Cisco ASA & IPv6 Failover

When we began planning the upgrade of our corporate infrastructure to fully support IPv6 in a dual-stack configuration, one of the earliest stumbling blocks came from an unexpected source – our Cisco ASA security appliances. By the time we’d begun our changes, Cisco ASAs and PIXes had already been supporting IPv6 for a full three years (since release 7.0 in mid-2005), so I was expecting a feature-complete IPv6 product.

Initial configuration went smoothly (via the CLI, as the ASDM does not currently support IPv6 commands), but IPv6 connectivity through the ASA was spotty at best. Digging into the problem, we discovered that the Primary and Standby ASA were both transmitting router advertisements with the same priority, and that most of the hosts were sending their non-local packets to the link-local address of the Standby ASA, which was duly discarding them. A Cisco TAC request confirmed that IPv6 failover configuration will not be supported until 8.2. Timeframe for release of 8.2? Unknown.
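The failure mode described above is two routers on one link both announcing themselves as default routers at the same preference, so hosts pick between them on their own. The following is an added example, not code from the post or from Cisco: it decodes the fixed ICMPv6 Router Advertisement header (RFC 4861, with the Router Preference bits of RFC 4191) and reports any tie between default-router candidates. The RA payloads and the fe80::1 / fe80::2 source addresses are constructed sample data, and the checksum field is left at zero since no pseudo-header is computed. Whether a given ASA release lets you set the RA preference is not something the post establishes; the example only shows what to look for in captured traffic.

```python
"""Decode ICMPv6 Router Advertisement headers (RFC 4861 section 4.2, with the
Router Preference bits of RFC 4191) and report routers on one link that all
claim to be default routers at the same preference. Sample RAs are constructed
inline; the link-local addresses and checksums are placeholders."""
import struct

# RFC 4191 Prf values, taken from bits 4-3 of the RA flags octet.
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}

# type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
RA_HEADER = struct.Struct("!BBHBBHII")


def build_ra(flags: int, router_lifetime: int, hop_limit: int = 64) -> bytes:
    """Constructed sample RA with a zero checksum (no pseudo-header computed here)."""
    return RA_HEADER.pack(134, 0, 0, hop_limit, flags, router_lifetime, 0, 0)


def parse_ra(payload: bytes) -> dict:
    """Decode the fixed 16-byte RA header; trailing options are ignored."""
    if len(payload) < RA_HEADER.size:
        raise ValueError("RA too short")
    icmp_type, code, _cksum, hop_limit, flags, lifetime, _reach, _retrans = (
        RA_HEADER.unpack(payload[:RA_HEADER.size])
    )
    if icmp_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    prf = (flags >> 3) & 0b11
    return {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),  # M: addresses come from DHCPv6
        "other": bool(flags & 0x40),    # O: other config comes from DHCPv6
        "preference": PREF_NAMES[prf],
        "router_lifetime": lifetime,    # 0 means "not a default router"
    }


def default_router_conflicts(ras: dict) -> dict:
    """Group default-router candidates by preference. A group with more than
    one source is a tie that each host breaks by its own rules, which is how
    traffic ends up at a router that will drop it."""
    by_pref = {}
    for src, payload in ras.items():
        info = parse_ra(payload)
        if info["router_lifetime"] == 0:
            continue
        by_pref.setdefault(info["preference"], []).append(src)
    return {pref: sorted(srcs) for pref, srcs in by_pref.items() if len(srcs) > 1}


# Constructed link: primary and standby both at the default (medium) preference.
TIED = {"fe80::1": build_ra(0x00, 1800), "fe80::2": build_ra(0x00, 1800)}
# Same link with the standby demoted to Prf=low (bits 4-3 = 11 -> 0x18).
RESOLVED = {"fe80::1": build_ra(0x00, 1800), "fe80::2": build_ra(0x18, 1800)}

if __name__ == "__main__":
    print(default_router_conflicts(TIED))      # {'medium': ['fe80::1', 'fe80::2']}
    print(default_router_conflicts(RESOLVED))  # {}
```

In practice you would feed `parse_ra` the ICMPv6 payload of each RA seen on the segment (keyed by its IPv6 source) and treat any non-empty result from `default_router_conflicts` as a configuration problem, since a standby unit that announces itself at the same preference as the active one will receive traffic it is not forwarding.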

How could IPv6 and critical enterprise functionality such as Failover be mutually exclusive, especially after three years and one full major release (IPv6 functionality was introduced in 7.0 – as of this writing the current version is 8.04)? This tells me that NO enterprises (0.000%) running Cisco ASAs have deployed IPv6 in their existing production environments. Since Cisco is the market share leader in the firewall segment, one has to wonder what percentage of North American companies have even begun planning for the approaching IPv4 exhaustion.

tags: IPv6 Cisco ASA
Ken Mix - November 03, 2008

Pulling the IPv4 Plug

Just as a little experiment tonight I disabled my IPv4 stack on Vista and went entirely IPv6 native (no tunneling). Of course I got what I expected: a completely unusable system.

What worked:

  • Windows domain and Exchange - Thanks to the recent upgrade of our company to Server 2008 and Exchange 2007, everything worked internally. File sharing, DNS, authentication… all worked like a charm.

  • ipv6.google.com - Loaded right up and I was able to search. Also, if you edit your hosts file and add a record for mail.google.com pointing to 2001:4860:0:2001::68 (at least for right now) you can access Gmail. I’m pretty sure that this works for MAPS and DOCS. Doesn’t work for TALK, however.

  • www.arin.net - For all your IPv4/IPv6 needs… at least until they run out.

  • www.kame.net - Love to see that turtle dance.

What didn’t work:

  • Basically everything else.

If IPv4 is going to run out in 2-3 years, the content providers have a long way to go.

Cody Lerum - October 30, 2008

Ubuntu IPv6 Only Torrents

If you didn’t notice, Ubuntu 8.10 was released today. As usual the mirrors and torrents were flooded with eager downloaders.

Canonical was nice enough to set up an IPv6-only tracker (http://ipv6.torrent.ubuntu.com:6969).

Unfortunately it looks like only 27 downloads have completed in the 12+ hours it’s been released.

It’s a start, but when the first response to any networking problem on the support forum is to "DISABLE IPv6" I tend to think we have a long road left to travel.

tags: IPv6 Linux Ubuntu
Cody Lerum - October 30, 2008

Windows Vista DHCPv6 Issues

While working through an internal deployment at the company where I work, something peculiar started to happen when we lit up an IPv6 DHCP service.

What happened was that the DHCP client on Vista had trouble parsing the DNS Suffix Search List sent by the DHCP server. The DNS suffix of corp.company.com was sent, but the OS showed:

DNS Suffix Search List:
corp
company
com

So, instead of searching on corp.company.com it tried each of them in succession — first com, then company, then corp.
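The suffix list is carried in the DHCPv6 Domain Search List option (OPTION_DOMAIN_LIST, code 24, RFC 3646), where each name is a sequence of length-prefixed labels ending in a zero octet, with no DNS compression (RFC 3315 section 8). The following is an added example, not code from the post or from Microsoft: it encodes and decodes that option, and includes a hypothetical mis-parser that emits every label as its own suffix, which reproduces the symptom reported above (it is an illustration of the format, not a claim about Vista's actual implementation). The corp.company.com name is the one from the post; everything else is constructed.

```python
"""Encode and decode the DHCPv6 Domain Search List option (OPTION_DOMAIN_LIST,
code 24, RFC 3646 section 4). Domain names use the RFC 1035 label format: one
length octet per label and a zero octet ending each name, with no compression
(RFC 3315 section 8). The corp.company.com sample is the one from the post."""
import struct

OPTION_DOMAIN_LIST = 24


def encode_domain_list(domains):
    """Build the full option (4-byte header + encoded names)."""
    body = bytearray()
    for name in domains:
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            body.append(len(raw))
            body += raw
        body.append(0)  # zero octet terminates this name
    return struct.pack("!HH", OPTION_DOMAIN_LIST, len(body)) + bytes(body)


def decode_domain_list(option):
    """Correct decoder: labels are joined until the zero terminator, and the
    option length, label lengths and terminator are all checked."""
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_DOMAIN_LIST:
        raise ValueError("not OPTION_DOMAIN_LIST")
    data = option[4:4 + length]
    if len(data) != length:
        raise ValueError("option truncated")
    names, labels, pos = [], [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
            continue
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed here")
        label = data[pos:pos + n]
        if len(label) != n:
            raise ValueError("label runs past option end")
        labels.append(label.decode("ascii"))
        pos += n
    if labels:
        raise ValueError("name missing its zero terminator")
    return names


def naive_decode_domain_list(option):
    """Hypothetical mis-parse that returns each label as a separate suffix; it
    illustrates the symptom the post reports, not Vista's actual code."""
    _code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    out, pos = [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n:
            out.append(data[pos:pos + n].decode("ascii"))
            pos += n
    return out


if __name__ == "__main__":
    opt = encode_domain_list(["corp.company.com"])
    print(opt.hex())                      # 0018001204636f727007636f6d70616e7903636f6d00
    print(decode_domain_list(opt))        # ['corp.company.com']
    print(naive_decode_domain_list(opt))  # ['corp', 'company', 'com']
```

The practical consequence of the mis-parse is that unqualified lookups are tried against suffixes the administrator never configured, so a client-side packet capture of the option bytes (compare them against `encode_domain_list` output for the intended names) is the quickest way to tell a server-side misconfiguration from a client parsing problem.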

I sent an email to Sean Siler who is the Microsoft IPv6 program manager (IPv6 Blog) and he has confirmed that this is a known bug which will be fixed in SP2… possibly sooner.

I have confirmed this is fixed in the latest SP2 Beta (10/29/08).

Cody Lerum - October 10, 2008

T Minus 774 Days Until IPv4 Exhaustion

According to Geoff Huston’s IPv4 Address Report there are approximately 774 days until there are no more IPv4 addresses for the IANA (Internet Assigned Numbers Authority) to assign. This means that the last 5 remaining /8’s will have been assigned to the RIRs (such as ARIN). Of course this is just a projection and the actual date could come sooner if there is a rush on the last remaining addresses out there.

So, if your company was unable to get any more IPv4 addresses after December 08… where would you be?

It’s time to start asking your vendors if they support IPv6, and if they don’t, then ask when it will be supported. Most vendors are currently citing no demand and thus aren’t pushing development. It’s time to start demanding IPv6 support in all your hardware and software… vote with your checkbook. It’s time.

tags: IPv6 IANA
Cody Lerum - October 07, 2008
About Knowledge Bombs
Random bits of knowledge that we don't want to forget and that might help you!
Cody Lerum
Ken Mix