The IPv6 Neighbor Discovery Protocol (NDP) failed to receive solicited Neighbor Advertisement messages from hosts on a specific interface, preventing IPv6 communication.
This usually happens because of a firewall blocking ICMPv6 traffic, a misconfigured router, or a broken network stack on the client.
1. Firewall Blocking ICMPv6 Type 135 (Neighbor Solicitation) and 136 (Neighbor Advertisement)
- Diagnosis: On the client machine experiencing the issue, run sudo tcpdump -i <interface_name> icmp6. Look for Neighbor Solicitation packets being sent out but no corresponding Neighbor Advertisement packets coming back. If you see ICMPv6 packets being dropped, this is your culprit.
- Fix: If you’re using iptables, allow these ICMPv6 types with ip6tables, since iptables itself only filters IPv4:
    sudo ip6tables -I INPUT -i <interface_name> -p icmpv6 --icmpv6-type 135 -j ACCEPT
    sudo ip6tables -I INPUT -i <interface_name> -p icmpv6 --icmpv6-type 136 -j ACCEPT
    sudo ip6tables -I FORWARD -i <interface_name> -p icmpv6 --icmpv6-type 135 -j ACCEPT
    sudo ip6tables -I FORWARD -i <interface_name> -p icmpv6 --icmpv6-type 136 -j ACCEPT
  For nftables:
    sudo nft add rule ip6 filter input iifname "<interface_name>" icmpv6 type nd-neighbor-solicit accept
    sudo nft add rule ip6 filter input iifname "<interface_name>" icmpv6 type nd-neighbor-advert accept
    sudo nft add rule ip6 filter forward iifname "<interface_name>" icmpv6 type nd-neighbor-solicit accept
    sudo nft add rule ip6 filter forward iifname "<interface_name>" icmpv6 type nd-neighbor-advert accept
  This explicitly permits the Neighbor Solicitation and Advertisement messages, allowing hosts to resolve each other’s link-layer addresses.
- Why it works: NDP relies on these ICMPv6 messages to function. Blocking them severs the communication channel needed for address resolution.
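Added example, not from the original page: an offline check of a saved `ip6tables -S <chain>` listing that reports which of types 135 and 136 the chain still blocks. The helper name `ndp_rule_gaps` and the sample ruleset are constructed for illustration, and interface or address matches on a rule are not evaluated.

```shell
#!/bin/sh
# Constructed sample of `ip6tables -S INPUT` output (not from a real host).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -j DROP'

# ndp_rule_gaps (hypothetical helper): reads one chain listing on stdin and
# prints each NDP type (135 = NS, 136 = NA) that the chain does not let through.
# Simplification: interface and address matches on a rule are not evaluated.
ndp_rule_gaps() {
    awk '
    BEGIN { name[135] = "neighbou?r-solicitation"
            name[136] = "neighbou?r-advertisement" }
    $1 == "-P" { policy = $3; next }      # chain policy, e.g. "-P INPUT DROP"
    $1 != "-A" { next }
    {
        rest = $0; sub(/^-A [^ ]+ /, "", rest)
        uncond = (rest ~ /^-j /)          # rule with no match conditions
        icmp6  = ($0 ~ /-p (ipv6-icmp|icmpv6)/)
        typed  = ($0 ~ /--icmpv6-type/)
        for (t = 135; t <= 136; t++) {
            pat = "--icmpv6-type (" t "|" name[t] ")( |$)"
            hit = uncond || (icmp6 && (!typed || $0 ~ pat))
            if (!hit || ok[t] || lost[t]) continue   # first matching rule wins
            if ($0 ~ /-j ACCEPT/) ok[t] = 1
            else if ($0 ~ /-j (DROP|REJECT)/) lost[t] = 1
        }
    }
    END {
        for (t = 135; t <= 136; t++)
            if (lost[t] || (!ok[t] && policy == "DROP")) print t
    }'
}

printf '%s\n' "$SAMPLE_RULES" | ndp_rule_gaps    # reports 136 as blocked
```

An empty result means both Neighbor Solicitation and Neighbor Advertisement are accepted before the chain drops traffic.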
2. Router Advertisements (RA) Not Being Sent or Received
- Diagnosis: On the router interface connected to the affected network segment, check if it’s configured to send Router Advertisements. For Cisco IOS: show ipv6 interface <interface_name>. Look for "ND DAD attempts" and "ND reachable time". On Linux, check sysctl net.ipv6.conf.<interface_name>.accept_ra. If it’s 0, the system is not configured to listen for RAs.
- Fix: Ensure RAs are enabled on the router. For Cisco IOS:
    interface <interface_name>
     ipv6 enable
     ipv6 nd prefix <prefix>/<length>
     ! If using DHCPv6 for addresses
     ipv6 nd managed-config-flag
     ! If using DHCPv6 for other info
     ipv6 nd other-config-flag
     no shutdown
  On Linux, you need to enable RA reception and potentially RA sending if the host is acting as a router:
    # To receive RAs (router_solicitations is the number of Router Solicitations sent)
    sudo sysctl -w net.ipv6.conf.<interface_name>.accept_ra=1
    sudo sysctl -w net.ipv6.conf.<interface_name>.router_solicitations=1
    # To send RAs (if this machine is a router): Linux has no router_advertisements
    # sysctl; enable forwarding and let radvd send the RAs. With forwarding=1,
    # accept_ra must be 2 for the host to keep accepting RAs itself.
    sudo sysctl -w net.ipv6.conf.<interface_name>.forwarding=1
  Then, ensure the radvd service is running and configured correctly if you’re using it to send RAs.
- Why it works: Router Advertisements are crucial for hosts to learn their network prefix, default router, and other network parameters. Without them, hosts may not know how to reach other nodes on the network or even form valid IPv6 addresses.
3. Duplicate Address Detection (DAD) Failures
- Diagnosis: On the affected host, check system logs for DAD failures. For example, in /var/log/syslog or journalctl -xe, search for "DAD failed" or "duplicate IPv6 address detected". You can also check the IPv6 address status with ip -6 addr show dev <interface_name>. An address in a "tentative" state for too long indicates a DAD issue.
- Fix: This usually points to a network configuration problem where another host is already using the address. The common fix is to re-probe the address or simply wait for DAD to time out and then re-assign. On Linux, you can force a re-probe:
    sudo ip -6 addr flush dev <interface_name> scope global
    sudo ip -6 addr add <ipv6_address>/<prefix_length> dev <interface_name> label <interface_name>:0
  If the problem persists, investigate other hosts on the subnet for address conflicts.
- Why it works: DAD is a safety mechanism to prevent two hosts from using the same IPv6 address. If DAD fails, the host won’t use the address, leading to communication failures.
4. Incorrect Link-Local Address Configuration or Neighbor Cache Issues
- Diagnosis: Check the neighbor cache on both the client and the router using ip -6 neigh show dev <interface_name> or show ipv6 neighbors on Cisco. Look for entries that are stale, unreachable, or missing for the target IPv6 addresses. Also, verify that the interface has a valid link-local address (fe80::/64).
- Fix: Clear the neighbor cache to force a re-resolution:
    sudo ip -6 neigh flush all dev <interface_name>
  If the link-local address is missing, ensure IPv6 is enabled on the interface and the system is configured to generate one (usually automatic). For Cisco: ipv6 enable.
- Why it works: The neighbor cache stores the mapping between IPv6 addresses and their corresponding link-layer (MAC) addresses. Stale or incorrect entries prevent proper NDP communication.
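Added example, not from the original page: two filters that turn the `ip -6 addr show` and `ip -6 neigh show` output used in sections 3 and 4 into a short list of findings (failed or pending DAD, no usable link-local address, unresolved neighbors). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample output (not captured from a real host).
SAMPLE_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::11/64 scope global
       valid_lft forever preferred_lft forever'
SAMPLE_NEIGH='fe80::1 dev eth0 lladdr 00:00:5e:00:53:01 router REACHABLE
2001:db8:1::20 dev eth0 lladdr 00:00:5e:00:53:02 STALE
2001:db8:1::30 dev eth0 FAILED
2001:db8:1::31 dev eth0 INCOMPLETE'

# addr_findings (hypothetical helper): stdin is `ip -6 addr show dev <if>` output.
# Reports addresses that failed DAD, addresses still tentative, and the absence
# of a link-local address that has completed DAD.
addr_findings() {
    awk '
    $1 == "inet6" {
        if ($2 ~ /^fe80:/ && $0 !~ / (tentative|dadfailed)/) linklocal = 1
        if ($0 ~ / dadfailed/)      print "dad-failed " $2
        else if ($0 ~ / tentative/) print "dad-pending " $2
    }
    END { if (!linklocal) print "no-usable-link-local" }'
}

# neigh_findings (hypothetical helper): stdin is `ip -6 neigh show dev <if>` output.
# Only FAILED and INCOMPLETE are reported: those entries have no link-layer
# address. STALE entries still hold one and are re-verified on next use.
neigh_findings() {
    awk '$NF == "FAILED" || $NF == "INCOMPLETE" { print "unresolved " $1 " " $NF }'
}

printf '%s\n' "$SAMPLE_ADDR"  | addr_findings
printf '%s\n' "$SAMPLE_NEIGH" | neigh_findings
```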
5. Network Interface Card (NIC) or Driver Issues
- Diagnosis: Check dmesg output for any errors related to the network interface or its driver. Look for messages like "eth0: Rx descriptor error" or "driver bug".
- Fix: Update or reinstall the NIC driver. Sometimes, simply disabling and re-enabling the interface can resolve transient issues:
    sudo ip link set dev <interface_name> down
    sudo ip link set dev <interface_name> up
- Why it works: A faulty NIC or driver can corrupt NDP packets or fail to process them correctly, leading to communication breakdowns.
6. IPv6 Routing Issues (Less Common for Link-Local)
- Diagnosis: While less common for direct host-to-host communication on the same link (where link-local addresses are used), if the communication involves globally routable addresses and is failing, check routing tables. Use ip -6 route show or show ipv6 route on Cisco. Ensure there’s a valid route to the destination network.
- Fix: Add or correct static routes if necessary, or ensure dynamic routing protocols are functioning correctly.
- Why it works: Even on the same link, if the NDP process is somehow trying to use a globally routable address and routing is misconfigured, it can lead to resolution failures.
The next error you’ll likely encounter after fixing this is a "No route to host" error if the underlying routing is still broken, or potentially a DNS resolution issue if name resolution was dependent on the now-fixed IPv6 connectivity.