Multiple DirectAccess tunnels (and protocols) per DirectAccess Client (production)

  • Question

  • I have built two new UAG DirectAccess environments at a customer. The first is a test environment without firewalls around a single UAG server, and the second a production environment with an external and an internal firewall around a UAG array. With both of them I have noticed weird session and protocol behaviour. This post focuses on the production environment.

    As mentioned, the production environment does have firewalls around the UAG DirectAccess servers. All protocols (e.g. 6to4, Teredo and IP-HTTPS) are available, although there is still an ongoing discussion with the firewall administrator that 6to4 and Teredo apparently also need inbound and outbound connectivity on the external firewall. When a mobile DirectAccess client connects from behind a private IPv4 network (NAT device) it nicely creates an infrastructure tunnel using Teredo. But during usage on the client the number of DirectAccess tunnels seems to build up. Sometimes I have around six tunnels, most of them infrastructure tunnels, only one intranet tunnel. And... sometimes different protocols. It is as if a new tunnel is created randomly. I can see clearly in UAG Web Monitor that it takes a very long time before a tunnel is cleared, even when the client has already been shut down.

    Something does not seem OK. What might cause this issue?

    Also... can somebody explain to me why, according to TechNet and several blogs, firewalls also need outbound 6to4 and Teredo connectivity? We don't see any outbound connectivity in the firewall logging.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, August 1, 2012 3:02 PM

All replies

  • Hi

    From my own experience, tunnel termination (AKA IPsec association end) shows up quicker in the Firewall console than in the UAG Web Monitor. If you enable IPsec Main Mode logging in Advanced Audit Policy Configuration, you will see an event for the IPsec termination when your client computer shuts down.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, August 2, 2012 7:48 AM
  • Ok. But can you explain why we get so many tunnels for one single DirectAccess Client?

    As if it creates another one, and another one, and another one, and another one during its usage.


    Boudewijn Plomp, BPMi Infrastructure & Security


    Friday, August 3, 2012 10:22 AM
  • OK, because I did not get a solution yet, allow me to describe two scenarios...

    DirectAccess client (connected with a mobile provider, which should use 6to4):
    The DirectAccess client connects using a mobile provider (WWAN), gets a public IPv4 address and successfully establishes an infrastructure tunnel by using 6to4. If you connect to an intranet server the infrastructure tunnel changes to an intranet tunnel. Everything works as expected.

    Now the client reboots. During the reboot, if you look in UAG Web Monitor, the infrastructure/intranet tunnel is still there. And IPsec Monitor still shows one or more Main/Quick Mode connections as well. Testing has shown us that it takes a long time before those are cleared. Once the client has finished rebooting it has established an infrastructure tunnel, but this time by using IP-HTTPS. If you reboot, and reboot, it keeps getting a tunnel by using IP-HTTPS. I assume this is because the DirectAccess server still thinks the client has a 6to4 connection. To make things worse, sometimes you get more 6to4 connections according to UAG Web Monitor.

    DirectAccess client (connected with a NAT device, which should use Teredo):
    The DirectAccess client connects using Internet Connection Sharing or another NAT device, gets a private IPv4 address and successfully establishes an infrastructure tunnel by using Teredo. If you connect to an intranet server the infrastructure tunnel changes to an intranet tunnel. The weird thing is that sometimes the infrastructure tunnel is not changed to an intranet tunnel; instead a new intranet tunnel is created next to the infrastructure tunnel. Although, the DirectAccess client works just fine. Now the client reboots. During the reboot, if you look in UAG Web Monitor, the infrastructure/intranet tunnel is still there. And IPsec Monitor still shows one or more Main/Quick Mode connections as well. Testing has shown us that it takes a long time before those are cleared. Once the client has finished rebooting it has established an infrastructure tunnel, but this time by using Teredo or IP-HTTPS. If you reboot, and reboot, it keeps getting an extra tunnel by using Teredo. We have situations where the UAG Web Monitor shows at least 5 tunnels per single DirectAccess client.


    With both scenarios I am surprised that it takes a very long time before UAG DirectAccess sees the infrastructure/intranet tunnels as disconnected. They are kept alive far too long. This is probably why a tunnel is established using another protocol after a reboot or such.

    Is this normal behaviour, or what might be wrong?


    Boudewijn Plomp, BPMi Infrastructure & Security


    Monday, August 6, 2012 11:29 AM
  • Hi,

    That you have IPsec tunnels from disconnected clients doesn't seem very strange to me.

    There are default timeout values for Main Mode and Quick Mode IPsec SAs.
    If they were shut down prior to this, a client would have to reauthenticate if it had been quiet too long.

    But the issue with clients not being able to reconnect over the same protocol after a restart sounds like a bigger issue.
    Have you tried disabling IP-HTTPS to verify that the client really cannot connect over 6to4/Teredo?
    It could just be that it manages to establish the IP-HTTPS connection first and therefore stops connecting over the other protocol.

    (For info on how to disable the IPHTTPS interface, read http://blogs.technet.com/b/tomshinder/archive/2011/02/15/how-to-disable-ip-https-for-testing-and-troubleshooting.aspx )

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, August 6, 2012 12:58 PM
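    The two replies above (BenoitS on turning on IPsec Main Mode auditing, Jonas on Main/Quick Mode SA timeouts) both come down to looking at the IPsec SAs the server still holds for a client rather than at UAG Web Monitor. The script below is an added example and not code from this thread or from UAG. It is meant to run elevated on a Windows Server 2008 R2 UAG/DirectAccess server: it enables the "IPsec Main Mode" and "IPsec Quick Mode" audit subcategories, counts open Main Mode and Quick Mode SAs per remote client address from `netsh advfirewall monitor`, and pulls the SA-ended events for one client from the Security log. The netsh output layout ("Remote IP Address:  <addr>") and the event IDs 4655 (Main Mode SA ended) and 5452 (Quick Mode SA ended) are assumptions about that platform; the script name in the usage note is a placeholder.

```powershell
# Added example, not code from the thread. Run elevated on the UAG/DirectAccess
# server (Windows Server 2008 R2, PowerShell 2.0). It enables IPsec Main Mode /
# Quick Mode auditing, counts the Main Mode and Quick Mode SAs still open per
# remote client address, and pulls the "SA ended" events for one client.
# Assumptions: netsh prints one "Remote IP Address:  <addr>" line per SA, and the
# Security log uses 4655 (Main Mode SA ended) and 5452 (Quick Mode SA ended).
param(
    [string]$ClientIPv6 = '',   # optional: the client's 6to4/Teredo/IP-HTTPS address to filter on
    [int]$Hours = 2             # how far back to look in the Security log
)

function Enable-IPsecSAAudit {
    # Advanced Audit Policy subcategories; success + failure so setup and teardown are both logged.
    auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable | Out-Null
}

function Get-IPsecSACount {
    # $Kind is 'mmsa' (Main Mode) or 'qmsa' (Quick Mode).
    param([string]$Kind)
    $remotes = @()
    foreach ($line in (netsh advfirewall monitor show $Kind)) {
        if ($line -match '^\s*Remote IP Address:\s+(\S+)') { $remotes += $Matches[1] }
    }
    $remotes | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{ Kind = $Kind; Remote = $_.Name; Count = $_.Count }
    }
}

function Get-IPsecSAEndedEvents {
    param([string]$Remote, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4655, 5452; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { -not $Remote -or $_.Message -match [regex]::Escape($Remote) } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

Enable-IPsecSAAudit
'Main Mode SAs per remote address:';  Get-IPsecSACount 'mmsa' | Format-Table Remote, Count -AutoSize
'Quick Mode SAs per remote address:'; Get-IPsecSACount 'qmsa' | Format-Table Remote, Count -AutoSize
if ($ClientIPv6) {
    "SA-ended events for $ClientIPv6 in the last $Hours hour(s):"
    Get-IPsecSAEndedEvents -Remote $ClientIPv6 -Hours $Hours | Format-Table -AutoSize
}
```

    Run it as, for example, `.\Show-DASAs.ps1 -ClientIPv6 <client tunnel address>` before and after rebooting the client. A remote address that still shows Main Mode SAs long after the 4655/5452 events for it have been logged is an SA the server is keeping until its idle timeout, which is the behaviour Jonas describes; a second remote address for the same client (a 6to4 address next to a Teredo address) is the second tunnel the original post is asking about.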
  • Thank you for your information. I think you put me on the right track. I did some testing by disabling IP-HTTPS. Apparently it does not (re-)connect at all anymore. The xDSL connection is not present right now. I currently use a Windows Phone with internet sharing enabled. I then tested an iPhone (another provider as well) with internet sharing. Hmmm... that one seems to connect and re-connect with Teredo every time! Apparently there is an issue with some providers or specific phones and (re-)connection with the Teredo protocol. The 3G WWAN adapter inside the DELL laptop has the same issue. That one uses 6to4 only. Any re-connect falls back to IP-HTTPS unless UAG DirectAccess has already flushed the previous session.

    I now use that very iPhone with internet sharing, and enabled IP-HTTPS on the DirectAccess server. What happens is this: if you quickly run ipconfig on the client two times, you first see IPv6 settings at IP-HTTPS and then, in a split second, it re-connects to Teredo every time!!! And according to UAG Web Monitor it uses the same session.

    I will take the DirectAccess client to my home and my ADSL connection to test Teredo re-connection over and over.

    I don't know if I can consider this good news or bad news. I hope the provider or specific devices are at fault. But the downside is, you can't be sure that all your DirectAccess clients use the right protocol every time. IP-HTTPS is also much slower.


    Boudewijn Plomp, BPMi Infrastructure & Security
    Monday, August 6, 2012 2:24 PM
  • In the meantime I did some more testing with the 3G WWAN adapter inside the DELL laptop. This ISP connection gives us a public IP address, so the DirectAccess client should use a 6to4 tunnel. I first rebooted both our UAG DirectAccess servers (array) to start with clean sessions.

    When I connect I get an infrastructure tunnel using 6to4. But... also an intranet tunnel using Teredo. I didn't disconnect the 3G connection this time, but simply restarted the IP Helper service. The DirectAccess client then re-connects to these two tunnels.

    Why not only one 6to4 infrastructure/intranet tunnel?


    Boudewijn Plomp, BPMi Infrastructure & Security



    Monday, August 6, 2012 3:02 PM
  • To be honest, I normally disable 6to4 early in the setups and only have clients connect with IP-HTTPS/Teredo.

    But you should still only see one of the techniques in my opinion.
    There isn't any chance that the IP address you get is actually NAT'ed but still a non-RFC 1918 address?

    If you run ipconfig, do you actually see one 6to4 and one Teredo interface that are active/connected?


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Tuesday, August 7, 2012 7:38 AM
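    Jonas's two questions (is the WWAN address really un-NAT'ed, and which tunnel interface is actually up) and the earlier observation that ipconfig briefly shows IP-HTTPS before Teredo takes over can be answered from the client in one pass. The script below is an added example, not code from this thread or from Microsoft. It runs elevated on a Windows 7 DirectAccess client: it lists every IPv6 tunnel interface that holds a global address and classifies it by prefix (2002::/16 is 6to4, 2001:0::/32 is Teredo, anything else is the server-assigned IP-HTTPS prefix or native IPv6), flags whether the IPv4 uplink address is RFC 1918, and reads Teredo's own NAT detection and the IP-HTTPS interface status from netsh. The "State : ...", "NAT : ..." and "Interface Status : ..." netsh line layouts are assumptions about Windows 7.

```powershell
# Added example, not code from the thread. Run elevated on a Windows 7 DirectAccess
# client (PowerShell 2.0). Shows which transition interfaces hold a global IPv6
# address, whether the IPv4 uplink is private, and what Teredo/IP-HTTPS report.
# Assumptions: netsh prints "State : <x>", "NAT : <x>" (teredo show state) and
# "Interface Status : <x>" (httpstunnel show interfaces) as on Windows 7.

function Get-TransitionAddresses {
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.NetworkInterfaceType -ne 'Tunnel') { continue }
        foreach ($u in $nic.GetIPProperties().UnicastAddresses) {
            $ip = $u.Address
            if ($ip.AddressFamily -ne 'InterNetworkV6' -or $ip.IsIPv6LinkLocal) { continue }
            $b = $ip.GetAddressBytes()
            if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { $kind = '6to4' }                                    # 2002::/16
            elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { $kind = 'Teredo' }  # 2001:0::/32
            else { $kind = 'IP-HTTPS or native' }                                                         # server-assigned prefix
            New-Object PSObject -Property @{
                Interface = $nic.Name; Status = $nic.OperationalStatus; Kind = $kind; Address = $ip.ToString()
            }
        }
    }
}

function Test-Rfc1918 {
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()
    ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-Ipv4Uplinks {
    # Physical/WWAN adapters only: tunnel and loopback interfaces are skipped.
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        if ($nic.NetworkInterfaceType -eq 'Tunnel' -or $nic.NetworkInterfaceType -eq 'Loopback') { continue }
        foreach ($u in $nic.GetIPProperties().UnicastAddresses) {
            if ($u.Address.AddressFamily -ne 'InterNetwork') { continue }
            New-Object PSObject -Property @{
                Interface = $nic.Name; IPv4 = $u.Address.ToString(); Private = (Test-Rfc1918 $u.Address)
            }
        }
    }
}

function Get-NetshField {
    # Pull "<Name> : <value>" out of netsh output; 'unknown' when the line is absent.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Name) + '\s*:\s*(.+)$')) { return $Matches[1].Trim() }
    }
    'unknown'
}

$teredo  = netsh interface teredo show state
$httpst  = netsh interface httpstunnel show interfaces
$uplinks = @(Get-Ipv4Uplinks)
$tunnels = @(Get-TransitionAddresses)

'IPv4 uplinks:';         $uplinks | Format-Table Interface, IPv4, Private -AutoSize
'Transition addresses:'; $tunnels | Format-Table Kind, Interface, Status, Address -AutoSize
'Teredo state : ' + (Get-NetshField $teredo 'State')
'Teredo NAT   : ' + (Get-NetshField $teredo 'NAT')
'IP-HTTPS     : ' + (Get-NetshField $httpst 'Interface Status')

# A non-RFC 1918 IPv4 address while Teredo still detects a NAT means the provider
# NATs the client upstream: 6to4 cannot work even though the address looks public.
$publicV4 = $uplinks | Where-Object { -not $_.Private }
$nat      = Get-NetshField $teredo 'NAT'
if ($publicV4 -and $nat -ne 'unknown' -and $nat -ne 'none') {
    "WARNING: public IPv4 address but Teredo detects NAT type '$nat': upstream NAT suspected."
}
if (@($tunnels | Where-Object { $_.Status -eq 'Up' }).Count -gt 1) {
    'WARNING: more than one transition interface is Up with a global address.'
}
```

    Run it twice a few seconds apart right after the client connects, as the earlier post did with ipconfig: the "Transition addresses" table shows whether IP-HTTPS is only a momentary first choice that Teredo replaces, or whether 6to4 and Teredo genuinely hold global addresses at the same time, which is what two tunnels for one client in UAG Web Monitor would correspond to on the client side.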
  • I have just checked it to make sure, there is no NAT in between.

    If I run ipconfig I can see 6to4 and Teredo. Not sure which one is active.

    The fact is, it is random behaviour. Sometimes it works fine, the other moment it doesn't. And when I disconnect a DirectAccess client it takes at least 1 hour before UAG Web Monitor has flushed the tunnels.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, August 7, 2012 9:01 AM