IPv6 in broken state

IPv6 has been unusable lately. It's not just about the unsupported PD-IA over PPPoE, which has not been fixed since I reported it 1 1/2 years ago (several times and in beta), but with the last few updates IPv6 seems to only work at midnight during a full moon if you spell the right chants. Sometimes it works, sometimes I need to restart the UTM a few times, turn off/on IPv6.

Is anyone else having these problems?

If Sophos is reading this: when are you going to fix the remaining buggy implementation?



  • We recently identified the root cause for a similar issue related to IPv6. The issue was with low-speed (<=1 Gig) eth interfaces and the solution for it was to disable GRO (generic-receive-offload) for the eth interfaces on the UTM.

    You may try the following configuration for the eth interfaces on your device and see if it helps solve the issue you are facing:

    1. Disable GRO using "ethtool --offload eth<x> gro off"

    2. If step '1' doesn’t solve the issue, also try disabling other offloading features like GSO, TSO, LRO, etc.

    If this solution doesn't work, please provide more information about the NICs (like device-id, vendor-id, etc), interface speed and the kernel/ network driver version on your device.

    Thanks,

    Prakash

  • I just spent 3 hours reinstalling my complete Sophos UTM; now IPv6 works. Will make a backup of this and see how long it "holds".

    ---

    Sophos UTM 9.3 Certified Engineer

  • IPv6 is dead again, I can't get it to work on the same UTM no matter what magic I try.

    Fresh UTM install = works for a while.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    Did disabling GRO using "ethtool --offload eth<x> gro off" not help?

    Can you please provide more information about the network interfaces & UTM, i.e. NIC device-id/vendor-id, interface speed, kernel version, network driver type/version and firmware version on the UTM?

  • Hi, it did not help (I did that on the WAN interface).

    In the end I set the IPv6 address and gateway on the WAN interface manually to what I got initially according to the logfile. I also then used the same prefix for my internal clients. It did not work, so I finally went to sleep.

    This morning IPv6 was suddenly working again on internal clients...

    Are you a Sophos employee, PrakashSwamy?

    Newest firmware version, ESXi 6.0U2, vmxnet3 NICs.

    ---

    Sophos UTM 9.3 Certified Engineer

  • And IPv6 is again non-functional. Will disable it until a Sophos engineer spends some proper time on it and irons out the basic issues.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    Yes, I am a Sophos employee. We are looking into this issue on priority. Thank you for your patience.

    The solution I suggested earlier was tested for systems which had Intel e1000e NICs. The issue you are facing seems to be different as the NIC in your case is VMXNET3.

    Apparently, there are some known IPv6 and LRO related issues with vmxnet3 which have been discussed in some threads on VMware.

    vmxnet3 IPv6 issues:

    1. https://www.reddit.com/r/vmware/comments/2kvn2j/ipv6_issue_with_vmxnet3_and_dell_poweredge_m620/
    2. http://www.gossamer-threads.com/lists/nsp/ipv6/27038
    3. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1031521

    vmxnet3 LRO issues:

    1. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1027511
    2. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2055140

     

    Potential workarounds:

    - If possible, try changing the NICs for the VMs to e1000 (or vmxnet2) instead of vmxnet3.

    - I would also recommend disabling LRO, GRO, GSO, TSO on all of the NICs (both virtual and physical) on the UTM.

    -Prakash
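
The workaround from the reply above as a script (an added example, not posted by anyone in the thread and not Sophos tooling): it turns off GRO, GSO, TSO and LRO on every eth* interface and reports which ones are still on. The function names, the `--apply` switch and the sample ethtool output are constructed for illustration.

```shell
#!/bin/sh
# Read `ethtool --show-offload` output on stdin and print the short names
# (tso gso gro lro) of the offloads that are still reported as "on".
enabled_offloads() {
    awk -F': ' '
        BEGIN {
            name["generic-receive-offload"]      = "gro"
            name["generic-segmentation-offload"] = "gso"
            name["tcp-segmentation-offload"]     = "tso"
            name["large-receive-offload"]        = "lro"
        }
        # Indented sub-features do not match; "on [fixed]" still counts as on.
        ($1 in name) && $2 ~ /^on/ { out = out (out == "" ? "" : " ") name[$1] }
        END { print out }
    '
}

# Disable the four offloads on one interface, then report what is left.
disable_offloads() {
    for feature in gro gso tso lro; do
        # One feature per call so an unsupported one does not block the rest.
        ethtool --offload "$1" "$feature" off 2>/dev/null || true
    done
    left=$(ethtool --show-offload "$1" | enabled_offloads)
    echo "$1: still enabled: ${left:-none}"
}

# Constructed sample of `ethtool --show-offload eth0` output (not from the thread).
sample_offload_output() {
    cat <<'EOF'
Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
    tx-tcp6-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Needs root and ethtool; walks every eth* interface on the box.
    for path in /sys/class/net/eth*; do
        [ -e "$path" ] && disable_offloads "${path##*/}"
    done
else
    echo "sample: enabled: $(sample_offload_output | enabled_offloads)"
fi
```

Settings made with ethtool do not persist across a reboot, so the audit is worth re-running after one.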

  • PrakashSwamy: I will make a test machine with e1000 and turn off features via ethtool. The thing that confuses me is that IPv6 works after you do a fresh install. Last night I "killed" IPv6 functionality after rebooting my 1st router, which is handing out the prefix. After that it was impossible to bring up IPv6 again until I manually set the IPv6 and gateway address on the WAN interface according to what it got in the IPv6 log.

    Also, the other observation is that DHCPv6 server and prefix advertisement is not really working; again, I will try this with e1000 drivers. The issues seemed to be related to 3.x/4.x ESXi releases; I am on the latest 6.0u2.

    Can also try and pass through a 4-port Broadcom NIC if that helps.

    Also, one other thing: working IPv6 prefix delegation over PPPoE, pretty please? Would be nice to finally get rid of that other router in front of the Sophos.

    Would be more than willing to provide a test setup with remote access if any of this needs to be field tested.

    thank you!

    ---

    Sophos UTM 9.3 Certified Engineer

  • Following scenario now:

    Passed through a "Broadcom Corporation NetXtreme BCM5719 Gigabit Ethernet PCIe" 4-port NIC to the Sophos UTM directly via VT-d.

    Initially IPv6 is working as expected: internal clients on Internal got IPv6 addresses via SLAAC, IPv6 address showing up on interface.

    Pulling the WAN cable out for about 30 seconds... no problem, IPv6 still works.

    Rebooting the 1st router... IPv6 breaks. No more IPv6 address on WAN, same behaviour as on vmxnet3 via ESXi. Trying various stuff doesn't work to re-enable it.

    Reinstall of UTM works...

    ---

    Sophos UTM 9.3 Certified Engineer

  • Been playing around a bit... still can't get it to work again fully automatic.

    I set IPv6 static now on WAN with the values I got when it first worked (thanks to logfiles) and switched prefix advertisement to stateless instead of DHCPv6.

    EDIT: testing with a MikroTik router in front brings the same result; the Sophos UTM is unable to get an IPv6 address/prefix over its uplink ports.

    ---

    Sophos UTM 9.3 Certified Engineer

  • More "interesting" observations:

    - Reinstalling the UTM, pulling a valid IPv6 config on WAN, then restoring the config file from the non-working system --> working IPv6. Works until it breaks again.

    - Disabling and re-enabling prefix delegation on any interface fixes issues where a client doesn't get an IPv6.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I also have the issue that IPv6 doesn't work. But with me it never works. I know that it has worked in the past, but since a few months nothing. I just did a fresh re-install and IPv6 did not work.

    DHCPv6 works and I can ping/traceroute to an IPv6 address, but that's it, nothing else works.

    When I check the firewall log all IPv6 traffic is dropped by the rule "Default DROP" while I have a rule that allows all traffic (4 and 6) from internal to external.