[c-nsp] So when is IPv6 failover coming to the ASA?

Nick Hilliard nick at inex.ie
Mon Sep 28 13:38:49 EDT 2009


On 28/09/2009 18:13, Abello, Vinny wrote:
> I don't care so much at this point if it fails over or not. If I were to
> configure it, would it at least work as far as passing the traffic? I
> thought I read early on that it would cause a conflict between the two ASA
> devices or is this not the case? If that's all I have to worry about, it's
> not critical that it fails over automatically at this point for me. It's
> more of an initial staging of the technology so I can start numbering my
> devices and verify connectivity, etc... As you said, you turn IPv6 off and
> back on. Is that all that's needed at this point in time? I can deal with
> that for the time being.

It certainly passes traffic and performs stateful packet firewalling.  It 
doesn't do inspection very well, and failover is documented as not implemented.

What I have observed is that these things are overlooked during 
specification because you feel that you can live with an occasional amount 
of pain. But once you get the boxes into production, you'll find that ipv6 
breaks at times which are, well, frankly rather inconvenient, like during 
time-constrained maintenance windows or when a switch crashes or reboots or 
whatever.

This isn't intended as a jab at Cisco or anything - ipv6 failover is well 
documented as not being implemented yet and, well, that's that.  It's a 
known failure mode.  It's just that we're all human and because failover 
often occurs under times of extreme network stress, end-users and 
management may get unhappy and may start shouting and colourful verbal 
incantations may be invoked when ipv6 stops working all of a sudden.

Unfortunately, ASA boxes are beloved of enterprises, and ipv6 is very much 
down the list as far as the enterprise market segment is concerned.  The 
service provider market has significantly different needs, but Cisco's ASA 
product managers are not especially focussed on this segment.

Nick

