SRX Services Gateway

SRX220 Cannot ping the ISP or Internet using IPv6 from user Lan Segment

‎11-16-2018 11:42 AM

Hello,

I'm looking for help in that I cannot ping anything on the internet via IPv6 from an internal IPv4/IPv6 VLAN Segment.
My VLAN.7 is configured with globally routable IPv6 and from it I can ping its /64 gateway, and my router's last hop before the ISP. From the SRX router I can ping everywhere IPv6, including my internal VLAN.7 IPv6 users, ISP, OPENDNS IPv6 etc. But alas, from that VLAN I cannot reach the internet IPv6.

My internal policies and zones are configured for ANY ANY PERMIT from my Internal Zone to Internet Zone.

Any help would be greatly appreciated. Thank you in advance!

 

Policy:

From zone: Internal, To zone: Internet
Policy: InternalTOInternet, State: enabled, Index: 21, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

 

Security Zone:

Security zone: Internal
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 10
Interfaces:
ge-0/0/2.0
ge-0/0/4.0
ge-0/0/5.0
ge-0/0/6.0
ge-0/0/7.0
st0.1
vlan.1
vlan.2
vlan.5
vlan.7

 

Routes:

inet6.0: 10 destinations, 12 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0 *[Static/5] 01:18:15
> to 2001:438:fffe::f69 via ge-0/0/0.0
2001:438:2d:10::/64*[Direct/0] 01:18:15
> via vlan.7
2001:438:2d:10::1/128
*[Local/0] 01:18:32
Local via vlan.7
2001:438:2d:40::/64*[Direct/0] 01:18:15
> via vlan.5
2001:438:2d:40::1/128
*[Local/0] 01:18:32
Local via vlan.5
2001:438:fffe::f68/126
*[Direct/0] 01:18:15
> via ge-0/0/0.0
2001:438:fffe::f6a/128
*[Local/0] 01:18:21
Local via ge-0/0/0.0
fe80::/64 *[Direct/0] 01:18:15
> via ge-0/0/0.0
[Direct/0] 01:18:15
> via vlan.5
[Direct/0] 01:18:15
> via vlan.7
fe80::3e61:4ff:fe98:4440/128
*[Local/0] 01:18:21
Local via ge-0/0/0.0
fe80::3e61:4ff:fe98:4448/128
*[Local/0] 01:18:32
Local


Re: SRX220 Cannot ping the ISP or Internet using IPv6 from user Lan Segment

‎11-19-2018 10:53 PM

Hi,

Please check flow mode is enabled for IPv6 by using the command "show security flow status".

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Solution
Accepted by topic author ScottL1
‎11-21-2018 12:42 PM

Re: SRX220 Cannot ping the ISP or Internet using IPv6 from user Lan Segment

‎11-21-2018 08:19 AM

Hi Nellikka - Thank you for your reply.  I do have IPv6 Flow enabled. I'm checking with the carrier/ISP to see if they have a static route back to me. 2001:438:002D::/48 to 2001:438:fffe::f6a/126. I don't think that they do at this point.
show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware


Re: SRX220 Cannot ping the ISP or Internet using IPv6 from user Lan Segment

‎11-21-2018 12:43 PM

It turned out to be an issue with the carrier as I had begun to suspect. They were missing a route to my assigned IPv6 addresses. Thank you for your time ALL.
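
An added example, not part of the original thread: operational-mode commands on the SRX that reproduce the symptom described above, using only the addresses shown in the thread. By default a ping from the SRX is sourced from the egress interface address (2001:438:fffe::f6a), which is on the /126 shared with the ISP, so it succeeds even when the ISP has no route back to the LAN prefix; sourcing from the vlan.7 address removes that shortcut.

```junos
# Baseline: source defaults to the ge-0/0/0.0 address (2001:438:fffe::f6a).
# That address is on-link for the ISP, so the reply needs no return route.
ping 2001:438:fffe::f69 count 3

# Same target, sourced from the vlan.7 gateway address. If the ISP has no
# route for the LAN prefix, the echo request leaves but no reply returns.
ping 2001:438:fffe::f69 source 2001:438:2d:10::1 count 3

# While a vlan.7 host pings outward, list the flow sessions for that prefix.
# A session that exists (so the policy permitted it) with packets counted in
# the outbound direction and none in the return direction means traffic left
# the SRX and nothing came back from upstream.
show security flow session source-prefix 2001:438:2d:10::/64
```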

 
