Greetings Everyone,
I have an external interface with IPv6 enabled (::31:2) and a default IPv6 route leading to ::31:1.
Also, Topology calculation is enabled but when I try to ping the interface ::31:2 the firewall drops it as if it is address spoofing.
I haven't found any documentation about this, also I've tried the one liner which doesn't show me much IPv6 information.
Any ideas what can be the issue here?
VSX cluster, CoreXL, R81.10 T156
If config is correct and cannot be solved that way you have to open TAC case.
I have also new issues regarding IPv6 and AS. Custom patch was needed on fwmgmt.
What is the source address from which you are initiating the ping and what is the routing to reach that address?
Source address is from IPv6 GUA range 2001::...
Routing to reach the address is the default route ::/0 through the external interface (PtP between FW and L3 leaf)
Can you run something like below? Just replace with right ipv6.
Andy
fw ctl zdebug + drop | grep 2001:db8:3333:4444:5555:6666:7777:8888
Hello Andy,
thank you for your time. Here are the results (full ips omitted):
fw6 ctl zdebug + drop
Output:
@;124675495;[kern];[tid_37];[SIM-242006539];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>, ifn 35
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending single drop notification, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];do_packet_finish: SIMPKT_IN_DROP vsid=2, conn:<<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
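The drop lines above carry everything needed to triage an anti-spoofing case: the 5-tuple in conn: <<src,sport,dst,dport,proto>>, the reason: field, the ifn (interface index) and the vsid. When a debug capture contains many lines per flow, grouping them by tuple is faster than reading them one by one. The following script is an added example, not part of the thread and not a Check Point tool; it assumes the line layout shown in this post (the field regexes are an assumption based on that output) and runs over constructed sample lines that use documentation addresses.

```python
"""Summarise 'fw ctl zdebug + drop' output by drop reason and connection 5-tuple.

Added example, not a Check Point utility. Field formats are assumed from the
kernel debug lines posted in the thread: conn: <<src,sport,dst,dport,proto>>,
an optional 'reason: X' field, 'ifn N' and 'vsid=N'.
"""
import re

# Assumed field patterns; the tuple may be wrapped in one or two angle brackets.
CONN_RE = re.compile(r"conn:\s*<+([^<>]+)>+")
REASON_RE = re.compile(r"reason:\s*([^,;]+)")
DROPPED_RE = re.compile(r"dropped \(([^)]+)\)")
VSID_RE = re.compile(r"vsid=(\d+)")
IFN_RE = re.compile(r"\bifn\s+(\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}

# Constructed sample lines modelled on the thread's output (2001:db8::/32 is documentation space).
SAMPLE_LINES = [
    "@;1;[kern];[tid_37];[SIM-1];pkt_handle_no_match: packet dropped (spoofed address), "
    "conn: <<2001:db8::dce7,1,2001:db8:ffff::31:2,128,58>>, ifn 35",
    "@;1;[kern];[tid_37];[SIM-1];sim_pkt_send_drop_notification: (2,0) received drop, "
    "reason: Anti-Spoofing, conn: <<2001:db8::dce7,1,2001:db8:ffff::31:2,128,58>>;",
    "@;1;[kern];[tid_37];[SIM-1];do_packet_finish: SIMPKT_IN_DROP vsid=2, "
    "conn:<<2001:db8::dce7,1,2001:db8:ffff::31:2,128,58>>;",
    "@;2;[kern];[tid_3];[SIM-2];sim_pkt_send_drop_notification: (2,0) received drop, "
    "reason: Rulebase, conn: <<2001:db8::9,40000,2001:db8:ffff::31:2,22,6>>;",
]


def parse_line(line):
    """Extract the 5-tuple plus any reason/vsid/ifn present on this line; None if no tuple."""
    m = CONN_RE.search(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) != 5:
        return None  # not the src,sport,dst,dport,proto layout we expect
    src, sport, dst, dport, proto = parts
    reason = REASON_RE.search(line) or DROPPED_RE.search(line)
    vsid = VSID_RE.search(line)
    ifn = IFN_RE.search(line)
    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": int(proto),
        "reason": reason.group(1).strip() if reason else None,
        "vsid": int(vsid.group(1)) if vsid else None,
        "ifn": int(ifn.group(1)) if ifn else None,
    }


def summarize(lines):
    """Group lines by 5-tuple; reason, vsid and ifn arrive on different lines, so merge them."""
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])
        entry = flows.setdefault(key, {"lines": 0, "reason": None, "vsid": None, "ifn": None})
        entry["lines"] += 1
        for field in ("reason", "vsid", "ifn"):
            if rec[field] is not None:
                entry[field] = rec[field]  # an explicit 'reason:' overrides the parenthesised hint
    return flows


def anti_spoofing_flows(lines):
    """Return (src, dst, proto name, ifn, vsid) for every flow dropped by Anti-Spoofing."""
    out = []
    for (src, _sp, dst, _dp, proto), info in summarize(lines).items():
        if info["reason"] == "Anti-Spoofing":
            out.append((src, dst, PROTO_NAMES.get(proto, str(proto)), info["ifn"], info["vsid"]))
    return out


if __name__ == "__main__":
    for src, dst, proto, ifn, vsid in anti_spoofing_flows(SAMPLE_LINES):
        print(f"Anti-Spoofing drop: {src} -> {dst} ({proto}) on ifn {ifn}, vsid {vsid}")
```

For a real capture, feed the output of fw6 ctl zdebug + drop into the script on stdin or from a file; the ifn value it reports is the interface index whose topology definition should be checked against the source prefix of the dropped packet.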
K, so it's 100% clear from the drops it's anti-spoofing related, as you described in the post. Can you send a screenshot of how those settings are configured from topology please? Just blur out any sensitive data.
Best,
Andy
Certainly, thank you for your time for reviewing this.
Best regards,
Krešimir
No worries. Can you send how below is configured for that interface?
Andy
Definitely can!
Thank you! Hey, just wondering, does it let you set it as external zone or not? Because I find it really odd it would be giving those messages, considering there are only so many things you can change with topology on external interface.
Andy
No, thank you for taking your time reviewing my problem. Actually it's automatically set as external when I set the default routes out of the interface.
Works fine with IPv4 that's why I found it unusual in the first place.
Best regards,
Kresimir
Of course, we are always happy to help mate. By the way, apologies, I see now it's VSX, so it makes sense it set it automatic like that. Question...does this ONLY happen when you give the interface an IPv6 address, but otherwise no drops for anti-spoofing?
As a matter of fact, I will assign bogus ipv6 address in my lab to external interface and see what happens when I push the policy.
Will keep you posted.
Andy
Just tested in the lab, no issues, but then again, I don't have VSX to test, so can't tell really what the main difference is, but in my lab box, I have my external interface set as external zone, like below.
Andy
No issues whatsoever with IPv4. Only with IPv6 addresses.
Tried with external security zone but per documentation that should only influence any decisions if security policies are applied to the zone which I don't have at the moment.
Yes, that's 100% true, for the external zone. I got nothing else, sorry mate, I would see if TAC may be able to give some suggestions. Though, I'm sure there must be some IPv6 gurus here as well : - )
Andy
Do this 🙂
Seems like I'll have to resort to this method! Thanks, just wanted to make sure I was not missing something.
Same here, a hotfix solved the AS problems with IPv6...