NDP causes the firewall to save the MAC addresses and IPv6
addresses of neighbors in its ND cache. (Refer to the figure in
NPTv6 and NDP Proxy Example.) The firewall
does not perform NPTv6 translation for addresses that it finds in
its ND cache because doing so could introduce a conflict. If the
host portion of an address in the cache happens to overlap with
the host portion of a neighbor’s address, and the prefix in the
cache is translated to the same prefix as that of the neighbor (because
the egress interface on the firewall belongs to the same subnet
as the neighbor), then you would have a translated address that
is exactly the same as the legitimate IPv6 address of the neighbor,
and a conflict occurs. (If an attempt to perform NPTv6 translation
occurs on an address in the ND cache, an informational syslog message
logs the event:
NPTv6 Translation Failed.
)