01-04-2017 05:07 AM - edited 02-21-2020 09:06 PM
Is there some way to turn off the IPv6 feature of AnyConnect on the ASA; we run ver 9.5(2)?
We assign IPv4 addresses to clients via DHCP. We don't use IPv6 anywhere in our network - v6 has been disabled.
We created a client profile to disable IPv4 by changing the option to just IPv4 as:
Applied via ASDM to AnyConnect Client Profile, Preferences (Part 1) --
IP Protocol Supported
IPv4
and applied to global webvpn:
webvpn
anyconnect profiles PROFILE_NAME disk0:/profile_name.xml
We continue to receive this syslog message:
%ASA-4-722051: Group <VPN5Policy> User <UserName> IP <174.xxx.xxx.xxx> IPv4 Address <10.yyy.yyy.yyy> IPv6 address <::> assigned to session
Thank you
Frank
01-04-2017 08:09 AM
Frank
I have used the option in the AnyConnect profile to disable IPv6 and have found it effective. I am not sure why it is not working for you. Is it possible that some users do not have the correct profile?
HTH
Rick
01-04-2017 08:21 AM
Hi Richard,
Once a user logs in - Windows - checking the DOS prompt, ipconfig /all, the Cisco AnyConnect Security .... adapter does not show anything related to IPv6!!! Which is good.
However, the ASA still forwards the syslog message:
Jan 04 2017 11:13:32 10.xxx.xxx.xxx : %ASA-4-722051: Group <RemoteAccessPolicy> User <fsebera> IP <xxx.xxx.xxx.xxx> IPv4 Address <10.yyy.yyy.yyy> IPv6 address <::> assigned to session
Perhaps this is just a cosmetic message and nothing more.
Thanks
Frank
01-04-2017 12:51 PM
Frank
If the IPv6 address really is :: then it is the null address (equivalent to IPv4 0.0.0.0) and I would assume that for your version of code the syslog message has that format built that includes the IPv6 data. So it would be a cosmetic issue.
HTH
Rick
01-10-2017 07:18 AM
Hi Richard,
Follow up - Cisco TAC indicates there is no way to remove the IPv6 <::> portion of the address assignment from the IPv4 assignment syslog message. Cisco TAC indicates you can disable the syslog message (no logging message 722051), however this obviously removes the entire syslog message which creates more of an issue than it fixes.
Thanks
Frank
01-10-2017 08:12 AM
Frank
Thanks for the follow up confirming that the IPv6 reference is built into the format of the syslog message and cannot be removed.
HTH
Rick
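Since the thread concludes that the IPv6 field is always present in 722051 and the message should stay enabled, the log pipeline can separate the cosmetic `<::>` from a real IPv6 assignment. The following is an added example, not part of the original posts and not Cisco code; the field layout is taken from the lines quoted above, and the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Field layout taken from the 722051 lines quoted in this thread.
MSG_722051 = re.compile(
    r"%ASA-4-722051: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> "
    r"IP <(?P<public_ip>[^>]*)> IPv4 Address <(?P<ipv4>[^>]*)> "
    r"IPv6 address <(?P<ipv6>[^>]*)> assigned to session"
)

def parse_722051(line):
    """Return the fields of a 722051 message as a dict, or None for other lines."""
    m = MSG_722051.search(line)
    return m.groupdict() if m else None

def ipv6_assigned(fields):
    """True only when the session received a real IPv6 address.

    '::' in any spelling is the unspecified address, i.e. nothing was assigned.
    A value that does not parse as IPv6 counts as assigned so it gets reviewed.
    """
    try:
        addr = ipaddress.IPv6Address(fields["ipv6"])
    except ipaddress.AddressValueError:
        return True
    return not addr.is_unspecified

def sessions_with_ipv6(lines):
    """Yield (user, ipv6) for each 722051 line carrying a real IPv6 address."""
    for line in lines:
        fields = parse_722051(line)
        if fields and ipv6_assigned(fields):
            yield fields["user"], fields["ipv6"]

# Constructed sample lines (documentation address ranges, not real log data).
SAMPLE = [
    "Jan 04 2017 11:13:32 10.0.0.1 : %ASA-4-722051: Group <RemoteAccessPolicy> User <alice> IP <198.51.100.7> IPv4 Address <10.1.1.20> IPv6 address <::> assigned to session",
    "Jan 04 2017 11:14:02 10.0.0.1 : %ASA-4-722051: Group <RemoteAccessPolicy> User <bob> IP <198.51.100.8> IPv4 Address <10.1.1.21> IPv6 address <2001:db8::15> assigned to session",
    "Jan 04 2017 11:14:05 10.0.0.1 : constructed placeholder line for some other message",
]

if __name__ == "__main__":
    for user, ipv6 in sessions_with_ipv6(SAMPLE):
        print(f"IPv6 assigned to {user}: {ipv6}")
```

In a network where IPv6 is meant to be disabled, any line this filter yields indicates a session that did receive an IPv6 address and is worth reviewing.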
01-07-2017 06:53 AM
As of 2017, I would consider planning the IPv6 dual-stack introduction gradually in your network. It is advisable to do it before being forced to introduce it in a rush. (-:
01-09-2017 05:09 AM
Peter,
Clearly, you don't work in or understand my environment. In my environment, designing your own path will set you packing.
BTW, do you have any insight into the question at hand?
Thanks
Frank