This article describes the reason why an IPv6 gateway may not be reachable and a workaround using RFC6164.
A simple analogy for an IPv6 subnet-router anycast address is the IPv4 'network address': it is the first (lowest) address in the subnet.
For example, if the prefix for the subnet is 2600:5000:9830::28/126, the subnet-router anycast address for that subnet is 2600:5000:9830::28.
Additionally, for the example above, the address range for that subnet is 2600:5000:9830::28 to 2600:5000:9830::2b (four addresses).
It is not recommended to assign a subnet-router anycast address to an interface, but some ISPs may deliver a subnet as above with their device set to the subnet-router anycast address; in that case the next hop/gateway for the FortiGate would be 2600:5000:9830::28.
To prevent this issue, starting with FortiOS 7.2.2 a subnet-router anycast address cannot be set as the gateway address of an IPv6 static route. In previous FortiOS versions it can be set, but the gateway will not be reachable, as shown in the example below for a directly connected device:
FortiGate (port2) ==> ISP Router ==> Internet
FortiGate port2 IPv6: 2600:5000:9830::29/126
FortiGate port2 link-local: fe80::20c:29ff:fe42:dc8d
FortiGate port2 MAC: 00:0c:29:42:dc:8d
ISP Router IPv6: 2600:5000:9830::28/126
ISP Router link-local: fe80::20c:29ff:fe01:3ff2
ISP Router MAC: 00:0c:29:01:3f:f2
# config system interface
    edit "port2"
        config ipv6
            set ip6-address 2600:5000:9830::29/126
            set ip6-allowaccess ping https http
        end
    next
end

# config router static6
    edit 1
        set gateway 2600:5000:9830::28
        set device "port2"
    next
end
With the above configuration, the gateway is not reachable and the next hop device is not listed in the neighbor cache, as shown below (the grep returns nothing):

FGT1-A # execute ping6 2600:5000:9830::28
PING 2600:5000:9830::28(2600:5000:9830::28) 56 data bytes

--- 2600:5000:9830::28 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss, time 0ms

FGT1-A # di ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2
Because 2600:5000:9830::28 is a subnet-router anycast address, it should not be used as a gateway: the FortiGate is itself a router on that prefix and therefore owns the anycast address. If the ISP cannot reconfigure the address on their end, the workaround is to use a /127 subnet as detailed in RFC 6164.
With the configuration changed to /127 as below, the gateway is reachable and appears in the neighbor cache list.
# config system interface
    edit "port2"
        config ipv6
            set ip6-address 2600:5000:9830::29/127
            set ip6-allowaccess ping https http
        end
    next
end

# config router static6
    edit 1
        set gateway 2600:5000:9830::28
        set device "port2"
    next
end

FGT1-A # execute ping6 2600:5000:9830::28
PING 2600:5000:9830::28(2600:5000:9830::28) 56 data bytes
64 bytes from 2600:5000:9830::28: icmp_seq=1 ttl=255 time=0.232 ms

--- 2600:5000:9830::28 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.232/0.232/0.232/0.000 ms

FGT1-A # di ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2
ifindex=4 ifname=port2 fe80::20c:29ff:fe01:3ff2 00:0c:29:01:3f:f2 state=00000002 use=1441 confirm=1941 update=1441 ref=1
ifindex=4 ifname=port2 2600:5000:9830::28 00:0c:29:01:3f:f2 state=00000002 use=446 confirm=2324 update=2443 ref=3
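The rule described above (a static6 gateway equal to the subnet-router anycast address of the egress prefix is refused) and the /127 workaround, as an added Python example; this is not Fortinet code, the function names are mine, and it assumes the gateway is only compared against the prefix of the interface named in the route:

```python
import ipaddress
from typing import Optional, Tuple


def subnet_router_anycast(prefix: str) -> Optional[ipaddress.IPv6Address]:
    """Lowest address of the prefix, i.e. the subnet-router anycast address
    (RFC 4291 section 2.6.1). A /127 (RFC 6164) or /128 carries no such
    reservation, so None is returned for those."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen >= 127:
        return None
    return net.network_address


def address_range(prefix: str) -> Tuple[str, str]:
    """First and last address covered by the prefix (the /126 in the article)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(net[0]), str(net[-1])


def check_static6_gateway(interface_addr: str, gateway: str) -> str:
    """Hypothetical pre-commit check reproducing the FortiOS 7.2.2 rule from
    the article: refuse a gateway that is the subnet-router anycast address
    of the interface prefix. Returns 'ok' or a 'reject: ...' reason."""
    iface = ipaddress.IPv6Interface(interface_addr)
    gw = ipaddress.IPv6Address(gateway)
    anycast = subnet_router_anycast(str(iface.network))
    if anycast is not None and gw == anycast:
        return ("reject: %s is the subnet-router anycast address of %s; "
                "use a /127 (RFC 6164) or a different gateway address"
                % (gw, iface.network))
    return "ok"


if __name__ == "__main__":
    # Values taken from the article's example: /126 is refused, /127 passes.
    print(address_range("2600:5000:9830::28/126"))
    print(check_static6_gateway("2600:5000:9830::29/126", "2600:5000:9830::28"))
    print(check_static6_gateway("2600:5000:9830::29/127", "2600:5000:9830::28"))
```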