Solved: Re: asa5508 ipv6 autoconfiguration not working

jilse-iph · ‎08-22-2024

I have an asa5508-x firewall with firmware 9.12.4 running, and ipv6 autoconfiguration seems not to work on outside interface:

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.22.12 255.255.255.0
ipv6 address fe80::2 link-local
ipv6 address autoconfig
ipv6 enable
ipv6 nd suppress-ra

ilse-asa# sh ipv6 interface outside
outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::2
No global unicast address is configured

Joined group address(es):
ff02::2
ff02::1
ff02::1:ff00:2
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.

A Windows10 computer located on the same network gets a gobal unicat ipv6 address with autoconfiguration. The router does not support ipv6 dhcp for address configuration (it is a Speedport 724W router from german Telekom). Any ideas, how i can get ipv6 autoconfiguration working on the asa?

Harold Ritter · ‎08-22-2024

Hi @jilse-iph ,

Your outside interface configuration should allow it to auto configure itself.

Make sure you don't have some command such as "ipv6 icmp deny any outside" blocking icmpv6 packets on the outside interface.

You can verify that you are indeed receiving the RA by doing a "debug ipv6 icmp" and checking that the router advertisement (icmpv6 type 134) is being received.

One more thing to keep in mind. When you use the auto configuration mode to configure the outside interface, you generally want to use the router from which you receive the router advertisement as the default gateway. To do this you would need to change the "ipv6 address autoconfig" as follow:

ipv6 address autoconfig default trust ignore

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎08-22-2024

Hi @jilse-iph ,

Your outside interface configuration should allow it to auto configure itself.

Make sure you don't have some command such as "ipv6 icmp deny any outside" blocking icmpv6 packets on the outside interface.

You can verify that you are indeed receiving the RA by doing a "debug ipv6 icmp" and checking that the router advertisement (icmpv6 type 134) is being received.

One more thing to keep in mind. When you use the auto configuration mode to configure the outside interface, you generally want to use the router from which you receive the router advertisement as the default gateway. To do this you would need to change the "ipv6 address autoconfig" as follow:

ipv6 address autoconfig default trust ignore

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jilse-iph · ‎08-23-2024

@Harold Ritter wrote:
Hi @jilse-iph ,
Your outside interface configuration should allow it to auto configure itself.

I hoped that, but it sees not to work ....

Make sure you don't have some command such as "ipv6 icmp deny any outside" blocking icmpv6 packets on the outside interface.

I have explicit permit statements to allow icmp6 on thhe interface:

ipv6 enforce-eui64 outside

and because i saw, that autoconfiguration seems not to work, i added also thhe following statements (that re redundant because thhe above statement alred exists):

ipv6 icmp permit any neighbor-advertisement outside
ipv6 icmp permit any neighbor-solicitation outside
ipv6 icmp permit any router-advertisement outside
ipv6 icmp permit any router-renumbering outside
ipv6 icmp permit any router-solicitation outside

Harold Ritter · ‎08-23-2024

Hi @jilse-iph ,

I am not sure why, but it looks like the "ipv6 enforce-eui64 outside" command is likely breaking the router advertisement reception. Please remove it, do a "shut", "no shut" on the outside interface and it should fix the issue.

This command is not required anyway for autoconfiguration.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jilse-iph · ‎08-23-2024

Thanks for your hep. At the moent, the router seems tobe thhe problem. It does not send router advertiseents (but i amm shure, tat wasthe case in past).

Harold Ritter · ‎08-23-2024

Thanks for the feedback @jilse-iph . Please let us know if the solution provided works for you once the router recovers.

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jilse-iph · ‎08-29-2024

The router was the reason for the issue. I repaced the od router with a "digitallisierungsbox basic" (another type of DSL router used by german telekom, it is a relabled zyxell device) and the issue disappeared.