Interesting situation indeed :-) As we all know, Microsoft DirectAccess uses IPsec over IPv6 (and potentially over Teredo or SSL-VPN if the host does not have native IPv6). So, if your DirectAccess head-end is dual-stack, it now receives IPsec packets over IPv6 rather than HTTPS or Teredo over IPv4, so firewall settings must be tuned for that.
Now, I am really puzzled by your sentence "his Comcast-installed router was handing our IPv6 addresses on his home LAN", is it a typo in 'our' rather than 'out'? It would be interesting to see the addresses/prefixes/routes of the failing DirectAccess client as well as which IPv6 address/prefix is used by DirectAccess for the normally functioning clients.

-éric

On 19/12/15 22:37, "ipv6-ops-bounces+evyncke=cisco....@lists.cluenet.de on behalf of Kurt Buff" <ipv6-ops-bounces+evyncke=cisco....@lists.cluenet.de on behalf of kurt.b...@gmail.com> wrote:

>All,
>
>I ran into an interesting situation some months ago which still
>baffles me, and though I was able to work around it, I expect it will
>happen again.
>
>We implemented MSFT DirectAccess at our company quite some time ago
>(using 2008R2 and Forefront 2010), and it works extremely well.
>
>At least it worked well for everyone until one of the employees got
>his Comcast connection upgraded, and then DirectAccess didn't work for
>that employee any more.
>
>We proved that if he tethered to his cell phone, that would work, and
>if he used an SSL VPN client while on his Comcast connect that would
>work, but DirectAccess would not work at home.
>
>Finally, I discovered that his Comcast-installed router was handing
>our IPv6 addresses on his home LAN. Turning that off enabled
>DirectAccess to work again.
>
>We do not have an assigned IPv6 block from our ISP, though of course
>MSFT OSes use it, and auto-assign themselves addresses, but for now
>we're ignoring it.
>
>Has anyone run into this problem and solved it - not by turning off
>IPv6 address assignment for the home LAN, but really solved it? If
>so, how did you do that?
>
>Would getting and implementing an IPv6 assignment from our ISP cure
>the problem, or make it worse?
>
>I've found little guidance from MSFT about DirectAccess in an IPv6
>environment, though I admit I haven't been terribly diligent in my
>searches.
>
>Kurt