• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Cisco 2811 unable to connect to ipv6

Started by diabloprint, May 26, 2011, 04:25:08 PM


diabloprint

Hi all,

I've spent the last few hours reading many posts here but I still can't get my 2811 to talk to anything over the tunnel.

To quickly cover off what seems to be common issues people have:
this is my external router - no nat involved anywhere,
I have what I believe are the correct v6 addresses in the tunnel config (..:1f08:131b::2) and the local interface (..:1f09:131b::1/64)
I have enabled ipv6 unicast-routing
I am running IOS 15.1.4M - the latest available
My external IP address is dynamic but is correct on the HE Tunnel Details page.

My ISP is Virgin Media in the UK but at least one other person on the forum has been successful with them so I don't think they are the problem!

I can ping 2001:470:1F08:131B::1 which I believe is the far end of the tunnel as well as the local end ::2. The trip times are different so it does look like the packets are going somewhere!

I can't ping ipv6.google.com or www.tunnelbroker.net. In both cases it is telling me an IPv6 address is the target so it's not a DNS issue.
Router#ping 2001:470:1F08:131B::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F08:131B::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
Router#ping 2001:470:1F08:131B::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F08:131B::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/28 ms
Router#ping ipv6.google.com
Translating "ipv6.google.com"...domain server (194.168.4.100) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8006::93, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping www.tunnelbroker.net
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:0:63::2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Does anyone have any suggestions?

The router config is

Building configuration...


Current configuration : 3867 bytes
!
! Last configuration change at 23:37:50 UTC Thu May 26 2011 by david
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ipv6 unicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2811 sn FCZ104574DV
username david privilege 15 password 7 ----------------------------
!
redundancy
!
!
ip tcp synwait-time 10
ip scp server enable
!
!
!
!
!
!
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F08:131B::2/64
ipv6 enable
ipv6 mtu 1280
tunnel source FastEthernet0/1
tunnel mode ipv6ip
tunnel destination 216.66.80.26
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.53.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address 2001:470:1F09:131B::1/64
ipv6 enable
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/1 overload
!
logging esm config
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.53.0 0.0.0.255
access-list 1 deny   any
access-list 100 permit ip 192.168.53.0 0.0.0.255 any
nls resp-timeout 1
cpd cr-id 1
ipv6 route ::/0 Tunnel0
!
!
!
control-plane
!
!
banner login ^CPrivate. Go Away.^C
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end


I've trimmed out a couple of bits about the router's VoIP support and removed my password. Otherwise this is what is running on the machine.

Any help will be welcome!

Thanks


David




jimb

hrm.  Based on what I can see, it should work.  A few things to try:

Ensure there are no ACLs or IOS firewall stuff blocking the 6in4 or IPv6 traffic coming in through the tunnel0 int.
Try pinging with tunnel0 as the source interface and see if it works.  If it does, the problem has to do with forwarding/routing.
Try using the ipv6 address of the other side of the tunnel as the ipv6 default route instead of tunnel0 (maybe there's a bug).
Make sure your 6in4 IPv4 traffic isn't being NATed by the router for some bizarre reason.
Try doing ipv6 enable on the outside interface (fa0/1) even though it should not be required.

That's about all I can think of at the moment.  You may also want to do some debug statements and maybe that will show you what's going on.  There may also be clues in "show logg".
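The ACL check from the list above can be run offline against a saved running-config. The following is an added example, not part of either poster's message: the function names are hypothetical, the sample is a constructed excerpt that reuses the thread's tunnel settings and adds an inbound WAN ACL the poster did not have, and the parser assumes IOS's usual one-space indent on interface sub-commands and numbered ACLs only.

```python
import re

# Constructed excerpt: the thread's tunnel settings plus a hypothetical inbound
# WAN ACL (101) that is NOT in the poster's config, to show a failing case.
SAMPLE = """\
interface Tunnel0
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip
 tunnel destination 216.66.80.26
interface FastEthernet0/1
 ip access-group 101 in
access-list 101 permit tcp any any established
access-list 101 permit icmp any any
"""

def parse(config):
    """Split a running-config into {interface: [sub-commands]} and global lines."""
    ifaces, top, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif raw[0] == " " and current is not None:
            current.append(line)          # indented: belongs to the interface
        else:
            current = None                # back at global configuration level
            top.append(line)
    return ifaces, top

def audit_6in4(config):
    """Findings for numbered ACLs that could drop 6in4 (IP protocol 41).
    Simplification: looks for a matching permit, ignores earlier deny lines."""
    ifaces, top = parse(config)
    findings = []
    for name, cmds in ifaces.items():
        if "tunnel mode ipv6ip" not in cmds:
            continue
        opts = dict(c.split()[1:3] for c in cmds
                    if c.startswith("tunnel ") and len(c.split()) >= 3)
        src, dst = opts.get("source"), opts.get("destination", "")
        for cmd in ifaces.get(src, []):
            m = re.fullmatch(r"ip access-group (\d+) in", cmd)
            acl = [t for t in top if m and t.startswith(f"access-list {m.group(1)} ")]
            want = rf"permit (41|ip) (any|host {re.escape(dst)}) "
            if m and not any(re.search(want, a + " ") for a in acl):
                findings.append(f"{src}: ACL {m.group(1)} has no permit for protocol 41 from {dst}")
        if any(re.fullmatch(r"ipv6 traffic-filter \S+ in", c) for c in cmds):
            findings.append(f"{name}: inbound ipv6 traffic-filter present, review it")
    return findings
```

Run against the configuration as posted in the thread (which has no `ip access-group` on FastEthernet0/1), `audit_6in4` returns no findings, which matches the eventual conclusion that the router config was not at fault.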

diabloprint

Well, after another few hours :)
I tried your suggestions, even tried going back to IOS 12.4. Started again with a blank config and no NAT or ACLs anywhere and it still didn't work.

Finally deleted the tunnel I had created and made a new one. This time I tried making one that terminated in Amsterdam instead of London and everything works fine!

I've tried going back to a London-based tunnel but it doesn't work. Back to .nl and it's fine.
I guess there is something different on the London server that is either broken or just doesn't like me :)

Anyway, thanks again for the help.

David

jimb

Quote from: diabloprint on May 27, 2011, 06:04:00 PM
Well, after another few hours :)
I tried your suggestions, even tried going back to IOS 12.4. Started again with a blank config and no NAT or ACLs anywhere and it still didn't work.

Finally deleted the tunnel I had created and made a new one. This time I tried making one that terminated in Amsterdam instead of London and everything works fine!

I've tried going back to a London-based tunnel but it doesn't work. Back to .nl and it's fine.
I guess there is something different on the London server that is either broken or just doesn't like me :)

Anyway, thanks again for the help.

David


LOL.  OOPS.  Well sometimes it is an issue on HE's equipment.  Not sure how that happens since it's automated.  Bugs I guess.