Cannot ping to switch from other network using IPv6 (IPv4 works fine)

martenbe
Level 1

Hello everybody,

In the attachment you'll find a very small network: PC-A <---> switch <---> router <---> PC-B.

When using IPv4 everything can ping everything (PCs, switch, router). Using IPv6 GUA addresses everything can ping each other, except PC-B is unable to ping the switch. PC-A can ping the switch without a problem. When using simulation mode, the ICMP packets seem to reach the switch from PC-B, but are dropped by the switch. I have been troubleshooting this for a while now, but am really stumped ...

IPv6 Table:

 

PC-A        2001:DB8:ACAD:1::3
S0          2001:DB8:ACAD:1::B
R1 G0/0/1   2001:DB8:ACAD:1::1

R1 G0/0/0   2001:DB8:ACAD:A::1
PC-B        2001:DB8:ACAD:A::3

Kind regards,

Marten

 


ilay
VIP

S0 is a C2960 switch; it cannot configure an IPv6 route (when an IPv6 route is configured on it, the program will crash).

When using an IPv4 address, it can use "ip default-gateway x.x.x.x" to forward packets to the ISR4331.

You can use a cat3650 instead of the 2960 to complete the experiment (you need to install a power supply on the "Physical" tab before using the 3650).

But shouldn't SLAAC put in the default-gateway on the IPv6 interface? It is enabled on the router by `ipv6 unicast-routing`.

Yes, SLAAC will automatically generate a default route for the endpoint ("ipv6 address autoconfig" needs to be set on the network device interface).
This may also be a problem with the simulator. I use Packet Tracer 8.0, and no IPv6 commands can be configured on the 2960, but vIOS running with another emulator (EVE) is normal.

 


 

-------------------------------------------------------------------------------------------------

update 2021-04-29

I tested it again.

On Packet Tracer, when manually configuring an IPv6 address, no matter whether it is a 2960 or a 3650, the default route cannot be obtained normally. The difference is that the 3650 can manually configure a default route of ::/0, while configuring a default route on the 2960 will cause the Packet Tracer program to crash (Packet Tracer 8.0).

On the physical device, both "ipv6 address x:x:x:x:x" and "ipv6 address autoconfig" can make the device obtain the default route.

 

Your configuration works well on the physical device. For the simulator, it is best to use "ipv6 address autoconfig"

 

It is possible to enter the ipv6 commands on the vlan interface.

 

S1(config-if)#do sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 26-Jun-13 02:49 by mnguyen

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)

Switch uptime is 39 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbasek9-mz.150-2.SE4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960-24TT-L (PowerPC405) processor (revision B0) with 65536K bytes of memory.
Processor board ID FOC1010X104
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:17:59:A7:51:80
Motherboard assembly number : 73-10390-03
Power supply part number : 341-0097-02
Motherboard serial number : FOC10093R12
Power supply serial number : AZS1007032H
Model revision number : B0
Motherboard revision number : B0
Model number : WS-C2960-24TT-L
System serial number : FOC1010X104
Top Assembly Part Number : 800-27221-02
Top Assembly Revision Number : A0
Version ID : V02
CLEI Code Number : COM3L00BRA
Hardware Board Revision Number : 0x01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C2960-24TT-L    15.0(2)SE4            C2960-LANBASEK9-M

Configuration register is 0xF

S1(config-if)#ipv6 ?
  address         Configure IPv6 address on interface
  enable          Enable IPv6 on interface
  nd              IPv6 interface Neighbor Discovery subcommands
  traffic-filter  Access control list for packets
S1(config-if)#ipv6

 

Regards,

Harold Ritter, CCIE #4168 (EI, SP)

Haha, I forgot to type "sdm prefer dual-ipv4-and-ipv6 default". I even entered this command on a physical device before. ......=_=#

After a reload, I can configure "ipv6 address x:x" and "ipv6 address autoconfig" on the 2960.

Harold Ritter
Spotlight

Use "ipv6 address autoconfig" under vlan1 instead of "ipv6 address 2001:DB8:ACAD:1::B/64". This will cause the switch to use the source of the router advertisement as its default gateway and you should then be able to ping any devices in the lab topology.

 

Regards,

Harold Ritter, CCIE #4168 (EI, SP)
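
The behaviour discussed above (the echo request from PC-B reaches the switch, but the reply is dropped) can be reproduced with a small route-lookup model. This is an added example, not code from the thread: the addresses come from the IPv6 table in the original post, while the route tables, the function names and the use of R1's global address as next hop (a real router advertisement supplies a link-local source) are assumptions.

```python
import ipaddress

R1_LAN = "2001:db8:acad:1::1"   # R1 G0/0/1, from the IPv6 table above
R1_WAN = "2001:db8:acad:a::1"   # R1 G0/0/0

def build_lab(switch_default_route):
    """Return {node: (own_addresses, [(prefix, next_hop_or_None)])}; None = connected."""
    s0_routes = [("2001:db8:acad:1::/64", None)]
    if switch_default_route:
        # Assumption: models "ipv6 address autoconfig" installing a default route via R1.
        s0_routes.append(("::/0", R1_LAN))
    return {
        "PC-A": (["2001:db8:acad:1::3"], [("2001:db8:acad:1::/64", None), ("::/0", R1_LAN)]),
        "S0":   (["2001:db8:acad:1::b"], s0_routes),
        "R1":   ([R1_LAN, R1_WAN], [("2001:db8:acad:1::/64", None),
                                    ("2001:db8:acad:a::/64", None)]),
        "PC-B": (["2001:db8:acad:a::3"], [("2001:db8:acad:a::/64", None), ("::/0", R1_WAN)]),
    }

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None when nothing matches."""
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def owner(lab, addr):
    """Name of the node that holds addr, or None."""
    a = ipaddress.ip_address(addr)
    for name, (addrs, _) in lab.items():
        if any(ipaddress.ip_address(x) == a for x in addrs):
            return name
    return None

def deliver(lab, src_node, dst_addr, max_hops=8):
    """Forward hop by hop; return 'delivered' or the reason for the drop."""
    node = src_node
    for _ in range(max_hops):
        if owner(lab, dst_addr) == node:
            return "delivered"
        route = lookup(lab[node][1], dst_addr)
        if route is None:
            return f"dropped at {node}: no route"
        # Connected route: the next hop is the destination itself.
        nxt = owner(lab, route[1] or dst_addr)
        if nxt is None:
            return f"dropped at {node}: next hop unreachable"
        node = nxt
    return "hop limit exceeded"

def ping(lab, src_node, dst_node):
    """Echo request out and echo reply back; both directions need a route."""
    src_addr, dst_addr = lab[src_node][0][0], lab[dst_node][0][0]
    request = deliver(lab, src_node, dst_addr)
    if request != "delivered":
        return "request " + request
    reply = deliver(lab, dst_node, src_addr)
    return "ok" if reply == "delivered" else "reply " + reply
```

With `build_lab(False)` the ping from PC-B to S0 fails on the return path at S0, while PC-A to S0 succeeds because both sit in the same /64; with `build_lab(True)` both succeed.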

herrickw
Cisco Employee

I have the same issue with a Cisco ISR931. I use 2 ports of this router, GigabitEthernet 4 and GigabitEthernet 5. Port 4 connects to the ISP modem and Port 5 connects to a WiFi AP. All IPv4 traffic goes through correctly without any issue, but none of the PCs or phones can get internet access using IPv6.

I have multiple PCs connected to the router through the WiFi AP and each PC has its global unicast IPv6 address assigned automatically; the router's GigabitEthernet ports 4 and 5 have their global unicast IPv6 addresses too. Port 4 got its address from the ISP modem using autoconfig. Port 5 was manually assigned. I also configured a static route on the ISR931 directed to Port 4 and enabled ipv6 unicast-routing.

From the router, I can ping all PCs without issue and also ping Internet IPv6 addresses successfully. From a PC, pinging the port 5 IPv6 address is fine, but I get "destination unreachable" for any IPv6 address on port 4 or behind it.

 

Below is my ISR931 config log.

 

Building configuration...

Current configuration : 2171 bytes
!
! Last configuration change at 02:44:53 UTC Wed Feb 2 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$WGe/$Bckz8JieV7WfRySECC99N0
enable password 
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.10.1 192.168.10.9
!
ip dhcp pool Home
network 192.168.10.0 255.255.255.0
dns-server 192.168.1.1
domain-name cisco.com
default-router 192.168.1.4
lease 30
!
!
!
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid C931-4P sn PSZ24331GY0
!
!
!
redundancy
!
no cdp run
!
!
!
!
!
interface GigabitEthernet0
no ip address
no cdp enable
!
interface GigabitEthernet1
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet2
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet3
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet4
ip dhcp client lease 10 0 0
ip dhcp client update dns server both
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
ipv6 address autoconfig
ipv6 enable
no mop enabled
!
interface GigabitEthernet5
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
ipv6 address 240E:388:175D:6800::1/64
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
!
interface Vlan1
no ip address
shutdown
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no service-routing capabilities-manager
ipv6 route ::/0 GigabitEthernet4 FE80::1
ipv6 ioam timestamp
!
!
snmp-server community public RO
access-list 1 permit any
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
password 
login
transport input none
!
scheduler allocate 20000 1000
!
end

 

My IPv6 details.

sh ipv6 int
GigabitEthernet4 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::287:64FF:FE94:3B88
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
240E:388:175D:6800:287:64FF:FE94:3B88, subnet is 240E:388:175D:6800::/64 [EUI/CAL/PRE]
valid lifetime 140538 preferred lifetime 54138
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF94:3B88
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification
Output features: Common Flow Table Stile Classification
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
GigabitEthernet5 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::287:64FF:FE94:3B89
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
240E:388:175D:6800::1, subnet is 240E:388:175D:6800::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF94:3B89
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification
Output features: Common Flow Table Stile Classification
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

 

Could anybody help here?

 

Hello,

 

At first glance, I would say the autoconfig default route should be on interface GigabitEthernet4, not 5:

 

interface GigabitEthernet4
ip dhcp client lease 10 0 0
ip dhcp client update dns server both
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
ipv6 address autoconfig
ipv6 enable
no mop enabled
--> ipv6 nd autoconfig default-route
!
interface GigabitEthernet5
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
ipv6 address 240E:388:175D:6800::1/64
ipv6 address autoconfig
ipv6 enable
--> no ipv6 nd autoconfig default-route

Thanks so much, Georg! I followed your instructions but unfortunately it didn't change anything. Our router could still ping both the outside network and the PC behind GigabitEthernet 5, but those PCs couldn't reach GigabitEthernet 4. See the updated sh run and my PC ping results below.

--------------------------------------------From Router ISR931------------------------------------------

sh running-config
Building configuration...

Current configuration : 2171 bytes
!
! Last configuration change at 01:26:56 UTC Thu Feb 3 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$WGe/$Bckz8JieV7WfRySECC99N0
enable password 
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.10.1 192.168.10.9
!
ip dhcp pool Home
network 192.168.10.0 255.255.255.0
dns-server 192.168.1.1
domain-name cisco.com
default-router 192.168.1.4
lease 30
!
!
!
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid C931-4P sn PSZ24331GY0
!
!
!
redundancy
!
no cdp run
!
!
!
!
!
interface GigabitEthernet0
no ip address
no cdp enable
!
interface GigabitEthernet1
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet2
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet3
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet4
ip dhcp client lease 10 0 0
ip dhcp client update dns server both
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
no mop enabled
!
interface GigabitEthernet5
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
ipv6 address 240E:388:175D:6800::1/64
ipv6 address autoconfig
ipv6 enable
!
interface Vlan1
no ip address
shutdown
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no service-routing capabilities-manager
ipv6 route ::/0 GigabitEthernet4 FE80::1
ipv6 ioam timestamp
!
!
snmp-server community public RO
access-list 1 permit any
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
password Aca$ia2326
login
transport input none
!
scheduler allocate 20000 1000
!
end

#sh ipv6 int
GigabitEthernet4 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::287:64FF:FE94:3B88
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
240E:388:175D:6800:287:64FF:FE94:3B88, subnet is 240E:388:175D:6800::/64 [EUI/CAL/DEP]
valid lifetime 58252 preferred lifetime 0
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF94:3B88
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification
Output features: Common Flow Table Stile Classification
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
GigabitEthernet5 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::287:64FF:FE94:3B89
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
240E:388:175D:6800::1, subnet is 240E:388:175D:6800::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF94:3B89
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification
Output features: Common Flow Table Stile Classification
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

---------------------------------Ping Results from Router-------------------------------------------

#ping 240e:388:175d:6800:89a7:7b67:2998:8d50  ###########This global unicast IPv6 is a PC behind the Router GigabitEthernet 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 240E:388:175D:6800:89A7:7B67:2998:8D50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/48 ms
Acacia_SH_Router#ping 2600:1400:9000:28b::180c  #################This is a global unicast IPv6 of internet site
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2600:1400:9000:28B::180C, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 230/231/238 ms

--------------------------------Ping Result from the PC which could be reached by Router--------------------------

C:\Users\hawang>ping 240e:388:175d:6800::1  ############Global unicast IPv6 address of Router GigabitEthernet5

Pinging 240e:388:175d:6800::1 with 32 bytes of data:
Reply from 240e:388:175d:6800::1: time=3ms
Reply from 240e:388:175d:6800::1: time=5ms
Reply from 240e:388:175d:6800::1: time=4ms
Reply from 240e:388:175d:6800::1: time=4ms

Ping statistics for 240e:388:175d:6800::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 5ms, Average = 4ms

C:\Users\hawang>ping 240E:388:175D:6800:287:64FF:FE94:3B88 #######Router global unicast Ipv6 address of GigabitEthernet4

Pinging 240e:388:175d:6800:287:64ff:fe94:3b88 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 240e:388:175d:6800:287:64ff:fe94:3b88:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\hawang>

After a few days of study, I have more clues about the issue mentioned above. But I don't have a resolution, so I seek your help here.

1. Unlike IPv4, which uses NAT in this scenario, it seems there is no NAT for IPv6.

2. Inside the Cisco router, it uses directly connected routes and NDP to learn the entries in the routing table; this becomes an issue for my setup. My WAN port Gi4 uses the prefix 240E:388:175D:6800::/64 assigned by the ISP; if I assign the same prefix to my LAN port, I lose the correct route to the ISP router, which is supposed to be my gateway to the internet. The reason is that the Cisco router adds an entry for 240E:388:175D:6800::/64 pointing directly to my LAN port, so I can never reach the gateway behind my WAN port, which uses a global unicast IPv6 address with the same prefix.

3. If I assign a different prefix to my LAN port, I can reach outside IPs successfully from my Cisco router, but my PC behind the LAN port can't. I guess the reason is similar to not using NAT with IPv4: the ISP router doesn't know where to route back packets whose destination IPv6 address is my PC's, which uses a different prefix.

So how do I resolve the dilemma above?

Maybe it is clearer to ask the question this way. Is it possible for me to configure 2 ports on the Cisco ISR931 (Gi4 and Gi5) to do routing with NAT for IPv4 packets and bridging only for IPv6 packets at the same time? If so, how do I configure it?
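
The prefix overlap described in point 2 can be confirmed mechanically from "sh ipv6 int" output. This is an added example, not code from the thread: the sample text is constructed by trimming the output posted above, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: trimmed from the "sh ipv6 int" output posted earlier in the thread.
SAMPLE = """\
GigabitEthernet4 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::287:64FF:FE94:3B88
Global unicast address(es):
240E:388:175D:6800:287:64FF:FE94:3B88, subnet is 240E:388:175D:6800::/64 [EUI/CAL/PRE]
Joined group address(es):
FF02::1
GigabitEthernet5 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::287:64FF:FE94:3B89
Global unicast address(es):
240E:388:175D:6800::1, subnet is 240E:388:175D:6800::/64
Joined group address(es):
FF02::1
"""

IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol")
SUBNET_RE = re.compile(r"^\s*([0-9A-Fa-f:]+), subnet is (\S+)")

def parse_subnets(text):
    """Map interface name -> [(address, network)] for its global unicast addresses."""
    result, current = defaultdict(list), None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            result[current].append((ipaddress.ip_address(m.group(1)),
                                    ipaddress.ip_network(m.group(2))))
    return dict(result)

def overlapping_interfaces(subnets):
    """Return [(if_a, if_b, net_a, net_b)] where two interfaces' connected prefixes overlap."""
    flat = [(iface, net) for iface, pairs in subnets.items() for _, net in pairs]
    hits = []
    for idx, (if_a, net_a) in enumerate(flat):
        for if_b, net_b in flat[idx + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                hits.append((if_a, if_b, net_a, net_b))
    return hits

def egress_candidates(subnets, dst):
    """Interfaces whose connected prefix covers dst; more than one means the
    connected routes alone cannot tell which link the destination is on."""
    d = ipaddress.ip_address(dst)
    return sorted(i for i, pairs in subnets.items() if any(d in n for _, n in pairs))

if __name__ == "__main__":
    for if_a, if_b, net_a, net_b in overlapping_interfaces(parse_subnets(SAMPLE)):
        print(f"{if_a} ({net_a}) overlaps {if_b} ({net_b})")
```

Run against the posted output, it reports that GigabitEthernet4 and GigabitEthernet5 both claim 240e:388:175d:6800::/64 as a connected prefix, so an address in that /64 matches both interfaces.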