I've rebuilt the UAG server, and have a semi-working client. By
semi-working I mean that while I can do pretty much everything I want
via DA, and can manage the machine from inside, I'm still seeing the
DCA in the systray, mocking me with an error message saying that name
resolution is broken.

So, I've looked at a lot of stuff, and it all comes back to the
Security event log on the UAG server. I'm seeing *lots* of 4653 IPSec
Main Mode failure audits in there.

So, I took a closer look at them, and looked over the data, which
mostly has this form:

An IPsec main mode negotiation failed.

Local Endpoint:
        Local Principal Name:   -
        Network Address:        2002:4332:7627::4332:7627
        Keying Module Port:     500

Remote Endpoint:
        Principal Name:         -
        Network Address:        2001:7c8:3:2::5
        Keying Module Port:     500

Additional Information:
        Keying Module Name:     IKEv1
        Authentication Method:  Unknown authentication
        Role:                   Initiator
        Impersonation State:    Not enabled
        Main Mode Filter ID:    0

Failure Information:
        Failure Point:          Local computer
        Failure Reason:         No policy configured

        State:                  No state
        Initiator Cookie:       f32da71f5c2f1fed
        Responder Cookie:       0000000000000000

Here are a couple of interesting points:
o- The Remote Endpoint IP address changes pretty much every time, and
cycles through a large number of different addresses.
o- I looked up the addresses, and they seem to be exclusively name
servers - for instance, the one above resolves to auth02.ns.esat.net.
Others that I've seen include e.dns.kr, ns3.apnic.net, nn.uninett.no -
among many more.

That got me thinking, so I looked at the DNS settings for IPv6 on the
internal NIC for the UAG server - it was set to acquire it
automatically. On a hunch, I added the two 2008R2 DC IPv6 addresses
manually for name resolution, and updated the settings. Unfortunately,
that didn't seem to help. I'm still seeing lots of 4653 IPSec Main
Mode failure audits in the event log, and the DCA utility still says
name resolution is broken.

I have no idea what's happening here. Does anyone know why this
machine would be trying to initiate IPSec conversations with name
servers out in the world?

Kurt
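As an added example (not from Kurt's post or the ntsysadmin list), here is a small Python triage script for a batch of 4653 messages in the layout quoted above: it parses the section-scoped fields (both endpoints carry a "Network Address") and reports which remote peers this host initiated IKEv1 to, with what failure reason, and which of those peers are not on an allow-list of expected IPsec peers. The 2001:7c8:3:2::5 address and the local 2002: address are the ones from the post; the 2001:db8:: addresses and the allow-list are constructed.

```python
from collections import Counter

# Constructed sample in the layout of Security event 4653 quoted in the post
# (trimmed to the fields used here); only the remote address varies per sample.
EVENT_TEMPLATE = """An IPsec main mode negotiation failed.

Local Endpoint:
\tNetwork Address:\t2002:4332:7627::4332:7627

Remote Endpoint:
\tNetwork Address:\t{remote}
\tKeying Module Port:\t500

Additional Information:
\tKeying Module Name:\tIKEv1
\tRole:\tInitiator

Failure Information:
\tFailure Point:\tLocal computer
\tFailure Reason:\tNo policy configured
"""
# Two hits on the post's name server plus two constructed peers; constructed allow-list.
SAMPLE_MESSAGES = [EVENT_TEMPLATE.format(remote=a) for a in
                   ("2001:7c8:3:2::5", "2001:db8::10", "2001:7c8:3:2::5", "2001:db8::20")]
KNOWN_PEERS = {"2001:db8::10"}


def parse_4653(text):
    """Split the message into {section: {field: value}}, keyed by section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith(":") and not raw[0].isspace():   # section header
            current = line[:-1]
            sections[current] = {}
        elif current is not None and ":" in line:         # indented field
            key, value = line.strip().split(":", 1)       # once: IPv6 has colons
            sections[current][key.strip()] = value.strip()
    return sections


def summarize(messages, known_peers):
    """Count remote peers and failure reasons, initiator role, and off-list peers."""
    remotes, reasons, initiated = Counter(), Counter(), 0
    for msg in messages:
        ev = parse_4653(msg)
        remotes[ev["Remote Endpoint"]["Network Address"]] += 1
        reasons[ev["Failure Information"]["Failure Reason"]] += 1
        initiated += ev["Additional Information"]["Role"] == "Initiator"
    unexpected = sorted(a for a in remotes if a not in known_peers)
    return {"remotes": remotes, "reasons": reasons,
            "initiated": initiated, "unexpected_peers": unexpected}
```

Fed the real messages (for example exported from the Security log), a long `unexpected_peers` list of public name servers with Role Initiator and "No policy configured" is exactly the pattern described above.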
