asa5508 ipv6 autoconfiguration not working

jilse-iph

I have an asa5508-x firewall with firmware 9.12.4 running, and ipv6 autoconfiguration seems not to work on the outside interface:

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.22.12 255.255.255.0
ipv6 address fe80::2 link-local
ipv6 address autoconfig
ipv6 enable
ipv6 nd suppress-ra

ilse-asa# sh ipv6 interface outside
outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::2
No global unicast address is configured

Joined group address(es):
ff02::2
ff02::1
ff02::1:ff00:2
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.

A Windows 10 computer located on the same network gets a global unicast IPv6 address with autoconfiguration. The router does not support IPv6 DHCP for address configuration (it is a Speedport 724W router from German Telekom). Any ideas how I can get IPv6 autoconfiguration working on the ASA?

Accepted Solutions

Harold Ritter

Hi @jilse-iph ,

Your outside interface configuration should allow it to auto configure itself.

Make sure you don't have some command such as "ipv6 icmp deny any outside" blocking icmpv6 packets on the outside interface. 

You can verify that you are indeed receiving the RA by doing a "debug ipv6 icmp" and checking that the router advertisement (icmpv6 type 134) is being received.

One more thing to keep in mind. When you use the auto configuration mode to configure the outside interface, you generally want to use the router from which you receive the router advertisement as the default gateway. To do this you would need to change the "ipv6 address autoconfig" as follows:

ipv6 address autoconfig default trust ignore

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
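
Added example, not part of the original post or of any Cisco tooling: once a router advertisement (ICMPv6 type 134) is confirmed on the wire, this Python sketch checks whether it carries a Prefix Information option that stateless autoconfiguration can use, following the RFC 4861/4862 field layout. The function names and the 2001:db8:22::/64 sample packet are constructed for illustration, and a 64-bit interface identifier (Ethernet) is assumed.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option


def analyze_ra(icmp: bytes) -> dict:
    """Inspect an ICMPv6 message (starting at its type byte) for SLAAC usability."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        return {"is_ra": False, "slaac_prefixes": [],
                "problems": ["not a router advertisement"]}
    flags, router_lifetime = struct.unpack_from("!BH", icmp, 5)
    res = {"is_ra": True, "managed": bool(flags & 0x80),
           "default_router": router_lifetime > 0,  # 0 = sender is not a default router
           "slaac_prefixes": [], "problems": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp):
            res["problems"].append("malformed option")
            break
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", icmp, off + 2)
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            name = f"{addr}/{plen}"
            if addr.is_link_local:
                pass  # link-local prefixes are never used for SLAAC
            elif not pflags & 0x40:
                res["problems"].append(f"{name}: autonomous (A) flag not set")
            elif plen != 64:
                res["problems"].append(f"{name}: prefix length is not 64")
            elif valid == 0 or preferred > valid:
                res["problems"].append(f"{name}: unusable lifetimes")
            else:
                res["slaac_prefixes"].append(name)
        off += opt_len
    if not res["slaac_prefixes"] and not res["problems"]:
        res["problems"].append("no usable prefix information option")
    return res


def build_sample_ra(prefix="2001:db8:22::", plen=64, pflags=0xC0) -> bytes:
    """Constructed sample RA (checksum zeroed); not captured traffic."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed
```

Feed `analyze_ra` the ICMPv6 payload bytes from a packet capture taken on the outside segment; an empty `slaac_prefixes` list with an entry in `problems` points at the advertising router rather than the firewall.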


@Harold Ritter wrote:

Hi @jilse-iph ,

Your outside interface configuration should allow it to auto configure itself.

I hoped that, but it seems not to work ....

Make sure you don't have some command such as "ipv6 icmp deny any outside" blocking icmpv6 packets on the outside interface. 

I have explicit permit statements to allow icmp6 on the interface:

ipv6 enforce-eui64 outside

and because I saw that autoconfiguration seems not to work, I also added the following statements (that are redundant because the above statement already exists):

ipv6 icmp permit any neighbor-advertisement outside
ipv6 icmp permit any neighbor-solicitation outside
ipv6 icmp permit any router-advertisement outside
ipv6 icmp permit any router-renumbering outside
ipv6 icmp permit any router-solicitation outside

Hi @jilse-iph ,

I am not sure why, but it looks like the "ipv6 enforce-eui64 outside" command is likely breaking the router advertisement reception. Please remove it, do a "shut", "no shut" on the outside interface and it should fix the issue.

This command is not required anyway for autoconfiguration.

Regards,

Harold Ritter

Thanks for your help. At the moment, the router seems to be the problem. It does not send router advertisements (but I am sure that was the case in the past).

Thanks for the feedback @jilse-iph . Please let us know if the solution provided works for you once the router recovers.

Harold Ritter

The router was the reason for the issue. I replaced the old router with a "Digitalisierungsbox Basic" (another type of DSL router used by German Telekom; it is a relabeled Zyxel device) and the issue disappeared.