03-02-2015 11:51 AM
Hi, I have a Cisco ASA 5555-X running 9.1(2) that is providing Remote Access VPN Services.
The outside interface is configured with a /64 IPv6 address, which also provides an IPv6 local
pool (a /116) configured from that /64. The remote users are getting a /128 properly assigned
but are unable to reach any IPv6 destinations. IPv4 services are set up in similar fashion and are
working correctly, but IPv6 traffic is getting dropped.
The device has the following relevant configuration settings:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
sysopt connection tcpmss 0
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect sqlnet
inspect ip-options
inspect http
inspect icmp
!
service-policy global_policy global
There are no interface access-lists.
packet-tracer input outside icmp <removed>:1401:13::1001 8 0 <removed>:0:7008::100
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in :: :: outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
thanks
dragan
03-02-2015 12:14 PM
I can't see all of your config but I have seen this issue before when I did not have a route for the inside network.
03-02-2015 01:17 PM
I have no inside network, there are other multiple interfaces with various names but none are "inside" nor are security-level 100.
03-02-2015 03:02 PM
Someone more experienced in IPv6 may be able to confirm, but on closer inspection your packet-tracer input command may be using the wrong echo request code for ICMPv6; I think that needs to be 128.
http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/22974-icmpv6codes.html
03-02-2015 05:38 PM
You are correct, changing the ICMP Code type allows the flow creation but I am unable to ping. Anything else you can recommend on collecting the required data to further troubleshoot the issue?
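When re-running packet-tracer with the corrected ICMPv6 type, it helps to compare traces mechanically rather than by eye: this added example (not code from the thread or from Cisco) parses packet-tracer output into per-phase records plus the final verdict, so you can see at once whether any phase denied the flow or whether, as in the trace above, every phase allowed it and only the final Action reports the drop. The sample trace is constructed, abridged from the one posted above.

```python
import re
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^([A-Za-z-]+(?: [A-Za-z-]+)*):\s*(.*)$")
HEADERS = ("Config", "Additional Information")   # headers followed by free-form lines
PHASE_KEYS = ("Type", "Subtype", "Result")

def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per phase plus the trailing 'Result:' block."""
    phases, verdict, current, bucket = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m, kv = PHASE_RE.match(line), KV_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "Config": [], "Additional Information": []}
            phases.append(current)
            bucket = None
        elif line == "Result:":                 # bare header opens the final verdict block
            current, bucket = verdict, None
        elif current is None:
            continue                            # anything before the first phase
        elif kv and kv.group(1) in HEADERS and current is not verdict:
            bucket = current[kv.group(1)]       # free-form lines that follow belong here
        elif kv and (kv.group(1) in PHASE_KEYS or current is verdict):
            current[kv.group(1)], bucket = kv.group(2), None
        elif bucket is not None:
            bucket.append(line)                 # e.g. "Implicit Rule", "in :: :: outside"
    return phases, verdict

def all_phases_allow(phases):
    """True when every phase allowed the flow, so a drop can only come from the final verdict."""
    return all(p.get("Result") == "ALLOW" for p in phases)

# Constructed sample, abridged from the trace posted in the thread.
SAMPLE = """Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in :: :: outside
Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule"""
```

Paste the full output of a `packet-tracer ... detailed` run into `SAMPLE` (or read it from a file) and diff the returned phases between the IPv4 and IPv6 runs; the phase whose Config differs is usually where to look next.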