Cisco ASA IPv6 Failover in 8.2(2): So Far, So Good...

After several months of empty promises, missed dates and missing features, we’d pretty much resigned ourselves to waiting until ASA version 8.3(x) (ETA TBD) for IPv6 failover support. So imagine our surprise when the 8.2(2) release notes showed the following new feature:

IPv6 Support in Failover Configurations — IPv6 is now supported in Failover configurations. You can assign active and standby IPv6 addresses to interfaces and use IPv6 addresses for the failover and Stateful failover interfaces.

The following commands were modified: failover interface ip, ipv6 address.

Keeping in mind past disappointments, we were cautiously optimistic that we might finally be able to swing our IPv6 traffic from a spare Juniper SSG (100Mbps interfaces) to our ASA 5520 failover pair (Gigabit Ethernet interfaces). The upgrade was flawless and, sure enough, there is now a spot to specify a standby IPv6 address. After a week of light testing, I can report that so far things are running as one would expect. Time will tell, but it seems that another major step has been taken towards production deployment of IPv6 in the enterprise.

Ken Mix - January 29, 2010
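The active/standby address assignment the 8.2(2) release note describes, shown as an added example rather than the authors' own configuration. The interface names, the folink failover interface, the unit roles and the 2001:db8::/32 documentation addresses are all assumptions; only the two commands the release note lists (ipv6 address with a standby address, failover interface ip with an IPv6 address) are what the note itself promises.

```cisco
! Active/standby pair, both units on 8.2(2) or later (example, not the page's config)
! The "standby" address is what the standby unit answers on; on failover the
! new active unit takes over the active address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ipv6 address 2001:db8:0:1::1/64 standby 2001:db8:0:1::2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ipv6 address 2001:db8:0:2::1/64 standby 2001:db8:0:2::2
!
! Failover and Stateful failover link carried over IPv6 (assumed interface Gi0/3)
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 2001:db8:0:ff::1/64 standby 2001:db8:0:ff::2
failover link folink GigabitEthernet0/3
failover
```

Two checks worth doing before trusting it: confirm both units report the same 8.2(2) image in show failover before adding any ipv6 lines, since the earlier entries on this page describe what happens when IPv6 commands are synced to a standby that cannot honour them, and after enabling failover confirm with show ipv6 interface on each unit that the active unit holds the active address and the standby holds only the standby address.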

IPv6 Progress in 2009 (or lack thereof)

As this year comes to an end, our march towards IPv6 seems to be a little bit of a mixed bag. On one hand it appears that great strides have been made in raising the awareness that IPv6 is coming and there likely isn’t much that can be done to slow it down. On the other hand it feels like vendor support for IPv6 has either slowed or, in some cases, taken a step backwards.

Cisco, for example, started pulling existing IPv6 features from the 870 series of routers (possibly others, but I’ve only run across it on 870s — so far). Their rationale, however depressing, does make sense. The features were added to the code years ago and just kind of sat there, used by very few customers. Then, in the last year as IPv6 interest started to pick up, people started opening bug reports on Cisco’s implementation. Rather than allocate the engineering resources to fix the problems, Cisco decided to remove the features. From a business perspective, I can’t really fault them on that; as far as I can tell IPv6 is still only used by forward-looking people inside the industry for testing and non-critical applications.

We did start to see some IPv6 content from mainstream providers, with Netflix’s streaming via IPv6 and Google’s IPv6 DNS Whitelist, but unfortunately progress is still hindered by a lack of widespread consumer adoption; enabling IPv6 on your money-making website is more likely to cost you money in lost traffic than increase it.

Will 2010 be the year we start seeing widespread support? It should be an interesting 12 months.

Cody Lerum - December 29, 2009

Cisco ASA & IPv6 Failover Update

We were pretty excited here when version 8.2 of the ASA OS was released to the public a few weeks ago. Not only was IPv6 failover to be supported in the release (per Cisco TAC — see previous entry), but as I perused the release notes I saw several other important IPv6 enhancements: IPv6 support in ASDM version 6.2, IPv6 support in transparent mode and IPv6 support for IPS. Interestingly, the release notes did not mention something as important for enterprise IPv6 adoption as IPv6 failover support, so I decided to dig a bit deeper before diving into an upgrade. Sure enough, in the “Failover System Requirements” section of the 8.2 CLI Configuration Guide: “IPv6 failover is not supported in Release 8.2(1).” This was a disappointing find, but I decided to remain optimistic and maintain the possibility that maybe I’d just run across a documentation error. Going back to the source, I opened another TAC case (SR 611470841). The tech was extremely helpful, informing me that while IPv6 failover support was on Cisco’s roadmap, there was no specific release targeted for inclusion of this “feature”.

Basically, since we are running a failover pair in our datacenter, IPv6 is still not an option for us on the ASA. I find it strange that Cisco would devote development time and resources to the IPv6 enhancements listed in the release notes while neglecting critical functionality like IPv6 failover support, the absence of which precludes the possibility of ANY ASA IPv6 deployment in a failover environment. Even if I deem IPv6 as non-critical traffic (at this point) and do not require IPv6 failover capabilities, the lack of support for IPv6 in the failover configuration (or at least the ability to ignore IPv6 commands in the config that is synced to the standby unit), ensures that configuration of IPv6 on my failover pair will result in unpredictable behavior from the devices on my network.

As the IPv4 deadline draws near, enterprises interested in testing and deploying IPv6 services may begin to look to other vendors for the functionality they require. In our case, a demo Juniper SSG (that we’d had no real intention of deploying) is now running parallel to our ASA failover stack, and has been running flawlessly since we deployed it.

Ken Mix - June 02, 2009

Cisco ASA & IPv6 Failover

When we began planning the upgrade of our corporate infrastructure to fully support IPv6 in a dual-stack configuration, one of the earliest stumbling blocks came from an unexpected source – our Cisco ASA security appliances. By the time we’d begun our changes Cisco ASAs and PIXes had already been supporting IPv6 for a full three years (since release 7.0 in mid-2005), so I was expecting a feature-complete IPv6 product.

Initial configuration went smoothly (via the CLI, as the ASDM does not currently support IPv6 commands), but IPv6 connectivity through the ASA was spotty at best. Digging into the problem, we discovered that the Primary and Standby ASA were both transmitting router advertisements with the same priority, and that most of the hosts were sending their non-local packets to the link-local address of the Standby ASA, which was duly discarding them. A Cisco TAC request confirmed that IPv6 failover configuration will not be supported until 8.2. Timeframe for release of 8.2? Unknown.

How could IPv6 and critical enterprise functionality such as Failover be mutually exclusive, especially after three years and one full major release (IPv6 functionality was introduced in 7.0 – as of this writing the current version is 8.0(4))? This tells me that NO enterprises (0.000%) running Cisco ASAs have deployed IPv6 in their existing production environments. Since Cisco is the market share leader in the firewall segment, one has to wonder what percentage of North American companies have even begun planning for the approaching IPv4 exhaustion.

tags: IPv6 Cisco ASA
Ken Mix - November 03, 2008
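The symptom in the entry above (two ASAs advertising themselves with the same priority, hosts splitting their default route between them) comes down to the Router Lifetime and the RFC 4191 Default Router Preference in each Router Advertisement. The following parser is an added example, not code from the authors; it decodes raw ICMPv6 RA messages and lists the routers a host would treat as equal default-router candidates, which is the check to run on a packet capture from the affected segment. The fe80::1 and fe80::2 link-local addresses and the RA bytes themselves are constructed for the example, not captured from the authors' network.

```python
"""Decode IPv6 Router Advertisements and list equal default-router candidates
(RFC 4861 section 6.3.6, RFC 4191 section 3).

Added example for this post; RA bytes are constructed, not captured, and the
fe80::1 / fe80::2 source addresses are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134          # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3             # ND option type; 32 bytes long (length field = 4)

# RFC 4191: Prf is bits 3-4 of the RA flags byte; 0b10 is reserved and a
# receiver MUST treat it as medium.
PRF_FROM_BITS = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PRF_TO_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_RANK = {"high": 2, "medium": 1, "low": 0}


@dataclass
class RouterAdvert:
    source: str                 # link-local source address of the RA
    lifetime: int               # Router Lifetime in seconds; 0 = not a default router
    preference: str             # high / medium / low
    prefixes: list = field(default_factory=list)


def parse_ra(source, data):
    """Decode one ICMPv6 RA (ICMPv6 header onward, no IPv6 header)."""
    if len(data) < 16:
        raise ValueError("truncated RA header")
    icmp_type, code, _cksum, _hlim, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", data[:16])
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvert(source, lifetime, PRF_FROM_BITS[(flags >> 3) & 0b11])
    off = 16
    while off + 2 <= len(data):                 # walk the TLV options
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")     # RFC 4861: must discard
        end = off + olen * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = data[off + 2]
            prefix = ipaddress.IPv6Address(data[off + 16:off + 32])
            ra.prefixes.append(f"{prefix}/{plen}")
        off = end
    return ra


def build_ra(lifetime, preference, prefix, plen=64):
    """Construct an RA with one Prefix Information option (checksum left as 0)."""
    flags = PRF_TO_BITS[preference] << 3
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    # type, length, prefix length, L|A flags, valid, preferred, reserved, then prefix
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed


def default_router_candidates(ras):
    """Routers a host may choose as default: non-zero lifetime and the highest
    advertised preference. More than one entry means the choice between them is
    implementation-defined, which is the split described in the post."""
    live = [r for r in ras if r.lifetime > 0]
    if not live:
        return []
    best = max(PRF_RANK[r.preference] for r in live)
    return [r.source for r in live if PRF_RANK[r.preference] == best]


if __name__ == "__main__":
    # Constructed scenario: primary and standby both advertise at medium preference.
    seen = [parse_ra("fe80::1", build_ra(1800, "medium", "2001:db8:0:2::")),
            parse_ra("fe80::2", build_ra(1800, "medium", "2001:db8:0:2::"))]
    print("equal candidates:", default_router_candidates(seen))   # ['fe80::1', 'fe80::2']
    # Standby demoted to low preference: a single candidate remains.
    seen[1] = parse_ra("fe80::2", build_ra(1800, "low", "2001:db8:0:2::"))
    print("after demotion:", default_router_candidates(seen))      # ['fe80::1']
```

On a live segment, feed the function the ICMPv6 payloads of every RA seen within one Router Lifetime: a result with two entries is the failure mode above. A standby that stops advertising, advertises Router Lifetime 0, or advertises a lower RFC 4191 preference than the active unit all collapse the list to one entry; which of those a given ASA release does is not something this page establishes, so verify it on the wire rather than assuming it.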
About Knowledge Bombs
Random bits of knowledge that we don't want to forget and that might help you!
Cody Lerum
Ken Mix