My setup is exactly as it sounds. (2) 1841s configured for HSRP failover; the ASA is default-routed to the link-local HSRP address, which routes to the tunnel interface and into the cloud. I have a routed /48, from which I have one /64 on the interface between the 1841s and the ASA(s) and another /64 that is RA'ed on the inside interface of the ASA.
Ping works fine. Able to resolve and ping/ping reply back without issue.
However, TCP-based activities (HTTP, SSH, FTP, etc.) have a loooooooong lag. Like Rip Van Winkle type of lag. Epic lag. Eventually it may go through but sometimes it doesn't.
A packet trace on the client shows a bunch of DUP ACKs from time to time... the same is confirmed on the ASA filter, where sometimes I'll get a bunch of denied ACKs after a connection closes.
Once the connection is established however, it's fine... was able to scp files over ipv6 and all that fun stuff.
So, what am I missing?
Probably an MTU size issue. Post some configs.
Router Config
Building configuration...
!
version 12.4
!
hostname rtr2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
dot11 syslog
ip cef
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
multilink bundle-name authenticated
!
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:A:aaaa::2/64
 ipv6 enable
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
 ! tunnel source is the HSRP IPv4 address
 tunnel source xxx.xx.xx.254
 tunnel destination 216.218.226.238
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 bandwidth 10000
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip route-cache flow
 speed 10
 full-duplex
!
interface FastEthernet0/1
 description router on a stick
 no ip address
 no ip route-cache cef
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description vlan1
 encapsulation dot1Q 1 native
 ip address xxx.xxx.xxx.250 255.255.255.224
 no ip route-cache
 ipv6 address 2001:470:ffff:1::/64 eui-64
 ipv6 enable
 no ipv6 redirects
 ipv6 nd prefix 2001:470:ffff::/64
 ipv6 nd dad attempts 5
 standby version 2
 standby 1 ip xxx.xxx.xxx.254
 standby 1 timers msec 100 msec 300
 standby 1 preempt
 standby 1 track FastEthernet0/0
 standby 3 ipv6 autoconfig
 standby 3 timers msec 100 msec 300
 standby 3 preempt
 standby 3 track FastEthernet0/1.1
!
!
ip forward-protocol nd
!
ipv6 route 2001:470:ffff:A::/64 FastEthernet0/1.1 FE80::223:33FF:FECF:2C32
ipv6 route 2001:470:ffff::/48 2001:470:B:aaaa::1
ipv6 route ::/0 Tunnel0
!
!
!
!
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log
ASA Config
ASA Version 8.2(2)
!
hostname fw
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.252
 ipv6 address 2001:470:ffff:1::/64 eui-64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.0 standby xxx.xxx.xxx.251
 ipv6 address 2001:470:ffff:a::/64 eui-64
 ipv6 enable
 ipv6 nd prefix 2001:470:ffff::/64
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ipv6 route outside ::/0 fe80::5:73ff:fea0:3
ipv6 access-list outside_access_ipv6_in permit ip any any
ipv6 access-list inside_access_ipv6_in permit ip any any
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group dmz_access_in_1 in interface dmz
Just as a test, did you try and disable your IPv6 inspection and fragment reassembly?
http://www.tunnelbroker.net/forums/index.php?topic=1907.0
That worked perfectly. Thanks for the CBAC info!
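An added example, not part of the thread: a small Python check that reads an IOS running-config and reports, for each `tunnel mode ipv6ip` interface, whether `ipv6 inspect` (CBAC) and `ipv6 virtual-reassembly` are applied, the two features that were disabled to clear the TCP stalls here. The function names are hypothetical, and the sample text is constructed from lines of the router config posted above.

```python
import re

# Constructed sample: lines taken from the router config posted in the thread.
SAMPLE_CONFIG = """\
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
!
interface Tunnel0
ipv6 traffic-filter V6-FILTER in
ipv6 inspect V6-INSPECT out
ipv6 virtual-reassembly
tunnel mode ipv6ip
!
interface FastEthernet0/0
speed 10
"""

def parse(config):
    """Return (inspect_rules, interfaces); indentation is optional."""
    rules, ifaces, current = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        rule = re.match(r"ipv6 inspect name (\S+) (\S+)", line)
        iface = re.match(r"interface\s+(.+)$", line)
        if rule:
            rules.setdefault(rule.group(1), []).append(rule.group(2))
        elif iface:
            current = ifaces.setdefault(iface.group(1), [])
        elif line in ("!", ""):
            current = None  # "!" closes the interface stanza
        elif current is not None:
            current.append(line)
    return rules, ifaces

def audit_6in4(config):
    """Report CBAC inspection and virtual reassembly on ipv6ip tunnels."""
    rules, ifaces = parse(config)
    report = {}
    for name, cmds in ifaces.items():
        if "tunnel mode ipv6ip" not in cmds:
            continue
        found = {"virtual_reassembly": "ipv6 virtual-reassembly" in cmds, "inspect": []}
        for cmd in cmds:
            m = re.match(r"ipv6 inspect (\S+) (in|out)$", cmd)
            if m:  # resolve the rule name to the protocols it inspects
                found["inspect"].append((m.group(1), m.group(2), rules.get(m.group(1), [])))
        report[name] = found
    return report

if __name__ == "__main__":
    print(audit_6in4(SAMPLE_CONFIG))
```

Running it against the config before and after the change gives a quick confirmation that the tunnel interface no longer carries either feature.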