DA client cannot ping any intranet resources including DC RRS feed

  • Question

  • Hi All,

    I have deployed UAG/DA with external ISATAP router. I have implemented all servers as per the Technet Test Lab Guide.

    All intranet servers can communicate with each other, including UAG and DC, returning ISATAP IPs.

    But the client cannot ping the DC/intranet servers over its 6to4 IP (the client is on a public network and not behind a NAT router or firewall).

    I did all the troubleshooting steps and found the points below.

    The client can ping UAG's link-local IP.

    The client can ping the remote end point of the 6to4 tunnel, which is the UAG server's 6to4 IP. But the client cannot ping UAG's internal native IPv6, returning "Destination Port Unreachable".

    I observed that the IPsec tunnel is not being established between the client and UAG, which may have caused the infrastructure tunnel to fail.

    The client has Connection Security Rules applied but no Main Mode or Quick Mode Security Association (it is blank).

    Below is the IP configuration of Client.

    ipconfig /all
    ================================================================
    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CLIENT1
       Primary Dns Suffix  . . . . . . . : corp.contoso.com
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : corp.contoso.com
                                           isp.example.com
       System Quarantine State . . . . . : Not Restricted


    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-01-50-5C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d1d0:66c9:e71e:bb16%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 131.107.0.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Sunday, March 25, 2012 9:02:15 AM
       Lease Expires . . . . . . . . . . : Monday, April 02, 2012 9:02:07 AM
       Default Gateway . . . . . . . . . : 131.107.0.1
       DHCP Server . . . . . . . . . . . : 131.107.0.1
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-8E-96-0E-00-15-5D-01-50-5C
       DNS Servers . . . . . . . . . . . : 131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.isp.example.com:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::200:5efe:131.107.0.100%12(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:64::836b:64(Preferred)
       Default Gateway . . . . . . . . . : 2002:836b:2::836b:2
       DNS Servers . . . . . . . . . . . : 131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    .

    IPv6 Route Table
    =========================================
    Active Routes:
     If Metric Network Destination      Gateway
     14   1105 ::/0                     2002:836b:2::836b:2
      1    306 ::1/128                  On-link
     14   1005 2002::/16                On-link
     14    261 2002:836b:64::836b:64/128
                                        On-link
     11    261 fe80::/64                On-link
     12    261 fe80::200:5efe:131.107.0.100/128
                                        On-link
     11    261 fe80::d1d0:66c9:e71e:bb16/128
                                        On-link
      1    306 ff00::/8                 On-link
     11    261 ff00::/8                 On-link


    netsh dnsclient show state
    ======================================

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured

    .
    ==============================================================
    netsh namespace show policy
    ==============================================================
    DNS Name Resolution Policy Table Settings

    Settings for nls.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for .corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy


    ==============================================================
    netsh namespace show effectivepolicy
    ====================================================================

    DNS Effective Name Resolution Policy Table Settings


    Settings for nls.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings



    Settings for .corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
    DirectAccess (Proxy Settings)           : Bypass proxy



    .
    ==================================================
    netsh interface 6to4 show relay
    =====================================================
    Relay Name             : 131.107.0.2 (Group Policy)
    Use Relay              : default
    Resolution Interval    : default

    .
    ===================================================
    netsh interface teredo show state
    =====================================================
    Teredo Parameters
    ---------------------------------------------
    Type                    : client (Group Policy)
    Server Name             : 131.107.0.2 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : offline
    Error                   : primary teredo server unreachable over UDP

    .
    =========================================
    netsh interface httpstunnel show interfaces
    =============================================

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://uag1.contoso.com:443/IPHTTPS
    Last Error Code            : 0x80190194
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect

    .
    ===================================
    ===================================
    ISATAP State           : default

    .
    =======================================
    netsh interface ipv6 isatap show router
    ========================================
    Router Name            : default
    Use Relay              : default
    Resolution Interval    : default

    .
    =================================
    netsh advfirewall monitor show mmsa
    =====================================

    No SAs match the specified criteria.

    .
    ====================================
    netsh advfirewall monitor show qmsa
    ==========================================

    No SAs match the specified criteria.

    .
    =========================================================
    netsh advfirewall monitor show consec rule name=all
    ======================================================

    Connection Security Rules:

    Rule Name:                            UAG DirectAccess Client - Exempt NLA
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Dynamic
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 Any
    Endpoint1:                            2002:836b:2:8000::/49
    Endpoint2:                            2002:836b:2:8000:0:5efe:10.0.0.3-2002:836b:2:8000:0:5efe:10.0.0.3
    Port1:                                Any
    Port2:                                443
    Protocol:                             TCP
    Action:                               NoAuthentication
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No

    Rule Name:                            UAG DirectAccess Client - Clients Corp Tunnel
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Dynamic
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 2002:836b:2::836b:2
    Endpoint1:                            Any
    Endpoint2:                            2002:836b:2:8000::/49
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerCert
    Auth1CAName:                          DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
    Auth1CertMapping:                     No
    Auth1ExcludeCAName:                   No
    Auth1CertType:                        Root
    Auth1HealthCert:                      No
    Auth2:                                UserKerb
    MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No

    Rule Name:                            UAG DirectAccess Client - Clients Access Enabling Tunnel - All
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Dynamic
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 2002:836b:3::836b:3
    Endpoint1:                            Any
    Endpoint2:                            2002:836b:2:8001::a00:1-2002:836b:2:8001::a00:1,2002:836b:3:8000:0:5efe:10.0.0.1-2002:836b:3:8000:0:5efe:10.0.0.1,2002:836b:3::836b:3-2002:836b:3::836b:3
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerCert
    Auth1CAName:                          DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
    Auth1CertMapping:                     No
    Auth1ExcludeCAName:                   No
    Auth1CertType:                        Root
    Auth1HealthCert:                      No
    Auth2:                                UserNTLM
    MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No

    Ok.

    .
    ===========================================
    netsh advfirewall monitor show currentprofile
    ====================================================

    Public Profile:
    ----------------------------------------------------------------------
    Network
    Ok.


    I suspect something is wrong with my TMG rules on the UAG server. I have no clue how to identify it.

    I have attached the necessary logs for easy understanding (sorry if the question got long :) ).

    Any thoughts on what I should be checking to fix this?

    Thanks!

    Ahmed.

    Monday, March 26, 2012 3:26 PM
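Every 6to4 and ISATAP address in the output above is derived from an IPv4 address, so the client's configuration can be cross-checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from Microsoft: it recovers the embedded IPv4 addresses, verifies that the client's 6to4 address, default gateway, ISATAP link-local address and NRPT DNS server agree with the IPv4 side, and checks which IPsec tunnel rule's Endpoint2 covers a given target. The input values are copied from the ipconfig, route table, NRPT and consec output posted above; the key names in the CLIENT dictionary are this example's own.

```python
# Added example (not from the thread): consistency checks on the 6to4 / ISATAP
# addressing a UAG DirectAccess client derives from its IPv4 addresses.
import ipaddress

SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def six_to_four_address(ipv4: str) -> ipaddress.IPv6Address:
    """Windows-style 6to4 host address 2002:WWXX:YYZZ::WWXX:YYZZ for IPv4 WW.XX.YY.ZZ."""
    n = int(ipaddress.IPv4Address(ipv4))
    hi, lo = n >> 16, n & 0xFFFF
    return ipaddress.IPv6Address(f"2002:{hi:x}:{lo:x}::{hi:x}:{lo:x}")


def ipv4_from_6to4(addr: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address carried in bits 16-47 of a 2002::/16 address."""
    a = ipaddress.IPv6Address(addr.split("%")[0])  # drop a Windows zone index such as %12
    if a not in SIX_TO_FOUR_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def ipv4_from_isatap(addr: str):
    """IPv4 address embedded in an ISATAP interface identifier
    (::0200:5EFE:w.x.y.z for a public IPv4, ::0000:5EFE:w.x.y.z for a private one);
    None if the address does not carry the ISATAP identifier."""
    a = ipaddress.IPv6Address(addr.split("%")[0])
    iid = int(a) & ((1 << 64) - 1)
    if (iid >> 32) not in (0x02005EFE, 0x00005EFE):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def tunnel_covers(target: str, endpoint2: str) -> bool:
    """True if target lies inside a netsh consec 'Endpoint2' value, which may be a
    comma-separated mix of prefixes (2002:836b:2:8000::/49) and ranges (low-high)."""
    t = ipaddress.IPv6Address(target)
    for item in endpoint2.split(","):
        item = item.strip()
        if "-" in item:
            low, high = (ipaddress.IPv6Address(x) for x in item.split("-"))
            if low <= t <= high:
                return True
        elif t in ipaddress.IPv6Network(item, strict=False):
            return True
    return False


# Values copied from the client output in the question (key names are this example's own).
CLIENT = {
    "ipv4": "131.107.0.100",
    "6to4_address": "2002:836b:64::836b:64",
    "default_gateway": "2002:836b:2::836b:2",
    "6to4_relay": "131.107.0.2",
    "isatap_link_local": "fe80::200:5efe:131.107.0.100%12",
    "nrpt_dns_server": "2002:836b:3::836b:3",
    "uag_isatap": "2002:836b:2:8000:0:5efe:10.0.0.3",
    "corp_tunnel_endpoint2": "2002:836b:2:8000::/49",
    "infra_tunnel_endpoint2": "2002:836b:2:8001::a00:1-2002:836b:2:8001::a00:1,"
                              "2002:836b:3:8000:0:5efe:10.0.0.1-2002:836b:3:8000:0:5efe:10.0.0.1,"
                              "2002:836b:3::836b:3-2002:836b:3::836b:3",
}


def check_client(c: dict) -> dict:
    """Cross-check that each IPv6 value is the one its IPv4 counterpart implies."""
    return {
        "6to4_matches_ipv4": six_to_four_address(c["ipv4"]) == ipaddress.IPv6Address(c["6to4_address"]),
        "gateway_is_relay": ipv4_from_6to4(c["default_gateway"]) == ipaddress.IPv4Address(c["6to4_relay"]),
        "isatap_embeds_ipv4": ipv4_from_isatap(c["isatap_link_local"]) == ipaddress.IPv4Address(c["ipv4"]),
        "dns_server_ipv4": str(ipv4_from_6to4(c["nrpt_dns_server"])),
        "dns_in_infra_tunnel": tunnel_covers(c["nrpt_dns_server"], c["infra_tunnel_endpoint2"]),
        "dns_in_corp_tunnel": tunnel_covers(c["nrpt_dns_server"], c["corp_tunnel_endpoint2"]),
        "uag_isatap_ipv4": str(ipv4_from_isatap(c["uag_isatap"])),
        "uag_isatap_in_corp_tunnel": tunnel_covers(c["uag_isatap"], c["corp_tunnel_endpoint2"]),
    }


if __name__ == "__main__":
    for name, value in check_client(CLIENT).items():
        print(f"{name:26} {value}")
```

For the posted values every check agrees: the client's 6to4 address is the one its public IPv4 implies, the default gateway is the 6to4 form of the relay 131.107.0.2, the NRPT DNS server 2002:836b:3::836b:3 resolves to 131.107.0.3 and is covered by the infrastructure tunnel rule rather than the corp tunnel rule, and the UAG's ISATAP address embeds 10.0.0.3 and sits inside the corp tunnel's /49. Running the same checks against a misbehaving client quickly separates an addressing mistake from an IPsec or routing problem.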

Answers

  • Just to follow up, DirectAccess does not require the Windows Firewall to be active on your internal servers. The Windows Firewall must be active on the UAG server and on the DirectAccess client machines (because it handles the IPsec connectivity rules), but there is no requirement that the firewall must be present on the endpoint application servers.
    • Marked as answer by TecHHecT Friday, August 31, 2012 3:25 AM
    Thursday, August 16, 2012 7:25 PM

All replies

  • Looks like you are following a TLG exactly; I would go back over the documentation and the steps and make sure you didn't miss anything. I know that with the public IP test you are doing now you should be able to utilize 6to4, but I also see in your output that both Teredo and IP-HTTPS are attempting to connect and are failing. You may have something misconfigured with your "fake internet" that the TLG walks you through creating.

    Also, if you are setting up UAG DA from scratch for the first time, I recommend not doing anything with ISATAP, at least not at first. Make sure you have DirectAccess working successfully before you try to do anything with ISATAP; it'll be less complicated to troubleshoot as you go.

    Monday, March 26, 2012 5:50 PM
  • Hi

    I agree with Jordan. Deploying an ISATAP router is not a common scenario. For example, it's a requirement in a Hardware Load Balancing scenario. If you want to keep your ISATAP router, let's start by seeing if you can reach some ISATAP resources from your UAG box. This must be possible because you added an IPv6 address with your internal ISATAP prefix and configured your UAG to allow IPv6 routing with the ConfigureLocalhostToIPv6Policy.vbs script: http://technet.microsoft.com/fr-FR/library/ee921439.aspx.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, March 26, 2012 6:56 PM
  • Thanks Jordan and BenoitS ,

    I have deployed an ISATAP router, since my internal resources are running on IPv4. I hope to extend my lab for array deployment and multi-site capability in future. Hence I deployed an external ISATAP router by following the "supporting-business-continuity-disaster-recovery-and-multi-site-scenarios-with-uag-2010-rtm-and-uag-2010-service-pack-1" blog post.

    I can ping UAG's 6to4 tunnel adapter IP from the client over the internet, but I cannot go beyond that (i.e. a ping to the UAG server's internal interface native IPv6 from the client returns "Destination port Unreachable"). My internal connectivity is a success: I can ping all intranet resources from the UAG box and vice versa.

    I have attached UAG server's interface state logs below.

    netsh interface 6to4 show relay
    ==============================

    Relay Name             : default
    Use Relay              : default
    Resolution Interval    : default

    .
    ===============================

    netsh interface teredo show state
    ================================

    Teredo Parameters
    ---------------------------------------------
    Type                    : server
    Virtual Server Ip       : 131.107.0.2
    Client Refresh Interval : 30 seconds
    State                   : online

    Server Packets Received : 874
    Success                 : 874 (Bubble 3, Echo 0, RS1 870 RS2 1)
    Failure                 : 0 (Hdr 0, Src 0, Dest 0, Auth 0)

    Relay Packets Received  : 3
    Success                 : 3 (Bubble 3, Data 0)
    Failure                 : 0 (Hdr 0, Src 0, Dest 0)

    Relay Packets Sent      : 9
    Success                 : 14 (Bubble 3, Data 11)
    Failure                 : 3 (Hdr 0, Src 3, Dest 0)

    Packets Received in the last 30 seconds:
    Bubble 0, Echo 0, RS1 1, RS2 0
    6to4 source address 0, native IPv6 source address 0
    6to4 destination address 0, native IPv6 destination address 0

     
    Estimated Bandwidth consumed in the last 30 seconds (in BPS):
    Bubble 0, Echo 0, Primary 3, Secondary 0
    6to4 source address 0, native IPv6 source address 0
    6to4 destination address 0, native IPv6 destination address 0

    .
    ===================================================

    netsh interface httpstunnel show interfaces
    ===================================================

    Interface IPHTTPSInterface Parameters
    ------------------------------------------------------------
    Role                       : server
    URL                        : https://uag1.contoso.com:443/IPHTTPS
    Client authentication mode : certificates
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active

    .
    ======================================================

    netsh interface ipv6 isatap show state
    ============================================

    ISATAP State           : enabled

    .
    ================================================

    netsh interface ipv6 isatap show router
    ================================================

    Router Name            : default
    Use Relay              : default
    Resolution Interval    : default

    It seems all interface configurations are fine from the UAG server side.

    I assume the screenshot below of the client's Connection Security Rules would help to recognize the issue.

    [Screenshot: Clients Connection Security Rules]

    I have failed to identify the issue so far :( Any thoughts on the above screenshot would be very helpful. Under Authentication Mode it says something like "require inbound and outbound".

    Please help me recognize the problem with your expert thoughts.

    Thanks.

    Ahmed.

    Tuesday, March 27, 2012 5:29 AM
  • Hi,

    I understand the need for an ISATAP router for a multi-site scenario. Note that ISATAP is not required because of your internal IPv4 network; DNS64/NAT64 will handle that.

    In your situation, I think it might be a routing problem. Run ConfigureLocalhostToIPv6Policy.vbs to allow IPv6 on your internal interface (http://technet.microsoft.com/fr-FR/library/ee921439.aspx) with the 'AllowAllLocalhost' argument. This will create some rules in TMG; then activate a new UAG configuration.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, March 27, 2012 7:53 AM
  • Also, at this point, since it appears that DirectAccess is not working at all, unless you come to a resolution by following Benoit's advice I would still get rid of ISATAP to simplify the environment. First make sure you can get DA working; then you can move back into configuring ISATAP. As Benoit said, ISATAP is not necessary to make DA work. Even in multi-site: I have multiple multi-site environments running with no ISATAP at all. The only time you need ISATAP is when you are IPv4 inside the network and you need the ability to initiate outbound requests from your corporate network to your DA clients; if you do not have that need, you do not need ISATAP.
    Tuesday, March 27, 2012 1:36 PM
  • Hi,

    A multi-site scenario looks great, but it would be painful to set it up for your first DirectAccess deployment. Moving from a standard deployment to a multi-site deployment is technically possible. You can also envision using GSLB to cover your multi-site need. Configuring UAG DirectAccess with a Global Server Load Balancing appliance is a better approach from my point of view.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, March 27, 2012 1:49 PM
  • Hi

    I connected the client to the corpnet for a GPO update and lost total connectivity to DNS. The client is not resolving the names DC1 or APP1. The DNS records are in place on the DNS server. Nslookup is working fine but no ping is working to DC1. Other resources can ping internally and to the client. It seems my lab got messed up ;( Intermittent issues were raised and I'm working to resolve them now. Any clue why the client cannot ping DC1 when it is inside the corpnet? gpupdate /force failed on the client. nslookup is a success. Other resources' pings are working perfectly in and out. I will be fixing these intermittent issues to address the main issue.

    Thanks again.


    • Edited by TecHHecT Wednesday, March 28, 2012 4:41 AM typo error
    Wednesday, March 28, 2012 4:35 AM
  • If your NLS server is having a problem (this goes for a TLG or a production environment), your DirectAccess client machines will continue to leave their NRPT turned on even when inside the network, which will try to route name resolution requests through the UAG server and not through your local DNS. This can obviously cause resolution and connectivity problems. Check out the NLS website and make sure it's running properly. Also, then on your DA client, run netsh dns show state and make sure that when you are connected to CorpNet it shows "Inside corporate network" and that DirectAccess settings are "Configured and Disabled".
    Wednesday, March 28, 2012 1:12 PM
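The check Jordan describes above (the client's reported location must match where the machine really is, and the NRPT must be disabled inside and enabled outside) is easy to make repeatable. The Python below is an added example, not code from this thread or from Microsoft: it parses the fields of netsh dnsclient show state output and classifies the combination of "Machine Location" and "Direct Access Settings" against the operator's knowledge of where the client is. The sample output is the client's own output quoted earlier in the thread, trimmed; the result labels are this example's own.

```python
# Added example (not from the thread): is a DirectAccess client's view of its
# network location consistent with where it actually is, and is the NRPT in
# the state that location requires?
import re

# Which "Direct Access Settings" value belongs with which "Machine Location".
EXPECTED_DA_SETTINGS = {
    "Inside corporate network": "Configured and Disabled",
    "Outside corporate network": "Configured and Enabled",
}


def parse_dnsclient_state(text: str) -> dict:
    """Collect the 'Name : value' fields from netsh dnsclient show state output.
    Indented continuation lines without a colon are appended to the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last and line.strip():
            fields[last] += " " + line.strip()
    return fields


def assess_location(text: str, on_corpnet: bool) -> str:
    """Classify the output given whether the machine is physically on the corpnet.
    Returns 'consistent', 'nls-not-reached', 'false-inside', 'nrpt-mismatch' or 'incomplete'."""
    f = parse_dnsclient_state(text)
    location = f.get("Machine Location")
    da_settings = f.get("Direct Access Settings")
    if location not in EXPECTED_DA_SETTINGS or da_settings is None:
        return "incomplete"
    inside = location == "Inside corporate network"
    if on_corpnet and not inside:
        # The symptom in the reply above: NLS not reachable, so the NRPT stays on
        # inside the corpnet and name resolution is still steered through the UAG.
        return "nls-not-reached"
    if inside and not on_corpnet:
        # The NLS answered from the Internet; the client will never engage DirectAccess.
        return "false-inside"
    if da_settings != EXPECTED_DA_SETTINGS[location]:
        return "nrpt-mismatch"
    return "consistent"


# Constructed sample: the client's netsh dnsclient show state output quoted in the question.
SAMPLE_OUTSIDE = """
Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured
"""

if __name__ == "__main__":
    # The posted client was on the simulated Internet, so this is the healthy case.
    print(assess_location(SAMPLE_OUTSIDE, on_corpnet=False))
    # The same output seen while the client is plugged into the corpnet is the NLS problem.
    print(assess_location(SAMPLE_OUTSIDE, on_corpnet=True))
```

The second print reproduces the situation in the reply above: identical output is healthy on the Internet and a fault on the corpnet, which is why the operator's knowledge of the physical location has to be an input rather than something inferred from the output itself.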
  • Hi Jordan,

    Yes, there was some NRPT problem; I pushed the NRPT rules from GPO and it started to work. Thanks.

    Now the client is back on the internet again and I faced the same issue I mentioned at the top of the thread (cannot ping intranet resources). I fixed that issue by disabling the ISATAP interfaces on the UAG server. Now the client can ping all internal resources, returning the ISATAP IP (my external ISATAP server is still alive).

    Now I have two problems which need to be addressed.

    1) My UAG has a native IPv6 address assigned to the Corpnet interface. I cannot ping the native IPv6 of the UAG box from the client on the internet; it returns "destination port unreachable". If I do a trace to the native IP from the client I get "Destination protocol unreachable". I have checked all TMG rules and the firewalls are pretty fine. ICMPv6 is allowed inbound and outbound.

    c:\>ping uag1

    Pinging uag1.corp.contoso.com [2002:836b:20:8000::1] with 32 bytes of data:
    Destination port unreachable.
    Destination port unreachable.
    Destination port unreachable.

    c:\>tracert 2002:836b:20:8000::1

    Tracing route to 2002:836b:20:8000::1 over a maximum of 30 hops

      1  Destination protocol unreachable.

    Trace complete.

    2) I cannot do net view \\app1; it returns the error "System error 53 has occurred - The network path was not found", but I can successfully ping App1 and I checked the certificate, which is also valid.

    Any thoughts on where I missed any steps will be very helpful.

    Thanks, experts. :)

    Sunday, April 1, 2012 5:13 AM
  • Hi,

    If you are sure that there are no ICMPv6 frames coming into your internal network, it is a routing problem. Activate IPv6 routing with ConfigureLocalhostToIPv6Policy.vbs to allow IPv6 on your internal interface (http://technet.microsoft.com/fr-FR/library/ee921439.aspx) with the 'AllowAllLocalhost' argument. This will create some rules in TMG; then activate a new UAG configuration.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Sunday, April 1, 2012 4:51 PM
  • Hi,

    I checked the TMG; it has ICMPv6 allowed already. I ran the script and confirmed it is enabled, but still I cannot ping the internal interface's native IPv6. Maybe the traffic flows inside the 6to4 tunnel? I can reach my internal resources on their ISATAP IPs.

    i.e. - client1 ping to app1 - returning ISATAP IP - success

           client1 ping to DC1 - returning ISATAP IP - success

           client1 ping to UAG1 - returning native IP - Destination port unreachable

    Moreover, even though I can ping App1, I cannot open http://app1.corp.contoso.com or https://app1.corp.contoso.com in IE. All certificate and IIS parameters are fine as per the TLG.

    I haven't got a clue, as all seems fine from a TLG perspective.

    Any thoughts?

    Monday, April 2, 2012 7:29 AM
  • Hi,

    I know I'm late on this topic, but I have the exact same problems while deploying DirectAccess.

    I can ping domain controllers - ISATAP IP - success

    I can ping the app server - ISATAP IP - success

    I can ping the file server - ISATAP IP - success

    I can't ping Exchange - Destination port unreachable

    nslookup correctly shows the ISATAP address of the Exchange server.

    And also I can't get to the intranet site on the application server.

    Tuesday, August 14, 2012 7:44 AM
  • I solved it.

    In my case the problem was the Windows internal firewall, which I had disabled on the Exchange server for troubleshooting.

    DirectAccess requires the Windows Firewall to be activated.

    Firewall activated.

    Inbound ICMPv6 echo request allowed.

    Ping Exchange - successful.

    • Proposed as answer by Stephan Loetz Wednesday, August 15, 2012 10:03 AM
    Wednesday, August 15, 2012 10:03 AM