Hi,
I got IPv6 mostly working on my network, to the point where I can reach the IPv6 Internet from workstations connected without any problems. However I'm unable to reach the FortiGate _itself_ on any service (ping, ssh, HTTPS) from those stations. I suspect this has something to do with the following oddity.
Setup:
FortiGate (FG) unit at 2001:db8::1/64, LL is fe80::926c:acff:fe02:b848
My workstation (WS) gets 2001:db8::62a4:4cff:fe61:3170/64 obtained via SLAAC, LL is fe80::62a4:4cff:fe61:3170
(I'm not actually using 2001:db8, but an actual routable block, obviously.)
Now if I try to ping WS->FG using LL, no problem:
matt@vishna:~$ ping6 -I enp10s0 fe80::926c:acff:fe02:b848
PING fe80::926c:acff:fe02:b848(fe80::926c:acff:fe02:b848) from fe80::62a4:4cff:fe61:3170 enp10s0: 56 data bytes
64 bytes from fe80::926c:acff:fe02:b848: icmp_seq=1 ttl=64 time=0.363 ms
64 bytes from fe80::926c:acff:fe02:b848: icmp_seq=2 ttl=64 time=0.305 ms
^C
--- fe80::926c:acff:fe02:b848 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.305/0.334/0.363/0.029 ms
However if I try to ping WS->FW with the actual IPs, it fails, and the "tcpdump icmp6" shows this:
18:25:43.611437 IP6 2001:db8::62a4:4cff:fe61:3170 > 2001:db8::1: ICMP6, echo request, seq 1, length 64
18:25:43.611734 IP6 fe80::926c:acff:fe02:b848 > 2001:db8::62a4:4cff:fe61:3170: ICMP6, redirect, 2001:db8::1 to 2001:db8::1, length 152
18:25:44.619229 IP6 2001:db8::62a4:4cff:fe61:3170 > 2001db8::1: ICMP6, echo request, seq 2, length 64
18:25:44.619602 IP6 fe80::926c:acff:fe02:b848 > 2001:db8::62a4:4cff:fe61:3170: ICMP6, redirect, 2001:db8::1 to 2001:db8::1, length 152
Strangely, but consistently, if I try FG->WS with "exec ping6 2001:db8::62a4:4cff:fe61:3170", the tcpdump on the WS shows this:
18:29:43.735328 IP6 2001:db8::1 > 2001:db8::62a4:4cff:fe61:3170: ICMP6, echo request, seq 1, length 64
18:29:43.735378 IP6 2001:db8::62a4:4cff:fe61:3170 > 2001:db8::1: ICMP6, echo reply, seq 1, length 64
18:29:43.735768 IP6 fe80::926c:acff:fe02:b848 > 2001:db8::62a4:4cff:fe61:3170: ICMP6, redirect, 2001:db8::1 to 2001:db8::1, length 152
18:29:43.745656 IP6 fe80::926c:acff:fe02:b848 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8::1, length 32
18:29:44.745666 IP6 fe80::926c:acff:fe02:b848 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8::1, length 32
Those ICMP redirects look pretty bogus/loopy to me. I'm fairly knowledgeable about v6 in general, but maybe there's one of its idiosyncrasies I'm missing here?
This is the relevant config block for that interface:
config ipv6
set ip6-allowaccess ping https ssh snmp fgfm capwap
set ip6-address 2001:db8::1/64
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit 2001:db8::/64
set autonomous-flag enable
set onlink-flag enable
next
end
end
Any advice would be much appreciated!
Thanks,
- Matt
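As an added example (not from the post, and not Fortinet code), here is a small Python parser that pulls ICMPv6 redirects out of "tcpdump icmp6" output like the captures above and classifies them: a redirect whose target equals its destination is the RFC 4861 on-link form ("that destination is a neighbour, send to it directly"), and a host should only honour redirects that come from a link-local source it recognises as its router. The sample lines are constructed from the post, plus one hypothetical redirect from an unknown source; the known-router address is the FortiGate link-local address from the setup.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample built from the tcpdump lines quoted in the post; the last
# line is an added, hypothetical redirect from a source that is not our router.
SAMPLE = """\
18:25:43.611437 IP6 2001:db8::62a4:4cff:fe61:3170 > 2001:db8::1: ICMP6, echo request, seq 1, length 64
18:25:43.611734 IP6 fe80::926c:acff:fe02:b848 > 2001:db8::62a4:4cff:fe61:3170: ICMP6, redirect, 2001:db8::1 to 2001:db8::1, length 152
18:29:43.745656 IP6 fe80::926c:acff:fe02:b848 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8::1, length 32
18:30:00.000000 IP6 fe80::1 > 2001:db8::62a4:4cff:fe61:3170: ICMP6, redirect, 2001:db8::50 to fe80::1, length 152
"""

# tcpdump prints a redirect as "redirect, <destination> to <target>".
REDIRECT_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, redirect, "
    r"(?P<dest>\S+) to (?P<target>\S+), length (?P<length>\d+)$"
)

@dataclass
class Redirect:
    ts: str
    src: str
    dst: str
    dest: str
    target: str
    kind: str             # "on-link" or "better-first-hop"
    src_link_local: bool  # RFC 4861 requires a link-local source address
    from_known_router: bool

def parse_redirects(text: str, known_routers: set[str]) -> list[Redirect]:
    """Pick the ICMPv6 redirects out of `tcpdump icmp6` output and classify them."""
    routers = {ipaddress.IPv6Address(r) for r in known_routers}
    found = []
    for line in text.splitlines():
        m = REDIRECT_RE.match(line)
        if not m:
            continue  # echo, NS/NA, RA and other ICMPv6 types are not redirects
        src = ipaddress.IPv6Address(m["src"])
        dest, target = ipaddress.IPv6Address(m["dest"]), ipaddress.IPv6Address(m["target"])
        # Target == destination means "the destination is a neighbour, send directly";
        # anything else names a different first-hop router (RFC 4861 section 4.5).
        kind = "on-link" if dest == target else "better-first-hop"
        found.append(Redirect(m["ts"], str(src), m["dst"], str(dest), str(target), kind,
                              src.is_link_local, src in routers))
    return found

def suspicious(redirects: list[Redirect]) -> list[Redirect]:
    """Redirects a host should not honour: non-link-local source or a router we don't know."""
    return [r for r in redirects if not (r.src_link_local and r.from_known_router)]

if __name__ == "__main__":
    for r in parse_redirects(SAMPLE, {"fe80::926c:acff:fe02:b848"}):
        print(r)
```

On the post's capture this classifies the FortiGate's redirect as the on-link form from the expected router, so the interesting question is why the unit sends it at all rather than whether the host should trust it.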