Curious situation - not urgent, but I'd like to know more

Kurt Buff kurt.buff at gmail.com
Sat Mar 5 02:15:53 CET 2016


I may have implemented DA for the company, but that doesn't mean I'm
an expert at it.

But, I will try this on my test laptop, and if that seems to work,
I'll try it on the user's laptop.

If that fixes her problem, then I'll likely roll out a GPO to all of
the DA client machines.

I'll post back to the list with what I find. I'm looking at several
entries from Richard Hicks' blog on the subject now.

With any luck, this will become moot in a month or so, as we'll be
migrating to the 2012R2 version of DA.

Kurt

On Fri, Mar 4, 2016 at 4:35 PM, Brian E Carpenter
<brian.e.carpenter at gmail.com> wrote:
> I would suggest:
>
> netsh interface ipv6 6to4 set state state=disabled
>
> You don't want to go near 6to4 these days (http://tools.ietf.org/html/rfc7526).
> Use real IPv6 or no IPv6.
>
> Regards
>    Brian (co-author of 6to4, but that was 15 years ago)
>
> On 05/03/2016 13:06, Kurt Buff wrote:
>> Reviving an old thread, with a new twist.
>>
>> I've currently got a similar problem with another user, but with two
>> differences:
>>      - The connection in this case is ATT, not Comcast
>>      - The machine this time is running Win8.1 and not Win7
>>
>> What I've zeroed in on is two stanzas from ipconfig /all:
>>
>> On my test machine (Also Win8.1), sitting outside of my corporate
>> firewall on a public IP address, I see the following:
>>
>> Tunnel adapter 6TO4 Adapter:
>>
>>    Connection-specific DNS Suffix  . :
>>    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
>>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>>    DHCP Enabled. . . . . . . . . . . : No
>>    Autoconfiguration Enabled . . . . : Yes
>>    IPv6 Address. . . . . . . . . . . : 2002:4332:7632::4332:7632(Preferred)
>>    Default Gateway . . . . . . . . . : 2002:4332:7626::4332:7626
>>    DHCPv6 IAID . . . . . . . . . . . : 268435456
>>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-45-38-94-00-26-2D-FA-9F-EF
>>    DNS Servers . . . . . . . . . . . : 8.8.8.8
>>    NetBIOS over Tcpip. . . . . . . . : Disabled
>>
>> Tunnel adapter Teredo Tunneling Pseudo-Interface:
>>
>>    Connection-specific DNS Suffix  . :
>>    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
>>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>>    DHCP Enabled. . . . . . . . . . . : No
>>    Autoconfiguration Enabled . . . . : Yes
>>    IPv6 Address. . . . . . . . . . . : 2001:0:4332:7626:2803:8c2:bccd:89cd(Preferred)
>>    Link-local IPv6 Address . . . . . : fe80::2803:8c2:bccd:89cd%9(Preferred)
>>    Default Gateway . . . . . . . . . :
>>    DHCPv6 IAID . . . . . . . . . . . : 285212672
>>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-45-38-94-00-26-2D-FA-9F-EF
>>    NetBIOS over Tcpip. . . . . . . . : Disabled
>>
>> On her machine, which is on a wireless connection at her home on ATT,
>> I see this:
>>
>> Tunnel adapter 6TO4 Adapter:
>>
>>    Connection-specific DNS Suffix  . : attlocal.net
>>    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
>>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>>    DHCP Enabled. . . . . . . . . . . : No
>>    Autoconfiguration Enabled . . . . : Yes
>>    IPv6 Address. . . . . . . . . . . : 2002:100:69::100:69(Preferred)
>>    Default Gateway . . . . . . . . . :
>>    DHCPv6 IAID . . . . . . . . . . . : 553648128
>>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-CC-30-DE-34-E6-D7-13-7E-02
>>    DNS Servers . . . . . . . . . . . : 1.0.0.1
>>    NetBIOS over Tcpip. . . . . . . . : Disabled
>>
>> Tunnel adapter Teredo Tunneling Pseudo-Interface:
>>
>>    Media State . . . . . . . . . . . : Media disconnected
>>    Connection-specific DNS Suffix  . :
>>    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
>>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>>    DHCP Enabled. . . . . . . . . . . : No
>>    Autoconfiguration Enabled . . . . : Yes
>>
>>
>>
>> She's able to get an IPv4 connection at her location using our SSL
>> VPN, and she states that when at her local coffee shop her
>> DirectAccess connection works, though I haven't been able to confirm
>> that yet.
>>
>> I'm going to see next week if I can take a peek at her router/firewall
>> configuration and glean any clues from it, and also see if she's
>> willing to make a trip to the coffee shop to do some work with me from
>> there.
>>
>> I'm not certain if prefix policies have anything to do with this
>> problem, as I'm not seeing the relevant IPv6 addresses for
>> DirectAccess anywhere in her ipconfig output.
>>
>> Any thoughts or comments would be appreciated.
>>
>> Kurt
>>
>> On Sat, Dec 19, 2015 at 1:37 PM, Kurt Buff <kurt.buff at gmail.com> wrote:
>>> All,
>>>
>>> I ran into an interesting situation some months ago which still
>>> baffles me, and though I was able to work around it, I expect it will
>>> happen again.
>>>
>>> We implemented MSFT DirectAccess at our company quite some time ago
>>> (using 2008R2 and Forefront 2010), and it works extremely well.
>>>
>>> At least it worked well for everyone until one of the employees got
>>> his Comcast connection upgraded, and then DirectAccess didn't work for
>>> that employee any more.
>>>
>>> We proved that if he tethered to his cell phone, that would work, and
>>> if he used an SSL VPN client while on his Comcast connect that would
>>> work, but DirectAccess would not work at home.
>>>
>>> Finally, I discovered that his Comcast-installed router was handing
>>> out IPv6 addresses on his home LAN. Turning that off enabled
>>> DirectAccess to work again.
>>>
>>> We do not have an assigned IPv6 block from our ISP, though of course
>>> MSFT OSes use it, and auto-assign themselves addresses, but for now
>>> we're ignoring it.
>>>
>>> Has anyone run into this problem and solved it - not by turning off
>>> IPv6 address assignment for the home LAN, but really solved it? If
>>> so, how did you do that?
>>>
>>> Would getting and implementing an IPv6 assignment from our ISP cure
>>> the problem, or make it worse?
>>>
>>> I've found little guidance from MSFT about DirectAccess in an IPv6
>>> environment, though I admit I haven't been terribly diligent in my
>>> searches.
>>>
>>> Kurt
>>
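
Added example, not part of the original thread: the 6to4 and Teredo addresses in the quoted ipconfig output each embed IPv4 data, and decoding them shows which IPv4 address each tunnel adapter built its address from. The function names are illustrative, and the sample text is constructed from the address lines quoted above.

```python
import ipaddress

# Constructed sample: address lines taken from the ipconfig /all output quoted in the thread.
SAMPLE = """\
Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:4332:7632::4332:7632(Preferred)
   Default Gateway . . . . . . . . . : 2002:4332:7626::4332:7626
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:4332:7626:2803:8c2:bccd:89cd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2803:8c2:bccd:89cd%9(Preferred)
Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:100:69::100:69(Preferred)
"""

def decode_tunnel_address(text):
    """Return the IPv4 data embedded in a 6to4 or Teredo address, else None."""
    addr = ipaddress.IPv6Address(text)
    if addr.sixtofour is not None:  # 2002::/16, IPv4 in bits 16..47 (RFC 3056)
        return {"kind": "6to4", "ipv4": str(addr.sixtofour)}
    if addr.teredo is not None:  # 2001:0::/32 (RFC 4380)
        server, client = addr.teredo  # client address is stored bit-inverted
        port = ((int(addr) >> 32) & 0xFFFF) ^ 0xFFFF  # mapped UDP port, also inverted
        return {"kind": "teredo", "server": str(server), "client": str(client), "port": port}
    return None

def decode_ipconfig(output):
    """Return (adapter, field, decoded) for each tunnel address in ipconfig text."""
    adapter, found = None, []
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip().rstrip(":")  # unindented "... adapter X:" header
            continue
        field, sep, value = line.partition(" : ")
        if not sep:
            continue
        # Drop the "(Preferred)" state suffix and any "%<zone>" index.
        value = value.strip().split("(")[0].split("%")[0]
        try:
            decoded = decode_tunnel_address(value)
        except ValueError:
            continue  # not an IPv6 address (DNS suffix, DUID, IPv4 DNS server...)
        if decoded:
            found.append((adapter, field.strip(" ."), decoded))
    return found

if __name__ == "__main__":
    print(*decode_ipconfig(SAMPLE), sep="\n")
```

On the sample, the test machine's 6to4 address and Teredo client field decode to the same IPv4 address, and the second 6to4 adapter decodes to 1.0.0.105.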

