I've got a Cisco 877 router. I've got an IPv4 access list and an IPv6 access list set up and configured similar to this:
interface Dialer1
...
ip access-group INTERET-IN
ipv6 traffic-filter IPV6-IN
The Access lists are similar to this:
ip access-list extended INTERNET-IN
remark establishd connections
permit tcp any any established
...
deny ip any any log
And:
ipv6 access-list IPV6-IN
permit esp any any
sequence 30 permit tcp any any established
sequence 50 remark NTP
...
sequence 240 deny ipv6 any any log-input
Each of these access lists has a final rule of deny ip/ipv6 any any log. However, in my syslog I notice that there's a difference in formatting between the two types of entries. IPv4 will say:
%SEC-6-IPACCESSLOGP: list INTERNET-IN denied udp 88.89.209.63(137) -> 1.2.3.4(137), 1 packet
Whereas the IPv6 list will say
%IPV6_ACL-6-ACCESSLOGNP: list IPV6-IN/240 denied 59 2001:0:5EF5:79FD:14F9:B773:3EBA:3EE3 (Dialer1) -> 2001:800:1000:0::1, 8 packets
Both have broadly the same information, but the IPv6 log entry is missing the protocol type and port, both of which are very useful if I'm trying to troubleshoot connectivity.
Why is this? How do I get IPv6 deny logs to display the protocol and port used, if any?
Best Answer
It shouldn't be different. As an example from one of my routers (redacted, obviously):
Jun 19 16:39:56.440: %IPV6_ACL-6-ACCESSLOGP: list tu0-internet-in/190 denied udp 2001:x:x:x::2(123) (Tunnel0) -> 2001:x:x:x:x:x:x:x(123), 2 packets
Jun 19 16:41:04.636: %SEC-6-IPACCESSLOGP: list internet-in denied tcp x.y.z.q(443) (GigabitEthernet0/3 beef.1aa1.beef) -> a.b.c.d(xxxxx), 1 packet
Do you have a terminating line on your ipv6 ACL with an explicit deny w/log-input, like:
ipv6 access-list tu0-internet-in ... sequence xxx deny ipv6 any any log-input
Adding a sample of the ACL's in question for purposes of comparison would help, but I suspect it may just be the explicit deny that should fix things.