Example: Troubleshooting an Expired Server Certificate
Updated: December 23, 2009
Applies To: Windows 7, Windows Server 2008 R2
In the NDF section, we saw a case in which Inside-Outside detection had failed on a DirectAccess client, preventing the client from accessing any network resource. NDF identified that the failure was with Inside-Outside detection, but was unable to resolve or further identify the issue. In this example, we use Network Tracing to further diagnose this problem.
Using advanced network tracing
This is the trace file collected from the computer experiencing the connectivity failure. There are over 76,000 events in this trace; far too many to search through manually.
Instead, you can use NetMon’s built-in filter options to target only the error events. Errors are ETW level 2, so you can use the Level filter, as shown in the following figure,
and then reduce the view to errors only. There are still quite a few errors in this trace – 360 – but significantly reduced from the initial 76,000. Incorrect detection of Inside-Outside status would apply the wrong set of IPsec rules to the client, causing many connections to fail. Many of these errors reflect the symptom, rather than the cause, so let’s filter out some of the more common errors. This is shown in the following figure.
Filtering out DNS failures and failed socket connections, both expected results of incorrect IPsec rules, renders a much more manageable list of 64 failures. Reviewing the list of failures that are still visible, you can see SSL errors. SSL errors are not logical results of incorrect IPsec rules, so you can explore an SSL error to get a better understanding.
By selecting this event, you can see that the SSL failure is due to an expired certificate. This is suspicious, but thus far, not obviously related. You can perform a deeper investigation, as shown in the following figure,
By finding all the events in the same activity, then removing the filter.
Now you can see that the SSL certificate error occurred on a connection between the Inside-Outside server and the client. The certificate is expired. Although you now know what the basic problem is, you can open an earlier section of the SSL exchange to try to find the certificate in question.
Backing up a few frames in the transaction shows the certificate that was sent by the server. It was issued for only one year, and it’s now been more than a year since the DirectAccess server was deployed. With the certificate expired, clients can’t authenticate the Inside-Outside server that tells them whether they are inside the corporate network. As a result, the client has lost access to the network.
Issue a new SSL certificate to the Inside-Outside server. Once the server-side problem is corrected, clients can restore connectivity by running the network troubleshooter, disconnecting and reconnecting the network interface, or rebooting.