12-07-2014 06:58 AM - edited 03-11-2019 10:11 PM
Hi
a few days ago I detected an IPv6 outage in Internet connectivity.
I finally found that the problem occurs between the ASA 5550 (9.1.1) and the core switch (Cat 6500 VSS (12.2(17r)SX7)).
As soon as the problem occurs, neighbor discovery for the core switch interface (IPv6 addr: 2001:620:d:c00::4) to which the ASA is connected no longer works.
EEFW/pri# sh ipv6 neighbor
IPv6 Address Age Link-layer Addr State Interface
...
2001:620:d:c00::4 0 - INCMP inside
...
When I enable debug ipv6 nd I see
on the ASA:
ICMPv6-ND: Sending NS for 2001:620:d:c00::4 on inside
--> no received NA is logged
on the core switch:
Dec 7 12:15:32.658: [IPv6 Input]ICMPv6-ND: Received NS for 2001:620:D:C00::4 on Vlan2 from FE80::222:90FF:FEFE:F98
Dec 7 12:15:32.662: [IPv6 Input]ICMPv6-ND: Sending NA for 2001:620:D:C00::4 on Vlan2
As soon as I do a ping from the ASA to 2001:620:D:C00::4, everything works again.
In this case the ipv6 nd debug on the core switch looks a bit different:
Dec 7 12:26:42.328: [IPv6 Input]ICMPv6-ND: Received NS for 2001:620:D:C00::4 on Vlan2 from 2001:620:D:C00::1
Dec 7 12:26:42.328: [IPv6 Input]ICMPv6-ND: Sending NA for 2001:620:D:C00::4 on Vlan2
also on the ASA:
ICMPv6-ND: Sending NS for 2001:620:d:c00::4 on inside
...
ICMPv6-ND: Received NA for 2001:620:d:c00::4 on inside from 2001:620:d:c00::4
ICMPv6-ND: INCMP -> REACH: 2001:620:d:c00::4
ICMPv6-ND: ND LU sent addition: 2001:620:d:c00::4, 0064.403b.c880
The only difference I can see is that in one case the link-local address is used and in the other case the unicast address is used.
After running the 'repair ping' everything works fine for many hours.
Configs:
ASA:
interface Port-channel1.2
description inside
vlan 2
nameif inside
security-level 100
ip address 152.88.2.1 255.255.255.0 standby 152.88.2.101
ipv6 address 2001:620:d:c00::1/64 standby 2001:620:d:c00::1001
ipv6 address 2001:620:d:c00::2001/64
ipv6 enable
EEFW/pri# sh ipv6 interface inside
inside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::222:90ff:fefe:f98
Global unicast address(es):
2001:620:d:c00::1, subnet is 2001:620:d:c00::/64
2001:620:d:c00::2001, subnet is 2001:620:d:c00::/64
Joined group address(es):
ff02::1:ff00:1
ff02::1:ff00:2001
ff02::2
ff02::1:fffe:f98
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
core switch:
interface Vlan2
description firewall inside
bandwidth 10000000
ip address 152.88.2.4 255.255.255.0
ip flow ingress
ipv6 address 2001:620:D:C00::4/64
ipv6 enable
end
core-emp-eaw#sh ipv6 interface vlan2
Vlan2 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::264:40FF:FE3B:C880
No Virtual link-local address(es):
Description: firewall inside
Global unicast address(es):
2001:620:D:C00::4, subnet is 2001:620:D:C00::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:4
FF02::1:FF3B:C880
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Output features: HW Shortcut Installation
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
The config worked for years without any problems.
Any idea what's going wrong?
Thanks in advance
Thomas
01-08-2016 04:11 PM
We're running into a similar situation, did you ever find a fix? I ended up statically defining the neighbors for the subnet joining the 65ks with the FW.
01-18-2016 02:45 AM
Hi, divanko!
I guess I've found the source of this case. I'll show you using the example of tgusset's configs.
First, look at the output of "sh ipv6 interface inside" on the ASA:
EEFW/pri# sh ipv6 interface inside
// output omitted
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Then, we'll compare the ND timers on the switch:
core-emp-eaw#sh ipv6 interface vlan2
//output omitted
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
So as you can see, the ND advertised retransmit intervals are different on the ASA and the connected switch. In order to avoid the ND problem you have to change the ND retransmit timer on the L3 interface on the switch. Unfortunately the ASA doesn't allow changing the ND advertised retransmit timer, so the timer on the switch has to be changed to 1000 ms.
For Cat65 (for example, IOS 15.1(2)SY5):
interface TenGigabitEthernet2/1/2
//output omitted
ipv6 nd ns-interval 1000
Without this option the timer was:
sh ipv6 int ten2/1/2
TenGigabitEthernet2/1/2 is up, line protocol is up
//output omitted
ND advertised retransmit interval is 0 (unspecified)
but after adding it:
sh ipv6 int ten2/1/2
TenGigabitEthernet2/1/2 is up, line protocol is up
// output omitted
ND advertised retransmit interval is 1000 milliseconds
I hope it'll help.
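The following is an added example, not code from the thread or from Cisco. It turns the two checks the thread walks through into a small audit script: the first post's symptom (a neighbor stuck in INCMP in "sh ipv6 neighbor") and the last reply's diagnosis (the ND advertised retransmit interval differing between the ASA and the switch). The sample inputs are constructed from the show output quoted in the thread; the parsing assumes the line layout shown there, and the remediation string simply reproduces the "ipv6 nd ns-interval" command from the reply.

```python
import re

# Constructed sample input: trimmed copies of the "sh ipv6 interface" output
# posted in the thread (same values; unrelated lines dropped).
ASA_SHOW = """\
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::222:90ff:fefe:f98
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
"""

SWITCH_SHOW = """\
Vlan2 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::264:40FF:FE3B:C880
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
"""

# The same switch interface after "ipv6 nd ns-interval 1000" is applied
# (constructed from the value shown in the final reply).
SWITCH_SHOW_FIXED = SWITCH_SHOW.replace(
    "retransmit interval is 0 milliseconds",
    "retransmit interval is 1000 milliseconds")

# Constructed "sh ipv6 neighbor" sample: the stuck entry from the first post
# plus one healthy entry so the filter has something to ignore.
NEIGHBOR_TABLE = """\
IPv6 Address                    Age Link-layer Addr State Interface
2001:620:d:c00::4                 0 -               INCMP inside
fe80::264:40ff:fe3b:c880          3 0064.403b.c880  REACH inside
"""

# Matches the numeric ND timer lines ("... is 30000 milliseconds",
# "... is 0 (unspecified)"). Lines such as "ND DAD is enabled" have no
# number after "is" and therefore do not match.
ND_TIMER = re.compile(r"^\s*ND (?P<name>[A-Za-z ]+?) is (?P<value>\d+)")


def parse_nd_timers(show_output):
    """Return {timer name: value in ms} from "show ipv6 interface" text."""
    timers = {}
    for line in show_output.splitlines():
        m = ND_TIMER.match(line)
        if m:
            timers[m.group("name")] = int(m.group("value"))
    return timers


def compare_nd_timers(local, peer):
    """List (timer, local value, peer value) for every timer that differs.

    Only timers present on both sides are compared, so a platform that
    omits a line is not reported as a mismatch.
    """
    return [(name, local[name], peer[name])
            for name in local if name in peer and local[name] != peer[name]]


def stuck_incomplete_neighbors(neighbor_output):
    """Return addresses whose ND state is INCMP in "show ipv6 neighbor" text."""
    stuck = []
    for line in neighbor_output.splitlines():
        fields = line.split()
        # columns: address, age, link-layer addr, state, interface
        if len(fields) >= 5 and fields[-2] == "INCMP":
            stuck.append(fields[0])
    return stuck


def remediation(interface, retransmit_ms):
    """IOS snippet that aligns the switch's advertised retransmit timer."""
    return f"interface {interface}\n ipv6 nd ns-interval {retransmit_ms}"


if __name__ == "__main__":
    print("stuck INCMP neighbors:", stuck_incomplete_neighbors(NEIGHBOR_TABLE))
    asa, sw = parse_nd_timers(ASA_SHOW), parse_nd_timers(SWITCH_SHOW)
    for name, a, b in compare_nd_timers(asa, sw):
        print(f"mismatch: ND {name}: ASA={a} ms, switch={b} ms")
        print(remediation("Vlan2", a))
    print("after fix:", compare_nd_timers(asa, parse_nd_timers(SWITCH_SHOW_FIXED)))
```

Run against the two outputs from the thread it reports exactly one mismatch, the advertised retransmit interval (1000 ms on the ASA, 0 ms on the switch), and none once the switch side reads 1000 ms; the INCMP filter is the quick way to spot the symptom before the repair ping is run.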