Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration  (Read 4040 times)

jfalcon

ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration
« on: November 10, 2011, 12:25:33 PM »

My setup is exactly as it sounds.  (2) 1841s configured for HSRP failover, the ASA is default routed to the link-local HSRP which routes to the tunnel interface and into the cloud.  I have a routed /48, of which I have one /64 on the interface between the 1841s and the ASA(s) and another /64 that is RA'ed on the inside interface of the ASA.

Ping works fine.  Able to resolve and ping/ping reply back without issue.

However, TCP-based activities (HTTP, SSH, FTP, etc.) have a loooooooong lag.  Like Rip Van Winkle type of lag.  Epic lag.  Eventually it may go through but sometimes it doesn't.

A packet trace on the client shows a bunch of DUP ACKs from time to time... the same is confirmed on the ASA filter, where sometimes I'll get a bunch of denied ACKs after a connection closes.

Once the connection is established however, it's fine... was able to scp files over ipv6 and all that fun stuff.

So, what am I missing?

cconn

Re: ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration
« Reply #1 on: November 12, 2011, 09:25:27 AM »

Probably an MTU size issue.  Post some configs.

jfalcon

Re: ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration
« Reply #2 on: November 14, 2011, 08:10:48 AM »

Router Config
Code:
Building configuration...

!
version 12.4
!
hostname rtr2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
dot11 syslog
ip cef
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
multilink bundle-name authenticated
!
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:A:aaaa::2/64
 ipv6 enable
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
 ! tunnel source is the HSRP IPv4 address
 tunnel source xxx.xx.xx.254
 tunnel destination 216.218.226.238
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 bandwidth 10000
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip route-cache flow
 speed 10
 full-duplex
!
interface FastEthernet0/1
 description router on a stick
 no ip address
 no ip route-cache cef
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description vlan1
 encapsulation dot1Q 1 native
 ip address xxx.xxx.xxx.250 255.255.255.224
 no ip route-cache
 ipv6 address 2001:470:ffff:1::/64 eui-64
 ipv6 enable
 no ipv6 redirects
 ipv6 nd prefix 2001:470:ffff::/64
 ipv6 nd dad attempts 5
 standby version 2
 standby 1 ip xxx.xxx.xxx.254
 standby 1 timers msec 100 msec 300
 standby 1 preempt
 standby 1 track FastEthernet0/0
 standby 3 ipv6 autoconfig
 standby 3 timers msec 100 msec 300
 standby 3 preempt
 standby 3 track FastEthernet0/1.1
!
!
ip forward-protocol nd
!
ipv6 route 2001:470:ffff:A::/64 FastEthernet0/1.1 FE80::223:33FF:FECF:2C32
ipv6 route 2001:470:ffff::/48 2001:470:B:aaaa::1
ipv6 route ::/0 Tunnel0
!
!
!
!
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log


ASA Config
Code:
ASA Version 8.2(2)
!
hostname fw
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.252
 ipv6 address 2001:470:ffff:1::/64 eui-64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.0 standby xxx.xxx.xxx.251
 ipv6 address 2001:470:ffff:a::/64 eui-64
 ipv6 enable
 ipv6 nd prefix 2001:470:ffff::/64
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ipv6 route outside ::/0 fe80::5:73ff:fea0:3
ipv6 access-list outside_access_ipv6_in permit ip any any
ipv6 access-list inside_access_ipv6_in permit ip any any
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group dmz_access_in_1 in interface dmz

cconn

Re: ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration
« Reply #3 on: November 14, 2011, 02:50:31 PM »

Just as a test, did you try disabling your IPv6 inspection and fragment reassembly?


http://www.tunnelbroker.net/forums/index.php?topic=1907.0


jfalcon

Re: ipv6 'delay' using Cisco 1841<->ASA with HSRP configuration
« Reply #4 on: November 14, 2011, 03:34:22 PM »

That worked perfectly.  Thanks for the CBAC info!
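The change suggested in reply #3, applied to the Tunnel0 stanza posted in reply #2, as an added example that is not part of the original thread and not the poster's final configuration. It assumes the inbound `V6-FILTER` ACL is kept: once CBAC is removed nothing opens return entries in that ACL dynamically, so the `established` entry shown is an illustrative, stateless replacement that the thread does not mention.

```cisco
! Before (as posted in reply #2): CBAC and virtual reassembly on the 6in4 tunnel
interface Tunnel0
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
!
! After: remove inspection and fragment reassembly from the tunnel interface
interface Tunnel0
 no ipv6 inspect V6-INSPECT out
 no ipv6 virtual-reassembly
!
! Assumption (not from the thread): V6-FILTER stays applied inbound.
! As posted it permits only ICMP, so without CBAC every returning TCP
! segment would hit the final deny. The resulting ACL contents are shown
! below; the permit must sit ahead of the deny. "established" matches on
! the ACK/RST bits only and keeps no connection state, so stateful
! filtering for the routed /48 is left to the ASA behind the routers.
ipv6 access-list V6-FILTER
 permit icmp any any
 permit tcp any 2001:470:ffff::/48 established
 deny ipv6 any any log
```

`show ipv6 access-list V6-FILTER` lists per-entry match counters, which shows whether the final deny is still catching return traffic after the change.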