04-14-2011 04:06 AM - edited 03-01-2019 05:26 PM
Good day
We have a 7201 running IOS 12.4(4) with 2 ISPs connected, IPv4 connectivity is working as is IPv4 BGP. To this router we've added IPv6 and have been able to establish a neighbour relationship as well as an IPv6 BGP session with one of the ISPs
On the router
- the internal interface uses sub-interfaces and has IPv4 and IPv6 addresses bound to the same sub-interface, Gi0/2.50
- the external interface (Gi0/3) uses sub-interfaces as well, and both ISPs are on the same physical i/f but different sub-interfaces.
- Gi0/3.252 sub-interface is for ISP A and has IPv4 bound to it
- Gi0/3.752 sub-interface is for ISP A and has IPv6 bound to it
- Gi0/3.552 sub-interface is for ISP B and has both IPv6 and IPv4 bound to it
The connection to ISP A works fine for both IPv4 and IPv6. In IPv6 we can see the neighbour, ping it, setup BGP session and route IPv6 traffic
The connection to ISP B works fine for IPv4 but fails under IPv6.
If I watch the IPv6 neighbor table with repetitive "sho ipv6 nei" commands I see neighbour status change from PROBE, to DELAY, to INCMP, to not being in the table.
IPv6 Address Age Link-layer Addr State Interface
FE80::226:51FF:FECA:A4D3 0 0026.51ca.a4d3 REACH Gi0/3.752
2001:550:2:8::2:1 0 001d.e511.6000 DELAY Gi0/3.552 <------ sample entry in table
2607:FD78:302:1::1 0 0026.51ca.a4d3 REACH Gi0/3.752
FE80::250:56FF:FE80:3506 0 0050.5680.3506 STALE Gi0/2.50
2620:DD::250:56FF:FE80:3506 0 0050.5680.3506 REACH Gi0/2.50
While observing this I noted that the Gi0/3.552 sub-interface never appears to have a link-local address. The status then changes to PROBE, then INCMP, and then does not appear in the table.
The attached IPv6 debug snippet reflects this behaviour.
Any thoughts on why this is happening and how to correct? Shouldn't I see a local address in the neighbour table for the Gi0/3.552 sub-interface?
Thanks
Steve
04-14-2011 04:43 AM
Hi,
Can you post :
-sh run | s bgp
-sh ipv6 int g0/3.552
-sh bgp ipv6 unicast summary
-sh ip bgp ipv6 unicast neigh
Regards.
Alain.
04-14-2011 05:28 AM
As suggested, please see the output from the various sho commands below
BA-B227-RO01#sho run | sec bgp
router bgp 19764
bgp log-neighbor-changes
neighbor 2001:550:2:8::2:1 remote-as 174
neighbor 2607:FD78:302:1::1 remote-as 26677
neighbor 38.107.139.89 remote-as 174
neighbor 38.107.139.89 description Cogent's A Peer to BA router
neighbor 38.107.139.89 password 7 xxxxxxxxxxxxxxxxxx
neighbor 66.97.23.205 remote-as 26677
neighbor 66.97.23.205 description ORION - Advanced R&E Peer
neighbor 66.97.23.205 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
neighbor 66.209.49.13 remote-as 30147
neighbor 66.209.49.13 description ***Atria_Networks***
neighbor 66.209.49.13 password 7 xxxxxxxxxxxxxxxxxxxxxx
neighbor 66.209.49.13 timers 20 60
maximum-paths 6
!
address-family ipv4
redistribute static
no neighbor 2001:550:2:8::2:1 activate
no neighbor 2607:FD78:302:1::1 activate
neighbor 38.107.139.89 activate
neighbor 38.107.139.89 route-map COGENT-out out
neighbor 66.97.23.205 activate
neighbor 66.97.23.205 send-community
neighbor 66.97.23.205 prefix-list GC_Routes_out out
neighbor 66.97.23.205 route-map ORION-OUT out
neighbor 66.209.49.13 activate
neighbor 66.209.49.13 default-originate
neighbor 66.209.49.13 advertisement-interval 20
neighbor 66.209.49.13 prefix-list GC_Routes_out out
neighbor 66.209.49.13 route-map ATRIA-OUT out
maximum-paths 6
no auto-summary
no synchronization
network 192.139.153.16 mask 255.255.255.240
network 198.73.133.0
network 198.73.134.0
network 199.212.2.0
aggregate-address 192.139.153.0 255.255.255.0 summary-only
exit-address-family
!
address-family ipv6
neighbor 2001:550:2:8::2:1 activate
neighbor 2001:550:2:8::2:1 prefix-list GC_IPv6_routes_out out
neighbor 2607:FD78:302:1::1 activate
neighbor 2607:FD78:302:1::1 prefix-list GC_IPv6_routes_out out
network 2620:DD::/48
exit-address-family
!
address-family nsap
maximum-paths 6
no synchronization
exit-address-family
snmp-server enable traps bgp
BA-B227-RO01#
BA-B227-RO01#sho ipv6 int gi0/3.552
GigabitEthernet0/3.552 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::227:DFF:FE9A:A917
No Virtual link-local address(es):
Description: "Cogent Internet service"
Global unicast address(es):
2001:550:2:8::2:2, subnet is 2001:550:2:8::2:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF02:2
FF02::1:FF9A:A917
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
BA-B227-RO01#
BA-B227-RO01#sho bgp ipv6 uni sum
BGP router identifier 38.103.65.233, local AS number 19764
BGP table version is 101437, main routing table version 101437
5304 network entries using 790296 bytes of memory
5304 path entries using 403104 bytes of memory
66900/3881 BGP path/bestpath attribute entries using 8295600 bytes of memory
58695 BGP AS-PATH entries using 1590222 bytes of memory
186 BGP community entries using 5752 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 11084974 total bytes of memory
BGP activity 8971318/8617212 prefixes, 12341444/11976395 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:550:2:8::2:1
4 174 0 0 0 0 0 never Active
2607:FD78:302:1::1
4 26677 98859 11064 101437 0 0 1w0d 5303
BA-B227-RO01#
BA-B227-RO01#sho ip bgp ipv6 unicast nei
BGP neighbor is 2001:550:2:8::2:1, remote AS 174, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active
Last read 1w0d, last write 1w0d, hold time is 180, keepalive interval is 60 seconds
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 0 0
Notifications: 0 0
Updates: 0 0
Keepalives: 0 0
Route Refresh: 0 0
Total: 0 0
Default minimum time between advertisement runs is 30 seconds
For address family: IPv6 Unicast
BGP table version 101454, neighbor version 0/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Outgoing update prefix filter list is GC_IPv6_routes_out
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 1 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Connections established 0; dropped 0
Last reset never
No active TCP connection
BGP neighbor is 2607:FD78:302:1::1, remote AS 26677, external link
BGP version 4, remote router ID 66.97.18.19
BGP state = Established, up for 1w0d
Last read 00:00:10, last write 00:00:00, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv6 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 98866
Keepalives: 11064 11
Route Refresh: 0 0
Total: 11066 98878
Default minimum time between advertisement runs is 30 seconds
For address family: IPv6 Unicast
BGP table version 101454, neighbor version 101451/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Outgoing update prefix filter list is GC_IPv6_routes_out
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 1 5301 (Consumes 402876 bytes)
Prefixes Total: 1 109971
Implicit Withdraw: 0 97857
Explicit Withdraw: 0 6813
Used as bestpath: n/a 5301
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
prefix-list 94493 0
Suppressed duplicate: 0 15332
AS_PATH loop: n/a 1
Bestpath from this peer: 5270 n/a
Total: 99763 15333
Number of NLRIs in the update sent: max 1, min 1
Connections established 1; dropped 0
Last reset never
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 2607:FD78:302:1::2, Local port: 32189
Foreign host: 2607:FD78:302:1::1, Foreign port: 179
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x5949ADC24):
Timer Starts Wakeups Next
Retrans 11066 1 0x0
TimeWait 0 0 0x0
AckHold 22948 17433 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
iss: 2274602483 snduna: 2274812833 sndnxt: 2274812833 sndwnd: 31856
irs: 3457516074 rcvnxt: 3467046155 rcvwnd: 15202 delrcvwnd: 1182
SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 1668 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle
IP Precedence value : 6
Datagrams (max data segment is 1440 bytes):
Rcvd: 34705 (out of order: 0), with data: 23595, total data bytes: 9530080
Sent: 34487 (retransmit: 1, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 34487, total data bytes: 1589837
BA-B227-RO01#
12-01-2011 01:18 AM
Please be cautious about publishing parts of configs containing type 7 passwords.
These lines are easily decryptable.
As a piece of advice, please edit your post and remove this info.
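The warning above is worth making concrete. The following is an added example, not something posted in the thread: a small Python script that reverses an IOS `password 7` value (the scheme is a fixed-key XOR over a known 53-byte table, with the first two digits of the stored string giving the starting offset into that table) and a helper that blanks such values out of a config before it is shared. The sample string `094F471A1A0A` is constructed for the demo and is not one of the redacted passwords from the post.

```python
"""Reverse a Cisco IOS 'password 7' string and redact it from config text.

Added example, not part of the original thread. Type 7 is obfuscation, not
encryption: every value XORs the cleartext against the fixed key stream
below, starting at the offset given by the first two decimal digits. The
sample ciphertext in __main__ is constructed for this demo.
"""
import re

# Fixed key stream used by IOS for type 7 obfuscation (53 bytes).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Return the cleartext for a 'password 7' / 'key 7' value."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)          # two decimal digits: offset into _XLAT
    body = bytes.fromhex(encoded[2:])    # one hex byte per cleartext character
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 9) -> str:
    """Produce a 'password 7' string; included only to show the round trip."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    body = bytes(
        c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(clear.encode("ascii"))
    )
    return f"{seed:02d}{body.hex().upper()}"


def redact_type7(config_text: str) -> str:
    """Blank 'password 7 <hex>' and 'key 7 <hex>' values before a config is posted."""
    return re.sub(r"(\b(?:password|key)\s+7\s+)[0-9A-Fa-f]+", r"\1<removed>", config_text)


if __name__ == "__main__":
    sample = "094F471A1A0A"            # constructed: "cisco" obfuscated with seed 09
    print(type7_decode(sample))
    print(type7_encode("cisco", 9) == sample)
    print(redact_type7("neighbor 38.107.139.89 password 7 094F471A1A0A"))
```

If a type 7 string has been posted anywhere, treat the password as disclosed and change it; for BGP sessions that means coordinating a new MD5 key with the peer, not just editing the post.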
04-14-2011 06:50 AM
Hello
In looking at the output of the sho ipv6 interface commands, is the issue that both of the sub-interfaces generated the same link-local address since they are on the same physical link ?
BA-B227-RO01#sho ipv6 nei
IPv6 Address Age Link-layer Addr State Interface
FE80::226:51FF:FECA:A4D3 0 0026.51ca.a4d3 REACH Gi0/3.752
2001:550:2:8::2:1 0 001d.e511.6000 PROBE Gi0/3.552
2607:FD78:302:1::1 0 0026.51ca.a4d3 REACH Gi0/3.752
FE80::250:56FF:FE80:3506 0 0050.5680.3506 DELAY Gi0/2.50
2620:DD::250:56FF:FE80:3506 0 0050.5680.3506 REACH Gi0/2.50
BA-B227-RO01#sho ipv6 int gi0/3.552
GigabitEthernet0/3.552 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::227:DFF:FE9A:A917
No Virtual link-local address(es):
BA-B227-RO01#sho ipv6 int gi0/3.752
GigabitEthernet0/3.752 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::227:DFF:FE9A:A917
No Virtual link-local address(es):
I never see a link local address in the neighbour table for the gi0/3.552 sub-i/f, only the gi0/3.752 sub-i/f
Is there a way to bind a virtual link-local address to the i/f - or is it simply a regular assignment with an fe80 address?
What would happen if I bound an IPv6 address to the physical link, would I then possibly lose the assignment and operation on the gi0/3.752 since there would now be 3 i/fs trying to use the same link-local address?
thanks
steve
04-14-2011 07:02 AM
can you clear bgp peering with ISP B and then debug bgp ipv6 and post output
Regards.
Alain.
04-14-2011 07:46 AM
I've attached a larger amount as a file, see attached, but the line of interest is this one I believe
Apr 14 14:39:27.508: BGP: 2001:550:2:8::2:1 open failed: Connection timed out; remote host not responding, open active delayed 32928ms (35000ms max, 28% jitter)
which I believe points back to the lack of IPv6 connectivity to that site. I should mention that I can not ping the 2001:550:2:8::2:1 address on the other end, which led me to the IPv6 neighbour issue. IPv4 is operational and fine on this same link and vlan.
In the previous debugging I can see the remote end and my end trying to establish an IPv6 neighbour relationship but it never completes. It simply cycles from not being in the neighbour table, to status PROBE, DELAY or INCMP.
thanks
steve
04-14-2011 08:25 AM
I tried forcing the link-local address with these two commands to see if that made a difference
I tried this one first - ipv6 address fe80::227:dff:fe8a:a917 link-local
then I tried this one - ipv6 address fe80::227:dff:fe11:1111 link-local
in both cases the interface also had these two lines
ipv6 address 2001:550:2:8::2:2/112
ipv6 enable
after disabling and enabling ipv6 on the interface the output of sho int was
BA-B227-RO01#sho ipv6 int brief
FastEthernet0/0 [up/up]
GigabitEthernet0/0 [administratively down/down]
GigabitEthernet0/1 [administratively down/down]
GigabitEthernet0/2 [up/up]
GigabitEthernet0/2.1 [administratively down/down]
GigabitEthernet0/2.50 [up/up]
FE80::227:DFF:FE9A:A919
2620:DD::1:0:0:1
GigabitEthernet0/3 [up/up]
GigabitEthernet0/3.252 [up/up]
unassigned
GigabitEthernet0/3.552 [up/up]
FE80::227:DFF:FE11:1111
2001:550:2:8::2:2
GigabitEthernet0/3.752 [up/up]
FE80::227:DFF:FE9A:A917
2607:FD78:302:1::2
FastEthernet1/0 [administratively down/down]
BA-B227-RO01#
and the sho ipv6 nei command still shows no neighbour relationship with the remote end
BA-B227-RO01#
BA-B227-RO01#sho ipv6 nei
IPv6 Address Age Link-layer Addr State Interface
FE80::226:51FF:FECA:A4D3 0 0026.51ca.a4d3 DELAY Gi0/3.752
2001:550:2:8::2:1 0 001d.e511.6000 DELAY Gi0/3.552
2607:FD78:302:1::1 0 0026.51ca.a4d3 REACH Gi0/3.752
FE80::250:56FF:FE80:3506 0 0050.5680.3506 REACH Gi0/2.50
2620:DD::250:56FF:FE80:3506 0 0050.5680.3506 DELAY Gi0/2.50
BA-B227-RO01#
attached is debug ipv6 nd output
04-14-2011 12:27 PM
I don't think this is a link-local problem because you can put the same link-local address on different interfaces, and if you had a duplicate address problem then DAD would have detected it and put the interface in a DUP state, which is not the case here.
Gonna think your problem over and if I've got a solution I'll let you know.
Regards.
Alain.
04-14-2011 04:24 PM
Alain - thanks for giving this some thought - I've been scratching my head on this.
I'll update the link as we make progress on it
Steve
04-19-2011 01:49 PM
Could this be a firewall issue?
It has all of the trappings of a unidirectional link. Can you ping the router at ISP B?
Apr 14 15:21:03.476: ICMPv6-ND: Received NS for 2001:550:2:8::2:2 on GigabitEthernet0/3.552 from 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: DELETE -> INCMP: 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: INCMP -> STALE: 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: Sending NA for 2001:550:2:8::2:2 on GigabitEthernet0/3.552
Apr 14 15:21:03.476: ICMPv6-ND: STALE -> DELAY: 2001:550:2:8::2:1
Apr 14 15:21:07.996: ICMPv6-ND: REACH -> STALE: FE80::250:56FF:FE80:3506
Apr 14 15:21:08.476: ICMPv6-ND: DELAY -> PROBE: 2001:550:2:8::2:1
Apr 14 15:21:08.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:09.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:10.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
We receive an NS and send an NA, but when we send our own NS, we never get an NA reply? How can that be?
So, 2001:550:2:8::2:1 never goes into the reachable state....
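The pattern Phillip describes (NS from the peer answered, our own NS never answered, the entry cycling through DELAY and PROBE without reaching REACH) can be pulled out of a longer `debug ipv6 nd` capture mechanically. The script below is an added example, not part of the thread: it parses the state-transition and "Sending NS" lines in the format shown above and reports any target that is solicited repeatedly without ever having been REACH. The embedded log is constructed: the first ten lines are the excerpt from the post, the remaining lines for FE80::250:56FF:FE80:3506 (including a `PROBE -> REACH` transition in the same style) are made up to show what a healthy peer looks like.

```python
"""Spot neighbors that never become reachable in 'debug ipv6 nd' output.

Added example, not from the original thread. It reads ICMPv6-ND debug
lines of the form seen in the thread ("OLD -> NEW: <addr>" and
"Sending NS for <addr> on <intf>") and reports any target that keeps
being solicited without ever having entered REACH: the signature of a
one-way path or of a filter dropping the returning NA. SAMPLE_LOG is
constructed; the lines for FE80::250:56FF:FE80:3506 after the thread's
excerpt are made up to show a healthy peer.
"""
import re
from collections import defaultdict

_TRANSITION = re.compile(r"ICMPv6-ND: (\w+) -> (\w+): (\S+)")
_SEND_NS = re.compile(r"ICMPv6-ND: Sending NS for (\S+) on (\S+)")

# Constructed sample log; see module docstring.
SAMPLE_LOG = """\
Apr 14 15:21:03.476: ICMPv6-ND: Received NS for 2001:550:2:8::2:2 on GigabitEthernet0/3.552 from 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: DELETE -> INCMP: 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: INCMP -> STALE: 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: Sending NA for 2001:550:2:8::2:2 on GigabitEthernet0/3.552
Apr 14 15:21:03.476: ICMPv6-ND: STALE -> DELAY: 2001:550:2:8::2:1
Apr 14 15:21:07.996: ICMPv6-ND: REACH -> STALE: FE80::250:56FF:FE80:3506
Apr 14 15:21:08.476: ICMPv6-ND: DELAY -> PROBE: 2001:550:2:8::2:1
Apr 14 15:21:08.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:09.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:10.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:12.996: ICMPv6-ND: STALE -> DELAY: FE80::250:56FF:FE80:3506
Apr 14 15:21:17.996: ICMPv6-ND: DELAY -> PROBE: FE80::250:56FF:FE80:3506
Apr 14 15:21:17.996: ICMPv6-ND: Sending NS for FE80::250:56FF:FE80:3506 on GigabitEthernet0/2.50
Apr 14 15:21:18.001: ICMPv6-ND: PROBE -> REACH: FE80::250:56FF:FE80:3506
"""


def parse_nd_debug(text):
    """Return {target: {"ns_sent", "reached", "interface", "states"}} from debug text."""
    stats = defaultdict(lambda: {"ns_sent": 0, "reached": False, "interface": None, "states": []})
    for line in text.splitlines():
        m = _TRANSITION.search(line)
        if m:
            old, new, target = m.groups()
            entry = stats[target]
            entry["states"].append(new)
            if new == "REACH" or old == "REACH":   # reachable at some point in the capture
                entry["reached"] = True
            continue
        m = _SEND_NS.search(line)
        if m:
            target, intf = m.groups()
            stats[target]["ns_sent"] += 1
            stats[target]["interface"] = intf
    return dict(stats)


def unreachable_neighbors(text, min_probes=3):
    """Targets solicited at least min_probes times that were never REACH."""
    return sorted(
        t for t, s in parse_nd_debug(text).items()
        if s["ns_sent"] >= min_probes and not s["reached"]
    )


if __name__ == "__main__":
    for target, s in parse_nd_debug(SAMPLE_LOG).items():
        print(f"{target:28} NS sent={s['ns_sent']} reached={s['reached']} via {s['interface']}")
    print("suspects:", unreachable_neighbors(SAMPLE_LOG))
```

The default threshold of three matches RFC 4861's MAX_UNICAST_SOLICIT: a node gives up and deletes the entry after three unanswered unicast solicitations, which is exactly the PROBE-then-gone cycle Steve sees in `sho ipv6 nei`. Run it over a capture that spans a few of those cycles, since an entry that was REACH long before the capture started would be missed otherwise.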
04-20-2011 07:50 AM
Hello Phillip
Thanks for the ideas. No, I cannot ping the ISP B interface over IPv6; the same link and sub-interface with IPv4 pings fine. PING was my first attempt, and when it didn't ping I went to see if it had formed a neighbor relationship on the link, and it hadn't.
Yes, it does look like a unidirectional link, or FW issue, but there is no FW or ACLs in place on the link between the 2 sites. ISP B is on a vlan/subinterface on my end, carried by a RAN to a demarc, and broken out onto a switch access port to connect to ISP B's physical interface. IPv4 traffic to ISP B on the same sub-interface is fine.
Steve
04-20-2011 10:59 AM
Is it possible that you can add another device (any IPv6 device!) on to that VLAN and see if you can successfully ping? This will help to identify if the problem is on your side or the ISP's side.
Have you contacted the ISP? Maybe they have a configuration issue?
04-20-2011 08:11 PM
Phillip - I like that idea of putting an additional device on line in the path. I'm going to ask the RAN/carrier to put a device on the vlan mid way and see which, if either end they can see.
thanks for the idea
steve
04-21-2011 12:02 AM
Yes, the excess amount of IP addresses makes such tests very easy compared to IPv4!!
I thought a little more and wondered if the ISP might have an access list blocking ICMPv6 packets. A bad habit from the IPv4 days was to add a "deny any any" at the end of every IP access list "just in case" even though there was an implicit deny at the end of every list.
At the end of an IPv6 access list, there is a more complex "implicit" ending
If the ISP added an explicit "deny IPv6 any any" on their access lists, they actually BREAK IPv6 neighbor discovery, since the implicit exceptions for ICMPv6 neighbor discovery would be overridden.
Earl Carter wrote a nice blog on the topic at
http://blogs.cisco.com/security/securing-ipv6/
Ask them to inspect their access lists, and either remove any explicit deny at the end (if they have it) or be sure to add in the ICMP ND exceptions.
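To make the ACL point checkable rather than a matter of reading a config by eye: an IOS IPv6 ACL ends with three implicit entries, `permit icmp any any nd-na`, `permit icmp any any nd-ns` and `deny ipv6 any any`, and configuring your own catch-all deny replaces all three, so ND is only allowed if it was permitted explicitly above that line. The script below is an added example, not from the thread or from the ISP: a small linter that reads IOS-style IPv6 ACL text, flags a catch-all `deny ipv6 any any` or `deny icmp any any` that is not preceded by explicit nd-ns/nd-na permits, and produces the corrected list. The ACL named CUSTOMER-IN is constructed to illustrate the IPv4-era habit; nothing is known about ISP B's actual filter.

```python
"""Lint an IOS IPv6 ACL for an explicit catch-all deny that breaks ND.

Added example, not from the original thread. IOS appends three implicit
entries to every IPv6 ACL (permit icmp any any nd-na, permit icmp any any
nd-ns, deny ipv6 any any). An explicit "deny ipv6 any any" or "deny icmp
any any" takes their place, so NS/NA are dropped unless permitted above
it. BROKEN_ACL is constructed for the demo; the ACL name and the use of
the thread's peering address are hypothetical.
"""
import re

# Constructed: an edge filter written with the IPv4 "deny any any" habit.
BROKEN_ACL = """\
ipv6 access-list CUSTOMER-IN
 permit tcp any host 2001:550:2:8::2:1 eq bgp
 permit icmp any any echo-request
 deny ipv6 any any log
"""

ND_PERMITS = ("permit icmp any any nd-ns", "permit icmp any any nd-na")
_CATCH_ALL_DENY = re.compile(r"^\s*deny\s+(ipv6|icmp)\s+any\s+any\b")


def _nd_term(line):
    """Return 'nd-ns' / 'nd-na' if the entry is an explicit ND permit, else None."""
    words = line.split()
    if words[:4] == ["permit", "icmp", "any", "any"] and len(words) > 4 and words[4] in ("nd-ns", "nd-na"):
        return words[4]
    return None


def lint_ipv6_acl(acl_text):
    """Return a list of problems; an empty list means ND survives this ACL."""
    problems = []
    seen = set()
    for num, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.strip()
        term = _nd_term(line)
        if term:
            seen.add(term)
        elif _CATCH_ALL_DENY.match(raw):
            missing = [t for t in ("nd-ns", "nd-na") if t not in seen]
            if missing:
                problems.append(
                    f"line {num}: '{line}' overrides the implicit ND permits; "
                    f"missing explicit permit for {', '.join(missing)}"
                )
            break  # nothing after a catch-all deny is reachable
    return problems


def fix_ipv6_acl(acl_text):
    """Insert the missing ND permits directly above the first catch-all deny."""
    out, seen, inserted = [], set(), False
    for raw in acl_text.splitlines():
        term = _nd_term(raw.strip())
        if term:
            seen.add(term)
        if not inserted and _CATCH_ALL_DENY.match(raw):
            for entry in ND_PERMITS:
                if entry.split()[-1] not in seen:
                    out.append(" " + entry)
            inserted = True
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in lint_ipv6_acl(BROKEN_ACL):
        print("PROBLEM:", p)
    print(fix_ipv6_acl(BROKEN_ACL))
```

The check only covers the two ND message types IOS permits implicitly; a filter that is meant to pass router advertisements or solicitations across the link needs those permitted explicitly as well, and the ACL must be examined in the direction the neighbour advertisements are received, since a unidirectional drop of the NA is enough to produce the DELAY/PROBE cycle seen in the debug output.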