
IPv6 Traceroute Fails/Blocked on Cisco 1941 router

chaicka
Level 1

I am encountering an issue where IPv6 traceroute, both from within the LAN and on the Cisco router itself, is unable to function beyond the WAN interface of my Cisco 1941 router with IOS v15.x.

Below is the IPv6 Access List:

[code]
sequence 410 remark Allow Specific Inbound ICMP Types
permit icmp any 2001:D98:XXXX::/64 1 3
permit icmp any 2001:D98:XXXX::/64 packet-too-big
permit icmp any 2001:D98:XXXX::/64 parameter-problem
permit icmp any 2001:D98:XXXX::/64 echo-reply
permit icmp 2001:D98:XXXX::/64 any echo-request
sequence 510 remark Allow Inbound Connections to WAN Interface for Specific Services
permit icmp any host 2001:D98:XXX::XXX 1 3
permit icmp any host 2001:D98:XXX::XXX packet-too-big
permit icmp any host 2001:D98:XXX::XXX parameter-problem
permit icmp any host 2001:D98:XXX::XXX echo-reply
permit icmp host 2001:D98:XXX::XXX any echo-request
sequence 810 remark Block Specific ICMP Types
deny icmp any any echo-request log
sequence 910 remark Block IPv6 *
deny ipv6 any any log
[/code]

Below are the logs that indicate IPv6 traceroute being blocked:

[code]
081439: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:0:4::17 -> 2001:D98:XXX::XXX (3/0), 4 packets
081440: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:A:1::7C9B:DF2B -> 2001:D98:XXX::XXX (1/4), 110 packets
[/code]

Is there any specific permit that I need to add in order for IPv6 Trace Route to work?

2 Replies

John Blakley
VIP Alumni

No, but I believe that your line in the ACL is incorrect:

Change:

permit icmp host 2001:D98:XXX::XXX any echo-request

to:

permit icmp any host 2001:d98:xxx::xxx echo-request

** Edit ** Actually, how are these applied and in what direction?

HTH,

John


The ACL posted is applied on the WAN interface which has been provisioned for a dual-stack IPv4 and IPv6 FTTH connection. This particular ACL is for inbound IPv6 traffic only. There is another separate ACL for inbound IPv4 traffic which is working fine.

The logs I have posted seem to indicate the blocking is due to ACL rule sequence 920. I realized the post I made didn't indicate which line is sequence 920 and have included it below:

deny ipv6 any any log
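
The (type/code) pairs in the posted deny logs can be checked against the ICMPv6 types the ACL permits inbound. The following is an added example, not part of the original posts: it parses the two log lines and reports that type 3 code 0 (time exceeded, which traceroute needs from every intermediate hop) and type 1 code 4 (port unreachable, returned by the final hop for UDP probes) match no permit entry. The `PERMITTED` set is a hand-built model of the sequence 510 entries, and the function names are hypothetical.

```python
import re

# ICMPv6 (type, code) names from RFC 4443 that matter for this thread.
NAMES = {
    (1, 3): "destination unreachable: address unreachable",
    (1, 4): "destination unreachable: port unreachable",
    (3, 0): "time exceeded: hop limit exceeded in transit",
}

# Assumption: model of the inbound permits towards the WAN address (sequence 510):
# "1 3", packet-too-big (2), parameter-problem (4), echo-reply (129).
# A code of None means "any code of that type".
PERMITTED = {(1, 3), (2, None), (4, None), (129, None)}

# The two log lines from the post, unchanged.
LOG = """\
081439: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:0:4::17 -> 2001:D98:XXX::XXX (3/0), 4 packets
081440: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:A:1::7C9B:DF2B -> 2001:D98:XXX::XXX (1/4), 110 packets
"""

DENY_RE = re.compile(
    r"list (?P<acl>\S+)/(?P<seq>\d+) denied icmpv6 (?P<src>\S+) -> (?P<dst>\S+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def parse_denied(text):
    """Return one dict per ICMPv6 deny entry found in IOS ACL log output."""
    rows = []
    for m in DENY_RE.finditer(text):
        row = m.groupdict()
        for key in ("seq", "type", "code", "count"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def is_permitted(icmp_type, code, permitted=PERMITTED):
    """True if the exact (type, code) or the whole type is permitted."""
    return (icmp_type, code) in permitted or (icmp_type, None) in permitted

def acl_gaps(text, permitted=PERMITTED):
    """Map each denied (type, code) with no matching permit to its packet total."""
    gaps = {}
    for row in parse_denied(text):
        key = (row["type"], row["code"])
        if not is_permitted(*key, permitted):
            gaps[key] = gaps.get(key, 0) + row["count"]
    return gaps

if __name__ == "__main__":
    for (t, c), n in sorted(acl_gaps(LOG).items()):
        print(f"type {t} code {c} ({NAMES.get((t, c), 'unknown')}): {n} packets denied")
```

Both denied pairs fall through to the final `deny ipv6 any any log` entry because the only destination-unreachable permit is the numeric `1 3`, and no entry covers type 3 at all.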
