Why are both the Teredo and IP-HTTPS Interfaces Active?

 imageA common question I see on the message boards and in conversations with our DirectAccess customers relates to the IPv6 transition technology interfaces that are active on the DirectAccess client at any point in time. Most often, the question comes up about why both the Teredo and IP-HTTPS interfaces are active at the same time. And when they are both active, which one is actually being used to transfer information between the DirectAccess client and UAG DirectAccess server?

I wondered the same thing for a long time – but the answer was available in the TechNet library and I didn’t even know it. The following is from the TechNet entry DirectAccess Client Connection is Slow which you can find at https://technet.microsoft.com/en-us/library/ee844161(WS.10).aspx :

“The DirectAccess client needs to determine which of these two transition technologies to use. IP-HTTPS and Teredo both attempt qualification of their interface state at the same time. If the Teredo interface is qualified, the IP-HTTPS client waits in an offline state for a computed delay for the DirectAccess client to detect corporate connectivity. The computed delay is either ten seconds or a network delay larger than ten seconds based on the round trip time of TCP packets from the client to the public IPv4 address of the DirectAccess server. If the DirectAccess client detects corporate connectivity within this network delay, the IP-HTTPS client will remain in an offline state. If the DirectAccess client does not detect corporate connectivity within this network delay, the IP-HTTPS client will attempt to qualify again.

Using IP-HTTPS for DirectAccess connectivity has higher overhead and lower performance than Teredo. If the DirectAccess client is using IP-HTTPS instead of Teredo, the DirectAccess client will have a lower performance connection.

However, due to network timing issues, it is possible for the DirectAccess client to have both Teredo and IP-HTTPS interfaces active, but use only the IP-HTTPS interface for traffic to the intranet. This condition occurs when the DirectAccess client takes more than the computed delay for the DirectAccess client to determine corporate connectivity over the Teredo interface. To test for this condition, run the ipconfig command at a command prompt. If you have global addresses on both the Teredo and IP-HTTPS tunnel interfaces, this condition has occurred.”

So there you have it. The Teredo and IP-HTTPS interfaces will both come up if corporate connectivity isn’t detected within the specified time interval. And when you see both interfaces active, it’s the IP-HTTPS adapter that’s passing the traffic.

For more information about Corporate Connectivity checking, see:

https://technet.microsoft.com/en-us/library/ee382273(WS.10).aspx

https://blogs.technet.com/b/edgeaccessblog/archive/2010/05/09/the-mystery-of-the-ip-https-listener-an-outlook-client-and-an-ipv4-only-network.aspx

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Microsoft DAIP iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder

Comments

  • Anonymous
    April 29, 2013
    nice article, now it would be good to say how to avoid this. Teredo outperforms IPHTTPS so there should be a fix which will prevent this to happen. If its possible to use Teredo it must be used.