3346 Views, 0 Helpful, 16 Replies

ASA to allow hop limit of 0 for IPv6

jgenender (Level 1)

I have a Cisco ASA 5512-X and it is discarding any IPv6 packets on the ingress interface.  In particular I have an ISP (Comcast) who sends DHCPv6 advertisement and reply XIDs with a hop limit of 0.  I reported it to them, but they told me to pound sand and they won't fix it.  The interesting point of this is that I believe the 5506X will accept the hop limit at 0, but the 5512X will not (strange).

I would like to know if there is a way to have the ASA set to not discard packets with a hop limit of 0.  I looked in TCP options, etc. and I cannot find anything that would allow it.  The ACLs don't appear to provide that capability either.

Does anyone know of a way to have the firewall accept IPv6 packets with a hop limit of 0 into the ingress interface so that I may process the DHCPv6 packets?

16 Replies

farkdotcom (Level 1)

CSCvi46759 is fixed (finally) in 9.10(1)
I have posted this in a couple of places... I was able to get it working on 9.10.1.

I can verify the following for IPv6 DHCP on Comcast/Xfinity:

Cisco ASA 9.8 and 9.9 do not have the bug fix in them as of 11/8/2018.
- Verified 9.8.3 by code load on an ASA5516x: doesn't work. Also no mention of the RFC 8200 fix.
- Verified 9.9.2 by looking at the release notes: no mention of the RFC 8200 fix.

Only 9.10.1 has the fix, as previously verified by other users.

If you want to check the release notes in the future, check out this link:
https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-release-notes-list.html

Search for: CSCvi46759 Allow ASA to process packet with hop limit of 0 (Follow RFC 8200)


My CMTS in Chicago has not been upgraded with the bug fix that has been discussed in this and other threads, where the DHCPv6 packet from the ARRIS CMTS has a Hop Limit of 0, which is an ARRIS bug. Cisco ASA will drop this packet; do a show asp drop to verify. Cisco has only implemented RFC 8200 on the 9.10.1 version of code, which allows the Hop Limit to be 0.

ASA Comcast IPv6 DHCPd Working Config and show commands. ASA Version 9.10.1
---------------------------------------------------------------------------
Gi1/1 - Outside Comcast interface (Received a /60)
Gi1/2 - Inside LAN interface
DHCP is configured for IPv4 LAN
IPv6 LAN Addressing is autoconfig

Sorry i blocked out my IPv4/IPv6 and MAC addresses with xxxx

interface GigabitEthernet1/1
description Comcast Internet
nameif outside
security-level 0
ip address dhcp setroute
ipv6 address dhcp default
ipv6 enable
ipv6 nd suppress-ra
ipv6 dhcp client pd hint ::/56
ipv6 dhcp client pd From-Comcast

interface GigabitEthernet1/2
description LAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ipv6 address From-Comcast ::1/64
ipv6 address autoconfig
ipv6 enable
!
dhcpd auto_config inside interface outside
!
dhcpd address 192.168.1.101-192.168.1.199 inside
dhcpd lease 86400 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
**auto-config from interface 'outside'
**auto_config dns 75.75.75.75 75.75.76.76
**auto_config domain xxx.il.comcast.net.
Firewall# show interface g1/1
Interface GigabitEthernet1/1 "outside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: Comcast Internet
MAC address 500f.80xx.xxxx, MTU 1500
IP address 73.22.xx.xx, subnet mask 255.255.254.0
27381 packets input, 16521726 bytes, 0 no buffer
Received 198 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
24054 packets output, 5208726 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (2009/1912)
output queue (blocks free curr/low): hardware (2047/2040)
Traffic Statistics for "outside":
27379 packets input, 16011367 bytes
24054 packets output, 4742192 bytes
2259 packets dropped
1 minute input rate 3 pkts/sec, 700 bytes/sec
1 minute output rate 4 pkts/sec, 876 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 14 pkts/sec, 7929 bytes/sec
5 minute output rate 13 pkts/sec, 3017 bytes/sec
5 minute drop rate, 0 pkts/sec


Firewall# sh ipv6 interface outside
outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::520f:xxxx:xxxx:166
Global unicast address(es):
2001:558:xxxx:xxxx:xxxx:xxxx:xxxx:286b, subnet is 2001:558:xxxx:xxxx:xxxx:xxxx:xxxx:286b/128
Joined group address(es):
ff02::1:ff06:286b
ff02::2
ff02::1:ffc0:166
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.
Firewall# sh ipv6 interface inside
inside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::520f:xxxx:xxxx:167
Global unicast address(es):
2601:xxxx:xxxx:xxx0::1, subnet is 2601:xxxx:xxxx:xxx0::/64
Joined group address(es):
ff02::1:ff00:1
ff02::1:ffc0:167
ff02::2
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
Firewall# show ipv6 dhcp interface outside

GigabitEthernet1/1 is in client mode
Prefix State is OPEN
Renew will be sent in 1d23h
Address State is OPEN
Renew for address will be sent in 1d23h
List of known servers:
Reachable via address: fe80::201:xxxx:xxxx:9a46
DUID: 000100011xxxxxxxxxxxxxxCC
Preference: 0
Configuration parameters:
IA PD: IA ID 0x00020001, T1 172800, T2 276480
Prefix: 2601:xxxx:xxxx:xxx0::/60
preferred lifetime 345600, valid lifetime 345600
expires at Nov 12 2018 12:19 AM (344444 seconds)
IA NA: IA ID 0x00020001, T1 172800, T2 276480
Address: 2001:558:xxxx:xxxx:xxxx:xxxx:xxxx:286b/128
preferred lifetime 345600, valid lifetime 345600
expires at Nov 12 2018 12:19 AM (344456 seconds)
DNS server: 2001:558:feed::1
DNS server: 2001:558:feed::2
Information refresh time: 0
Prefix name: From-Comcast
Prefixes sent as hint:
::/56


See the IPv6 address Leased out to the LAN

Firewall# show ipv6 neighbor
IPv6 Address                              Age  Link-layer Addr  State  Interface
2601:xxxx:xxxx:xxx0:3xxx:xxxx:xxxx:xxx3     9  70xx.xxxx.xxxa   STALE  inside
2601:xxxx:xxxx:xxx0:6xxx:xxxx:xxxx:xxx6     3  74xx.xxxx.xxxd   STALE  inside
fe80::xxxx:xxxx:xxxx:xxx6                   1  00xx.xxxx.xxx6   STALE  outside
fe80::xxxx:xxxx:xxxx:xxx3                   1  18xx.xxxx.xxxb   STALE  inside
fe80::xxxx:xxxx:xxxx:xxxb                  11  74xx.xxxx.xxxd   STALE  inside

Firewall# show dhcpd binding

IP address     Client Identifier   Lease expiration  Type
192.168.1.101  0190.xxxx.xxxx.x1   85313 seconds     Automatic
192.168.1.102  0170.xxxx.xxxx.xa   85323 seconds     Automatic
192.168.1.103  0134.xxxx.xxxx.xe   85525 seconds     Automatic

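The rule behind both the original question and the CSCvi46759 fix described above is RFC 8200 section 3: a node that forwards an IPv6 packet discards it if the Hop Limit was 0 on receipt (or is decremented to 0), but a node that is the packet's destination must process a Hop Limit 0 packet normally. A DHCPv6 Advertise/Reply from the CMTS is addressed to the ASA's own link-local address, so the ASA is the destination, not a forwarder, and dropping it on ingress is the pre-RFC 8200 behaviour the thread reports. The following is an added example, not code from the thread or from Cisco: it builds a minimal IPv6/UDP frame shaped like that DHCPv6 Advertise (server port 547 to client port 546, Hop Limit 0), parses the fixed header, and applies the forward/deliver/drop decision both ways. The addresses, transaction ID and the `rfc8200` toggle are constructed assumptions for illustration; the function and constant names are this example's own.

```python
"""RFC 8200 vs. pre-RFC 8200 handling of a received IPv6 packet with Hop Limit 0.

Added example, not from the thread.  All addresses and payload bytes below are
constructed placeholders (fe80::1 / fe80::2, a dummy DHCPv6 transaction ID).
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_UDP = 17
DHCPV6_CLIENT_PORT = 546   # RFC 8415: clients listen on 546, servers on 547
DHCPV6_SERVER_PORT = 547
DHCPV6_ADVERTISE = 2       # RFC 8415 message type for Advertise


def build_ipv6_udp(src, dst, sport, dport, payload, hop_limit):
    """Assemble IPv6 fixed header (next header 17 = UDP) + UDP header + payload.

    The UDP checksum is left at 0; the example only exercises header parsing.
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ver_tc_flow = 6 << 28                      # version 6, TC 0, flow label 0
    hdr = struct.pack("!IHBB", ver_tc_flow, len(udp), NEXT_HEADER_UDP, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + udp


def parse_ipv6(pkt):
    """Return the header fields a receiver needs for the Hop Limit decision."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_flow, payload_len, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "hop_limit": hlim,                      # byte 7 of the fixed header
        "next_header": nxt,
        "payload_len": payload_len,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }
    if nxt == NEXT_HEADER_UDP and len(pkt) >= IPV6_HDR_LEN + 8:
        sport, dport, _, _ = struct.unpack("!HHHH", pkt[40:48])
        info["udp"] = (sport, dport)
        # DHCPv6 msg-type is the first byte after the UDP header (RFC 8415 s.8)
        if dport == DHCPV6_CLIENT_PORT and len(pkt) > 48:
            info["dhcpv6_msg_type"] = pkt[48]
    return info


def receive_decision(pkt, local_addrs, rfc8200=True):
    """Decide what a node does with a packet arriving on one of its interfaces.

    RFC 8200 s.3: only a *forwarding* node discards a packet whose Hop Limit
    is 0 on receipt or becomes 0 after decrement; the destination node
    processes a Hop Limit 0 packet normally.  rfc8200=False models the older
    behaviour the thread reports for ASA releases before 9.10(1): any
    Hop Limit 0 packet is dropped on ingress, destination or not.
    Returns "deliver", "forward" or "drop".
    """
    info = parse_ipv6(pkt)
    is_local = info["dst"] in {ipaddress.IPv6Address(a) for a in local_addrs}
    if info["hop_limit"] == 0:
        return "deliver" if (is_local and rfc8200) else "drop"
    if is_local:
        return "deliver"
    # forwarding path: decrement, discard if that reaches 0
    return "forward" if info["hop_limit"] - 1 > 0 else "drop"


def bpf_hop_limit_zero_filter():
    """tcpdump/BPF expression for spotting the offending packets on the wire.

    ip6[7] is the Hop Limit byte of the fixed header (same offset parse_ipv6
    reads); restricting to the DHCPv6 client port isolates Advertise/Reply.
    """
    return "ip6[7] == 0 and udp dst port %d" % DHCPV6_CLIENT_PORT


if __name__ == "__main__":
    # Constructed DHCPv6 Advertise: msg-type 2 + 3-byte transaction ID, no options.
    advertise = bytes([DHCPV6_ADVERTISE, 0x12, 0x34, 0x56])
    pkt = build_ipv6_udp("fe80::1", "fe80::2", DHCPV6_SERVER_PORT,
                         DHCPV6_CLIENT_PORT, advertise, hop_limit=0)
    print(parse_ipv6(pkt))
    print("destination, RFC 8200:", receive_decision(pkt, {"fe80::2"}))
    print("destination, pre-8200:", receive_decision(pkt, {"fe80::2"}, rfc8200=False))
    print("transit node:         ", receive_decision(pkt, {"fe80::9"}))
    print("tcpdump filter:       ", bpf_hop_limit_zero_filter())
```

To confirm the condition on a live link before blaming the firewall, run the returned filter with tcpdump on a host or tap upstream of the ASA (`tcpdump -ni <if> 'ip6[7] == 0 and udp dst port 546'`) and compare with `show asp drop` on the ASA as the post above suggests; a matching capture plus a rising drop counter is the evidence that the ingress drop, not the ISP's DHCPv6 server, is what stops the lease.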