Traffic between two internal ISATAP hosts routed through UAG

    Question

  • Hi,

    I have UAG with Direct Access enabled. I read ISATAP deployment whitepaper and http://social.technet.microsoft.com/Forums/en/forefrontedgeiag/thread/ab432e78-73b2-40b9-aed0-5202f4d97a82. It is stated that: "If both machines are clients of the same ISATAP router, then they will talk to each other directly using IPv4. meaning the IPv4 router will be used by the machines A and B."

    But on my installation, tracert from A to B goes through UAG. Is this normal for UAG? Probably UAG advertises wrong routes to ISATAP hosts because the internal network is /8, but network on internal interface of UAG is /24?

    Best regards,

    Petko Stoyanov

    i-Gram

     

    Details on my configuration:

    Internal Network consists of 3 network segments linked by IPv4 routers: 10.1.1.0/24 containing DCs, 10.2.2.0/24 containing 2 Workstations, 10.1.3.0/24 containing the UAG server. UAG has internal IP 10.1.3.3/24 and the internal network is 10.0.0.0/8.

    --- TRACERT to Workstation B

    Tracing route to usr1-ws-012.usr1.i-net [2002:5e9c:a08:8000:0:5efe:10.2.2.31]
    over a maximum of 30 hops:

      1     1 ms     *        1 ms  2002:5e9c:a08:8000:0:5efe:10.1.3.3
      2     9 ms     6 ms     5 ms  2002:5e9c:a08:8000:0:5efe:10.2.2.31

    Trace complete.

    ---- Workstation A Configuration

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : usr1.i-net
       Link-local IPv6 Address . . . . . : fe80::c81d:3ed8:e8b8:12b7%11
       IPv4 Address. . . . . . . . . . . : 10.2.2.46
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.2.2.1

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter isatap.usr1.i-net:

       Connection-specific DNS Suffix  . : usr1.i-net
       IPv6 Address. . . . . . . . . . . : 2002:5e9c:a08:8000:0:5efe:10.2.2.46
       Link-local IPv6 Address . . . . . : fe80::5efe:10.2.2.46%14
       Default Gateway . . . . . . . . . : fe80::5efe:10.1.3.3%14

    Tunnel adapter isatap.{D1900090-12EC-4EB3-9E55-2CD560AE15FF}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    --- ROUTING TABLE

    ===========================================================================
    Interface List
     13...00 12 5a 59 c7 7a ......Bluetooth Device (Personal Area Network)
     11...00 1f d0 4c db 6a ......Intel(R) 82567LM-3 Gigabit Network Connection
      1...........................Software Loopback Interface 1
     17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.2.2.1        10.2.2.46     20
             10.2.2.0    255.255.255.0         On-link         10.2.2.46    276
            10.2.2.46  255.255.255.255         On-link         10.2.2.46    276
           10.2.2.255  255.255.255.255         On-link         10.2.2.46    276
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.2.2.46    276
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.2.2.46    276
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     14    281 ::/0                     fe80::5efe:10.1.3.3
      1    306 ::1/128                  On-link
     14   4121 2002::/16                fe80::5efe:10.1.3.3
     14    281 2002:5e9c:a08::/64       fe80::5efe:10.1.3.3
     14     33 2002:5e9c:a08:8000::/49  fe80::5efe:10.1.3.3
     14     33 2002:5e9c:a08:8000::/64  fe80::5efe:10.1.3.3
     14    281 2002:5e9c:a08:8000:0:5efe:10.2.2.46/128
                                        On-link
     14    281 2002:5e9c:a08:8100::/64  fe80::5efe:10.1.3.3
     14    281 2002:5e9c:a09::/64       fe80::5efe:10.1.3.3
     11    276 fe80::/64                On-link
     14    281 fe80::5efe:10.2.2.46/128 On-link
     11    276 fe80::c81d:3ed8:e8b8:12b7/128
                                        On-link
      1    306 ff00::/8                 On-link
     11    276 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

     

    Tuesday, April 27, 2010 1:35 PM

Answers

  •   0 4294967295 2002:5e9c:a08:8000::/64  On-link
      0 4294967295 2002:5e9c:a08:8001::/96  On-link
      0 4294967295 2002:5e9c:a08:8000::/49  On-link
      0 4294967295 2002:5e9c:a08::/64       On-link
      0 4294967295 2002:5e9c:a09::/64       On-link
      0 4294967295 2002:5e9c:a08:8000::/64  On-link

    This route exists twice, so this might be an issue.

    Not both of the routes are active, so there might be too many ISATAP interfaces and one of them is not connected.

    Please try the following:

    * Manually remove all of the persistent routes on the UAG server (using route delete)

      0 4294967295 2002:5e9c:a08:8000::/64  On-link
      0 4294967295 2002:5e9c:a08:8001::/96  On-link
      0 4294967295 2002:5e9c:a08:8000::/49  On-link
      0 4294967295 2002:5e9c:a08::/64       On-link
      0 4294967295 2002:5e9c:a09::/64       On-link
      0 4294967295 2002:5e9c:a08:8000::/64  On-link
      0 4294967295 2002:5e9c:a08:8001::/96  On-link
      0 4294967295 2002:5e9c:a08:8000::/49  On-link
      0 4294967295 2002:5e9c:a08:8100::/64  On-link

    * Go to Device Manager on the UAG server, show hidden devices, and under Network Adapters, uninstall all of the 3 ISATAP adapters.

    * Reactivate UAG


    Wednesday, April 28, 2010 11:00 AM

All replies

  • When you try to establish a connection to a host on another network ID, does Network Monitor show the connection request moving through the UAG's internal interface?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, April 27, 2010 2:19 PM
    Moderator
  • Yes, I can see the traffic with Network Monitor 3.3.

    Workstations A and B are on 1GBit Ports, while UAG is on 100Mbit. I can see a huge difference when copying files using the \\IPv4 and dns name.

    Any opened RDP session between A and B terminates on UAG restart.

    Regards,

    Petko

     

    Tuesday, April 27, 2010 2:59 PM
  • That is strange, I've never seen anything like it.

    The ISATAP router on the UAG server actually published the ISATAP prefix, and we can see in IPConfig that you have the ISATAP address,

    but in the route table the ISATAP route is not assigned to the same link...

    14     33 2002:5e9c:a08:8000::/64  fe80::5efe:10.1.3.3
    It actually points all ISATAP traffic to the next hop address of the UAG server. Which shouldn't happen.

    It should look like this

    14     33 2002:5e9c:a08:8000::/64  On-link

    Try to understand whether this is a client issue or a server issue:

    Does this route appear this way on other ISATAP hosts?

    If not, this is probably a client issue, and I'd try going to Device Manager, show hidden devices and uninstall the ISATAP network adapter.

    If this issue appears on other clients as well, then this is probably something wrong with the route configuration on the UAG server.

    Can you please send out the route table on your UAG server?

    Thanks,

    Yaniv

    Wednesday, April 28, 2010 8:54 AM
  • Hi,

    I've checked all ISATAP hosts, and they all have the same routing table.

    I've configured UAG as ISATAP using the Direct Access Wizard only.

    Do you need the UAG configuration?

    Regards,

    Petko

    Routing table of UAG:

    ===========================================================================
    Interface List
     16...00 ff 08 01 19 47 ......SSL Network Tunneling
     12...00 15 5d 00 48 8f ......Microsoft Virtual Machine Bus Network Adapter #2
     11...00 15 5d 00 48 90 ......Microsoft Virtual Machine Bus Network Adapter
      1...........................Software Loopback Interface 1
     17...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
     15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      94.156.10.1      94.156.10.8    261
             10.0.0.0        255.0.0.0         10.1.3.1         10.1.3.3      6
             10.1.3.0    255.255.255.0         On-link          10.1.3.3    261
             10.1.3.3  255.255.255.255         On-link          10.1.3.3    261
           10.1.3.255  255.255.255.255         On-link          10.1.3.3    261
          94.156.10.0    255.255.255.0         On-link       94.156.10.8    261
          94.156.10.8  255.255.255.255         On-link       94.156.10.8    261
          94.156.10.9  255.255.255.255         On-link       94.156.10.8    261
         94.156.10.12  255.255.255.255         On-link       94.156.10.8    261
        94.156.10.255  255.255.255.255         On-link       94.156.10.8    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link          10.1.3.3    261
            224.0.0.0        240.0.0.0         On-link       94.156.10.8    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link          10.1.3.3    261
      255.255.255.255  255.255.255.255         On-link       94.156.10.8    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
             10.0.0.0        255.0.0.0         10.1.3.1       1
              0.0.0.0          0.0.0.0      94.156.10.1  Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     17   1105 ::/0                     2002:c058:6301::c058:6301
      1    306 ::1/128                  On-link
     13     58 2001::/32                On-link
     17   1005 2002::/16                On-link
     17    261 2002:5e9c:a08::/64       On-link
     17    261 2002:5e9c:a08::5e9c:a08/128
                                        On-link
     18    261 2002:5e9c:a08:8000::/49  On-link
     18    261 2002:5e9c:a08:8000::/64  On-link
     18    261 2002:5e9c:a08:8000::/128 On-link
     18    261 2002:5e9c:a08:8000:0:5efe:10.1.3.3/128
                                        On-link
     18    261 2002:5e9c:a08:8001::/96  On-link
     14    306 2002:5e9c:a08:8100::/64  On-link
     14    306 2002:5e9c:a08:8100::/128 On-link
     14    306 2002:5e9c:a08:8100:85c1:9f32:ecad:4c87/128
                                        On-link
     17    261 2002:5e9c:a09::/64       On-link
     17    261 2002:5e9c:a09::5e9c:a09/128
                                        On-link
     17    261 2002:5e9c:a0c::5e9c:a0c/128
                                        On-link
     12    261 fe80::/64                On-link
     11    261 fe80::/64                On-link
     13    306 fe80::/64                On-link
     14    306 fe80::/64                On-link
     18    261 fe80::5efe:10.1.3.3/128  On-link
     15    261 fe80::200:5efe:94.156.10.8/128
                                        On-link
     15    261 fe80::200:5efe:94.156.10.9/128
                                        On-link
     15    261 fe80::200:5efe:94.156.10.12/128
                                        On-link
     11    261 fe80::4d11:34e5:d45f:2956/128
                                        On-link
     13    306 fe80::8000:f227:a163:f5f7/128
                                        On-link
     14    306 fe80::85c1:9f32:ecad:4c87/128
                                        On-link
     12    261 fe80::b1c2:e074:6e9c:8ea8/128
                                        On-link
      1    306 ff00::/8                 On-link
     14    306 ff00::/8                 On-link
     13    306 ff00::/8                 On-link
     12    261 ff00::/8                 On-link
     11    261 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 2002:5e9c:a08:8000::/64  On-link
      0 4294967295 2002:5e9c:a08:8001::/96  On-link
      0 4294967295 2002:5e9c:a08:8000::/49  On-link
      0 4294967295 2002:5e9c:a08::/64       On-link
      0 4294967295 2002:5e9c:a09::/64       On-link
      0 4294967295 2002:5e9c:a08:8000::/64  On-link
      0 4294967295 2002:5e9c:a08:8001::/96  On-link
      0 4294967295 2002:5e9c:a08:8000::/49  On-link
      0 4294967295 2002:5e9c:a08:8100::/64  On-link
    ===========================================================================

     

    Wednesday, April 28, 2010 9:42 AM
  • Thanks!!!

    This solved the issue.

    Workstation Routing table looks like:

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     21    286 ::/0                     fe80::5efe:10.1.3.3
      1    306 ::1/128                  On-link
     21   4126 2002::/16                fe80::5efe:10.1.3.3
     21    286 2002:5e9c:a08::/64       fe80::5efe:10.1.3.3
     21     38 2002:5e9c:a08:8000::/49  On-link
     21     38 2002:5e9c:a08:8000::/64  On-link
     21    286 2002:5e9c:a08:8000:0:5efe:10.2.3.129/128
                                        On-link
     21    286 2002:5e9c:a08:8100::/64  fe80::5efe:10.1.3.3
     21    286 2002:5e9c:a09::/64       fe80::5efe:10.1.3.3
     12    281 fe80::/64                On-link
     21    286 fe80::5efe:10.2.3.129/128
                                        On-link
     12    281 fe80::e04e:4331:26e:1734/128
                                        On-link
      1    306 ff00::/8                 On-link
     12    281 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    Wednesday, April 28, 2010 11:56 AM
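
Added example, not part of the thread and not UAG or Microsoft code: a Python check over the IPv6 section of `route print` output that covers both symptoms discussed above, namely which next hop a client would pick for an ISATAP peer and which persistent routes on the server are duplicated. The function names and the `PEER` constant are hypothetical; the sample route lines are copied from the outputs posted in this thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: IPv6 route lines copied from the thread's route print output.
CLIENT_BEFORE = """\
 14    281 ::/0                     fe80::5efe:10.1.3.3
 14     33 2002:5e9c:a08:8000::/49  fe80::5efe:10.1.3.3
 14     33 2002:5e9c:a08:8000::/64  fe80::5efe:10.1.3.3
 14    281 2002:5e9c:a08:8000:0:5efe:10.2.2.46/128
                                    On-link
"""
CLIENT_AFTER = """\
 21     38 2002:5e9c:a08:8000::/49  On-link
 21     38 2002:5e9c:a08:8000::/64  On-link
"""
UAG_PERSISTENT = """\
  0 4294967295 2002:5e9c:a08:8000::/64  On-link
  0 4294967295 2002:5e9c:a08:8001::/96  On-link
  0 4294967295 2002:5e9c:a08:8000::/49  On-link
  0 4294967295 2002:5e9c:a08::/64       On-link
  0 4294967295 2002:5e9c:a09::/64       On-link
  0 4294967295 2002:5e9c:a08:8000::/64  On-link
  0 4294967295 2002:5e9c:a08:8001::/96  On-link
  0 4294967295 2002:5e9c:a08:8000::/49  On-link
  0 4294967295 2002:5e9c:a08:8100::/64  On-link
"""
PEER = "2002:5e9c:a08:8000:0:5efe:10.2.2.31"  # workstation B in the tracert
ROUTE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+/\d+)(?:\s+(\S+))?\s*$")


def parse_routes(text):
    """Return (metric, network, gateway) tuples, rejoining wrapped gateway lines."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            pending = (int(m.group(2)), ipaddress.IPv6Network(m.group(3)))
            gateway = m.group(4)  # None when route print wrapped it to the next line
        else:
            gateway = line.strip()
        if pending and gateway:
            routes.append(pending + (gateway,))
            pending = None
    return routes


def next_hop(routes, destination):
    """Gateway of the best match: longest prefix first, then lowest metric."""
    dest = ipaddress.IPv6Address(destination)
    matches = [r for r in routes if dest in r[1]]
    best = min(matches, key=lambda r: (-r[1].prefixlen, r[0]), default=None)
    return best[2] if best else None


def duplicate_prefixes(routes):
    """Prefixes that are listed more than once, with their counts."""
    counts = Counter(str(net) for _, net, _ in routes)
    return {p: n for p, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("before:", next_hop(parse_routes(CLIENT_BEFORE), PEER))
    print("after: ", next_hop(parse_routes(CLIENT_AFTER), PEER))
    print("duplicates:", duplicate_prefixes(parse_routes(UAG_PERSISTENT)))
```

A next hop other than `On-link` for a peer inside the ISATAP /64 is the condition that sends host-to-host traffic through the UAG server.
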
  • Hi there,

    I'm also experiencing this in our environment. 2 x Win7 laptops in a branch office, both on the same switch, will communicate with each other via the UAG isatap box in the head office - thus a round trip over the WAN.

    I've followed the advice here, and whilst it does solve the problem initially, it comes back. I'm guessing that GP refresh or something recreates the isatap adapters, and the laptops start talking via the UAG box again.

    On one laptop there were 2 hidden isatap adapters - on the other laptop, 7.

    Is there anything else I can try to resolve this? We're about to start upgrading our laptop fleet to Win7 to take advantage of DirectAccess, but this is a bit of a show-stopper for us. Please let me know if there's anything else that anyone can suggest?

    Kind Regards,

    Matt Russell,

    Queensland, Australia

    • Edited by Matto-FNQ Tuesday, May 25, 2010 7:52 AM spelling
    Tuesday, May 25, 2010 7:51 AM
  • Hi Matto,

    Are you seeing the same symptoms where the routes on the UAG DirectAccess servers are duplicated? Do you also see several hidden ISATAP adapters on the server or only on laptops?

    I'm currently investigating this issue so we can fix this for SP1 and I'd really like to know more about your deployment. Can you please contact me at yanivn@microsoft.com

    Thanks,

    Yaniv

    Tuesday, May 25, 2010 1:59 PM
  • Hi there,

    I'm also experiencing this in our environment. 2 x Win7 laptops in a branch office, both on the same switch, will communicate with each other via the UAG isatap box in the head office - thus a round trip over the WAN.

    I've followed the advice here, and whilst it does solve the problem initially, it comes back. I'm guessing that GP refresh or something recreates the isatap adapters, and the laptops start talking via the UAG box again.

    On one laptop there were 2 hidden isatap adapters - on the other laptop, 7.

    Is there anything else I can try to resolve this? We're about to start upgrading our laptop fleet to Win7 to take advantage of DirectAccess, but this is a bit of a show-stopper for us. Please let me know if there's anything else that anyone can suggest?

    Kind Regards,

    Matt Russell,

    Queensland, Australia


    Hi Matt,

    Are you also seeing the hidden adapters on the UAG server as well?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, May 25, 2010 2:18 PM
    Moderator
  • Hi Yaniv & Tom ,

    My apologies Yaniv - I misread your earlier answer, and in my rush didn't realise that I needed to delete the hidden isatap interfaces on the UAG server, not the laptops. Thanks very much to both of you for offering to help so quickly.

    Looking at the UAG server, there are currently 5 hidden ISATAP adapters.

    In case it's of any help, below is the output of "route print" on our UAG server. I noticed that there are a number of duplicate (and triplicate) routes in the persistent route section, which seems to line up against Petko's setup as well.

    Again, my apologies for misreading the instructions - let me know if you would like any further information. Yaniv - let me know if you would like me to go ahead and work through your earlier resolution directions. Yaniv - I'll email you a copy of this post now.

    Thanks very much for your help,

    Matt Russell :)

     

    <<config info removed>>

    Wednesday, May 26, 2010 2:31 AM
  • Hi Yaniv,

    Thanks so much for this solution. We had the exact same problem, and it was also causing mayhem with our Exchange 2010 server and local domain controller.

    All fixed up now.

    Thanks.
    Justin

    Tuesday, June 21, 2011 8:48 AM
  • Hi Justin,

    I'm glad it helped.

     

    Cheers

    Tuesday, June 21, 2011 9:31 AM