UAG 2010/DirectAccess - working but can't ping internal resources by IP
-
Thursday, February 23, 2012 1:03 AM
Hi all,
Just set up DirectAccess with UAG 2010, and I can access all internal resources and resolve DNS names.
However, I can't ping anything except the 6to4 IPv6 address on the DirectAccess server. Even pinging the ISATAP address on the DirectAccess server fails.
Any thoughts where I should start?
Thanks so much!
Phil
UPDATE: I've verified the same result with a Teredo client behind a NAT network. DirectAccess also worked fine, but can't ping anything at all.
All Replies
-
Thursday, February 23, 2012 6:25 AM
Hi
Are you sure that ICMPv6 incoming rule is enabled on your internal hosts?
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
-
Thursday, February 23, 2012 6:47 AM
Hi
Are you sure that ICMPv6 incoming rule is enabled on your internal hosts?
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
Thanks for the quick reply.
Yes, I'm able to ping the ISATAP and IPv6 addresses of all other hosts while internal to the network. It looks like IPv6 Echo is enabled by default for the Domain rule. Since the DirectAccess client IS authenticating to the domain, I can't imagine it would be using any other profile, but I can play with it tomorrow just in case.
-
Thursday, February 23, 2012 8:44 PM
Internal firewalls do not seem to be the issue.
Here is some more diagnostic information if that helps. I've disabled 6to4, teredo, etc and the same result occurs with all 3 technologies.
C:\Windows\system32>netsh advf consec sh rule name=all type=dynamic | find "RemoteTunnel"
RemoteTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:42a1:3fe3::42a1:3fe3
RemoteTunnelEndpoint: 2002:42a1:3fe4::42a1:3fe4

C:\Windows\system32>netsh namespace show effective
DNS Effective Name Resolution Policy Table Settings

Settings for nls.rc-corp.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=mydomain, CN=Company Root CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings

Settings for .rcnllc.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=mydomain, CN=Company Root CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : 2002:42a1:3fe4::42a1:3fe4
DirectAccess (Proxy Settings) : Bypass proxy

Settings for .rc-corp.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=mydomain, CN=Company Root CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : 2002:42a1:3fe4::42a1:3fe4
DirectAccess (Proxy Settings) : Bypass proxy

C:\Windows\system32>ping 2002:42a1:3fe3::42a1:3fe3 (first tunnel endpoint responds)
Pinging 2002:42a1:3fe3::42a1:3fe3 with 32 bytes of data:
Reply from 2002:42a1:3fe3::42a1:3fe3: time=53ms
Reply from 2002:42a1:3fe3::42a1:3fe3: time=52ms

Ping statistics for 2002:42a1:3fe3::42a1:3fe3:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 52ms, Maximum = 53ms, Average = 52ms

C:\Windows\system32>ping 2002:42a1:3fe4::42a1:3fe4 (second does not, but returns DNS queries)
Pinging 2002:42a1:3fe4::42a1:3fe4 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 2002:42a1:3fe4::42a1:3fe4:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

C:\Windows\system32>ping nairvda01
Pinging nairvda01.mydomain.com [2002:42a1:3fe3:8000:0:5efe:10.32.100.11] with 32 bytes of data:
Request timed out.
<same for all names, they resolve but can't ping>

C:\Windows\system32>netsh advfirewall monitor show mmsa
Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
Remote IP Address: 2002:42a1:3fe3::42a1:3fe3
Auth2 Local ID: DOMAIN\jsmoe
Auth2 Remote ID: host/NAIRVDA01.mydomain.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: efaeb0882488e5db:89bea2b0aa1d5068
Health Cert: No

Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
Remote IP Address: 2002:42a1:3fe3::42a1:3fe3
Auth2 Local ID: NT AUTHORITY\SYSTEM
Auth2 Remote ID: host/NAIRVDA01.mydomain.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: e2004ea96edec42d:c561f425ddcc1b4d
Health Cert: No

Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:4ce6:2b03::4ce6:2b03
Remote IP Address: 2002:42a1:3fe4::42a1:3fe4
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: d50bb6ef30f2447a:8c25aebad787b03f
Health Cert: No

Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
Remote IP Address: 2002:42a1:3fe4::42a1:3fe4
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 426e2ee96be1945b:b831e62128100a97
Health Cert: No

Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
Remote IP Address: 2002:42a1:3fe4::42a1:3fe4
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 0c365e6b42af34b9:08c6931134f1b54e
Health Cert: No
Ok.
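The main mode SA listing in the post above is the first thing to read when a DirectAccess client can resolve names but not reach hosts: it shows whether an SA exists for each remote tunnel endpoint and with which authentication methods, before any firewall or routing question arises. As an added example (not from this thread, and not a UAG or Microsoft tool), the following PowerShell parses that netsh output into objects and summarises it per remote tunnel endpoint. The sample text is constructed from the field layout shown above with placeholder cookie values; on a real client, pipe the live `netsh advfirewall monitor show mmsa` output into the same functions.

```powershell
# Added example, not from the thread: parse "netsh advfirewall monitor show mmsa"
# output and summarise main mode SAs per remote tunnel endpoint.
# Written against the field layout shown in the thread (PowerShell 2.0 compatible).

function ConvertFrom-MainModeSa {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $sa = $null; $all = @() }
    process {
        if ($Line -match '^Main Mode SA at') {
            # A new record starts; flush the previous one.
            if ($sa -ne $null) { $all += New-Object PSObject -Property $sa }
            $sa = @{}
            return
        }
        # "Field: value" lines. The first colon separates the field name, so IPv6
        # addresses and cookie pairs (which themselves contain colons) stay intact.
        if ($sa -ne $null -and $Line -match '^\s*([^:]+?):\s*(.*)$') {
            $sa[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    end {
        if ($sa -ne $null) { $all += New-Object PSObject -Property $sa }
        $all
    }
}

function Get-TunnelSummary {
    param([Parameter(ValueFromPipeline = $true)]$Sa)
    begin { $list = @() }
    process { $list += $Sa }
    end {
        # One row per remote tunnel endpoint: how many SAs, which auth methods,
        # and which local identities (user / SYSTEM) were authenticated.
        $list | Group-Object -Property 'Remote IP Address' | ForEach-Object {
            $g = $_.Group
            New-Object PSObject -Property @{
                RemoteTunnelEndpoint = $_.Name
                SaCount  = $_.Count
                Auth1    = ($g | ForEach-Object { $_.Auth1 } | Sort-Object -Unique) -join ','
                Auth2    = ($g | ForEach-Object { $_.Auth2 } | Sort-Object -Unique) -join ','
                LocalIds = ($g | ForEach-Object { $_.'Auth2 Local ID' } | Where-Object { $_ } | Sort-Object -Unique) -join ';'
            }
        }
    }
}

# Constructed sample in the layout shown in the thread (cookie values are placeholders).
$sample = @'
Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
Remote IP Address: 2002:42a1:3fe3::42a1:3fe3
Auth2 Local ID: DOMAIN\jsmoe
Auth2 Remote ID: host/NAIRVDA01.mydomain.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 0000000000000001:0000000000000002
Health Cert: No
Main Mode SA at 02/23/2012 12:59:13
----------------------------------------------------------------------
Local IP Address: 2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
Remote IP Address: 2002:42a1:3fe4::42a1:3fe4
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 0000000000000003:0000000000000004
Health Cert: No
'@

$sample -split '\r?\n' | ConvertFrom-MainModeSa | Get-TunnelSummary |
    Format-Table RemoteTunnelEndpoint, SaCount, Auth1, Auth2, LocalIds -AutoSize

# Live use on a DirectAccess client:
# netsh advfirewall monitor show mmsa | ConvertFrom-MainModeSa | Get-TunnelSummary
```

With the sample, the summary shows one SA per endpoint: the 3fe3 endpoint with ComputerCert plus UserKerb and a user identity, the 3fe4 endpoint with ComputerCert plus UserNTLM. An endpoint missing from the table (or present with no SA while the consec rule lists it) narrows the problem to IPsec negotiation rather than to the internal host firewalls or routing.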
-
Saturday, March 17, 2012 9:34 AM
Hi,
Your assumption that the DA client is using the domain profile is not correct. The DA tunnel won't even come up when the Domain profile is active. This behaviour is by design. The DA client checks if it can reach a DC and your NLA server. If they are both reachable, the Domain profile of the client FW is made active and the IPsec rules for DA are deactivated.
When the client cannot reach a DC or the NLA server, either the private or public profile of the client FW is activated and the IPsec rules kick in. Make sure you have the correct FW rules configured in the private and public FW profiles as well.
Check out this article as well.
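Both the first reply (is the ICMPv6 inbound rule enabled on the internal hosts?) and the reply above (a DA client runs in the private or public profile, not the domain profile) come down to three fields of each inbound ICMPv6 rule: whether it is enabled, which profiles it applies to, and what remote address scope it allows. The PowerShell below is an added example, not from this thread and not a Microsoft tool: it parses the text that `netsh advfirewall firewall show rule` prints on Windows 7 / Server 2008 R2 (no NetSecurity module needed) and flags rules that would not admit an echo request from a DA client. The rule text in the sample is constructed in netsh's layout; the "Type Code" line format is assumed from memory and should be checked against your own output.

```powershell
# Added example, not from the thread: list inbound ICMPv6 allow rules with the
# fields that decide whether a DirectAccess client's echo request gets through
# (Enabled, Profiles, RemoteIP). PowerShell 2.0 compatible; parses netsh text.

function ConvertFrom-NetshRule {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $rule = $null; $rules = @() }
    process {
        if ($Line -match '^Rule Name:\s*(.*)$') {
            if ($rule -ne $null) { $rules += New-Object PSObject -Property $rule }
            $rule = @{ Name = $Matches[1].Trim(); Enabled = ''; Profiles = ''; RemoteIP = ''
                       Protocol = ''; Action = ''; IcmpType = '' }
        }
        elseif ($rule -ne $null -and $Line -match '^(Enabled|Profiles|RemoteIP|Protocol|Action):\s*(.*)$') {
            $rule[$Matches[1]] = $Matches[2].Trim()
        }
        elseif ($rule -ne $null -and $rule.Protocol -eq 'ICMPv6' -and $Line -match '^\s+(\d+|Any)\s+(\d+|Any)\s*$') {
            # Assumed layout: after "Protocol: ICMPv6" netsh prints a "Type Code"
            # header and one "type code" line, e.g. "128 Any" for Echo Request.
            $rule.IcmpType = $Matches[1]
        }
    }
    end {
        if ($rule -ne $null) { $rules += New-Object PSObject -Property $rule }
        $rules
    }
}

function Test-Icmpv6EchoInbound {
    param([string[]]$RuleText, [string[]]$ActiveProfile)
    $RuleText | ConvertFrom-NetshRule |
        Where-Object { $_.Protocol -eq 'ICMPv6' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $notes = @()
            if ($_.Enabled -ne 'Yes') { $notes += 'disabled' }
            # A DA client's 6to4/Teredo/IP-HTTPS address is never on the internal
            # host's own subnet, so a LocalSubnet-scoped rule cannot match it.
            if ($_.RemoteIP -eq 'LocalSubnet') { $notes += 'scoped to LocalSubnet' }
            $profiles = $_.Profiles
            $inActive = @($ActiveProfile | Where-Object { $profiles -eq 'Any' -or $profiles -match $_ }).Count -gt 0
            if (-not $inActive) { $notes += 'not in active profile' }
            New-Object PSObject -Property @{
                Rule = $_.Name; Enabled = $_.Enabled; Profiles = $_.Profiles
                RemoteIP = $_.RemoteIP; IcmpType = $_.IcmpType; Notes = ($notes -join '; ')
            }
        }
}

# Constructed sample: the same rule name as it appears in two profiles.
$sampleRules = @'
Rule Name:                            File and Printer Sharing (Echo Request - ICMPv6-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             Any
Protocol:                             ICMPv6
                                      Type    Code
                                      128     Any
Action:                               Allow

Rule Name:                            File and Printer Sharing (Echo Request - ICMPv6-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Private,Public
RemoteIP:                             LocalSubnet
Protocol:                             ICMPv6
                                      Type    Code
                                      128     Any
Action:                               Allow
'@

Test-Icmpv6EchoInbound -RuleText ($sampleRules -split '\r?\n') -ActiveProfile 'Public' |
    Format-Table Rule, Enabled, Profiles, RemoteIP, IcmpType, Notes -AutoSize

# Live use on an internal host (active profile from "netsh advfirewall show currentprofile",
# which prints a "<Name> Profile Settings:" header per active profile):
# $active = netsh advfirewall show currentprofile | ForEach-Object { if ($_ -match '^(\w+) Profile Settings:') { $Matches[1] } }
# Test-Icmpv6EchoInbound -RuleText (netsh advfirewall firewall show rule name=all dir=in) -ActiveProfile $active
```

With the sample and an active Public profile, the Domain copy is reported as "not in active profile" and the Private,Public copy as "disabled; scoped to LocalSubnet": either note on its own is enough to explain a timed-out ping, which is why the profile check and the scope check belong together.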
-
Saturday, March 17, 2012 9:45 AM
One other thought.
Are you pinging native IPv6 addresses on the internal network? If so, do you have internal IPv6 routing set up so that the internal clients can route IPv6 traffic back to the DA server for your DA IPv6 ranges (Teredo, IP-HTTPS, 6to4)?
Martijn
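The return-route question above can be answered on the internal host itself: the host must hold an IPv6 route whose prefix covers the DA client's address and whose next hop leads back to the DA server, otherwise the echo reply has nowhere to go. The following PowerShell is an added example (not from this thread, not a Microsoft tool) that does a longest-prefix match of a client address against the text that `netsh interface ipv6 show route` prints. The column layout assumed is "Publish Type Met Prefix Idx Gateway/Interface Name"; the route table in the sample is constructed, and the client address is the one from the SA listing earlier in the thread.

```powershell
# Added example, not from the thread: find the IPv6 route an internal host would use
# to reply to a DirectAccess client address (longest-prefix match over netsh output).
# PowerShell 2.0 compatible.

function ConvertTo-Ipv6Bits {
    param([string]$Address)
    # 128-character bit string, so prefix comparison is a plain substring compare.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
}

function Find-ReturnRoute {
    param([string]$ClientAddress, [string[]]$RouteText)
    $target = ConvertTo-Ipv6Bits $ClientAddress
    $best = $null
    foreach ($line in $RouteText) {
        # Assumed columns: Publish  Type  Met  Prefix/Len  Idx  Gateway/Interface Name
        # (header and separator lines fail the numeric Met column and are skipped).
        if ($line -match '^\s*\S+\s+\S+\s+\d+\s+(\S+)/(\d+)\s+\d+\s+(.+?)\s*$') {
            $prefix = $Matches[1]; $len = [int]$Matches[2]; $via = $Matches[3]
            $bits = ConvertTo-Ipv6Bits $prefix
            if ($target.Substring(0, $len) -eq $bits.Substring(0, $len)) {
                if ($best -eq $null -or $len -gt $best.PrefixLength) {
                    $best = New-Object PSObject -Property @{
                        Prefix = "$prefix/$len"; PrefixLength = $len; Via = $via }
                }
            }
        }
    }
    $best
}

# Constructed sample route table. The next hop for 2002::/16 is a made-up ISATAP
# link-local address standing in for the DA server's internal interface.
$sampleRoutes = @'
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2002::/16                  13  fe80::5efe:10.32.100.1
No       Manual    256  2002:42a1:3fe3:8000::/64   13  Local Area Connection
No       Manual    256  fe80::/64                  13  Local Area Connection
'@

$client = '2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8'   # client address from the thread's SA listing
$r = Find-ReturnRoute -ClientAddress $client -RouteText ($sampleRoutes -split '\r?\n')
if ($r -eq $null) { "No route covers $client; replies will be dropped" }
else { "$client is reached via $($r.Prefix) -> $($r.Via)" }

# Live use on an internal host:
# Find-ReturnRoute -ClientAddress $client -RouteText (netsh interface ipv6 show route)
```

For the sample the match is 2002::/16 via the ISATAP next hop, because the on-link 2002:42a1:3fe3:8000::/64 does not cover an address in 2002:42a1:3fe3:8100::/64. A result of no route, or a match on an on-link prefix that the client is not actually on, means the reply never reaches the DA server no matter how the firewall rules are set.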

