Technical Tip: Unable to reach IPv6 gateway that is a Subnet-Router Anycast Address
| Description | This article describes the reason why an IPv6 gateway may not be reachable and a workaround using RFC 6164. |
| Scope | FortiOS 6.4.2 and later, IPv6 |
Solution

As a primer, the IPv6 Subnet-Router anycast address (RFC 4291 Section 2.6.1) is the lowest/first address in any given IPv6 subnet: the subnet prefix with an all-zero interface identifier. For comparison, IPv4 has a similar concept called the network identifier or network address, which is also the first address in a given IPv4 subnet (such as 192.168.1.0 for 192.168.1.0/24).
As an example, an IPv6 prefix such as 2001:db8:abcd:1::28/126 breaks out to the following four addresses:

2001:db8:abcd:1::28 (Subnet-Router anycast address: all-zero interface identifier)
2001:db8:abcd:1::29
2001:db8:abcd:1::2a
2001:db8:abcd:1::2b
Generally speaking, it is not recommended to assign the Subnet-Router anycast address directly to any network interface within a given subnet; in fact, RFC 2526 Section 2 specifies that this address (and any other IPv6 reserved subnet anycast address) must not be assigned as a unicast address to any interface. However, some ISPs may still hand out a prefix with a longer prefix length in such a way that their router ends up configured with the Subnet-Router anycast address (for example, the first address of a /126).
This can be a problem for FortiGates running FortiOS v6.4.2 or later, as Change #639470 was implemented to prevent the Subnet-Router anycast address from being used as the gateway of an IPv6 static route. Consider the following example topology, in which the FortiGate and the ISP router share a single /126 link:
In the above configuration, the FortiGate has an IPv6 global unicast address (GUA) of 2001:db8:9830::29/126 and the ISP router has a GUA of 2001:db8:9830::28/126. Additionally, the FortiGate has an IPv6 default static route configured with 2001:db8:9830::28 as the next-hop gateway:
```
config system interface
    edit "port1"
        config ipv6
            set ip6-address 2001:db8:9830::29/126
            set ip6-allowaccess ping https http
        end
    next
end
```

```
config router static6
    edit 1
        set gateway 2001:db8:9830::28
        set device "port1"
    next
end
```
With the above configuration, the FortiGate will not be able to see the next-hop address in the IPv6 neighbor cache, and so it will not be able to reach the next-hop gateway to send traffic. Filtering the neighbor cache for the expected neighbor's MAC address returns no entry, and a ping to the gateway address fails:

```
FortiGate # diagnose ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2

FortiGate # execute ping6 2001:db8:9830::28
```
As noted above, this is because 2001:db8:9830::28 is the Subnet-Router anycast address of 2001:db8:9830::28/126 and should not be assigned directly to any network interface. Additionally, the FortiGate itself is an IPv6 router, and RFC 4291 requires routers to support the Subnet-Router anycast address for every prefix on which they have an interface; the FortiGate is therefore implicitly listening for this anycast address itself and does not resolve it as an on-link neighbor.
Workaround: There is one situation where it is acceptable to assign the Subnet-Router anycast address to a network interface, and that is when the IPv6 prefix length is /127 (two addresses on the link). RFC 6164 defines this usage for inter-router point-to-point links and states that the Subnet-Router anycast address is not used on a /127, so both addresses on the link are ordinary unicast addresses. Changing to a /127 prefix length on the FortiGate can therefore be used as a workaround in cases where the ISP cannot reconfigure the address assigned to its device.
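The following Python script is an added example and is not part of the Fortinet article or FortiOS; it uses only the standard-library `ipaddress` module. It reproduces the primer and the workaround above in code: it enumerates the addresses of a prefix, computes the Subnet-Router anycast address, shows which addresses a router treats as its own on a link, and classifies a static-route gateway the way the article reasons about it (anycast on a /126 versus plain unicast on a /127 per RFC 6164). The function names and the return labels are this example's own; the addresses are the article's documentation-prefix examples.

```python
"""Added example (not from the Fortinet article): check an IPv6 static-route
gateway against the local interface prefix to see whether it is the
Subnet-Router anycast address, and whether the RFC 6164 /127 exception applies.
Function names and labels are this example's own; addresses are the article's."""
import ipaddress
from typing import Optional


def enumerate_addresses(prefix: str) -> list[str]:
    """List every address covered by a prefix, first address included.

    The first address (all-zero interface identifier) is the Subnet-Router
    anycast address defined in RFC 4291 Section 2.6.1.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [str(a) for a in net]


def subnet_router_anycast(prefix: str) -> Optional[str]:
    """Return the Subnet-Router anycast address of the prefix, or None when the
    link is a /127 or /128, where RFC 6164 says no such anycast address exists."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen >= 127:
        return None
    return str(net.network_address)


def router_own_addresses(local_iface: str) -> set[str]:
    """Addresses a router treats as its own on this link: its unicast address
    plus, on links shorter than /127, the Subnet-Router anycast address that
    RFC 4291 requires every router to support for each prefix it is attached to.
    This is why a FortiGate (itself a router) never learns that address as a
    neighbor: it already considers the address local."""
    iface = ipaddress.IPv6Interface(local_iface)
    own = {str(iface.ip)}
    anycast = subnet_router_anycast(str(iface.network))
    if anycast is not None:
        own.add(anycast)
    return own


def classify_next_hop(local_iface: str, gateway: str) -> str:
    """Classify a static-route gateway relative to the local interface.

    Returns one of:
      'not-on-link'      gateway is outside the interface prefix
      'local-anycast'    gateway is the Subnet-Router anycast address of a
                         prefix shorter than /127; the router treats it as its
                         own address, so it cannot be a reachable neighbor
      'rfc6164-unicast'  gateway is the first address of a /127 (or a /128);
                         RFC 6164 makes it an ordinary unicast address
      'unicast'          ordinary on-link unicast next hop
    """
    iface = ipaddress.IPv6Interface(local_iface)
    gw = ipaddress.IPv6Address(gateway)
    net = iface.network
    if gw not in net:
        return 'not-on-link'
    if gw == net.network_address:
        return 'rfc6164-unicast' if net.prefixlen >= 127 else 'local-anycast'
    return 'unicast'


if __name__ == '__main__':
    # The article's two configurations side by side: same gateway, /126 vs /127.
    for iface in ('2001:db8:9830::29/126', '2001:db8:9830::29/127'):
        print(iface, '->', classify_next_hop(iface, '2001:db8:9830::28'),
              '| router-owned:', sorted(router_own_addresses(iface)))
    print(enumerate_addresses('2001:db8:abcd:1::28/126'))
```

Run stand-alone, the script reports the /126 gateway as `local-anycast` (the FortiGate owns 2001:db8:9830::28 itself) and the /127 gateway as `rfc6164-unicast`, which is the whole difference between the failing and working configurations in this article.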
In the following modified configuration, the FortiGate has been changed to use a /127 prefix length on the network interface rather than a /126; no changes are required to the IPv6 static route:
```
config system interface
    edit "port1"
        config ipv6
            set ip6-address 2001:db8:9830::29/127
            set ip6-allowaccess ping https http
        end
    next
end
```

```
config router static6
    edit 1
        set gateway 2001:db8:9830::28
        set device "port1"
    next
end
```
After doing this, the FortiGate is able to discover the ISP router as an IPv6 neighbor and the next-hop gateway becomes reachable and available for traffic forwarding:
```
FortiGate # diagnose ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2

FortiGate # execute ping6 2001:db8:9830::28

--- 2001:db8:9830::28 ping statistics ---
```
Related document: