Cisco Support Community

New Member

ZBF with IPv6 tunnel (HE/Sixxs) doesn't work when CEF is enabled

Hi,

I recently reworked the firewall config in our office to also filter the self zone, and since then I'm experiencing issues with our IPv6 tunnel uplinks (both Hurricane Electric and SIXXS).

The tunnel config:

interface Tunnel4
 no ip address
 zone-member security zone_wan
 ipv6 address 2001:470:1F08:AAAA::2/64
 ipv6 enable
 tunnel source Loopback0
 tunnel mode ipv6ip
 tunnel destination 216.66.80.26

interface Loopback0
 ip address 212.1.1.1 255.255.255.248
 zone-member security zone_wan

(212.1.1.1 is part of a range routed to this router via another link, also in zone_wan)

The relevant part of the ZBF config:

ip access-list extended acl_v6tunnels
 remark IPv6 uplinks ip6 in ip tunnel
 permit 41 host 216.66.80.26 any
 permit 41 any host 216.66.80.26

class-map type inspect match-any cm_v6tunnels
 match access-group name acl_v6tunnels

policy-map type inspect pm_wan_to_self
 description Policy for zone wan to zone self
 class type inspect cm_gw_svc_vpn
  pass
 class type inspect cm_v6tunnels
  pass
 class type inspect cm_icmp6_echo
  inspect
 class type inspect cm_icmp_echo
  inspect
 class class-default
  drop

policy-map type inspect pm_self_to_wan
 description Policy for zone self to zone wan
 class type inspect cm_gw_svc_vpn
  pass
 class type inspect cm_v6tunnels
  pass
 class type inspect cm_full_ip_gw_inspect
  inspect
 class class-default
  drop

zone-pair security zp_wan_to_self source zone_wan destination self
 service-policy type inspect pm_wan_to_self

zone-pair security zp_self_to_wan source self destination zone_wan
 service-policy type inspect pm_self_to_wan

If I try to ping the other end of the tunnel, for example, the forward packets are getting out, but the return packets are somehow blocked ... They seem to match the cm_v6tunnels ACL in the return direction but never get to the 'ipv6 stage' (a debug ipv6 packet never shows them).

And the curious part is that if I disable IPv6 CEF (no ipv6 cef globally), then traffic starts flowing, both from/to the router itself (trying to ping various stuff) and from/to the hosts on the LAN that are on the subnet routed through that link.

If I remove the two zone-pairs, then it works as well.

So what is going on ???

Running without self fw on the wan and running without CEF both don't seem like solutions ...

Cheers,

Sylvain

3 REPLIES
Cisco Employee

Hi,

Do you see any kind of FW logs when you turn on the ip inspect log drop-pkt?

Mike

New Member

No, nothing.

New Member

On the class type subcommand drop, change it to drop log. This should log all your dropped packets that match this class.
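The logging change suggested in this reply, as an added example that is not code from the thread or from Cisco: a small Python audit that parses IOS "policy-map type inspect" and "zone-pair security" blocks and lists every class that still drops silently in a policy bound to the self zone. The sample config is a constructed subset of the one posted above, and the parser assumes the usual one-space IOS sub-command indentation.

```python
# Constructed subset of the thread's config: one class-default still uses a bare "drop".
SAMPLE_CONFIG = """\
policy-map type inspect pm_wan_to_self
 class type inspect cm_v6tunnels
  pass
 class class-default
  drop
policy-map type inspect pm_self_to_wan
 class class-default
  drop log
zone-pair security zp_wan_to_self source zone_wan destination self
 service-policy type inspect pm_wan_to_self
zone-pair security zp_self_to_wan source self destination zone_wan
 service-policy type inspect pm_self_to_wan
"""

def parse_zbf(config):
    """Return (policies, pairs): policy name -> [(class, action)], pair name -> [src, dst, policy]."""
    policies, pairs, block, cls = {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:  # skip blank lines
            continue
        if not line.startswith(" "):            # top-level command starts a new block
            cls = None
            if words[:3] == ["policy-map", "type", "inspect"]:
                block, policies[words[3]] = ("policy", words[3]), []
            elif words[:2] == ["zone-pair", "security"]:
                block = ("pair", words[2])      # ... source SRC destination DST
                pairs[words[2]] = [words[4], words[6], None]
            else:
                block = None
        elif block and block[0] == "policy":
            if words[0] == "class":             # "class type inspect X" or "class class-default"
                cls = words[-1]
            elif cls and words[0] in ("pass", "inspect", "drop"):
                policies[block[1]].append((cls, " ".join(words)))
        elif block and block[0] == "pair" and words[:3] == ["service-policy", "type", "inspect"]:
            pairs[block[1]][2] = words[3]
    return policies, pairs

def unlogged_drops(config, zone="self"):
    """(zone_pair, policy, class) for every bare 'drop' in a policy bound to a pair touching `zone`."""
    policies, pairs = parse_zbf(config)
    return [(pair, policy, cls)
            for pair, (src, dst, policy) in pairs.items()
            if zone in (src, dst)
            for cls, action in policies.get(policy, [])
            if action == "drop"]
```

Each finding names a class whose drops leave no trace in the log; changing that action to "drop log" (or enabling ip inspect log drop-pkt, as asked earlier in the thread) makes the missing return packets visible.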
