[c-nsp] PIX ipv6 neighbour problem

Andreas Mueller andreas.mueller at zdv.uni-tuebingen.de
Tue Oct 19 10:02:38 EDT 2010


	Hello,

My PIX515E is running PIX 8.0.4 with multiple contexts. In one of my 
contexts I would like to have IPv6 connectivity. The interface is 
configured as follows (anonymized IPv6 address):

-- interface:
interface GigabitEthernet1
  nameif inside
  security-level 100
  ip address 192.168.1.232 255.255.255.0
  ipv6 address XXXX:YYYY:ZZZZ:1::e8/64
  ipv6 nd prefix XXXX:YYYY:ZZZZ:1::/64 no-advertise no-autoconfig


-- ipv6-routing:
Codes: C - Connected, L - Local, S - Static
L   XXXX:YYYY:ZZZZ:1::e8/128 [0/0]
      via ::, inside
C   XXXX:YYYY:ZZZZ:1::/64 [0/0]
      via ::, inside
L   fe80::/10 [0/0]
      via ::, int_ipv6
      via ::, outside
      via ::, inside
L   ff00::/8 [0/0]
      via ::, int_ipv6
      via ::, outside
      via ::, inside
S   ::/0 [0/0]
      via XXXX:YYYY:ZZZZ:1::d, inside

When I try to ping the IP (XXXX:YYYY:ZZZZ:1::e8) of the PIX on the 
inside interface from a Linux box, I get no responses.
When I look at the output of the command "show ipv6 neighbours", run 
multiple times during the pings, I get the following outputs:

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                              Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43                  518 000a.b8fb.6d43  STALE inside
fe80::221:85ff:feca:6146                    - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                              Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43                  518 000a.b8fb.6d43  STALE inside
XXXX:YYYY:ZZZZ:1::d                           0 0021.85ca.6146  DELAY inside
fe80::221:85ff:feca:6146                    - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                              Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43                  519 000a.b8fb.6d43  STALE inside
XXXX:YYYY:ZZZZ:1::d                           0 0021.85ca.6146  PROBE inside
fe80::221:85ff:feca:6146                    - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                              Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43                  519 000a.b8fb.6d43  STALE inside
fe80::221:85ff:feca:6146                    - 0021.85ca.6146  REACH inside

Here is the output of the PIX debugging:


Oct 19 15:55:52 pix515e %PIX-7-609001: Built local-host identity:fe80::20e:cff:fe80:c80c
Oct 19 15:55:52 pix515e %PIX-7-609001: Built local-host inside:ff02::1
Oct 19 15:55:52 pix515e %PIX-6-302020: Built outbound ICMP connection for faddr ff02::1/0 gaddr fe80::20e:cff:fe80:c80c/0 laddr fe80::20e:cff:fe80:c80c/0
Oct 19 15:55:52 pix515e %PIX-7-711001: ICMPv6-ND: Sending RA to ff02::1 on inside
Oct 19 15:55:52 pix515e %PIX-7-711001: ICMPv6-ND:     MTU = 1500
Oct 19 15:55:52 pix515e %PIX-7-711001: IPV6: source fe80::20e:cff:fe80:c80c (local)
Oct 19 15:55:52 pix515e %PIX-7-711001:       dest ff02::1 (inside)
Oct 19 15:55:52 pix515e %PIX-7-711001:       traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating
Oct 19 15:55:52 pix515e %PIX-7-711001: IPv6: Sending on inside
Oct 19 15:55:56 pix515e %PIX-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::20e:cff:fe80:c80c/0 laddr fe80::20e:cff:fe80:c80c/0
Oct 19 15:55:56 pix515e %PIX-7-609002: Teardown local-host identity:fe80::20e:cff:fe80:c80c duration 0:00:04
Oct 19 15:55:56 pix515e %PIX-7-609002: Teardown local-host inside:ff02::1 duration 0:00:04


The neighbour discovery works well if I ping one Linux host from 
another.


	greetings and thanks for help,


		Andreas



-- 
Zentrum für Datenverarbeitung
Abteilung Netze
Tel: 07071-2970342
Fax: 07071-295912
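
A small parser for the `show ipv6 neigh` snapshots in the message above, added here as an example and not part of the original post. It lines up successive outputs, reports each neighbour's state sequence, and flags entries that were in PROBE and then missing from the next snapshot. The function names are hypothetical and the sample rows are built from the post's outputs.

```python
import re

# One table row: address, age (seconds or "-"), Cisco-format MAC, state, interface.
ROW = re.compile(
    r"^(\S+)\s+(\d+|-)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+([A-Z]+)\s+(\S+)\s*$",
    re.I,
)

def parse_snapshot(text):
    """Return {address: (mac, state)} for one 'show ipv6 neigh' output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, prompt and wrapped "Interface" lines do not match
            addr, _age, mac, state, _ifc = m.groups()
            table[addr] = (mac.lower(), state.upper())
    return table

def state_history(snapshots):
    """Return {address: [state per snapshot]}, 'absent' where no entry exists."""
    tables = [parse_snapshot(s) for s in snapshots]
    addrs = sorted({a for t in tables for a in t})
    return {a: [t[a][1] if a in t else "absent" for t in tables] for a in addrs}

def dropped_after_probe(history):
    """Addresses seen in PROBE and missing from the very next snapshot.

    Under RFC 4861 neighbour unreachability detection, an entry whose
    unicast probes go unanswered is deleted from the cache.
    """
    return [a for a, seq in history.items()
            if any(x == "PROBE" and y == "absent" for x, y in zip(seq, seq[1:]))]

# Sample input built from the rows in the post's four outputs
# (addresses anonymized as posted; the age column is not tracked).
STATIC = ("fe80::20a:b8ff:fefb:6d43   518 000a.b8fb.6d43  STALE inside\n"
          "fe80::221:85ff:feca:6146     - 0021.85ca.6146  REACH inside\n")
HEADER = "IPv6 Address   Age Link-layer Addr State \nInterface\n"
SNAPSHOTS = [
    HEADER + STATIC,
    HEADER + STATIC + "XXXX:YYYY:ZZZZ:1::d   0 0021.85ca.6146  DELAY inside\n",
    HEADER + STATIC + "XXXX:YYYY:ZZZZ:1::d   0 0021.85ca.6146  PROBE inside\n",
    HEADER + STATIC,
]

if __name__ == "__main__":
    hist = state_history(SNAPSHOTS)
    for addr, seq in hist.items():
        print(f"{addr:28} {' -> '.join(seq)}")
    print("dropped after PROBE:", dropped_after_probe(hist))
```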


