IPv6 with Cisco ASA, Windows 2008, Linux

It's my first blog post in nearly a year. One of my new years resolutions is to post at least three times/week. We'll see how it goes.

Recently I was implementing IPv6 using the devices mentioned above. The Cisco ASA firewall code was 8.2(1), which supposedly supports IPv6... but apparently not if you have a failover pair. If you set a static IPv6 address, IPv6 on the interfaces will shut itself down because of a DAD (duplicate address detection) failure, as both the active and the standby firewall will take whatever address you put in. With IPv4, you can enter a "standby" address on each interface so that won't happen. The way around it on a failover pair is to use the EUI-64 address (the prefix plus the interface's 48-bit MAC address, with padding inserted between the vendor part and the device part). That way both firewalls end up with unique addresses and there is no conflict. The problems with this are:
  • The addresses become full-sized monsters
  • The address will change in the event of the standby firewall going active
  • Both firewalls send out RA (router advertisement) messages
With Linux, if I hard-code a default route, it will give that route precedence. If I hard-code a default route in Windows 2008, it seems to simply add it alongside the ones it obtained via the RA messages it received. As a result, IPv6 will be quite flaky on Windows with two routers when one of them is not forwarding traffic (in the ASA world, the standby firewall will not route anything).

I can think of two solutions:
  • Upgrade the ASA to 8.3 code, which adds IPv6 failover commands and should work fine. The problem with this is that you will have to upgrade the RAM first, which is a pain.
  • Suppress the RA messages from the ASA. This can be done with the `ipv6 nd suppress-ra` interface configuration command.
Obviously the first solution is better, but the second one works if upgrading is not possible.
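For reference, here is what the second workaround looks like on an ASA 8.2 inside interface. This is an added example, not configuration from the original post or from Cisco: the IPv4 addresses and the 2001:db8:1::/64 prefix are constructed placeholders (documentation ranges), and the interface name is assumed. The `!` lines are annotations, not commands.

```cisco
! Added example (not from the original post). Assumed interface and placeholder addresses.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! IPv4 gets a per-unit standby address, so there is no address clash on failover.
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 ipv6 enable
 ! No "standby" form exists for IPv6 on 8.2, so a static address would fail DAD on the pair.
 ! EUI-64 lets each unit derive its own interface ID from its MAC address instead.
 ipv6 address 2001:db8:1::/64 eui-64
 ! Stop this unit from advertising itself as a router. Both units would otherwise send RAs,
 ! and the standby unit does not forward traffic.
 ipv6 nd suppress-ra
!
```

Once RAs are suppressed, hosts on that segment learn no default router on their own, so each host needs a hard-coded IPv6 default route pointing at the active unit's EUI-64 address. Check the route after a failover test: because the address is derived from the unit's MAC, it changes when the standby takes over, which is the second drawback listed above.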

Cheers!
Matt
