Cisco ASA IPv6 hairpinning

Dragan Mickovic
Level 1

Hi, I have a Cisco ASA 5555-X running 9.1(2) that is providing Remote Access VPN services. The outside interface is configured with a /64 IPv6 address, which also provides an IPv6 local pool (a /116) configured from that /64. The remote users are getting a /128 properly assigned but are unable to reach any IPv6 destinations. IPv4 services are set up in similar fashion and are working correctly, but IPv6 traffic is getting dropped.

The device has the following relevant configuration settings:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

sysopt connection tcpmss 0

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sqlnet
  inspect ip-options
  inspect http
  inspect icmp
!
service-policy global_policy global


There are no interface access-lists.

packet-tracer input outside icmp <removed>:1401:13::1001 8 0 <removed>:0:7008::100

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   ::              ::              outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
 inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

thanks

dragan

4 Replies

petenixon
Level 3

I can't see all of your config, but I have seen this issue before when I did not have a route for the inside network.

I have no inside network; there are multiple other interfaces with various names, but none are "inside", nor are they security-level 100.

Someone more experienced in IPv6 may be able to confirm, but on closer inspection your packet-tracer input command may be using the wrong echo request code for ICMPv6; I think that needs to be 128.

http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/22974-icmpv6codes.html

You are correct; changing the ICMP code type allows the flow creation, but I am unable to ping. Anything else you can recommend for collecting the required data to further troubleshoot the issue?
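Two points in this thread lend themselves to scripting: the echo-request type passed to packet-tracer has to match the address family (type 8 is the ICMPv4 echo request, type 128 is the ICMPv6 echo request, as the reply above notes), and the trace output is long enough that the drop point is easy to misread when every phase reports ALLOW and only the final Action says drop, as in the original post. The Python below is an added example, not part of the thread or of Cisco's tooling: it picks the right type for the address family, composes the command in the same syntax the post uses, and parses a trace into per-phase results plus the final verdict. The interface name, the 2001:db8::/32 documentation addresses and the sample trace are constructed.

```python
"""Build and interpret Cisco ASA packet-tracer runs for ICMP echo flows.

Added example, not from the forum thread. Interface name, addresses
(2001:db8::/32 documentation space) and the sample trace are constructed.
"""
import ipaddress
import re

# Echo-request type numbers differ by address family: ICMPv4 echo request is
# type 8, ICMPv6 echo request is type 128 (RFC 4443). Passing type 8 with
# IPv6 addresses traces an ICMPv6 message that is not an echo request.
ECHO_REQUEST_TYPE = {4: 8, 6: 128}


def echo_request_type(src, dst):
    """Return the echo-request type matching the address family of src/dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    return ECHO_REQUEST_TYPE[s.version]


def build_packet_tracer(ifc, src, dst):
    """Compose 'packet-tracer input <ifc> icmp <src> <type> <code> <dst>'."""
    return f"packet-tracer input {ifc} icmp {src} {echo_request_type(src, dst)} 0 {dst}"


# 'Key: value' lines; keys with spaces (Additional Information:) do not match.
_KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_packet_tracer(output):
    """Split a trace into phase dicts and the trailing Result block.

    Phase blocks start with 'Phase: N'; the verdict block starts with a bare
    'Result:' line and carries interfaces, Action and (if any) Drop-reason.
    """
    phases, final, current, in_result = [], {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"n": int(line.split(":", 1)[1]), "type": None,
                       "subtype": None, "result": None}
            phases.append(current)
            continue
        if line == "Result:":
            in_result, current = True, None
            continue
        m = _KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if in_result:
            final[key.replace("-", "_")] = value   # Drop-reason -> drop_reason
        elif current is not None and key in ("type", "subtype", "result"):
            current[key] = value
    return {"phases": phases, **final}


def summarize(parsed):
    """Name the first phase that dropped, or flag a drop after all phases allowed."""
    denied = [p for p in parsed["phases"] if p["result"] == "DROP"]
    if denied:
        p = denied[0]
        return f"dropped in phase {p['n']} ({p['type']}/{p['subtype']})"
    if parsed.get("action") == "drop":
        return (f"all {len(parsed['phases'])} phases ALLOW but final action is drop: "
                f"{parsed.get('drop_reason')}")
    return "allowed"


# Constructed trace in the same layout as the one in the post (shortened).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   ::              ::              outside

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(build_packet_tracer("outside", "2001:db8:13::1001", "2001:db8:7008::100"))
    print(summarize(parse_packet_tracer(SAMPLE_TRACE)))
```

The parser keys the verdict on the bare `Result:` line rather than on phase count, because the number of phases varies with what is configured (NAT, inspection, VPN) and a denial can come from the final flow verdict without any individual phase reporting DROP, which is exactly the shape of the trace in the post.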