Can't ping internal IPv6 resources from the outside

  • Question

  • I'm troubleshooting a new DA installation and I think I've finally got most of it up and running.  But, I'm having trouble with one final detail.  I can't reach internal resources from the outside.  Specifically, I can't ping my internal machines including DNS from the outside via IPv6.  But I can ping the outside interface of the DA (ISATAP) server.  If I RDP into the DA server I can ping the internal DNS servers using their IPv6 addresses.

    I've followed the steps listed at: http://technet.microsoft.com/en-us/library/ee844184(WS.10).aspx and everything was configured correctly so that didn't help.

    In these instructions: http://technet.microsoft.com/en-us/library/ee624058(WS.10).aspx step 10 failed.

    I'm not sure where to turn next to troubleshoot this issue.  It appears to me that the DA server isn't routing IPv6 traffic between the two NICs.  If anyone has any advice or references that they could point me towards, I'd appreciate it.

    Thanks,

    J Eskew

    Friday, April 2, 2010 1:46 AM

Answers

All replies

  • Hi J,

    When you do an ipconfig /all do you see that you're assigned a 6to4, Teredo, or IP-HTTPS address?

    If so, check the Windows Firewall with Advanced Security Console. Do you see that there are Connection Security Rules for your DA client?

    Check the Monitoring node - do you have quick and main mode sessions with the UAG DA server?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, April 2, 2010 10:31 AM
  • When you do an ipconfig /all do you see that you're assigned a 6to4, Teredo, or IP-HTTPS address?

    If so, check the Windows Firewall with Advanced Security Console. Do you see that there are Connection Security Rules for your DA client?

    Check the Monitoring node - do you have quick and main mode sessions with the UAG DA server?


    1.  Using ipconfig /all on the DA server I see an ISATAP and two 6to4 addresses (corresponding to my two consecutive public IP addresses.)  I also see one IP-HTTPS but I can't ping it from the outside.

    As a matter of fact, I can only ping ONE of the two 6to4 addresses from the outside and I can't ping the ISATAP address remotely.

    2.  I see three Connection Security Rules on the DA server.  One rule is DaServerToCorp and endpoint1 covers the entire /64 address range.  Another is DaServerToDnsDc and endpoint1 shows both of my internal DNS servers IPv6 ISATAP addresses.

    There are four Connection Security Rules on the client.  Three that match the ones on the server but using endpoint2 and a fourth, clientToNlaExempt that points to the internal Intranet web server which is used as the NLA resource.  That one requires SSL but is set for no authentication.

    All of the other rules on both systems use Custom authentication.

    3. I'm not using UAG.  I'm only using DA on a W2K8R2 server.  The monitoring node of the DA control panel indicates everything is working correctly (previously, ISATAP wasn't working but came online after I added the ISATAP host record in DNS).

    Thanks,

    J Eskew

    Saturday, April 3, 2010 12:25 AM
  • Hi J,

    OK, just for your information, this is for the UAG DA server discussions. The reason for that is that UAG DA is implemented a little differently than that used by the Windows DA.

    If you can't ping by names, can you ping by IPv6 addresses on the internal network?

    Remember - ICMP is exempt from IPsec, so even if your IPsec negotiations fail, you should still be able to ping.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, April 5, 2010 1:42 PM
  • Hi J,

    OK, just for your information, this is for the UAG DA server discussions. The reason for that is that UAG DA is implemented a little differently than that used by the Windows DA.

    If you can't ping by names, can you ping by IPv6 addresses on the internal network?

    Remember - ICMP is exempt from IPsec, so even if your IPsec negotiations fail, you should still be able to ping.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team

    I'd be happy to move the thread, this was the only DA forum I found.

    No, I'm not able to ping by IPv6 from outside the network.  If I log into the DA server via Remote Desktop, then I AM able to ping internal resources via IPv6.

    So, the air-gap seems to be within the DA server itself.  I'm assuming that it's not allowing IPv6 traffic to pass between the two NICs.  Maybe a routing issue?  But, I don't have any clue on how to view or define IPv6 routes on this box.

    J Eskew

    Monday, April 5, 2010 1:59 PM
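As an added illustration (not part of the thread and not from the DA team), the question of how to view IPv6 routes and forwarding state on a Windows Server 2008 R2 box can be answered with the built-in netsh tool; the script below wraps it in PowerShell so each interface (including the ISATAP, 6to4 and IP-HTTPS tunnel interfaces) is reported with its forwarding state alongside the route table. A Windows host only passes IPv6 traffic between two interfaces when forwarding is enabled on both, so a "disabled" entry on either NIC is the first thing to check.

```powershell
# Added example (not from the thread): report the IPv6 forwarding state of
# every interface on a Windows Server 2008 R2 host and list its IPv6 routes,
# using only the built-in netsh tool. Run in an elevated PowerShell session.

function Get-Ipv6InterfaceForwarding {
    # "netsh interface ipv6 show interfaces" prints a table whose data rows
    # look like:  11  10  1500  connected  Local Area Connection
    $results = @()
    foreach ($line in (netsh interface ipv6 show interfaces)) {
        if ($line -notmatch '^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$') { continue }
        $index = [int]$Matches[1]
        $state = $Matches[4]
        $name  = $Matches[5]

        # The per-interface view contains a "Forwarding : enabled|disabled" line.
        $fwd = 'unknown'
        foreach ($detail in (netsh interface ipv6 show interface "$name")) {
            if ($detail -match '^\s*Forwarding\s*:\s*(\w+)') { $fwd = $Matches[1]; break }
        }

        $results += New-Object PSObject -Property @{
            Index      = $index
            Name       = $name
            State      = $state
            Forwarding = $fwd
        }
    }
    return $results
}

function Get-Ipv6RouteTable {
    # Raw IPv6 route table (prefix, gateway, interface index, metric).
    return (netsh interface ipv6 show route)
}

# Interfaces that are up but not forwarding cannot pass traffic between NICs.
Get-Ipv6InterfaceForwarding |
    Sort-Object Index |
    Format-Table Index, State, Forwarding, Name -AutoSize

Get-Ipv6RouteTable

# Forwarding is changed per interface with (shown here for reference only):
#   netsh interface ipv6 set interface "<interface name>" forwarding=enabled
```

Compare the interface indexes in the route table against the Index column to confirm that routes for the internal /64 and for the tunnel prefixes point at interfaces whose forwarding is enabled.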
  • The proper forum for DirectAccess for Windows Server (without UAG) is here:

    http://social.technet.microsoft.com/Forums/en-us/windowsserver2008r2networking/threads



    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Wednesday, April 14, 2010 12:01 AM
    Wednesday, April 14, 2010 12:01 AM