Routing
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
CFU-JoshHoppes
Visitor
CFU-JoshHoppes
Posts: 4
Registered: ‎10-07-2011
0

IPv6 can't ping local neighbor but can reach other sites

[ Edited ]
Options

‎05-10-2012 12:52 PM - edited ‎05-10-2012 12:54 PM

I have an interesting issue, might be a known bug some where. Up front here is some of the configuration snippets

 

Model: mx80
JUNOS Base OS boot [11.2R5.4]
JUNOS Base OS Software Suite [11.2R5.4]
JUNOS Kernel Software Suite [11.2R5.4]
JUNOS Crypto Software Suite [11.2R5.4]
JUNOS Packet Forwarding Engine Support (MX80) [11.2R5.4]
JUNOS Online Documentation [11.2R5.4]
JUNOS Routing Software Suite [11.2R5.4]

 

show configuration interfaces ge-1/1/0
description "Hurricane Electric";
mtu 9014;
unit 0 {
    description "Hurricane Electric IP Transit";
    family inet {
        mtu 9000;
        address 216.66.77.130/30;
    }
    family inet6 {
        mtu 9000;
        address 2001:470:1:31b::2/126;
    }
}

 

show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input-list [ management ospf-routing bgp-routing permit-icmp ];
        }
        address 24.149.0.181/32;
        address 127.0.0.1/32;
    }
    family inet6 {
        filter {
            input-list [ management6 ospf3-routing bgp6-routing permit-icmp6 ];
        }
        address ::1/128;
    }
}

 

show configuration firewall family inet6 filter permit-icmp6
term permit-icmp {
    from {
        next-header [ icmpv6 icmp6 icmp ];
    }
    then accept;
}

 

I have also tried with a /64 on the interface to no avail, and disabled and enabled the interface as well. The 9000 MTU was previously agreed upon.

 

If I try to ping the other side I get no ICMP response, but I do see their hardware address show up.

 

ping 2001:470:1:31b::1
PING6(56=40+8+8 bytes) 2001:470:1:31b::2 --> 2001:470:1:31b::1
^C
--- 2001:470:1:31b::1 ping6 statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

 

show ipv6 neighbors
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
2001:470:1:31b::1            00:1b:ed:e4:8f:66  reachable   31  yes no      ge-1/1/0.0
fe80::21b:edff:fee4:8f66     00:1b:ed:e4:8f:66  stale       549 no  no      ge-1/1/0.0

 

If I run traceroute to another host with a default route pointed at 2001:470:1:31b::1 I do get responses

 

traceroute ipv6.google.com no-resolve
traceroute6 to ipv6.l.google.com (2607:f8b0:4009:802::1012) from 2001:470:1:31b::2, 64 hops max, 12 byte packets
 1  2001:470:1:31b::1  0.428 ms  0.303 ms  0.299 ms
 2  2001:470:0:bf::2  2.008 ms  0.342 ms  1.817 ms
 3  2001:4860::1:0:3f7  8.038 ms  0.877 ms  1.008 ms
 4  2001:4860:0:1::4da  0.792 ms  0.715 ms  0.733 ms
 5  2607:f8b0:8000:f::5  0.479 ms  0.472 ms  0.456 ms

 

I can also ping from Hurricane Electrics looking glass from locations that don't include the neighboring router I'm attached to and I respond to them as well.

 

Am I missing a known issue or overlooking something in the configuration? Thanks for any input.

Josh Hoppes
Message 1 of 8 (815 Views)
 
Reply
Trusted Contributor
acecanal
Posts: 149
Registered: ‎07-05-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

[ Edited ]
Options

‎05-10-2012 02:05 PM - edited ‎05-10-2012 02:06 PM

 

 

  Could you show the other filters applied to lo0.0 ?. Maybe the problem is that for the ping, the icmp reply match on a reject term. But traceroute replies are icmp ttl exceed messages, not icmp reply, so maybe this bypass your filters.

 

  Try to configure your icmp6 filter first, this way you could check if this is a filter problem.

 

 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
Message 2 of 8 (807 Views)
 
Reply
CFU-JoshHoppes
Visitor
CFU-JoshHoppes
Posts: 4
Registered: ‎10-07-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

Options

‎05-10-2012 02:08 PM

Here is the full filter set for inet6

 

family inet6 {
    filter bgp6-routing {
        term bgp-neighbors {
            from {
                prefix-list {
                    bgp-neighbors;
                }
                next-header tcp;
                port bgp;
            }
            then accept;
        }
    }
    filter management6 {
        term dns {
            from {
                prefix-list {
                    dns-server;
                }
                next-header [ tcp udp ];
            }
            then accept;
        }
        term ntp {
            from {
                prefix-list {
                    ntp-server;
                }
                next-header udp;
                port ntp;
            }
            then accept;
        }
    }
    filter ospf3-routing {
        term edge {
            from {
                next-header ospf;
                interface xe-1/3/0.998;
                interface xe-1/3/0.999;
            }
            then accept;
        }
    }
    filter permit-icmp6 {
        term permit-icmp {
            from {
                next-header [ icmpv6 icmp6 icmp ];
            }
            then accept;
        }
    }
    filter permit-all {
        term permit-all {
            then {
                count permit-all;
                accept;
            }
        }
    }
}

 that permit-all isn't currently applied, but I tired adding it earlier but it didn't appear to help.

Josh Hoppes
Message 3 of 8 (801 Views)
 
Reply
Trusted Contributor
acecanal
Posts: 149
Registered: ‎07-05-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

Options

‎05-10-2012 02:17 PM

 

  Then try to change filter order, configure icmp6 filter first.

 

 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
Message 4 of 8 (799 Views)
 
Reply
Trusted Contributor
acecanal
Posts: 149
Registered: ‎07-05-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

[ Edited ]
Options

‎05-12-2012 02:54 PM - edited ‎05-12-2012 03:27 PM

  Hi Cfu.

 

  I get your configuration working. Icmp could take long to reply after the configuration commit. I did several tests, and after commit have to wait at least 10 seconds for icmp get working. Im not sure if this is due to he icmp neighbor discovery process.

 

 

 

admin@MX> ping routing-instance RI1 2001:470:1:31b::2
PING6(56=40+8+8 bytes) 2001:470:1:31b::1 --> 2001:470:1:31b::2
16 bytes from 2001:470:1:31b::2, icmp_seq=6 hlim=64 time=4535.180 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=7 hlim=64 time=3534.976 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=8 hlim=64 time=2535.342 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=9 hlim=64 time=1534.675 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=10 hlim=64 time=535.238 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=11 hlim=64 time=2.257 ms
^C
--- 2001:470:1:31b::2 ping6 statistics ---
12 packets transmitted, 6 packets received, 50% packet loss
round-trip min/avg/max/std-dev = 2.257/2112.945/4535.180/1599.290 ms

 

 

 From this icmp will responde very quick.

 


admin@MX> ping routing-instance RI1 2001:470:1:31b::2
PING6(56=40+8+8 bytes) 2001:470:1:31b::1 --> 2001:470:1:31b::2
16 bytes from 2001:470:1:31b::2, icmp_seq=0 hlim=64 time=1.893 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=1 hlim=64 time=0.999 ms
16 bytes from 2001:470:1:31b::2, icmp_seq=2 hlim=64 time=0.883 ms

 

 

  This is the configuration. 


set firewall family inet6 filter bgp6-routing term bgp-neighbors from prefix-list bgp-neighbors
set firewall family inet6 filter bgp6-routing term bgp-neighbors from next-header tcp
set firewall family inet6 filter bgp6-routing term bgp-neighbors from port bgp
set firewall family inet6 filter bgp6-routing term bgp-neighbors then accept


set firewall family inet6 filter management6 term dns from prefix-list dns-server
set firewall family inet6 filter management6 term dns from next-header tcp
set firewall family inet6 filter management6 term dns from next-header udp
set firewall family inet6 filter management6 term dns then accept
set firewall family inet6 filter management6 term ntp from prefix-list ntp-server
set firewall family inet6 filter management6 term ntp from next-header udp
set firewall family inet6 filter management6 term ntp from port ntp
set firewall family inet6 filter management6 term ntp then accept

set firewall family inet6 filter ospf3-routing term edge from prefix-list ospf3-routing

set firewall family inet6 filter ospf3-routing term edge from next-header ospf
set firewall family inet6 filter ospf3-routing term edge from interface xe-1/3/0.998
set firewall family inet6 filter ospf3-routing term edge from interface xe-1/3/0.999
set firewall family inet6 filter ospf3-routing term edge then accept

set firewall family inet6 filter permit-icmp6 term permit-icmp from next-header icmpv6
set firewall family inet6 filter permit-icmp6 term permit-icmp from next-header icmp6
set firewall family inet6 filter permit-icmp6 term permit-icmp from next-header icmp
set firewall family inet6 filter permit-icmp6 term permit-icmp then accept

 


set policy-options prefix-list bgp-neighbors 2002::0/16

set policy-options prefix-list dns-server 2003::0/16

set policy-options prefix-list ntp-server 2004::0/16

set policy-options prefix-list ospf3-routing 2005::0/16

 

 


set interfaces lo0 unit 0 family inet6 filter input-list management6
set interfaces lo0 unit 0 family inet6 filter input-list ospf3-routing
set interfaces lo0 unit 0 family inet6 filter input-list bgp6-routing
set interfaces lo0 unit 0 family inet6 filter input-list permit-icmp6
set interfaces lo0 unit 0 family inet6 address 0::1/128

 

 

 

 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
Message 5 of 8 (773 Views)
 
Reply
CFU-JoshHoppes
Visitor
CFU-JoshHoppes
Posts: 4
Registered: ‎10-07-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

Options

‎05-14-2012 08:33 AM

Interesting, I tried putting the ICMP filter first but still seeing the same results. Sounds like the configuration is sound if it's working for you.

Josh Hoppes
Message 6 of 8 (759 Views)
 
Reply
Trusted Contributor
acecanal
Posts: 149
Registered: ‎07-05-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

Options

‎05-14-2012 10:17 AM

The first thing i did was try ping without any filter, this works, from this applied the filters.

 

 Other thing you could try, configure a prefix list for the icmp traffic, a 0::0/0 prefix. On my first test, i saw there was not icmp reply, so configure this under the icmp filter. Then i got replies, but i think this was because i spend more than 10 sec after the commit to execute the ping. I delete this prefix list, and icmp works anyway.

 

 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
Message 7 of 8 (756 Views)
 
Reply
CFU-JoshHoppes
Visitor
CFU-JoshHoppes
Posts: 4
Registered: ‎10-07-2011
0

Re: IPv6 can't ping local neighbor but can reach other sites

Options

‎05-18-2012 09:56 AM

Yea, I've let is sit for days, but no response. Suppose I'll poke support and see if they have any additional suggestions. Thanks!
Josh Hoppes
Message 8 of 8 (740 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.