
ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration

Started by jfalcon, November 10, 2011, 12:25:33 PM


jfalcon

My setup is exactly as it sounds.  (2) 1841 configured for HSRP failover, the ASA is default routed to the link-local HSRP which routes to the tunnel interface and into the cloud.  I have a routed /48 which I have one /64 on the interface between the 1841s and the ASA(s) and another /64 that is RA'ed on the inside interface of the ASA.

Ping works fine.  Able to resolve and ping/ping reply back without issue.

However, TCP-based activities (HTTP, SSH, FTP, etc.) have a loooooooong lag.  Like Rip Van Winkle type of lag.  Epic lag.  Eventually it may go through but sometimes it doesn't.

A packet trace on the client shows a bunch of DUP ACKs from time to time... the same is confirmed on the ASA filter, where sometimes I'll get a bunch of denied ACKs after a connection closes.

Once the connection is established however, it's fine... was able to scp files over ipv6 and all that fun stuff.

So, what am I missing?

cconn


jfalcon

Router Config

Building configuration...

!
version 12.4
!
hostname rtr2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
dot11 syslog
ip cef
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
multilink bundle-name authenticated
!
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:A:aaaa::2/64
 ipv6 enable
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
 tunnel source xxx.xx.xx.254 - HSRP IPv4 address
 tunnel destination 216.218.226.238
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 bandwidth 10000
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip route-cache flow
 speed 10
 full-duplex
!
interface FastEthernet0/1
 description router on a stick
 no ip address
 no ip route-cache cef
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description vlan1
 encapsulation dot1Q 1 native
 ip address xxx.xxx.xxx.250 255.255.255.224
 no ip route-cache
 ipv6 address 2001:470:ffff:1::/64 eui-64
 ipv6 enable
 no ipv6 redirects
 ipv6 nd prefix 2001:470:ffff::/64
 ipv6 nd dad attempts 5
 standby version 2
 standby 1 ip xxx.xxx.xxx.254
 standby 1 timers msec 100 msec 300
 standby 1 preempt
 standby 1 track FastEthernet0/0
 standby 3 ipv6 autoconfig
 standby 3 timers msec 100 msec 300
 standby 3 preempt
 standby 3 track FastEthernet0/1.1
!
!
ip forward-protocol nd
!
ipv6 route 2001:470:ffff:A::/64 FastEthernet0/1.1 FE80::223:33FF:FECF:2C32
ipv6 route 2001:470:ffff::/48 2001:470:B:aaaa::1
ipv6 route ::/0 Tunnel0
!
!
!
!
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log



ASA Config

ASA Version 8.2(2)
!
hostname fw
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.252
 ipv6 address 2001:470:ffff:1::/64 eui-64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.0 standby xxx.xxx.xxx.251
 ipv6 address 2001:470:ffff:a::/64 eui-64
 ipv6 enable
 ipv6 nd prefix 2001:470:ffff::/64
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ipv6 route outside ::/0 fe80::5:73ff:fea0:3
ipv6 access-list outside_access_ipv6_in permit ip any any
ipv6 access-list inside_access_ipv6_in permit ip any any
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group dmz_access_in_1 in interface dmz
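
Added example (not part of the original post and not the poster's code): a small Python model of the inbound policy the posted router config places on Tunnel0, that is, the first-match V6-FILTER ACL combined with the return-traffic state created by "ipv6 inspect V6-INSPECT out". It assumes each 1841 keeps its own inspect session table; the addresses, ports and the Router/Packet names are constructed for illustration.

```python
from dataclasses import dataclass

# ipv6 access-list V6-FILTER from the posted config; first match wins.
V6_FILTER = [("permit", "icmp"), ("deny", "ipv6")]

@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """One 1841: the stateless ACL plus its own inspect session table (assumed not shared)."""
    INSPECTED = {"tcp", "udp", "icmp"}   # V6-INSPECT protocols; ftp rides on tcp

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def outbound(self, p):
        # 'ipv6 inspect V6-INSPECT out': remember the flow so its replies are let back in.
        if p.proto in self.INSPECTED:
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def inbound(self, p):
        # Return traffic matching a session on THIS router is allowed ahead of the ACL.
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "permit (inspect session)"
        for action, proto in V6_FILTER:
            if proto in ("ipv6", p.proto):   # 'ipv6' matches any protocol
                return f"{action} (V6-FILTER)"
        return "deny (implicit)"

def demo():
    rtr1, rtr2 = Router("rtr1"), Router("rtr2")
    client, server = "2001:db8:a::10", "2001:db8:ffff::80"   # constructed addresses
    rtr1.outbound(Packet("tcp", client, 50000, server, 80))  # only rtr1 sees the SYN
    synack = Packet("tcp", server, 80, client, 50000)
    echo_reply = Packet("icmp", server, 0, client, 0)
    return {
        "tcp reply at rtr1": rtr1.inbound(synack),
        "tcp reply at rtr2": rtr2.inbound(synack),
        "icmp reply at rtr2": rtr2.inbound(echo_reply),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In this model ICMP is permitted by the ACL on either router regardless of state, while a TCP reply is permitted only on the router that recorded the outbound packet; on a real pair, "show ipv6 inspect sessions" on each 1841 and the "log" hits on V6-FILTER show which case applies.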

cconn


jfalcon