• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

XP update KB978338 blocked Hurricane tunnel.

Started by ngjvjRbYM, May 12, 2010, 09:20:47 AM


ngjvjRbYM

After installing this update (and a reboot) the tunnel didn't work anymore.
After uninstalling this update (and a reboot) the tunnel worked again.

Is it possible to install this update and keep a working Hurricane tunnel?
The update: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9dc3e1c2-2e9d-4d86-9fce-446c409ad613

After this update tunnels using Teredo and Gogo6 were still possible (and working after configuration).

lynredla

Hello ngjvjRbYM,

I experienced the same problem and solution.

Hopefully, there is a permanent fix for the problem -- after all the update was issued for a good reason  ;)

Thanks for the tip.


ngjvjRbYM

Thanks for responding.
This confirms that this problem happens to multiple users.

acidic

I just wanted to say that this was my problem. I had done everything. DMZ'd, disabled win firewall, etc. I kept getting Request Timed Out when pinging ipv6 addresses. I eventually plugged right into the modem and knew something had to really be wrong. After uninstalling this update everything worked.

Thanks for figuring this out.

DavidRabahy

Hmm, removing this did not help me.  I created a tunnel and configured my NAT to forward TCP port 41.  I configured Windows XP as directed and even tried DMZing but no luck.

cholzhauer

Please keep in mind that port 41 does not equal protocol 41
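The distinction in the reply above, shown on packet bytes (an added example, not part of any post in this thread): the IPv4 header's protocol field selects 6in4 encapsulation, and such packets carry no port at all. Both sample packets are constructed here with documentation addresses, and the header checksum is left at zero.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulated in IPv4 (6in4)

def classify(packet: bytes) -> str:
    """Describe an IPv4 packet by its protocol field and, where one exists, its port."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed IPv4 header"
    proto = packet[9]                     # protocol field, byte 9 of the header
    payload = packet[ihl:]
    if proto == IPPROTO_IPV6:
        # The payload is a complete IPv6 packet; there is no port to forward.
        if payload and payload[0] >> 4 == 6:
            return "protocol 41 (6in4), inner IPv6 packet"
        return "protocol 41 (6in4), payload is not IPv6"
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            return "truncated transport header"
        _sport, dport = struct.unpack("!HH", payload[:4])
        return f"{'TCP' if proto == IPPROTO_TCP else 'UDP'} port {dport}"
    return f"protocol {proto}"

def ipv4_header(proto: int, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum not computed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.1"))

# Constructed sample 1: a TCP SYN to destination port 41 (what a NAT
# "forward TCP port 41" rule matches).
TCP_PORT_41 = ipv4_header(IPPROTO_TCP, 20) + struct.pack(
    "!HHIIBBHHH", 49152, 41, 0, 0, 0x50, 0x02, 8192, 0, 0)

# Constructed sample 2: a 6in4 tunnel packet (IP protocol 41) wrapping an
# empty IPv6 packet (next header 59 = no next header).
SIXIN4 = ipv4_header(IPPROTO_IPV6, 40) + struct.pack(
    "!IHBB16s16s", 0x60000000, 0, 59, 64,
    socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
    socket.inet_pton(socket.AF_INET6, "2001:db8::2"))

if __name__ == "__main__":
    for name, pkt in (("TCP_PORT_41", TCP_PORT_41), ("SIXIN4", SIXIN4)):
        print(name, "->", classify(pkt))
```

A port-forwarding rule matches only the first packet; a router has to pass IP protocol 41 itself for the second to reach the tunnel endpoint.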

mlksoft

I have solved this problem WITHOUT uninstalling the update.

This update enforces a requirement that tunnel endpoints are registered in DNS in order to prevent "rogue" packets from being accepted by the tunnel.

There are TWO ways to circumvent this issue:
1.  Remove the update.  Unfortunately, Windows Update may attempt to reinstall it.  You also open a potential security risk.

2.  Modify your DNS server.  The address isatap.yourdomain.com is "magic".  If it resolves to your tunnelbroker endpoint, then packets are accepted, otherwise they are rejected.  In addition, you may have to edit the registry to remove isatap from the DNS server's globally blocked address list.  By default, Windows 2003/2008 block attempts to look up isatap.

If you don't control your DNS server, you might be able to add isatap.yourdomain.com to your local
\windows\system32\drivers\etc\hosts file.

ngjvjRbYM

#7
I have tested option 2 but I couldn't get it to work.
I have edited the hosts file and added
"216.66.80.26      isatap.yourdomain.com" without the " ".
"216.66.80.26      www.isatap.yourdomain.com" without the " ".

"nslookup isatap.yourdomain.com" didn't go to this ipnumber (also mentioned by mlksoft).
"nslookup 127.0.0.1 isatap.yourdomain.com"  without " " did go to 216.66.80.26
"Tracert isatap.yourdomain.com" without " " did go to 216.66.80.26

I have searched with regedit for "isatap" but couldn't find this.

I have used the second workaround ("Disable the ISATAP IPv6 interface") mentioned by Microsoft.
On their site: netsh interface isatap set state disabled
I have used (xp sp3): netsh interface ipv6 isatap set state disabled

The Hurricane still works but KB978338 isn't installed.
After setting isatap to disabled the use of Teredo and Gogo6 were also still possible (and working after configuration).

mlksoft

On Windows 2003, DNS parameters are at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

The list of addresses that are globally blocked is at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

In my configuration, isatap was in the list by default, so I took it out.

Also, you will find

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\EnableGlobalQueryBlockList, which I suspect allows you to enable/disable the block list.

I don't recall if I needed to restart the DNS service after changing the GlobalQueryBlockList parameter.


Ninho

#9
Just found this old thread which may apply to a new problem I am facing - can't seem to make IPv6 work in a new virtual machine w/ XP Pro SP3 (a Virtual PC downloaded from and preconfigured by Microsoft). The VM indeed had the Update in subj applied, which I simply can't uninstall lacking the Uninst folder.

That VM is a replacement for a previous version of that Microsoft VM (lost in a disk crash),  IPv6 worked without problem in the previous VM. All other things being unchanged I /conjecture/ the problem could come from the offending XP Update, which possibly the lost VM did not have applied.

Willing to try the "hosts" file approach : here is a (maybe dumb) question, in the domain name mentioned up-thread : " isatap.yourdomain.com",

is "yourdomain.com" a (magic) predefined literal, to be entered as such in the Hosts, or is it rather a placeholder for "my(?)domain" or else again is it related to the tunnel broker ?

My home network is /not/ a "domain" (in the sense of MS), and I don't run a DNS server on the LAN, if this matters. As such I wonder what "mydomain" is if it isn't 'mydomain'   :)

The (virtual) XP machine is supposed to get its v6 configuration through RA. The IPv6 gateway is a (physical) computer  running Win 2k or sometimes Linux. Other than this new VM, I have IPv6 related problem on the (small) LAN here.

[Edit]
1. Problem solved by reapplying the solution that... /I/ provided way-back http://www.tunnelbroker.net/forums/index.php?topic=573.msg2477

and had the time to forget since...

2. Although the ISATAP on XP was /not/ the problem, finally (not used in this config indeed), I'm still interested in an answer to the clarification request I posted above, regarding the DNS or host.