Forum Discussion
IPHTTPS with DirectAccess Not working with F5
I am helping a client implement DirectAccess 2012 using IPHTTPS as the Protocol. The setup is
ISP Firewall----Client Firewall------F5 (Big IP) ----DA Servers---Internal Network.
The ISP is doing 1-1 NAT for the Public IP Addresses to the Client’s Firewall to an internal range. Then the traffic is forwarded to the F5 and then DA. The setup works fine when using DA with a single Server configuration. I can connect and access internal resources but when I enable External Load Balancer with a standard SSL Forwarding to the DA, the setup never works. I am NOT terminating the SSL on F5.
The Servers are pointing to the internal IP of F5 as DG. Also, one thing that I am confused about is where to use the VIP which is created at the time of the DA ELB Wizard. I have four Servers with 10.20.4.41, 42, 43, 44 and when I run the Load Balancing Wizard, it upgrades the 41 IP as VIP and I have to use 45 as the DIP, but F5 only requires the Self IP and no VIP. Where exactly do I use this IP which is on the same Network as the DA Server’s external Interface? I am using the Performance L4 profile on the F5.
12 Replies
Hi Amit,
I have encountered some problems when switching from single server to load balancing and back. Please check the following settings and make sure the DNS64 setup is complete after running the load balancing wizard.
Run the following in the command prompt: netsh int ipv6 dump. Take note of the IPv6 address on the "Loopback Pseudo-Interface 1". This should be the IPv6 internal VIP configured during setup.
Run the following powershell command: get-NetDnsTransitionConfiguration. Make sure the output contains the following: AcceptInterface : {Loopback Pseudo-Interface 1}
Check the local firewall on the server and make sure that DNS requests are allowed to the internal IPv6 VIP address that you got from the netsh dump under the Loopback Pseudo-Interface 1.
F5 only needs to host the VIP that you configure clients to connect to. (External DNS name you configure during DA setup or config).
I presume the DA servers have their external interface configured with the DG to the F5 ? Do you use SNAT on the virtual server ?
Kind regards,
Martijn
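The three checks in the reply above (loopback VIP, DNS64 AcceptInterface, local firewall) collected into one PowerShell verification script. This is an added example, not code from the thread, from Microsoft or from F5; it assumes the internal IPv6 VIP is passed in as $ExpectedVip (taken from the netsh dump) and that the relevant firewall rule is an inbound allow rule for port 53.

```powershell
# Added example: verify the DNS64 / load-balancing state on one DA server.
# Assumption: $ExpectedVip is the internal IPv6 VIP assigned by the LB wizard.
param(
    [Parameter(Mandatory = $true)][string]$ExpectedVip
)

$loopback = 'Loopback Pseudo-Interface 1'
$ok = $true

# 1. The internal IPv6 VIP must be bound to the loopback pseudo-interface.
$loopbackAddrs = Get-NetIPAddress -InterfaceAlias $loopback -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty IPAddress
if ($loopbackAddrs -contains $ExpectedVip) {
    Write-Output "[OK]   $loopback holds $ExpectedVip"
} else {
    Write-Output "[FAIL] $loopback has: $($loopbackAddrs -join ', ') (expected $ExpectedVip)"
    $ok = $false
}

# 2. DNS64 must be enabled and must accept queries on the loopback pseudo-interface.
$dns64 = Get-NetDnsTransitionConfiguration
if ($dns64.State -eq 'Enabled' -and $dns64.AcceptInterface -contains $loopback) {
    Write-Output "[OK]   DNS64 enabled, AcceptInterface includes $loopback"
} else {
    Write-Output "[FAIL] DNS64 State=$($dns64.State) AcceptInterface=$($dns64.AcceptInterface -join ', ')"
    $ok = $false
}

# 3. An enabled inbound allow rule for local port 53 must cover the VIP (or 'Any').
#    Rules written as port ranges are not matched by this simple check.
$dnsRules = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains '53' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$covered = $dnsRules | Where-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).LocalAddress
    ($addr -contains 'Any') -or ($addr -contains $ExpectedVip)
}
if ($covered) {
    Write-Output "[OK]   DNS to $ExpectedVip allowed by: $($covered.DisplayName -join '; ')"
} else {
    Write-Output "[FAIL] no enabled inbound allow rule for port 53 covers $ExpectedVip"
    $ok = $false
}

if (-not $ok) { exit 1 }
```

Run it on each DA server after the load balancing wizard; a non-zero exit code means one of the three conditions from the reply is not met on that node.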
- Amit_Bhatnagar_
Nimbostratus
Thank you for the response! Here is the Output...I could not find out what is mentioned in your Post. Can you please check?
---------------------------------- IPv6 Configuration ----------------------------------
pushd interface ipv6
reset
set global groupforwardedfragments=disabled
add route prefix=fd37:3bf2:a48c:1::/64 interface="isatap.{74A133D5-B0FC-4D28-A5E9-D847384C2E58}" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6:1::/64 interface="isatap.{CF3F733D-4E37-4E79-A80D-12041AA27A41}" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6:1000::/64 interface="IPHTTPSInterface" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6::/48 interface="BE-PROD (DMZ-L3)" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6:7777::/96 interface="BE-PROD (DMZ-L3)" nexthop=:: publish=Yes
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="isatap.{74A133D5-B0FC-4D28-A5E9-D847384C2E58}" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled advertisedefaultroute=enabled
set interface interface="Teredo Tunneling Pseudo-Interface" forwarding=enabled advertise=enabled mtu=1280 nud=enabled ignoredefaultroutes=disabled
set interface interface="BE-PROD (DMZ-L3)" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="isatap.{CF3F733D-4E37-4E79-A80D-12041AA27A41}" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled advertisedefaultroute=enabled
set interface interface="DMZ-L2" forwarding=disabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Loopback Pseudo-Interface 1" forwarding=enabled advertise=disabled metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled ecncapability=ecndisabled
set interface interface="6TO4 Adapter" forwarding=enabled advertise=disabled metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled ecncapability=ecndisabled
set interface interface="IPHTTPSInterface" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled advertisedefaultroute=disabled
add address interface="BE-PROD (DMZ-L3)" address=fd80:aea0:34a6:3333::1/128
add address interface="IPHTTPSInterface" address=fd80:aea0:34a6:1000::1/128
add address interface="IPHTTPSInterface" address=fd80:aea0:34a6:1000::2/128
popd
End of IPv6 configuration
---------------------------------- 6to4 Configuration ----------------------------------
pushd interface 6to4
reset
set state state=enabled
popd
End of 6to4 configuration
- Amit_Bhatnagar_
Nimbostratus
One more thing...I am using Hyper-V Setup here. Do I need to enable MAC Spoofing? I was under the impression that it is only required if we are using Windows NLB.
True Mac spoofing is not needed.
I see two strange things. 1. Teredo interfaces are being enabled. A setup with 2 interfaces behind an edge device normally skips this step, as Teredo only works with Public IPv4 addresses on the DA servers. 2. The pseudo network adapter is not getting an address assigned.
What is the output of the powershell command "get-NetDnsTransitionConfiguration" ?
Martijn
- Amit_Bhatnagar_
Nimbostratus
This is the Output. I also noticed one more thing: the following error on the second server in the NLB.
"The system detected an address conflict for IP address fd80:aea0:34a6:3333::1 with the system having network hardware address 00-15-5D-08-33-0B. Network operations on this system may be disrupted as a result."
State : Enabled
AcceptInterface : {Loopback Pseudo-Interface 1}
SendInterface : {BE-PROD (DMZ-L3)}
OnlySendAQuery : True
LatencyMilliseconds : 300
AlwaysSynthesize : False
ExclusionList : {0:0:0:0:0:ffff::/96}
PrefixMapping : {fd80:aea0:34a6:7777::/96,0.0.0.0/0}
Right,
So please break the load balancing. Then run GPupdate /force on the DA servers.
Then set the first server's IPv6 address on the internal interface to fd80:aea0:34a6:3333::1, the second server to fd80:aea0:34a6:3333::3, and the third and fourth to ::4 and ::5.
Run the enable load balancing wizard again on the server you assigned ::1 to.
Configure fd80:aea0:34a6:3333::1 as the VIP and set the DIP to fd80:aea0:34a6:3333::2. Make sure you define the IPHTTPS prefix as fd80:aea0:34a6:1000::/59 in the config.
Run Gpupdate /force again on all servers.
Check afterwards if the output of the netsh int ipv6 dump now shows fd80:aea0:34a6:3333::1 as the address on the Loopback Pseudo-Interface 1. Also check the local firewall rules on all servers to make sure the DNS rule allows traffic to fd80:aea0:34a6:3333::1.
Do not forget to run gpupdate /force on the DA servers after disabling the LB and again after enabling LB.
- Amit_Bhatnagar_
Nimbostratus
I understand all but this part: "Configure fd80:aea0:34a6:3333::1 as the VIP and set the dip to fd80:aea0:34a6:3333::2 Make sure you define the IPHTTPS prefix to fd80:aea0:34a6:1000::/59 prefix in the config". How do I do it manually?
I can put in the DIP, but how about the VIP? Also, the IPHTTPS prefix?
Thanks a ton for your help! :)
Configure the ::1 as the DIP on the first server (static IPv6 on the NIC). Then, when running the LB wizard, you will be asked to specify the new DIP. The ::1 will then automatically become the VIP. So as a DIP set ::2 while running the LB wizard; this address will be set on the NIC while the ::1 will automatically become the VIP and, if everything goes right, also the IP address for the 6to4 DNS server.
The IPHTTPS prefix is set in the DA config, in the remote access server part under prefixes, and then IPv6 prefixes assigned to DA clients.
- Amit_Bhatnagar_
Nimbostratus
In the wizard, it only asks for an IPv4 Address and not IPv6, so even if I can assign it in the TCP/IP Properties, I cannot set the VIP.
- Amit_Bhatnagar_
Nimbostratus
Ok...so Loopback Pseudo-Interface 1 is the problem...It is not getting the IP now on the third server. Two are working within NLB, so that is the good news. Windows8-RT-KB2859347-x64 is the key here, which is a Hotfix for this issue, although is there a way by which I can fix this issue without breaking NLB? I mean reset the adapters and then let the configuration Policy assign the correct IPs and all?
If not, then I will have to break the NLB anyway, which I am keeping as the last option.