Technical Tip: How to verify IPv6 link-local address (LLA) connectivity from the FortiGate to a local host
Description
This article describes how to verify link-local IPv6 connectivity between the FortiGate and an IPv6 client on the local network.
Scope
FortiGate, IPv6.
Solution
The first step is to assign an IPv6 address to the FortiGate network interface, either manually or automatically from another device via SLAAC or DHCPv6. Doing this also enables the FortiGate to auto-configure a link-local IPv6 address for that interface:
config system interface
    edit "wan1"
        set vdom "root"
        set type physical
        config ipv6
            set ip6-address 2001:db8:2016:210::1/64
            set ip6-allowaccess ping https ssh
        end
    next
end
Note: The above behavior differs depending on the kernel version running on the FortiGate. For NP7 and VM FortiGates running Linux kernel 4.x or later, IPv6 link-local addresses are always generated automatically, regardless of the manual IPv6 configuration, whereas NP6/SOC4-based FortiGates with kernel 3.x only generate a link-local address after an IPv6 address is assigned to the interface. See also: Technical Tip: How to check Kernel version of FortiGate.
To view the IPv6 addresses present on the FortiGate interface, use the command diagnose ipv6 address list. Link-local IPv6 addresses fall within the fe80::/10 prefix:
FortiGate # diagnose ipv6 address list
dev=5 devname=wan1 flag=P scope=0 prefix=64 addr=2001:db8:2016:210::1 preferred=4294967295 valid=4294967295 cstamp=290729 tstamp=290729
dev=5 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::926c:acff:fee5:4c50 preferred=4294967295 valid=4294967295 cstamp=290729 tstamp=290729
On the same local network, connect an IPv6 client. In this example, the IPv6 client is a Windows-based host, so its IPv6 addresses can be obtained with either the ipconfig command or the Get-NetIPAddress -AddressFamily IPv6 PowerShell cmdlet:
C:\Users\TestUser>ipconfig
[...]
IPv6 Address . . . . . . . . . . . . : 2001:db8:2016:210::101(Preferred)
Link-local IPv6 Address . . . . . : fe80::598:2d42:a930:fbc8(Preferred)
[...]
To send an ICMPv6 Echo Request from the FortiGate's link-local address (LLA) to the client's LLA, use the command execute ping6 <IPv6_Address> -I <outgoing_interface_name>. Note that the -I flag is mandatory when pinging IPv6 link-local addresses, as the FortiGate needs to know which interface is connected to the same network segment as the destination host:
FortiGate # execute ping6 fe80::598:2d42:a930:fbc8 -I wan1
PING fe80::598:2d42:a930:fbc8(fe80::598:2d42:a930:fbc8) from fe80::926c:acff:fee5:4c50 wan1: 56 data bytes
64 bytes from fe80::598:2d42:a930:fbc8: icmp_seq=1 ttl=128 time=0.571 ms
64 bytes from fe80::598:2d42:a930:fbc8: icmp_seq=2 ttl=128 time=0.414 ms
64 bytes from fe80::598:2d42:a930:fbc8: icmp_seq=3 ttl=128 time=0.542 ms
64 bytes from fe80::598:2d42:a930:fbc8: icmp_seq=4 ttl=128 time=0.248 ms
64 bytes from fe80::598:2d42:a930:fbc8: icmp_seq=5 ttl=128 time=0.839 ms
The following options are available for the execute ping6 command on the FortiGate and are similar to the general Linux version of the command:
FortiGate # execute ping6 ?
Usage: ping6 [-LUdfnqrvaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface]
[-M mtu discovery hint] [-S sndbuf]
[-F flow label] [-Q traffic class] [hop1 ...] destination
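The following Python script is an added example, not part of the original article or Fortinet tooling. It parses saved diagnose ipv6 address list output, picks out the fe80::/10 addresses per interface, and builds the ping6 line with the mandatory -I flag. It also shows that an LLA with ff:fe in the middle of its interface ID (modified EUI-64, as on wan1 above) discloses the interface MAC address to hosts on the link, while the Windows client's LLA does not. The function names are hypothetical and the sample input is constructed from the output lines shown above.

```python
import ipaddress
import re

# Constructed sample input: the two output lines shown in this article.
SAMPLE = (
    "dev=5 devname=wan1 flag=P scope=0 prefix=64 addr=2001:db8:2016:210::1 "
    "preferred=4294967295 valid=4294967295 cstamp=290729 tstamp=290729\n"
    "dev=5 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::926c:acff:fee5:4c50 "
    "preferred=4294967295 valid=4294967295 cstamp=290729 tstamp=290729\n"
)
FIELD = re.compile(r"(\w+)=(\S+)")

def link_local_by_interface(text):
    """Map interface name -> list of fe80::/10 addresses found in the output."""
    found = {}
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            addr = ipaddress.IPv6Address(fields["addr"])
            dev = fields["devname"]
        except (KeyError, ValueError):
            continue  # prompt line, blank line, or malformed entry
        if addr.is_link_local:
            found.setdefault(dev, []).append(str(addr))
    return found

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # no ff:fe marker: interface ID is not EUI-64 derived
    # Flip the universal/local bit back and drop the ff:fe filler bytes.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def ping6_command(dest, interface=None):
    """Build the ping6 line; refuse a link-local target without -I."""
    addr = ipaddress.IPv6Address(dest)
    if addr.is_link_local and not interface:
        raise ValueError("link-local destination needs -I <interface>")
    suffix = f" -I {interface}" if interface else ""
    return f"execute ping6 {addr}{suffix}"

if __name__ == "__main__":
    for dev, addrs in link_local_by_interface(SAMPLE).items():
        for a in addrs:
            print(dev, a, "MAC from EUI-64:", eui64_mac(a))
    print(ping6_command("fe80::598:2d42:a930:fbc8", "wan1"))
```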