When troubleshooting DirectAccess client connectivity issues, you may encounter a scenario where clients are unable to connect using the IP-HTTPS IPv6 transition technology. Running ipconfig shows that the tunnel adapter IPHTTPSInterface media state is Media disconnected.
Running the Get-NetIpHttpsState PowerShell command shows that the LastErrorCode is 0x2af9 (WSAHOST_NOT_FOUND) and the InterfaceStatus is "Failed to connect to the IPHTTPS server; waiting to reconnect."
The 0x2af9 error differs slightly from the more common 0x274c IP-HTTPS connection time out error (WSAETIMEDOUT). In this scenario the DirectAccess client can successfully resolve the DirectAccess public hostname to an IPv4 address, and if ICMP echo requests are allowed on the DirectAccess server’s public IPv4 address it will respond to ping.
The DirectAccess client is also able to establish a TCP connection to the DirectAccess server using the Test-NetConnection PowerShell command.
So, why is the IP-HTTPS interface unable to establish a transition tunnel connection when the DirectAccess server’s public hostname resolves correctly via DNS and the client can establish a TCP connection on port 443? Commonly this is caused by proxy server settings configured in the web browser on the DirectAccess client computer. Disabling the proxy server in the client’s web browser should restore DirectAccess client connectivity over IP-HTTPS.
If clearing the proxy server settings in the client machine’s web browser still does not restore IP-HTTPS connectivity, it may be that a proxy server is also configured for winhttp. You can confirm this by opening an elevated PowerShell command window and running the netsh winhttp show proxy command.
To clear the winhttp proxy server settings run the netsh winhttp reset proxy command.
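The checks described above (IP-HTTPS state, DNS resolution, TCP 443 reachability, browser proxy and winhttp proxy) can be run together from one elevated PowerShell window. The script below is an added example and not part of the original post; it is read-only and only prints the reset command rather than running it. It assumes the DirectAccess public hostname can be read from the ServerURL property of Get-NetIPHttpsConfiguration, or is passed in with -PublicHostname; the hostname da.example.com in the comment is a placeholder.

```powershell
# Added example (not from the original post): read-only IP-HTTPS diagnostic
# for a DirectAccess client. Run from an elevated PowerShell window.
param(
    [string]$PublicHostname   # e.g. da.example.com (placeholder); auto-detected if omitted
)

function Get-PublicHostnameFromConfig {
    # Assumption: ServerURL looks like https://da.example.com:443/IPHTTPS
    $cfg = Get-NetIPHttpsConfiguration -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cfg -and $cfg.ServerURL) { return ([uri]$cfg.ServerURL).Host }
    return $null
}

if (-not $PublicHostname) { $PublicHostname = Get-PublicHostnameFromConfig }
if (-not $PublicHostname) {
    throw "Could not determine the DirectAccess public hostname; pass -PublicHostname."
}

# 1. IP-HTTPS interface state. 0x2af9 = WSAHOST_NOT_FOUND, 0x274c = WSAETIMEDOUT.
$state = Get-NetIPHttpsState
$lastError = [int]$state.LastErrorCode
Write-Host ("IP-HTTPS LastErrorCode : 0x{0:x} ({1})" -f $lastError, $state.InterfaceStatus)
$hostNotFound = ($lastError -eq 0x2af9)

# 2. Can the client resolve the public hostname to an IPv4 address?
$dns = Resolve-DnsName -Name $PublicHostname -Type A -ErrorAction SilentlyContinue
$dnsOk = [bool]($dns | Where-Object { $_.Type -eq 'A' })
Write-Host ("DNS A record for {0}   : {1}" -f $PublicHostname, $(if ($dnsOk) { 'resolved' } else { 'NOT resolved' }))

# 3. Can the client open a TCP connection to port 443?
$tcp = Test-NetConnection -ComputerName $PublicHostname -Port 443 -WarningAction SilentlyContinue
Write-Host ("TCP 443 to {0}         : {1}" -f $PublicHostname, $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'NOT open' }))

# 4. Browser (WinINET) proxy settings for the current user.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
$browserProxy = ($inet.ProxyEnable -eq 1) -and $inet.ProxyServer
$pacConfigured = [bool]$inet.AutoConfigURL
Write-Host ("Browser proxy enabled  : {0}{1}" -f $browserProxy, $(if ($browserProxy) { " ($($inet.ProxyServer), bypass: $($inet.ProxyOverride))" } else { '' }))
Write-Host ("Browser PAC/WPAD URL   : {0}" -f $(if ($pacConfigured) { $inet.AutoConfigURL } else { 'none' }))

# 5. winhttp proxy (system-wide). "Direct access" means no proxy is configured.
$winhttp = (netsh winhttp show proxy) -join ' '
$winhttpProxy = -not ($winhttp -match 'Direct access')
Write-Host ("winhttp proxy set      : {0}" -f $winhttpProxy)

# 6. Stale proxy data under iphlpsvc (the ProxyMgr key mentioned in the comments).
$proxyMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr'
$proxyMgrPresent = Test-Path $proxyMgrKey
Write-Host ("iphlpsvc ProxyMgr key  : {0}" -f $(if ($proxyMgrPresent) { 'present' } else { 'absent' }))

# Verdict: the symptom from the post is 0x2af9 with DNS and TCP both working,
# which points at proxy configuration rather than name resolution or reachability.
Write-Host ''
if ($hostNotFound -and $dnsOk -and $tcp.TcpTestSucceeded) {
    Write-Host 'DNS and TCP 443 succeed but IP-HTTPS reports 0x2af9: check proxy settings.'
    if ($browserProxy -or $pacConfigured) {
        Write-Host ' - Disable the browser proxy, or make sure the DirectAccess hostname bypasses it.'
    }
    if ($winhttpProxy) {
        Write-Host ' - Clear the winhttp proxy with:  netsh winhttp reset proxy'
    }
    if (-not $browserProxy -and -not $pacConfigured -and -not $winhttpProxy -and $proxyMgrPresent) {
        Write-Host " - No active proxy found, but $proxyMgrKey exists; review it for leftover proxy entries."
    }
} elseif (-not $dnsOk) {
    Write-Host 'Name resolution for the public hostname fails; fix DNS before looking at proxy settings.'
} elseif (-not $tcp.TcpTestSucceeded) {
    Write-Host 'TCP 443 is not reachable; this looks like the 0x274c (timeout) case, not a proxy issue.'
} else {
    Write-Host 'No proxy-related IP-HTTPS problem detected by these checks.'
}
```

The script deliberately changes nothing; it separates the three conditions the post relies on (name resolves, port 443 reachable, error code is 0x2af9 rather than 0x274c) and only then points at the browser and winhttp proxy settings as the likely cause.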
Additional Resources
DirectAccess Expired IP-HTTPS Certificate and Error 0x800b0101
DirectAccess IP-HTTPS Preauthentication
DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler
DirectAccess SSL Offload using F5 BIG-IP
DirectAccess IP-HTTPS Preauthentication with F5 BIG-IP
DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS
SSL Certificate Considerations for DirectAccess IP-HTTPS
Implementing DirectAccess with Windows Server 2016 Book
Vanja Ferhatovic
/ February 6, 2017
Great tip, but what if one wants to use a proxy. Will an exemption in a wpad proxy file do the trick?
Richard M. Hicks
/ February 8, 2017
I believe so, yes. Just make sure the DirectAccess public hostname is set to bypass the proxy server.
Dennis Potenberg
/ July 18, 2017
I had the same problem with one notebook. We are currently testing with wpad / proxy settings due to a new Firewall system. In this case automatic configuration was enabled but a connection could not be established (IP-HTTPS error 0x2af9). Proxy was disabled and netsh winhttp show Proxy said “no proxy server”. Even though Proxy was disabled, the entries for the proxy server and also for the Bypass local addresses are still recorded but greyed out. What finally did the trick was (apparently for us) to remove these settings from registry (https://directaccessguide.com/2013/08/05/getting-ip-https-error-code-0x2af9/) and restart. After that the connection was flawlessly made.
William Clay (@williamtclay)
/ January 10, 2018
Thanks Richard. This is the second time you helped me out. In my case there was no ProxyMgr key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ but the reset proxy command cleared the proxy address.