources).

I put forced tunneling back into place and ran the DNS lookup and tracert on google.com and compared to my workstation at work. The results are:

Client via DA: (This may lend some insight).
server: attunite.lan (AT&T wireless router client is connecting to)
address: 192.168.0.101

Name: google.com.(ourdomain).com
Address: 66.223.17.5

Client with VPN:
server: (our internal DNS server) internaldnsserver.ourdomain.com
address: 192.168.0.101

name: google.com
address: 2607.f8b0.4006.807::100e
74.125.228.73
74.125.228.68
etc.

Workstation:
Same as VPN yet VPN will not access google and workstation does. VPN Client says cannot display page

Tracert DA:
google.com: unable to resolve target

Tracert VPN:

google.com 74.125.228.70
internalDAservername.domain.com (192.168.1.193) (not the ip I assigned to the server)
Request timed out forever

TraceRT Workstation
google.com 74.125.228.70
several hops...Washington, Comcast etc.

Hope this gives some insight. I'm a little lost at the moment.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39849497
What is the VPN connecting to? Is that the DirectAccess server as well?

Might need to start from scratch and run through the DA setup.

First thing - network setup:
The Direct Access server should have 2 NICs.
The external NIC should have a default gateway and no DNS.
The internal NIC should have no default gateway and DNS (which points at your internal DNS servers).

The two addresses on each server should have IP addresses on different subnets, i.e.
external 192.168.1.35
internal 192.168.2.35

Then you would put static routes on to point it at the internal subnet:
route add 192.168.2.0 mask 255.255.255.0 192.168.2.1 -p

The above assumes it's a /24 subnet and the default gateway is the start of the range.


As you are using Windows 7, certificates become important.
What have you used for the Direct Access server certificate and what have you used for the client certificate that installs on the Windows 7 machine?

Also, can you run the commands I gave you on the Direct Access client (the top one being more useful on Windows 7):

Netsh int httpstunnel show int

and

Get-DAConnectionstatus
0
 

Author Comment

by:jsgrosskopf
ID: 39863558
Sorry I took so long to reply. I finally gave in and opened up an incident with Microsoft. After three days, this setup is in worse shape than ever. Now I can't even get the direct access client to install with group policy. They will continue to work on it this week and I'll report what they did when they finally get it working. Thanks.
0
 

Accepted Solution

by:
jsgrosskopf earned 0 total points
ID: 39966490
Ended up getting Microsoft to help. The issue ended up being a problem with two different DHCP scopes. My servers are on 192.168.0 and my clients are 192.168.1. We use a subnet mask of 255.255.254.0. With VPN, the clients are assigned 255.255.255.0 (can't change this apparently) so the clients were connecting with 192.168.1.0 network and 255.255.255.0 address and could not get to any servers, firewall, gateway, anything. I ended up with a specific DHCP for my VPN clients that assigns them a 192.168.0. address and all is well.
0
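
The mask mismatch described in the accepted solution, worked through as an added example (not part of the original thread and not Microsoft's diagnostic): a simplified on-link check showing why a 192.168.1.x client with mask 255.255.255.0 cannot reach the 192.168.0.x servers or a gateway there, while the same client with 255.255.254.0, or a 192.168.0.x client, can. The client host addresses (.1.50, .0.200) and the 192.168.0.1 gateway are constructed; the server addresses and both masks are taken from the posts above.

```powershell
# Added example, not from the thread. Simplified on-link model of the mask mismatch.
# From the thread: 192.168.0.105 (DA server internal NIC), 192.168.0.101 (internal DNS),
# masks 255.255.254.0 and 255.255.255.0.
# Constructed: client hosts 192.168.1.50 / 192.168.0.200 and gateway 192.168.0.1.

function Get-NetworkId {
    param([string]$Address, [string]$Mask)
    $ip = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m  = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    # AND each octet with the mask octet: the network the host believes it is on
    (0..3 | ForEach-Object { $ip[$_] -band $m[$_] }) -join '.'
}

function Get-NextHop {
    param([string]$ClientIP, [string]$Mask, [string]$Gateway, [string]$Target)
    $local = Get-NetworkId -Address $ClientIP -Mask $Mask
    if ((Get-NetworkId -Address $Target -Mask $Mask) -eq $local) { return 'on-link' }
    # A gateway only helps if the client can reach it directly under its own mask
    if ($Gateway -and ((Get-NetworkId -Address $Gateway -Mask $Mask) -eq $local)) {
        return "via $Gateway"
    }
    return 'unreachable'
}

$cases = @(
    @{ Name = 'LAN workstation';         IP = '192.168.1.50';  Mask = '255.255.254.0'; Gw = '192.168.0.1' }
    @{ Name = 'VPN client, blank gw';    IP = '192.168.1.50';  Mask = '255.255.255.0'; Gw = '' }
    @{ Name = 'VPN client, gw assigned'; IP = '192.168.1.50';  Mask = '255.255.255.0'; Gw = '192.168.0.1' }
    @{ Name = 'VPN client after fix';    IP = '192.168.0.200'; Mask = '255.255.255.0'; Gw = '' }
)
$targets = '192.168.0.105', '192.168.0.101'

foreach ($c in $cases) {
    foreach ($t in $targets) {
        [pscustomobject]@{
            Case    = $c.Name
            Client  = "$($c.IP) / $($c.Mask)"
            Target  = $t
            NextHop = Get-NextHop -ClientIP $c.IP -Mask $c.Mask -Gateway $c.Gw -Target $t
        }
    }
}
```

On a live client, compare the mask shown by `ipconfig /all` on the VPN adapter against the mask the LAN DHCP scope hands out before changing anything else.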
 

Author Closing Comment

by:jsgrosskopf
ID: 39979830
Microsoft solved it
0
