Incoming ICMPv6 fails on Netscreen-25
Shadow Hawkins on Sunday, 19 October 2014 20:03:24
So I have a Netscreen-25 (inherited from my old job) that I've set up with my SixXS tunnel on it as per the instructions in the Wiki here.
However, no matter what I do I can't seem to get it to accept incoming ICMPv6 messages, neither on the external interface (which has my endpoint IP) nor on hosts behind the firewall. That means my tunnel registers as down, even though I have perfect IPv6 connectivity on my LAN.
I've tried different versions of the SixXS setup, both using loopback interfaces, setting my endpoint IP on the external LAN interface and so on. Nothing works.
I've got a policy set up on the Untrust interface that allows ICMP6-ANY.
And now I've run out of ideas to try. Any Netscreen gurus out there who might be able to help me? The box is running ScreenOS 5.4.0r28a.0.
Shadow Hawkins on Saturday, 01 November 2014 23:46:43
Your problem sounds a lot like the issue I had with return ICMPv6 packets on my Cisco 1801. LAN connectivity was fine, and debugs showed the ICMPv6 packets arriving and leaving, but the POP was convinced I was down.
The way I fixed it was to ensure that only my IPv4 inside addresses were subject to NAT outbound.
I have no experience with Netscreen, but see if you can disable NAT from inside your network fully, and get the ICMPv6 packets to flow.
If that works, then look very carefully at how your outbound IPv4 NAT ACLs are configured.