Ping any server returns its IPv6 IP address

  • Question

  • Hi,

    After I configured UAG DirectAccess, pinging any server or even machine returns IPv6 format. I think this is because I enabled ISATAP in DNS. How can I fix this so that pinging any server returns only IPv4 IP?

    Thanks

    Sunday, May 1, 2011 7:49 AM

Answers

  • Configuring ISATAP is irrelevant; all communication between the DA client and UAG will occur over IPv6. Have a look at these:

    http://blogs.technet.com/b/tomshinder/archive/2010/06/22/uag-directaccess-and-client-application-compatibility-considerations.aspx

    http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx

    If you undo your ISATAP changes, you will force all inbound connections to use the NAT64 service and convert IPv6 into IPv4 as it passes through the gateway. By disabling ISATAP, you will prevent ISATAP machines from accessing the DA clients for outbound remote management as discussed here:

    http://blogs.technet.com/b/tomshinder/archive/2010/10/01/is-isatap-required-for-uag-directaccess.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 3, 2011 4:42 PM
    Moderator
  • What you'll find happening is that pinging servers from an IPv6 capable host inside your network (like a Win7 or Server 2008 machine) will return IPv6 addresses, but pinging these same servers from an IPv4 only client (like an XP or Server 2003) will reply with an IPv4 address. This is because when you configured ISATAP it told all of your IPv6 capable hosts inside the network to register themselves an IPv6 ISATAP address in your DNS. (You can think of ISATAP kind of like an IPv6 DHCP server.) So if you look in DNS, you will see that each of your IPv6 capable hosts has both an IPv4 and an IPv6 address now. IPv6 addresses take priority, so when you ping from an IPv6 capable host, it recognizes that a quad-A record exists and responds as such. It won't make any difference to functionality, just a difference in what you see in the ping replies.

    As Jason mentioned, you can remove ISATAP and DirectAccess will continue to function just fine with NAT64. ISATAP is completely optional; however, also as mentioned, if you remove your ISATAP host record and then remove all of the ISATAP IPv6 host records that got created in DNS so you are back to running IPv4 inside your network, then you will lose your ability to "manage-out" to the DirectAccess client computers. This is because DirectAccess client computers are IPv6 clients, and list themselves in DNS as IPv6 addresses. So to be able to contact them, you have to use IPv6. If you are sitting on a Win7 machine (helpdesk computer for instance) or a Server 2008 (SCCM server for instance) and try to contact a DirectAccess client computer for RDP or pushing an update, if the machine you are sitting on is connected with IPv6 via ISATAP (or native IPv6), your communication will be successful. However, if you have chosen not to use ISATAP, you will only have IPv4 level connectivity and your request will fail because you will not be able to communicate with the IPv6 address of the DA client computer.

    Basically, there is NAT64 on the DirectAccess server, but not NAT46. :)

    • Marked as answer by Erez Benari Wednesday, May 4, 2011 11:19 PM
    Wednesday, May 4, 2011 7:22 PM
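
The behaviour described in the answer above, as an added example that is not part of the original thread: it recognises ISATAP addresses by their RFC 5214 interface identifier, extracts the embedded IPv4 address, and shows which address each kind of client ends up using. The host names and addresses are constructed, and "IPv6 takes priority" is modelled as a simple rule rather than the full Windows address-selection logic.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface identifier (RFC 5214):
# 0000:5efe for a private IPv4 address, 0200:5efe for a globally unique one.
ISATAP_MARKERS = {0x00005EFE, 0x02005EFE}

# Constructed sample of A/AAAA data per host (hypothetical names and addresses).
SAMPLE = {
    "fileserver": ["10.0.0.20", "2001:db8:1:8000:0:5efe:10.0.0.20"],
    "xp-legacy": ["10.0.0.31"],
    "da-client": ["2001:db8:1:8001:a1b2:c3d4:e5f6:789"],  # IPv6 only, not ISATAP
}

def isatap_embedded_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP IPv6 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = int(ip) & ((1 << 64) - 1)  # low 64 bits = interface identifier
    if (iid >> 32) not in ISATAP_MARKERS:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

def address_used(records, client_has_ipv6):
    """Address a client connects to (and ping displays); None if unreachable."""
    ips = [ipaddress.ip_address(r) for r in records]
    v6 = [ip for ip in ips if ip.version == 6]
    v4 = [ip for ip in ips if ip.version == 4]
    if client_has_ipv6 and v6:
        return v6[0]  # simplified rule: a quad-A record wins when usable
    return v4[0] if v4 else None  # IPv4-only client cannot use AAAA records

def audit(zone):
    """Per host: address each client type uses, and ISATAP/A consistency."""
    report = {}
    for host, records in zone.items():
        a_records = {ipaddress.ip_address(r) for r in records if ":" not in r}
        embedded = {e for r in records if (e := isatap_embedded_ipv4(r))}
        report[host] = {
            "dual_stack_client": address_used(records, True),
            "ipv4_only_client": address_used(records, False),
            # None when the host has no ISATAP record at all
            "isatap_matches_a": embedded <= a_records if embedded else None,
        }
    return report

if __name__ == "__main__":
    for host, row in audit(SAMPLE).items():
        print(host, row)
```

A `None` in the `ipv4_only_client` column is the manage-out failure case: the target has only an IPv6 address and the management host has no IPv6 path to it.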

All replies

  • I did the steps listed in this link http://technet.microsoft.com/en-us/library/ee649158(WS.10).aspx to enable ISATAP prior to UAG DirectAccess configuration. If I undo those changes in DNS, will UAG DirectAccess continue to work?

    Thanks

    Sunday, May 1, 2011 1:09 PM