Troubleshooting IPv6

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting

What problem are you having?

  • A router is not advertising itself as a default router.

  • A default route is not present on the host.

  • Address has unexpected interface identifier.

  • Internet Explorer is not connecting when literal IPv6 addresses are used in the URL.

  • Off-link routes are in the routing table.

  • Ping fails Echo Request messages when specifying a link-local destination.

  • IPSec traffic is not encrypted.

  • IPSec in IPv6 is not operating according to local or domain-based IPSec policies.

  • Tunneled traffic is not reaching the destination.

  • No IPv4-compatible address is configured on my Automatic Tunneling Pseudo-Interface.

  • Unable to reach other 6to4 sites or the IPv6 Internet by using the 6to4 router.

A router is not advertising itself as a default router.

Cause:  A computer running a member of the Windows Server 2003 family that is being used as an IPv6 router will not advertise itself as a default router unless it is configured with a default route (::/0) that is configured to be published.

Solution:  Add a default route to the router computer and configure it to be published with the netsh interface ipv6 add route command.

See also:  Netsh commands for Interface IPv6; Add an IPv6 route; IPv6 utilities; Setting up an IPv6 Test Lab

A default route is not present on the host.

Cause:  A computer running a member of the Windows Server 2003 family that is being used as an IPv6 router will not advertise itself as a default router unless it is configured with a default route (::/0) that is configured to be published.

Solution:  Add a default route to the router computer and configure it to be published with the netsh interface ipv6 add route command.

See also:  Netsh commands for Interface IPv6; Add an IPv6 route; IPv6 utilities; Setting up an IPv6 Test Lab

Address has unexpected interface identifier.

Cause:  A local router is configured to advertise a global prefix. By default, a temporary address that is based on the global prefix is automatically configured.

Solution:  Use the netsh interface ipv6 set privacy state=disabled command to disable temporary addresses.

See also:  Netsh commands for Interface IPv6; IPv6 interface identifiers; IPv6 utilities

Internet Explorer is not connecting when literal IPv6 addresses are used in the URL.

Cause:  The version of the Internet Explorer provided with Windows Server 2003 family does not support the format for literal IPv6 addresses in URLs that is described in RFC 2732, "Format for Literal IPv6 Addresses."

Solution:  Create DNS AAAA resource records that resolve Web server names to an IPv6 address and then use Web server names in the URL.

See also:  IPv6 applications; IPv6 Name resolution

Cause:  When a router running a member of the Windows Server 2003 family sends a Router Advertisement message, it includes Route Information options for directly attached subnets.

Solution:  None. This is intended.

See also:  IPv6 routing

Cause:  The zone ID is not specified.

Solution:  This is a common problem when a link-local destination address is used. Link-local addresses are often configured automatically for multiple interfaces. To specify the exact interface over which to send Echo Request messages, use the pingAddress**%**ZoneID syntax where ZoneID is the interface index for the interface over which the ping traffic is sent.

See also:  Single subnet with link-local addresses; IPv6 utilities

IPSec traffic is not encrypted.

Cause:  The IPv6 protocol for Windows Server 2003 family does not support the use of IPSec Encapsulating Security Payload (ESP) encryption. However, the use of ESP with NULL encryption is supported. Although NULL encryption uses the ESP header, only data origin authentication and data integrity services are provided.

Solution:  None. This is a current limitation of the IPv6 protocol for Windows Server 2003 family and Windows XP.

See also:  Security features for IPv6; Using IPSec between two local link hosts

IPSec in IPv6 is not operating according to local or domain-based IPSec policies.

Cause:  IPSec support for IPv4 traffic is separate from IPSec support for IPv6 traffic. Local or domain-based IPSec policies configured with the IP Security Policies or Group Policy snap-ins are for IPv4 traffic only. These policies have no effect on IPv6 traffic.

Solution:  None. This is a current limitation of the IPv6 protocol for Windows Server 2003 family and Windows XP.

See also:  Security features for IPv6; Using IPSec between two local link hosts

Tunneled traffic is not reaching the destination.

Cause:  Routers or firewalls are dropping IPv4 traffic that has the IP Protocol field value set to 41.

Solution:  All IPv6 traffic that is encapsulated (tunneled) inside of an IPv4 header has the IPv4 Protocol field in the header set to 41. IPv6 tunneled traffic includes traffic that uses IPv4-compatible addresses, 6over4 addresses, ISATAP addresses, and 6to4 addresses. To allow IPv6 tunneled traffic to be forwarded, configure your routers or firewalls to pass IPv4 traffic that has the Protocol field set to 41.

See also:  Security features for IPv6; Using IPSec between two local link hosts

No IPv4-compatible address is configured on my Automatic Tunneling Pseudo-Interface.

Cause:   You do not have a public IPv4 address assigned to any of your interfaces or IPv4-compatible addresses are not enabled.

Solution:  Because IPv4-compatible addresses have a global scope and are globally unique, IPv4-compatible addresses that are derived from private addresses are not allowed. Private addresses for the IPv6 protocol for Windows Server 2003 family and Windows XP are defined by the following ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16. Configure a public IPv4 address on one of your interfaces using the netsh interface ipv6 set state command.

See also:  Netsh commands for Interface IPv6

Unable to reach other 6to4 sites or the IPv6 Internet by using the 6to4 router.

Cause:  Your firewall or Internet router is dropping IPv4 traffic that has the IP Protocol field value set to 41.

Solution:  All IPv6 traffic that is encapsulated (tunneled) inside of an IPv4 header has the IPv4 Protocol field in the header set to 41. IPv6 tunneled traffic includes traffic that uses IPv4-compatible addresses, 6over4 addresses, and 6to4 addresses. To allow IPv6 tunneled traffic to be forwarded, configure your firewall or Internet router to pass IPv4 traffic that has the Protocol field set to 41.

Cause:  You are unable to resolve the DNS name 6to4.ipv6.microsoft.com.

Solution:  By default, the IPv6 Helper service attempts to first resolve the name 6to4.ipv6.microsoft.com to its IPv4 addresses and then choose a relay router. If you cannot resolve the name 6to4.ipv6.microsoft.com, a relay router is not configured and you cannot reach any locations on the IPv6 Internet. Type ping 6to4.ipv6.microsoft.com to determine whether you can resolve the name 6to4.ipv6.microsoft.com.

Cause:  You do not have the correct route.

Solution:  View the display of the netsh interface ipv6 show routes command. You should see a 2002::/16 route that uses the 6to4 Tunneling Pseudo-Interface to send all traffic.

Cause:  You do not have the correct address.

Solution:  Verify that you have a 6to4 address assigned before attempting to reach a destination. For example, without a 6to4 address, you might be using a link-local address to reach a 6to4 global address. Use the display of the netsh interface ipv6 show interface command to determine your address configuration.