SRX Services Gateway

Basic IPv6 Reachability issue

‎08-10-2009 10:17 PM

Hi Everybody,

 

I'm trying to set up IPv6 in my internal network and access IPv6 resources on the internet after setting up an IPv6 over IPv4 tunnel with a (free) tunnel broker (Hurricane Electric, he.net). However, I'm having issues getting both local IPv6 to work, and reaching the end of the tunnel. I have a SRX210 running on 9.6r1.13. I have gotten a /48 assigned to me, which I'm using in my internal LAN. The /48 = 2001:470:d45d::/48. I am also testing with a FEC address, but no go.

 

I want to start with troubleshooting local connectivity. I have auto configuration working for my Ubuntu client. My client generates these addresses:

dennish@dennish-desktop:~$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:11:2f:91:6e:6b 
          inet addr:10.50.2.50  Bcast:10.50.2.255  Mask:255.255.255.0
          inet6 addr: fec0::ffff:211:2fff:fe91:6e6b/64 Scope:Site
          inet6 addr: 2001:470:d45d:dead:211:2fff:fe91:6e6b/64 Scope:Global
          inet6 addr: fe80::211:2fff:fe91:6e6b/64 Scope:Link

 

Router has:

root@core-router# show interfaces vlan.502
family inet {
    address 10.50.2.1/24;
}
family inet6 {
    address 2001:470:d45d:dead::1/64;
    address FEC0:0:0:FFFF::1/64;
}

 

The following config for router-advertisement has been set (timers are very low, for testing):

root@core-router# show protocols router-advertisement
traceoptions {
    file router-advertisement;
    flag all;
}
interface vlan.502 {
    max-advertisement-interval 5;
    min-advertisement-interval 3;
    managed-configuration;
    other-stateful-configuration;
    prefix 2001:470:d45d:dead::1/64 {
        on-link;
        autonomous;
    }
    prefix FEC0:0:0:FFFF::/64 {
        on-link;
        autonomous;
    }
}

 

The physical interface on which my PC is connected is simply a switchport in vlan 502 and can ping the router on IPv4 and reach IPv4 internet correctly.

 ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members vlan-10.50.2.0;
            }
        }
    }
}

 

root@core-router# show vlans
vlan-10.50.2.0 {
    vlan-id 502;
    l3-interface vlan.502;
}

 

From my client I can't ping the 2001, nor the FEC address. From my router I can't ping my client either.

When I run a Wireshark trace, I see the client doing Neighbor Solicitations, but no answers to this. Router Advertisements are coming through with the correct prefix.

 

I'm probably missing something very obvious, but my experience with IPv6 is a bit poor.

 

Dennis

10 REPLIES

Re: Basic IPv6 Reachability issue

‎08-10-2009 10:29 PM

Extra info:

root@core-router# show security zones security-zone trust

interfaces {
    vlan.502 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }      
        }          
    }              
}

 

 

[edit]
root@core-router# run show ipv6 neighbors

[edit]

 

 root@core-router# run show ipv6 router-advertisement
Interface: vlan.502
  Advertisements sent: 10005, last sent 00:00:03 ago
  Solicits received: 0
  Advertisements received: 0

 


Re: Basic IPv6 Reachability issue

[ Edited ]
‎08-11-2009 02:14 PM

Got my IPv6 over IPv4 tunnel working after forcing IPv6 in packet mode:

 

[edit]
root@core-router# run ping inet6 ipv6.he.net source 2001:470:d45d:dead::1     
PING6(56=40+8+8 bytes) 2001:470:d45d:dead::1 --> 2001:470:0:64::2
16 bytes from 2001:470:0:64::2, icmp_seq=0 hlim=57 time=174.227 ms
16 bytes from 2001:470:0:64::2, icmp_seq=1 hlim=57 time=175.717 ms
16 bytes from 2001:470:0:64::2, icmp_seq=2 hlim=57 time=176.104 ms

 

And as you can see, I can even resolve AAAA DNS records and ping from source address interface vlan.502...

 

Still having problems with reachability on local LAN though... I can ping my link address on my Ubuntu PC:

 

root@core-router# run ping inet6 fe80::211:2fff:fe91:6e6b                                
PING6(56=40+8+8 bytes) fe80::226:88ff:fe05:a5c8 --> fe80::211:2fff:fe91:6e6b
16 bytes from fe80::211:2fff:fe91:6e6b, icmp_seq=0 hlim=64 time=2.435 ms
16 bytes from fe80::211:2fff:fe91:6e6b, icmp_seq=1 hlim=64 time=2.910 ms

 

but not my global address:

root@core-router# run ping inet6 2001:470:d45d:dead:211:2fff:fe91:6e6b
PING6(56=40+8+8 bytes) 2001:470:d45d:dead::1 --> 2001:470:d45d:dead:211:2fff:fe91:6e6b
^C
--- 2001:470:d45d:dead:211:2fff:fe91:6e6b ping6 statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

 

From my PC to the router I can't ping the global address. I can't test the link local address. Ping6 somehow doesn't accept it:

dennish@dennish-desktop:~$ ping6 fe80::226:88ff:fe05:a5c8
connect: Invalid argument

 

Any input would be appreciated!

Message Edited by dennish on 11-08-2009 11:15 PM

Re: Basic IPv6 Reachability issue

‎08-11-2009 10:38 PM

For future reference, my working IPv6 over IPv4 tunnel set-up (tunnel broker - he.net) :

 

root@core-router# show interfaces ip-0/0/0
unit 0 {
    tunnel {
        source 95.96.190.13;
        destination 216.66.84.46;
    }
    family inet6 {
        address 2001:470:1f14:25c::2/64;
    }
}

 

 root@core-router# show security forwarding-options
family {
    inet6 {
        mode packet-based;
    }
}

 

root@core-router# show routing-options rib inet6.0
static {
    route ::/0 next-hop 2001:470:1f14:25c::1;
}

 

root@core-router# show system name-server
62.179.104.196;
213.46.228.196;
2001:470:20::2;
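
With `mode packet-based` set for inet6, the SRX forwards IPv6 per packet instead of through the flow module, so zone security policies are not applied to that traffic; together with `host-inbound-traffic ... all` from the earlier post, that is worth flagging when reviewing a config like this. The checker below is an added example, not part of the original thread; the function names and finding labels are made up for illustration.

```python
# Constructed sample: stanzas quoted in this thread, wrapped in their parent
# hierarchy levels the way a full "show configuration" would print them.
SAMPLE = """
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.502 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
"""

def leaf_paths(text):
    """Flatten curly-brace Junos config into space-joined statement paths."""
    stack, out = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            out.append(" ".join(stack + [line[:-1].strip()]))
    return out

def audit(text):
    """Return (label, path) pairs for the two settings discussed in the thread."""
    findings = []
    for p in leaf_paths(text):
        if p.endswith("forwarding-options family inet6 mode packet-based"):
            findings.append(("inet6-packet-mode", p))  # IPv6 skips flow policy
        elif " host-inbound-traffic " in p and p.endswith(" all"):
            findings.append(("host-inbound-all", p))   # everything to the box
    return findings
```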

 

 


Re: Basic IPv6 Reachability issue

‎08-17-2009 10:13 PM

For your information: I just discovered it does work on a physical interface, just not on a vlan interface.

Have a JTAC case running for this.

 

Working physical int config:

 

root@core-router# show interfaces ge-0/0/1
unit 0 {
    family inet6 {
        address 2001:470:d45d:dead::1/64;
    }
}

root@core-router# show protocols router-advertisement
interface ge-0/0/1.0 {
    max-advertisement-interval 20;
    min-advertisement-interval 5;
    prefix 2001:470:d45d:dead::/64 {
        on-link;
        autonomous;
    }
}

 


Re: Basic IPv6 Reachability issue

‎08-21-2009 01:32 PM

I don't seem to have the security forwarding-options on my srx3400.

 

Some magic I'm missing?  Running JunOS 9.5R2.7.


Re: Basic IPv6 Reachability issue

‎08-22-2009 02:16 AM

Hi routehero,

 

There are some differences between the branch office boxes code (SRX100/210/240/650) and the 3000/5000 series.

I think this is one of the differences, but I don't know how you should approach this config on a 3000 series, as I did not yet have my hands on a box that big :(.

 

Dennis


Re: Basic IPv6 Reachability issue

‎08-22-2009 06:19 PM

Yeah, I'm beginning to think there is an issue.

 

I'm working with JTAC on this also, but just for fun:

 

    forwarding-options {
        family {
            ##
            ## Warning: configuration block ignored: unsupported platform (srx3400)
            ##
            inet6 {
                mode packet-based;
            }
        }
    }

 

And adding config on a specific int:

 

unit 0 {
    ##
    ## Warning: configuration block ignored: unsupported platform (srx3400)
    ##
    family inet6 {
        address 2607:fc28::2:a/126;
    }
}


Re: Basic IPv6 Reachability issue

‎10-31-2009 05:23 AM

Hi,

 

I think you are right. I have the same issues as you. I tried having IPv6 configured on a vlan interface. It does not work, but I kind of need it. I would like to use the ports on the SRX210 as switchports and have a dual stack vlan interface, and I cannot.

 

How did the JTAC case end up?

 

Maybe someone has a good idea how to do this in another way?

Re: Basic IPv6 Reachability issue

[ Edited ]
‎11-02-2009 03:06 AM

Hi Dennis,


I have the same issue, same type of config with inet6 address on the vlan interface.

Found this in the 9.6R2 release notes:

  • On SRX100, SRX210, SRX240, and SRX650 devices, when J-Web is used to configure a VLAN, the option to add an IPv6 address appears. Only IPv4 addresses are supported. [PR/459530]

I did not use J-Web but it seems it is not supported at all.

Guess we will have to change my config to a physical interface too, thanks :)

 

Menno


Re: Basic IPv6 Reachability issue

‎03-25-2011 12:44 PM

Something to note on the devices with the security code enabled is that you have to have ICMP permitted to that interface in order for things to come up. I didn't and had a heck of a time figuring it out. After this:

set security zones security-zone untrust interfaces ip-0/0/0.0

Things came up nicely.

 

 

Dan