Cisco Support Community

Bronze

ASA 9.3 - Multiple Context - IPv6 between contexts

Hi,


We have an ASA 5525 with multiple contexts running 9.3(1). We are having trouble routing IPv6 traffic between contexts.

Assume: Internet ---- <ASA "Internet" Context> --- <ASA "Customer A" Context> ---- End Host

We have configured static routes from the Internet to the end host and the other way around.
We do not see IPv6 neighbors getting established between the two ASA contexts. IPv4 is working just fine.

Does anyone have an idea what I missed in the configuration? All interfaces (in all contexts) are using unique MAC addresses.

Regards,

Erik Tamminga

Customer ASA:

interface CustomerAInside
 nameif inside
 security-level 100
 ip address 172.29.10.10 255.255.255.0 standby 172.29.10.11
 ipv6 address 2001:abcd:0:a::a/64 standby 2001:abcd:0:a::b
 ipv6 enable
 ipv6 nd suppress-ra
!
interface PublicDMZ
 nameif outside
 security-level 0
 ip address 1.2.3.10 255.255.255.0
 ipv6 address 2001:abcd:0:ff01::a/64 standby 2001:abcd:0:ff01::b
 ipv6 enable
 ipv6 nd suppress-ra
!

ipv6 route outside ::/0 2001:abcd:0:ff01::1
ipv6 route inside 2001:abcd::/48 2001:abcd:0:a::1

Internet ASA:

interface Outside
 nameif outside
 security-level 0
 ip address 7.8.9.10 255.255.255.0
 ipv6 address 2001:7890:1400:18::2/64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface PublicDMZ
 nameif public-dmz
 security-level 50
 ip address 1.2.3.10 255.255.255.0
 ipv6 address 2001:abcd:0:ff01::1/64
 ipv6 enable
 ipv6 nd suppress-ra
!

ipv6 route outside ::/0 2001:7890:1400:18::1
ipv6 route public-dmz 2001:abcd::/48 2001:abcd:0:ff01::a

5 REPLIES
Hall of Fame Super Silver

Hmm, this is a bit of speculation, but IPv6 relies heavily on multicast. I know that when we tried to do OSPF routing (IPv4) between contexts it would not work, since multicast is not supported between either shared or unshared interfaces in multiple context mode.

Bronze

Hi,

Thanks. I suspected something like this. All IPv6 manual pages say it is supported in multi-context but do not specifically mention shared interfaces.

I've created a TAC case to be sure.

Regards,

Erik

New Member

Hi

I have exactly the same problem.

Did you get it sorted, and if so, what was the solution?

Thanks.

Bronze

Hi,

It turns out not to be supported on ASA 9.3. The IPv6 neighbor mechanism relies on multicasting, and multicasting (IPv4 & IPv6) is not supported on shared interfaces.

Two ways to work around it:

- Define static neighbors. Works fine if you only have 2-3 contexts. Too much work if you need more contexts. You need to set up a full mesh of routes and static neighbors.

- Have some other device in the shared network do routing (router on a stick) for IPv6.

I did the last. I use one context for Internet->DMZ traffic and multiple other contexts (one per customer) to handle DMZ->Customer X traffic. The switch in the DMZ VLAN was able to do IPv6 routing, and I now have all my routes from all contexts pointed to the L3 interface on the DMZ VLAN of the switch. And on the switch there are routes pointing to all Customers/contexts and a default.

Regards,

Erik
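
The full mesh that the static-neighbor workaround above requires, as an added example that is not part of the original thread or Cisco's own tooling: a generator for the per-context `ipv6 neighbor` and `ipv6 route` lines. Context names, MAC addresses and the 2001:db8:: documentation prefixes are constructed, and only the active (not standby) addresses are meshed.

```python
# Added example: full mesh of static IPv6 neighbors/routes for ASA contexts
# sharing one interface. All names, MACs and addresses below are constructed.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from itertools import permutations


@dataclass(frozen=True)
class Context:
    name: str               # context name (hypothetical)
    nameif: str             # nameif of the shared interface in this context
    shared_ip: IPv6Address  # active address on the shared segment
    mac: str                # unique shared-interface MAC, ASA dotted notation
    prefixes: tuple = ()    # prefixes the other contexts reach via this one


def mesh_config(contexts):
    """Return {context name: [config lines]} covering every ordered pair."""
    if len({c.shared_ip for c in contexts}) != len(contexts):
        raise ValueError("duplicate address on the shared segment")
    if len({c.mac.lower() for c in contexts}) != len(contexts):
        raise ValueError("shared-interface MAC addresses must be unique")
    config = {c.name: [] for c in contexts}
    for local, peer in permutations(contexts, 2):
        lines = config[local.name]
        # Static entry stands in for neighbor discovery, which needs multicast.
        lines.append(f"ipv6 neighbor {peer.shared_ip} {local.nameif} {peer.mac}")
        for prefix in peer.prefixes:
            lines.append(f"ipv6 route {local.nameif} {prefix} {peer.shared_ip}")
    return config


SEG = "2001:db8:0:ff01::"  # documentation prefix used as the shared DMZ segment
CONTEXTS = [
    Context("internet", "public-dmz", IPv6Address(SEG + "1"),
            "0200.0000.0001", (IPv6Network("::/0"),)),
    Context("customer-a", "outside", IPv6Address(SEG + "a"),
            "0200.0000.000a", (IPv6Network("2001:db8:a::/48"),)),
    Context("customer-b", "outside", IPv6Address(SEG + "b"),
            "0200.0000.000b", (IPv6Network("2001:db8:b::/48"),)),
]

if __name__ == "__main__":
    for name, lines in mesh_config(CONTEXTS).items():
        print(f"! context {name}: {len(lines)} lines")
        print("\n".join(lines))
```

With n contexts the mesh needs n*(n-1) neighbor entries, and every new context means touching the configuration of all existing ones.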

New Member

Thank You Erik
