Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1380
Views
10
Helpful
10
Replies

Cisco ASA IPV6 Issues when LAN machines try to ping

Go to solution
cogenyk
Level 1
Level 1

‎09-23-2021 03:49 PM

I am setup to get IPV6 over DHCP with my ISP, i can access the internet and ping IPv6 from the console but not the local machines, i think maybe i have a routing issue or something, im not sure.

Ive linked a paste bin with several run's of debugging commands.

https://pastebin.pl/view/3234a346

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Harold Ritter
Level 12
Level 12
In response to cogenyk

‎09-24-2021 04:26 PM

Hi @cogenyk ,

 

You first need to validate that you do receive the delegated prefix from the service provider using the following command:

 

show ipv6 general-prefix

 

you then need to apply that delegated prefix to the inside interface in the following way and remove the extra unnecessary command.

 

interface GigabitEthernet0/1

 ipv6 address Outside-Prefix ::1/64

 no ipv6 address dhcp

 

I would also recommend changing the following configuration on the outside interface:

 

interface GigabitEthernet0/0

 ipv6 address dhcp default

 no ipv6 nd managed-config-flag

 no ipv6 nd other-config-flag

 

Let us know how it goes.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

10 Replies 10

Go to solution
Harold Ritter
Level 12
Level 12

‎09-23-2021 07:28 PM

Hi @cogenyk ,

 

You use a unique local address (ULA) on the inside interface. These ULA are not routable on the Internet. The best option would be to configure ipv6 prefix delegation on the ASA. Your inside interface will therefore get a global prefix and your local machine will be able to access the Internet. Please refer to the following document to fond out how you can configure ipv6 prefix delegation on the ASA.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/interface-routed-tfw.html#id_65842

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
cogenyk
Level 1
Level 1
In response to Harold Ritter

‎09-24-2021 07:03 AM

Hello @Harold Ritter,

Im not sure what I should be using as my prefix since I get an error,
This is as far as i got

!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp
 ipv6 address autoconfig
 ipv6 address dhcp
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp client pd hint 2604:3d08:5:13:24e3:4d73:c673:9745/128
 ipv6 dhcp client pd Outside-Prefix
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.254.0
 ipv6 enable
 ipv6 nd other-config-flag
!
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to cogenyk

‎09-24-2021 07:59 AM

Hello,

 

try and configure:

 

ipv6 address autoconfig

 

on the inside interface...what address do you get ?

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to cogenyk

‎09-24-2021 08:03 AM - edited ‎09-24-2021 08:06 AM

Hi @cogenyk ,

 

The hint is about the delegated prefix you expect to receive, not about the address you got on the outside interface. It is optional. Try removing the hint. It should fix it.

 

 

interface GigabitEthernet0/0
no ipv6 dhcp client pd hint 2604:3d08:5:13:24e3:4d73:c673:9745/128 

 

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
cogenyk
Level 1
Level 1
In response to Harold Ritter

‎09-24-2021 08:11 AM

@Georg Pauwen 
INSIDE is up, line protocol is up
IPv6 is enabled, link-local address is fe80::4e4e:35ff:feeb:919
No global unicast address is configured

Joined group address(es):
ff02::1:ffeb:919
ff02::2
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
Hosts use DHCP to obtain other configuration.

@Harold Ritter Applied change as noted ; did not change results.

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to cogenyk

‎09-24-2021 08:16 AM - edited ‎09-24-2021 08:37 AM

Hi @cogenyk ,

 

Can you apply the following modification:

 

interface GigabitEthernet0/0
no ipv6 address autoconfig
ipv6 dhcp client pd hint ::/56

 

Can you also do a shut/no shut on the outside interface to reinitialize it.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
cogenyk
Level 1
Level 1
In response to Harold Ritter

‎09-24-2021 03:33 PM

Still not able to ping IPv6 addresses,

Ran commands as requested 

 

OUTSIDE is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::4e4e:35ff:feeb:91c
  Global unicast address(es):
    2604:3d08:5:13:24e3:4d73:c673:9745, subnet is 2604:3d08:5:13:24e3:4d73:c673:9745/128
  Joined group address(es):
    ff02::1:ff73:9745
    ff02::2
    ff02::1:ffeb:91c
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use DHCP to obtain routable addresses.
  Hosts use DHCP to obtain other configuration.
INSIDE is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::4e4e:35ff:feeb:919
  No global unicast address is configured

  Joined group address(es):
    ff02::1:ffeb:919
    ff02::2
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use DHCP to obtain routable addresses.
  Hosts use DHCP to obtain other configuration.
Servers is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::5133:32ac:771:b2db
  No global unicast address is configured
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp
 ipv6 address dhcp
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp client pd hint ::/56
 ipv6 dhcp client pd Outside-Prefix
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.254.0
 ipv6 address dhcp
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag

@Harold Ritter / @Georg Pauwen 

 

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to cogenyk

‎09-24-2021 04:26 PM

Hi @cogenyk ,

 

You first need to validate that you do receive the delegated prefix from the service provider using the following command:

 

show ipv6 general-prefix

 

you then need to apply that delegated prefix to the inside interface in the following way and remove the extra unnecessary command.

 

interface GigabitEthernet0/1

 ipv6 address Outside-Prefix ::1/64

 no ipv6 address dhcp

 

I would also recommend changing the following configuration on the outside interface:

 

interface GigabitEthernet0/0

 ipv6 address dhcp default

 no ipv6 nd managed-config-flag

 no ipv6 nd other-config-flag

 

Let us know how it goes.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Go to solution
cogenyk
Level 1
Level 1
In response to Harold Ritter

‎09-24-2021 05:02 PM

Ok, 

IPv6 Prefix Outside-Prefix, acquired via DHCP PD
  2604:3d09:c580:151::/64 Valid lifetime 138151, preferred lifetime 138151
   Consumer List                Usage count
    INSIDE (Address command)    1
ciscoasa#

ran the commands as suggested, can now ping on the ASA CLI, pings on LAN now work!


0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to cogenyk

‎09-24-2021 05:25 PM

Hi @cogenyk ,

 

Glad to know it now works. Let us know if there is anything else.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card