Win7 client with UAG server, doesn't like IPv6 served by home router/firewall

All,

I have mitigated the problem, but wanted to understand it. The mitigation is to reconfigure his home router/firewall to stop serving IPv6. He had to reboot his machine to get rid of the served IPv6 address, but then DA started working again.

So, here's the description of the problem - anyone who can tell me what the problem is will have my gratitude. If necessary, I can share DCA logs offline.

A remote worker recently upgraded his ATT Uverse connection at home. DirectAccess stopped working for him. When at home, he had to resort to using our SSL VPN (Aventail), but when he did so, external company resources (we have split brain DNS) were unavailable.

I went through these two links to troubleshoot:

http://directaccessguide.com/2014/02/18/directaccess-client-troubleshooting-guide/

and

http://www.microsoft.com/en-us/download/details.aspx?id=41938

Both passed with flying colors.

o- He sent the DCA (DirectAccess Connectivity Assistant) logs to me, and I worked through them to see if anything was amiss, and I used http://join.me to walk through the above links as well.

o- GPOs are applied and group memberships for the computer are correct (gpresult /h)

o- When not connected via the Aventail client, could ping external company resources (split brain DNS) and couldn't ping internal resources by name (e.g. usdc4.example.com), but could ping internal resources via IPv6 address if manually entered (!?! - very odd).

o- When connected via the Aventail client, could ping internal resources (gets name resolution, returns IPv4 address), but couldn't ping external resources (name resolves to IPv4 address but ping doesn't return) (!?! - again, very odd).

o- Tethering to his Verizon phone proved that DA was working fine.

March 3rd, 2015 12:13am

What transition protocols are enabled for the client (6to4/Teredo/IP-HTTPS)?
March 4th, 2015 12:19am

I accepted the install defaults, so can't say from memory, but by examination of the log he sent while IPv6 was still being served on his network, and examination of my Win8.1 machine while external, I believe Teredo and NAT64 only. The httpstunnel interface shows as deactivated, and ISATAP is not present in our environment.

This is what I show on my Win8.1 machine outside the firewall:

C:\Users\kbuff>netsh int httpstunnel sho interfaces

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://outside.zetron.com:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface not installed.
                             Other corporate connectivity available.

C:\Users\kbuff>netsh int teredo sho state
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : 67.50.118.38 (Group Policy)
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : qualified
Client Type             : teredo host-specific relay
Network                 : unmanaged
NAT                     : none (global connectivity)
NAT Special Behaviour   : UPNP: No, PortPreserving: No
Local Mapping           : 67.50.118.50:64004
External NAT Mapping    : 67.50.118.50:64004

C:\Users\kbuff>netsh int 6to4 show state
6to4 Service State     : default
Undo on Service Stop   : default

C:\Users\kbuff>netsh int isatap show state
ISATAP State           : default

March 4th, 2015 1:18am
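Added example (my own code, not from this thread or from Microsoft's tooling): it parses the "Key : Value" text that `netsh int teredo show state` prints, as quoted above, and sorts a client's IPv6 addresses into native-global versus Teredo, 6to4 and link-local by their well-known prefixes, which is the comparison to make between a client behind an IPv6-serving home router and the same client tethered to a phone. The address list is constructed; the Teredo text is the output quoted in the post.

```python
"""Sort out what IPv6 a DirectAccess client actually has."""
import ipaddress
import re

# Well-known prefixes: Teredo (RFC 4380), 6to4 (RFC 3056), link-local,
# unique-local, and the global unicast range everything native falls in.
TEREDO = ipaddress.ip_network("2001::/32")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL = ipaddress.ip_network("2000::/3")

# Sample input: the Teredo state quoted in the post above.
TEREDO_STATE = """Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : 67.50.118.38 (Group Policy)
State                   : qualified
Client Type             : teredo host-specific relay
NAT Special Behaviour   : UPNP: No, PortPreserving: No
Local Mapping           : 67.50.118.50:64004
"""

# Constructed address list: link-local, a Teredo address, and a native
# global one (2001:db8::/32 is the documentation prefix, used as a stand-in
# for whatever the home router hands out).
SAMPLE_ADDRS = ["fe80::1", "2001:0:4137:9e76::1", "2001:db8::10"]

def parse_netsh_state(text):
    """Turn netsh 'Key : Value' lines into a dict; headers/rules are skipped.
    The key stops at the first colon, so values like 'UPNP: No' survive."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*\S)\s*$", line)
        if m:
            state[m.group(1)] = m.group(2)
    return state

def classify_ipv6(addr):
    """Label one address by the prefix it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "ipv4"
    for label, net in (("teredo", TEREDO), ("6to4", SIX_TO_FOUR),
                       ("link-local", LINK_LOCAL), ("unique-local", ULA),
                       ("native-global", GLOBAL)):
        if ip in net:
            return label
    return "other"

def native_ipv6_present(addrs):
    """True when any address is native global, i.e. not a transition one."""
    return any(classify_ipv6(a) == "native-global" for a in addrs)
```

Feed `native_ipv6_present` the addresses from `netsh int ipv6 show addresses` on the affected Win7 client and on a known-good one; the state dict gives the Teredo "State" and "Client Type" to compare alongside.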
