Are more ISPs blocking Teredo lately or do I have some other problem?

  • Question

  • I've noticed that on my primary machine and my test machine, connections over Teredo are always failing lately (always falls back to IP-HTTPS, 15 out of 15 times when I tested).  At the time of connection, Teredo goes into the probe state, then eventually goes to the offline state, giving the error "primary teredo server unavailable over UDP".  On my primary machine, this is reproducible on both my cellular ISP (Sprint) and my home ISP (WOW Cable).  The test machine I've tested only with the cellular ISP.  These same clients both used to connect with Teredo regularly a few months back (I don't know how long this issue has been going on exactly).

    I did notice from a brief look at the logs that a couple other users had established Teredo sessions around the time I was testing yesterday... which makes me wonder if maybe my specific ISPs are doing something to block Teredo.  Also could be a client issue, but it seems strange it would be on both boxes that used to work fine with Teredo.  I did also notice they were connecting to the second server in my array and I was connecting to the first.  All health indicators look good in the UAG management site.

    Has anyone else noticed whether there's a trend toward ISPs blocking Teredo lately?  My firewall shows my Teredo connection attempts on UDP 3544 are getting in and being passed to the DA servers... but as I recall, when my cable ISP blocked 6to4, the initial connection establishment traffic gets in too.

    Thanks in advance,


    Tuesday, January 17, 2012 1:32 PM

All replies

  • I have not noticed any trends, but that doesn't mean it's not happening in your area. Make sure to spend some time focusing on the client machine itself as well. The "unreachable over UDP" message typically points at a firewall (I doubt an ISP would actually block a UDP port, though I do recognize that some have blocked Protocol 41 for 6to4). If it happens for all users, then the firewall block usually lies on the datacenter side, but if it is only some machines, it could be a firewall running on the client computer. Many antivirus software packages have firewalls now. One that I have seen trouble with is Symantec Endpoint Protection, more specifically the Network Threat Protection that comes with it. There is a default rule in there that blocks the UDP traffic necessary for Teredo to work.
    Thursday, January 19, 2012 4:14 PM
  • Wow, it turns out it was something really silly. When I recently applied TMG SP2, it errored out on the second box in the array, so my servers were out of sync. Once I got that update downloaded (it would only install without error locally on my second box, for some reason) everything was happy again in the Teredo world. Whoops.
    Friday, January 20, 2012 8:50 PM