DirectAccess setup: Can't connect

  • Question

  • Hi,

    I'm using UAG to set up DirectAccess, and can't seem to get it to work. I have combed through the MS troubleshooting documents to no avail. I'm wondering if TMG is blocking things. I walked through the wizard, have two consecutive external IPs, and the internal IP does not have a gateway. I also added an ISATAP A record to my DNS. I also manually added an AAAA record for ISATAP as well.

    Doing a netsh interface teredo show state on the client gives me a "probe" state, and then a few minutes later it throws an error that the Teredo server can't connect over UDP. I manually opened up UDP 3544 on TMG. It appears it's trying to use IP-HTTPS; however, even though it says it's connected, access to resources isn't possible.

    ipconfig on the client shows the iphttpsinterface as having a public IPv6 address starting with 2002. It's also showing a temporary IPv6 address. Is this normal?

    I can ping my external DA NIC, reach IP-HTTPS via a web browser, and netsh interface httpstunnel show interfaces shows it active. I'm not sure what else to check for. Some more info...

    I do have two isatap.{hex} adapters on both the client and the server. None of them are labeled isatap.fqdn.com; is this normal? The hex strings do not match between client and server.

    Also, I do not have an internet-accessible CRL available. I wasn't clear, if using a third-party SSL cert as I am, whether this was needed. In the MS docs, CRL was mentioned under using private certificates.

    What am I missing? Will be glad to post some output if you'd like...

    Thanks!

    Thursday, May 13, 2010 3:54 PM

All replies

  • Have you unblocked ISATAP from the global query block list?

    Is the Windows Firewall on? IPsec uses the Windows Firewall.

     

    Friday, May 14, 2010 12:09 AM
  • Hi DS,

    You only need an A record for ISATAP; there is no need for an AAAA record.

    Never configure TMG manually on the UAG server unless you are using a procedure documented on TechNet or on the UAG Team blog. There is no need to create a rule for UDP 3544 on the TMG firewall.

    CRL is required for both the IP-HTTPS certificate and the Network Location Certificate. If you are using a commercial certificate for the IP-HTTPS listener, then the commercial provider has a CRL that's already highly available. The Network Location Server CRL must be available to internal clients, and you'll likely use a private CA for that.

    Check your main mode and quick mode IPsec status in the Windows Firewall with Advanced Security console. Do you see an NTLMv2 connection but not a Kerberos connection?

    Also, check out the troubleshooting quick start guide over at http://blogs.technet.com/edgeaccessblog/archive/2010/04/07/basic-troubleshooting-steps-for-uag-directaccess.aspx

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, May 14, 2010 12:11 PM
    Moderator
  • Guys,

    Thanks for your replies; I was able to make some progress. Having confirmed that the Windows Firewall is on, a netsh interface teredo show state reveals:

    C:\Windows\system32>netsh interface teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 68.216.10.55 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo host-specific relay
    Network                 : unmanaged
    NAT                     : restricted
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           : 10.0.1.5:61271
    External NAT Mapping    : 68.216.10.57:40832

    Looking in the Windows Firewall console on the client, there are no entries of any kind for either main mode or quick mode.

    netsh name sh eff outputs:

    DNS Effective Name Resolution Policy Table Settings


    Settings for nls.gsba.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Bypass proxy

     

    Settings for da.gsba.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Bypass proxy

     

    Settings for .gsba.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38
    DirectAccess (Proxy Settings)           : Bypass proxy

    Is IPsec supposed to be disabled? This looked odd. Also, in the referenced troubleshooting document, I was able to get down to the "ping the DNS server IPv6 address" step. Running ping -6 2002:44d8:a38::44d8:a38 timed out.

    One additional oddity regarding certificates: I'm using a third-party CA (GoDaddy) for the NLS and DA IP-HTTPS URL. The CAs listed above, however, use my PKI's root cert. Is this normal?

     

    Thanks for your insight - I'm looking forward to getting this working.

    Saturday, May 15, 2010 9:21 PM
  • IPsec settings are supposed to be disabled in the NRPT, but not in the Windows Firewall.

    In your logs Teredo is connected, but IP-HTTPS is in use (Teredo is in host-specific relay mode, which means it is used only to access other Teredo clients).

    Anyway, a few days ago you said you could ping the DA server's external IPv6 address, but now it times out.

    This is a critical step: if "ping 2002:44d8:a38::44d8:a38" doesn't work for you, then the issue is basic IPv6 connectivity. If it does work, then it might be an IPsec authentication issue.

    Please let us know if the ping works.

    If it doesn't, send us the output of "ipconfig" and "route print".

    If it does, enable IPsec event log auditing on the UAG server with "auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /failure:enable" and check the Security event log for failures (the most common issue is that you don't have a valid IPsec certificate on the client machine).

    Sunday, May 16, 2010 9:11 PM
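The auditing step Yaniv describes here (and asks about again later in the thread, when the command fails with "A required privilege is not held by the client") as an added PowerShell example. This is editor-written code, not part of the thread or of UAG: it checks that the prompt is elevated before changing audit policy, enables failure auditing for the two IPsec subcategories named above, and then pulls the resulting Audit Failure events out of the Security log by subcategory name rather than by hard-coded event ID. The 30-minute lookback window is an assumption; run it on the UAG DirectAccess server.

```powershell
# Added example (editor's code, not from the thread or from UAG): enable IPsec
# failure auditing and read back the failures from the Security log.
# auditpol.exe changes audit policy, which is why it must run elevated; an
# unelevated prompt gives "A required privilege is not held by the client".

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt on the DA server.'
}

# The exact subcategories named in the thread. They live under Logon/Logoff.
& auditpol.exe /set /subcategory:"IPsec Main Mode","IPsec Extended Mode" /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Echo the effective policy so a misapplied setting is visible immediately.
& auditpol.exe /get /category:"Logon/Logoff"

# 0x10000000000000 is the "Audit Failure" keyword; Get-WinEvent matches it
# bitwise, so this selects only failure audits. The task name carries the
# subcategory ("IPsec Main Mode", "IPsec Extended Mode"), so no event IDs
# need to be hard-coded. Lookback window is an assumption; adjust as needed.
$since = (Get-Date).AddMinutes(-30)
$failures = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Keywords  = 0x10000000000000
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -like 'IPsec*' })

if ($failures.Count -eq 0) {
    Write-Host "No IPsec audit failures since $since. Reconnect a DirectAccess client and rerun."
} else {
    $failures | Select-Object TimeCreated, Id, TaskDisplayName | Format-Table -AutoSize
    # The message body carries the failure reason (for example a certificate
    # that could not be validated) and the peer addresses; show the newest one.
    $failures[0].Message
}
```

Once the client has reconnected and a failure has been logged, the message text of the newest event is usually enough to tell an IPv6 reachability problem from the certificate problem Yaniv mentions as the most common cause.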
  • Yaniv,


    Thanks for joining the thread. When I mentioned in the first post that I could ping the DA server, I was able to ping the IPv4 address (after adding a rule in TMG to do so; I know Tom said to leave TMG alone, but it wouldn't accept a ping otherwise).

    Consistently, if I disabled and re-enabled the NIC on the client, I could ping the IPv6 DNS address for about 10 seconds, and then it would stop responding (almost as if the DA connection kicked in).

     

    Below is ipconfig /all and route print for both the client and server. Sorry for the long post...

    CLIENT OUTPUT:

    C:\Windows\system32>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WSLTPCT66JVM
       Primary Dns Suffix  . . . . . . . : gsba.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : gsba.com
                                           localdomain
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : localdomain
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-0C-29-70-93-56
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::516e:db76:327:d858%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.16.99.159(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Sunday, May 16, 2010 6:12:21 PM
       Lease Expires . . . . . . . . . . : Sunday, May 16, 2010 6:42:21 PM
       Default Gateway . . . . . . . . . : 172.16.99.2
       DHCP Server . . . . . . . . . . . : 172.16.99.254
       DHCPv6 IAID . . . . . . . . . . . : 234884137
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-42-F1-E0-00-0C-29-70-93-56
       DNS Servers . . . . . . . . . . . : 172.16.99.2
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.localdomain:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : localdomain
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:44d8:a37:1891:a34:ba4b:e260(Preferred)
       Link-local IPv6 Address . . . . . : fe80::1891:a34:ba4b:e260%13(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:44d8:a37:8100:2c15:9f93:f5f:7699(Preferred)
       Temporary IPv6 Address. . . . . . : 2002:44d8:a37:8100:b189:af11:aff5:7389(Preferred)
       Link-local IPv6 Address . . . . . : fe80::2c15:9f93:f5f:7699%18(Preferred)
       Default Gateway . . . . . . . . . : fe80::e802:f51b:8651:3b68%18
       NetBIOS over Tcpip. . . . . . . . : Disabled
    C:\Windows\system32>route print
    ===========================================================================
    Interface List
     11...00 0c 29 70 93 56 ......Intel(R) PRO/1000 MT Network Connection
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     18...00 00 00 00 00 00 00 e0 iphttpsinterface
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      172.16.99.2    172.16.99.159     10
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          172.16.99.0    255.255.255.0         On-link     172.16.99.159    266
        172.16.99.159  255.255.255.255         On-link     172.16.99.159    266
        172.16.99.255  255.255.255.255         On-link     172.16.99.159    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     172.16.99.159    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     172.16.99.159    266
    ===========================================================================
    Persistent Routes:
      None
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     18   4146 ::/0                     fe80::e802:f51b:8651:3b68
      1    306 ::1/128                  On-link
     13     58 2001::/32                On-link
     13    306 2001:0:44d8:a37:3019:b3:ba4b:e260/128
                                        On-link
     18   4146 2002::/16                fe80::e802:f51b:8651:3b68
     18    306 2002:44d8:a37::/64       fe80::e802:f51b:8651:3b68
     18    306 2002:44d8:a37:8000::/49  fe80::e802:f51b:8651:3b68
     18    306 2002:44d8:a37:8000::/64  fe80::e802:f51b:8651:3b68
     18     58 2002:44d8:a37:8100::/64  fe80::e802:f51b:8651:3b68
     18    306 2002:44d8:a37:8100:2c15:9f93:f5f:7699/128
                                        On-link
     18    306 2002:44d8:a37:8100:b189:af11:aff5:7389/128
                                        On-link
     18    306 2002:44d8:a38::/64       fe80::e802:f51b:8651:3b68
     18    306 fe80::/64                On-link
     11    266 fe80::/64                On-link
     13    306 fe80::/64                On-link
     18    306 fe80::2c15:9f93:f5f:7699/128
                                        On-link
     13    306 fe80::3019:b3:ba4b:e260/128
                                        On-link
     11    266 fe80::516e:db76:327:d858/128
                                        On-link
      1    306 ff00::/8                 On-link
     18    306 ff00::/8                 On-link
     13    306 ff00::/8                 On-link
     11    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    SERVER OUTPUT:

    C:\Windows\system32>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : <<redacted>>
       Primary Dns Suffix  . . . . . . . : gsba.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : gsba.com

    Ethernet adapter Local Area Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : SSL Network Tunneling
       Physical Address. . . . . . . . . : 00-FF-08-01-19-47
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Internal:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-13-72-63-C1-60
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::7466:cf80:ad58:262b%11(Preferred)
       IPv4 Address. . . . . . . . . . . : <<redacted>>
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 234886002
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-71-01-84-00-13-72-63-C1-60

       DNS Servers . . . . . . . . . . . : <<redacted>>
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter External:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
       Physical Address. . . . . . . . . : 00-13-72-63-C1-61
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::7d9f:d57c:2647:8476%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 68.216.10.55(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.224
       IPv4 Address. . . . . . . . . . . : 68.216.10.56(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.224
       Default Gateway . . . . . . . . . : 68.216.10.33
       DHCPv6 IAID . . . . . . . . . . . : 301994866
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-71-01-84-00-13-72-63-C1-60

       DNS Servers . . . . . . . . . . . : 8.8.8.8
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::8000:f227:bb27:f5c8%13(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:44d8:a37::44d8:a37(Preferred)
       IPv6 Address. . . . . . . . . . . : 2002:44d8:a38::44d8:a38(Preferred)
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . : 8.8.8.8
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{F605535B-E3CE-4EBB-B74C-E376FEFB6E42}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:44d8:a37:8000:0:5efe:192.168.0.8(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.8%16(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.0.4
                                           192.168.0.6
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter IPHTTPSInterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : IPHTTPSInterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:44d8:a37:8100:e802:f51b:8651:3b68(Preferred)
       Link-local IPv6 Address . . . . . : fe80::e802:f51b:8651:3b68%17(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{39B5E566-2C84-4DD8-9F04-F8462FE2A254}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:44d8:a37:8100:200:5efe:68.216.10.55(Preferred)
       Link-local IPv6 Address . . . . . : fe80::200:5efe:68.216.10.55%18(Preferred)

       Link-local IPv6 Address . . . . . : fe80::200:5efe:68.216.10.56%18(Preferred)

       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 8.8.8.8
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{3E68342A-2B45-43B0-9BB7-08BED7E2C392}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32>route print
    ===========================================================================
    Interface List
     14...00 ff 08 01 19 47 ......SSL Network Tunneling
     11...00 13 72 63 c1 60 ......Intel(R) PRO/1000 MT Network Connection
     12...00 13 72 63 c1 61 ......Intel(R) PRO/1000 MT Network Connection #2
      1...........................Software Loopback Interface 1
     13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
     18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     68.216.10.33     68.216.10.55    266
         68.216.10.32  255.255.255.224         On-link      68.216.10.55    266
         68.216.10.55  255.255.255.255         On-link      68.216.10.55    266
         68.216.10.56  255.255.255.255         On-link      68.216.10.55    266
         68.216.10.63  255.255.255.255         On-link      68.216.10.55    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.0.0    255.255.255.0         On-link       192.168.0.8    276
          192.168.0.8  255.255.255.255         On-link       192.168.0.8    276
        192.168.0.255  255.255.255.255         On-link       192.168.0.8    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.0.8    276
            224.0.0.0        240.0.0.0         On-link      68.216.10.55    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.0.8    276
      255.255.255.255  255.255.255.255         On-link      68.216.10.55    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     68.216.10.33  Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     15   1125 ::/0                     2002:c058:6301::c058:6301
      1    306 ::1/128                  On-link
     13     58 2001::/32                On-link
     15   1025 2002::/16                On-link
     15    281 2002:44d8:a37::/64       On-link
     15    281 2002:44d8:a37::44d8:a37/128
                                        On-link
     16    266 2002:44d8:a37:8000::/49  On-link
     16    266 2002:44d8:a37:8000::/64  On-link
     16    266 2002:44d8:a37:8000::/128 On-link
     16    266 2002:44d8:a37:8000:0:5efe:192.168.0.8/128
                                        On-link
     16    266 2002:44d8:a37:8001::/96  On-link
     18    281 2002:44d8:a37:8100::/64  On-link
     17    306 2002:44d8:a37:8100::/64  On-link
     17    306 2002:44d8:a37:8100::/128 On-link
     18    281 2002:44d8:a37:8100::/128 On-link
     18    281 2002:44d8:a37:8100:200:5efe:68.216.10.55/128
                                        On-link
     17    306 2002:44d8:a37:8100:e802:f51b:8651:3b68/128
                                        On-link
     15    281 2002:44d8:a38::/64       On-link
     15    281 2002:44d8:a38::44d8:a38/128
                                        On-link
     11    266 fe80::/64                On-link
     12    276 fe80::/64                On-link
     13    306 fe80::/64                On-link
     17    306 fe80::/64                On-link
     16    266 fe80::5efe:192.168.0.8/128
                                        On-link
     18    281 fe80::200:5efe:68.216.10.55/128
                                        On-link
     18    281 fe80::200:5efe:68.216.10.56/128
                                        On-link
     11    266 fe80::7466:cf80:ad58:262b/128
                                        On-link
     12    276 fe80::7d9f:d57c:2647:8476/128
                                        On-link
     13    306 fe80::8000:f227:bb27:f5c8/128
                                        On-link
     17    306 fe80::e802:f51b:8651:3b68/128
                                        On-link
      1    306 ff00::/8                 On-link
     17    306 ff00::/8                 On-link
     13    306 ff00::/8                 On-link
     11    266 ff00::/8                 On-link
     12    276 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 2002:44d8:a37:8100::/64  On-link
      0 4294967295 2002:44d8:a37:8000::/64  On-link
      0 4294967295 2002:44d8:a37:8001::/96  On-link
      0 4294967295 2002:44d8:a37:8000::/49  On-link
      0 4294967295 2002:44d8:a37::/64       On-link
      0 4294967295 2002:44d8:a38::/64       On-link
      0 4294967295 2002:44d8:a37:8000::/64  On-link
      0 4294967295 2002:44d8:a37:8001::/96  On-link
      0 4294967295 2002:44d8:a37:8000::/49  On-link
      0 4294967295 2002:44d8:a37:8100::/64  On-link
    ===========================================================================

    Sunday, May 16, 2010 10:26 PM
  • Hi,

    I think I see the problem.

    On the client side everything looks good. You have IP-HTTPS up and active, and all the required routes are pointing back to the UAG DA server.

    However, on the UAG DA server, there is a misconfiguration of the routes.

     17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
     18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     18    281 2002:44d8:a37:8100::/64  On-link
     17    306 2002:44d8:a37:8100::/64  On-link

    The route 2002:44d8:a37:8100::/64 is used for IP-HTTPS clients. This route should only exist on the IP-HTTPS interface, so that traffic destined to IP-HTTPS clients is routed back to them through the appropriate interface. The problem is that this route is duplicated on your server. As you can see, it also exists on interface 18, which is the ISATAP adapter, and which even has a lower metric!

    In order to fix this issue, you need to manually delete all of these duplicate routes using the command "route delete", and then re-activate UAG.

    The reason ping worked for 10 seconds and then stopped is that the client Teredo interface works correctly, and as soon as IP-HTTPS came up (it takes 10 seconds exactly) and took precedence, your connection stopped working.

    I'm not sure what the root cause of this issue is, but I've seen it more than once. I believe something is causing Windows to set up the different transition technology interfaces with the GUIDs of other interfaces, causing the routes to get mixed up. I will open a bug about it and we'll try to investigate.

    Can you please tell me of anything unusual that you might have done with the network interfaces that could cause this? Any information will help us reproduce the problem and find a fix.

    Thanks,

    Yaniv

     

    Monday, May 17, 2010 8:25 AM
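The check Yaniv performed by eye on the posted route table, as an added PowerShell example (editor's code, not from the thread or from UAG). It parses the text of "route print -6", so it runs on Windows Server 2008 R2 with PowerShell 2.0 where the Get-NetRoute cmdlet does not exist, finds every IPv6 prefix that is bound to more than one interface, and prints the "route -6 delete" commands that strip the copies from every interface except the one that should own the prefix. The default owner name IPHTTPSInterface and the -RoutePrintFile option (for reviewing a pasted capture like the one above) are assumptions; nothing is deleted unless -Delete is given.

```powershell
# Added example (editor's code, not from the thread or from UAG). Finds IPv6
# prefixes bound to more than one interface in "route print -6" output, which
# is the condition diagnosed above (2002:44d8:a37:8100::/64 on IPHTTPSInterface
# and on "Microsoft ISATAP Adapter #2"), and prints or runs the "route -6 delete"
# commands for the copies on the wrong interfaces. Run elevated on the DA server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Interface that should keep the duplicated prefix (assumed default name).
    [string]$KeepInterface = 'IPHTTPSInterface',
    # Optional saved copy of "route print -6", e.g. output pasted into a forum.
    [string]$RoutePrintFile,
    # Run the delete commands instead of only printing them (-WhatIf honoured).
    [switch]$Delete
)

function Get-RouteTableText([string]$Path) {
    if ($Path) { return [IO.File]::ReadAllText($Path) }
    return (& route.exe print -6) -join "`n"
}

function Get-InterfaceNames([string]$Text) {
    # "Interface List" lines: " 17...00 00 00 00 00 00 00 e0 IPHTTPSInterface",
    # " 11...00 0c 29 70 93 56 ......Intel(R) PRO/1000 MT Network Connection",
    # "  1...........................Software Loopback Interface 1".
    $names = @{}
    $rx = '(?m)^\s*(\d+)\.{3}(?:[0-9a-f]{2}\s)*[.\s]*(\S.*?)\s*$'
    foreach ($m in [regex]::Matches($Text, $rx)) {
        $names[[int]$m.Groups[1].Value] = $m.Groups[2].Value
    }
    return $names
}

function Find-DuplicateIPv6Routes([string]$Text) {
    # Only the "Active Routes" part of the IPv6 table is examined; the
    # "Persistent Routes" list at the end shows interface 0 for every entry.
    $active = ($Text -split 'IPv6 Route Table')[-1]
    $active = ($active -split 'Persistent Routes')[0]
    $byPrefix = @{}
    # Route lines: "<if> <metric> <prefix>/<len> <gateway>"; a gateway that
    # wrapped onto the next line is simply not matched, which is fine here.
    $rx = '(?m)^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F:.]+/\d+)'
    foreach ($m in [regex]::Matches($active, $rx)) {
        $prefix = $m.Groups[3].Value
        # Link-local and multicast prefixes exist on every interface by design.
        if ($prefix -match '^(fe80:|ff00:)') { continue }
        if (-not $byPrefix.ContainsKey($prefix)) { $byPrefix[$prefix] = @() }
        $byPrefix[$prefix] += New-Object PSObject -Property @{
            Interface = [int]$m.Groups[1].Value
            Metric    = [int]$m.Groups[2].Value
        }
    }
    foreach ($prefix in $byPrefix.Keys) {
        $ifs = @($byPrefix[$prefix] | ForEach-Object { $_.Interface } | Sort-Object -Unique)
        if ($ifs.Count -gt 1) {
            New-Object PSObject -Property @{ Prefix = $prefix; Entries = $byPrefix[$prefix] }
        }
    }
}

$text  = Get-RouteTableText $RoutePrintFile
$names = Get-InterfaceNames $text
$keepIndex = $null
foreach ($kv in $names.GetEnumerator()) {
    if ($kv.Value -eq $KeepInterface) { $keepIndex = $kv.Key }
}
if ($keepIndex -eq $null) { throw "Interface '$KeepInterface' not found in the Interface List." }

foreach ($dup in Find-DuplicateIPv6Routes $text) {
    Write-Host "Prefix $($dup.Prefix) is bound to more than one interface:"
    foreach ($e in $dup.Entries) {
        $action = if ($e.Interface -eq $keepIndex) { 'keep' } else { 'delete' }
        Write-Host ("  if {0,-3} metric {1,-5} {2,-32} {3}" -f $e.Interface, $e.Metric, $names[$e.Interface], $action)
    }
    foreach ($e in $dup.Entries) {
        if ($e.Interface -eq $keepIndex) { continue }
        $cmd = "route -6 delete $($dup.Prefix) if $($e.Interface)"
        if ($Delete -and $PSCmdlet.ShouldProcess($names[$e.Interface], $cmd)) {
            & route.exe -6 delete $dup.Prefix if $e.Interface
        } else {
            Write-Host "  $cmd"
        }
    }
}
```

Against the server output posted above, this reports 2002:44d8:a37:8100::/64 and 2002:44d8:a37:8100::/128 on interfaces 17 and 18 and proposes deleting the interface 18 copies. Note that the "Persistent Routes" block of that same output lists several prefixes twice as well; the script only touches the active table, and the resolution the original poster reported in this thread was to clear the table, re-add the default route and re-activate UAG, which rewrites those persistent entries.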
  • Hi Yaniv,

    Thanks! I haven't seen this problem before, but now I know what to do when I do see it.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 17, 2010 2:12 PM
    Moderator
  • Yaniv,

    Thanks, this solved the ping problem; however, the connectivity issue still exists.

    Teredo's state is host-specific and IP-HTTPS is in use, using an Apple AirPort as a NAT router connected directly to my public switch. I can consistently ping the DA server using IPv6 over IP-HTTPS. I blew away the entire route table, re-added the default route and re-activated UAG (with a box restart) to get that working, so it looks like connectivity is up.

    I'm trying to run the tool you suggested. I'm running into "A required privilege is not held by the client." So I'm trying to troubleshoot that to get some more information...

    Monday, May 17, 2010 6:56 PM
  • Can you please elaborate?

    Do you see this in the Security Event Log?

    Can you type out the entire event description?

    Is the tool you're referring to auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /failure:enable?

    If so, make sure you run this command on the server.

    Tuesday, May 18, 2010 8:56 AM
  • Yaniv,

    When I ran auditpol on the server, it gave me the permission error in the CLI. I was able, however, to run this on the client.

    I'm happy to report everything is working great now. In addition to the routing table issue, I found a few major prerequisites missing: I had one DC running 2008 SP2, and the other was on SP1. Also, the Windows Firewall was OFF on the DA server. Once that was turned on and the other DC upgraded to SP2, I can verify 6to4, Teredo, and IP-HTTPS are all working.

    Thank you very much for your help! I appreciate it.

     

    Tuesday, May 18, 2010 12:45 PM
  • Yaniv,

    In response to your earlier question about the routing issue.

    I started with a clean install of 2008 R2, ran updates, then installed Forefront UAG/TMG from the ISO.

    I believe I did make the mistake of configuring the IPs and adapters after UAG was installed. I also did not have the isatap A record in DNS at the time of installation.

    Other than that, everything was pretty much by the book.

     

    Thanks again.

    Tuesday, May 18, 2010 12:48 PM
  • Great!

    Good to hear you got it working and thanks for the follow up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, May 18, 2010 2:49 PM
    Moderator