Cannot Reach the DirectAccess Server with Teredo

Updated: April 5, 2010

Applies To: Windows Server 2008 R2

If the DirectAccess client is on the Internet Protocol version 4 (IPv4) Internet, is not on the Internet Protocol version 6 (IPv6) Internet, and has a private IPv4 address assigned to a local area network (LAN) interface, the DirectAccess client attempts to use Teredo to encapsulate IPv6 traffic sent to the DirectAccess server.

If the DirectAccess server is on the IPv4 Internet (the DirectAccess tunnel endpoints are 6to4 addresses that have the form 2002:WWXX:YYZZ::WWXX:YYZZ, where WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z, a public IPv4 address), the DirectAccess client encapsulates IPv6 traffic directly to the DirectAccess server. If the DirectAccess server is only on the IPv6 Internet (the DirectAccess tunnel endpoints are not 6to4 addresses), the DirectAccess client encapsulates IPv6 traffic and sends it to a Teredo relay. The Teredo relay then forwards the native IPv6 traffic across the IPv6 Internet to the DirectAccess server.
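The 6to4 mapping described above can be checked mechanically. The following PowerShell functions are an added example and are not part of this topic or of the DirectAccess product code; the function names are my own, and 192.0.2.1 is a constructed documentation address, not a real DirectAccess server. The first function builds the 2002:WWXX:YYZZ::WWXX:YYZZ endpoint form from a public IPv4 address; the second recovers the embedded IPv4 address from any 6to4 address, which is a quick way to decide whether a tunnel endpoint reported by the client is 6to4.

```powershell
# Added example, not from the original topic. Function names are my own.

function ConvertTo-6to4Address {
    # Builds 2002:WWXX:YYZZ::WWXX:YYZZ from w.x.y.z, where WWXX:YYZZ is the
    # colon-hexadecimal form of the four octets.
    param([Parameter(Mandatory=$true)][string]$IPv4Address)

    $octets = $IPv4Address.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted-decimal IPv4 address: $IPv4Address" }
    $bytes = foreach ($o in $octets) { [byte]$o }      # [byte] cast rejects values over 255

    $wwxx = '{0:x2}{1:x2}' -f $bytes[0], $bytes[1]
    $yyzz = '{0:x2}{1:x2}' -f $bytes[2], $bytes[3]
    return "2002:${wwxx}:${yyzz}::${wwxx}:${yyzz}"
}

function Get-6to4EmbeddedIPv4 {
    # Returns the IPv4 address embedded in a 6to4 address, or $null when the
    # address is not 6to4 (for example a 2001:: Teredo address).
    param([Parameter(Mandatory=$true)][string]$IPv6Address)

    # The .NET parser normalises compressed and zero-padded forms alike.
    $ip = [System.Net.IPAddress]::Parse($IPv6Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $IPv6Address"
    }
    $b = $ip.GetAddressBytes()                        # 16 bytes, network order
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x02) { return $null }
    return ('{0}.{1}.{2}.{3}' -f $b[2], $b[3], $b[4], $b[5])
}

# Usage with a constructed (documentation-range) address:
ConvertTo-6to4Address -IPv4Address '192.0.2.1'               # 2002:c000:0201::c000:0201
Get-6to4EmbeddedIPv4 -IPv6Address '2002:c000:201::c000:201'  # 192.0.2.1
Get-6to4EmbeddedIPv4 -IPv6Address '2001:0:c000:201::1'       # nothing: Teredo, not 6to4
```

If the server's tunnel endpoints do not come out of Get-6to4EmbeddedIPv4 as its public IPv4 address, the server is reached over the IPv6 Internet through a Teredo relay, and the ICMPv6, IKE/AuthIP and ESP paths listed below must also be open.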

On the IPv4 Internet, there must be a routing path between the DirectAccess client and server that allows User Datagram Protocol (UDP) destination port 3544 traffic for Teredo-encapsulated traffic to the DirectAccess server and UDP source port 3544 traffic for Teredo-encapsulated traffic from the DirectAccess server.

If the traffic is also traveling on the IPv6 Internet, there must be a routing path between the DirectAccess client and server that allows the following types of traffic:

  • Internet Control Message Protocol for IPv6 (ICMPv6) (IPv6 Next Header value of 58)

  • Internet Key Exchange (IKE)/Authenticating Internet Protocol (AuthIP) (User Datagram Protocol [UDP] ports 500 and 4500)

  • Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) (IPv6 Next Header value of 50)

To verify Teredo functionality and configuration on a DirectAccess client

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the ipconfig command.

    You should see a Tunnel adapter Teredo Tunneling Pseudo-Interface with an IPv6 address that begins with 2001. If you do not, go to step 3.

  3. From the Command Prompt window, run the route print command.

    The IPv6 route table should have a ::/0 route with the interface index of the Microsoft Teredo Tunnel Adapter and the Gateway address set to On-link. If it does, see “To verify Teredo functionality and configuration on the DirectAccess server” in this topic.

  4. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first or fourth bit from the right in the binary number is 1, DisabledComponents has disabled Teredo. You must change the first and fourth bit from the right to 0 to enable Teredo.

  5. From the Command Prompt window, run the reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v Teredo_ServerName command.

    This command should display the first consecutive public IPv4 address of the DirectAccess server’s Internet interface. If there is no IPv4 address, your DirectAccess client has not been properly configured with the Group Policy settings for DirectAccess clients.

  6. From the Command Prompt window, run the netsh interface teredo show state command.

    This command should display enterpriseclient or client in Type and the first consecutive public IPv4 address of the DirectAccess server’s Internet interface in Server Name. See the following table for information about the Teredo client state.

Teredo state   Description
-------------  -----------------------------------------------------------------------------------------------------
qualified      The Teredo tunnel interface has completed its negotiation with the Teredo server and has been used recently.
dormant        The Teredo tunnel interface has completed its negotiation with the Teredo server but has not been used recently.
probe          The Teredo tunnel interface has completed its negotiation with the Teredo server.
offline        An error or other condition has occurred and the Teredo interface is not active.

If the Teredo state is offline and the error state is Teredo server is unreachable over UDP, UDP port 3544 traffic may be blocked somewhere between the DirectAccess client and the DirectAccess server due to the following:

  • A third-party host firewall that is running on the DirectAccess client.

  • An intermediate router or network firewall between the DirectAccess client and the DirectAccess server. It is a common practice in organizations to block unexpected UDP traffic with their Internet firewalls.

Another possibility is that the DirectAccess server is not available. See “To troubleshoot connectivity from a Teredo-based DirectAccess client on the IPv4 Internet to the DirectAccess server” in this topic.

If the Teredo state is offline and the error state is Client is in a managed network, the DirectAccess client has detected a local Active Directory domain. In this case, the Teredo client will not bring up the Teredo tunnel adapter unless the Teredo client has been configured as an enterprise client. You can view the Teredo client type from the netsh interface teredo show state command. If it is set to client, a reachable domain controller will prevent Teredo from becoming active. If it is set to enterpriseclient, Teredo will be active even when a domain controller is reachable. You can change a Teredo client from client to enterpriseclient with the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State setting of the Group Policy object for DirectAccess clients, or for an individual DirectAccess client with the netsh interface teredo set state enterpriseclient command.
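The registry and netsh checks in steps 4 through 6 above can be run as one script. The following PowerShell code is an added example, not part of this topic or of DirectAccess itself; the function names are my own. It uses the registry paths and the Type, State and Server Name labels this topic cites, and the same DisabledComponents bit test applies to the server procedure later in this topic. The assumption that netsh reports the offline reason on a line labelled Error is mine; adjust the label if your netsh output differs.

```powershell
# Added example, not from the original topic. PowerShell 2.0 syntax so it runs
# on Windows 7 / Windows Server 2008 R2. Function names are my own.

function Test-TeredoDisabledByRegistry {
    # Step 4: bit 0 (first from the right) or bit 3 (fourth from the right)
    # of DisabledComponents set means Teredo has been disabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'
    $item = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $false }             # value absent: nothing disabled
    $value = [int64]$item.DisabledComponents           # int64 keeps 0xFFFFFFFF (read as -1) intact
    return ((($value -band 0x1) -ne 0) -or (($value -band 0x8) -ne 0))
}

function Get-TeredoPolicyServerName {
    # Step 5: written by the DirectAccess client GPO; missing means the GPO did not apply.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
    $item = Get-ItemProperty -Path $key -Name Teredo_ServerName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.Teredo_ServerName
}

function Get-TeredoState {
    # Step 6: turn the "Label : value" lines of "netsh interface teredo show state"
    # into a hashtable. Lines without a colon (title, underline) are skipped.
    $state = @{}
    foreach ($line in (netsh interface teredo show state)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

function Test-TeredoClientConfiguration {
    $findings = @()
    if (Test-TeredoDisabledByRegistry) {
        $findings += 'DisabledComponents bit 0 or bit 3 is set: Teredo is disabled in the registry (step 4).'
    }
    if (-not (Get-TeredoPolicyServerName)) {
        $findings += 'Teredo_ServerName policy value is missing: DirectAccess client GPO not applied (step 5).'
    }
    $state = Get-TeredoState
    if ($state['Type'] -notmatch '^(enterpriseclient|client)$') {
        $findings += "Teredo Type is '$($state['Type'])'; expected client or enterpriseclient (step 6)."
    }
    if ($state['State'] -eq 'offline') {
        $reason = $state['Error']                      # assumed label for the offline reason
        if ($reason -match 'unreachable over UDP') {
            $findings += 'Teredo offline: UDP 3544 blocked (host or edge firewall) or the server is unavailable.'
        } elseif ($reason -match 'managed network') {
            $findings += 'Teredo offline: a domain controller is reachable and Type is client; set Type to enterpriseclient.'
        } else {
            $findings += "Teredo offline: $reason"
        }
    }
    if ($findings.Count -eq 0) { $findings += 'No Teredo client configuration problems detected.' }
    return $findings
}

Test-TeredoClientConfiguration
```

Run it from an elevated PowerShell prompt on the DirectAccess client; each finding names the step of the procedure above that it corresponds to, so the manual steps can be followed from there.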

To verify Teredo functionality and configuration on the DirectAccess server

  1. On the DirectAccess server, start a command prompt as an administrator.

  2. From the Command Prompt window, run the route print command.

    The IPv6 route table should have a 2001::/32 route with the interface index of the Teredo Tunneling Pseudo-Interface and the Gateway address set to On-link.

  3. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first or fourth bit from the right in the binary number is 1, DisabledComponents has disabled Teredo. You must change the first and fourth bit from the right to 0 to enable Teredo.

  4. From the Command Prompt window, run the netsh interface teredo show state command.

    This command should display server in Type and online in State.

  5. From the Command Prompt window, run the netsh interface ipv6 show global command.

    Note the number in the Neighbor Cache Limit field, which by default is 256.

  6. From the Command Prompt window, run the netsh interface ipv6 show neighbors command.

    Count the number of neighbor cache entries for the interface named Teredo Tunneling Pseudo-Interface. If there are a large number of them, run the netsh interface ipv6 show neighbors > neighbors.txt command, open the Neighbors.txt file in a word processor or text editor that supports the display of line numbers, then delete all the lines except for the neighbor cache entries for the Teredo Tunneling Pseudo-Interface. If the number of entries in the neighbor cache is comparable to the value of the Neighbor Cache Limit field, you might have run out of space to store neighbor cache entries for additional Teredo-based DirectAccess clients. To increase the number of entries allowed in the neighbor cache, run the netsh interface ipv6 set global neighborcachelimit=Maximum command, in which Maximum is the maximum number of expected Teredo-based DirectAccess clients.
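Instead of counting lines in a text editor, steps 5 and 6 can be scripted. The following PowerShell code is an added example, not part of this topic or of DirectAccess; the function names and the sample netsh output are my own constructions, while the interface name and the Neighbor Cache Limit label are the ones this topic cites. The parser is exercised first on the constructed sample (expected count 3) and then on the live server.

```powershell
# Added example, not from the original topic. Function names are my own.

function Get-IPv6NeighborCacheLimit {
    # Step 5: the "Neighbor Cache Limit : N entries per interface" line.
    foreach ($line in (netsh interface ipv6 show global)) {
        if ($line -match 'Neighbor Cache Limit\s*:\s*(\d+)') { return [int]$matches[1] }
    }
    throw 'Neighbor Cache Limit not found in "netsh interface ipv6 show global" output.'
}

function Get-TeredoNeighborCount {
    # Step 6: count the rows under "Interface N: Teredo Tunneling Pseudo-Interface".
    # A row starts with an IPv6 address; the column header and ruler do not.
    param([string[]]$NeighborOutput)
    if (-not $NeighborOutput) { $NeighborOutput = netsh interface ipv6 show neighbors }
    $inTeredo = $false
    $count = 0
    foreach ($line in $NeighborOutput) {
        if ($line -match '^Interface \d+:\s*(.+?)\s*$') {
            $inTeredo = ($matches[1] -eq 'Teredo Tunneling Pseudo-Interface')
        } elseif ($inTeredo -and $line -match '^[0-9a-fA-F]{1,4}:[0-9a-fA-F:.]*\s') {
            $count++
        }
    }
    return $count
}

function Test-TeredoNeighborCacheHeadroom {
    param([int]$WarnAtPercent = 80)
    $limit = Get-IPv6NeighborCacheLimit
    $count = Get-TeredoNeighborCount
    $pct   = [int][math]::Round(100.0 * $count / $limit)
    $msg   = "Teredo neighbor cache: $count of $limit entries in use ($pct%)."
    if ($pct -ge $WarnAtPercent) {
        $msg += ' Raise the limit to the expected number of Teredo clients: netsh interface ipv6 set global neighborcachelimit=Maximum'
    }
    return $msg
}

# Constructed sample (not real output) so the parser can be checked offline:
$sampleNeighbors = @'
Interface 1: Loopback Pseudo-Interface 1

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::16                                                         Permanent

Interface 14: Teredo Tunneling Pseudo-Interface

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2001:0:c000:201:1c1c:3fff:3fff:fdfe                              Stale
2001:0:c000:201:2c2c:3fff:3fff:fdfd                              Reachable
ff02::2                                                          Permanent
'@ -split "`r?`n"

Get-TeredoNeighborCount -NeighborOutput $sampleNeighbors   # 3 (only the Teredo section is counted)
Test-TeredoNeighborCacheHeadroom                           # live check on this server
```

The default warning threshold of 80 percent is my own choice; the topic only says that a count comparable to the limit indicates that the cache may be full.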

To troubleshoot connectivity from a Teredo-based DirectAccess client on the IPv4 Internet to the DirectAccess server

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh interface teredo show state command.

    This command should display the first consecutive public IPv4 address of the DirectAccess server’s Internet interface in Server Name.

  3. From the Command Prompt window, ping the IPv4 address from step 2. If there is a name in Server Name instead of an address, ping the name and ensure that it resolves to the first consecutive public IPv4 address of the DirectAccess server’s Internet interface.

    This step ensures that the DirectAccess client can reach the first public IPv4 address of the DirectAccess server.

  4. From the Command Prompt window, ping the next consecutive IPv4 address from step 2.

    This step ensures that the DirectAccess client can reach the second public IPv4 address of the DirectAccess server.

  5. From the Command Prompt window, run the netsh -c advfirewall command.

  6. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command.

  7. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToDnsDc" command.

  8. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToCorp" command.

  9. From the netsh advfirewall prompt, run the exit command.

  10. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 7. This is the IPv6 address of the DirectAccess server for the infrastructure tunnel.

    If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the tracert -d IPv6Address command to trace the route to the destination.

  11. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 8. This is the IPv6 address of the DirectAccess server for the intranet tunnel.

    If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the tracert -d IPv6Address command to trace the route to the destination.

  12. If the DirectAccess client cannot connect to an intranet resource using a specific application, use the Windows Firewall with Advanced Security snap-in on the DirectAccess client to determine if there is an inbound rule for the application’s traffic. If there is, right-click the rule, click the Advanced tab, then check the Edge traversal setting. If it is set to Block edge traversal, change the setting to the appropriate level for the application.
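Steps 2 through 11 of this procedure can be run as a single script from the DirectAccess client. The following PowerShell code is an added example, not part of this topic or of DirectAccess; the function names are my own. It reuses the GPO store name and the two rule names this topic gives (DomainName must be replaced with your domain), reads the RemoteTunnelEndpoint line from the consec show rule output, and pings each address with ping.exe so that it works on Windows 7 / Windows Server 2008 R2. Driving netsh advfirewall through its standard input is my approach for keeping set store and consec show rule in one session.

```powershell
# Added example, not from the original topic. Function names are my own.

function Test-PingReachable {
    # ping.exe also exits 0 for "Destination host unreachable" replies, so
    # look for an echo reply that carries a round-trip time instead.
    param([Parameter(Mandatory=$true)][string]$Address)
    $out = ping -n 2 $Address
    return [bool]($out | Where-Object { $_ -match '^Reply from .*time[=<]\d' })
}

function Get-TeredoServerName {
    # Step 2: the Server Name line of "netsh interface teredo show state".
    foreach ($line in (netsh interface teredo show state)) {
        if ($line -match '^\s*Server Name\s*:\s*(.+?)\.?\s*$') { return $matches[1] }
    }
    return $null
}

function Get-NextIPv4Address {
    # Step 4: the server's two public addresses are consecutive, so add one.
    param([Parameter(Mandatory=$true)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes(); [Array]::Reverse($b)      # network to host order
    $n = [uint32]([BitConverter]::ToUInt32($b, 0) + 1)
    $o = [BitConverter]::GetBytes($n); [Array]::Reverse($o)
    return New-Object System.Net.IPAddress -ArgumentList (,$o)
}

function Get-ConsecRemoteTunnelEndpoint {
    # Steps 5 to 9 in one non-interactive netsh session: "set store" only
    # affects later commands of the same session, hence one stdin script.
    param([Parameter(Mandatory=$true)][string]$GpoStore,
          [Parameter(Mandatory=$true)][string]$RuleName)
    $cmds = @("set store gpo=`"$GpoStore`"", "consec show rule name=`"$RuleName`"", 'exit')
    foreach ($line in ($cmds | netsh -c advfirewall)) {
        if ($line -match '^\s*RemoteTunnelEndpoint:\s*(\S+)') { return $matches[1] }
    }
    return $null
}

function Test-TeredoDirectAccessPath {
    param([Parameter(Mandatory=$true)][string]$GpoStore)
    $report = @()

    # Steps 2 to 4: both public IPv4 addresses of the server's Internet interface.
    $name = Get-TeredoServerName
    $ipv4 = [System.Net.IPAddress]$null
    if ($name -and -not [System.Net.IPAddress]::TryParse($name, [ref]$ipv4)) {
        $ipv4 = [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    }
    if (-not $ipv4) { return @('Teredo Server Name is missing or does not resolve to an IPv4 address (step 2).') }
    foreach ($addr in @($ipv4, (Get-NextIPv4Address $ipv4))) {
        $report += "IPv4 $addr reachable: $(Test-PingReachable $addr.ToString())"
    }

    # Steps 7, 8, 10 and 11: the server-side endpoint of each IPsec tunnel.
    foreach ($rule in 'DirectAccess Policy-ClientToDnsDc', 'DirectAccess Policy-ClientToCorp') {
        $ep = Get-ConsecRemoteTunnelEndpoint -GpoStore $GpoStore -RuleName $rule
        if (-not $ep) { $report += "${rule}: no RemoteTunnelEndpoint found (check the GPO store name)"; continue }
        $ok     = Test-PingReachable $ep
        $is6to4 = $ep -match '^2002:'
        $report += "${rule} endpoint $ep (6to4: $is6to4) reachable: $ok"
        if (-not $ok -and -not $is6to4) { $report += "  next step: tracert -d $ep" }
    }
    return $report
}

# Usage: replace DomainName with your domain, as in step 6 above.
Test-TeredoDirectAccessPath -GpoStore 'DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}'
```

Each report line maps to a step of the procedure: an unreachable IPv4 address points at the UDP 3544 path or the server itself, while an unreachable endpoint that is not 6to4 means the IPv6 Internet leg through the Teredo relay needs tracing, exactly as steps 10 and 11 describe.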