Cisco ASA5512 and Windows DHCPv6

AJWatsonLCT
Level 1

So I have been trying to get IPv6 up and going internally and a big part of that is getting our DHCP server to hand out addresses to clients instead of using autoconfig. However, it has been a huge pain in the rear end. Basically, I am learning that with DHCPv6, there is no concept of a default gateway as a configurable DHCPv6 option like dns servers. So basically, this results in the client getting an IP address but no DG and it can't talk to anything. If I modify the Cisco ASA interface config to allow it to advertise itself as the default router to the clients on that interface, the clients cease to get IPs from the DHCP server and start getting autoconfig addresses. I have provided two scenarios below that represent what is happening with the "ipv6 nd suppress-ra" command enabled and disabled.

If someone could please help me figure out how to successfully hand out DHCPv6 to my clients and still allow the Cisco ASA to send its default router advertisement, that would be great.

I have obfuscated the addresses a bit to make myself feel better about this post :-)

Scenario 1 - Autoconfig

ASA 5512
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-lifetime 1801
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300

Windows DHCP Server
Can get out to internet via IPv6.
Scope:
2600:1234:f7ea:1ab::/64
Exclusions:
2600:1234:f7ea:1ab:: - 2600:1234:f7ea:1ab:c:ffff:ffff:ffff
2600:1234:f7ea:1ab:d:0:1:0 - 2600:1234:f7ea:1ab:ffff:ffff:ffff:ffff
(This means I should be handing out only 2600:1234:f7ea:1ab:d::xxxx addresses)
IP Address:
2600:1234:f7ea:1ab:c::11/64 (Statically configured in Windows NIC)
Default Gateways:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
2600:1234:f7ea:1ab:a::1 (Cisco ASA's manually configured global address) (Statically configured in Windows NIC)

Windows DHCP Client
Is not getting an IPv6 address from the DHCP server.
Can ping global and local addresses including internal and internet addresses. Cannot resolve DNS
IP Address:
Global
2600:1234:f7ea:1ab:55b:1234:1234:793f (Assigned via autoconfig I assume)
Link Local
fe80::55b:1234:1234:793f
Default Gateway:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
DNS Servers:
fec0:0:0:ffff::1
fec0:0:0:ffff::2
fec0:0:0:ffff::3


Scenario 2 - DHCPv6

I added suppress-ra to the interface config in order to get the DHCP server to successfully hand an address to the client.

ASA 5512
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-lifetime 1801
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300
ipv6 nd suppress-ra

Windows DHCP Server
Same as above

Windows DHCP Client
Is successfully getting an IPv6 address from the DHCP server but can't talk to any global or local addresses as far as I can tell
(If I manually enter the ASA's Inside interface global address as the DG, everything works fine)
IP Address:
2600:1234:f7ea:1ab:d::9418 (Assigned via DHCP)
Default Gateway:
None
DNS Servers:
2600:1234:f7ea:1ab:c::11
2001:4860:4860::8888

2 Replies

AJWatsonLCT
Level 1

So an update... Other than the fact that I am about to throw all my lab equipment into oncoming traffic for my own personal amusement rather than continue to submit myself to this absolute nonsense... here is what is happening.

So I have made some config changes on the ASA and am basically having the same problem, except now I have wireshark on all machines involved, so I can actually see what is happening. I just have no idea why.

I see the client send out its solicitations, the DHCP server responds with the appropriate info.

That's all fine and dandy, the client has all its IP info except the default gateway.

I see the Cisco ASA sending out its router advertisement (I configured it to send out every 3 seconds for troubleshooting purposes), but the client refuses to use that link local address from the Cisco ASA as its default gateway. This is on multiple Windows 7 and 8 client machines.

New Cisco ASA Inside interface config:
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address fe80:c15c::1 link-local
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-interval 3
ipv6 nd ra-lifetime 0
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300 no-autoconfig
ipv6 nd managed-config-flag

And immediately after reading my own reply, I figured it out.

So I made the mistake of assuming that the value "0" in the command "ipv6 nd ra-lifetime 0" would indicate infinite, as in "always use this as the default router". But NOOOOO. In this case it actually means "Don't ever use this as the default router."

I changed it to the max value of 9000, "ipv6 nd ra-lifetime 9000" and it instantly showed up in the clients' NICs as the default gateway and everything now functions properly.
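As an added illustration that is not part of this thread, the Python below builds and parses minimal ICMPv6 Router Advertisements (RFC 4861) with the flag and lifetime combinations from the three ASA configurations above, and shows what a standards-following host derives from each: a Router Lifetime of 0 removes the router from the default router list no matter what the M flag or prefix options say. All function names are hypothetical, the packets are constructed in the script, and the ICMPv6 checksum is left at zero because it depends on the IPv6 pseudo-header, which this example does not model.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

def build_ra(router_lifetime, managed, prefix, autoconfig, valid=300, preferred=300):
    """Constructed RA body (RFC 4861 sec 4.2) with one Prefix Information option
    (sec 4.6.2). Checksum field is 0: pseudo-header checksum not modelled here."""
    net = IPv6Network(prefix)
    flags = 0x80 if managed else 0            # M flag: get addresses via DHCPv6
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                      router_lifetime, 0, 0)  # hop limit 64, reachable/retrans unspecified
    pflags = 0x80 | (0x40 if autoconfig else 0)  # L bit on-link, A bit = SLAAC allowed
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      valid, preferred, 0) + net.network_address.packed
    return hdr + opt

def parse_ra(pkt):
    """Parse the RA header and walk its TLV options, keeping Prefix Information."""
    t, _code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack_from("!BBHBBHII", pkt)
    if t != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8   # option length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 sec 4.6: must be discarded
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            plen, pflags, valid, _pref, _ = struct.unpack_from("!BBIII", pkt, off + 2)
            ra["prefixes"].append({"prefix": f"{IPv6Address(pkt[off+16:off+32])}/{plen}",
                                   "autonomous": bool(pflags & 0x40), "valid": valid})
        off += olen
    return ra

def client_view(ra):
    """What an RFC 4861/4862 host concludes: Router Lifetime 0 means 'not a default
    router' (sec 4.2); M selects DHCPv6; the A bit on a prefix selects SLAAC."""
    return {"default_router": ra["router_lifetime"] > 0,
            "use_dhcpv6": ra["managed"],
            "slaac": any(p["autonomous"] for p in ra["prefixes"])}

if __name__ == "__main__":
    # Scenario 1, the broken reply config (lifetime 0), and the working fix (lifetime 9000)
    for life, managed, auto in ((1801, False, True), (0, True, False), (9000, True, False)):
        pkt = build_ra(life, managed, "2600:1234:f7ea:1ab::/64", auto)
        print(life, managed, auto, client_view(parse_ra(pkt)))
```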