Teredo not working and cannot ping IPv4 addresses

  • Question

  • I recently got UAG working but it only works over IPHTTPS - no Teredo.

    When I do a port scan on the WAN of the UAG server it doesn't show port 3544 as being open. Is this normal for UAG? Can someone check a working Teredo setup to see whether they can see that port as being open on the WAN NIC? I plug into the same VLAN as the WAN NIC on the UAG, so no other firewall could be preventing this.

    Also, I cannot ping any IPv4 addresses on my LAN behind the UAG server. All devices behind the UAG server are running IPv4 and can access them by name only. I would like to be able to ping for troubleshooting.

    I presume that any network the UAG server can reach, the remote clients should be able to reach as well? I have several other networks that must be accessible and are on the LAN side of the UAG server.

     

     

    Teredo Parameters
    ---------------------------------------------
    Type                    : server
    Virtual Server Ip       : x.x.x.x (first real IP address on WAN NIC)
    Client Refresh Interval : 30 seconds
    State                   : online

    Server Packets Received : 2191
    Success                 : 2188 (Bubble 560, Echo 343, RS1 1207 RS2 78)
    Failure                 : 3 (Hdr 3, Src 0, Dest 0, Auth 0)

    Relay Packets Received  : 204
    Success                 : 123 (Bubble 123, Data 0)
    Failure                 : 58 (Hdr 0, Src 0, Dest 58)

    Relay Packets Sent      : 1032
    Success                 : 1612 (Bubble 594, Data 1018)
    Failure                 : 4 (Hdr 0, Src 4, Dest 0)

    Packets Received in the last 30 seconds:
    Bubble 0, Echo 0, RS1 0, RS2 0
    6to4 source address 0, native IPv6 source address 0
    6to4 destination address 0, native IPv6 destination address 0


    Estimated Bandwidth consumed in the last 30 seconds (in BPS):
    Bubble 0, Echo 0, Primary 0, Secondary 0
    6to4 source address 0, native IPv6 source address 0
    6to4 destination address 0, native IPv6 destination address 0


    C:\Windows\system32>netstat -an


      UDP    x.x.x.x:3544    *:*   (first real IP)
     
      UDP    x.x.x.x:3544    *:* (second real IP)
     

     

    Friday, August 20, 2010 7:56 AM

Answers

  • Hi MrShannon,

    As Yaniv pointed out, if this is a UAG deployment, the TMG component is going to block pings to the IPv4 addresses on the UAG server.

    However, if you do a netsh name show eff

    to see the IPv6 address of the UAG server, you can ping that.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Thursday, September 2, 2010 8:19 PM
    Tuesday, August 31, 2010 2:56 PM
    Moderator

All replies

  • If I remember correctly, Teredo is triggered only when the DirectAccess client is directly connected to the Internet with a NAT client without any firewall. Is that the case?


    Follow me on Twitter http://www.twitter.com/liontux
    My Blog (French) : http://security.sakuranohana.fr/search/label/FR
    My Blog (English) : http://security.sakuranohana.fr/search/label/EN

    Friday, August 20, 2010 11:50 AM
  • You cannot ping using IPv4 address, you have to use names or IPv6 addresses.

    You can predict the IPv6 address based upon the IPv4 NAT64 behaviour if you need to as discussed here: http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx

    You will need to consider your static routes on UAG to ensure return packets can reach DA clients from remote subnets.

    Have you tried running a diagnostic log using the DirectAccess Connectivity Assistant (DCA tool) from a DA client?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, August 20, 2010 12:57 PM
    Moderator
  • Hi Kins,

    What tests are you doing to determine that Teredo is not working for you?

    Thanks!

    Tom


    Friday, August 20, 2010 1:04 PM
    Moderator
  • Hi Lionel,

    Teredo is used when 6to4 can't be used - typically when the DirectAccess client is located behind a NAT device.

    HTH,

    Tom


    Friday, August 20, 2010 1:04 PM
    Moderator
  • Thanks for the responses

     

    It is not working, as when I ping servers on the LAN I see the bytes increase on the IPHTTPS adapter

    netsh int ipv6 show sub

       MTU  MediaSenseState   Bytes In  Bytes Out  Interface
    ------  ---------------  ---------  ---------  -------------
    4294967295                1          0        152  Loopback Pseudo-Interface 1
      1280                1       1012       2082  Teredo Tunneling Pseudo-Interface

      1280                1          0      54576  6TO4 Adapter
      1280                1     320960     169762  iphttpsinterface
      1280                5          0          0  isatap.home.local

    I am running a continuous ping to a server on the LAN and enter netsh interface teredo set state disabled and the ping doesn't drop. When I enter netsh interface teredo set state client it drops 3 packets and resumes pinging.

    With the IPHTTPS interface deactivated I cannot ping anything on the LAN:

    C:\>netsh interface httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://server.domain.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface deactivated

     

    I can ping and connect to everything with IPHTTPS enabled

    C:\Windows\system32>netsh interface httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://server.domain.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active

     


     

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : ipv6 address(Preferred)
       Link-local IPv6 Address . . . . . : ipv6 address(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . : home.local
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : ipv6 address(Preferred)
       Default Gateway . . . . . . . . . : ipv6 address
       DNS Servers . . . . . . . . . . . : 89.101.160.4
                                           89.101.160.5
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft IP-HTTPS Platform Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : ipv6 address(Preferred)
       Temporary IPv6 Address. . . . . . : ipv6 address(Preferred)
       Link-local IPv6 Address . . . . . : ipv6 address (Preferred)
       Default Gateway . . . . . . . . . : ipv6 address
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.home.local:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

     

     

     

     

    The connectivity assistant is not much use and doesn't have any errors in it, except for the fact I am not getting any address on the teredo interface. The built in troubleshooter in Windows 7 "couldn't identify the problem" - no surprises there :)

     

    Any ideas on how to focus my attention on the Teredo issue ? I understand re the IPv4 pinging and was wondering had you any ideas on why the Teredo port is not up when I port scan the WAN on the UAG box ?

     

     

     

    Friday, August 20, 2010 4:52 PM
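
The counter comparison described in the post above (watching which tunnel's byte counts grow while pinging) can be scripted. This is an added example, not part of the original thread: it parses two snapshots of the `netsh int ipv6 show sub` table and reports which interface carried the traffic. The first snapshot is the table from the post; the second snapshot's values and all function names are constructed for illustration.

```python
import re

# First snapshot: the `netsh int ipv6 show sub` table quoted in the post above.
BEFORE = """\
   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0        152  Loopback Pseudo-Interface 1
  1280                1       1012       2082  Teredo Tunneling Pseudo-Interface
  1280                1          0      54576  6TO4 Adapter
  1280                1     320960     169762  iphttpsinterface
  1280                5          0          0  isatap.home.local
"""

# Second snapshot: constructed values, standing in for a capture taken after a
# run of pings to a LAN server (Teredo sent only bubbles, IP-HTTPS moved data).
AFTER = (BEFORE.replace("2082", "2290")
               .replace("320960", "324800")
               .replace("169762", "173602"))

# MTU, MediaSenseState, Bytes In, Bytes Out, then a name that may contain spaces.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

def parse_subinterfaces(text):
    """Return {interface name: (bytes_in, bytes_out)} from the netsh table."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and blank lines do not match
            _mtu, _state, b_in, b_out, name = m.groups()
            counters[name] = (int(b_in), int(b_out))
    return counters

def traffic_delta(before, after):
    """Bytes in/out gained per interface between two snapshots."""
    old, new = parse_subinterfaces(before), parse_subinterfaces(after)
    return {n: (new[n][0] - old[n][0], new[n][1] - old[n][1])
            for n in new if n in old}

def busiest_tunnel(before, after):
    """Interface whose counters grew the most, or None if nothing moved."""
    delta = traffic_delta(before, after)
    name = max(delta, key=lambda n: sum(delta[n]), default=None)
    return name if name and sum(delta[name]) > 0 else None

if __name__ == "__main__":
    for name, (d_in, d_out) in traffic_delta(BEFORE, AFTER).items():
        print(f"{name:36} +{d_in} in  +{d_out} out")
    print("Traffic is using:", busiest_tunnel(BEFORE, AFTER))
```
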
  • Hi,

    As mentioned, Teredo comes into play when 6to4 cannot be used, because the computer is behind a NAT device. However, there are several types of NAT, and Teredo cannot be used with all. If the NAT type is Symmetric, Teredo won't work, and the system will fall back to IPHTTPS. You typically don't have control over the type of NAT in use, but to narrow things down, I would recommend you check with other clients to verify that:

    1. 6to4 CAN work, if a client is connected to the internet directly.

    2. Teredo CAN work with at least SOME NAT scenarios (home router, vs some company NAT)

     


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Sunday, August 22, 2010 8:37 AM
    • Unmarked as answer by kins Sunday, August 22, 2010 12:49 PM
    Sunday, August 22, 2010 8:36 AM
  • I have a Cisco router at home doing PAT so Teredo should be working. All traffic is allowed out.
    Monday, August 23, 2010 6:28 AM
  • Can you check the teredo state on the client?

    Also, start a packet capture on the UAG server and filter all the UDP 3544 packets.

    Then you'll have a better clue of whether UAG is receiving and responding to the teredo packets

    Monday, August 23, 2010 8:46 AM
  • If you disable the IP-HTTPS interface, does Teredo come up?

    Tom

    Monday, August 23, 2010 1:56 PM
  • Can you ping the external IPv4 addresses of the UAG server?  I had that break Teredo for me.
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, August 24, 2010 12:06 PM
  • Do a:

    netsh interface teredo show state

    from the command prompt.

    Also, do you show that both the Teredo and IP-HTTPS interfaces come up at the same time?

    If so, check out:

    http://blogs.technet.com/b/tomshinder/archive/2010/08/24/why-are-both-the-teredo-and-ip-https-interfaces-active.aspx

    HTH,

    Tom


    Wednesday, August 25, 2010 2:23 PM
    Moderator
  • Can you ping the external IPv4 addresses of the UAG server?  I had that break Teredo for me.
    MrShannon | TechNuggets Blog | Concurrency Blogs


    Hi Shannon,

    The external IPv4 address of the UAG server shouldn't be pingable. Ping is blocked by default, and Teredo should work nonetheless.

    Thursday, August 26, 2010 1:59 PM