Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
02-16-2011 01:46 PM
Just loaded 10.4R2.7 and v6 flow mode on my HE tunnel is now broken (works when mode is packet-based). I'll open a jtac case in the next few days to get some movement on this...until then, back to 10.3.
-Gerry
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
02-18-2011 03:46 PM
If the JTAC case is publicly accessible, can you please post a link to it here? I'm surprised that Juniper let two releases slip out the door with this regression.
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
02-19-2011 01:11 PM
Did you notice that during boot-up this message is always there?
Loading configuration ...
Network security daemon: warning: You have enabled/disabled inet6 flow.
Network security daemon: You must reboot the system for your change to take effect.
Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.
mgd: commit complete
It used to show up only the very first time after you enabled IPv6 flow mode. Now this message shows up every time I reboot the unit.
R
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
02-23-2011 12:45 PM - last edited on 02-24-2011 08:42 AM
Juniper removed the feature! I have the same problem when moving from 10.3R2 to 10.4R2 I lost my HE.net tunnel. I opened a case with JTAC and this is the response I got:
I consulted my seniors and found that the IPv6 tunnel support has been removed from version 10.4. The reason being that this kind of traffic bypassed the security flow, as it could not be inhibited with IPv4 security policy. It is scheduled to be fixed in the 11.4 time frame.
I can't believe it! Wait until 11.4 for a feature we had for years?
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
02-24-2011 12:54 PM
I just got some additional information from a Juniper Systems Engineer. I informed him of the problem we are all having with 6in4 tunnels and this is the email response I got back:
I got some additional info on the 6in4 issue. It sounds like it was never an officially supported feature in flow mode (only in packet mode), and apparently it was a bug fix that broke the feature inadvertently rather than a deliberate choice to take it out of 10.4. Since it wasn’t considered a supported feature it wasn’t documented in the release notes when it broke. I realize that’s a somewhat lame answer, so I apologize for that.
On a positive note, one of the guys I talked to has come up with a workaround. It’s not JTAC supported, but might be worth a try.
The fix is to apply a firewall filter to treat the outer packet (IPv4 protocol 41) as stateless, which corrects/refines the behavior of the bug fix to not treat traffic destined to the SRX itself as stateful. The IPv6 traffic itself remains stateful, of course.
The firewall filter applied to the egress interface (wherever the tunnel traffic is going to/from) is all that's needed. Everything else is the same.
joel@chilis220> show interfaces terse ge-0/0/7
Interface Admin Link Proto Local Remote
ge-0/0/7 up up
ge-0/0/7.0 up up inet 67.1.0.9/20
joel@chilis220>
joel@chilis220> show configuration interfaces ge-0/0/7
mac 00:08:55:01:a6:ea;
unit 0 {
    description Comcast;
    family inet {
        filter {
            input fix-v6v4-tunnel;
        }
        dhcp {
            update-server;
        }
    }
}
joel@chilis220> show configuration firewall family inet filter fix-v6v4-tunnel
term one {
    from {
        destination-address {
            67.1.0.9/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term one.five {
    from {
        source-address {
            67.1.0.9/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term two {
    then accept;
}
This workaround fixed my Hurricane Electric tunnel!
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
02-25-2011 07:16 AM
So is the above workaround for ipv6 in flow mode? If I understand correctly, no such workaround is needed if ipv6 is running in packet mode - which, depending on the required throughput, may be an acceptable option for some.
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
03-16-2011 06:49 AM
For anyone else following this saga, I just upgraded my SRX 100 to 10.3R3, from 10.3R2.
The HE IPv6 tunnel was working fine in flow-based mode under 10.3R2, and of course stopped working in 10.3R3. I tried simply deactivating the "security forwarding-options family inet6 mode flow-based" config option, as a reminder to myself to re-activate it at some point in the future. However the tunnel still failed to come up. I had to explicitly set the mode to packet-based, after which the HE tunnel worked again (on 10.3R3). Maybe IPv6 packets are dropped if the forwarding mode is not specified...?
I suspect this same info will apply to the 10.4 images.
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
03-16-2011 09:23 AM - last edited on 03-16-2011 09:25 AM
A further followup, for anyone still confused (me perhaps?)
A word of warning - setting ipv6 forwarding mode to packet-based will expose your ipv6 hosts to incoming traffic if you do not specifically configure packet filters for them (*packet filters* - not zone based firewall policies). This will be unacceptable to a lot of people.
Borrowing suggestions from nbarsotti's earlier post, I set ipv6 back to flow-based, and added the workaround packet filters for protocol 41. However, since my internet-facing interface gets a dynamic IP (pppoe), I chose to allow protocol 41 to/from the HE tunnel endpoint, rather than my interface IP address.
Some snippets from my config:
interfaces {
    pp0 {
        unit 0 {
            family inet {
                mtu 1492;
                filter {
                    input fix-6in4;
                }
                negotiate-address;
            }
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
}
firewall {
    family inet {
        filter fix-6in4 {
            term t1 {
                from {
                    source-address {
                        216.66.80.30/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t2 {
                from {
                    destination-address {
                        216.66.80.30/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t99 {
                then accept;
            }
        }
    }
}
Using the above config (on 10.3r3), my HE tunnel worked fine, and ipv6 traffic crossing from untrust to trust zone was blocked as it should be. I verified that the flow-based firewall was working by creating a policy that allowed pings from outside to my ipv6 hosts in the trust zone. Disabling the policy again blocked traffic, so that definitely seemed to be working correctly. Yay!
Incidentally, I also then tried an upgrade to 10.4r2, but had major problems connecting to websites. Simple text-only pages loaded ok, but anything that had multiple graphics on it resulted in hung connections. No idea what's going on there, and I've run out of time (and patience) for now, so rolled back to 10.3r3.
10.4r1 might have worked (I didn't try it), but I think the 10.4 series in general is a bit shaky still. I'm happy just to have my HE tunnel working *properly*, without exploiting the side-effects of some bug in an earlier Junos release.
The protocol 41 packet filter workaround is described in detail here http://www.juniper.net/techpubs/software/junos-sec
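Added example, not from this thread or from Juniper: a small Python audit of the protocol 41 packet-mode workaround from nbarsotti's post above and the pp0 variant in this one. It parses a Junos-style configuration and checks that inet6 stays flow-based, that the interface's family inet input filter has packet-mode terms for protocol 41 covering the tunnel endpoint as both source and destination, that no earlier unconditional accept shadows them, and that a final accept term exists. The SAMPLE config and all function names are my own assumptions.

```python
import re
# Constructed sample (mine, not the thread's verbatim text), modelled on the pp0 / fix-6in4 post above.
SAMPLE = """
interfaces { pp0 { unit 0 { family inet { filter { input fix-6in4; } negotiate-address; } } } }
security { forwarding-options { family { inet6 { mode flow-based; } } } }
firewall { family inet { filter fix-6in4 {
  term t1 { from { source-address { 216.66.80.30/32; } protocol 41; } then packet-mode; }
  term t2 { from { destination-address { 216.66.80.30/32; } protocol 41; } then packet-mode; }
  term t99 { then accept; } } } }
"""
def parse(text):  # Junos curly-brace syntax -> nested dicts; leaf statements ('x y;') map to None
    root = node = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok not in "{;}":
            words.append(tok)
        elif tok == "{":  # open a block keyed by the words that precede it
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == ";":
            node[" ".join(words)], words = None, []
        else:
            node = stack.pop()
    return root
def dig(node, *path):  # walk nested dicts; {} when a step is missing or is a leaf
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}
def audit_6in4(text, iface, unit, endpoint):
    """Findings for the protocol-41 packet-mode workaround; an empty list means it is complete."""
    cfg, findings, seen, accepted = parse(text), [], set(), None
    if "mode flow-based" not in dig(cfg, "security", "forwarding-options", "family", "inet6"):
        findings.append("inet6 forwarding mode is not flow-based")
    filt = dig(cfg, "interfaces", iface, f"unit {unit}", "family inet", "filter")
    inputs = [k.split()[1] for k in filt if k.startswith("input ")]
    if not inputs:
        return findings + [f"no family inet input filter on {iface}.{unit}"]
    for name, term in dig(cfg, "firewall", "family inet", f"filter {inputs[0]}").items():
        frm = dig(term, "from")
        if "protocol 41" in frm and "then packet-mode" in term:
            if accepted:  # terms are evaluated in order; an earlier unconditional accept wins
                findings.append(f"{name} is shadowed by the unconditional accept in {accepted}")
            seen |= {d for d in ("source-address", "destination-address") if endpoint in dig(frm, d)}
        elif "then accept" in term and not frm and accepted is None:
            accepted = name
    findings += [f"no packet-mode term for protocol 41 with {d} {endpoint}"
                 for d in ("source-address", "destination-address") if d not in seen]
    if accepted is None:  # a Junos filter's implicit final action is discard
        findings.append("no final accept term for the remaining IPv4 traffic")
    return findings
```

Run audit_6in4 over the output of "show configuration | display set"-free brace format (the default "show configuration" output) with your own interface, unit and tunnel endpoint.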
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
04-11-2011 08:28 AM
Firstly, I'd like to say that your solution for 10.3r3+ is brilliant.
Secondly, I had heard that 6in4 tunneling would be officially supported in 11.1. Now that it's out, has anybody tried it?
Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?
04-12-2011 08:19 PM
Yes, I have tried it and it did not work using 11.1R1.10.
I had to implement the fix stated above. Thanks and Kudos given!!!
