External DA client cannot resolve internal addresses after adding a dedicated ISATAP router to the network

  • Question

  • Using the Tom Shinder UAG DA lab as a base, we've modified the lab by moving the ISATAP function from the UAG server to a dedicated W2008 R2 server.  We've configured the UAG DA and ISATAP servers to use native IPv6 to communicate with each other and applied the proper routes (hopefully).  Everything appears to be configured correctly on the internal net (ping results appear to be correct). 

    We used http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part2.html as a guide.

    Our DA Client worked perfectly (could resolve/PING all internal resources from the virtual internet) before making the changes noted above.  Now, the DA client cannot resolve the internal server addresses.

    The question is - What else needs to be done when the ISATAP role is moved from the UAG DA server to a dedicated ISATAP server.  TMG rules?  Additional routing?  GPO changes?

    Please let me know if additional information is required to help solve this.

    Don Adams
    USEast Technologies

    Tuesday, January 17, 2012 3:08 PM

Answers

  • Hi,

    Your configuration looks pretty good. However, there are 2 issues that I see:

     1. Your UAG server has an ISATAP interface

    Your desire was to configure native IPv6 connectivity between the ISATAP router and the UAG server. However, since your UAG server is acting as an ISATAP host, it will forward traffic to the ISATAP subnet directly, without going through the ISATAP router. This traffic will be dropped on the internal servers because the UAG server is not in the PRL (not an ISATAP router).

    To fix this, just disable ISATAP on the UAG server using 'netsh int isatap set state disabled'. Also make sure that in the DirectAccess wizard you have selected the native IPv6 address for the internal address.

    I'm actually puzzled how this happened, since I'm pretty sure UAG activation disables ISATAP automatically when a native IPv6 is selected as the internal address. Did you enable ISATAP manually?

     

    2. The ISATAP prefix is not routed to the ISATAP router's native IPv6 address

    You highlighted the following route on the UAG server:

    12 261 ::/0 2002:836b:20:8000::2

    While this route contains the ISATAP prefix and routes traffic to the ISATAP router native IPv6 address, there is actually a more specific route 2002::/16 on the 6to4 interface which contains your ISATAP prefix as well. You will need to create an even more specific route with the ISATAP prefix 2002:836b:3:8000::/64 and route it to 2002:836b:20:8000::2 as well.

    Let me know if that helps.

    Monday, January 30, 2012 5:21 PM
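
The route selection described in the answer above can be replayed offline. This is an added example, not part of the original posts: it parses a subset of the UAG1 IPv6 route table posted in the thread and picks the route for DC1 in three states (as posted, ISATAP disabled, /64 route added). The function names are hypothetical, and route choice is modelled as longest prefix first, then lowest metric, which is a simplification.

```python
import ipaddress

# Constructed sample: a subset of the "Active Routes" rows from the UAG1
# IPv6 route table posted in the thread (the wrapped row is kept wrapped).
UAG1_ROUTES = """\
 12    261 ::/0                     2002:836b:20:8000::2
 18    261 ::/0                     fe80::5efe:10.0.0.20
 14   1005 2002::/16                On-link
 14    261 2002:836b:2::/64         On-link
 16    306 2002:836b:2:8100::/64    On-link
 14    261 2002:836b:3::/64         On-link
 18     13 2002:836b:3:8000::/64    On-link
 18    261 2002:836b:3:8000:0:5efe:10.0.0.2/128
                                    On-link
 12    261 2002:836b:20::/48        On-link
"""

DC1 = "2002:836b:3:8000:0:5efe:10.0.0.1"   # address from the posted ping
ISATAP_PREFIX = "2002:836b:3:8000::/64"     # prefix named in the answer
ISATAP_ROUTER = "2002:836b:20:8000::2"      # ISATAP1 native IPv6 address
# Interface indexes from the posted "Interface List".
IF_CORPNET, IF_6TO4, IF_ISATAP = 12, 14, 18


def parse_routes(text):
    """Parse 'If Metric Destination Gateway' rows, joining wrapped rows."""
    routes, pending = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if pending is not None:      # this line holds the wrapped gateway
            fields, pending = pending + fields, None
        if len(fields) == 3:         # destination too long, gateway follows
            pending = fields
            continue
        ifindex, metric, dest, gateway = fields
        routes.append({"if": int(ifindex), "metric": int(metric),
                       "net": ipaddress.ip_network(dest), "gw": gateway})
    return routes


def select_route(routes, destination):
    """Simplified model: longest matching prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def without_interface(routes, ifindex):
    """Route table after an interface (here: ISATAP) is disabled."""
    return [r for r in routes if r["if"] != ifindex]


def with_route(routes, prefix, ifindex, gateway, metric=261):
    """Route table after adding one static route."""
    return routes + [{"if": ifindex, "metric": metric,
                      "net": ipaddress.ip_network(prefix), "gw": gateway}]


if __name__ == "__main__":
    posted = parse_routes(UAG1_ROUTES)
    disabled = without_interface(posted, IF_ISATAP)
    fixed = with_route(disabled, ISATAP_PREFIX, IF_CORPNET, ISATAP_ROUTER)
    for label, table in (("as posted", posted),
                         ("ISATAP disabled", disabled),
                         ("/64 route added", fixed)):
        r = select_route(table, DC1)
        print(f"{label:16} -> if {r['if']} {r['net']} via {r['gw']}")
```

With ISATAP disabled and no /64 route, the model selects 2002::/16 on the 6to4 interface rather than ::/0, which is the case the answer calls out. On UAG1 the added route corresponds to a command of the form `netsh interface ipv6 add route 2002:836b:3:8000::/64 "Corpnet" 2002:836b:20:8000::2`, with the interface name taken from the posted ipconfig output.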

All replies

  • Make sure you did the following:

    • Selected the native IPv6 address of the UAG DA server as an internal address in the interfaces page
    • Configured the ISATAP prefix as the Corp IPv6 prefix in the Prefixes page
    • Have a route on the DirectAccess server that contains the ISATAP prefix and routes the traffic to the native IPv6 address of the ISATAP router
    • On the ISATAP router, configured the native IPv6 address of the UAG DA server as a default IPv6 gateway
    • On the ISATAP router, enabled forwarding on both the ISATAP and native IPv6 interfaces
    Tuesday, January 17, 2012 3:38 PM
  • Hi Yaniv;

    Thanks for answering... unfortunately, I am a neophyte at IPv6 routing.  Could you take a look at the IP Config and Routing info for the UAG and the ISATAP server to see if you spot any problems? 

    I'm specifically worried about your third point:

  • Have a route on the DirectAccess server that contains the ISATAP prefix and routes the traffic to the native IPv6 address of the ISATAP router

    It's very hard to find info on how to configure UAG DA for use with an external ISATAP router.

    Thanks;

    Don Adams
    USEast Technologies

    UAG Config / Routing info

    Windows IP Configuration for UAG1



       Host Name . . . . . . . . . . . . : UAG1
       Primary Dns Suffix  . . . . . . . : corp.contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : corp.contoso.com
                                           isp.example.com

    Ethernet adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : SSL Network Tunneling
       Physical Address. . . . . . . . . : 00-FF-08-01-19-47
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Corpnet:

       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
       Physical Address. . . . . . . . . : 00-15-5D-01-50-58
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:20:8000::1(Preferred)
       Link-local IPv6 Address . . . . . : fe80::99c6:cad:b460:f93a%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.0.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 2002:836b:20:8000::2
       DHCPv6 IAID . . . . . . . . . . . : 301995357
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-8E-91-8F-00-15-5D-01-50-59
       DNS Servers . . . . . . . . . . . : 10.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Internet:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-01-50-59
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::3546:c8b9:7d01:ac59%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 131.107.0.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       IPv4 Address. . . . . . . . . . . : 131.107.0.3(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-8E-91-8F-00-15-5D-01-50-59
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:2::836b:2(Preferred)
       IPv6 Address. . . . . . . . . . . : 2002:836b:3::836b:3(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::8000:f227:7c94:fffd%15(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.isp.example.com:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::200:5efe:131.107.0.2%17(Preferred)
       Link-local IPv6 Address . . . . . : fe80::200:5efe:131.107.0.3%17(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.corp.contoso.com:

       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:3:8000:0:5efe:10.0.0.2(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.2%18(Preferred)
       Default Gateway . . . . . . . . . : fe80::5efe:10.0.0.20%18
       DNS Servers . . . . . . . . . . . : 10.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter IPHTTPSInterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : IPHTTPSInterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:2:8100:b53a:3653:9032:80dd(Preferred)
       Link-local IPv6 Address . . . . . : fe80::b53a:3653:9032:80dd%16(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{A2723D03-D943-4F22-8536-5867C33CDEB8}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    ===========================================================================
    Interface List
     13...00 ff 08 01 19 47 ......SSL Network Tunneling
     12...00 15 5d 01 50 58 ......Microsoft Virtual Machine Bus Network Adapter #2
     11...00 15 5d 01 50 59 ......Microsoft Virtual Machine Bus Network Adapter
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     16...00 00 00 00 00 00 00 e0 IPHTTPSInterface
     31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
             10.0.0.0    255.255.255.0         On-link          10.0.0.2    261
             10.0.0.2  255.255.255.255         On-link          10.0.0.2    261
           10.0.0.255  255.255.255.255         On-link          10.0.0.2    261
             10.0.1.0    255.255.255.0        10.0.0.30         10.0.0.2      6
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          131.107.0.0    255.255.255.0         On-link       131.107.0.2    261
          131.107.0.2  255.255.255.255         On-link       131.107.0.2    261
          131.107.0.3  255.255.255.255         On-link       131.107.0.2    261
        131.107.0.255  255.255.255.255         On-link       131.107.0.2    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link          10.0.0.2    261
            224.0.0.0        240.0.0.0         On-link       131.107.0.2    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link          10.0.0.2    261
      255.255.255.255  255.255.255.255         On-link       131.107.0.2    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
             10.0.1.0    255.255.255.0        10.0.0.30       1
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     12    261 ::/0                     2002:836b:20:8000::2
     18    261 ::/0                     fe80::5efe:10.0.0.20
      1    306 ::1/128                  On-link
     15     58 2001::/32                On-link
     18    261 2001:0:836b:2::/64       fe80::5efe:10.0.0.20
     14   1005 2002::/16                On-link
     14    261 2002:836b:2::/64         On-link
     18    261 2002:836b:2::/64         fe80::5efe:10.0.0.20
     14    261 2002:836b:2::836b:2/128  On-link
     12    261 2002:836b:2:8001::/96    On-link
     16    306 2002:836b:2:8100::/64    On-link
     18    261 2002:836b:2:8100::/64    fe80::5efe:10.0.0.20
     16    306 2002:836b:2:8100::/128   On-link
     16    306 2002:836b:2:8100:b53a:3653:9032:80dd/128
                                        On-link
     14    261 2002:836b:3::/64         On-link
     14    261 2002:836b:3::836b:3/128  On-link
     18     13 2002:836b:3:8000::/64    On-link
     18    261 2002:836b:3:8000:0:5efe:10.0.0.2/128
                                        On-link
     12    261 2002:836b:20::/48        On-link
     12    261 2002:836b:20:8000::1/128 On-link
     12    261 fe80::/64                On-link
     11    261 fe80::/64                On-link
     15    306 fe80::/64                On-link
     16    306 fe80::/64                On-link
     18    261 fe80::5efe:10.0.0.2/128  On-link
     17    261 fe80::200:5efe:131.107.0.2/128
                                        On-link
     17    261 fe80::200:5efe:131.107.0.3/128
                                        On-link
     11    261 fe80::3546:c8b9:7d01:ac59/128
                                        On-link
     15    306 fe80::8000:f227:7c94:fffd/128
                                        On-link
     12    261 fe80::99c6:cad:b460:f93a/128
                                        On-link
     16    306 fe80::b53a:3653:9032:80dd/128
                                        On-link
      1    306 ff00::/8                 On-link
     16    306 ff00::/8                 On-link
     15    306 ff00::/8                 On-link
     12    261 ff00::/8                 On-link
     11    261 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 2002:836b:2:8001::/96    On-link
      0 4294967295 2002:836b:2::/64         On-link
      0 4294967295 2002:836b:3::/64         On-link
      0 4294967295 2002:836b:2:8100::/64    On-link
      0 4294967295 ::/0                     2002:836b:20:8000::2
    ===========================================================================

    IPConfig / Routing info for ISATAP1

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ISATAP1
       Primary Dns Suffix  . . . . . . . : corp.contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : corp.contoso.com

    Ethernet adapter Corpnet:

       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-01-50-74
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:20:8000::2(Preferred)
       Link-local IPv6 Address . . . . . : fe80::388d:bfbf:250e:a274%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.0.20(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 2002:836b:20:8000::1
                                           10.0.0.2
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-41-FC-C6-00-15-5D-01-50-74
       DNS Servers . . . . . . . . . . . : 10.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.corp.contoso.com:

       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:3:8000:0:5efe:10.0.0.20(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.20%12(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled
    ===========================================================================
    Interface List
     11...00 15 5d 01 50 74 ......Microsoft Virtual Machine Bus Network Adapter
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.0.2        10.0.0.20    261
             10.0.0.0    255.255.255.0         On-link         10.0.0.20    261
            10.0.0.20  255.255.255.255         On-link         10.0.0.20    261
           10.0.0.255  255.255.255.255         On-link         10.0.0.20    261
             10.0.1.0    255.255.255.0        10.0.0.30        10.0.0.20      6
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.0.0.20    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.0.0.20    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
             10.0.1.0    255.255.255.0        10.0.0.30       1
              0.0.0.0          0.0.0.0         10.0.0.2  Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     11    261 ::/0                     2002:836b:20:8000::1
      1    306 ::1/128                  On-link
     11    261 2001:0:836b:2::/64       2002:836b:20:8000::1
     11    261 2002:836b:2::/64         2002:836b:20:8000::1
     11    261 2002:836b:2:8100::/64    2002:836b:20:8000::1
     12    261 2002:836b:3:8000::/64    On-link
     12    261 2002:836b:3:8000::/128   On-link
     12    261 2002:836b:3:8000:0:5efe:10.0.0.20/128
                                        On-link
     11    261 2002:836b:20::/48        On-link
     11    261 2002:836b:20:8000::2/128 On-link
     11    261 fe80::/64                On-link
     12    261 fe80::5efe:10.0.0.20/128 On-link
     11    261 fe80::388d:bfbf:250e:a274/128
                                        On-link
      1    306 ff00::/8                 On-link
     11    261 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 2002:836b:3:8000::/64    On-link
      0 4294967295 2001:0:836b:2::/64       2002:836b:20:8000::1
      0 4294967295 2002:836b:2::/64         2002:836b:20:8000::1
      0 4294967295 2002:836b:2:8100::/64    2002:836b:20:8000::1
      0 4294967295 ::/0                     2002:836b:20:8000::1
    ===========================================================================

     

Tuesday, January 24, 2012 7:13 PM
  • Well ... you've answered one important question that I had which is "should ISATAP be enabled on the UAG server?"  Your answer is "NO". 

    Yes, I did manually enable ISATAP on the UAG server (set it to default) because if I disable ISATAP I cannot ping any of the internal resources.  I get:

    C:\Users\user1>ping dc1

    Pinging DC1.corp.contoso.com [2002:836b:3:8000:0:5efe:10.0.0.1] with 32 bytes of data:
    General failure.
    General failure.
    General failure.
    General failure.

    Is this result due to your second point that The ISATAP prefix is not routed to the ISATAP router's native IPv6 address?

    If yes, I will work on the routing. 

    Should I delete the 12 261 ::/0 2002:836b:20:8000::2 route before adding the 2002:836b:3:8000::/64 route?

    Thanks again for answering ... almost there I think.

    Don Adams
    USEast Technologies

    Monday, January 30, 2012 6:37 PM
  • Yes, the general failure is due to the missing route.

    Don't delete the ::/0 route, just add another more specific route.

    Let me know how this works for you.

    Monday, January 30, 2012 8:03 PM
  • That did the trick! 

    UAG1 can now PING the internal resources and Client1 can now connect to internal resources from the virtual internet using an off UAG ISATAP router.

    Thanks!

    Don Adams
    USEast Technologies

    Monday, January 30, 2012 10:30 PM
  • Glad this helped :)
    Monday, January 30, 2012 10:45 PM