SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Basic IPv6 Reachability issue

  • 1.  Basic IPv6 Reachability issue

    Posted 08-10-2009 22:18

    Hi Everybody,

     

    I'm trying to set up IPv6 in my internal network and access IPv6 resources on the internet after setting up an IPv6 over IPv4 tunnel with a (free) tunnel broker (Hurricane Electric, he.net). However, I'm having issues getting both local IPv6 to work, and reaching the end of the tunnel. I have an SRX210 running on 9.6r1.13. I have gotten a /48 assigned to me, which I'm using in my internal LAN. The /48 = 2001:470:d45d::/48. I am also testing with a FEC address, but no go.

     

    I want to start with troubleshooting local connectivity. I have auto configuration working for my Ubuntu client. My client generates these addresses:

    dennish@dennish-desktop:~$ ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:11:2f:91:6e:6b 
              inet addr:10.50.2.50  Bcast:10.50.2.255  Mask:255.255.255.0
              inet6 addr: fec0::ffff:211:2fff:fe91:6e6b/64 Scope:Site
              inet6 addr: 2001:470:d45d:dead:211:2fff:fe91:6e6b/64 Scope:Global
              inet6 addr: fe80::211:2fff:fe91:6e6b/64 Scope:Link

     

    Router has:

    root@core-router# show interfaces vlan.502
    family inet {
        address 10.50.2.1/24;
    }
    family inet6 {
        address 2001:470:d45d:dead::1/64;
        address FEC0:0:0:FFFF::1/64;
    }

     

    The following config for router-advertisement has been set (timers are very low, for testing):

    root@core-router# show protocols router-advertisement
    traceoptions {
        file router-advertisement;
        flag all;
    }
    interface vlan.502 {
        max-advertisement-interval 5;
        min-advertisement-interval 3;
        managed-configuration;
        other-stateful-configuration;
        prefix 2001:470:d45d:dead::1/64 {
            on-link;
            autonomous;
        }
        prefix FEC0:0:0:FFFF::/64 {
            on-link;
            autonomous;
        }
    }

     

    The physical interface on which my PC is connected is simply a switchport in vlan 502 and can ping the router on IPv4 and reach IPv4 internet correctly.

     ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-10.50.2.0;
                }
            }
        }
    }

     

    root@core-router# show vlans
    vlan-10.50.2.0 {
        vlan-id 502;
        l3-interface vlan.502;
    }

     

    From my client I can't ping the 2001, nor the FEC address. From my router I can't ping my client either.

    When I run a Wireshark trace, I see the client doing Neighbor Solicitations, but no answers to this. Router Advertisements are coming through with the correct prefix.

     

    I'm probably missing something very obvious, but my experience with IPv6 is a bit poor.

     

    Dennis


    #IPv6
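
Added example, not part of the original post and not Juniper tooling: Python that derives, from the MAC address and prefixes shown in the post above, the SLAAC addresses the client forms, plus the solicited-node multicast group and Ethernet destination that a Neighbor Solicitation for a given address is sent to. These are the values to filter on in a capture when solicitations go unanswered. Function names are illustrative.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID: flip the U/L bit, insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from an advertised /64 and its MAC."""
    # strict=False accepts a prefix written with host bits set (e.g. ...::1/64)
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group that a Neighbor Solicitation for addr targets."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{x:02x}" for x in low32.to_bytes(4, "big"))

if __name__ == "__main__":
    client_mac = "00:11:2f:91:6e:6b"             # HWaddr from the ifconfig output
    router = "2001:470:d45d:dead::1"             # vlan.502 address
    for prefix in ("fe80::/64", "2001:470:d45d:dead::1/64", "FEC0:0:0:FFFF::/64"):
        print(prefix, "->", slaac_address(prefix, client_mac))
    group = solicited_node(router)
    print("NS for", router, "goes to", group, "/", multicast_mac(group))
```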


  • 2.  RE: Basic IPv6 Reachability issue

    Posted 08-10-2009 22:30

    Extra info:

    root@core-router# show security zones security-zone trust

    interfaces {
        vlan.502 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }      
            }          
        }              
    }

     

     

    [edit]
    root@core-router# run show ipv6 neighbors

    [edit]

     

     root@core-router# run show ipv6 router-advertisement
    Interface: vlan.502
      Advertisements sent: 10005, last sent 00:00:03 ago
      Solicits received: 0
      Advertisements received: 0

     



  • 3.  RE: Basic IPv6 Reachability issue

    Posted 08-11-2009 14:14

    Got my ipv6 over ipv4 tunnel working after forcing ipv6 in packet mode:

     

    [edit]
    root@core-router# run ping inet6 ipv6.he.net source 2001:470:d45d:dead::1     
    PING6(56=40+8+8 bytes) 2001:470:d45d:dead::1 --> 2001:470:0:64::2
    16 bytes from 2001:470:0:64::2, icmp_seq=0 hlim=57 time=174.227 ms
    16 bytes from 2001:470:0:64::2, icmp_seq=1 hlim=57 time=175.717 ms
    16 bytes from 2001:470:0:64::2, icmp_seq=2 hlim=57 time=176.104 ms

     

    And as you can see, I can even resolve AAAA DNS records and ping from source address interface vlan.502...

     

    Still having problems with reachability on local LAN though... I can ping my link address on my Ubuntu PC:

     

    root@core-router# run ping inet6 fe80::211:2fff:fe91:6e6b                                
    PING6(56=40+8+8 bytes) fe80::226:88ff:fe05:a5c8 --> fe80::211:2fff:fe91:6e6b
    16 bytes from fe80::211:2fff:fe91:6e6b, icmp_seq=0 hlim=64 time=2.435 ms
    16 bytes from fe80::211:2fff:fe91:6e6b, icmp_seq=1 hlim=64 time=2.910 ms

     

    but not my global address:

    root@core-router# run ping inet6 2001:470:d45d:dead:211:2fff:fe91:6e6b
    PING6(56=40+8+8 bytes) 2001:470:d45d:dead::1 --> 2001:470:d45d:dead:211:2fff:fe91:6e6b
    ^C
    --- 2001:470:d45d:dead:211:2fff:fe91:6e6b ping6 statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

     

    From my PC to the router I can't ping the global address. I can't test the link local address. Ping6 somehow doesn't accept it:

    dennish@dennish-desktop:~$ ping6 fe80::226:88ff:fe05:a5c8
    connect: Invalid argument

     

    Any input would be appreciated!

    Message Edited by dennish on 11-08-2009 11:15 PM


  • 4.  RE: Basic IPv6 Reachability issue

    Posted 08-11-2009 22:39

    For future reference, my working IPv6 over IPv4 tunnel set-up (tunnel broker - he.net) :

     

    root@core-router# show interfaces ip-0/0/0
    unit 0 {
        tunnel {
            source 95.96.190.13;
            destination 216.66.84.46;
        }
        family inet6 {
            address 2001:470:1f14:25c::2/64;
        }
    }

     

     root@core-router# show security forwarding-options
    family {
        inet6 {
            mode packet-based;
        }
    }

     

    root@core-router# show routing-options rib inet6.0
    static {
        route ::/0 next-hop 2001:470:1f14:25c::1;
    }

     

    root@core-router# show system name-server
    62.179.104.196;
    213.46.228.196;
    2001:470:20::2;

     

     



  • 5.  RE: Basic IPv6 Reachability issue

    Posted 08-17-2009 22:14

    For your information: I just discovered it does work on a physical interface, just not on a vlan interface.

    Have a JTAC case running for this.

     

    Working physical int config:

     

    root@core-router# show interfaces ge-0/0/1
    unit 0 {
        family inet6 {
            address 2001:470:d45d:dead::1/64;
        }
    }

    root@core-router# show protocols router-advertisement
    interface ge-0/0/1.0 {
        max-advertisement-interval 20;
        min-advertisement-interval 5;
        prefix 2001:470:d45d:dead::/64 {
            on-link;
            autonomous;
        }
    }

     



  • 6.  RE: Basic IPv6 Reachability issue

    Posted 08-21-2009 13:32

    I don't seem to have the security forwarding-options on my srx3400.

     

    Some magic I'm missing?  Running JunOS 9.5R2.7.



  • 7.  RE: Basic IPv6 Reachability issue

    Posted 08-22-2009 02:16

    Hi routehero,

     

    There are some differences between the branch office boxes code (SRX100/210/240/650) and the 3000/5000 series.

    I think this is one of the differences, but I don't know how you should approach this config on a 3000 series, as I did not yet have my hands on a box that big :(.

     

    Dennis



  • 8.  RE: Basic IPv6 Reachability issue

    Posted 08-22-2009 18:20

    Yeah, I'm beginning to think there is an issue.

     

    I'm working with JTAC on this also, but just for fun:

     

        forwarding-options {
            family {
                ##
                ## Warning: configuration block ignored: unsupported platform (srx3400)
                ##
                inet6 {
                    mode packet-based;
                }
            }
        }

     

    And adding config on a specific int:

     

    unit 0 {
        ##
        ## Warning: configuration block ignored: unsupported platform (srx3400)
        ##
        family inet6 {
            address 2607:fc28::2:a/126;
        }
    }



  • 9.  RE: Basic IPv6 Reachability issue

    Posted 10-31-2009 05:23

    Hi,

     

    I think you are right. I have the same issues as you. I tried having IPv6 configured on a vlan interface. It does not work, but I kind of need it. I would like to use the ports on the SRX210 as switchports and have a dual stack vlan interface, and I cannot.

     

    How did the JTAC case end up?

     

    Maybe someone has a good idea how to do this in another way?

     

     

     

     



  • 10.  RE: Basic IPv6 Reachability issue

    Posted 08-03-2020 03:42

    Hi,

     

    Sorry for reviving a very old thread, but just wondering if configuring IPv6 on VLAN is still a limitation on 12.3?

     

    Here is what I have on my system:

     

    emilfr@jupiter# show interfaces ip-0/0/0
    ##
    ## inactive: interfaces ip-0/0/0
    ##
    unit 0 {
        tunnel {
            source 93.107.12.123;
            destination 209.51.45.678;
        }
        family inet6 {
            address 2001:470:1f06:5dzz::2/64;
        }
    }
    
    [edit]
    emilfr@jupiter# show protocols router-advertisement
    ##
    ## inactive: protocols router-advertisement
    ##
    interface vlan.0 {
        max-advertisement-interval 60;
        min-advertisement-interval 3;
        managed-configuration;
        other-stateful-configuration;
        reachable-time 10;
        retransmit-timer 10;
        default-lifetime 600;
        prefix 2001:470:1f06:5dzz::/64 {
            valid-lifetime 604800;
            on-link;
            autonomous;
        }
    }
    
    [edit]
    emilfr@jupiter# show routing-options
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:1f06:5dzz::1;
        }
    }
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
    
    [edit]
    emilfr@jupiter# show access address-assignment
    inactive: pool ADDR6-POOL {
        family inet6 {
            prefix 2001:470:1f06:5dzz::/64;
            dhcp-attributes {
                maximum-lease-time 120;
                grace-period 3600;
                dns-server {
                    2001:470:1f06:5dzz::2049;
                    2001:470:1f06:5dzz::209c;
                }
            }
        }
    }

     

    I have a VDSL2 MPIM connected to my ISP on an SRX220H2, and the HE IPv6 tunnel is currently disabled as my IPv6 traffic didn't properly flow through, so fallback to good old Linksys for now.



  • 11.  RE: Basic IPv6 Reachability issue

    Posted 03-25-2011 12:44

    Something to note on the devices with the security code enabled is that you have to have ICMP permitted to that interface in order for things to come up. I didn't and had a heck of a time figuring it out. After this:

    set security zones security-zone untrust interfaces ip-0/0/0.0

    Things came up nicely.

     

     

    Dan



  • 12.  RE: Basic IPv6 Reachability issue

    Posted 11-02-2009 03:06

    Hi Dennis,


    I have the same issue, same type of config with inet6 address on the vlan interface.

    Found this in the 9.6R2 release notes:

    • On SRX100, SRX210, SRX240, and SRX650 devices, when J-Web is used to configure a VLAN, the option to add an IPv6 address appears. Only IPv4 addresses are supported. [PR/459530]

    I did not use J-Web but it seems it is not supported at all.

    Guess we will have to change my config to a physical interface too, thanks 🙂

     

    Menno