IPv6 LAN traffic stops passing - no neighbor seen

the-lebowski
Level 4

I have a strange issue with a new IPv6 configuration.

3850 (core )  > Transparent ASA > LAB environment

I assume after no IPv6 traffic is passing it goes stale, but the only way I can get it to start passing again is by initiating traffic from the 3850. If a lab device tries to, it gets no response and times out. The ASA is allowing all IPv6 in both directions, and when it isn't working I can see that there is no LAB neighbor on the 3850. If I send some traffic in that direction then the adjacency forms. Any idea what could be causing this?

Working:

1-3850#
!
interface Vlan16
ip address 10.15.99.1 255.255.255.0
ip access-group deny-254 in
ipv6 address 2404:9500:80CF:E10C:1000::1/68
ipv6 enable
ipv6 nd prefix default no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
no ipv6 redirects
!
1-3850#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
2404:9500:80CF:E10C:1000::2               124 c444.a00d.88e4  STALE Vl196
2404:9500:80CF:E100:2000::3                 0 006b.f1f9.f5e4  STALE Vl2
FE80::26B:F1FF:FEF9:F5E4                    0 006b.f1f9.f5e4  STALE Vl2

NOT WORKING:

1-3850-blr#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
2404:9500:80CF:E100:2000::3                 0 006b.f1f9.f5e4  STALE Vl2
FE80::26B:F1FF:FEF9:F5E4                    0 006b.f1f9.f5e4  STALE Vl2

1-3850#show ipv6 neighbors statistics
IPv6 ND Statistics
 Entries 1, High-water 3, Gleaned 2, Scavenged 6, Static 0
 Entry States
   INCMP 0  REACH 0  STALE 1  GLEAN 0  DELAY 0  PROBE 0
 Resolutions
   Requested 32, timeouts 78, resolved 6, failed 26
   In-progress 0, High-water 2, Throttled 0, Data discards 7
 NUD
   Requested 16, timeouts 3, resolved 15, failed 1
   in-progress 0, high-water 1, throttled 0, current queue 0, queue high-water 0
 Delayed Queue 0, Delayed Queue High-water 4
1-3850#

4 Replies

Peter Paluch
Cisco Employee

Hello,

The STALE state of an ICMPv6 ND entry is normal. It just says that the entry has not been used for some time since there was no traffic being sent to that IPv6 address, and so there is no guarantee that the entry is still valid.

Either way, the behavior described by you casts a shadow of doubt on the ASA. Even though you say it allows the IPv6 traffic bidirectionally, I still wonder if there can be something on the ASA that plays tricks on us. The behavior appears to be strongly unidirectional which is typical of firewalls.

  • Do you think you could share the configuration of the ASA box here? What would be sufficient would be the configuration of the relevant interfaces, and any ACLs or related objects that are relevant to those interfaces.
  • Does the ASA bidirectionally allow also multicast IPv6 traffic? This is required for IPv6 ND in particular.
  • Is there any chance of bypassing the ASA for test purposes?
  • By any chance, do you run VTP Pruning? If so, can you make the VLAN 196 ineligible for VTP pruning using the switchport trunk pruning vlan except 196 on the interfaces toward the ASA?

Thank you!

Best regards,
Peter
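Peter's point about ND depending on multicast can be checked concretely. The following is an added Python example, not code from the thread: it diffs the two `show ipv6 neighbors` tables quoted above and, for each neighbor that is present in the working table but missing from the broken one, computes the solicited-node multicast group (RFC 4291) and the Ethernet multicast MAC (RFC 2464) that a Neighbor Solicitation for it is sent to. Those are the destinations a capture on the transparent ASA, or its ACL hit counters, should show passing in both directions.

```python
import ipaddress

# Constructed samples copied from the "Working" and "NOT WORKING" tables in the post.
WORKING = """\
IPv6 Address                              Age Link-layer Addr State Interface
2404:9500:80CF:E10C:1000::2               124 c444.a00d.88e4  STALE Vl196
2404:9500:80CF:E100:2000::3                 0 006b.f1f9.f5e4  STALE Vl2
FE80::26B:F1FF:FEF9:F5E4                    0 006b.f1f9.f5e4  STALE Vl2
"""
NOT_WORKING = """\
IPv6 Address                              Age Link-layer Addr State Interface
2404:9500:80CF:E100:2000::3                 0 006b.f1f9.f5e4  STALE Vl2
FE80::26B:F1FF:FEF9:F5E4                    0 006b.f1f9.f5e4  STALE Vl2
"""

def parse_neighbors(text):
    """Parse 'show ipv6 neighbors' rows: address -> (age, link-layer addr, state, iface)."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 5:                     # ignore prompts and blank lines
            continue
        addr, age, lladdr, state, iface = parts
        table[ipaddress.IPv6Address(addr)] = (age, lladdr, state, iface)
    return table

def solicited_node(addr):
    """RFC 4291 solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))

def multicast_mac(group):
    """RFC 2464 mapping: 33-33 followed by the low 32 bits of the group, Cisco dotted form."""
    low = f"{int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF:08x}"
    return f"3333.{low[:4]}.{low[4:]}"

def missing_neighbors(working, broken):
    """Neighbors in the healthy table but absent from the broken one, with the
    multicast group and MAC a Neighbor Solicitation for each is addressed to."""
    good, bad = parse_neighbors(working), parse_neighbors(broken)
    return [(str(a), good[a][3], str(solicited_node(a)), multicast_mac(solicited_node(a)))
            for a in good if a not in bad]

if __name__ == "__main__":
    for addr, iface, group, mac in missing_neighbors(WORKING, NOT_WORKING):
        print(f"{addr} on {iface}: NS goes to {group} / {mac}; confirm the firewall passes it")
```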

I would lean towards the ASA as well, and I can share the configuration tomorrow. But like I said, I am allowing ANY ANY IPv6 in both directions.

It’s L3 between the 3850 and the LAB with the ASA in-line, not a trunk.

interface BVI1
ip address 10.xx.xx.xx 255.255.255.0
ipv6 enable

access-list LAB_access_in line 3 extended permit ip any6 any6 (hitcnt=0) 0x912a122b
access-list LAN_access_in line 1 extended permit ip any6 any6 (hitcnt=119) 0xd9648078

Transparent ASA does show ipv6 neighbors correctly:

fw-5525# show ipv6 neighbor lab
IPv6 Address                              Age Link-layer Addr State Interface
fe80::c644:a0ff:fe0d:88e4                 259 c444.a00d.88e4  STALE LAB
fw-5525# show ipv6 neighbor lan
IPv6 Address                              Age Link-layer Addr State Interface
fe80::259:dcff:fe7c:d1db                  262 0059.dc7c.d1db  STALE LAN

Pretty basic and working elsewhere in my environment with an almost identical configuration, except different hardware in the path (still Cisco). But the LAB side is not able to bring up the adjacency.

Hello,

I admit I am not an ASA specialist. However, while you have shown us a BVI interface config and two lines from an ACL, I still do not see the interfaces where the ACL is applied. Do you think you could add this part of the ASA config?

Also, you have mentioned that the LAB side is unable to bring up the adjacency. Please let me ask you: Can you run any kind of debug or trace on the ASA box when the LAN side is trying to bring up the adjacency, to see if the ASA is truly dropping the packets? Ultimately, we need to either implicate or exonerate the ASA, but we need proof that we're truly looking in the correct direction.

Thank you!

Best regards,
Peter
