
IPv6 in broken state

IPv6 has been unusable lately. It's not just about the unsupported PD-IA over PPPoE, which has not been fixed since I reported it 1 1/2 years ago (several times and in beta), but with the last few updates IPv6 seems to only work at midnight during a full moon if you spell the right chants. Sometimes it works, sometimes I need to restart the UTM a few times, turn off/on IPv6.

Is anyone else having these problems?

If Sophos is reading this: when are you going to fix the remaining buggy implementation?



  • Hi Ben,

    Yes, I am a Sophos employee. We are looking into this issue on priority. Thank you for your patience.

    The solution I suggested earlier was tested for systems which had Intel e1000e NICs. The issue you are facing seems to be different as the NIC in your case is VMXNET3.

    Apparently, there are some known IPv6 and LRO related issues with vmxnet3 which have been discussed in some threads on VMware.

    vmxnet3 IPv6 issues:

    1. https://www.reddit.com/r/vmware/comments/2kvn2j/ipv6_issue_with_vmxnet3_and_dell_poweredge_m620/
    2. http://www.gossamer-threads.com/lists/nsp/ipv6/27038
    3. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1031521

    vmxnet3 LRO issues:

    1. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1027511
    2. https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2055140

     

    Potential workarounds:

    - If possible, try changing the NICs for the VMs to e1000 (or vmxnet2) instead of vmxnet3.

    - I would also recommend disabling LRO, GRO, GSO, TSO on all of the NICs (both virtual and physical) on the UTM.

    -Prakash
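
The offload workaround suggested in the post above, as an added example that is not part of the original thread or Sophos tooling: it reads `ethtool -k` output and builds the matching `ethtool -K` command for LRO, GRO, GSO and TSO. The interface name `eth0` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: turn `ethtool -k <iface>` output into the `ethtool -K` command
# that disables the offloads named in the post (LRO, GRO, GSO, TSO).

# Constructed sample of `ethtool -k eth0` output (not captured from a real UTM).
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
'

# offload_fix_cmd IFACE: reads `ethtool -k` output on stdin and prints one
# `ethtool -K` command covering every targeted offload that is still on.
# Features marked [fixed] cannot be changed on that driver and are skipped.
offload_fix_cmd() {
    awk -v iface="$1" '
        BEGIN {
            flag["tcp-segmentation-offload"]     = "tso"
            flag["generic-segmentation-offload"] = "gso"
            flag["generic-receive-offload"]      = "gro"
            flag["large-receive-offload"]        = "lro"
        }
        {
            name = $1
            sub(/:$/, "", name)
            if ((name in flag) && $2 == "on" && $0 !~ /\[fixed\]/)
                args = args " " flag[name] " off"
        }
        END { if (args != "") print "ethtool -K " iface args }
    '
}

# Demo on the constructed sample; on a live system the input would be:
#   ethtool -k eth0 | offload_fix_cmd eth0
printf '%s' "$SAMPLE_ETHTOOL_K" | offload_fix_cmd eth0
```

Settings applied with `ethtool -K` do not survive a reboot or driver reload, so re-check with `ethtool -k` after each restart while testing.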

  • PrakashSwamy: I will make a test machine with e1000 and turn off features via ethtool. The thing that confuses me is that IPv6 works after you do a fresh install. Last night I "killed" IPv6 functionality after rebooting my 1st router, which is handing out the prefix. After that it was impossible to bring up IPv6 again until I manually set the IPv6 and gateway address on the WAN interface according to what it got in the IPv6 log.

    Also, the other observation is that the DHCPv6 server and prefix advertisement are not really working; again, I will try this with e1000 drivers. The issues seemed to be related to 3.x/4.x ESXi releases; I am on the latest 6.0u2.

    I can also try and pass through a 4-port Broadcom NIC if that helps.

    Also, one other thing: working IPv6 Prefix Delegation over PPPoE, pretty please? It would be nice to finally get rid of that other router in front of the Sophos.

    I would be more than willing to provide a test setup with remote access if any of this needs to be field tested.

    Thank you!

    ---

    Sophos UTM 9.3 Certified Engineer

  • Following scenario now:

    Passed through a "Broadcom Corporation NetXtreme BCM5719 Gigabit Ethernet PCIe" 4-port NIC to the Sophos UTM directly via VT-d.

    Initially IPv6 is working as expected: internal clients on Internal got IPv6 addresses via SLAAC, and an IPv6 address is showing up on the interface.

    Pulling the WAN cable out for about 30 seconds: no problem, IPv6 still works.

    Rebooting the 1st router: IPv6 breaks. No more IPv6 address on WAN, same behaviour as on vmxnet3 via ESXi. Trying various stuff doesn't work to re-enable it.

    Reinstall of the UTM works....


  • Been playing around a bit; still can't get it to work again fully automatically.

    I set IPv6 static now on WAN with the values I got when it first worked (thanks to logfiles) and switched prefix advertisement to stateless instead of DHCPv6.

    EDIT: Testing with a MikroTik router in front brings the same result; the Sophos UTM is unable to get an IPv6 address/prefix over its uplink ports.


  • More "interesting" observations:

    - Reinstalling the UTM, pulling a valid IPv6 config on WAN, then restoring the config file from the non-working system --> working IPv6. Works until it breaks again.

    - Disabling and re-enabling prefix delegation on any interface fixes issues where a client doesn't get an IPv6 address.


  • I also have the issue that IPv6 doesn't work. But with me it never works. I know that it has worked in the past, but for a few months now, nothing. I just did a fresh re-install and IPv6 did not work.

    DHCPv6 works and I can ping/traceroute to an IPv6 address, but that's it, nothing else works.

    When I check the firewall log all IPv6 traffic is dropped by the rule "Default DROP" while I have a rule that allows all traffic (4 and 6) from internal to external.

  • I'd be willing to let Sophos support root around in my UTM to examine the problem.

  • I upgraded the hard disk in my router and thus did a clean install. The problem persists.

  • I've had similar problems for 6-8 weeks, maybe caused by an update.

    I'm using a Sophos XG 105, and after a few months of stable functionality with my ISP (Deutsche Glasfaser), connected on WAN to a Genexis Live! modem (bridged mode), the UTM lost the IPv6 via DHCP. Only the prefix address is displayed in IPv6-Status.

    Are there any workarounds to fix this problem? The workarounds in the thread above I already tried out, without success.

    Thanks,
    Thorsten

  • I wasn't able to get an IPv6 address from my provider, either. However, I have gotten one consistently now after fixing the MTU issue I was having. For some reason, the DHCP server was giving me an MTU of only 576 and DHCPv6 wouldn't pull an address. As soon as I fixed the MTU (edited the /var/chroot-dhcpc/etc/default.conf), I was able to obtain an IPv6 address again.

    Not sure if you are facing the same issue, but if you are, that may be the fix for you as well.
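
IPv6 requires every link to support an MTU of at least 1280 bytes (RFC 8200), so an interface left at the 576-byte MTU described in the post above cannot carry IPv6 at all, which is consistent with what was reported there. The check below is an added example, not part of the original thread or Sophos tooling; it flags such interfaces from `ip -o link show` output, and the interface names and sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag interfaces whose MTU is below the IPv6 minimum.
IPV6_MIN_MTU=1280   # minimum link MTU required by IPv6 (RFC 8200)

# Constructed sample of `ip -o link show` output (not from a real UTM).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc mq state UP
4: eth1.7@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc noqueue state UP
'

# ipv6_mtu_violations: reads `ip -o link show` output on stdin and prints
# "<iface> <mtu>" for every interface whose MTU is too small for IPv6.
ipv6_mtu_violations() {
    awk -v min="$IPV6_MIN_MTU" '
        {
            iface = $2
            sub(/:$/, "", iface)     # "eth1:" -> "eth1"
            sub(/@.*$/, "", iface)   # "eth1.7@eth1" -> "eth1.7"
            for (i = 3; i < NF; i++)
                if ($i == "mtu" && $(i + 1) + 0 < min) {
                    print iface, $(i + 1)
                    break
                }
        }
    '
}

# Demo on the constructed sample; on a live system the input would be:
#   ip -o link show | ipv6_mtu_violations
printf '%s' "$SAMPLE_IP_LINK" | ipv6_mtu_violations
```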