Our new ISP does stuff with IPv6 PD that evidently works with their provided routers, but causes issues with Sophos v21 and at least Mac laptops, and I think a Sophos solution is needed.
The subnet's RA (which is sub-delegated from the Sophos to the subnet) has Preferred and Valid lifetimes of 120 minutes, which is evidently set by the ISP in its PD and I cannot change it. BUT at roughly the 60-minute mark, the Mac laptops usually lose their IPv6 connectivity. The Sophos System Log indicates that "Lease expired for delegated IPv6 prefix...", and then about 15 seconds later, "IPv6 prefix ____/56 delegated by ISP...". (The underscores are a legit IPv6, I've left them out.)
EDIT 1: I have checked with Wireshark, and the Sophos RA switches from the one prefix to the other prefix and the Valid Lifetime is 7200 (seconds) throughout. There is no RA with the old prefix and a Valid Lifetime of 0 which would tell the clients to deprecate the old prefix. This is a bug, and would eliminate any Mac-related issues. (Note that we don't have non-Macs, so to be clear, it's not as if Macs have a problem and PCs don't. I mention Macs just to be thorough..)
EDIT 2: The prefix usually expires at the one-hour mark, though sometimes it goes to two, which leads me to believe that Sophos is able to renew sometimes. Whether the non-renewals are a Sophos thing or an ISP thing I don't know.
EDIT 3: I've submitted this as a ticket. I believe Sophos should be able to reproduce this in their lab.
EDIT 4: I've submitted PCAPs from clients, tcpdumps from the Sophos, and Sophos logs that will hopefully nail this down. I can't tell if the ISP is doing something weird or the Sophos is misunderstanding that causes delegated prefixes to expire before their lifetime, but ultimately, the delegated subnet is not being informed that the prefix is (prematurely) expired even though Sophos knows. So basically, IPv6 clients think IPv6 is down for an hour, then if the second delegated prefix is renewed (and the first one hits its official lifetime), IPv6 comes back.
EDIT 4 update.
[edited by: Wayne Folta at 12:42 AM (GMT -7) on 24 Mar 2025]
Quote