IPv6 ACL issues on Cisco 2801

csprung
Level 1

Hello,

I have a problem regarding an IPv6 ACL on a Cisco 2801. I run IOS version 12.4(15)T3 Advanced IP Services. You will find below what I put in my configuration.

My problem is that the outbound ACL never matches anything. For example, my tunnel broker pings the tunnel endpoint every 30 minutes; I can see the echo requests in TU0-INBOUND. If I ping something, I see the replies in TU0-INBOUND. But the match counters of TU0-OUTBOUND remain zero.

If I make a telnet like this, 'telnet ipv6.google.com 80', I get '% Connection timed out; remote host not responding'. I would expect a match in line 3 of TU0-OUTBOUND, and the router should create the temporary ACL REFLECTOUT. But all that matches is the implicit deny of TU0-INBOUND, causing the above timeout. :-(

What am I missing here? Is it a bug, or is there an error in my configuration?

Carsten

! Tunnel0 carries the IPv6-in-IPv4 tunnel to the broker; both
! traffic-filters below are applied on this interface
interface Tunnel0
 description IPv6 uplink to SixXS
 no ip address
 ipv6 address 2A01:aaa:bbb:cc::d/64
 ipv6 enable
 ipv6 traffic-filter TU0-INBOUND in
 ipv6 traffic-filter TU0-OUTBOUND out
 tunnel source Dialer0
 tunnel destination a.b.c.d
 tunnel mode ipv6ip
!
! Inbound: allow pings to/from the tunnel endpoint, then consult the
! reflexive list REFLECTOUT for return traffic, then deny and log the rest
ipv6 access-list TU0-INBOUND
 permit icmp any host 2A01:aaa:bbb:cc::d echo-request
 permit icmp any host 2A01:aaa:bbb:cc::d echo-reply
 evaluate REFLECTOUT
 deny ipv6 any any log-input
!
! Outbound: allow pings from the tunnel endpoint; any TCP/UDP leaving the
! tunnel creates a mirrored temporary entry in REFLECTOUT
ipv6 access-list TU0-OUTBOUND
 permit icmp host 2A01:aaa:bbb:cc::d any echo-reply
 permit icmp host 2A01:aaa:bbb:cc::d any echo-request
 permit tcp any any reflect REFLECTOUT
 permit udp any any reflect REFLECTOUT
 deny ipv6 any any log-input

1 Reply

csprung
Level 1

Hi,

The 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet. Even though I had no end-to-end connectivity, I could see packets matching the outbound ACL which were created from a host on that subnet.

Carsten
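What Carsten observed in the follow-up is documented IOS behaviour rather than a bug: an access list applied to an interface in the outbound direction is not run against packets the router itself originates (its own pings, its own telnet sessions), so those packets neither increment the TU0-OUTBOUND counters nor create temporary entries in REFLECTOUT, and the returning packets fall through `evaluate REFLECTOUT` to the final deny. The Python model below is an added example, not code from the thread or from Cisco. It reproduces the ACLs from the post as data, implements reflexive `reflect`/`evaluate` semantics (a permit with `reflect` records a mirrored 5-tuple; `evaluate` permits a packet only if its 5-tuple is in that list), applies the router-originated exemption, and runs three scenarios: a LAN host's TCP session, the router's own telnet to port 80, and the broker's periodic ping. The LAN host, remote server and broker addresses are constructed placeholders from the 2001:db8::/32 documentation prefix; only the tunnel endpoint address comes from the post.

```python
"""Model of IOS IPv6 reflexive ACL evaluation (added example, not Cisco code)."""
from dataclasses import dataclass

ROUTER = "2A01:aaa:bbb:cc::d"      # tunnel endpoint from the post
LAN_HOST = "2001:db8:1::10"        # constructed: a host behind the router
REMOTE = "2001:db8:ffff::80"       # constructed: a remote web server
BROKER = "2001:db8:ffff::1"        # constructed: the tunnel broker's PoP


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo-request" / "echo-reply" for icmp
    local: bool = False   # True when the router itself generated the packet


@dataclass
class Ace:
    action: str           # "permit", "deny" or "evaluate"
    proto: str = "ipv6"   # "ipv6" matches any protocol, like IOS
    src: str = "any"
    dst: str = "any"
    icmp_type: str = ""
    reflect: str = ""     # reflexive list to populate when this ACE permits
    evaluate: str = ""    # reflexive list consulted by an "evaluate" ACE
    hits: int = 0         # the match counter shown by "show ipv6 access-list"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        return True


class Router:
    def __init__(self) -> None:
        self.reflexive: dict[str, set] = {}   # name -> set of 5-tuples
        self.inbound = [                      # TU0-INBOUND from the post
            Ace("permit", "icmp", "any", ROUTER, icmp_type="echo-request"),
            Ace("permit", "icmp", "any", ROUTER, icmp_type="echo-reply"),
            Ace("evaluate", evaluate="REFLECTOUT"),
            Ace("deny"),
        ]
        self.outbound = [                     # TU0-OUTBOUND from the post
            Ace("permit", "icmp", ROUTER, "any", icmp_type="echo-reply"),
            Ace("permit", "icmp", ROUTER, "any", icmp_type="echo-request"),
            Ace("permit", "tcp", reflect="REFLECTOUT"),
            Ace("permit", "udp", reflect="REFLECTOUT"),
            Ace("deny"),
        ]

    def _apply(self, acl: list, p: Packet) -> bool:
        for ace in acl:
            if ace.action == "evaluate":
                # Temporary entries are keyed on the full 5-tuple of the return packet
                key = (p.proto, p.src, p.sport, p.dst, p.dport)
                if key in self.reflexive.get(ace.evaluate, set()):
                    ace.hits += 1
                    return True
                continue                      # no dynamic entry: fall through
            if ace.matches(p):
                ace.hits += 1
                if ace.reflect:
                    # Mirror the packet: src/dst and ports swapped for the reply
                    mirrored = (p.proto, p.dst, p.dport, p.src, p.sport)
                    self.reflexive.setdefault(ace.reflect, set()).add(mirrored)
                return ace.action == "permit"
        return False                          # implicit deny at end of list

    def send(self, p: Packet) -> bool:
        """Packet leaving through Tunnel0 (outbound traffic-filter)."""
        if p.local:
            # IOS does not run interface outbound ACLs against traffic the
            # router originates: no counter increment, no reflexive entry.
            return True
        return self._apply(self.outbound, p)

    def receive(self, p: Packet) -> bool:
        """Packet arriving on Tunnel0 (inbound traffic-filter)."""
        return self._apply(self.inbound, p)


def scenario_lan_host():
    """Host behind the router opens TCP/80: reflect entry created, reply allowed."""
    r = Router()
    sent = r.send(Packet(LAN_HOST, REMOTE, "tcp", sport=40000, dport=80))
    back = r.receive(Packet(REMOTE, LAN_HOST, "tcp", sport=80, dport=40000))
    return sent, back, r.outbound[2].hits


def scenario_router_telnet():
    """'telnet ipv6.google.com 80' from the router: reply hits the final deny."""
    r = Router()
    sent = r.send(Packet(ROUTER, REMOTE, "tcp", sport=11000, dport=80, local=True))
    back = r.receive(Packet(REMOTE, ROUTER, "tcp", sport=80, dport=11000))
    return sent, back, r.outbound[2].hits


def scenario_broker_ping():
    """Broker pings the endpoint: inbound line 1 counts, outbound stays at zero."""
    r = Router()
    r.receive(Packet(BROKER, ROUTER, "icmp", icmp_type="echo-request"))
    r.send(Packet(ROUTER, BROKER, "icmp", icmp_type="echo-reply", local=True))
    return r.inbound[0].hits, r.outbound[0].hits
```

On the real router the equivalent evidence is `show ipv6 access-list`, which prints the per-entry match counters and, once a LAN host has opened a session, the temporary entries under REFLECTOUT; a session started from the router's own CLI leaves both unchanged.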