[c-nsp] So when is IPv6 failover coming to the ASA?

Andrew Yourtchenko ayourtch at cisco.com
Wed Oct 7 14:19:40 EDT 2009



On Mon, 28 Sep 2009, Nick Hilliard wrote:

> On 28/09/2009 18:13, Abello, Vinny wrote:
>>  I don't care so much at this point if it fails over or not. If I were to
>>  configure it, would it at least work as far as passing the traffic? I
>>  thought I read early on that it would cause a conflict between the two ASA
>>  devices or is this not the case? If that's all I have to worry about, it's
>>  not critical that it fails over automatically at this point for me. It's
>>  more of an initial staging of the technology so I can start numbering my
>>  devices and verify connectivity, etc... As you said, you turn IPv6 off and
>>  back on. Is that all that's needed at this point in time? I can deal with
>>  that for the time being.
>
> It certainly passes traffic and performs stateful packet firewalling.  It 
> doesn't do inspection very well, and failover is documented as not 
> implemented.
>
> What I have observed is that these things are overlooked during specification 
> because you feel that you can live with an occasional amount of pain. But 
> once you get the boxes into production, you'll find that ipv6 breaks at times 
> which are, well, frankly rather inconvenient, like during time-constrained 
> maintenance windows or when a switch crashes or reboots or whatever.

Both units act in ND and RA as if they had the same IPv6 address 
configured - "failover" and "ipv6" are unaware of each other. Hence the 
effect you observe - there are pseudo-stable states in this scenario.

8.2.2 should make the ipv6 and failover better friends than they are now.

thanks,
andrew

>
> This isn't intended as a jab at Cisco or anything - ipv6 failover is well 
> documented as not being implemented yet and, well, that's that.  It's a known 
> failure mode.  It's just that we're all human and because failover often 
> occurs under times of extreme network stress, end-users and management may 
> get unhappy and may start shouting and colourful verbal incantations may be 
> invoked when ipv6 stops working all of a sudden.
>
> Unfortunately, ASA boxes are beloved of enterprises, and ipv6 is very much 
> down the list as far as the enterprise market segment is concerned.  The 
> service provider market has significantly different needs, but Cisco's ASA 
> product managers are not especially focussed on this segment.
>
> Nick
>
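Two units answering for the same IPv6 address show up on the segment as Neighbor Advertisements whose link-layer address keeps changing for one target. The sketch below is an added example, not part of the original post or any Cisco tooling; it flags that pattern in a constructed list of observed advertisements, and the function name, time window and flip threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (seconds, NA target address, advertised link-layer address).
# Addresses are from the 2001:db8::/32 documentation prefix and the MACs from
# the 00:00:5e:00:53:xx documentation range; none come from a real capture.
SAMPLE_NA = [
    (0.0,   "2001:db8:0:1::1",      "00:00:5e:00:53:01"),
    (1.0,   "2001:db8:0:1::10",     "00:00:5e:00:53:aa"),
    (2.5,   "2001:DB8:0:1:0:0:0:1", "00:00:5E:00:53:02"),
    (4.0,   "2001:db8:0:1::1",      "00:00:5e:00:53:01"),
    (9.0,   "2001:db8:0:1::1",      "00:00:5e:00:53:02"),
    (200.0, "2001:db8:0:1::10",     "00:00:5e:00:53:aa"),
]

def find_contested_addresses(observations, window_s=30.0, min_flips=2):
    """Return {address: {"macs": [...], "flips": n}} for each IPv6 address whose
    advertised link-layer address changed at least min_flips times, counting a
    change only if it came within window_s of the previous advertisement.
    A single change is treated as a normal takeover, not a conflict."""
    last = {}                  # address -> (time, mac) of the previous NA
    macs = defaultdict(set)    # address -> every MAC seen claiming it
    flips = defaultdict(int)   # address -> number of rapid binding changes
    for t, addr, mac in sorted(observations):
        ip = ipaddress.IPv6Address(addr)   # normalises textual forms
        mac = mac.lower()
        macs[ip].add(mac)
        if ip in last:
            prev_t, prev_mac = last[ip]
            if mac != prev_mac and t - prev_t <= window_s:
                flips[ip] += 1
        last[ip] = (t, mac)
    return {str(ip): {"macs": sorted(seen), "flips": flips[ip]}
            for ip, seen in macs.items() if flips[ip] >= min_flips}

if __name__ == "__main__":
    for addr, info in find_contested_addresses(SAMPLE_NA).items():
        print(addr, info["flips"], "flips between", ", ".join(info["macs"]))
```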

