ASA Anyconnect IPv6 problem

with_joerg (Level 1)

Dear all,

we followed the instructions on how to enable anyconnect for IPv6. They seem to be dated since they mention that ASDM does not support IPv6 but it does.

The problem is as follows: when an anyconnect client connects to the external IPv6 address of the ASA then the ASA does not see that as SSL VPN connection but drops it.

3 Aug 07 2009 13:54:17 710003 2001:610:b20:b02:21b:63ff:fe01:601c 50756 ochre6-ext 443 TCP access denied by ACL from 2001:610:b20:b02:21b:63ff:fe01:601c/50756 to outside:ochre6-ext/443

It seems as if the SSL VPN option on the interface does not apply to IPv6. Does anyone know how I could enable this for IPv6 SSL VPNs to be accepted?

Also there is a difference in the way Anyconnect works on VISTA and on OS X.

On OS X the AnyConnect client accepts IPv6 addresses as VPN gateway and tries to establish a native IPv6 SSL VPN. But it does not work because of the problem described above. If an IPv4 VPN is established the IPv4 client does not get an IPv6 pool address.

On VISTA the Anyconnect client does not seem to accept native IPv6 addresses for the VPN Gateway address. However if an IPv4 tunnel is established clients get both an IPv4 and an IPv6 pool address.

I am now confused as to what is supposed to work and how. Our goal would be to establish native IPv6 anyconnect VPNs.

8 Replies

aghaznavi (Level 5)

The AnyConnect client allows access to IPv6 resources over a public IPv4 connection (only for Windows XP SP2, Windows Vista, Mac OS X, and Linux). You must use the command line interface to configure IPv6 access. ASDM does not support IPv6. You enable IPv6 access using the ipv6 enable command as part of enabling SSL VPN connections.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/release/notes/cvcrn200.html#wp659370

I am running into the same problem.

The previous answer is just a collection of phrases from the manual (which all are true and valid sentences), but they are beside the point.

The answer is: Too bad, the ASA does not support native IPv6 VPN connections.

Do you know if that's the case for all VPN connections or just Any Connect connections?

I'm trying to set up a VPN over IPv6 (site to site) between my 5505 and 5520. I think I have everything set up correctly, but the VPN won't start. If I reboot the 5505, it will ping the 5520 via IPv6 when it's back online, but nothing else happens.

kerstin-534 (Level 1)

I think the best way to check this is to use the socket table on the ASA (like on a Linux OS):

ciscoasa(config)# show asp table socket
Protocol  Socket    Local Address               Foreign Address         State
SSL       0000ca9f  192.84.221.15:443           0.0.0.0:*               LISTEN
DTLS      0001148f  192.84.221.15:443           0.0.0.0:*               LISTEN
TCP       001320ef  192.84.221.15:22            0.0.0.0:*               LISTEN
TCP       0013c12f  2a00:1860:108::18:15:22     :::*                    LISTEN

So I have configured SSH access for some IPv6 network and have webvpn enabled.

Since there is no entry in the socket table, only IPv6 as passenger protocol is possible.
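As an added example (not from this thread or from Cisco), a small Python parser for the `show asp table socket` output quoted above; it reports which IP versions the SSL and DTLS listeners are bound to, so the "IPv4 only" condition this post describes can be checked from a saved show command instead of by eye. The sample input is a copy of the table in this post.

```python
import ipaddress

# Sample input: the 'show asp table socket' output quoted in this post (constructed copy).
SAMPLE_SOCKET_TABLE = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0000ca9f  192.84.221.15:443           0.0.0.0:*               LISTEN
DTLS      0001148f  192.84.221.15:443           0.0.0.0:*               LISTEN
TCP       001320ef  192.84.221.15:22            0.0.0.0:*               LISTEN
TCP       0013c12f  2a00:1860:108::18:15:22     :::*                    LISTEN
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon, so a bare IPv6 literal such as
    2a00:1860:108::18:15:22 (no brackets, as the ASA prints it) parses correctly."""
    addr, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(addr), port

def parse_socket_table(text):
    """Return (protocol, local_ip, local_port, state) per row; header/blank lines skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Protocol":
            continue
        proto, _socket_id, local, _foreign, state = fields
        ip, port = split_endpoint(local)
        rows.append((proto, ip, port, state))
    return rows

def listener_families(text, protocols=("SSL", "DTLS")):
    """Map each VPN transport protocol to the IP versions it listens on.
    {'SSL': {4}, 'DTLS': {4}} means AnyConnect/WebVPN is reachable over IPv4 only,
    which is what produces the 'access denied by ACL' log line for an IPv6 client."""
    families = {proto: set() for proto in protocols}
    for proto, ip, _port, state in parse_socket_table(text):
        if proto in families and state == "LISTEN":
            families[proto].add(ip.version)
    return families

def ipv6_listeners(text, port="443"):
    """Protocols with an IPv6 listener on the given port (empty list: nothing bound)."""
    return sorted({proto for proto, ip, p, state in parse_socket_table(text)
                   if ip.version == 6 and p == port and state == "LISTEN"})
```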

I'm seeing the same problem. When I try to access the WebVPN service with a browser I get denies in the logs claiming "TCP access denied by ACL from ..." although "self originated" traffic doesn't go through interface ACLs (well, at least on IPv4). And I'm seeing the same as you on the asp table. No sockets other than management are listening on the IPv6 addresses. Even the "Packet Tracer" claims that access gets denied by an implicit rule, although the interface access list doesn't use implicit rules at all.

Has anybody at Cisco ever tried to run WebVPN over IPv6 on an ASA?

Just got the confirmation. Today ASA/AnyConnect only supports IPv4 for transportation. Within the tunnel there can be IPv6 packets. Forthcoming releases will support also IPv6 as transportation media. But don't know when.

I'm looking for an ASA/AnyConnect IPv6 over IPv4 SSL/DTLS configuration example (command line).

We followed the basic instructions on how to enable IPv6 on the ASA 5500 (SW 8.4.3 ED) and finally assigned an IPv6 pool to an existing group-policy. After the VPN connection is established no IPv6 address is assigned to the AnyConnect client.

Can anyone help?

PS: Please don't ask me for my current configuration. I don't have access to the affected ASA - It's just a try
to support a colleague. I need only a working tunnel connection for IPv6 testing to the internet.

Hello,

You need to set the MTU in Windows 7 to a higher value

netsh interface ipv4 set interface "Interface-Index" mtu=1374

and to enable BOTH an IPv4 and an IPv6 address pool.

This works:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0
 ipv6 address fd00:1865:108:690::1/64
ipv6 local pool ipv6pool fd00:1865:108:690::100/64 128
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ipv4pool
 ipv6-address-pool ipv6pool
ip local pool ipv4pool 192.168.222.100-192.168.222.200
webvpn
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 1

Ciao,

Herbert
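As an added example (not part of this reply or any Cisco tool), a Python check for the "BOTH pools" requirement above: it reads an ASA running-config excerpt and reports any tunnel-group that lacks an IPv4 or IPv6 address pool, references an undefined pool, or has webvpn enabled on no interface. The sample is the pool, group-policy, tunnel-group and webvpn lines from the configuration in this reply, with ASA's one-space sub-command indentation, which the checker relies on.

```python
import re
# Sample input: lines from the working config in this reply, one-space indented as ASA shows them (constructed copy).
WORKING_CONFIG = """\
ipv6 local pool ipv6pool fd00:1865:108:690::100/64 128
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ipv4pool
 ipv6-address-pool ipv6pool
ip local pool ipv4pool 192.168.222.100-192.168.222.200
webvpn
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 1
"""

def check_dual_stack_pools(config):
    """Return findings (empty = OK): each tunnel-group must reference both an IPv4 and
    an IPv6 pool that are defined, and webvpn must be enabled on some interface."""
    v4_pools, v6_pools, webvpn_ifaces = set(), set(), set()
    tunnel_pools = {}  # tunnel-group name -> {"v4": pool, "v6": pool}
    section = None     # ("tg", name) or ("webvpn", None) while inside that block
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # ASA indents sub-commands by one space
            section = None
        if m := re.fullmatch(r"ip local pool (\S+) .*", line):
            v4_pools.add(m.group(1))
        elif m := re.fullmatch(r"ipv6 local pool (\S+) .*", line):
            v6_pools.add(m.group(1))
        elif m := re.fullmatch(r"tunnel-group (\S+) general-attributes", line):
            section = ("tg", m.group(1))
            tunnel_pools.setdefault(m.group(1), {})
        elif line == "webvpn":
            section = ("webvpn", None)
        elif section and section[0] == "tg" and (m := re.fullmatch(r"(ipv6-)?address-pool (\S+)", line)):
            tunnel_pools[section[1]]["v6" if m.group(1) else "v4"] = m.group(2)
        elif section and section[0] == "webvpn" and (m := re.fullmatch(r"enable (\S+)", line)):
            webvpn_ifaces.add(m.group(1))
    findings = []
    for tg, pools in tunnel_pools.items():
        for fam, defined in (("v4", v4_pools), ("v6", v6_pools)):
            name = pools.get(fam)
            if name is None:
                findings.append(f"{tg}: no IP{fam} address pool assigned")
            elif name not in defined:
                findings.append(f"{tg}: IP{fam} pool {name!r} is not defined")
    if not webvpn_ifaces:
        findings.append("webvpn is not enabled on any interface")
    return findings
```

Run it against `show running-config` output saved to a file to confirm the tunnel-group really carries both pools before blaming the client side.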
