Firepower MGMT Interface no Unique Local IPv6 Address

sabienzia5500
Level 1

Hi guys, we are trying to replace some of our ASAs with Firepower. Our MGMT interface is assigned a Unique Local IPv6 Address (Fd14:xx....), so if I try to set up the FTD MGMT interface with our Unique Local IPv6 Address we get this error:
ERROR: IPv6 address must be global unicast.
Failed to update IPv6 configuration.

Is there any fix for that problem?
Thx a lot

3 Replies

Harold Ritter
Cisco Employee

Hi @sabienzia5500 ,

Here's an extract from the "Firepower Management Center" configuration guide:

IPv6 Addressing

You can configure two types of unicast addresses for IPv6:

  • Global—The global address is a public address that you can use on the public network. For a bridge group, this address needs to be configured for the BVI, and not per member interface. You can also configure a global IPv6 address for the management interface in transparent mode.

  • Link-local—The link-local address is a private address that you can only use on the directly-connected network. Routers do not forward packets using link-local addresses; they are only for communication on a particular physical network segment. They can be used for address configuration or for the Neighbor Discovery functions such as address resolution. In a bridge group, only member interfaces have link-local addresses; the BVI does not have a link-local address.

If you have a strong requirement for unique local addresses (ULA) support, I would suggest you discuss it with your Cisco account team.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/interfaces_for_firepower_threat_defense.html#concept_3EF4939CE1144BF482515C4E939A708F

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi Harold,
Thank you very much. I don't understand why we have to set up a public IPv6 address on a "management" interface. Can you please tell me the idea behind that?
Regards

Hi @sabienzia5500 ,

I think this restriction came from the UCS. Please refer to the UCS IPv6 compliance section in the following document:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2.pdf

I found another customer who had the same issue and the workaround was to use the diagnostic interface instead. The diagnostic interface does not have that restriction and will accept the ULA configuration.

Regards,

 

Harold Ritter
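
A pre-migration check for the situation in this thread, added here as an example (not code from the posters or from Cisco): it scans an address plan and reports management-interface entries that fall outside the global unicast range, which the error message above indicates will be rejected, while leaving diagnostic-interface entries alone. The plan layout, interface labels and sample addresses are constructed, and treating 2000::/3 as "global unicast" is an assumption about what the device checks.

```python
import ipaddress

# Prefix definitions: 2000::/3 is the IANA global unicast allocation,
# fc00::/7 is Unique Local (RFC 4193), fe80::/10 is link-local.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(addr):
    """Return 'global', 'ula', 'link-local', 'other' or 'invalid'."""
    try:
        # ip_interface accepts both "addr" and "addr/prefixlen" forms.
        ip = ipaddress.ip_interface(addr).ip
    except ValueError:
        return "invalid"
    if ip.version != 6:
        return "invalid"
    if ip in GLOBAL_UNICAST:
        return "global"
    if ip in UNIQUE_LOCAL:
        return "ula"
    if ip in LINK_LOCAL:
        return "link-local"
    return "other"


def audit(plan):
    """Return (device, address, kind) for management entries that are not
    global unicast. Assumption: only the 'management' interface enforces
    the restriction; the thread reports that 'diagnostic' accepts ULA."""
    findings = []
    for device, interface, address in plan:
        kind = classify(address)
        if interface == "management" and kind != "global":
            findings.append((device, address, kind))
    return findings


# Constructed sample plan (hypothetical device names, documentation prefix).
SAMPLE_PLAN = [
    ("fw-a", "management", "fd14:0:0:1::10/64"),
    ("fw-b", "management", "2001:db8:0:1::10/64"),
    ("fw-c", "diagnostic", "fd14:0:0:1::12/64"),
    ("fw-d", "management", "fd14::zz/64"),
]

if __name__ == "__main__":
    for device, address, kind in audit(SAMPLE_PLAN):
        print(f"{device}: {address} is {kind}; re-plan or use the diagnostic interface")
```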