The “Edge Man” Tom Shinder discusses an interesting issue in his blog post on using ping to troubleshoot DirectAccess connections.
It had been my impression that if I could ping the UAG DirectAccess server and hosts behind the UAG DirectAccess server then everything was good in terms of the DirectAccess connectivity situation. However, what I learned from this article is that ping is only half of the story.
When you can ping the UAG DirectAccess server and resources behind it, it tells you that the IPv6 transition technologies are working fine and that routing for the IPv6 transition technologies is also working.
However, it doesn’t tell you anything about whether or not the DirectAccess tunnels are connected, since ICMP is exempt from IPsec protection. And since the infrastructure and intranet tunnels are IPsec tunnels, ping doesn’t provide any information about these.
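One way to check both halves from a DirectAccess client, as an added example that is not taken from Tom's article or from this post. It assumes a Windows 8 or later client with the NetSecurity cmdlets and an elevated PowerShell session, and the target name is a placeholder.

```powershell
# Added example; $Target is a placeholder, not a value from the article.
param(
    [string]$Target = '<intranet-host-or-IPv6-address>'
)

# Step 1: ICMP reachability. Success only shows that the IPv6 transition
# technology and its routing work, because ICMP is exempt from IPsec.
$pingOk = Test-Connection -ComputerName $Target -Count 2 -Quiet

# Step 2: look for negotiated IPsec security associations (SAs).
# SAs are negotiated when matching traffic is sent, so open an intranet
# resource (not just a ping) before running this.
# Windows 7 equivalents: netsh advfirewall monitor show mmsa / show qmsa
$mainMode  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
$quickMode = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)

# Step 3: combine the two observations into one verdict.
if (-not $pingOk) {
    $verdict = 'Ping failed: look at the IPv6 transition technology and routing first.'
} elseif ($mainMode.Count -eq 0 -or $quickMode.Count -eq 0) {
    $verdict = 'Ping works but IPsec SAs are missing: transition and routing are fine, the tunnels are not established.'
} else {
    $verdict = 'Ping works and IPsec SAs exist: review them to confirm they belong to the DirectAccess tunnels.'
}

[pscustomobject]@{
    Target       = $Target
    PingOk       = $pingOk
    MainModeSAs  = $mainMode.Count
    QuickModeSAs = $quickMode.Count
    Verdict      = $verdict
}

# Show the SA details so the endpoints can be compared by eye.
$mainMode  | Format-List *
$quickMode | Format-List *
```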
Make sure to check out Tom’s article on this subject over at:
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)