ASA Anyconnect IPv6 problem

Unanswered Question
Aug 7th, 2009

Dear all,

We followed the instructions on how to enable AnyConnect for IPv6. They seem to be dated, since they mention that ASDM does not support IPv6, but it does.

The problem is as follows: when an AnyConnect client connects to the external IPv6 address of the ASA, the ASA does not see that as an SSL VPN connection but drops it.

3 Aug 07 2009 13:54:17 710003 2001:610:b20:b02:21b:63ff:fe01:601c 50756 ochre6-ext 443 TCP access denied by ACL from 2001:610:b20:b02:21b:63ff:fe01:601c/50756 to outside:ochre6-ext/443

It seems as if the SSL VPN option on the interface does not apply to IPv6. Does anyone know how I could enable this for IPv6 SSL VPNs to be accepted?

Also, there is a difference in the way AnyConnect works on Vista and on OS X.

On OS X the AnyConnect client accepts IPv6 addresses as VPN gateway and tries to establish a native IPv6 SSL VPN. But it does not work because of the problem described above. If an IPv4 VPN is established, the IPv4 client does not get an IPv6 pool address.

On Vista the AnyConnect client does not seem to accept native IPv6 addresses for the VPN gateway address. However, if an IPv4 tunnel is established, clients get both an IPv4 and an IPv6 pool address.

I am now confused as to what is supposed to work and how. Our goal would be to establish native IPv6 AnyConnect VPNs.

aghaznavi Thu, 08/13/2009 - 10:23

The AnyConnect client allows access to IPv6 resources over a public IPv4 connection (only for Windows XP SP2, Windows Vista, Mac OS X, and Linux). You must use the command line interface to configure IPv6 access. ASDM does not support IPv6. You enable IPv6 access using the ipv6 enable command as part of enabling SSL VPN connections.

Service Spring Thu, 09/23/2010 - 11:56

Do you know if that's the case for all VPN connections or just AnyConnect connections?

I'm trying to set up a VPN over IPv6 (site to site) between my 5505 and 5520. I think I have everything set up correctly, but the VPN won't start. If I reboot the 5505, it will ping the 5520 via IPv6 when it's back online, but nothing else happens.

fabasoft-534 Thu, 12/29/2011 - 05:50

I think the best way to check this is to use the socket table on the ASA (like on a Linux OS):

ciscoasa(config)# show asp table socket

Protocol  Socket    Local Address               Foreign Address         State
SSL       0000ca9f *               LISTEN
DTLS      0001148f *               LISTEN
TCP       001320ef  *               LISTEN
TCP       0013c12f  2a00:1860:108::18:15:22     :::*                    LISTEN

So I have configured SSH access for some IPv6 network and have webvpn enabled.

Since there is no entry in the socket table, only IPv6 as passenger protocol is possible.
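The socket-table check described in the post above, as an added example that is not part of the original thread: a Python parser for `show asp table socket` output that reports which services have no listener on an IPv6 address. The function names and the sample output are constructed for illustration (documentation addresses, local address assumed to be `address:port` as in the thread's IPv6 row); rows whose address column is missing are skipped rather than guessed.

```python
import ipaddress

# Constructed sample in the column layout of "show asp table socket";
# addresses are documentation prefixes, not values from the thread.
SAMPLE = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0000ca9f  192.0.2.1:443               0.0.0.0:*               LISTEN
DTLS      0001148f  192.0.2.1:443               0.0.0.0:*               LISTEN
TCP       001320ef  192.0.2.1:22                0.0.0.0:*               LISTEN
TCP       0013c12f  2001:db8::1:22              :::*                    LISTEN
SSL       0000ffff  *                           LISTEN
"""


def parse_listeners(output):
    """Return (protocol, ip_version, port) for every parsable LISTEN row."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # Expected columns: protocol, socket id, local, foreign, state.
        if len(fields) != 5 or fields[4] != "LISTEN":
            continue  # header, truncated row, or non-listening socket
        # The port follows the last colon, for IPv4 and IPv6 alike.
        host, _, port = fields[2].rpartition(":")
        if not port.isdigit():
            continue
        try:
            version = ipaddress.ip_address(host).version
        except ValueError:
            continue  # local address is not a literal IP; do not guess
        rows.append((fields[0], version, int(port)))
    return rows


def protocols_without_ipv6(output, wanted=("SSL", "DTLS")):
    """List the wanted protocols that have no listener on an IPv6 address."""
    v6 = {proto for proto, version, _ in parse_listeners(output) if version == 6}
    return [p for p in wanted if p not in v6]


if __name__ == "__main__":
    for proto in protocols_without_ipv6(SAMPLE):
        print(f"{proto}: no IPv6 listener, IPv6 only as passenger protocol")
```
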

ROBERTO GIANA Wed, 02/01/2012 - 15:36

I'm seeing the same problem. When I try to access the WebVPN service with a browser I get denies in the logs claiming "TCP access denied by ACL from ..." although "self originated" traffic doesn't go through interface ACLs (well, at least on IPv4). And I'm seeing the same as you on the asp table. No sockets other than management are listening on the IPv6 addresses. Even the "Packet Tracer" claims that access gets denied by an implicit rule, although the interface access list doesn't use implicit rules at all.

Has anybody at Cisco ever tried to run WebVPN over IPv6 on an ASA?

ROBERTO GIANA Thu, 02/02/2012 - 07:24

Just got the confirmation. Today ASA/AnyConnect only supports IPv4 for transportation. Within the tunnel there can be IPv6 packets. Forthcoming releases will support also IPv6 as transportation media. But don't know when.

michael.wegner@... Mon, 03/19/2012 - 08:47

I'm looking for an ASA/AnyConnect IPv6 over IPv4 SSL/DTLS configuration example (command line).

We followed the basic instructions on how to enable IPv6 on the ASA 5500 (SW 8.4.3 ED) and finally assigned an IPv6 pool to an existing Group-Policy. After the VPN connection is established no IPv6 address is assigned to the AnyConnect Client.

Can anyone help?

PS: Please don't ask me for my current configuration. I don't have access to the affected ASA - It's just a try to support a colleague. I need only a working tunnel connection for IPv6 testing to the internet.

fabasoft-534 Tue, 03/20/2012 - 01:22


You need to set the MTU in Windows 7 to a higher value

netsh interface ipv4 set interface "Interface-Index" mtu=1374

and to enable BOTH an IPv4 and an IPv6 address pool.

This works:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
 ipv6 address fd00:1865:108:690::1/64
ipv6 local pool ipv6pool fd00:1865:108:690::100/64 128
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ipv4pool
 ipv6-address-pool ipv6pool
ip local pool ipv4pool
webvpn
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 1



