Solved: Re: Comcast 6RD configuration? - Page 2

glgersc · ‎02-27-2011

Hi,

I have a new 881 router loaded with the latest 15.1.3T software, and I'm trying to get it connected to the Comcast 6RD IPv6 routers. (I'm on a Comcast cable modem.)

I've been trying to follow the directions from these links:

http://docwiki.cisco.com/wiki/6rd_Configuration_Example
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel.html

I am getting a delegated prefix from Comcast, so I know I'm connecting to their BR routers.

RouterA-new#sho tun 6rd pref 69.252.80.66 tu6
Interface: Tunnel6
Destination: 69.252.80.66
6RD Prefix: 2001:55C:45FC:5042::

But, that doesn't seem to be properly following the general-prefix on the tunnel (it's missing the ::45FC:5042::):

RouterA-new#sho ipv int brie tun 6
Tunnel6                    [up/up]
    FE80::A14:DE01
    2001:55C:A14:DE01::A14:DE01

I think the problem is just some stupid wrong/missing config in my tunnel setup. Or an ipv6 noob issue. This is the current state of what I have so far, cobbled from the links above, and with several shotgun troubleshooting tweaks:

ipv6 general-prefix Comcast6RD 6rd Tunnel6

interface Tunnel6
description Comcast 6RD IPv6 tunnel.
no ip address
no ip redirects
ipv6 address Comcast6RD ::/64 eui-64
ipv6 enable
tunnel source Vlan1
tunnel mode ipv6ip 6rd
tunnel 6rd prefix 2001:55C::/32
tunnel 6rd br 69.252.80.66

interface Vlan1
description Inside$FW_INSIDE$
ip address 10.20.222.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
ipv6 enable

I've tried putting the ipv6 address on the Vlan1 interface, as in the docwiki link, but then I get the overlapping address error listed in the link. But, when I try just putting the 'ipv6 enable' command on the tunnel, then I don't get any 2001:55C:: addresses assigned.

Feb 28 04:16:38.622: %IPV6_ADDRESS-3-ADDRESS_CFG: 2001:55C:A14:DE01::/64 can not be configured on Vlan1, 2001:55C:A14:DE01::/64 is overlapping with 2001:55C:A14:DE01::/128 on Tunnel6

So, does anyone have a working 6RD config for Comcast? Or can you point out what I'm doing wrong?

Thanks.

Phillip Remaker · ‎03-05-2011

Please feel free to post your complete Comcast sample config in the Documents Section of this community!

glgersc · ‎03-06-2011

I've posted the example config, complete with diagrams and copious notes.

Please let me know if I've missed anything, or have details wrong.

glgersc · ‎03-06-2011

Wen, on the 6RD docwiki link, I think the key thing that's still off is the IPv6 addresses in the picture. The last chunk has too many zero's.

For example: 2001:db80:0000a:: /52

Also, if the BR IPv4 address is 10.0.0.1, shouldn't the CE default route next hop be '2001:db80:a000:001::' or maybe ''2001:db80:a000:1::' ?

Not '2001:db80:a000:0010::' ?

The next thing I'm working on is getting zone rules working. I thought I had it. Basically letting the tunnel traffic in/out from Self and Outside, and then creating a simple inspect rule set from Inside to Tunnel6. Like this:

class-map type inspect match-any IPv6-Out-class
match protocol icmp
match protocol tcp
match protocol udp

policy-map type inspect IPv6-Out
class type inspect IPv6-Out-class
inspect
class class-default
drop log

zone security TunnelZone

zone-pair security Inside-to-Tunnel source in-zone destination TunnelZone
service-policy type inspect IPv6-Out

int tun 6
zone-member security TunnelZone

This worked great. I was seeing the audit logs getting built for the outbound connections, and using an external scan tool, scans were getting properly blocked.

Worked, as in past tense. 24 hours later, the inspect operations appeared to have failed for IPv6. (Still working/logging for IPv4.) They are still passing traffic out, but the audit logs are no longer being created, and the packets are getting dropped on return due to no inbound path. If the rule was completely dead/wrong, it shouldn't be able to pass traffic out at all. The dynamic inspect return path is gone with the oubound logging. (I'm seeing this on a sniffer on the outside interface as well.)

I can create an inbound Tunnel-to-Inside pass rule, and get traffic flowing, but then I'm not blocking anymore.

I tried your tip about turning off IPv6 CEF, no luck.

I'm still learning about ZBF, and could have had this really boogered up and in a fragile state. But it was working.

Does anyone have any working ZBF rules/configs for this type of tunneled IPv6 traffic?

One step forward, two to the side.....

wzhang · ‎03-06-2011

Hi, Greg:

>>Wen, on the 6RD docwiki link, I think the key thing that's still off is the IPv6 addresses in the picture. The last chunk has too many zero's.

>>For example: 2001:db80:0000a:: /52

You are right, it should be 2001:db80:0000:a000::/52. Technically it's still correct, it just doesn't conform to the standard v6 address representation ;-) The tricky part with this configuration is the 28 bit 6rd prefix, which means the ipv4 address that comes after won't fall on the full byte address boundary. I'd still argue it's a good ipv6 addressing exercise though :-)

>>Also, if the BR IPv4 address is 10.0.0.1, shouldn't the CE default route next hop be '2001:db80:a000:001::' or maybe ''2001:db80:a000:1::' ?

>>Not '2001:db80:a000:0010::' ?

Yes, the BR address is indeed wrong, it should be 2001:db80:0000:1000::. Note since the 6rd ipv4 prefix length is 8, only the last 3 octet of an ipv4 address is embedded in the ipv6 address (the first octet of 10 decimal is omitted). Thanks for catching these errors, I will get them corrected.

For the ZBF configuration, the problem that I had ran into had to do with ipv4 firewall inspection on the ipv4 traffic (prior to tunnel decapsulation) from the outside to the self zone. Since you are actually doing ipv6 inspection, it shouldn't apply. At first glance, your firewall config looks to be correct, so I'm inclined to agree with you that this looks like some sort of a bug. So when the problem happens, if you were to look at the firewall sessions for the inside-to-tunnel zone pair, do you see any active sessions at all? What about packets that matches the ipv6-out-class in the firewall stats?

Thanks,

Wen

glgersc · ‎03-07-2011

OK, I'm going crazy here. My outbound IPv6 inspect was working perfectly, and then stopped for no reason. Packets still go out (watching on an external sniffer), but because the inspect rule was never built (as seen by the lack of log entry), they get dropped on return. I figured I had just done something goofy and would start over.

But, I noticed something funky in the sniffer trace the next time I looked. Two other PC's on my network are still working perfectly. Outbound IPv6 builds/logs the inspect sessions, and traffic returns correctly.

Hmm. Maybe the router was stuck. Reload the router. Still the same.

What would cause the router to skip building inspect sessions for one PC, but keep doing it for others on the same subnet?

I'm also thinking it might be time to move this thread over to the security/firewalling forum. What's the etiquette for that here?

Any insight appreciated.

------------------------ update ----------------------

Before posting this I tried one more thing. I killed and restarted the IPv6 stack on my PC. (running Vista 64)

Now it works. The only difference is that I generated a new address.

The router still had both addresses in it's neighbor cache:

RouterA#sho ipv6 nei
IPv6 Address                              Age Link-layer Addr State Interface
2001:55C:1876:E7C5:3C8C:839C:5CC7:EE61      1 0050.8d9f.710c STALE Vl1   !<== Works great.
2001:55C:1876:E7C5:EC09:7D51:E508:D6CC      5 0050.8d9f.710c STALE Vl1   !<== Won't create an inspect rule.

And now that I think back, the only thing that did change between the rules working and not working is that I rebooted my PC, so again, getting a different address.

What on earth would make the router totally mishandle one IPv6 address on a host, and work perfectly for a different equally valid address on the same host? This behavior survived a router reload, and several clearings of neighbors, CEF, etc., so it's unlikely to be memory related.

Any ideas?

wzhang · ‎03-08-2011

Hi, Greg:

This looks like a bug with IOS. I tested your config in my lab and saw the same thing. It appears that if leading nibble in the interface-id is 0xE in the source ipv6 address, then the FW somehow will not create an inspect sessions for it. Strange indeed... as I can't quite see any significance in this half byte for an EUI-64 encoded interface-id. I'm going to try to do some research on this and see what I can find. Stay tuned...

Thanks,

Wen

glgersc · ‎05-01-2011

Hi Wen,

Did you ever have any luck tracking this down as a new or existing bug? Any bug ID I can track against?

I am still observing this behavior.

Thx,

Greg

wzhang · ‎05-01-2011

Hi, Greg:

I apologize for not posting an update on this - had too many things going on. I was not able to find an existing defect for this issue, so I opened a new bug for this. See:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn84802

It's currently still under engineering investigation. You may want to open a Service Request and link it to the bug so that you can get a better idea on an ETA for the fix.

Thanks,

Wen