
Troubleshoot: IPv6 Connectivity Issues

IPv6 is no longer optional—it's a core part of modern networks and heavily tested on the CCNA 200-301 exam (Objective 1.9). Even with dual-stack deployment, IPv6 connectivity issues can bring down critical services. This chapter equips you with a systematic troubleshooting methodology, covering neighbor discovery, addressing, routing, and common misconfigurations that trip up experienced engineers.

Updated May 31, 2026

The Intercom System Analogy

Imagine a large office building with thousands of employees. Each employee has a unique badge number (IPv6 address). The building has an intercom system (Neighbor Discovery Protocol) that allows employees to find each other. When Employee A wants to talk to Employee B, they press the intercom button and broadcast a request: 'Who is Employee B? Please give me your badge number.' This is the Neighbor Solicitation (NS) message. Employee B hears the broadcast and replies directly over the intercom: 'I am Employee B, and my badge number is 12345.' This is the Neighbor Advertisement (NA) message. Employee A then writes down Employee B's badge number and location in a personal directory (Neighbor Cache). Now, the building also has a mailroom (Router Advertisement) that periodically announces: 'All mail goes through Room 101' (default gateway). If an employee moves desks (changes IPv6 address), they must send an 'I moved!' announcement (Unsolicited NA) to update everyone's directories. Troubleshooting IPv6 connectivity is like figuring out why two employees can't talk: Are they on the same floor (subnet)? Did someone forget to update their directory (stale neighbor cache)? Is the mailroom misconfigured (wrong default gateway)? This analogy maps directly to ND messages, neighbor cache entries, and router advertisements.

How It Actually Works

What Is IPv6 Connectivity Troubleshooting and Why It Matters

IPv6 connectivity troubleshooting is the process of identifying and resolving issues that prevent IPv6-enabled hosts and routers from communicating. On the CCNA 200-301, this falls under Objective 1.9: 'Troubleshoot IPv6 connectivity issues.' The exam expects you to diagnose problems with addressing, neighbor discovery, routing protocols (OSPFv3, EIGRP for IPv6), and first-hop redundancy (HSRP for IPv6). Real-world networks increasingly run dual-stack (IPv4 + IPv6), and a silent IPv6 failure can cause application timeouts, asymmetric routing, or complete loss of connectivity. Cisco's own data shows that IPv6-related tickets account for a growing percentage of TAC cases.

Step-by-Step: The IPv6 Neighbor Discovery Process

IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP. The key messages are:

- Neighbor Solicitation (NS): Sent to solicited-node multicast address to resolve a neighbor's link-layer address.
- Neighbor Advertisement (NA): Unicast reply with the neighbor's MAC address.
- Router Solicitation (RS): Sent by hosts to discover routers.
- Router Advertisement (RA): Sent by routers to advertise their presence and prefix information.

When a host wants to send a packet to another host on the same link, it checks its Neighbor Cache (equivalent to ARP cache). If no entry exists, it sends an NS to the solicited-node multicast address FF02::1:FFxx:xxxx (where xx:xxxx is the last 24 bits of the target's IPv6 address). The target responds with an NA containing its MAC address. The sender then caches this information.

Key States, Timers, and Defaults

Neighbor Cache Entry States:

- INCOMPLETE: NS sent, waiting for NA. Default timeout is 3 retransmissions, each 1 second apart (total ~3 seconds).
- REACHABLE: Positive confirmation received. Default reachable time is 30 seconds (based on RA's Reachable Time field).
- STALE: Reachable time expired. Next packet triggers a delay before sending NS.
- DELAY: Packet sent, waiting 5 seconds before sending NS (to allow upper-layer confirmation).
- PROBE: NS sent, waiting for NA. Up to 3 retransmissions.
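The entry lifecycle above, together with the solicited-node addressing from the preceding paragraph, as an added Python sketch (not code from the original page or from Cisco IOS). It replays the listed timers over explicit timestamps; the `FAILED` label for an entry dropped after three unanswered solicitations and all class and function names are assumptions of this example.

```python
import ipaddress

# Timer values quoted in the list above.
RETRANS_TIMER = 1.0       # seconds between NS retransmissions
MAX_SOLICIT = 3           # NS attempts in INCOMPLETE and in PROBE
REACHABLE_TIME = 30.0     # REACHABLE -> STALE
DELAY_FIRST_PROBE = 5.0   # DELAY -> PROBE


def solicited_node(addr):
    """FF02::1:FFxx:xxxx built from the low 24 bits of a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


class NeighborEntry:
    # One neighbor cache entry, advanced with explicit timestamps (seconds).
    def __init__(self, target, now):
        self.target, self.mac, self.ns_log = target, None, []
        self._solicit("INCOMPLETE", now)

    def _solicit(self, state, now):
        self.state, self.solicits = state, 0
        self._send_ns(now)

    def _send_ns(self, now):
        # Multicast while the MAC is unknown, unicast when re-checking a known one.
        dst = solicited_node(self.target) if self.state == "INCOMPLETE" else self.target
        self.ns_log.append((now, dst))
        self.solicits += 1
        self.deadline = now + RETRANS_TIMER

    def tick(self, now):
        """Apply every timer that has expired by `now`; return the state."""
        while self.deadline is not None and now >= self.deadline:
            fired = self.deadline
            if self.state in ("INCOMPLETE", "PROBE"):
                if self.solicits < MAX_SOLICIT:
                    self._send_ns(fired)
                else:  # entry is dropped; "FAILED" is this example's label
                    self.state, self.deadline = "FAILED", None
            elif self.state == "REACHABLE":
                self.state, self.deadline = "STALE", None
            elif self.state == "DELAY":
                self._solicit("PROBE", fired)
        return self.state

    def receive_na(self, mac, now):
        if self.tick(now) != "FAILED":
            self.mac = mac
            self.state, self.deadline = "REACHABLE", now + REACHABLE_TIME

    def send_packet(self, now):
        if self.tick(now) == "STALE":
            self.state, self.deadline = "DELAY", now + DELAY_FIRST_PROBE


def replay():
    """Constructed timeline: resolve, go idle, then the neighbor disappears."""
    e = NeighborEntry("2001:db8:1::2", 0.0)
    seen = [e.state]
    e.receive_na("aabb.cc00.0200", 0.4)
    seen.append(e.state)
    seen.append(e.tick(31.0))    # reachable time expired
    e.send_packet(40.0)
    seen.append(e.state)
    seen.append(e.tick(45.0))    # 5 s delay elapsed, probing starts
    seen.append(e.tick(48.0))    # three unanswered unicast probes
    return seen, e.ns_log


if __name__ == "__main__":
    print(replay())
```

The NS log shows the difference between the two soliciting states: the first NS goes to the solicited-node group, while the three PROBE solicitations go straight to the cached unicast address.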

Router Advertisement defaults: Sent every 200 seconds (default MaxRtrAdvInterval). Hosts set a default router lifetime of 1800 seconds (30 minutes).

Duplicate Address Detection (DAD): Before using a unicast address, a host sends NS to its own solicited-node multicast address. If an NA is received, the address is a duplicate and cannot be used.

IOS CLI Verification Commands

Use these commands to diagnose IPv6 issues:

show ipv6 interface brief
show ipv6 neighbors
show ipv6 route
show ipv6 protocols
debug ipv6 nd

Example output for show ipv6 neighbors:

IPv6 Address                              Age Link-layer Addr State     Interface
2001:db8:1::1                               0 aabb.cc00.0100  REACHABLE Gi0/0
2001:db8:1::2                             120 aabb.cc00.0200  STALE     Gi0/0
fe80::1                                     0 aabb.cc00.0100  REACHABLE Gi0/0

Note the State column – if it's INCOMPLETE or PROBE, there's a Layer 2 or ND issue.
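A way to apply the State-column rule to captured output, as an added Python example (not from the original page): it parses `show ipv6 neighbors` text, flags INCOMPLETE and PROBE entries, and compares each resolved MAC against an inventory. The extra unresolved row, the `REACH`/`INCMP` abbreviations handled alongside the spelled-out states, and the `EXPECTED` inventory are constructed for the example.

```python
import ipaddress

# IOS commonly abbreviates two of the states in this column.
ALIASES = {"REACH": "REACHABLE", "INCMP": "INCOMPLETE"}
VERDICT = {"REACHABLE": "ok", "STALE": "idle", "DELAY": "idle",
           "INCOMPLETE": "nd-failing", "PROBE": "nd-failing"}

# Constructed sample: the page's three rows plus one unresolved neighbor.
SAMPLE = """\
IPv6 Address                              Age Link-layer Addr State Interface
2001:db8:1::1                               0 aabb.cc00.0100  REACHABLE Gi0/0
2001:db8:1::2                             120 aabb.cc00.0200  STALE    Gi0/0
2001:db8:1::9                               0 -               INCMP    Gi0/0
fe80::1                                     0 aabb.cc00.0100  REACHABLE Gi0/0
"""

# Hypothetical inventory of the MAC each address is expected to resolve to.
EXPECTED = {"2001:db8:1::1": "aabb.cc00.0100", "2001:db8:1::2": "aabb.cc00.02ff"}


def parse_neighbors(text):
    """Yield one dict per data row; header and malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        try:
            addr = ipaddress.IPv6Address(f[0])
        except ValueError:
            continue
        yield {"addr": str(addr), "age": f[1], "mac": f[2].lower(),
               "state": ALIASES.get(f[3].upper(), f[3].upper()), "intf": f[4]}


def triage(text, expected=None):
    """Return (addr, intf, finding) for every row that needs attention."""
    findings = []
    for row in parse_neighbors(text):
        verdict = VERDICT.get(row["state"], "unknown-state")
        if verdict == "nd-failing":
            findings.append((row["addr"], row["intf"],
                             f"{row['state']}: NS unanswered, check L2 and ICMPv6 135/136"))
        elif verdict == "unknown-state":
            findings.append((row["addr"], row["intf"],
                             f"unrecognised state {row['state']}"))
        want = (expected or {}).get(row["addr"])
        if want and row["mac"] not in ("-", want.lower()):
            findings.append((row["addr"], row["intf"],
                             f"MAC {row['mac']} differs from expected {want}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, EXPECTED):
        print(*finding, sep="  ")
```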

Interaction with Related Protocols

ICMPv6: Used for error reporting (e.g., Destination Unreachable, Time Exceeded) and ping/traceroute.

OSPFv3: Uses link-local addresses for neighbor adjacency. Troubleshooting involves verifying OSPFv3 neighbor state (FULL/2WAY) and matching interface areas.

EIGRP for IPv6: Uses IPv6 unicast or multicast (FF02::A). Requires a router-id, usually taken from an IPv4 address or otherwise configured manually.

HSRP for IPv6: Uses link-local addresses and virtual MAC. Troubleshooting involves verifying active/standby states and virtual IP reachability.

Common IPv6 Misconfigurations

Missing or wrong default gateway: Hosts learn default gateway from RA. If RA is not sent (e.g., ipv6 nd ra suppress enabled), hosts cannot reach off-link destinations.

Duplicate addresses: DAD fails if another host uses the same address. Check show ipv6 interface for Duplicate address messages.

Mismatched prefix lengths: Two hosts on the same link must have the same prefix length (usually /64). A /64 vs /56 will cause on-link vs off-link confusion.

Firewall blocking ICMPv6: NDP relies on ICMPv6 (types 133-137). Blocking these breaks neighbor discovery and router discovery.

Static routes pointing to wrong next-hop: Next-hop must be a link-local address or global unicast address that is reachable.
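The firewall item above can be checked mechanically. This added Python example (not from the original page or from Cisco) walks an IOS IPv6 ACL with first-match semantics for ICMPv6 types 133-137, including the entries IOS appends to every IPv6 ACL (`permit icmp any any nd-na`, `permit icmp any any nd-ns`, `deny ipv6 any any`). Both sample ACLs and the name `LAN-IN` are constructed; only `any any` entries are evaluated, and anything else is returned for manual review.

```python
NDP_TYPES = (133, 134, 135, 136, 137)   # RS, RA, NS, NA, Redirect
# IOS message-name keywords for four of the types; 137 is matched by number here.
KEYWORDS = {"router-solicitation": 133, "router-advertisement": 134,
            "nd-ns": 135, "nd-na": 136}
# Entries IOS appends to every IPv6 ACL, in this order.
IMPLICIT = [("permit", "icmp", 136, "implicit permit icmp any any nd-na"),
            ("permit", "icmp", 135, "implicit permit icmp any any nd-ns"),
            ("deny", "ipv6", None, "implicit deny ipv6 any any")]

# Constructed ACLs; the name LAN-IN and the prefix are placeholders.
BEFORE = """\
ipv6 access-list LAN-IN
 permit tcp any any eq 443
 permit icmp 2001:db8:1::/64 any echo-request
 deny ipv6 any any log
"""
AFTER = """\
ipv6 access-list LAN-IN
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any 137
 permit tcp any any eq 443
 deny ipv6 any any log
"""


def parse_entry(line):
    """Return (action, proto, icmp_type, text), "review", or None if irrelevant."""
    tok = line.split()
    if tok[:1] == ["sequence"]:
        tok = tok[2:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] not in ("icmp", "ipv6"):
        return None
    text, rest = " ".join(tok), tok[4:]
    if tok[2:4] != ["any", "any"]:
        return "review"                      # address-specific: not evaluated here
    if tok[1] == "ipv6" or not rest or rest[0] in ("log", "log-input", "sequence"):
        return (tok[0], tok[1], None, text)  # matches every ICMPv6 type
    if rest[0].isdigit():
        return (tok[0], tok[1], int(rest[0]), text)
    if rest[0] in KEYWORDS:
        return (tok[0], tok[1], KEYWORDS[rest[0]], text)
    return "review"                          # other message name or option


def audit(acl_text):
    """First-match verdict per NDP type, plus entries left for manual review."""
    entries, review = [], []
    for line in acl_text.splitlines():
        parsed = parse_entry(line)
        if parsed == "review":
            review.append(line.strip())
        elif parsed:
            entries.append(parsed)
    verdict = {}
    for t in NDP_TYPES:
        for action, proto, typ, text in entries + IMPLICIT:
            if proto == "ipv6" or typ in (None, t):
                verdict[t] = (action, text)
                break
    return verdict, review


def blocked(acl_text):
    """NDP types that the ACL, implicit entries included, ends up denying."""
    return [t for t, (action, _) in audit(acl_text)[0].items() if action == "deny"]


if __name__ == "__main__":
    print("before:", blocked(BEFORE), "after:", blocked(AFTER))
```

In `BEFORE` the explicit `deny ipv6 any any log` matches ahead of the implicit NS/NA permits, so all five types are dropped. An ACL with no explicit deny still blocks 133, 134 and 137, because the implicit permits cover only NS and NA.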

Troubleshooting Flowchart

Use this systematic approach:

1. Verify IPv6 is enabled on interfaces (show ipv6 interface brief).
2. Check address assignment (SLAAC, DHCPv6, static).
3. Verify neighbor cache entries (show ipv6 neighbors).
4. Check default gateway (RA or static route).
5. Verify routing table (show ipv6 route).
6. Test with ping ipv6 and traceroute ipv6.
7. If routing protocol, verify neighbor adjacencies (show ipv6 ospf neighbor, show ipv6 eigrp neighbors).
8. Check for ACLs or firewall rules blocking ICMPv6.

Always start with Layer 2 (neighbor discovery) before moving to Layer 3 (routing).

Walk-Through

1. Verify IPv6 Interface Status

Begin by checking that IPv6 is enabled on the relevant interfaces. Use `show ipv6 interface brief` to see a summary of IPv6-enabled interfaces and their addresses. Look for the interface status (up/up) and the presence of an IPv6 address (link-local and global). If an interface does not show an IPv6 address, check if IPv6 is enabled with `ipv6 enable` or if an address is configured. Also verify that the interface is not administratively down. If the interface is up but has no IPv6 address, the issue may be with SLAAC or DHCPv6 client configuration.

2. Check Neighbor Cache Entries

Use `show ipv6 neighbors` to examine the neighbor cache. Look for the state of entries for the target device. A REACHABLE state means Layer 2 resolution succeeded. STALE or DELAY are normal if no recent traffic. INCOMPLETE or PROBE indicates that Neighbor Solicitation (NS) messages are not receiving replies. Check if the target host is on the same link and if any ACL or firewall blocks ICMPv6 types 135 (NS) and 136 (NA). Also verify that the target's MAC address is correct. If you see INCOMPLETE, try pinging the target's link-local address to force resolution.

3. Test Link-Local Connectivity

Ping the link-local address of the next-hop router or neighbor to verify Layer 2 connectivity. Use `ping ipv6 fe80::1%<interface>` (the %<interface> is required on Cisco IOS to specify the source interface). If link-local ping fails, the problem is at Layer 2 or with ND. Check cabling, VLAN membership, and switch port configuration. Also verify that the interface is not in a passive state (e.g., HSRP standby). If link-local ping succeeds but global unicast ping fails, the issue is likely with default gateway or routing.

4. Verify Default Gateway and RA

On hosts, the default gateway is learned from Router Advertisement (RA) messages. On Cisco routers, check if RA is enabled with `show ipv6 interface <interface> | include RA`. Look for 'RA interval' and 'Router lifetime'. If RA is suppressed (e.g., `ipv6 nd ra suppress`), hosts will not have a default route. On the host, check the default route with `show ipv6 route` (if router) or `ip -6 route` (if Linux). Ensure the default route points to a reachable next-hop (usually the link-local address of the router). If the default route is missing, configure a static default route or enable RA on the router.

5. Examine Routing Table and Protocols

Use `show ipv6 route` to verify that the destination network is in the routing table. Check for connected, static, and dynamic routes. If using OSPFv3, verify neighbor state with `show ipv6 ospf neighbor`. Ensure the neighbor state is FULL (for DR/BDR) or 2WAY (for other routers). Check OSPFv3 interface costs and area assignments. For EIGRP for IPv6, use `show ipv6 eigrp neighbors`. Verify that the router-id is set (manually or via IPv4). If routes are missing, check redistribution and passive interfaces. Also verify that ACLs or prefix-lists are not filtering routes.

6. Test End-to-End Connectivity

Perform a ping from the source to the destination using `ping ipv6 <destination>`. If it fails, use `traceroute ipv6 <destination>` to identify where the packet stops. Look for '!' (success) or 'U' (unreachable) or '*' (timeout). If the traceroute stops at a router, check the routing table on that router for a return route. Asymmetric routing can cause one-way connectivity. Also verify that the destination host has a route back to the source. If the destination is on a different subnet, ensure the default gateway is configured correctly on the destination host.

7. Check for ACLs and Firewall Rules

Use `show ipv6 access-list` to list IPv6 ACLs applied to interfaces. Check for any deny statements that might block ICMPv6 (types 133-137) or the specific traffic. Also check for Cisco Firewall or Zone-Based Policy Firewall (ZBFW) rules that inspect IPv6. Common exam trap: an ACL that permits IPv4 but denies IPv6 implicitly (since IPv6 and IPv4 ACLs are separate). Use `show run | section ipv6 access-list` to review. If you find a deny entry, modify the ACL to permit the required traffic. Remember that NDP requires ICMPv6 types 133-137, and OSPFv3 uses multicast addresses FF02::5 and FF02::6.

8. Verify DNS and Application Layer

If basic IPv6 connectivity works but applications fail, check DNS resolution. Use `ping ipv6 <hostname>` to see if the hostname resolves to an IPv6 address (AAAA record). If not, the DNS server may not have AAAA records. Also check that the application supports IPv6 (e.g., dual-stack sockets). On Cisco routers, use `show hosts` to see cached DNS entries. If the hostname resolves to an IPv4 address only, the application may fall back to IPv4. Ensure that the client's DNS resolver has both A and AAAA records. For exam scenarios, remember that a missing AAAA record causes IPv6 connectivity failure at the application layer even though the network is fine.

What This Looks Like on the Job

Enterprise Network Scenario 1: Dual-Stack Data Center Migration

A large enterprise is migrating its data center to dual-stack. The network team enables IPv6 on all access switches and core routers. However, after enabling IPv6, users report intermittent connectivity to a critical application. The troubleshooting team finds that the application server has a static IPv6 address, but the default gateway on the server points to a router that is not sending RAs (because RA suppression is enabled on that interface). The server cannot reach any off-link destination. The fix: either enable RA on the router interface or configure a static default route on the server pointing to the router's link-local address. This scenario highlights the importance of verifying RA configuration on router interfaces that serve as default gateways for hosts.

Enterprise Network Scenario 2: OSPFv3 Neighbor Flapping

A service provider runs OSPFv3 across a backbone network. After a hardware upgrade, OSPFv3 neighbors start flapping (alternating between FULL and DOWN). The engineer checks show ipv6 ospf neighbor and sees that the neighbor state goes to EXSTART then back to DOWN. The issue is traced to mismatched MTU values on the two routers' interfaces. OSPFv3 uses the interface MTU to determine if a database description (DBD) packet is too large. If the MTU mismatches, the DBD packet is dropped, causing the neighbor to reset. The fix: ensure both sides have the same MTU (usually 1500). This is a common exam trap—OSPFv3 does not negotiate MTU like OSPFv2 does.

Enterprise Network Scenario 3: HSRP for IPv6 Virtual IP Not Reachable

A campus network uses HSRP for IPv6 to provide first-hop redundancy. After a router reboot, the virtual IP address becomes unreachable from hosts. The engineer checks show standby ipv6 and sees that both routers are in ACTIVE state (split-brain). This happens because the HSRP hello packets are blocked by an IPv6 ACL that denies ICMPv6 type 130 (multicast listener query) or type 143 (multicast listener report). The fix: permit ICMPv6 types 130 and 143 in the ACL. Also verify that the virtual IP address is configured correctly and that the virtual MAC address (0000.0c9f.fxxx) is used. This scenario underscores the need to allow multicast traffic for HSRP to work.

How CCNA 200-301 Actually Tests This

What the 200-301 Exam Tests on IPv6 Troubleshooting

Objective 1.9 specifically tests your ability to troubleshoot IPv6 connectivity issues. The exam focuses on:

Neighbor Discovery Protocol (NDP) states and messages.

Common IPv6 addressing problems (duplicate addresses, wrong prefix length).

Default gateway discovery via RA.

Routing protocol issues (OSPFv3 neighbor states, EIGRP for IPv6).

ACL and firewall impact on IPv6 traffic.

Top 3 Wrong Answers and Why Candidates Choose Them

1. 'The host has no IPv6 address' – This is often true, but the real issue might be that the host has a link-local address only (no global unicast). Candidates see 'no IPv6 address' in show ipv6 interface brief and stop there. The deeper issue is that SLAAC or DHCPv6 failed due to RA suppression or DHCPv6 server misconfiguration.

2. 'The router is not running a routing protocol' – A common trap: when a host cannot reach off-link destinations, candidates assume the router is not running OSPFv3. However, the real issue is often that the host has no default gateway (no RA received). The router may be running OSPFv3 perfectly, but if RA is suppressed, hosts won't learn the default route.

3. 'The neighbor cache is empty' – Candidates see an empty neighbor cache and assume ARP (ND) is broken. But an empty cache is normal if no traffic has been sent recently. The real issue might be that the host is trying to reach an off-link destination and needs a default gateway, not a neighbor cache entry.

Specific Values and Command Outputs to Memorize

RA default interval: 200 seconds (MaxRtrAdvInterval).

Reachable time: Default 30 seconds (set by RA).

Neighbor cache states: INCOMPLETE, REACHABLE, STALE, DELAY, PROBE.

DAD: Sends NS to solicited-node multicast address; if NA received, address is duplicate.

OSPFv3 neighbor states: DOWN, INIT, 2WAY, EXSTART, EXCHANGE, LOADING, FULL.

EIGRP for IPv6: Uses multicast FF02::A; requires router-id.

Decision Rule for Scenario Questions

When faced with an IPv6 connectivity scenario, follow this elimination strategy:

1. Is the problem on the same link or different links? If same link, focus on ND (neighbor cache). If different links, focus on default gateway and routing.
2. Check if the host has a global unicast address. If not, SLAAC/DHCPv6 is failing.
3. Check if the host has a default route. If not, RA is missing or suppressed.
4. If default route exists but ping fails, check routing table on intermediate routers.
5. If routing table looks correct, check ACLs and firewall rules.

This systematic approach will help you eliminate the most common wrong answers.

Key Takeaways

IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP; NS/NA messages use ICMPv6 types 135/136.

Neighbor cache states: INCOMPLETE, REACHABLE, STALE, DELAY, PROBE – each with specific timeout values.

Default gateway is learned via Router Advertisement (RA) sent every 200 seconds by default.

Duplicate Address Detection (DAD) sends NS to the solicited-node multicast address; if NA received, address is duplicate.

OSPFv3 neighbor states include DOWN, INIT, 2WAY, EXSTART, EXCHANGE, LOADING, FULL.

EIGRP for IPv6 uses multicast address FF02::A and requires a router-id.

ICMPv6 types 133-137 are essential for NDP; blocking them breaks IPv6 connectivity.

Common misconfigurations: RA suppression, mismatched MTU (OSPFv3), missing static routes with link-local next-hop.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IPv6 Neighbor Discovery

Uses ICMPv6 messages (NS/NA) to multicast address.

Provides router discovery and prefix advertisement.

Neighbor cache with multiple states (INCOMPLETE, REACHABLE, etc.).

Supports Duplicate Address Detection (DAD).

Uses solicited-node multicast (FF02::1:FFxx:xxxx).

IPv4 ARP

Uses ARP request/reply (broadcast).

Only provides MAC address resolution.

ARP cache has single state (dynamic/static).

No built-in duplicate address detection.

Uses broadcast (FF:FF:FF:FF:FF:FF).

Watch Out for These

Mistake

IPv6 does not use broadcasts, so there is no equivalent of ARP.

Correct

IPv6 uses Neighbor Solicitation (NS) messages sent to the solicited-node multicast address, which is a more efficient form of broadcast. The function is equivalent to ARP in IPv4.

Candidates confuse 'no broadcast' with 'no address resolution'. NDP is the address resolution protocol for IPv6.

Mistake

If a host has a link-local address, it can reach off-link destinations.

Correct

Link-local addresses (fe80::/10) are only valid on the local link. Off-link communication requires a global unicast address (or unique local) and a default gateway.

Candidates think any IPv6 address enables full connectivity, but link-local is non-routable.

Mistake

OSPFv3 uses the same neighbor discovery mechanism as OSPFv2.

Correct

OSPFv3 uses link-local addresses for neighbor discovery and does not require IPv4 addresses. It also uses multicast addresses FF02::5 (AllSPFRouters) and FF02::6 (AllDRouters).

Candidates assume OSPFv3 is just OSPFv2 with IPv6, but the addressing and packet format differ.

Mistake

RA suppression only affects SLAAC, not DHCPv6.

Correct

RA suppression prevents hosts from learning the default gateway. Even with DHCPv6, hosts need RA to get the default gateway (unless they are configured statically).

Candidates think DHCPv6 provides the default gateway, but DHCPv6 only provides addresses and other options (like DNS), not the default route.


Frequently Asked Questions

Why does my IPv6 ping fail even though I have a global unicast address?

There are several possible reasons. First, check if you have a default gateway. If you are using SLAAC, the router must send Router Advertisements (RAs) to provide the default gateway. If RA is suppressed, you need a static default route. Second, verify that the destination is reachable via the routing table. Use `traceroute` to see where the packet stops. Third, check for ACLs or firewall rules that block ICMPv6 or the specific traffic. Fourth, ensure that the neighbor cache has a REACHABLE entry for the next-hop router. If the entry is INCOMPLETE, there is a Layer 2 issue. A systematic approach: start with link-local ping to the next-hop, then global ping, then traceroute. On the CCNA exam, always check the neighbor cache first.

What is the difference between a solicited-node multicast address and a link-local multicast address?

A solicited-node multicast address is used for Neighbor Solicitation (NS) messages. It is derived from the last 24 bits of a unicast address, with the prefix FF02::1:FF00:0/104. For example, for address 2001:db8:1::1, the solicited-node multicast address is FF02::1:FF00:1. This address is used to target a specific host without broadcasting to all nodes. A link-local multicast address, such as FF02::1 (all-nodes) or FF02::2 (all-routers), is used for general announcements. The key difference: solicited-node is unicast-specific, while link-local multicast is for groups. On the exam, know that NS messages go to solicited-node multicast, not to FF02::1.

How do I troubleshoot an OSPFv3 neighbor that is stuck in INIT state?

The INIT state means the router has received a Hello packet from the neighbor but the neighbor has not seen its own router ID in the Hello packet. This usually indicates a mismatch in OSPFv3 parameters. Check the following: (1) Verify that both interfaces are in the same area. (2) Check that the Hello and Dead intervals match (default Hello 10 sec, Dead 40 sec). (3) Ensure that the network type is the same (e.g., both broadcast). (4) Verify that the interface is not passive. (5) Check for ACLs blocking multicast traffic (FF02::5 for OSPFv3). Use `show ipv6 ospf interface` to see the current parameters. Also, ensure that the router has a router-id configured (either manually or via IPv4 address).

Why does my host have a link-local address but no global unicast address?

A link-local address is automatically generated when IPv6 is enabled. A global unicast address requires either SLAAC, DHCPv6, or static configuration. If the host is using SLAAC, it needs a Router Advertisement (RA) from a router to learn the prefix. If no RA is received (e.g., router has RA suppression, or no router on the link), the host will only have a link-local address. For DHCPv6, the host must send a DHCPv6 Solicit message and receive a Reply from a DHCPv6 server. Check if the router is configured to send RAs (`ipv6 nd ra suppress` should be absent). Also verify that the host's operating system is configured to accept RAs (e.g., Windows firewall may block them).

What is the purpose of the 'ipv6 unicast-routing' command?

This command enables IPv6 routing on a Cisco router. Without it, the router will not forward IPv6 packets between interfaces, even if IPv6 addresses are configured. It is required for the router to act as a router (forward packets) and to send Router Advertisements. If you are troubleshooting and the router is not forwarding IPv6 traffic, check if `ipv6 unicast-routing` is enabled in the global configuration. This is a common omission that leaves hosts receiving RAs but still unable to reach off-link destinations because the router is not routing. Use `show running-config | include ipv6 unicast-routing` to verify.

How does Duplicate Address Detection (DAD) work and how can I troubleshoot it?

Before using a unicast address, a host sends a Neighbor Solicitation (NS) to its own solicited-node multicast address. If no Neighbor Advertisement (NA) is received within a certain time (typically 1 second, with up to 3 retries), the address is considered unique. If an NA is received, the address is a duplicate and cannot be used. To troubleshoot DAD failures, check the syslog or use `debug ipv6 nd` to see DAD messages. Common causes: another host with the same address (manual misconfiguration), or a loop in the network causing the NS to be reflected back. On Cisco routers, you can see DAD status with `show ipv6 interface <interface>`. Look for 'Duplicate address' messages.

What are the common reasons for a 'Destination Unreachable' ICMPv6 message?

ICMPv6 Destination Unreachable (type 1) has several codes: 0 (no route to destination), 1 (administratively prohibited), 2 (beyond scope of source address), 3 (address unreachable), 4 (port unreachable). The most common in CCNA scenarios are code 0 (no route) and code 1 (ACL blocking). Code 0 means the router has no route to the destination. Check the routing table. Code 1 means an ACL is dropping the packet and sending an unreachable message. Use `show ipv6 access-list` and `show ipv6 interface` to check for ACLs applied to the interface. Also, code 2 can occur if the source address is link-local and the destination is global (link-local cannot be routed).
