Direct Access - IPHTTP yes, Teredo and 6to4 no

  • General discussion

  • I have direct access working with teredo and 6to4 disabled but would like to get it working with those protocols.

    Thursday, September 17, 2009 8:55 PM

All replies

  • Hi,

    You could use Netsh command to enable Teredo and 6to4 protocols.

    For more information, please refer to the following articles:

    Netsh commands for Interface 6to4

    Netsh commands for Interface Teredo

    Hope this helps.
    Tuesday, September 22, 2009 1:54 PM
  • I actually know how to enable them but when I do - DA quits working. That is the problem. Thanks for the info though.
    Tuesday, September 22, 2009 2:51 PM
  • I'm guessing it's a routing problem.  When you enable 6to4 or Teredo, DA traffic might be getting routed through those and the other end of the tunnel doesn't know how to route it after that.  Hope that's helpful.
    • Edited by S English Monday, October 12, 2009 4:25 PM clarification
    Monday, October 12, 2009 4:25 PM
  • Teredo uses UDP encapsulation over port 3544.  Make sure that this port is not blocked at an edge firewall.  For 6to4 you need to allow IPv4 protocol 41.

    If you have Teredo enabled on the client, you can check Teredo's status using the command "netsh interface teredo show state".  If the Teredo client is unable to contact the Teredo server on port 3544, you will see the error "primary server unreachable" or "secondary server unreachable".  If the Teredo state is "qualified", then the next thing to look at is IPv6 routing.

    I find packet captures to be an invaluable tool for discovering routing errors.  You can download Microsoft's Network Monitor tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en.  This how to guide gives a good starting point: http://support.microsoft.com/kb/148942.

    The DirectAccess Troubleshooting guide shows how to use Windows' built in logging to help diagnose the issue.  It is available here: http://technet.microsoft.com/en-us/library/ee624056(WS.10).aspx.

    Please update the thread once you've tried this so we can continue to help.

    Monday, October 12, 2009 6:02 PM
  • those ports are available and not blocked. There is a rule in the firewall for them. When I run the teredo show state command I get the below -

    C:\Users\DScott>netsh interface teredo show state
    Teredo Parameters
    Type                    : enterpriseclient (Group Policy)
    Server Name             : public ip here (Group Policy)
    Client Refresh Interval : 60 seconds
    Client Port             : 34567
    State                   : probe (primary server)
    Client Type             : teredo host-specific relay
    Network                 : managed

    I can ping the direct access server and gain access to files and folders with Teredo on but not 6to4, as soon as I enable 6to4 - I cannot get to anything. It is also a bit flaky. Sometimes I can ping and it replies and then 2 seconds later nothing and 2 seconds after that it is reachable. I am guessing that it is intended to be more stable than what I am seeing.

    So after running through the troubleshooting guide, I can successfully complete all the steps as long as 6to4 is not enabled. The connectivity is still not terribly stable see example above about pingability. I am not sure if it would be better if 6to4 was enabled? Ideas?
    • Edited by Debi Scott Friday, October 16, 2009 7:22 PM
    Friday, October 16, 2009 6:19 PM
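    The reply above says to read the State line of "netsh interface teredo show state" first (server reachability over UDP 3544), and only then move on to IPv6 routing. The following is an added example, not code from the thread or from Microsoft: a small Python parser that turns that netsh output (using the exact text Debi posted, embedded here as constructed sample input) into a key/value map and maps the state to the next troubleshooting step described in the thread. The state strings "probe", "qualified" and "primary/secondary server unreachable" come from the thread; "offline" and "dormant" are additional states Windows reports and are included for completeness.

    ```python
    import re

    # Constructed sample input: the "netsh interface teredo show state" output
    # quoted in the thread above (the poster redacted the server address).
    SAMPLE_PROBE = """\
    C:\\Users\\DScott>netsh interface teredo show state
    Teredo Parameters
    Type                    : enterpriseclient (Group Policy)
    Server Name             : public ip here (Group Policy)
    Client Refresh Interval : 60 seconds
    Client Port             : 34567
    State                   : probe (primary server)
    Client Type             : teredo host-specific relay
    Network                 : managed
    """

    # "Key : value" lines only; the key must be words, so the "C:\Users..." prompt
    # line and the "Teredo Parameters" heading are skipped.
    _LINE = re.compile(r"^([A-Za-z][A-Za-z ]+?)\s*:\s*(.+)$")


    def parse_teredo_state(text):
        """Return the netsh parameters as a dict with lower-cased keys."""
        params = {}
        for line in text.splitlines():
            m = _LINE.match(line.strip())
            if m:
                params[m.group(1).strip().lower()] = m.group(2).strip()
        return params


    def diagnose_teredo(params):
        """Map the parsed Teredo state to (finding, next step), in the order the
        thread suggests: server reachability first, then IPv6 routing."""
        state = params.get("state", "").lower()
        client_type = params.get("client type", "").lower()
        if "server unreachable" in state:
            return ("server-unreachable",
                    "UDP 3544 to the Teredo server is not getting through; "
                    "check the edge firewall")
        if state.startswith("probe"):
            return ("probing",
                    "client is still trying to qualify with the Teredo server; "
                    "re-check after the client refresh interval")
        if state.startswith("qualified"):
            if "host-specific relay" in client_type:
                # Host has a global IPv4 address, so 6to4 is preferred for sending
                return ("qualified-hsr",
                        "Teredo is qualified but 6to4 will be preferred; "
                        "verify protocol 41 is allowed or disable 6to4")
            return ("qualified",
                    "Teredo is usable; if DirectAccess still fails, "
                    "look at IPv6 routing with a packet capture")
        if state.startswith("offline") or state.startswith("dormant"):
            return ("inactive",
                    "Teredo interface is not active; confirm it is enabled "
                    "and a server name is configured")
        return ("unknown", "unrecognised state %r" % state)


    if __name__ == "__main__":
        finding, next_step = diagnose_teredo(parse_teredo_state(SAMPLE_PROBE))
        print(finding, "->", next_step)
    ```

    Paste the real output into SAMPLE_PROBE (or read it from a file) to get the same classification for your own client; the "probe (primary server)" state in Debi's output classifies as "probing", which is consistent with the intermittent pings she describes.
    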
  • Hello Debi,

    It sounds like your DirectAccess client is on an IPv4 network which does not allow 6to4 traffic.  We are seeing this fairly often with WWAN networks.  Would you mind letting us know if you are on a WWAN link?

    The 6to4 protocol provides no way of discovering if it is blocked on a network: the interface comes online whenever a global IPv4 address is present.  In the output you've linked above, Teredo is in "host-specific-relay" mode.  This means 6to4 will be preferred for sending traffic and Teredo will be essentially unused.  In this scenario, IPHTTPS may come online as a “last resort” method of connecting.  Please do let us know if IPHTTPS is online in these circumstances.  You may check by running the command “netsh interface https show interface”.

    DirectAccess is designed to work with any IPv6 provider, including 6to4.  However, if you find 6to4 is not working you may choose to disable it in the DirectAccess client group policy object.  The 6to4 group policy control is under Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> 6to4 State – double click to open the settings page.  Enable group policy control of this object by selecting the “Enabled” radio button.  Under the control “Select from the following states:” choose “Disabled State”.


    Friday, October 16, 2009 7:20 PM
  • Thanks Sam - that is the case. I am using an AT&T air card and it will not function with 6to4 enabled. Once I plug into a DSL line, then it will.
    thank you for your help on this.
    Question - I can ask in a different forum if this is not the appropriate place.
    When I log in or any of my users, how are they supposed to get their drives mapped? They do not show up as it stands.
    Friday, October 16, 2009 8:07 PM
  • hey there,
    same prob here. w2008r2 da server with uag rtm. we banged our heads against the wall because all our wwan road warriors were unable to reach the corpnet via da. when examining this problem we saw it brought up 6to4 AND teredo but it used only 6to4 and as this was blocked by our isp it was very ugly because the da client stuck to 6to4 and wouldn't use teredo instead. we had to force 6to4 to disabled using netsh.

    now my problem: the uag wizard doesn't take care of these scenarios. So when you guys actually know 6to4 makes problems with wwan, why don't you disable it in the assistant?

    or (and that would be even better) why can't you implement a mechanism which is able to detect if 6to4 is actually working and if not, drop back to teredo or ip-https. That is the whole idea of da, i thought???!!! Any idea how to get the da client to actually RECOGNIZE when 6to4 can't reach the relay and then drop back to teredo or ip-http/s?

    If there is no better solution I have to disable 6to4 in the client GPO for ALL machines!!! Now that would be a really bad solution, wouldn't it?

    Saturday, January 23, 2010 10:49 PM
  • Hey guys,

    Just to be clear -- the 6to4 client should come up *only* if the client is assigned a public IPv4 address. If the client has a public IP address, it should be using only 6to4 and NOT Teredo. If the client is behind a NAT device, then it should be using Teredo or IP-HTTPS.

    So, when you're on the WWAN, are you assigned a public or private address?


    MS ISDUA Anywhere Access Team
    Monday, January 25, 2010 11:48 AM
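    The selection rule stated in this reply (public IPv4 address: 6to4 only; behind NAT: Teredo or IP-HTTPS), together with Sam's earlier point that 6to4 has no way to detect that a provider drops protocol 41, can be written down as a small model. The following is an added example, not code from the thread, from Microsoft or from the DirectAccess client: it classifies the client's own IPv4 address with Python's ipaddress module, applies the stated selection rule, and reports whether the selected technology can actually pass traffic on a given network, using the thread's own remedy (disable 6to4 in the client GPO) as the suggested fix. The function names, the network dictionary keys and the sample addresses are my own constructed assumptions.

    ```python
    import ipaddress

    # Transition technologies in the order the reply above describes them
    SIX_TO_FOUR, TEREDO, IPHTTPS = "6to4", "Teredo", "IP-HTTPS"


    def address_kind(client_ipv4):
        """'public' for a globally routable IPv4 address, 'private' for RFC 1918
        and other non-global ranges (i.e. the client sits behind a NAT)."""
        ip = ipaddress.ip_address(client_ipv4)
        if ip.version != 4:
            raise ValueError("expected an IPv4 address, got %s" % client_ipv4)
        return "public" if ip.is_global else "private"


    def selected_transition(client_ipv4, six_to_four_enabled=True, teredo_enabled=True):
        """Which technology the client brings up, per the rule in the thread:
        public address -> 6to4 (if enabled); otherwise Teredo; else IP-HTTPS."""
        if address_kind(client_ipv4) == "public" and six_to_four_enabled:
            return SIX_TO_FOUR
        if teredo_enabled:
            return TEREDO
        return IPHTTPS


    def simulate_client(client_ipv4, network, six_to_four_enabled=True, teredo_enabled=True):
        """network describes what the provider really passes, e.g.
        {"protocol41": False, "udp3544": True, "tcp443": True} (assumed keys).
        Returns the selected technology, whether it can carry traffic, and the
        thread's remedy when it cannot."""
        chosen = selected_transition(client_ipv4, six_to_four_enabled, teredo_enabled)
        passes = {
            SIX_TO_FOUR: network.get("protocol41", False),  # IPv4 protocol 41
            TEREDO: network.get("udp3544", False),          # UDP 3544 to the server
            IPHTTPS: network.get("tcp443", False),          # HTTPS to the DA server
        }
        result = {"address": address_kind(client_ipv4), "selected": chosen,
                  "reachable": passes[chosen], "fix": None}
        if chosen == SIX_TO_FOUR and not passes[SIX_TO_FOUR]:
            # 6to4 is chosen on the address alone and cannot tell it is blocked,
            # so the client stays stuck on it: the thread's fix is the client GPO.
            result["fix"] = ("disable 6to4 in the DirectAccess client GPO "
                             "(IPv6 Transition Technologies -> 6to4 State = Disabled)")
        return result


    # Constructed scenarios (addresses are placeholders, not real clients):
    WWAN_BLOCKS_41 = {"protocol41": False, "udp3544": True, "tcp443": True}
    HOME_NAT = {"protocol41": False, "udp3544": True, "tcp443": True}

    if __name__ == "__main__":
        print(simulate_client("77.0.0.10", WWAN_BLOCKS_41))                          # stuck on 6to4
        print(simulate_client("77.0.0.10", WWAN_BLOCKS_41, six_to_four_enabled=False))  # Teredo works
        print(simulate_client("192.168.1.10", HOME_NAT))                              # behind NAT: Teredo
    ```

    The first scenario is the one both posters describe: a WWAN card that hands out a public address while the carrier drops protocol 41, so the client selects 6to4 and never qualifies; with 6to4 disabled the same client selects Teredo and connects.
    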
  • Public for me.

    Monday, January 25, 2010 6:18 PM
  • Yes, a public address!!!!! EVERY wwan provider in germany assigns a public address.
    Tuesday, January 26, 2010 7:50 AM
  • This check already exists.
    If your client machine is able to do a successful specific DNS query to corporate resources, then it won't fall back to IP-HTTPS.
    But since the DNS you are using is UAG DNS64 and it has a 6to4 IP address, it is possible that you are able to reach it using 6to4, but not able to reach other corp resources.

    Can you please check if that's the case.. Does name resolution for corp resources work for you?
    Tuesday, January 26, 2010 1:24 PM
  • This is not a thread that involves UAG (although it looks like someone jumped in with that) I am not using UAG. I am using Direct Access, using windows 2008. If 6to4 is disabled I can access my network. If it is enabled I cannot. Same for Teredo.
    Tuesday, January 26, 2010 4:52 PM
  • same for me (even if i use uag). if i disable 6to4, it works like a charm. any idea about a solution or should i turn off 6to4 via gpo in general? but that's not the idea, right? ;-)
    Monday, February 1, 2010 12:55 PM