Direct Access will not Connect for Some Users when using Home Wireless

  • Question

  • Direct Access is usually pretty solid for my company but for some users they cannot connect using their home wireless. What setting on their home wireless is blocking them from connecting? Is there a change on my UAG servers that could be made to allow them to connect? Does anyone else have a similar issue?
    Wednesday, February 6, 2013 2:30 PM

Answers

  • Setting Teredo to EnterpriseClient is one thing that comes to mind immediately for me as well. Also, I have had numerous cases now where home routers (and cell cards) are starting to hand out native IPv6 addresses to computers. Sometimes this interferes with DirectAccess connectivity. If the user's home router hands their client computer an IPv6 address, you may see in your log file that the IPsec tunnels attempt to build themselves over the native IPv6 address instead of the Teredo or IP-HTTPS address like they should.

    In these cases, you need to stop the native IPv6 address from being assigned to the client computer. You can either open up the NIC properties on that laptop and uncheck the TCP/IPv6 box (this will not break DirectAccess), or you can get into the router settings at their house and stop it from handing out IPv6 addresses.

    So far Microsoft has not been able to give me an answer as to why this happens, but I have seen it at least a couple dozen times over the past year.

    • Marked as answer by dirkbucket Thursday, February 7, 2013 5:24 PM
    Thursday, February 7, 2013 4:38 PM

All replies

  • Hi,

    We need more information to analyze the situation. Do you have DCA logs generated by clients experiencing the problem you can share?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, February 6, 2013 8:01 PM
  • Yeah, need more information. But have a look at configuring the Teredo client as an Enterprise Client as per this article.

    Hth, Anders Janson Enfo Zipper

    Thursday, February 7, 2013 10:51 AM
  • K, thanks guys. I will change the GPO setting to EnterpriseClient and also uncheck IPv6 on client NIC.

    Thursday, February 7, 2013 5:24 PM
  • This solution worked great for us. It resolved both Direct Access Connectivity, along with Outlook Web Access issues. Either disabling IPv6 on the client wifi adapter, or disabling IPv6 DHCP servers from the hotspot/router fixed the issue. Thanks for the post!
    Thursday, June 20, 2013 10:11 PM
  • Is there a way to prevent the IPsec tunnel from being created via the unicast IPv6 address?

    I just came across this issue. I get a working IPv6 address from my ISP and I couldn't access the internal resources. Confirmed that the IPsec tunnel was created via my anycast (2601:...) address. Had to restart the "IKE and AuthIP IPsec Keying Modules" service so that the IPsec tunnels would get re-created over the IPHTTPS interface (2002:...) and not the unicast/routable IPv6 from my ISP.

    Wednesday, March 5, 2014 3:13 AM
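
The check described in the marked answer and in the post above (is the IPsec tunnel riding on a native IPv6 address instead of a Teredo or IP-HTTPS one?) can be done offline on addresses copied from a client's log. This is an added example, not part of the original thread; the function names, the sample addresses and the choice of 2001::/32 and 2002::/16 as the tunnel prefixes are assumptions.

```python
import ipaddress

# Assumption: the tunnel prefixes are Teredo (RFC 4380) and the 6to4-derived
# 2002::/16 range that the thread shows on the IP-HTTPS interface. Replace
# them with the prefixes your own DirectAccess deployment assigns.
TUNNEL_PREFIXES = {
    "teredo": ipaddress.ip_network("2001::/32"),
    "6to4-derived": ipaddress.ip_network("2002::/16"),
}


def classify(addr, tunnel_prefixes=TUNNEL_PREFIXES):
    """Return 'link-local', a tunnel prefix name, or 'native'."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone id
    if ip.is_link_local:
        return "link-local"
    for name, net in tunnel_prefixes.items():
        if ip in net:
            return name
    return "native"


def triage(client_addresses, sa_local_endpoints):
    """Flag native IPv6 on the client and IPsec SAs built over it."""
    native = [a for a in client_addresses if classify(a) == "native"]
    misrouted = [e for e in sa_local_endpoints if classify(e) == "native"]
    if misrouted:
        verdict = "ipsec-over-native-ipv6"
    elif native:
        verdict = "native-ipv6-present"
    else:
        verdict = "ok"
    return {"native": native, "misrouted": misrouted, "verdict": verdict}


# Constructed sample data (documentation prefixes), not taken from a real log.
CLIENT_ADDRESSES = [
    "fe80::1c2b:3d4e:5f60:7182%12",   # link-local on the Wi-Fi adapter
    "2001:db8:10:20::a5",             # native address handed out by the router
    "2002:c000:204:8100::1",          # IP-HTTPS style address
]
SA_LOCAL_ENDPOINTS = ["2001:db8:10:20::a5"]

if __name__ == "__main__":
    print(triage(CLIENT_ADDRESSES, SA_LOCAL_ENDPOINTS))
    # After IPv6 is unbound from the home adapter and the tunnels are rebuilt:
    print(triage(CLIENT_ADDRESSES[2:], ["2002:c000:204:8100::1"]))
```

A verdict of `native-ipv6-present` means the home router is handing out IPv6 but the tunnels have not (yet) been built over it.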
  • I had an issue where my home router SSD name was the same as my work SSD name and it prevented DirectAccess from connecting. I renamed my home SSD name to something different and that solved my problem.
    Sunday, November 4, 2018 12:40 AM