Cannot Reach the DirectAccess Server with 6to4

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

If the DirectAccess client is on the Internet Protocol version 4 (IPv4) Internet, is not on the Internet Protocol version 6 (IPv6) Internet, and has a public IPv4 address assigned to a local area network (LAN) or wireless LAN interface, the DirectAccess client attempts to use 6to4 to encapsulate IPv6 traffic sent to the DirectAccess server.

If the DirectAccess server is on the IPv4 Internet (the DirectAccess tunnel endpoints are 6to4 addresses that have the form 2002:WWXX:YYZZ::WWXX:YYZZ, where WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z, a public IPv4 address), the DirectAccess client encapsulates IPv6 traffic directly to the DirectAccess server. If the DirectAccess server is only on the IPv6 Internet (the DirectAccess tunnel endpoints are not 6to4 addresses), the DirectAccess client encapsulates IPv6 traffic and sends it to a 6to4 relay. The 6to4 relay then forwards the native IPv6 traffic across the IPv6 Internet to the DirectAccess server.

On the IPv4 Internet, there must be a routing path between the DirectAccess client and server that allows IPv4 protocol 41 traffic. If the traffic is also traveling on the IPv6 Internet, there must be a routing path between the DirectAccess client and server that allows the following types of traffic:

  • Internet Control Message Protocol for IPv6 (ICMPv6) (IPv6 Next Header value of 58)

  • Internet Key Exchange (IKE)/Authenticating Internet Protocol (AuthIP) (User Datagram Protocol [UDP] ports 500 and 4500)

  • Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) (IPv6 Next Header value of 50)

Note

6to4 addresses can also take the form 2002:WWXX:YYZZ:SubnetID:InterfaceID. In this form, 6to4 is being used to generate a 48-bit global IPv6 address prefix based on a public IPv4 address (w.x.y.z). When 6to4 is used this way, hosts use the 6to4-derived address prefix for native IPv6 addressing and the 6to4-based address is assigned to a LAN interface, not the Tunnel Adapter 6TO4 Adapter. This type of 6to4-based addressing can be used on an intranet or used for native IPv6 addressing of a single-subnet home or small office network, in which the local Internet router is providing 6to4 router functionality.

To verify 6to4 functionality and configuration on a DirectAccess client

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first or second bit from the right in the binary number is 1, DisabledComponents has disabled 6to4. You must change the first and second bit from the right to 0 to enable 6to4.

  3. From the Command Prompt window, run the reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v 6to4_RouterName command.

    This command should display the first consecutive public IPv4 address of the DirectAccess server’s Internet interface.

  4. From the Command Prompt window, run the netsh interface 6to4 show relay command.

    This command should display the first consecutive public IPv4 address of the DirectAccess server’s Internet interface in Relay Name.

  5. From the Command Prompt window, run the netsh interface 6to4 show state command.

    This command should display default or enabled in 6to4 Service State.

    The 6to4 service state should not show disabled. A value of disabled means that the DirectAccess client will never bring up a 6to4 interface. A value of default means that the DirectAccess client will bring up a 6to4 interface if it does not have a global IPv6 address assigned already and it has a public IPv4 address. A value of enabled means that the DirectAccess client will bring up a 6to4 interface whenever it has a public IPv4 address assigned.

  6. From the Command Prompt window, run the netsh –c advfirewall command.

  7. From the netsh advfirewall prompt, run the set store gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}” command.

  8. From the netsh advfirewall prompt, run the consec show rule name=”DirectAccess Policy-ClientToDnsDc” command.

  9. From the netsh advfirewall prompt, run the exit command.

  10. From the Command Prompt window, note the IPv6 address in RemoteTunnelEndpoint from the display in step 8.

  11. From the Command Prompt window, run the route print command.

    The IPv6 route table should have ::/0 route with the Gateway address set to the IPv6 address in step 8. The IPv6 route table should also have 2002::/16 route with the Gateway address set to On-link.

To verify 6to4 functionality and configuration on the DirectAccess server

  1. On the DirectAccess server, start a command prompt as an administrator.

  2. From the Command Prompt window, run the ipconfig command.

    This command should display a interface named Tunnel adapter 6TO4 Adapter that has the Domain Name System (DNS) suffix configured on the Internet interface and with two IPv6 addresses of the form 2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the two consecutive public IPv4 addresses assigned to the Internet interface.

  3. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first or second bit from the right in the binary number is 1, DisabledComponents has disabled 6to4. You must change the first and second bit from the right to 0 to enable 6to4.

  4. From the Command Prompt window, run the netsh interface 6to4 show state command.

    This command should display enabled in 6to4 Service State. The 6to4 service state should not show disabled. A value of disabled means that the DirectAccess server will never bring up a 6to4 interface. A value of default means that the DirectAccess server will bring up a 6to4 interface if it does not have a global IPv6 address assigned already and it has a public IPv4 address. A value of enabled means that the DirectAccess server will bring up a 6to4 interface whenever it has a public IPv4 address assigned.

  5. From the Command Prompt window, run the route print command.

    The IPv6 route table should have 2002::/16 route with the interface index of the Microsoft 6to4 Adapter and the Gateway address set to On-link.

To troubleshoot connectivity from a 6to4-based DirectAccess client on the IPv4 Internet to the DirectAccess server

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh interface 6to4 show relay command.

    This command should display the first consecutive public IPv4 address of the DirectAccess server’s Internet interface in Relay Name.

  3. From the Command Prompt window, ping the IPv4 address from step 2.

    This step ensures that the DirectAccess client can reach the first public IPv4 address of the DirectAccess server.

  4. From the Command Prompt window, ping the next consecutive IPv4 address from step 2.

    This step ensures that the DirectAccess can reach the second public IPv4 address of the DirectAccess server.

  5. From the Command Prompt window, run the netsh –c advfirewall command.

  6. From the netsh advfirewall prompt, run the set store gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}” command.

  7. From the netsh advfirewall prompt, run the consec show rule name=”DirectAccess Policy-ClientToDnsDc” command.

  8. From the netsh advfirewall prompt, run the consec show rule name=”DirectAccess Policy-ClientToCorp” command.

  9. From the netsh advfirewall prompt, run the exit command.

  10. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 7. This is the IPv6 address of the DirectAccess server for the infrastructure tunnel.

    If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the tracert –d IPv6Address command to trace the route to the destination.

  11. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 8. This is the IPv6 address of the DirectAccess server for the intranet tunnel.

    If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the tracert –d IPv6Address command to trace the route to the destination.