Windows Server pairing failures caused by DirectAccess policy

Topic

How do I troubleshoot agent pairing failures caused by DirectAccess policy on Windows Server?

Environment

  • Windows Server 2008 or newer

Description

This article discusses the following errors:

  • Errors during agent pairing
  • Agent Unreachable or Service not running errors
  • Ports 25566 and 25568 appearing as 'filtered' in a port scan from the appliance, despite properly configured antivirus exceptions and Windows Firewall rules

Cause

  • The issue is caused by the Group Policy-delivered DirectAccess server settings on the protected machine. The DirectAccess NAT64 transition configuration reserves a pool of IPv4 ports on the server (IPv4AddressPortPool). When that reserved range includes ports 25566-25568, the Datto agent cannot accept connections on them and the Datto appliance cannot reach the agent.

Validation

  • When pairing fails because of DirectAccess policy, the appliance's pairing log looks like this. Note that every port the appliance probes (25566 through 25569) is reported as not responding:

11:10:13 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25566
11:10:14 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25566]
11:10:14 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25568
11:10:15 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25568]
11:10:15 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25567
11:10:16 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25567]
11:10:16 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25569
11:10:17 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25569]
11:10:17 EDT PHD0001 fb7d2cfbc01b4092bbb15149279690e7 PairHandler.php(2) : eval()'d code:417 Could not connect to the agent.
11:10:18 EDT PHD0004 fb7d2cfbc01b4092bbb15149279690e7 PairHandler.php(2) : eval()'d code:276 Agent pairing failed with an Exception: Could not connect to the agent.
11:10:18 EDT AGT3009 fb7d2cfbc01b4092bbb15149279690e7 PairHandler.php(2) : eval()'d code:292 Cannot add agent.

  • Despite properly configured antivirus exceptions and Windows Firewall rules, ports 25566-25569 appear as 'filtered' when scanned from the appliance. In nmap terms, 'filtered' means the probe got no reply at all (no SYN/ACK and no RST), which points to something on the server dropping or reserving the ports, here the DirectAccess port reservation. A stopped agent service with nothing listening would instead show the ports as 'closed'.

root@backupdevice:~# nmap -p25566,25567,25568,25569 10.10.10.100
Starting Nmap 7.01 ( https://nmap.org ) at 2018-04-08 11:07 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00011s latency).
PORT      STATE    SERVICE
25566/tcp filtered unknown
25567/tcp filtered unknown
25568/tcp filtered unknown
25569/tcp filtered unknown

  • To check the DirectAccess NAT64 transition configuration and the ports it reserves on the protected system:
    • Open the Start menu.
    • In the search box, type powershell and wait for Windows PowerShell to appear in the results.
    • Right-click Windows PowerShell and choose Run as administrator.
    • In PowerShell, run:

      Get-NetNatTransitionConfiguration

    • IPv4AddressPortPool shows the address the NAT64 transition service uses and the port range reserved for it; each entry has the form "<address>, <startPort>-<endPort>". If that range includes ports 25566-25568, as in the example here, this article describes your issue. The cmdlet belongs to the NetNat module shipped with Windows Server 2012 and later; if PowerShell reports that it is not recognized, this check cannot be used on that server.


Solution

  • Ensure that firewall and antivirus exceptions are properly configured for the target machine.

  • Ensure that the agent services are running on the protected system.

  • Once those requirements are validated, either change the port range reserved by the DirectAccess NAT64 transition configuration or, if DirectAccess is not needed on this server, disable it:

    1. Change the reserved port range by running the following in PowerShell, replacing <ipAddress> with the address shown in IPv4AddressPortPool (the replacement range starts above the agent ports):

      Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("<ipAddress>, 25570-47000")

    2. Or disable the transition configuration entirely. In PowerShell, run:

      Set-NetNatTransitionConfiguration -State Disabled

  • Both commands change the server's DirectAccess configuration for every remote client, so coordinate the change with whoever administers Remote Access. Afterwards, re-run Get-NetNatTransitionConfiguration to confirm the reserved range no longer covers 25566-25569, repeat the nmap scan from the appliance (the ports should no longer show as 'filtered'), and retry pairing. Because the Cause section ties these settings to Group Policy, repeat the check after the next Group Policy refresh to make sure the change was not reverted.
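The following script is an added example for this article, not Datto's or Microsoft's code. It automates the Validation check and Solution step 1 together: it parses the entries of IPv4AddressPortPool, reports any reserved range that covers the agent ports, rewrites only the colliding entries to the article's replacement range while leaving other entries alone, and re-reads the configuration afterwards to confirm the collision is gone. It assumes the "<address>, <start>-<end>" entry format used in step 1 above, runs in an elevated PowerShell on the protected server (NetNat module, Windows Server 2012 and later), and uses a $DryRun switch of my own that is on by default so nothing changes until you flip it.

```powershell
# Added example (not Datto's or Microsoft's code): find and fix a DirectAccess
# NAT64 port reservation that overlaps the Datto agent ports.
# Run in an elevated PowerShell on the protected server.

$AgentPorts = 25566..25569      # every port the appliance probed in the pairing log above
$NewRange   = '25570-47000'     # replacement range from Solution step 1
$DryRun     = $true             # assumption of this example: set to $false to apply the change

function ConvertFrom-PoolEntry {
    # Turn one "<address>, <start>-<end>" pool entry into an object; $null if unparseable.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -match '^\s*(?<addr>[^,\s]+)\s*,\s*(?<start>\d+)\s*-\s*(?<end>\d+)\s*$') {
        return [pscustomobject]@{
            Address = $Matches['addr']
            Start   = [int]$Matches['start']
            End     = [int]$Matches['end']
        }
    }
    Write-Warning "Unrecognised IPv4AddressPortPool entry: '$Entry'"
    return $null
}

function Test-PortsInRange {
    # True when any of $Ports lies inside the inclusive range $Start..$End.
    param([int]$Start, [int]$End, [int[]]$Ports)
    foreach ($p in $Ports) {
        if ($p -ge $Start -and $p -le $End) { return $true }
    }
    return $false
}

$config = Get-NetNatTransitionConfiguration
"NAT64 transition state: $($config.State)"

$entries = @($config.IPv4AddressPortPool |
             ForEach-Object { ConvertFrom-PoolEntry -Entry $_ } |
             Where-Object { $_ })
$newPool = @()
$hit     = $false

foreach ($e in $entries) {
    $old = "$($e.Address), $($e.Start)-$($e.End)"
    if (Test-PortsInRange -Start $e.Start -End $e.End -Ports $AgentPorts) {
        $hit = $true
        "Reserved range '$old' covers the agent ports; replacing with '$($e.Address), $NewRange'."
        $newPool += "$($e.Address), $NewRange"
    } else {
        $newPool += $old        # keep non-colliding entries exactly as they were
    }
}

if (-not $hit) {
    "No reserved range covers $($AgentPorts[0])-$($AgentPorts[-1]); this article does not explain the failure."
    return
}

# With $DryRun = $true, -WhatIf only prints what would change; with $false the pool is rewritten.
Set-NetNatTransitionConfiguration -IPv4AddressPortPool $newPool -WhatIf:$DryRun
# Alternative when DirectAccess is not needed on this server (Solution step 2):
#   Set-NetNatTransitionConfiguration -State Disabled

if (-not $DryRun) {
    # Re-read the live configuration and confirm none of the agent ports is still reserved.
    $after = @((Get-NetNatTransitionConfiguration).IPv4AddressPortPool |
               ForEach-Object { ConvertFrom-PoolEntry -Entry $_ } |
               Where-Object { $_ })
    $still = $after | Where-Object { Test-PortsInRange -Start $_.Start -End $_.End -Ports $AgentPorts }
    if ($still) {
        Write-Warning "Agent ports are still reserved; check Group Policy for a setting that overrides the change."
    } else {
        "Agent ports are now outside the NAT64 pool; rescan from the appliance and retry pairing."
    }
}
```

Run it once with the default $DryRun = $true to see the proposed pool, then again with $DryRun = $false to apply it. The final re-read is worth keeping even in a one-off fix: if the ports reappear in the pool after a Group Policy refresh, the reservation is being reapplied by policy and must be changed at the source rather than on the server.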