Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10403
Views
0
Helpful
9
Replies

Unable to ping with IPv6 (Cisco ASA)

Kooopobol
Level 1
Level 1

‎03-02-2012 12:34 AM - edited ‎03-01-2019 05:33 PM

Hi,

Firstable, know that I am a beginner in the IPv6 world..

My ISP just gave me an IPv6 block : 2A01:XXXX:1: 100::/56

I have a Cisco ASA running behind my ISP router (see the attached schema)..

The internal interface of the ISP router is configured like this :

interface BVI1

ipv6 address

2A01:XXXX:1:100::1/56

ipv6 enable

no ipv6 redirects

ipv6 nd other-config-flag

ipv6 dhcp server LANv6-Stateless

end

The outside interface of the ASA is configured like this :

asafirewall# sh ipv6 int outside
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21b:53ff:feff:7ca
  Global unicast address(es):
    2a01:XXXX:1:100::2, subnet is 2a01:XXXX:1:100::/56
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:2
    ff02::1:ffff:7ca
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

The default route is also configured :

S   ::/0 [1/0]

     via 2a01:XXXX:1:100::1, outside

When I try to ping my ISP router (or other internet IPv6 host) from the ASA, I have the following in the logging tab :

"

Src IP : 2a01:XXXX:1:100::2    Src Port : 0 Dst IP : ff02::1:ff00:1 Dst Port : 0 

Built outbound ICMP connection for faddr ff02::1:ff00:1/0 gaddr 2a01:XXXX:1:100::2/0 laddr 2a01:XXXX:1:100::2/0

"

I don't really understand why my ping goes to the multicast address "ff02::1:ff00:1/0" instead of "2a01:XXXX:1:100::1"..

Any idea ?

PS : Excuse my English

Thanks

Labels:
Preview file
17 KB
0 Helpful
9 Replies 9

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎03-02-2012 01:37 AM

Any IPv6 device is subscribed to multiple multicast groups.

On your ASA you can see:

    ff02::1
    ff02::2
    ff02::1:ff00:2
    ff02::1:ffff:7ca

Your ASA with IPv6 address of ....:1 will be subscribed to ff02::1:ff00:1 this is called solicited node multicast address.

Marcin

0 Helpful

Kooopobol
Level 1
Level 1
In response to Marcin Latosiewicz

‎03-02-2012 02:25 AM

Thanks for your answer Marcin.

But I don't understand why the ping fails (from ::2 to ::1 ).. Have I missed something in the configurations ?

(access-lists permit all ipv6 traffic)

Thanks a lot

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Kooopobol

‎03-02-2012 02:41 AM

First thing (if you don't want to sniff) I would check is if both sides have their neighborship table populated properly :-)

show ipv6 neigh

I guess they don't but if they do you need to check sniffer trace for actual ICMP echo request and echo reply.

M.

0 Helpful

Kooopobol
Level 1
Level 1
In response to Marcin Latosiewicz

‎03-02-2012 06:10 AM

I don't have access to the ISP router..


As you guessed, the neighbor table is empty on the ASA side.

When I ping from the ASA, the request always go to ff02::1:ff00:1 (instead of the IPv6 destination address specified in the ping command).

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Kooopobol

‎03-05-2012 05:21 AM

Are you sure the ISP has IPv6 enabled on their interface? If they do, "show ipv6 neigh" should show your ASA as having been informed of their address via neighbor discovery.

I tend to fall back on an Internet-based IPv6 proxy (like http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php ) to check reachability of systems / isolate any configuration errors on my part.

0 Helpful

Kooopobol
Level 1
Level 1
In response to Marvin Rhoads

‎03-08-2012 01:04 AM

"sh ipv6 neigh" return an empty table on both sides..

My ISP replaced the /56 mask by /64 one but the ping between both still not working..

The ISP router can ping IPv6 hosts (on internet).

Here is "sh ipv6 interface" on the ISP router :

ISP_Router#sh ipv6 interface
BVI1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::219:56FF:FED7:1A5A
  No Virtual link-local address(es):
  Global unicast address(es):
    2A01:XXXX:1:100::1, subnet is 2A01:XXXX:1:100::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF02::1:FFD7:1A5A
    FF05::1:3
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are disabled
  ICMP unreachables are sent
  ND DAD is not supported
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.
  Hosts use DHCP to obtain other configuration.

Here is "sh ipv6 interface" on the ASA :

asafirewall(config)# sh ipv6 interface
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21b:53ff:feff:7ca
  Global unicast address(es):
    2a01:XXXX:1:100::2, subnet is 2a01:XXXX:1:100::/64
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:2
    ff02::1:ffff:7ca
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

asafirewall(config)# ping 2a01:c910:1:100::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2a01:c910:1:100::1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

See the attached image (ping logging).

I don't know what to do..

Thanks.

Preview file
258 KB
0 Helpful

zhenningx
Level 4
Level 4

‎03-25-2012 09:16 AM

Hi Armand,

The behaviour you saw is normal. When you ping another host, the first step is always to find the hardware address of the host. In IPV4, it is done by ARP. In IPv6, it is done by ND. The source first sends a ICMP packet to the solicated address of the destination host. Because the destination host joins its solicited multicast address, it will recieve it and reply with its hardware address. That is why you see the icmp packet sent to ff02::1:ff00:1 which is the solicited address of the destination.

I recommend you to connect two IPv6 computers to a hub and try ping each other and sniffer the packets. Then you will see the packet flows.

If you find this post is helpful, pls rate.

Zhenning

0 Helpful

Kooopobol
Level 1
Level 1
In response to zhenningx

‎03-29-2012 05:38 AM

Thanks for your answer,

I can see NS request from the ASA to the ISP router, but there is no response.

I forgot to say that the interface on the ISP side is a BVI...

Would there be some incompatibilities with IPv6 on a BVI ?

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to Kooopobol

‎03-29-2012 11:15 AM

Hi,

IPv6 is supported on  BVI only on  15.1(2)T1 or later.

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card