Simple IPv6 setup on SRX650 12.1X44-D45.2 w/ VLAN & DHCPv6/SLAAC

Hello folks,

I've been racking my brain over this for several days. I've actually setup IPv6 with BGP etc with two other SRX650's over the last 5 years and can't recall if i ran into this problem using VLAN setup or not. From my searching it seems that IPv6 on VLANs are unsupported - i'm assuming this was no longer the case with later versions of JunOS.

Either way my setup below is extremely simple and should "just work". However that does not appear to be the case for any servers connected to the vlan via the switching module. They are unable to ping the IP (2606:XXXX:0:1::1) that i have setup on the VLAN.

From the router i can ping/traceroute anything ipv6 on the internet - so i know native connectivty from the router outbound to the internet appears to be working. The internet can ping, traceroute to my interface IP on ge-2/0/23 but not my vlan IP 2606:XXXX:0:1::1.

Assuming it's not a vlan support issue - i'm sure i'm just missing something elementry in the setup. Any help would be appreciated.

Excuse my poor grammar..

I've got an SRX650 w/ a 24 port switching module setup as an interface range. 

    interface-range trusted {
        member-range ge-2/0/0 to ge-2/0/21;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }

Here's vlan-trust :

    vlan {
        unit 3 {
            description "Main - Vlan";
            family inet {
                address x.x.x.x/26;
            }
            family inet6 {
                address 2606:XXXX:0000:0001::1/64;
            }
        }
    }

and vlan block for completeness:

vlans {
    vlan-trust {
        vlan-id 3;
        interface {
            trusted;
        }
        l3-interface vlan.3;
    }
}

Here's my SLAAC and DHCPv6 Setup:

nareface@srx650-irvine> show configuration access
address-assignment {
    neighbor-discovery-router-advertisement trust6;
    pool trust6 {
        family inet6 {
            prefix 2606:XXXX:0000:0001::/64;
            range r1 {
                low 2606:XXXX:0000:0001::2/128;
                high 2606:XXXX:0000:0001::90/128;
            }
        }
    }
}

nareface@srx650-irvine> show configuration system services dhcp-local-server
dhcpv6 {
    overrides {
        interface-client-limit 100;
    }
    group trust6 {
        interface vlan.3;
    }
}

nareface@srx650-irvine> show configuration protocols
router-advertisement {
    interface vlan.3 {
        managed-configuration;
        other-stateful-configuration;
        default-lifetime 3600;
        prefix 2606:XXXX:0:1::/64 {
            no-autonomous;
        }
        prefix ::/0 {
            no-autonomous;
        }
    }
}
bgp {
... OMITTED ...
}

nareface@srx650-irvine>

I've got all protocols in packet-mode:

nareface@srx650-irvine> show configuration security forwarding-options
family {
    inet6 {
        mode packet-based;
    }
    mpls {
        mode packet-based;
    }
    iso {
        mode packet-based;
    }
}

nareface@srx650-irvine>

Uplink and static route to uplink for completeness:

nareface@srx650-irvine> show configuration interfaces ge-2/0/23
description "Uplink #1";
speed 1g;
link-mode full-duplex;
gigether-options {
    no-auto-negotiation;
}
unit 0 {
    family inet {
        filter {
            inactive: input inbound-wr;
            inactive: output outbound-wr;
        }
        address xxx.xx.xxx.xx/30;
    }
    family inet6 {
        address 2606:xxx::2/64;
    }
}

nareface@srx650-irvine> show configuration routing-options rib inet6.0
static {
    route ::/0 next-hop 2606:xxx::1;
}

nareface@srx650-irvine>