ASA to allow hop limit of 0 for IPv6

jgenender (Level 1)

I have a Cisco ASA 5512-X and it is discarding any IPv6 packets on the ingress interface. In particular I have an ISP (Comcast) that sends DHCPv6 Advertise and Reply XIDs with a hop limit of 0. I reported it to them, but they told me to pound sand and they won't fix it. The interesting point of this is that I believe the 5506X will accept the hop limit at 0, but the 5512X will not (strange).

I would like to know if there is a way to have the ASA set to not discard packets with a hop limit of 0. I looked in TCP options, etc., and I cannot find anything that would allow it. The ACLs don't appear to provide that capability either.

Does anyone know of a way to have the firewall accept IPv6 packets with a hop limit of 0 into the ingress interface so that I may process the DHCPv6 packets?

16 Replies

Confirmed the same problem (behavior by design) exists on the 5506. Also curious if the problem could lie in the Arris 6183 firmware and not on Comcast's upstream routers.

Thanks for that update. It's important to know the same issue exists on the 5506X. Do you have an SB6183? I saw some posts over on Reddit stating they can make a 5506X work with Comcast... but never got their modem.

Not sure if it is indeed the modem, as the RA packets are coming in with a 255 hop limit on the ICMPv6 packets, which is consistent with the RFC. It's the DHCPv6 that appears to be the problem. But it is possible it's the modem.... wish I had another manufacturer to try out. ;-)

Using a SB6183 as well. Good eye on the RA packets. Seeing the same on my captures. Initially overlooked that.

Wouldn't surprise me if it is a Comcast issue. Their support naturally wanted to point the blame at the "customer owned modem". I have a tech coming out tomorrow for an outage that has since been corrected. Will try and run that by him to see if there is anything that can be done...Not holding my breath though.

Do a packet dump and show the tech.  They actually can get stuff done.  I got to tier 3 with a ticket, but they shut it down and said they will not escalate it to engineering since I am not a "Business" customer.  I am residential, so I was told to pound sand.

You can probably have the tech try an SMC to see if that changes things. They usually have a stock of modems in the truck. I would love to know if the modem is the issue (although I doubt it since we aren't getting decrements in the other packets).

Good luck and please let us know what you find.

In the mean time I can go over to Reddit and ask what modem the guy who is getting the 5506X working uses.

I chatted with the guy at Reddit.

He has residential Comcast and is in the Minneapolis area.  His modem is a Zoom 5370.  I asked him if he can do a packet dump and look at the Advertisement and Reply XIDs and let me know the hop count.

Until I get the packet dump to see what is up, my thought is it is either the SB6183 causing the hop limit to go to zero or it's the region deployment of Comcast. I am in Colorado.

I am in south florida. Going to get a capture when connected to a Netgear modem on their business service. Will keep you posted.

Hi greenturtlesteak, any update?

Ran a packet capture today while connected to a business Netgear modem/router and didn't get a single DHCPv6 packet.

The problem is likely that the device is functioning as a full router and not a bridge like my modem at home is. In any case, it does seem to be the node that I am connected to that contains this bug in its software. No level of escalating with Comcast is likely to get them to upgrade the software on that system, so I'll just wait it out and at some point in the future they might fix the issue.

Ok... more info... the Reddit guy graciously did a packet dump and it looks as if Comcast is sending a hop limit of 255 back from their router, which is why it's working for him.

Hence, it's either the modem or it is definitely a geographical issue with Comcast.

I await your response on your modem as that should hopefully narrow this down to being modem or Comcast region specific.

jgenender (Level 1)

Quick update to this. The problem is in the Arris CMTS and they have patched the hop limit to be > 0. It will eventually be rolled out to customers after Comcast has gone through testing.

That said, this must eventually fall on Cisco to allow an IPv6 packet with a hop limit of 0 to be processed. RFC 8200 was released, which supersedes RFC 2460. There is a significant change:

https://tools.ietf.org/html/rfc2800

Page 6: "When forwarding, the packet is discarded if Hop Limit was zero when received or is decremented to zero. A node that is the destination of a packet should not discard a packet with Hop Limit equal to zero; it should process the packet normally."

Therefore, if the Cisco ASA is the destination, it should accept a packet with a hop limit of 0.

One more update. It appears that RFC 8200 was ratified as a standard for IPv6. Turns out the providers are doing it correctly (as of July 2017).

This now falls on Cisco, as the ASAs are now NOT compliant with the IPv6 RFC 8200 standard. The new spec on page 6 states:

A node that is the destination of a packet should not discard a packet with Hop Limit equal to zero; it should process the packet normally.

So far it appears Juniper has gone back and enabled all of their firmware to allow a hop limit of 0 for IPv6 on a destination packet. Cisco has yet to enable this, and since this is the standard, I think this is now considered a full-on bug on Cisco's part. This one is fairly critical since TWC and Comcast currently send IPv6 hop limit = 0 on their DHCP packets.
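The RFC 8200 rule quoted in the post above, as an added example that is not part of this thread or of any vendor's code: a small pure-Python parser that pulls the hop limit, DHCPv6 message type and transaction ID out of raw Ethernet/IPv6/UDP frames (the check the posters were doing by hand in their packet dumps) and then applies the destination-versus-forwarder rule. The sample frames, link-local addresses and transaction ID are constructed for the example, and the `strict_discard_at_zero` flag is an assumption that models the ASA behaviour described in the thread (discarding at hop limit 0 even when it is the destination), not any documented Cisco option.

```python
"""
Added example (not from the original thread): parse raw IPv6/UDP frames,
report the hop limit of DHCPv6 Advertise/Reply messages, and apply the
RFC 8200 receiving rule ("a node that is the destination of a packet
should not discard a packet with Hop Limit equal to zero").

Assumptions: the frames below are hand-built samples, not captures;
the UDP checksum is left at 0 and not validated; no IPv6 extension
headers are handled.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_UDP = 17
DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547
DHCPV6_MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}


def build_frame(src, dst, hop_limit, sport, dport, payload,
                dst_mac=b"\x00" * 6, src_mac=b"\x00" * 6):
    """Construct Ethernet + IPv6 + UDP around a payload (sample data only)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # checksum 0: not computed
    # Version 6, traffic class 0, flow label 0; then payload length, next header, hop limit.
    ip6 = struct.pack("!IHBB", 0x60000000, udp_len, NEXT_HEADER_UDP, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + udp


def parse_ipv6_udp_frame(frame: bytes) -> dict:
    """Return src, dst, hop limit, ports and (if DHCPv6) message type and XID.
    Raises ValueError for frames that are not plain IPv6/UDP."""
    if len(frame) < 14 + 40 + 8:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        raise ValueError("not IPv6")
    ip6 = frame[14:54]
    # Hop limit is byte 7 of the IPv6 header (the same byte tcpdump's 'ip6[7]' matches).
    _payload_len, next_header, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_header != NEXT_HEADER_UDP:
        raise ValueError("no UDP directly after the IPv6 header")
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", frame[54:62])
    data = frame[62:62 + ulen - 8]
    info = {
        "src": ipaddress.IPv6Address(ip6[8:24]),
        "dst": ipaddress.IPv6Address(ip6[24:40]),
        "hop_limit": hop_limit,
        "sport": sport,
        "dport": dport,
    }
    if {sport, dport} & {DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT} and len(data) >= 4:
        # DHCPv6 header: 1-byte msg-type followed by a 3-byte transaction ID.
        info["dhcpv6_msg"] = DHCPV6_MSG_TYPES.get(data[0], f"type-{data[0]}")
        info["dhcpv6_xid"] = int.from_bytes(data[1:4], "big")
    return info


def receive_decision(hop_limit: int, is_destination: bool,
                     strict_discard_at_zero: bool = False) -> str:
    """RFC 8200: a forwarder discards if Hop Limit was 0 on receipt or
    becomes 0 after decrement; the destination processes normally.
    strict_discard_at_zero is an assumed flag modelling the ASA behaviour
    reported in the thread (drop at 0 even as the destination)."""
    if is_destination:
        if hop_limit == 0 and strict_discard_at_zero:
            return "discard"
        return "process"
    return "discard" if hop_limit <= 1 else "forward"


# Constructed samples: an Advertise with hop limit 0 (what the original poster
# saw) and a Reply with hop limit 255 (what the Reddit user's capture showed).
SAMPLE_FRAMES = [
    build_frame("fe80::1", "fe80::2", 0, DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT,
                bytes([2, 0x12, 0x34, 0x56])),
    build_frame("fe80::1", "fe80::2", 255, DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT,
                bytes([7, 0x12, 0x34, 0x56])),
]


def audit(frames):
    """For each DHCPv6 frame: (msg type, XID, hop limit, RFC 8200 decision as destination)."""
    results = []
    for frame in frames:
        try:
            p = parse_ipv6_udp_frame(frame)
        except ValueError:
            continue
        if "dhcpv6_msg" not in p:
            continue
        results.append((p["dhcpv6_msg"], p["dhcpv6_xid"], p["hop_limit"],
                        receive_decision(p["hop_limit"], is_destination=True)))
    return results


if __name__ == "__main__":
    for msg, xid, hlim, decision in audit(SAMPLE_FRAMES):
        print(f"{msg} xid=0x{xid:06x} hop_limit={hlim} -> {decision}")
```

On a live capture the same check can be done without a parser: `tcpdump -ni <ifname> -v 'ip6[7] = 0 and udp and (port 546 or port 547)'` matches exactly the DHCPv6 packets whose hop limit byte is 0, which is the evidence the posters were asked to show the ISP technician.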

Does anyone have the bug ID so we can track this and know when it is fixed?

Cisco made one yesterday with some help from community members over on the Comcast forums.

Bug is CSCvi46759

Lets hope Cisco gets a patch for this really soon.

Any update on this?

I had the same problem with a Juniper SRX, but Juniper has this option:

set system internet-options no-ipv6-reject-zero-hop-limit

Setting that resolved my IPv6 problems with Spectrum. Maybe there is a similar setting in the ASA?
