PIX IPv6 Failover bug

An active/standby failover is to be set up for IPv6. Current configuration excerpt:

interface Ethernet1
 nameif inside
 security-level 100
 ipv6 address 2001:4bd8:x:y::/64 eui-64
 ipv6 enable
 ipv6 nd prefix 2001:4bd8:x:y::/64
!
failover
failover key *****
failover replication http
failover link failover Ethernet5
failover interface ip failover ...
!

primary# sh ipv6 interface brief
inside [up/up]
    fe80::20d:88ff:fe10:7a98
    2001:4bd8:x:y:20d:88ff:fe10:7a98

secondary# sh ipv6 interface brief
inside [up/up]
    fe80::20d:88ff:fe10:70c4
    2001:4bd8:x:y:20d:88ff:fe10:70c4

This results in the following autoconfig entry on an inside host:

ip -6 addr
1: eth: mtu 1500 qlen 1000
    inet6 2001:4bd8:x:y:20e:cff:fe36:822c/64 scope global dynamic
       valid_lft 2591954sec preferred_lft 604754sec
    inet6 fe80::20e:cff:fe36:822c/64 scope link
       valid_lft forever preferred_lft forever

ip -6 route
2001:4bd8:x:y::/64 dev eth proto kernel metric 256 expires 2592120sec mtu 1500 advmss 1440
fe80::/64 dev eth metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth metric 256 mtu 1500 advmss 1440
default via fe80::20d:88ff:fe10:70c4 dev eth proto kernel metric 1024 expires 1742sec mtu 1500 advmss 1440
default via fe80::20d:88ff:fe10:7a98 dev eth proto kernel metric 1024 expires 1758sec mtu 1500 advmss 1440

It's obvious that the router announcement from the secondary pix is sent even though the machine is in standby state. This causes the responses from the inside host to be sent to the standby pix, which silently drops the packets.

Cross-checking the usage of the wrong route (display neighbour states):

primary# sh ipv6 neighbor
IPv6 Address                              Age Link-layer Addr State Interface
2001:4bd8:x:y:20e:cff:fe36:822c            60 000e.0c36.822c  STALE inside
fe80::20e:cff:fe36:822c                    60 000e.0c36.822c  STALE inside

secondary# sh ipv6 neighbor
IPv6 Address                              Age Link-layer Addr State Interface
fe80::20e:cff:fe36:822c                     0 000e.0c36.822c  REACH inside

Packet debug on the inside host:

11:27 00:0d:88:10:7a:98 > 00:0e:0c:36:82:2c, ethertype IPv6 (0x86dd), length 118: 2001:4bd8:0:666:280:adff:fe1e:79ba > 2001:4bd8:x:y:20e:cff:fe36:822c: icmp6: echo request seq 1
11:27 00:0e:0c:36:82:2c > 00:0d:88:10:70:c4, ethertype IPv6 (0x86dd), length 118: 2001:4bd8:x:y:20e:cff:fe36:822c > 2001:4bd8:0:666:280:adff:fe1e:79ba: icmp6: echo reply seq 1
11:27 00:0e:0c:36:82:2c > 00:0d:88:10:70:c4, ethertype IPv6 (0x86dd), length 74: 2001:4bd8:x:x:20e:cff:fe36:822c.25 > 2001:4bd8:0:104:230:6eff:fe06:8b73.54880: R [tcp sum ok] 0:0(0) ack 3120461656 win 0 (len 20, hlim 64)

Please note the different MAC addresses: packets come from the primary and answers are sent to the secondary. Furthermore you can see a TCP-RST from the pix denying outgoing SMTP via IPv6.

How can IPv6 be configured correctly in a failover environment?

Lutz Donnerhacke
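The symptom above is visible on any inside host: two default routes, one per firewall unit, both learned from router advertisements. The following is an added example, not code from the original thread, that checks for exactly that condition. It parses `ip -6 route` output, derives the MAC address of each advertised default router from its EUI-64 link-local address (the same derivation the PIX used for its own `eui-64` addresses), and reports every default router that does not belong to the unit expected to be active. The route output is a constructed copy of the lines quoted in the post; the active unit's MAC (00:0d:88:10:7a:98, the primary's, taken from the tcpdump source address in the post) and the function names are assumptions of this example.

```python
"""Detect IPv6 default routers advertised by a unit other than the active firewall.

Added example, not from the original post. It inspects a Linux host's
`ip -6 route` output and maps each 'default via fe80::...' router back to a
MAC address via the EUI-64 interface identifier, so that router
advertisements leaking from a standby unit show up as an extra default
router with the standby's MAC.
"""
import ipaddress
import re

# Constructed sample: the `ip -6 route` lines quoted in the thread, one per line.
ROUTE_OUTPUT = """\
2001:4bd8:x:y::/64 dev eth proto kernel metric 256 expires 2592120sec mtu 1500 advmss 1440
fe80::/64 dev eth metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth metric 256 mtu 1500 advmss 1440
default via fe80::20d:88ff:fe10:70c4 dev eth proto kernel metric 1024 expires 1742sec mtu 1500 advmss 1440
default via fe80::20d:88ff:fe10:7a98 dev eth proto kernel metric 1024 expires 1758sec mtu 1500 advmss 1440
"""

# Assumption: the primary unit is the active one; its inside MAC is the source
# MAC of the echo request in the thread's packet capture.
ACTIVE_MAC = "00:0d:88:10:7a:98"

DEFAULT_RE = re.compile(r"^default via (?P<via>\S+) dev (?P<dev>\S+)")
EXPIRES_RE = re.compile(r"expires (?P<sec>\d+)sec")


def parse_default_routers(route_output):
    """Return {router_link_local: remaining_lifetime_seconds_or_None}."""
    routers = {}
    for line in route_output.splitlines():
        m = DEFAULT_RE.match(line.strip())
        if not m:
            continue
        exp = EXPIRES_RE.search(line)
        routers[m.group("via")] = int(exp.group("sec")) if exp else None
    return routers


def eui64_to_mac(addr):
    """Recover the MAC from an EUI-64 interface identifier, or None if not EUI-64.

    EUI-64 inserts ff:fe in the middle of the MAC and flips the
    universal/local bit (0x02) of the first octet; undo both.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # manually configured identifier; cannot derive a MAC
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def classify_default_routers(route_output, active_mac):
    """Label each default router as 'active', 'standby' or 'unknown'."""
    result = {}
    for via, expires in parse_default_routers(route_output).items():
        mac = eui64_to_mac(via)
        if mac is None:
            status = "unknown"
        elif mac.lower() == active_mac.lower():
            status = "active"
        else:
            status = "standby"
        result[via] = {"mac": mac, "status": status, "expires": expires}
    return result


def rogue_default_routers(route_output, active_mac):
    """Link-local addresses of default routers that are not the active unit."""
    classified = classify_default_routers(route_output, active_mac)
    return sorted(via for via, info in classified.items() if info["status"] != "active")


if __name__ == "__main__":
    for via, info in classify_default_routers(ROUTE_OUTPUT, ACTIVE_MAC).items():
        print(f"{via:32} mac={info['mac']} status={info['status']} expires={info['expires']}s")
    rogues = rogue_default_routers(ROUTE_OUTPUT, ACTIVE_MAC)
    if rogues:
        print("WARNING: router advertisements received from non-active unit(s):", ", ".join(rogues))
```

Run it periodically on a host behind the firewall pair; a non-empty warning means the standby unit is still sending router advertisements and return traffic will be black-holed as described in the post. The `expires` value shows how long the host will keep using the stale router after the advertisements stop.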

[...]

The problem becomes worse in the failover situation itself: the IPv6 addresses do not change, but the interface MAC does. The IPv6 addresses change only when the standby unit reboots (or vice versa, I did not notice exactly).

Consequently the PIXs are unable to receive IPv6 packets at all, because they do not take the frames from the Ethernet for their IPv6 addresses, or ignore them because the frames contain packets with the wrong IPv6 addresses.

Question remains.

Currently IPv6 is not usable with PIX in simple failover environments.

Lutz Donnerhacke

It can't.

Answer from TAC: Configure "ipv6 nd suppress-ra" on the standby interfaces. I did this directly after noticing the problem days ago, so TAC said nothing new.

This "solution" requires hand configuration after each failover:
- "no ipv6 nd suppress-ra" on the now active unit
- "ipv6 nd suppress-ra" on the now standby unit
- urge all connected hosts to reconfigure IPv6
- change the destination of (static) IPv6 routes on outside routers

In active-active configuration the situation becomes even worse.

Conclusion: IPv6 with failover setups is a NO GO for production environments. Bad luck, Cisco!

Lutz Donnerhacke

Current workaround for failover.

interface ethernet0
 ipv6 enable
 ipv6 address autoconfig             ! learn external router
 ipv6 address 2001:4bd8:r:s::x:1/64  ! for static external routes
 ipv6 nd suppress-ra
interface ethernet1
 ipv6 enable
 ipv6 address fe00::1 link-local     ! router-announcements
 ipv6 nd prefix 2001:4bd8:x:y::/64   ! router-announcements
 ipv6 address 2001:4bd8:x:y::1/64    ! external access via DNS

This setup works for failover due to reboot of the active PIX. The addresses of the new standby PIX are disabled using Neighbour Discovery Duplicate Address Detection. External and internal routers and hosts use ND to determine the MAC address of those addresses (just like ARP). MAC addresses change on failover.

It fails to work on manual failover or failover due to failure of monitored interfaces. In those cases ND DAD prevents the address switch. IPv6 traffic is routed to the standby PIX which discards it silently.

Lutz Donnerhacke

This workaround has to be used for a longer time.

TAC responded that Cisco does not support IPv6 in failover. If you use PIX and IPv6 please drop a feature request to your account manager. Thanks.

Lutz Donnerhacke

Bug is confirmed: CSCsc87555

Lutz Donnerhacke
