DirectAccess Issues and new ISP equipment

Hello Everyone

We have DA set up in a cluster using 2012 R2. Servers are multihomed with a NIC on the external network and a NIC on the internal network.

In the last few months we have run into problems with ISPs enabling IPv6. What happens is the clients say successful connection but cannot get anywhere. On the server under client connectivity they say Native IPv6.

To fix this issue we have disabled IPv6 on client machines. What I mean by disable is unchecking the box, so the IPv6 stack is there but is disabled. Amazingly this works. It does say IPv6 disabled, please contact administrator.

Now we seem to be getting ISPs using IPv6 for public IPs, which creates yet another problem.

First question is: Is disabling IPv6 an OK workaround for the native IPv6 issue? Is there another way?

Second question is: What do we do if the ISP is using IPv6 for the public IP? This seems to create a problem as well. Someone just got a new Comcast router and it disabled DA.

January 5th, 2015 9:57pm

Yes, I have seen this many times. If the DA client computer gets a native IPv6 address on the internet (sometimes from a home router, more often from a cell phone card) - it causes the DirectAccess IPsec tunnels to attempt to build themselves using the 2600:whatever address instead of using the DA transition tunnels to build the IPsec connections.

Most folks simply uncheck the TCP/IPv6 box from their NIC properties to solve this. Another way is to play around with the DisabledComponents regkey. Depending on how you set this key, it could disable IPv6 and DirectAccess completely, so proceed with caution. But I believe that if you set it to 0x20 it will cause the machine to prefer IPv4 over v6. You will want to test this on a few machines first before rolling it out to everyone, of course. :)

HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters
DisabledComponents is the name of the value

February 2nd, 2015 2:58pm
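
An added example, not part of the thread or any poster's code: a PowerShell check that decodes a `DisabledComponents` value before it is rolled out, so a setting that would switch off the IPv6 transition tunnels DirectAccess relies on is caught in testing. The bit meanings are taken from Microsoft's documentation of this value rather than from the thread, and the function name `Get-DisabledComponentsReport` is hypothetical.

```powershell
# Added example. Registry path and value name are the ones given in the reply above.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name = 'DisabledComponents'

# Bit flags as documented by Microsoft. Tunnel = $true marks bits that switch off
# transition technologies (DirectAccess clients connect over 6to4, Teredo or IP-HTTPS).
$Flags = @(
    [pscustomobject]@{ Mask = 0x01; Tunnel = $true;  Text = 'IPv6 disabled on all tunnel interfaces' }
    [pscustomobject]@{ Mask = 0x02; Tunnel = $true;  Text = '6to4 disabled' }
    [pscustomobject]@{ Mask = 0x04; Tunnel = $false; Text = 'ISATAP disabled' }
    [pscustomobject]@{ Mask = 0x08; Tunnel = $true;  Text = 'Teredo disabled' }
    [pscustomobject]@{ Mask = 0x10; Tunnel = $false; Text = 'IPv6 disabled on native (non-tunnel) interfaces' }
    [pscustomobject]@{ Mask = 0x20; Tunnel = $false; Text = 'IPv4 preferred over IPv6' }
)

function Get-DisabledComponentsReport {
    param([Parameter(Mandatory)][uint32]$Value)
    # Collect every documented flag whose bit is set in the value.
    $set = @($Flags | Where-Object { $Value -band $_.Mask })
    [pscustomobject]@{
        Value           = '0x{0:X2}' -f $Value
        Meaning         = if ($set.Count) { $set.Text -join '; ' } else { 'IPv6 fully enabled (default)' }
        PrefersIPv4     = [bool]($Value -band 0x20)
        TunnelsAffected = [bool]($set | Where-Object Tunnel)   # $true = expect DirectAccess to break
    }
}

# Constructed sample values: default, the 0x20 suggested in the reply,
# tunnels-only disabled, and everything disabled.
0x00, 0x20, 0x01, 0xFF |
    ForEach-Object { Get-DisabledComponentsReport -Value $_ } |
    Format-Table -AutoSize

# Current setting on this machine (a missing value means the default, 0).
$live = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $live) { $live = 0 }
Get-DisabledComponentsReport -Value ($live -band 0xFF) | Format-List

# To apply the 0x20 value on a test machine (elevated prompt, then reboot):
# New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0x20 -Force
```

A row with `TunnelsAffected = True` is the case the reply warns about; `0x20` on its own leaves the tunnel interfaces in place and only changes address preference.
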

Thanks for the reply.

This is exactly what we are doing and it seems to work, but I was just wondering if that was the right way to do this. The thing that is disconcerting is that when you connect successfully it does say IPv6 is disabled.

I will have to try the registry key method and see if that will accomplish the same thing without making the machine think that IPv6 is disabled.

March 18th, 2015 7:09pm

This topic is archived. No further replies will be accepted.
