UAG 2010/DirectAccess - working but can't ping internal resources by IP

    Question

  • Hi all,

    Just set up DirectAccess with UAG 2010, and I can access all internal resources and resolve DNS names.

    However, I can't ping anything except the 6to4 IPv6 address on the DirectAccess server.  Even pinging the ISATAP address on the DirectAccess server fails. 

     Any thoughts where I should start?

    Thanks so much!

    Phil

    UPDATE:  I've verified the same result with a Teredo client behind a NAT network.  DirectAccess also worked fine, but can't ping anything at all.



    Thursday, February 23, 2012 1:03 AM

All replies

  • Hi

    Are you sure that ICMPv6 incoming rule is enabled on your internal hosts?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, February 23, 2012 6:25 AM
  • Thanks for the quick reply.

    Yes, I'm able to ping the ISATAP and IPv6 addresses while internal to the network to all other hosts.  It looks like IPv6 Echo is enabled by default for the Domain rule.  Since the DirectAccess client IS authenticating to the domain, I can't imagine it would be using any other profile, but I can play with it tomorrow just in case.

    Thursday, February 23, 2012 6:47 AM
  • Internal firewalls do not seem to be the issue.

    Here is some more diagnostic information if that helps.  I've disabled 6to4, Teredo, etc., and the same result occurs with all 3 technologies.

    C:\Windows\system32>netsh advf consec sh rule name=all type=dynamic | find "RemoteTunnel"
    RemoteTunnelEndpoint:                 Any
    RemoteTunnelEndpoint:                 2002:42a1:3fe3::42a1:3fe3
    RemoteTunnelEndpoint:                 2002:42a1:3fe4::42a1:3fe4

    C:\Windows\system32>netsh namespace show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for nls.rc-corp.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=mydomain, CN=Company Root CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

    Settings for .rcnllc.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=mydomain, CN=Company Root CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:42a1:3fe4::42a1:3fe4
    DirectAccess (Proxy Settings)           : Bypass proxy

    Settings for .rc-corp.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=mydomain, CN=Company Root CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:42a1:3fe4::42a1:3fe4
    DirectAccess (Proxy Settings)           : Bypass proxy

    C:\Windows\system32>ping 2002:42a1:3fe3::42a1:3fe3  (first tunnel endpoint responds)

    Pinging 2002:42a1:3fe3::42a1:3fe3 with 32 bytes of data:
    Reply from 2002:42a1:3fe3::42a1:3fe3: time=53ms
    Reply from 2002:42a1:3fe3::42a1:3fe3: time=52ms

    Ping statistics for 2002:42a1:3fe3::42a1:3fe3:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 52ms, Maximum = 53ms, Average = 52ms

    C:\Windows\system32>ping 2002:42a1:3fe4::42a1:3fe4 (second does not, but returns DNS queries)

    Pinging 2002:42a1:3fe4::42a1:3fe4 with 32 bytes of data:
    Request timed out.
    Request timed out.

    Ping statistics for 2002:42a1:3fe4::42a1:3fe4:
        Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

    C:\Windows\system32>ping nairvda01

    Pinging nairvda01.mydomain.com [2002:42a1:3fe3:8000:0:5efe:10.32.100.11] with 32
    bytes of data:
    Request timed out.

    <same for all names, they resolve but can't ping>

    C:\Windows\system32>netsh advfirewall monitor show mmsa

    Main Mode SA at 02/23/2012 12:59:13
    ----------------------------------------------------------------------
    Local IP Address:                     2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
    Remote IP Address:                    2002:42a1:3fe3::42a1:3fe3
    Auth2 Local ID:                       DOMAIN\jsmoe
    Auth2 Remote ID:                      host/NAIRVDA01.mydomain.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          efaeb0882488e5db:89bea2b0aa1d5068
    Health Cert:                          No

    Main Mode SA at 02/23/2012 12:59:13
    ----------------------------------------------------------------------
    Local IP Address:                     2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
    Remote IP Address:                    2002:42a1:3fe3::42a1:3fe3
    Auth2 Local ID:                       NT AUTHORITY\SYSTEM
    Auth2 Remote ID:                      host/NAIRVDA01.mydomain.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          e2004ea96edec42d:c561f425ddcc1b4d
    Health Cert:                          No

    Main Mode SA at 02/23/2012 12:59:13
    ----------------------------------------------------------------------
    Local IP Address:                     2002:4ce6:2b03::4ce6:2b03
    Remote IP Address:                    2002:42a1:3fe4::42a1:3fe4
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          d50bb6ef30f2447a:8c25aebad787b03f
    Health Cert:                          No

    Main Mode SA at 02/23/2012 12:59:13
    ----------------------------------------------------------------------
    Local IP Address:                     2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
    Remote IP Address:                    2002:42a1:3fe4::42a1:3fe4
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          426e2ee96be1945b:b831e62128100a97
    Health Cert:                          No

    Main Mode SA at 02/23/2012 12:59:13
    ----------------------------------------------------------------------
    Local IP Address:                     2002:42a1:3fe3:8100:15ac:6421:cb5c:7ba8
    Remote IP Address:                    2002:42a1:3fe4::42a1:3fe4
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          0c365e6b42af34b9:08c6931134f1b54e
    Health Cert:                          No
    Ok.

    Thursday, February 23, 2012 8:44 PM
  • Hi,

    Your assumption that the DA client is using the domain profile is not correct. The DA tunnel won't even come up when the Domain profile is active. This behaviour is by design. The DA client checks if it can reach a DC and your NLA server. If they are both reachable, the Domain profile of the client FW is made active and the IPsec rules for DA are deactivated.

    When the client cannot reach a DC or the NLA server, either the Private or Public profile of the client FW is activated and the IPsec rules kick in. Make sure you have the correct FW rules configured in the Private and Public FW profiles as well.

    Check out this article as well.

    http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx


    Saturday, March 17, 2012 9:34 AM
  • One other thought.

    Are you pinging native IPv6 IP addresses on the internal network? If so, do you have internal IPv6 routing set up so that the internal clients can route IPv6 traffic back to the DA server for your DA IPv6 ranges (Teredo, IP-HTTPS, 6to4)?

    Martijn

    Saturday, March 17, 2012 9:45 AM
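The two checks the replies above ask for (which firewall profile is active and whether an inbound ICMPv6 Echo Request rule is enabled for it; whether the host has an IPv6 route back toward the DirectAccess client prefixes), as an added example script that is not part of the original thread. It assumes the NetSecurity and NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and administrator rights; the Windows 7 `netsh` equivalents are given in comments. The 6to4 prefix 2002:42a1:3fe3::/48 is taken from the addresses posted in the thread, and the rule name "DirectAccess ICMPv6 Echo Request (In)" is an arbitrary name chosen here.

```powershell
# Added example (not the thread's or Microsoft's code). Run elevated on the host you cannot ping
# (intranet server) and, for comparison, on the DA client itself.
# Windows 7 equivalents without the NetSecurity module:
#   netsh advfirewall monitor show currentprofile
#   netsh advfirewall firewall show rule name=all dir=in | findstr /i "Echo ICMPv6"
#   netsh advfirewall firewall add rule name="DirectAccess ICMPv6 Echo Request (In)" dir=in action=allow protocol=icmpv6:128,any edge=yes profile=any
#   netsh interface ipv6 show route
param(
    [string[]] $TransitionPrefixes = @(
        '2002::/16',            # 6to4 (all of it)
        '2001::/32',            # Teredo
        '2002:42a1:3fe3::/48'   # the 6to4-derived prefix seen in the thread (assumed from the posted addresses)
    ),
    [switch] $Fix               # create a missing rule instead of only reporting
)

# --- 1. Active profile(s). A DA client on the Internet should show Private or Public here,
#        not DomainAuthenticated; an intranet host should show DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# --- 2. Enabled inbound allow rules for ICMPv6 Echo Request (ICMPv6 type 128), per profile.
$echoRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'ICMPv6' -and ($filter.IcmpType -like '128*' -or $filter.IcmpType -eq 'Any')
    }

foreach ($p in 'Domain', 'Private', 'Public') {
    # Profile is a flags enum; its string form is "Any" or e.g. "Domain, Private".
    $matching = $echoRules | Where-Object { "$($_.Profile)" -eq 'Any' -or "$($_.Profile)" -match $p }
    if ($matching) {
        "{0,-8} OK     : {1}" -f $p, (($matching.DisplayName | Sort-Object -Unique) -join '; ')
    } else {
        "{0,-8} MISSING: no enabled inbound ICMPv6 Echo Request allow rule in this profile" -f $p
    }
}

if ($Fix -and -not ($echoRules | Where-Object { "$($_.Profile)" -eq 'Any' })) {
    # EdgeTraversalPolicy Allow lets the rule match on a NAT-traversing (Teredo) interface;
    # it has no effect on a host without such an interface.
    New-NetFirewallRule -DisplayName 'DirectAccess ICMPv6 Echo Request (In)' `
        -Direction Inbound -Protocol ICMPv6 -IcmpType 128 -Action Allow `
        -Profile Any -EdgeTraversalPolicy Allow | Out-Null
    "Created rule 'DirectAccess ICMPv6 Echo Request (In)' for all profiles"
}

# --- 3. Return route. The echo request can arrive through the DA server, but the reply still
#        needs a route: either a specific route for the transition prefix or a default (::/0)
#        route to a router that forwards toward the DA server.
$routes  = Get-NetRoute -AddressFamily IPv6 -ErrorAction SilentlyContinue
$default = @($routes | Where-Object { $_.DestinationPrefix -eq '::/0' })
foreach ($prefix in $TransitionPrefixes) {
    $hit = @($routes | Where-Object { $_.DestinationPrefix -eq $prefix })
    if ($hit.Count -gt 0) {
        "{0,-22} specific route via {1} ({2})" -f $prefix, $hit[0].NextHop, $hit[0].InterfaceAlias
    } elseif ($default.Count -gt 0) {
        "{0,-22} covered by default route via {1} ({2})" -f $prefix, $default[0].NextHop, $default[0].InterfaceAlias
    } else {
        "{0,-22} NO ROUTE: echo replies to DA clients in this prefix will be dropped" -f $prefix
    }
}
```

Run it without `-Fix` first on an intranet host that resolves but does not answer; a "MISSING" line for the profile that is actually active, or a "NO ROUTE" line for the prefix the client's address falls in, points at which of the two replies above applies. The IP-HTTPS prefix is organisation-specific and not shown in the thread, so add it to `-TransitionPrefixes` yourself if clients use IP-HTTPS.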