Cisco access list logging. Why is there a difference between IPv4 and IPv6?

Question

I've got a Cisco 877 router. I've got an IPv4 access list and an IPv6 access list set up and configured similar to this:

interface Dialer1
    ...
    ip access-group INTERET-IN
    ipv6 traffic-filter IPV6-IN

The Access lists are similar to this:

ip access-list extended INTERNET-IN
 remark establishd connections
 permit tcp any any established
...
 deny ip any any log

And:

ipv6 access-list IPV6-IN
 permit esp any any
 sequence 30 permit tcp any any established
 sequence 50 remark NTP
...
 sequence 240 deny ipv6 any any log-input

Each of these access lists has a final rule of deny ip/ipv6 any any log. However, in my syslog I notice that there's a difference in formatting between the two types of entries. IPv4 will say:

 %SEC-6-IPACCESSLOGP: list INTERNET-IN denied udp 88.89.209.63(137) -> 1.2.3.4(137), 1 packet

Whereas the IPv6 list will say

%IPV6_ACL-6-ACCESSLOGNP: list IPV6-IN/240 denied 59 2001:0:5EF5:79FD:14F9:B773:3EBA:3EE3 (Dialer1) -> 2001:800:1000:0::1, 8 packets

Both have broadly the same information, but the IPv6 log entry is missing the protocol type and port, both of which are very useful if I'm trying to troubleshoot connectivity.

Why is this? How do I get IPv6 deny logs to display the protocol and port used, if any?

score 1 · Answer 1 · answered Jun 19 '12 at 21:07

1

It shouldn't be different. As an example from one of my routers (redacted, obviously):

Jun 19 16:39:56.440: %IPV6_ACL-6-ACCESSLOGP: list tu0-internet-in/190 denied udp 2001:x:x:x::2(123) (Tunnel0) -> 2001:x:x:x:x:x:x:x(123), 2 packets

Jun 19 16:41:04.636: %SEC-6-IPACCESSLOGP: list internet-in denied tcp x.y.z.q(443) (GigabitEthernet0/3 beef.1aa1.beef) -> a.b.c.d(xxxxx), 1 packet

Do you have a terminating line on your ipv6 ACL with an explicit deny w/log-input, like:

ipv6 access-list tu0-internet-in ... sequence xxx deny ipv6 any any log-input

Adding a sample of the ACL's in question for purposes of comparison would help, but I suspect it may just be the explicit deny that should fix things.

answered Jun 19 '12 at 21:07

rnxrx

8,143
3
22
31

Added access list details to original question. – growse Jun 19 '12 at 21:23
Are there any other denies in that ACL? – rnxrx Jun 19 '12 at 22:21
No, the deny statement is the only one, and is last. – growse Jun 20 '12 at 14:32

score 0 · Answer 2 · answered Jun 20 '12 at 14:24

The log line that you show displays protocol 59 which is just a way for the IPV6 header to indicate that there is no more data that follows the IPV6 header in the packet. Usually you would see protocol number 6 in this field and then a TCP packet header would follow or protocol 17 for UDP.

Cisco access list logging. Why is there a difference between IPv4 and IPv6?

2 Answers2