topic Thank You Erik in Network Security

ASA 9.3 - Multiple Context - IPv6 between contexts

etamminga — Tue, 12 Mar 2019 05:03:04 GMT

Hi,

We have a ASA 5525 with multiple contexts running 9.3(1). We are having troubles routing IPv6 traffic between contexts.

Assume: Internet ---- <ASA "Internet" Context> --- <ASA "Customer A" Context> ---- End Host

We have configured static to route from internet to end host and the other way around.
We do not see IPv6 neighbors getting established between the two ASA contexts. IPv4 is working just fine.

Does anyone have an idea what I missed in the configuration? All interfaces (in all contexts) are using unique mac addresses.

Regards,

Erik Tamminga

Customer ASA:

interface CustomerAInside
nameif inside
security-level 100
ip address 172.29.10.10 255.255.255.0 standby 172.29.10.11
ipv6 address 2001:abcd:0:a::a/64 standby 2001:abcd:0:a::b
ipv6 enable
ipv6 nd suppress-ra
!
interface PublicDMZ
nameif outside
security-level 0
ip address 1.2.3.10 255.255.255.0
ipv6 address 2001:abcd:0:ff01::a/64 standby 2001:abcd:0:ff01::b
ipv6 enable
ipv6 nd suppress-ra
!

ipv6 route outside ::/0 2001:abcd:0:ff01::1
ipv6 route inside 2001:abcd::/48 2001:abcd:0:a::1

Internet ASA:

interface Outside
nameif outside
security-level 0
ip address 7.8.9.10 255.255.255.0
ipv6 address 2001:7890:1400:18::2/64
ipv6 enable
ipv6 nd suppress-ra
!
interface PublicDMZ
nameif public-dmz
security-level 50
ip address 1.2.3.10 255.255.255.0
ipv6 address 2001:abcd:0:ff01::1/64
ipv6 enable
ipv6 nd suppress-ra
!

ipv6 route outside ::/0 2001:7890:1400:18::1
ipv6 route public-dmz 2001:abcd::/48 2001:abcd:0:ff01::a

Hmm this is a bit of

Marvin Rhoads — Mon, 10 Nov 2014 13:08:22 GMT

Hmm this is a bit of speculation but IPv6 relies heavily on multicast. I know that when we tried to do OSPF routing (IPv4) between contexts it would not work since multicast is not supported between either shared or unshared interfaces in multiple context mode.

Hi,Thanks. I suspected

etamminga — Wed, 12 Nov 2014 14:31:50 GMT

Hi,

Thanks. I suspected something like this. All IPv6 manual pages say it is supported in multi-context but do not specifically mention shared interfaces.

I've created a TAC case to be sure.

Regards,

Erik

HiI have exactly the same

ol_th0001 — Sun, 30 Nov 2014 11:00:41 GMT

I have exactly the same problem.

Did you get it sorted and if what was the solution.

Thanks.

Hi,It turns out to be not

etamminga — Sun, 30 Nov 2014 11:18:50 GMT

Hi,

It turns out to be not supported on ASA 9.3. The IPv6 neighbor mechanism relies on multicasting and multicasting (ipv4 & ipv6) is not supported on shared interfaces.

Two ways to work around it:

- Define static neighbors. Works fine if you only have 2-3 contexts. Too much work if you need more contexts. You need to setup a full mesh of routes and static neighbors.

- Have some other device in the shared network do routing (router on a stick) for IPv6.

I did the last. I use one context for Internet->DMZ traffic and multiple other contexts (one per customer) to handle DMZ->Customer X traffic. The switch in the DMZ VLAN was able to do IPv6 routing and I now have all my routes from all contexts pointed to the L3 interface on the DMZ VLAN of the switch. And on the switch routes pointing to all Customers/contexts and a default.

Regards,

Erik

Thank You Erik

ol_th0001 — Sun, 30 Nov 2014 12:10:11 GMT

Thank You Erik