Disable IPv6 in ASA AnyConnect

fsebera
Level 4

Is there some way to turn off the IPv6 feature of AnyConnect on the ASA? We run ver 9.5(2).

We assign IPv4 addresses to clients via DHCP. We don't use IPv6 anywhere in our network - v6 has been disabled.

We created a client profile to disable IPv4 by changing the option to just IPv4 as:

Applied via ASDM to AnyConnect Client Profile, Preferences (Part 1) --

IP Protocol Supported

IPv4

and applied to global webvpn:

webvpn
  anyconnect profiles PROFILE_NAME disk0:/profile_name.xml

We continue to receive this syslog message:
%ASA-4-722051: Group <VPN5Policy> User <UserName> IP <174.xxx.xxx.xxx> IPv4 Address <10.yyy.yyy.yyy> IPv6 address <::> assigned to session


Thank you
Frank

7 Replies

Richard Burts
Hall of Fame

Frank

I have used the option in the AnyConnect profile to disable IPv6 and have found it effective. I am not sure why it is not working for you. Is it possible that some users do not have the correct profile?

HTH

Rick


Hi Richard,

Once a user logs in - Windows - checking the DOS prompt, ipconfig /all, the Cisco AnyConnect Security .... adapter does not show anything related to IPv6!!! Which is good.

However, the ASA still forwards the syslog message:

 Jan 04 2017 11:13:32 10.xxx.xxx.xxx : %ASA-4-722051: Group <RemoteAccessPolicy> User <fsebera> IP <xxx.xxx.xxx.xxx> IPv4 Address <10.yyy.yyy.yyy> IPv6 address <::> assigned to session

Perhaps this is just a cosmetic message and nothing more.

Thanks

Frank

Frank

If the IPv6 address really is :: then it is the null address (equivalent to IPv4 0.0.0.0) and I would assume that for your version of code the syslog message has that format built that includes the IPv6 data. So it would be a cosmetic issue.

HTH

Rick


Hi Richard,

Follow up - Cisco TAC indicates there is no way to remove the IPv6 <::> portion of the address assignment from the IPv4 assignment syslog message. Cisco TAC indicates you can disable the syslog message (no logging message 722051); however, this obviously removes the entire syslog message, which creates more of an issue than it fixes.

Thanks

Frank

Frank

Thanks for the follow up confirming that the IPv6 reference is built into the format of the syslog message and cannot be removed.

HTH

Rick
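
An added example, not part of the original thread: since message 722051 cannot be reformatted and disabling it drops the IPv4 assignment record as well, a log filter can separate the cosmetic `<::>` entries from sessions where a real IPv6 address was assigned. The field layout is taken from the messages quoted above; the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Field layout copied from the 722051 messages quoted in this thread.
MSG_722051 = re.compile(
    r"%ASA-4-722051: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> "
    r"IP <(?P<public_ip>[^>]*)> IPv4 Address <(?P<ipv4>[^>]*)> "
    r"IPv6 address <(?P<ipv6>[^>]*)> assigned to session"
)


def parse_722051(line):
    """Return the message fields plus 'ipv6_assigned', or None for other lines."""
    match = MSG_722051.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    try:
        # "::" and "0:0:0:0:0:0:0:0" are both the unspecified address.
        rec["ipv6_assigned"] = not ipaddress.IPv6Address(rec["ipv6"]).is_unspecified
    except ValueError:
        rec["ipv6_assigned"] = None  # unparsable field: keep for manual review
    return rec


def sessions_needing_review(lines):
    """Sessions whose IPv6 field is anything other than the unspecified address."""
    records = (parse_722051(line) for line in lines)
    return [r for r in records if r is not None and r["ipv6_assigned"] is not False]


# Constructed sample input (documentation address ranges, made-up users).
PREFIX = "Jan 04 2017 11:13:32 10.0.0.1 : %ASA-4-722051: Group <RemoteAccessPolicy> "
SAMPLE_LOG = [
    PREFIX + "User <alice> IP <203.0.113.10> IPv4 Address <10.0.0.5> "
             "IPv6 address <::> assigned to session",
    PREFIX + "User <bob> IP <203.0.113.11> IPv4 Address <10.0.0.6> "
             "IPv6 address <2001:db8::6> assigned to session",
    PREFIX + "User <carol> IP <203.0.113.12> IPv4 Address <10.0.0.7> "
             "IPv6 address <0:0:0:0:0:0:0:0> assigned to session",
    "Jan 04 2017 11:13:40 10.0.0.1 : constructed line that is not a 722051 message",
]

if __name__ == "__main__":
    for rec in sessions_needing_review(SAMPLE_LOG):
        print(rec["user"], rec["group"], rec["ipv6"])
```
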


Peter Koltl
Level 7

As of 2017, I would consider planning the IPv6 dual-stack introduction gradually in your network. It is advisable to do it before being forced to introduce it in a rush. (-:

Peter,

Clearly, you don't work in or understand my environment. In my environment, designing your own path will set you packing.

BTW, do you have any insight into the question at hand?

Thanks

Frank