
I put this question on SuperUser, but judging from the lack of response I think I picked the wrong place, so I'm cross-posting here.

I'm trying to get DA set up and it is being a major pain. I have the DA server set up (computer with single adapter behind Edge device) and everything is green on the monitor, everything seems to be working there. I have successfully deployed the GPO to the client, and the client is trying to connect. However, it will not connect and "Get-DaConnectionStatus" is saying "NameResolutionFailure".

So I'm working through this guide (https://technet.microsoft.com/en-us/library/ee844114%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) to try and sort out the connection issue. The client creates an IP-HTTPS tunnel and I am able to ping the IPHTTPSInterface on the DA server from the client, so it can reach the server (Note: I cannot ping the client from the server though).

Where I'm running into problems is on step 6 of the first part of that guide, where it says to use the command "netsh advfirewall monitor show mmsa". The result of that command is "No SAs match the specified criteria".

Any ideas on why this issue is coming up, and how to fix it?

Jordan
  • What version and edition of Windows is running on the client? From a command prompt, type systeminfo and paste the OS Name: field here for us. – mfinni Feb 21 '15 at 02:08
  • Is the Windows Firewall service running on the client? Is the IKE and AuthIP IPsec Keying Modules service running on the client? – mfinni Feb 21 '15 at 02:12
  • @mfinni The client is running Windows 8.1 Enterprise. The firewall service is running, as well as the IKE and AuthIP service. – Jordan Feb 21 '15 at 02:59
  • [This general troubleshooting Direct Access page might be helpful](https://technet.microsoft.com/en-us/library/ee624058%28WS.10%29.aspx). More specifically, this error can also result from [the IKE and AuthIP IPsec Keying Modules service on the client not being started](http://setspn.blogspot.com/2014/08/direct-access-no-security-associations.html). – HopelessN00b Feb 26 '15 at 09:47
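The checks raised in the question and the comments (client connection status, the Windows Firewall and IKE/AuthIP keying services, the IP-HTTPS interface, the main-mode SA list behind `netsh advfirewall monitor show mmsa`, and the NRPT rules whose absence typically surfaces as `NameResolutionFailure`) can be gathered in one pass. The following PowerShell triage script is an added example, not code from the question, the answer, or the TechNet guides linked above; it assumes an elevated prompt on the Windows 8.1 client with the built-in DirectAccessClientComponents, NetSecurity and DnsClient modules, and it only reads state, changing nothing.

```powershell
# Added example (not from the original post): read-only DirectAccess client triage.
# Run from an elevated PowerShell prompt on the Windows 8.1 client.

function Get-DAClientTriage {
    $report = [ordered]@{}

    # 1. What the DA client components themselves report (Status / Substatus,
    #    e.g. "Error" / "NameResolutionFailure" as in the question).
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $report.DAStatus    = if ($da) { $da.Status }    else { 'cmdlet unavailable' }
    $report.DASubstatus = if ($da) { $da.Substatus } else { 'cmdlet unavailable' }

    # 2. Services the commenters asked about. IPsec SAs cannot be negotiated
    #    while either of these is stopped.
    foreach ($svcName in 'MpsSvc', 'IKEEXT') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        $report["Service_$svcName"] = if ($svc) { $svc.Status } else { 'NotFound' }
    }

    # 3. IP-HTTPS interface state. The question says this tunnel comes up and
    #    the server-side IPHTTPS address answers ping, so expect "Active" here.
    $ipHttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue | Select-Object -First 1
    $report.IPHttpsState     = if ($ipHttps) { $ipHttps.State }         else { 'n/a' }
    $report.IPHttpsLastError = if ($ipHttps) { $ipHttps.LastErrorCode } else { 'n/a' }

    # 4. Main-mode SAs: the PowerShell equivalent of
    #    "netsh advfirewall monitor show mmsa". A count of 0 matches the
    #    "No SAs match the specified criteria" output in the question.
    $mmsa = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
    $report.MainModeSACount = $mmsa.Count

    # 5. NRPT rules delivered by the DA client GPO. With no rules, internal
    #    names are never sent to the DNS64 address and resolution fails.
    $nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
    $report.NrptRuleCount = $nrpt.Count
    $report.NrptNamespaces = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '
    $report.NrptDAServers  = ($nrpt | ForEach-Object { $_.DirectAccessDnsServers }) -join ', '

    [pscustomobject]$report
}

# Usage: print the triage table, then the raw SA list if any SAs exist.
$triage = Get-DAClientTriage
$triage | Format-List
if ($triage.MainModeSACount -gt 0) {
    Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint, ExpiresTime
}
```

Read the output top to bottom: a stopped `IKEEXT` or `MpsSvc` explains an empty SA list on its own; an `Active` IP-HTTPS interface with zero main-mode SAs points at the IPsec policy or certificate side rather than transport; and a zero NRPT rule count means the GPO did not deliver the name-resolution table, which is the usual cause of the `NameResolutionFailure` substatus.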

1 Answer

Unfortunately I have seen many people struggle with trying to get single-NIC mode working on a DirectAccess server. This was really only intended for quick POC setups, and for a production (or any) environment, you should really go with dual-NIC installation. You will have fewer issues this way. In fact, I have seen more than a couple cases where I have worked with folks trying to troubleshoot some issue or another, and when we couldn't get to the core of the problem quickly, we just redid the setup as two-NIC, and everything worked fine, with no additional tweaks. I'm not saying you won't be able to get it to work, but I would cut my losses on the current system and change gears for a better overall solution.

  • While I appreciate the advice, unfortunately that is not possible in my deployment and it does not address the question being asked. Thank you though. – Jordan Feb 25 '15 at 22:01