Hi,

Did the host acquire its address via SLAAC, DHCPv6 or was it manually configured? Could you please share a bit more information about the host and FW configuration. Have you tried pinging the FW link-local address from the host?

Regards

Hi Harold,

I assign manual configured IPv6. I tried pinging the FW link-local address from host and the result the same.

Hosts is  Windows 7 Professional Computer. I don't install any firewall or antivirus software. I turn off windows FW and Pinging beetween hosts in the same switch is good.

Here is FWSM configuration

interface Vlanx

description TEST

nameif TEST

security-level 40

ip address 192.168.0.1 255.255.255.0

ipv6 address 2001:xxx:0:x::1/64

ipv6 enable 

ipv6 nd suppress-ra

Regards

Hi,

Have you tried connecting the host directly to the 6500 hosting the FWSM? This would rule out any issues with the switches configuration.

Regards

Hi Harold

I have hosts from PC-SW2950-crosscable-SW6509(FWSM) ping is good. But I ping from PC-SW6509--trunking---SW6509--crosscable--SW6509(FWSM) is not good. Ping IPv4 is good. I don't setup any rule on the switchs.

Regards,

It looks like the issue is at layer 2 if you can ping from the host to the FW in some scénarios but not in others. Is the L3 configuration the same in both scenarios?

Sent from Cisco Technical Support iPhone App

I test it another VLAN, It's the same. I think it maybe the issue is at layer 2. Note that I configured IPv6 address on SW that connected to PC. I tried pinging, it is good. but PC is not. I use wireshark for capture packet, It seem problem with NDP packet from PC to FWSM. PC send Neighbor Sociltation to FWSM, but FWSM cannot received this message.

So the FW sends NA in some scenarios and not in others? Could you be more specific about when when it does and when it doesn't.

Regards

You are right, FW send NA some scenarios and not in others. When ping  was good, i saw RA message, and when it could not ping, RA message  didn't appear during this time. I guest that there is a problem with NDP  message, but I don't understand reason.

Regards

In the scenario where the FW does not reply with the NA, do you at least see the ND being received by the FW?

Regards

I don't see the ND being received by FW, Host cannot see the FW and when It send ND solicitation, It seem the message lost in the connection

It looks like one of the switches in between is not passing the ND traffic. Are the switches in between configured for L2 only? Has any of the switches been configured for L3 at some point? If so, make sure that ipv6 unicast-routing is disabled on the L2 switches.

Regards

I checked, all the switches has been configured for L2 only, and IPv4, IPv6 unicast-routing is disabled.

I have configured for trunking between switch:

!

interface TenGigabitEthernet3/15

description Trunking

switchport

switchport trunk allowed vlan 1-40

switchport mode trunk

and crosscable and client

interface GigabitEthernet x/x

switchport

switchport access vlan 5

switchport mode access

Regards

Hi,

If the ipv6 configuration on the PC and on the FW does not change between

PC-SW2950-crosscable-SW6509(FWSM)

and

PC-SW6509--trunking---SW6509--crosscable--SW6509(FWSM)

And only the first one works but not the other, it has to be some kind of layer2 issue.

So the host send the ND to the FW but the ND does not make it to the FW, right? How did you verify that?

Can you check the mac-address-table on the two 6509 in the middle to see if the ND passes through with the following command:

sh mac-address-table address 3333.ff00.0001 (multicast address for solicited node multicast address of FW ipv6 address)
Regards