2012 R2 DA, and clients using Comcast IPv6

I have not had the chance to troubleshoot this issue, but I strongly suspect that clients using Comcast, which is now giving out routing working IPv6 addresses, are failing to connect because of it. Has anyone else experienced the same?

December 31st, 2014 1:16pm

Hi there,

I know this is an old thread with no replies, but I am starting to see this issue myself. Comcast hands out native IPv6 addresses even on the internal network. DirectAccess does not work. Even if I disable IPv6 on the PC itself, DA still doesn't work. It shows as "configured and enabled" but the client is not assigned a 2002 address on the IPHTTPS interface.

The DA server is on IPv4 only with only 1 public IP and no NAT. Plenty of connected clients, but there seem to be these Comcast users that have issues.

Were you able to reach a conclusion on your issue? Just wondering.

July 16th, 2015 12:46pm

I've encountered this issue on clients connecting via cellular Wi-Fi hotspots before, so it may be a similar issue. You can't disable IPv6 because it is required for DirectAccess connectivity. However, I have seen issues with IPv6 transition protocols that prevent this from working.

Can you try disabling the IPv6 transition protocol and testing again?

Windows 8.x and later:
Set-Net6to4Configuration -State Disabled

Windows 7:
netsh interface 6to4 set state disabled

Let me know what happens. :)

July 16th, 2015 3:18pm
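
One way to record what the client reports before and after the 6to4 change suggested above, as an added example that is not part of the original thread. The function name, the interface alias match on "iphttps" and the 30-second wait are assumptions; run it from an elevated PowerShell prompt on a Windows 8.x or later DirectAccess client.

```powershell
# Added example (not from the thread): snapshot DirectAccess client state
# around disabling 6to4, so the two results can be compared side by side.

function Get-DAClientSnapshot {
    # 6to4 is the transition protocol the reply suggests disabling.
    $sixToFour = Get-Net6to4Configuration

    # IP-HTTPS tunnel status and last error code as reported by the client.
    $ipHttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue

    # Non link-local IPv6 addresses on the IP-HTTPS interface.
    # Assumption: the tunnel interface alias contains "iphttps".
    $tunnelAddresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*iphttps*' -and $_.IPAddress -notlike 'fe80*' } |
        Select-Object -ExpandProperty IPAddress

    # Get-DAConnectionStatus throws if the Network Connectivity Assistant
    # service is not running, so report that instead of stopping.
    try   { $daStatus = (Get-DAConnectionStatus -ErrorAction Stop).Status }
    catch { $daStatus = "unavailable: $($_.Exception.Message)" }

    [pscustomobject]@{
        Time             = Get-Date
        SixToFourState   = $sixToFour.State
        IPHttpsStatus    = $ipHttps.InterfaceStatus
        IPHttpsLastError = $ipHttps.LastErrorCode
        IPHttpsAddresses = ($tunnelAddresses -join ', ')
        DAStatus         = $daStatus
    }
}

$before = Get-DAClientSnapshot

# The change suggested in the reply above.
Set-Net6to4Configuration -State Disabled

# Assumed wait so the client can re-evaluate its connectivity.
Start-Sleep -Seconds 30

$after = Get-DAClientSnapshot

# An empty IPHttpsAddresses value in both snapshots matches the symptom
# described earlier in the thread (no address on the IP-HTTPS interface).
$before, $after | Format-List
```
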

Richard,

Thanks much for the prompt response. I've been lurking your blog for a long time now. Some very good content there. Thanks for shedding some light on the black magic that DA is for some of us sometimes.

Your point about not being able to disable IPv6 because it is required by DA is interesting and something I am surprised I hadn't thought about. Indeed, you will need an IPv6 address on your IPHTTPS interface to be able to connect to the corp network.

However, I have read a handful of posts that mention disabling the IPv6 stack on the client as a solution for this. This is the only one I was able to quickly dig off my favorites:

http://www.ivonetworks.com/news/2011/11/client-side-ipv6-and-directaccess-dont-always-get-along/

Why do you think they are getting away with it in this case? I wish I could find some of the other posts I read but I promise they are out there.

I will try to get another troubleshooting session with the user and try your suggestion. I will re-enable the IPv6 stack and try these commands.

Thanks much!

July 16th, 2015 3:27pm

Hey Richard,

I'll try this again as my previous reply was deleted by the forum powers that be as it contained links.

In any case. I have been following your blog for some time now. Very good reads on there. Thanks for shedding some light on the black magic that is DA for some of us.

You're bringing up an interesting point about not disabling IPv6 as that breaks DA. After all, your IPHTTPS interface does need an IPv6 address to be able to talk to the corp network.

However, I have seen many posts out there mentioning that disabling IPv6 on their PCs was the solution for situations where their ISP was dishing out native IPv6 addresses. One post that I was able to quickly find is the first link in Bing if you type this search query, which is also the title of the article:

"CLIENT-SIDE IPV6 AND DIRECTACCESS DONT ALWAYS GET ALONG"

Why do you think these users are able to get away with disabling IPv6 on their machines and still get DA to work?

I will try to get another troubleshooting session with the affected user and give your suggestion a try. I'll make sure to enable IPv6 on the adapter.

Thanks again for your input!

July 16th, 2015 3:42pm

OK. I am trying this for a third time. Apparently I need to get verified if I post something more than just plain text. Will see if this works:

Richard, thanks much for your prompt response. I've been following your thread for some time now. Very good reads on there. Thanks for shedding some light into the black magic of DA for the rest of us.

You're bringing up a very good point regarding not being able to disable IPv6 as that would break DA. I don't know why I hadn't thought of that before. However, I have seen several posts out there with folks that are able to get away with their ISP assigning native IPv6 addresses by doing exactly that to get DA to work. Why do you think they're getting away with that there and DA indeed works? I would post a link here but I don't want this post to get deleted too.

I'll try to get another troubleshooting session with the user and give your suggestions a try.

Thanks again!

July 16th, 2015 3:48pm

This topic is archived. No further replies will be accepted.
