Joe Grosskopf

asked on

direct access client

I have two issues. My VPN works just fine but my direct access clients sit on connecting forever. Not sure where to begin troubleshooting. Also, my dashboard for clients says "Maximum client connections: 1". Is this my limit? If so, how do I increase this? Or is this the maximum that has connected at once so far?
Chris

Maximum client connections is the peak number of clients connected at the same time.

If it's sat on "Connecting...." then you have another issue with the infrastructure.
Joe Grosskopf

ASKER

Thanks for the answer regarding max connections. The other issue is I realize there is an infrastructure issue but I don't know what. All my icons are green in the direct access dashboard. I can't ping anything on my domain on my client and it is stuck at connecting.
Are you running Windows 7 or Windows 8?

Either way, you can run the diagnostics from the Direct Access client or the Direct Access Connectivity Assistant and then start on troubleshooting.

The first step is making sure you can resolve and ping your DA connection URL.

Then check the certificate that's being presented and make sure you can validate that.

If you are running Windows 8 then there are fewer things to have to sort out.
With Windows 7 there are some extra complications.

You can use these two commands to show potential issues:

Netsh int httpstunnel show int

and

Get-DAConnectionstatus

If you post them up then we can start troubleshooting.
I found another issue that may tie both together. I did not realize but none of my VPN clients can connect to external sites (google.com, msn.com etc.) when they are on VPN. They can connect to everything in house. This is the case whether I use forced tunneling or not. I have tried about 50 other changes and suggestions browsing through websites but none fix the problem. Does anyone have any ideas? I'm thinking if I fix this, maybe the direct access will start working.
Well, the VPN client will be down to routing. Leave it with no split tunneling and first do a DNS lookup on google or something similar to check DNS is working, then do a trace route to see if the network path to it is correct.

Do you have a proxy server on your network? Is that configured to allow connections from VPN clients?

The direct access won't have anything to do with that. You need to run through the basic checks to see if you can resolve the DirectAccess server URL, and check to see if you get to it.
OK, I'll put the forced tunneling back in place. The last time I believe I could resolve the IP for google and espn.com. We do not use a proxy, I have an internal firewall set up as my gateway. My external connection on the DA server is connected directly to my cable modem. My internal is connected to the internal switch / internal gateway. I have a gateway configured on the external card and no gateway on the internal card. I attempted to install NAT but that did not work, I saw no traffic between internal and external. I figured with forced tunneling, the client would get our internal gateway, however the address is blank when they connect.
That's why it doesn't work, if it hasn't picked up any network topology.
What is doing your VPN - what kind of firewall/VPN client?

To help with the DA status, can you confirm these:

Have you put static routes on the DA server to point to the internal network?
Did you do simple setup or manual setup?
Win7 or Win8 client?
Can you run the two commands I gave before and put the output up here?
Sorry it took so long to respond. I had to attend a camping trip with my son and left the office early Friday.

Our firewall is a PFSense firewall but this DA server is not connected to this firewall. The DA server is connected directly to the modem. The only firewall is the Windows firewall running on the DA server. As for the Internal connection, it is connected to our switch with the gateway pointing to our PFSense firewall. The VPN client is the built in Microsoft VPN client.

2nd question, I put a static IP of 192.168.0.105 on the internal connection. In the Windows 7 client, all of my users are using the simple setup. I have read that you can go into manual setup and select some option to use local gateway but that does not work either, then the situation is reversed (can get google, but no VPN resources).

I put forced tunneling back into place and ran the DNS lookup and tracert on google.com and compared to my workstation at work. The results are:

Client via DA: (This may lead to some insight).
server: attunite.lan (AT&T wireless router client is connecting to)
address: 192.168.0.101

Name: google.com.(ourdomain).com
Address: 66.223.17.5

Client with VPN:
server: (our internal DNS server) internaldnsserver.ourdomain.com
address: 192.168.0.101

name: google.com
address: 2607.f8b0.4006.807::100e
74.125.228.73
74.125.228.68
etc.

Workstation:
Same as VPN yet VPN will not access google and workstation does. VPN Client says cannot display page

Tracert DA:
google.com: unable to resolve target

Tracert VPN:

google.com 74.125.228.70
internalDAservername.domain.com (192.168.1.193) (not the ip I assigned to the server)
Request timed out forever

TraceRT Workstation
google.com 74.125.228.70
several hops...Washington, Comcast etc.

Hope this gives some insight. I'm a little lost at the moment.
What is the VPN connecting to? Is that the DirectAccess server as well?

Might need to start from scratch and run through the DA setup.

First thing - network setup
Direct Access server should have 2 NICs
the External NIC should have a default gateway and no DNS
the Internal NIC should have no default gateway and DNS (which points at your internal DNS servers)

The two addresses on each server should have IP addresses on different subnets, i.e.
external 192.168.1.35
internal 192.168.2.35

Then you would put static routes on to point it at the internal subnet:
route add 192.168.2.0 mask 255.255.255.0 192.168.2.1 -p

The above assumes it's a /24 subnet and the default gateway is the start of the range.


As you are using Windows 7, certificates become important.
What have you used for the Direct Access Server certificate and what have you used for the client certificate that installs on the Windows 7 machine?

Also, can you run the commands I gave you on the Direct Access client (the top one being more useful on Windows 7):

Netsh int httpstunnel show int

and

Get-DAConnectionstatus
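
The NIC layout listed in the post above (external NIC with a default gateway and no DNS, internal NIC with DNS and no default gateway, the two on different subnets) can be checked on the DA server with a short script. This is an added example, not something posted in the thread; the adapter names `External` and `Internal` are assumptions to replace with your own.

```powershell
# Added example: audits a two-NIC DirectAccess server against the layout in the post above.
param(
    [string]$ExternalAlias = 'External',   # assumption: replace with your adapter name
    [string]$InternalAlias = 'Internal'    # assumption: replace with your adapter name
)

function Get-NicSummary([string]$Alias) {
    $cfg = Get-NetIPConfiguration -InterfaceAlias $Alias -ErrorAction Stop
    $ip  = $cfg.IPv4Address | Select-Object -First 1
    [pscustomobject]@{
        Address = $ip.IPAddress
        Prefix  = [int]$ip.PrefixLength
        Gateway = @($cfg.IPv4DefaultGateway | Where-Object { $_ } |
                    ForEach-Object { $_.NextHop })
        # Count IPv4 resolvers only; IPv6 entries are ignored.
        Dns     = @($cfg.DNSServer | ForEach-Object { $_.ServerAddresses } |
                    Where-Object { $_ -and ([ipaddress]$_).AddressFamily -eq 'InterNetwork' })
    }
}

function Get-Network([string]$Address, [int]$Prefix) {
    # Mask each octet by the number of prefix bits that fall inside it.
    $bytes = ([ipaddress]$Address).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $Prefix - 8 * $i))
        $bytes[$i] = $bytes[$i] -band ((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    '{0}/{1}' -f ($bytes -join '.'), $Prefix
}

$ext = Get-NicSummary $ExternalAlias
$int = Get-NicSummary $InternalAlias

$checks = [ordered]@{
    'External NIC has a default gateway'  = $ext.Gateway.Count -gt 0
    'External NIC has no DNS servers'     = $ext.Dns.Count -eq 0
    'Internal NIC has no default gateway' = $int.Gateway.Count -eq 0
    'Internal NIC has DNS servers'        = $int.Dns.Count -gt 0
    'NICs are on different subnets'       = (Get-Network $ext.Address $ext.Prefix) -ne
                                            (Get-Network $int.Address $int.Prefix)
}
foreach ($name in $checks.Keys) {
    '{0,-5} {1}' -f $(if ($checks[$name]) { 'PASS' } else { 'FAIL' }), $name
}

# Routes on the internal NIC that use a next hop (static routes show up here).
Get-NetRoute -InterfaceAlias $InternalAlias -AddressFamily IPv4 |
    Where-Object { $_.NextHop -ne '0.0.0.0' } |
    Select-Object DestinationPrefix, NextHop, RouteMetric
```
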
Sorry I took so long to reply. I finally gave in and opened up an incident with Microsoft. After three days, this setup is in worse shape than ever. Now I can't even get the direct access client to install with group policy. They will continue to work on it this week and I'll report what they did when they finally get it working. Thanks.
ASKER CERTIFIED SOLUTION
Joe Grosskopf

Microsoft solved it