Cannot Reach the DirectAccess Server from the IPv6 Internet

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

If the DirectAccess client is on the Internet Protocol version 6 (IPv6) Internet (it has been assigned a globally routable IPv6 address by the local Internet service provider), it can reach the DirectAccess server in the following ways:

  • If the DirectAccess server is also on the IPv6 Internet, the routing infrastructure of the IPv6 Internet forwards IPv6 traffic directly to the DirectAccess server (IPv6 reachability end-to-end).

  • If the DirectAccess server is on the Internet Protocol version 4 (IPv4) Internet and using 6to4, the routing infrastructure of the IPv6 Internet forwards the traffic to a 6to4 relay, which forwards the encapsulated IPv6 traffic across the IPv4 Internet to the DirectAccess server (IPv6 reachability from DirectAccess client to the 6to4 relay, IPv4-encapsulated IPv6 reachability from the 6to4 relay to the DirectAccess server).

In either case, there must be a routing path between the DirectAccess client and server that allows the following types of IPv6 traffic:

  • Internet Control Message Protocol for IPv6 (ICMPv6) (IPv6 Next Header value of 58)

  • Internet Key Exchange (IKE)/Authenticating Internet Protocol (AuthIP) (User Datagram Protocol [UDP] ports 500 and 4500)

  • Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) (IPv6 Next Header value of 50)

To verify that your DirectAccess server is on the IPv6 Internet, run the ipconfig command at a Command Prompt. There should be an IPv6 address assigned to your network adapter that starts with 2 or 3 (a global unicast address in 2000::/3) but is not based on the 2002::/16 (6to4) or 2001:0::/32 (Teredo) prefixes, because those indicate tunneled rather than native IPv6 connectivity.
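The following is an added example, not part of the original article, that automates the check just described: it parses ipconfig output (a constructed sample is embedded below) and reports which IPv6 addresses are native global unicast rather than 6to4, Teredo, or link-local. The ipconfig line layout it matches is assumed from typical Windows output.

```python
import ipaddress
import re

# Prefixes the article says do NOT count as native IPv6 Internet connectivity.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")    # 6to4 (IPv4-embedded)
TEREDO = ipaddress.IPv6Network("2001:0::/32")       # Teredo (NAT traversal)
# "Starts with 2 or 3" is exactly the IANA global unicast block 2000::/3.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify_ipv6(addr_text):
    """Return 'native-global', '6to4', 'teredo', or 'other' for one IPv6 address."""
    # Strip a Windows zone id such as fe80::1%11 before parsing.
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])
    if addr in SIX_TO_FOUR:          # must be tested before the 2000::/3 check
        return "6to4"
    if addr in TEREDO:
        return "teredo"
    if addr in GLOBAL_UNICAST:
        return "native-global"
    return "other"                   # link-local, ULA, loopback, etc.


# Matches "IPv6 Address. . . : <addr>", "Temporary IPv6 Address" and
# "Link-local IPv6 Address" lines (assumed ipconfig layout).
IPV6_LINE = re.compile(r"IPv6 Address[ .]*:\s*(\S+)")


def native_global_addresses(ipconfig_output):
    """Return the addresses in ipconfig output that put the host on the IPv6 Internet."""
    found = IPV6_LINE.findall(ipconfig_output)
    return [a for a in found if classify_ipv6(a) == "native-global"]


def on_ipv6_internet(ipconfig_output):
    return bool(native_global_addresses(ipconfig_output))


# Constructed sample: one native address, one 6to4, one Teredo, one link-local.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . . . . : 2001:db8:1::10
   Link-local IPv6 Address . . . . . : fe80::5efe:c0a8:101%11
Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:c633:6401::c633:6401
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:4136:e378:8000:63bf:3fff:fdd2
"""

if __name__ == "__main__":
    print(native_global_addresses(SAMPLE_IPCONFIG))  # ['2001:db8:1::10']
```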

To troubleshoot connectivity from a DirectAccess client on the IPv6 Internet to the DirectAccess server

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command.

  4. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToDnsDc" command.

  5. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToCorp" command.

  6. From the netsh advfirewall prompt, run the exit command.

  7. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 4. This is the IPv6 address of the DirectAccess server for the infrastructure tunnel.

    If you cannot reach this IPv6 address, use the tracert -d IPv6Address command to trace the route to the destination.

  8. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 5. This is the IPv6 address of the DirectAccess server for the intranet tunnel.

    If you cannot reach this IPv6 address, use the tracert -d IPv6Address command to trace the route to the destination.