Example: Troubleshooting an Expired Server Certificate

Updated: December 23, 2009

Applies To: Windows 7, Windows Server 2008 R2

In the NDF section, we saw a case in which Inside-Outside detection had failed on a DirectAccess client, preventing the client from accessing any network resource.  NDF identified that the failure was with Inside-Outside detection, but was unable to resolve or further identify the issue.  In this example, we use Network Tracing to further diagnose this problem.

This is the trace file collected from the computer experiencing the connectivity failure. There are over 76,000 events in this trace; far too many to search through manually.

A trace file from computer with connectivity error

Instead, you can use NetMon’s built-in filter options to target only the error events. Errors are ETW level 2, so you can use the Level filter, as shown in the following figure,

Using NetMon filtering capabilities

and then reduce the view to errors only. There are still quite a few errors in this trace – 360 – but significantly reduced from the initial 76,000. Incorrect detection of Inside-Outside status would apply the wrong set of IPsec rules to the client, causing many connections to fail. Many of these errors reflect the symptom, rather than the cause, so let’s filter out some of the more common errors. This is shown in the following figure.

Using NetMon filtering to render errors only

Filtering out DNS failures and failed socket connections, both expected results of incorrect IPsec rules, renders a much more manageable list of 64 failures. Reviewing the list of failures that are still visible, you can see SSL errors. SSL errors are not logical results of incorrect IPsec rules, so you can explore an SSL error to get a better understanding.

Filtering out DNS and socket connection errors

By selecting this event, you can see that the SSL failure is due to an expired certificate. This is suspicious, but thus far, not obviously related. You can perform a deeper investigation, as shown in the following figure,

Investigating SSL errors

By finding all the events in the same activity, then removing the filter.

Finding all events in the same activity

Now you can see that the SSL certificate error occurred on a connection between the Inside-Outside server and the client. The certificate is expired. Although you now know what the basic problem is, you can open an earlier section of the SSL exchange to try to find the certificate in question.

The SSL error occurred between server and client

Backing up a few frames in the transaction shows the certificate that was sent by the server. It was issued for only one year, and it’s now been more than a year since the DirectAccess server was deployed. With the certificate expired, clients can’t authenticate the Inside-Outside server that tells them whether they are inside the corporate network. As a result, the client has lost access to the network.

The server certificate is expired

Issue a new SSL certificate to the Inside-Outside server.  Once the server-side problem is corrected, clients can restore connectivity by running the network troubleshooter, disconnecting and reconnecting the network interface, or rebooting.

Community Additions