https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258679#M73356 <P>A couple things you may be able to test to see what's going on:</P><P>&nbsp;</P><P>1. Dump the fib table. It won't help for your PBF rule, but since your VR has a static route it should show that correctly:</P><PRE>&gt; show routing route</PRE><P>2. Test the routing to see what the firewall thinks the correct route should be:</P><PRE>&gt; test routing fib-lookup virtual-router your_vr_name ip 2a00:1450:4001...</PRE><P>The virtual router will always take a more specific route, so make sure your eth1/1 route doesn't have a more specific IPv6 route that is overriding your static route. It may also be helpful to see what your static route and PBF policy does (if you can sanitize it for public consumption here in the forums).</P> Wed, 24 Apr 2019 20:27:35 GMT gwesson 2019-04-24T20:27:35Z https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258643#M73344 <DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>I have IPv6 over my backup ISP (dual PA 3020s). </SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>I am trying to route all IPv6 traffic over that interface but not having much luck passing any IPv6 through the PA. If I ping6 internal and external hosts from the PA itself it works. If I try to ping/traceroute from behind the PAN at the core or from outside the PAN it doesn't work. I have policies in both directions and I see when I send traffic from behind the PAN (from the core) the PAN is routing it out the primary interface eth1/2 which won't work.&nbsp; I need it to go out eth1/3.</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>&nbsp;</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>This is what I have tried:</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><UL><LI>Static route for IPv6 default route pointing to backup interface + next hop of IPv6 WAN</LI><LI>PBF for IPv6 source traffic forwarded to backup interface + next hop IPv6 WAN</LI></UL></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Neither worked and I am still seeing IPv6 packets being routed out the primary interface. </SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Anyone have any ideas?<BR /></SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">Trust &gt; Untrust (wrong int):</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN><A href="https://imgur.com/77ht8L7" target="_blank" rel="noopener">https://imgur.com/77ht8L7</A></SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr">&nbsp;</DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Untrust &gt; Trust: (right int):</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN><A href="https://imgur.com/dOiv54J" target="_blank">https://imgur.com/dOiv54J</A></SPAN></DIV></DIV> Wed, 24 Apr 2019 17:21:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258643#M73344 drewdown 2019-04-24T17:21:31Z https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258679#M73356 <P>A couple things you may be able to test to see what's going on:</P><P>&nbsp;</P><P>1. Dump the fib table. It won't help for your PBF rule, but since your VR has a static route it should show that correctly:</P><PRE>&gt; show routing route</PRE><P>2. Test the routing to see what the firewall thinks the correct route should be:</P><PRE>&gt; test routing fib-lookup virtual-router your_vr_name ip 2a00:1450:4001...</PRE><P>The virtual router will always take a more specific route, so make sure your eth1/1 route doesn't have a more specific IPv6 route that is overriding your static route. It may also be helpful to see what your static route and PBF policy does (if you can sanitize it for public consumption here in the forums).</P> Wed, 24 Apr 2019 20:27:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258679#M73356 gwesson 2019-04-24T20:27:35Z https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258696#M73360 <P>I got it working.&nbsp; I simply moved the PBF to the top of my PBF list and did not specify a next hop interface (eth 1/3) on the static route and it started working.&nbsp; Which is weird because that PBF rule was the only one referrencing any IPv6 traffic so I figured it would match it regardless of where it resided in the list.&nbsp; Not sure which one of this allowed it start working but it is now.&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="pbf-ipv6.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19712i183117BED515263B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pbf-ipv6.JPG" alt="pbf-ipv6.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="route-ipv6.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19713i707A4DB49712AEF4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="route-ipv6.JPG" alt="route-ipv6.JPG" /></span></P> Wed, 24 Apr 2019 21:19:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ipv6-over-backup-interface/m-p/258696#M73360 drewdown 2019-04-24T21:19:36Z