DirectAccess – Route advertisement is disabled on the IP-HTTPS adapter

This is a fairly rare issue that I have only encountered a couple of times, but seemingly for no reason at all one of your DirectAccess servers that has been up and running for years may suddenly report an issue with the IP-HTTPS interface. In this circumstance, IP-HTTPS connections are actually broken, so chances are that if you are reading this, you have users complaining that they cannot connect. Fortunately Teredo connections still work just fine when this happens, but more and more DA deployments are going the way of “IP-HTTPS only”, with Teredo being disabled, and in that case it would affect your entire DirectAccess client base.

Opening up the Remote Access Management Console and checking the Operations Status screen displays a red X on the IP-HTTPS adapter, with the following message:

Error: Route advertisement is disabled on the IP-HTTPS adapter.

(You can see in the screenshot that the error also mentions Forwarding, which must also be enabled for DirectAccess to work properly.)

In order to confirm this is indeed the cause of your trouble, there is a simple netsh command that you can run which displays the settings associated with your DA server’s IP-HTTPS adapter:

netsh interface ipv6 show interface IPHTTPSInterface

Sure enough, both Forwarding and Advertising are set to disabled. While we aren’t sure what caused this behavior in the first place, the resolution to this problem seems simple enough, and it is. Simply run the following command to re-enable both route advertisement and forwarding on the IP-HTTPS adapter, and voila – your Operations Status console switches back to all green, and clients are once again able to successfully connect.

netsh interface ipv6 set interface IPHTTPSInterface forwarding=enabled advertise=enabled
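
The check and the fix above can be combined into one PowerShell script, run elevated on the DirectAccess server, so that a recurrence is detected, time-stamped and repaired in one pass. This is an added example, not part of the original post; it assumes English netsh output with the Forwarding and Advertising labels, and the function name Get-IpHttpsSetting is hypothetical.

```powershell
# Added example: detect and repair disabled forwarding/advertising on the
# IP-HTTPS adapter, using the same two netsh commands shown in the post.
$Interface = 'IPHTTPSInterface'
$Required  = @('Forwarding', 'Advertising')

function Get-IpHttpsSetting {
    # Hypothetical helper: turns netsh "Name : value" lines into a hashtable.
    param([string[]]$NetshOutput)
    $settings = @{}
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(?<name>[^:]+?)\s*:\s*(?<value>.+?)\s*$') {
            $settings[$Matches['name']] = $Matches['value']
        }
    }
    return $settings
}

function Read-IpHttpsInterface {
    $output = netsh interface ipv6 show interface $Interface
    if ($LASTEXITCODE -ne 0) { throw "netsh could not query $Interface" }
    $settings = Get-IpHttpsSetting -NetshOutput $output
    foreach ($name in $Required) {
        # Assumption: English labels. Stop rather than guess if they are absent.
        if (-not $settings.ContainsKey($name)) {
            throw "Label '$name' not found in netsh output for $Interface"
        }
    }
    return $settings
}

$before  = Read-IpHttpsInterface
$drifted = @($Required | Where-Object { $before[$_] -ne 'enabled' })

if ($drifted.Count -eq 0) {
    Write-Output "$Interface OK: forwarding and advertising are enabled."
} else {
    $stamp = Get-Date -Format 's'
    Write-Warning "$stamp $Interface has $($drifted -join ' and ') disabled; re-enabling."
    netsh interface ipv6 set interface $Interface forwarding=enabled advertise=enabled
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to update $Interface" }

    # Re-read the adapter to confirm the change actually took effect.
    $after = Read-IpHttpsInterface
    $still = @($Required | Where-Object { $after[$_] -ne 'enabled' })
    if ($still.Count -gt 0) { throw "$Interface still has $($still -join ', ') disabled" }
    Write-Output "$Interface repaired: forwarding and advertising are enabled."
}
```

Because the cause of the setting change is unknown, the time-stamped warning is worth keeping: it gives you a point to correlate against patching, reboots or configuration changes on the server.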

Jordan Krause
Security Engineer