IPV6 VirtualIP
2001:1890:1222:900::32

Is that above prefix fully routed?

    2001:1890::/29 *[BGP/170] 5d 17:30:21, localpref 100
        AS path: 7018 I, validation-state: unverified
        > to 2001:1890:111d:111d:12:255:255:31 via fe-0/0/1.0

Have you run any diag flow and/or sniffer looking for traffic? Does your ipv6 route-table have a default route? Btw, I can't ping it nor telnet to port 25. I would check all of the above and the fwpolicy6 rules.
PCNSE
NSE
StrongSwan
Denied by forward policy check

You have posted your VIP configuration, but what about the fwpolicy6? A "Denied by forward policy check" is like 9 out of 10 times related to no policy. It's been that way with ipv4 and I would assume ipv6 is the same. I would review all of the fwpolicies and ordering of such. See the below reference tips from KB: "http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31702". FWIW, if it was matching a fwpolicy6 id, it would have presented the policy #.
PCNSE
NSE
StrongSwan
I have a similar problem, could you help me?
I received a /56 and put a valid IP on a server, 2804:150:11:9e02::8. I created an address and created a firewall rule ALL -> 2804:150:11:9e02::8 ICMP/https. The requests hit the firewall, but without external connectivity. Upon debug I saw the traffic:
in 2804:150:11:9e00::1 -> 2804:150:11:9e02::8: icmp6: neighbor sol: who has 2804:150:11:9e02::8 [class 0xc0]
But when I create a VIP, access works normally.
Shouldn't access work without the VIP, since the server has a valid IP?
Thanks,
André.
What do you mean by /56? Did you assign this on one interface? What's your topology?
e.g. (using your debug)
2804:150:11:9e00::1 -> 2804:150:11:9e02::8: icmp6: neighbor sol: who has 2804:150:11:9e02::8 [class 0xc0]
That's telling you an IPv6 ND lookup is taking place for ::8.
PCNSE
NSE
StrongSwan